This policy covers all the operations established and implemented by the Company as required by the General Data Protection Regulation 2016/679 (GDPR) and the applicable national legislation concerning the protection of natural persons with regard to the processing of their personal data, the rules governing the free movement of such data, and the protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy. Such processing may consist of collecting, recording, organizing, structuring, storing, amending, updating, retrieving, searching user information, disclosing, transmitting, deleting, or destroying personal data.
Because of the nature of its business, the Company interacts daily with personal data belonging to its customers, employees, physicians and associate physicians, other partners such as suppliers or subcontractors, website visitors and/or recipients of electronic messages, etc.
Personal data is any information relating to an identified or identifiable natural person, i.e., a person whose identity can be determined, directly or indirectly, by reference to identifiers such as name, national ID number, VAT number, Social Security Number, etc., and/or by reference to characteristics specific to the physical, physiological, genetic, mental, financial, cultural, or social identity of that person. Genetic data, biometric data, and health-related data are special (sensitive) categories of data and require increased protection.
Collection, Processing, and Disposal Purposes of Personal Data
The Company collects, processes, and stores personal data to:
- provide medical and nursing services of primary and secondary care to visitors (customers: inpatients, outpatients, and diagnostics sector visitors);
- manage Human Resources issues pertaining to the Company’s personnel, regardless of their employment status and specialization (recruitment, dismissals – resignations, payroll, evaluations, corporate communications, etc.);
- orderly collaborate with its physicians, regardless of their employment status and medical specialty;
- manage partnership issues with product and service suppliers, subcontractors, and other partners, on the basis of relevant contracts or additional acts;
- respond to requests from auditing bodies and manage requirements and audits provided for by law;
- address customer and visitor complaints;
- perform ancillary services such as access and security, as well as entry checks to all Company premises, including video surveillance (CCTV) for security purposes;
- market and advertise its services, including Internet & Social Media Marketing, e-mail marketing, SMS marketing, organizing training activities and events in various subjects for both its customers and the general public, as well as for any other marketing-related actions (direct marketing, printed material, etc.);
- promote the Company’s Public Relations Strategy (corporate social responsibility actions, sponsorships, etc.);
- organize and hold training seminars/programs for the personnel, as well as scientific conferences/events and/or training courses for its physicians in every specialty;
- handle legal issues (via the legal service);
- manage accounting and tax services; and
- effectively and securely run the Company’s children’s area (playroom).
Key Principles of Personal Data Collection and Processing
The Company strictly adheres to the following key principles:
- The data is collected in a fair and lawful manner, for specified, explicit, and legitimate purposes, and is not further processed in a way incompatible with those purposes
- The data is adequate, relevant, and limited to the minimum necessary for the purposes for which it is processed
- The data is accurate and kept up to date; every reasonable step is taken to ensure that personal data that is inaccurate with respect to the purposes for which it is processed is erased or rectified without delay
- The data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed, in accordance with the law
- Personal data processing, including transmission to third parties, is carried out only with the explicit and written consent of the natural person (subject), except in the cases for which a relevant exception is provided by the current regulatory framework
- Data collection and processing is carried out with respect to the rights of information, access, and objection of the subjects
- Personal data processing is confidential and carried out only by persons who are bound to observe confidentiality
- Adequate organizational and technical measures are taken for the security of data and their protection against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
- The data is processed under the responsibility of the Company (controller), which ensures and demonstrates that each processing operation is compliant with the provisions of the current regulatory framework.
Types of Personal Data Collected
Indicatively, personal data collected by the Company and subject to additional processing pertain to all those details required for the admission/entry of a customer/patient or visitor to the Department of Diagnostics, the recruitment of an employee, any kind of partnership with a physician, regardless of their medical specialty, the cooperation with suppliers – subcontractors – other partners, electronic sending of newsletters to third parties, etc.
For customers, such data pertain to name and general contact information, marital status, etc., including their own or their relatives’ email address and telephone number. At the same time, health data is collected regarding medical or nursing services provided by the Company or even health data for medical services that were not provided by the Company but were reported to the Company either by the customers themselves or third parties. In addition, payment processing information (e.g., credit card details) may be collected.
Furthermore, information may be collected through the use of the Company’s website and all kinds of digital platforms the Company uses or may use in the future, for the purpose of informing third parties about the services the Company provides. Indicatively, and beyond using/visiting the Company’s website, data collection is also performed when registering through the online application to receive the Company’s newsletter on a regular basis and/or receive e-correspondence or notice e-mails/news and submit questions in relation to services provided.
In addition to the above data provided to the Company, technical information that constitutes personal data may also be collected, e.g., the Internet Protocol (IP) address of the visitor’s device (computer, laptop, tablet, smartphone), browsing patterns, information about the use of a website, browser history, geolocation data, elements of the HTTP protocol (such as request headers), etc. This technical information is used for the smooth operation and performance of the website and online services and is not permanently stored in the Company’s infrastructure; it is kept only in aggregated form that does not allow individual users to be identified.
Collection of Personal Data and Transmission
All personal data is collected by authorized Company employees for each service, for the sole purpose of providing each service. For example, the Admissions Office, the Secretariat of the Outpatient Clinics, the Secretariat of the Department of Diagnostics, the Parturient Front Desk, and the Central Front Desk collect customer data (inpatients, outpatients, and visitors for diagnostic tests), the Human Resources Office collects personnel and physician data, the Accounting Office collects data of suppliers – subcontractors – other partners, the Department of Marketing collects data of individuals, among others, for sending newsletters and other company updates/actions, etc.
