Home

Privacy Policy

Privacy Policy and processing of personal data (EU Regulation 679/2016)

In this Privacy Policy, Testbusters IMAT Medschool explains how your personal data is collected, used and protected when you browse this website, request information or purchase IMAT-related services. The information below is provided in compliance with EU Regulation 2016/679 (“GDPR”).

Data Controller

The Data Controller of Personal Data collected through this website is Testbusters S.r.l. Società Benefit, with registered office in Via Ulpio Traiano, 17 20149, Milan, Italy, email address: testbusters@pec.it.

Nature of personal data processed

The Personal Data processed are voluntarily provided by the User or legitimately collected by the Data Controller, in compliance with current legislation. The Personal Data collected through this Website are:


  • Navigation/Website operation data. The computer systems, telematic systems, and software procedures used to operate the Site acquire, during their normal operation, some data whose transmission is implicit in the use of web communication protocols and necessary for the functioning of the Site. This category of data includes, for example, IP addresses, date and time of access, visited pages (URI/URL), the numerical code indicating the status of the response given by the server, and other parameters relating to the operating system and the user's computer environment.
  • Voluntarily provided data. In some sections of the websites, certain Personal Data are requested: upon registration, the User is asked for an email address and registration password; to proceed with the purchase, the User is asked to provide the Personal Data necessary for shipping, invoicing, and the provision of the requested services (name, surname, address, email address, telephone, tax code, date and place of birth). Failure to provide certain data (e.g., contact details or address) could make it impossible to provide certain services. Users are responsible for any third-party Personal Data entered and confirm that they have obtained the consent of the data subjects to provide Personal Data to the Data Controller. 
  • During the course of training courses, other Personal Data may be collected (such as, by way of example, educational qualifications, years of work experience, and other curricular information) for the purpose of greater customization of the services provided. Such data are freely provided by the User and are not necessary for the provision of services.
  • Data collected via tracking (cookies). A cookie is a piece of data that is stored on a computer or mobile device during internet browsing so that the computer or mobile device can be recognized at a later time. The cookies used by Testbusters IMAT Medschool do not identify the User but are limited to recognizing the device used. Cookies do not damage the device in any way, do not allow the Data Controller access to the device in any way, but enable multiple important features of the Website. They allow, for example, returning to previously viewed pages; remembering User preferences; customizing Site content to be more suitable for the User; ensuring an overall improvement in the browsing experience on the Site; protecting Testbusters IMAT Medschool. Furthermore, cookies are used to measure traffic and analyze User behavior with the aim of improving the service. Collection occurs anonymously and concerns information such as the number of Site visitors, where visitors come from, and pages visited. The User can choose whether or not to accept cookies. Most browsers automatically accept cookies, but it is possible to modify browser settings to reject cookies. By disabling cookies, the experience on Testbusters IMAT Medschool.it may be limited. For more information on cookies, external services used, purposes, and consent management, please refer to the cookie policy

Data processing methods

The Personal Data provided are processed by subjects authorized to do so using electronic and/or paper means, in accordance with the principles of fairness, lawfulness, transparency, and protection of confidentiality and rights. Personal Data are protected by technical and organizational measures to ensure appropriate levels of security and confidentiality pursuant to Arts. 25 and 32 of the GDPR.


The Data are processed at the operational offices of the Data Controller and, potentially, at the offices of external Processors who process data on behalf of the Controller. The Data will be processed within the territory of the European Union. Should it become necessary, for technical or operational reasons, to transfer the Data to an external Data Processor located outside the European Union, the Processing will be carried out in compliance with the provisions of Chapter V of the GDPR. Therefore, all necessary precautions will be taken to guarantee the protection of Personal Data.

Data communication and recipients

Personal Data are not subject to dissemination to third parties. However, in order to correctly carry out the Processing activities necessary to pursue the purposes referred to in this Privacy Policy, the following Recipients may find themselves in a position to process Personal Data:


  • Third parties who provide services to the Data Controller (e.g., hosting services, IT services, marketing services, web analytics services, marketing research, market surveys, opinion polls...), who perform part of the Processing activities or activities connected and instrumental thereto on behalf of the Data Controller and become Data Processors. The Controller provides such third parties only with the information necessary for the performance of the requested services.
  • Individual individuals, employees, or collaborators of the Data Controller, to whom specific Processing activities on Personal Data have been entrusted. These individuals are given specific instructions regarding security and the correct use of Personal Data.
  • Where required by law or to prevent or suppress the commission of a crime, Personal Data may be communicated to the competent public bodies or judicial authorities without them being defined as Recipients.


The list of such subjects can be requested from the Controller at any time.


Legal Basis


The User's Personal Data will be processed by the Controller only if one of the following conditions exists:

  • Processing is necessary for the performance of a contract with the User or for the implementation of pre-contractual measures (Art. 6 lett. b of the GDPR);
  • Processing is necessary to comply with a legal obligation to which the Controller is subject (Art. 6 lett. c of the GDPR);
  • Processing is necessary for the purposes of the legitimate interest pursued by the Controller or by a third party (Art. 6 lett. f of the GDPR);
  • The Data Subject has given consent to the Processing of their personal data for one or more specific purposes (Art. 6 lett. a of the GDPR).


It is always possible to ask the Controller to clarify the concrete legal basis of each Processing operation and in particular to specify whether the Processing is based on consent, necessary for the performance of a contract, based on a legal obligation, or necessary for the legitimate interest.

