Personal Data Protection Policy
Last updated May 2018
HYGEIA Group takes into serious consideration the protection of privacy of its patients, clients and visitors. That is why we strictly follow this Personal Data Protection Policy, which ensures the high level of services we offer and fully complies with the legislative framework in force. Your personal data is collected and stored for the absolutely necessary time, and for specified, explicit and legitimate purposes. It is processed fairly, lawfully and transparently, in compliance with the legal framework in effect and in a way that guarantees data integrity and confidentiality. This data is adequate, relevant, useful and not excessive in relation to the above purposes. It is also accurate and, where necessary, kept up to date.
- HYGEIA Group Company Information
The details of the Company you have contacted for the provision of healthcare services are as follows:
Company name: MITERA PRIVATE, GENERAL, MATERNITY, GYNECOLOGICAL & CHILDREN’S HOSPITAL SA
Trading under: MITERA SA
Registered in: 6 Erythrou Stavrou Street, 15123 Marousi, Greece
TAX NO.: 094039858
TAX OFFICE: SA COMMERCIAL COMPANIES’ ATHENS OFFICE
The details of the Data Protection Officer for the HYGEIA Group companies are:
14 Fleming Street, 15123 Marousi, Greece
+30 210 686 7679
This Policy specifies the terms and conditions followed by HYGEIA Group for the general protection of the privacy of the patients, carers, visitors and other parties close to them, whose personal data may be processed with the aim of providing healthcare services, and of the users of www.mitera.gr. Through this Policy we aim to inform you on how we collect, store and process your information, such as personal data provided by you or your insurer when you choose to receive healthcare services from our Group, or health information arising from the provision of our services and your online medical file.
The Company reserves the right to amend and adjust this Policy as it sees fit, while any changes are in force as soon as they are posted on the www.mitera.gr website.
“personal data” means any information relating to an identified or identifiable natural person;
“genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person, as arising, in particular, from an analysis of a biological sample from the natural person in question, which give unique information about the physiology or the health of that natural person;
“biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person;
“data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveals information about his or her health status;
“special category personal data” includes genetic data, biometric data and data concerning health;
“personal data processing” means any operation or set of operations which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction;
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Personal data protection legislative framework
The personal data protection legislative framework in this Policy refers to the General Data Protection Regulation (GDPR) (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and any law or regulation issued subsequently or for applying the aforementioned General Regulation, as well as any applicable national law in force on personal data protection in general, especially in the healthcare sector.
These include the following applicable laws, as amended and in force:
- Law 3418/2015 on the Code of Medical Ethics
- Law 2071/1992 on updating and organizing the health system
- Law 2619/1998 on the Oviedo Convention
- Relevant regulatory acts by independent administrative authorities
- Purposes of processing your personal data
According to the legislative framework outlined above, HYGEIA Group collects and processes personal data of patients, patient carers or users of its companies’ websites for the following purposes, and to the extent absolutely necessary, to best serve these purposes. This data is relevant, useful and not excessive in relation to the above purposes. It is also accurate and, where necessary, kept up to date. HYGEIA Group may process personal data, provided the processing is necessary, for at least one of the following legal grounds:
- For entering into agreements between us or for taking measures at your request, prior to entering into an agreement, or
- For complying with a legal obligation, or
- For the purposes of our legal interests, or
- When you have given your consent, or
- For safeguarding your vital interests, or
- For performing tasks in the public interest, or
- For exercising rights and obligations arising from the social insurance legislation, or
- For establishing, exercising or defending legal claims, or for courts acting in their judicial capacity, or
- For the purposes of preventive or professional medicine, medical diagnosis, provision of medical treatment or management of health systems.
a. HYGEIA Group stores and processes the simple personal data provided by you or another person on your behalf for the purpose of carrying out the agreement for provision of healthcare services, signed by you or another natural or legal person on your behalf, and/or for safeguarding your vital interests, and/or for complying with a legal obligation or interest of HYGEIA Group, and/or based on your consent. It may also transfer your personal data to private and/or public insurance companies, and/or associates/processors, and/or competent judicial, police or tax authorities within and outside the EU, in compliance with the legislative framework in force.
HYGEIA Group stores and processes special category data, i.e. medical history, medical tests and medical procedures, submitted by you or another natural or legal person on your behalf, and the medical data arising from the provision of medical services – healthcare services by HYGEIA Group for the purpose of providing medical treatment – and healthcare services based on preventive or professional medicine, medical diagnosis, the protection of your vital interests and/or your explicit consent. HYGEIA Group may transfer the data acquired for the aforementioned purposes within and outside the EU, to private or public insurance bodies, based on your legal relationship with them; a network of physicians who offer independent services to our Group; and associates acting on behalf of the Company, in line with the agreements between us with the aim of providing healthcare services.
b. In compliance with the provisions of the current legislative framework, HYGEIA Group may process and transfer simple or special category patient personal data to lawyers to establish, exercise or defend legal claims, or for courts acting in their judicial capacity, to competent authorities, as well as for the purposes of legal obligations or public interest, as specified in the law. Moreover, HYGEIA Group may process and transfer simple data of a patient and/or a patient’s liable person/carer to comply with a legal obligation, as well as for the purposes of performing tasks in the public interest, and for competent police, judicial, administrative and tax authorities within the EU, following a valid request by them. It also has a legal obligation to conduct any necessary internal control into your personal data, in line with its internal procedures, as determined or specified by the law.
c. In compliance with the provisions of the legislative framework, HYGEIA Group may transfer simple and sensitive personal data to law firms for collecting or settling debts arising from the provision of medical services, so as to establish, exercise or defend legal claims.
d. Following your relevant consent, HYGEIA Group may process your personal data for the purpose of developing, improving and promoting its services, as well as for offering privileges.