Regarding the source of the data, especially in the case of customers (inpatients, outpatients, and visitors to the Department of Diagnostics), such data may be provided by the data subjects themselves or by the persons accompanying them.
Regarding transmission, the collected personal data is transmitted exclusively to authorized third parties bound to observe confidentiality, and only where such parties require access in order to provide a service (e.g., physicians for diagnostic purposes). At the request of the data subject, their personal data may be transferred to third parties (e.g., another physician) or to enterprises cooperating with the Company (e.g., insurance companies with which the subject holds a policy). The Company undertakes not to market personal data by making it available for sale or rent, giving, transferring, publishing, or disclosing it to third parties, or using it in any other way or for any other purpose that may endanger the privacy, rights, or freedoms of the data subject, unless this is required by law, by a court decision or order, or by an administrative act, or constitutes a contractual obligation necessary for the proper functioning of the Company’s Website and the performance of its functions.
Duration of Data Retention
Depending on the service, personal data is kept for as long as required by the nature of the service provided by the Company and, in addition, for as long as the relevant legislation requires.
Fundamental Rights of Data Subjects (natural persons/data owners)
Data subjects have the following rights in respect of their personal data:
- The right to information
In particular, at the stage of collecting personal data, the Company has the obligation to inform the data subject, in a comprehensible way, of:
– the identity and contact information of the Company
– the purpose of processing their data
– the recipients or categories of recipients of their data
– the period of time for which the data will be stored
– the rights of access, rectification, erasure, and objection to the processing of personal data
– whether the provision of the data is mandatory or not, as well as the possible consequences of not providing it
– the right to lodge a complaint with the Data Protection Authority, including the Authority’s contact details
– where the data was not obtained from the data subject, the source from which the data originated
– where the Company intends to transfer the data to a third country or international organization, the level of protection provided by that third country or international organization
The Company is responsible for making the necessary amendments to the pre-contractual and contractual informed-consent forms provided to the data subject.
- The data subject’s right of access, i.e., to obtain confirmation from the Company (controller) as to whether their personal data is being processed and, if so, access to that data and to information about the processing
- The data subject’s right to rectification, via a written request to the controller, who must satisfy the request without delay and within one (1) month, unless there are reasons justifying a longer period of time
- The data subject’s right to be forgotten and to erasure
- The data subject’s right to restrict processing
- The data subject’s right to data portability
- The data subject’s right to object
- The data subject’s right not to be subject to a decision based solely on automated processing, including profiling
- Restrictions to the rights of the data subjects
In particular, with regard to the newsletter service, data subjects can unsubscribe by following the instructions included in each newsletter, in order to stop the processing of personal data related to this service.
The Company will make every effort to address requests without delay and, in any case, within one (1) month of receipt. Where necessary, depending on the complexity of the request and the number of requests to be addressed, this deadline may be extended by two (2) further months. Data subjects will be informed of any such extension, and of the reasons for the delay, within one (1) month of receipt of the request by the Company. If the request is submitted electronically, the response will, where possible, be provided electronically, unless the data subject requests otherwise (e.g., a written letter).
In any case, data subjects can contact the Data Protection Officer, the Hellenic Data Protection Authority (DPA) and/or seek a judicial remedy if they consider that their above rights have been breached.
Obligations of the Company/Controller
The Company, as controller, has the following obligations:
- Obligation to notify regarding rectification or erasure of personal data or restriction of processing
- Obligation to meet the principles of data protection by design and data protection by default
- Obligation of the controller to keep records of processing activities and of the operations performed on the data
- Obligation of the controller to cooperate with the supervisory authority
- Obligation of the controller to ensure the confidentiality and security of processing
- Obligations of the controller in the event of a personal data breach:
o To notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach
o To inform the affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Obligation of the controller to carry out a Data Protection Impact Assessment where the processing is likely to result in a high risk to the rights and freedoms of natural persons
- Obligation of the controller to appoint a Data Protection Officer
Personal Data Security
The Company considers the privacy of the persons whose personal data it processes, whether customers, employees, or third parties, to be extremely important, and makes every effort to protect that data, both in terms of confidentiality of the information and in terms of its integrity (that it is not altered, not accidentally destroyed, etc.).
In general, the Company, as controller, considering the available technology and the cost of implementation, the nature, scope, context, and purposes of the processing, as well as the severity and likelihood of occurrence of the risks posed by the processing on the rights and freedoms of natural persons, applies in an efficient manner, both when determining the means of processing and during the processing itself, appropriate technical and organizational measures, in order to incorporate the principles of protection and the necessary safeguards during personal data processing. All appropriate technical, and organizational steps are taken to ensure that, by definition, only personal data that is necessary for the intended purpose is processed.
The Company also keeps a record of every category of processing activity for which it is accountable, containing, for example, the basic details of the persons responsible, the purpose of the processing, the categories of recipients, a description of the categories of data subjects, any transfers to third countries, the legal basis of the processing, the time limits for erasure of the various categories of personal data, and a description of the appropriate technical and organizational measures. In addition, the Company keeps logs of the following operations in its automated processing systems: collection, alteration, consultation, disclosure including transmission, combination, and erasure.
Access to the contact information of visitors/users of the Company’s Websites is limited to authorized persons who are bound to observe confidentiality (employees, service providers) and who reasonably need to know this information in order to provide products or services to visitors/users of the Company’s Websites or to perform their work. The Company also expressly prohibits the use of cameras and video recording equipment, as well as the photography and video recording functions of mobile phones, within the Company’s workplaces, by personnel and partners alike.
VERSION 1.0 – 5/1/2018