Purposes of processing personal data

Data of the User or Data Subject are collected to allow:


  • Browsing on the Site, registration on the Site, and use of the services made available on the Site (contractual legal basis pursuant to Art. 6 lett. b of the GDPR);
  • Completion of the purchase order for the products and services offered, management of payment, shipping, and any exercise of the right of withdrawal provided for distance purchases (contractual legal basis pursuant to Art. 6 lett. b of the GDPR);
  • Provision of purchased services and sending of communications necessary for the provision of such services (contractual legal basis pursuant to Art. 6 lett. b of the GDPR);
  • Management of User information requests and pre- and post-sales assistance and informing Users regarding maintenance operations on the Site or any disruptions (pre-contractual and contractual legal basis pursuant to Art. 6 lett. b of the GDPR);
  • Carrying out research and statistical analysis on aggregated or anonymous data (legitimate interest legal basis pursuant to Art. 6 lett. f of the GDPR);
  • Compliance with obligations provided for by EU and national regulations (legal obligation legal basis pursuant to Art. 6 lett. c of the GDPR);
  • erformance of administrative-accounting activities (legitimate interest legal basis pursuant to Art. 6 lett. f of the GDPR);
  • Management of any complaints or legal disputes, defense of the Controller in court or in the stages preparatory to its possible establishment, detection of illegal or fraudulent activities or unauthorized traffic (legitimate interest legal basis pursuant to Art. 6 lett. f of the GDPR).


The User's or Data Subject's Data may be processed for the following purposes only with the express consent of the User, which may be withdrawn at any time via the methods listed in the “Rights of the Data Subject” section:

  • Sending promotional information and commercial offers (consensual legal basis pursuant to Art. 6 lett. a of the GDPR);
  • Carrying out polls and market surveys (consensual legal basis pursuant to Art. 6 lett. a of the GDPR).


Data Retention


The User's Personal Data are processed until any request for cancellation and are retained for a period not exceeding that necessary to pursue the purposes for which they were collected, in compliance with the principle of minimization referred to in Art. 5, paragraph 1, letter c) of the GDPR, as well as legal obligations to which the Controller is bound. 


In particular, Data used for the purchase of goods and services will be retained for the provision of requested services and for the fulfilment of administrative-accounting obligations for a period not exceeding 10 years from the last recorded transaction, without prejudice to a further retention period that may be imposed by law.


Data processed for marketing purposes may be lawfully retained for 8 years from the moment consent was expressed, unless the User previously communicates their willingness to revoke consent for such purpose. The duration of retention is established in consideration of the type of services offered and taking into account the average purchase frequency of customers (with particular reference to the average time elapsing between the purchase of products aimed at preparing for the admission test to the Faculty of Medicine and the purchase of products aimed at preparing for the competition for access to Medical Specialization Schools).

Rights of the data subject

The Data Subject has the right to request at any time and to obtain without delay from the Controller:


  • Confirmation as to whether or not Processing of their Personal Data is in progress, access to such data and related information, including the purposes of the Processing, the categories and origin of the Personal Data, the recipients and categories of recipients to whom the Data have been or will be communicated, the retention period of the Data or the criteria used to determine it, the rights exercisable in relation to such Data (right of access, pursuant to Art. 15 GDPR);
  • Rectification of inaccurate Personal Data, or integration of incomplete Personal Data (right to rectification, pursuant to Art. 16 GDPR); 
  • Erasure of their Personal Data, if such Data have been processed unlawfully, are no longer necessary for the purposes for which they were collected or processed, or the legal basis for Processing ceases to exist (right to erasure, pursuant to Art. 17 GDPR);
  • Restriction of Processing of their Personal Data, if such data have been processed unlawfully or are no longer necessary for the purposes for which they were collected or processed, or, for the period necessary for relevant checks, if the Data Subject contests the accuracy of their Personal Data or objects to their Processing (right to restriction, pursuant to Art. 18 GDPR); 
  • Transmission of Personal Data concerning them to another Data Controller without hindrance from the Data Controller to whom they were provided, if the legal basis for Processing is contractual, pre-contractual or consensual and the Data are processed by automated means (right to data portability, pursuant to Art. 20 GDPR).


Furthermore, the Data Subject may exercise at any time:


  • The right to object to the Processing of Personal Data concerning them if such Processing is based on the legitimate interest of the Controller or third parties, or on grounds of public interest; in such case, the Controller shall refrain from further processing the Data, unless they demonstrate the existence of compelling legitimate grounds for proceeding with the processing which override the interests, rights, and freedoms of the Data Subject or demonstrate that such Data are necessary for the establishment, exercise, or defense of a legal claim (right to object, pursuant to Art. 21 GDPR); 
  • The right to withdraw consent in relation to the purposes for which it was expressed (right to withdraw consent, pursuant to Art. 7 GDPR);
  • The right to lodge a complaint with the Privacy Guarantor or to appeal to the judicial authority.


To exercise the rights listed above, the Data Subject may forward the request to the e-mail address testbusters@pec.it, by mail to the address via Marco Ulpio Traiano 17, 20149, Milan (MI) or via the contact us section of the Site. Such requests will be processed at no cost to the data subject and will be handled as soon as possible.


Consent given for the receipt of promotional information and commercial offers can also be withdrawn via the “unsubscribe” link included in the footer of all promotional emails, as well as by deselecting the appropriate box located within the User's personal profile on the Site, in the “Account Details” section.


Consent for cookies can also be modified by changing your browser settings.  (-Chrome: chrome://settings/cookies –Firefox: about:preferences#privacy –Internet Explorer: edge://settings/privacy –Opera: opera://settings/privacy –Safari: safari://settings/privacy)

Changes to this Privacy Policy

The controller reserves the right to modify, update, add, or remove parts of this privacy policy at its own discretion and at any time. The data subject is required to periodically check for any changes. Use of the Site, following the publication of changes, will constitute acceptance of the same.

    Privacy Policy | Processing of Personal Data | Testbusters IMAT Medschool