- Length of time personal data is stored
HYGEIA Group is under the obligation to store documents or online files for as long as the national legislation specifies. In particular, as specified in the Code of Medical Ethics (Law 3418/2005, Government Gazette 287/A/28.11.2005), Article 14(4): “The obligation to store medical files applies for: (i) a decade from the last visit of the patient, for private practices and other private primary healthcare units, (ii) for 20 years from the last visit of the patient, in all other cases.”
Data stored for marketing promotion of products or services, and/or for the provision of privileges shall be erased in six months from the date the campaign was completed.
CVs collected by the relevant Human Resources Divisions are stored for one year and are then destroyed in line with the destruction policy adopted by HYGEIA Group for its companies.
Tax details are stored in accordance with the tax legislation.
- Your rights regarding personal data protection
The legislation on protection of your personal data gives you the following rights, which you may exercise free of charge in principle and based on the provisions of the legislative framework:
- Right of access, i.e. to obtain information on which of your data has been collected and processed by the Company, its origin, the purposes and legal foundation for its processing, any recipients or recipient categories, especially in third countries, and the period for which it will be stored.
- Right to rectification of any inaccurate personal data, so as to render it accurate by submitting a relevant form with your accurate personal data to the Company.
- Right to supplement any incomplete personal data, so as to render it complete by submitting a relevant form with your complete personal data to the Company.
- Right to erasure of your personal data in the following cases: (i) your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise submitted for processing; (ii) when you withdraw the consent on which the processing of your personal data is based and there is no other legal ground for the processing; (iii) when your personal data was processed without the necessary legitimate grounds; (iv) when your personal data has to be erased for compliance with a legal obligation; (v) when personal data of a child has been collected in relation to the offer of information society services, following its consent, or the consent is given or approved by the persons exercising parental care.
- Right to restriction of processing of your personal data in the following cases: (i) you contest your personal data, until the Company verifies its accuracy; (ii) you oppose the erasure of the personal data and request the restriction of its use instead; (iii) the Company no longer needs the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defense of legal claims.
- Right to object to the processing of your personal data, unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims of the Company.
- Right to data portability, i.e. to receive your personal data which you have provided to the HYGEIA Group companies, in a structured, commonly used and machine-readable format and transmit it to another controller, provided the processing of your personal data is based on your consent or was necessary for carrying out the agreement between us.
- Right to withdraw the consent you had provided (with no retroactive effect) at any time for an issue relating to the protection of simple personal and health data.
These rights may be restricted due to the obligation to apply another law, as for example in the case you request erasure of data, but we are under the obligation to keep it according to the law.
For any of the above or to resolve any issues as to the personal data protection legislation in force, you may contact our Group as follows:
- Through the online contact form to: email@example.com
- By post to: Data Protection Officer, 14 Fleming Street, 15123 Marousi, Greece
- HYGEIA Group will respond to your request free of charge and without delay, and in all events within one month from the date your request was received. This deadline may be extended for another two months, provided this is deemed necessary, taking into account the complexity of the request and the number of requests. The Company will inform you of any extension within one month from the date the request was received, as well as of the reasons for the delay.
- If it is impossible to satisfy your request, the Company will notify you without delay, and at the latest within a month from the date the request was received, of the relevant reasons and the option to lodge a complaint to the Hellenic Data Protection Authority, as well as your right to file a petition to the competent judicial authorities.
- If the Company considers that your requests are blatantly unfounded or excessive, it may demand the payment of a reasonable and corresponding fee, after taking into account the administrative costs to satisfy it, or it may deny responding to your request.
- Right to lodge a complaint
If you believe that your personal data protection rights are being violated, you reserve the right to lodge a complaint to the Hellenic Data Protection Authority (1-3 Kifisias Avenue, 11523 Athens, Greece, Tel: +30 2106475600, Email: firstname.lastname@example.org).
You also have the right to file a petition to the judicial authorities responsible for your personal data protection.
- Security measures
HYGEIA Group has taken all the appropriate technical and organizational measures to safeguard the implementation of the legislation and the suitable security level for your personal data. It has also trained all its staff and its network of associate physicians accordingly through the Personal Data Protection Procedures, and has legally bound all its associates who act on its behalf as processors with contracts governed by the guarantees and assurances of the GDPR.
When you give us your email address, you also consent to receiving emails for advertising purposes and direct marketing of our products and/or services through our newsletter. Your email shall be used exclusively by our Group and by the associate acting on our behalf for distributing the newsletters. In any such email, we will clearly and distinctly identify ourselves and will give you the option to object and request, easily and free of charge, termination of communication and erasure of your data from the database in question.