Preamble
Our company “Central Clinic of Athens S.A.” is the Controller of the existing website and ensures that all business activities are conducted in accordance with the principles of protection of privacy, respect for human dignity, protection of personal data and confidentiality of communications, as we believe that they demonstrate our unwavering commitment to ethical and responsible practices.
The present Policy describes our standards regarding the management and protection of Personal Data by or on behalf of our Company and applies to any activity we conduct, in every area, which is related to the processing of information relating to natural persons, including, inter alia, the operation of a research and therapy center, the research and promotion of medical science and the application of modern scientific developments in the care and treatment of patients, corporate support and the transmission of data that are necessary for the conduct of the above-mentioned activities.
The present policy for the protection of personal data is valid and applies to all facilities and/or digital environments and applications which belong to Central Clinic and are related to Central Clinic’s activity.
Definitions
For the purposes hereof, the following concepts are understood as follows:
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Special Categories of Personal Data”: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Anonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Existing legislation”: provisions in force in Greek, EU or other legislation to which Central Clinic is subject and which govern personal data protection issues.
Controller
For any processing of personal data carried out by the Company or its affiliates solely for the purposes and in the manner that the Company determines, the Controller is considered to be the Company under the name “Central Clinic of Athens S.A.”. In some cases we might operate as processor on behalf of other legal persons with which we have a contractual obligation.
What kind of personal data does the Company collect?
Central Clinic, within the context of its normal operation, may collect personal data from its patients, its employees and its partners in general, as well as from other natural persons with whom it interacts within its sphere of competence.
A. Categories of Personal Data:
Depending on the form of processing, Central Clinic may collect and process data on the following categories of data subjects:
- Patients Data: We collect personal and sensitive data, which you provide to us yourselves, as well as all the sensitive personal data collected from medical exams and procedures that you perform or present to us, which are stored in the patient’s medical record.
- Employee Candidates: If you are an employee candidate, to learn more about the data processed by the Company, read the privacy notice for employee candidates, which is available on Central Clinic’s website.
- Employee Data: We collect any personal information required to complete the hiring and the contractual relationship of the parties.
- Partners Data: We collect any personal information required to complete the contractual relationship of the parties.
B. Type of Personal Data
Certain personal data collected are the following:
- Identification and demographics (i.e. name, surname, father’s name, date of birth - age, spouse’s name, gender, identity card number, passport number, sickness booklet number, VAT number, data of relatives etc.),
- Contact Details (i.e. mailing address, telephone and mobile phone, e-mail). We collect these data so that we can communicate with you, to send you your examination results, if you have submitted relevant request, and to send you informational and promotional bulletins, if we have your relevant consent,
- Health Data: due to the nature of the services we provide, we collect data in order to create your history file, including any performed diagnostics and clinical examinations, hospitalization, doctor referrals, clinical symptoms, medical-pharmaceutical treatment and therapy, medical opinions and findings, any disabilities, data on surgical procedures, previous healthcare etc. We may also collect and process health data for medical services not provided by us, that is, health data that have been transmitted to us either by you or by the person accompanying you and are absolutely necessary for the assessment of your health status,
- Biological and genetic data we receive for laboratory testing,
- Data regarding your insurance,
- Data regarding the payment method, such as credit/debit card information etc., and details of the person who is financially liable for the expenditure,
- Navigation Data and the Internet Protocol address (IP) of your device as you browse on our website (for more information see our Company’s cookies policy),
- Data regarding images and visuals from closed-circuit television (CCTV) and security cameras,
- Data regarding requests you have submitted in the context of exercising your rights or complaints,
- Data you have submitted to us when you request the evaluation of your qualifications for a job position in our Company.
Lawful basis for Processing Data
We process your personal data with transparency, according to the principles of legality, proportionality, confidentiality and integrity, purpose limitation, accuracy, storage limitation and data minimization.
The lawful basis for processing your personal data in each case may be, in particular:
- Your consent (it is noted that according to the existing legislative framework for the provision of medical services and the processing of your personal data necessary for this purpose, your consent is not required [art. 9 par. 2 c. VIII of the General Regulation]),
- The necessity of processing your personal data under our contractual obligation or pre-contractual obligation,
- The necessity of processing your personal data in order to assure our legitimate interests,
- The necessity of processing your personal data in compliance with our legal obligation,
- The necessity of processing your personal data for purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or under contract with a health care professional,
- The necessity of processing for the fulfillment of obligations and the exercise of specific rights, ours or yours, in the field of labour law and social security law and social protection or for fulfilling the task that is performed in the public interest,
- The necessity of data processing for the protection of your own vital interests or those of the person you accompany,
- The necessity of processing your personal data for the establishment, exercise or support of rights and legal claims in cases regarding medical liability and provision of health services in general.
- The necessity of producing statistical data,
- The necessity for scientific research.
Purposes of Data Processing
The Company’s purposes for data processing are always based on a lawful basis of processing and vary according to the categories of data subjects.
Specifically, some purposes of data processing are the following:
- For the provision of health services; the processing is necessary for preventive medicine purposes, diagnosis, provision of health care or treatment,
- For sending and receiving the results of your medical examinations,
- For complying with our legal obligation,
- For the safety of individuals and goods,
- For sending newsletters,
- For our communication with you and the management of your requests, regarding either matters of personal data protection or the quality of our service towards you.
- Exceptionally, the data of your medical file are used when necessary for the establishment, recognition, exercise or defense of rights and legal claims in cases regarding medical liability and the provision of health services in general.
- For producing statistical data, after the anonymization of your data.
- For scientific research purposes and the conduct of clinical studies and/or other clinical programs, after the anonymization of your data or with your explicit consent.
- For lawfully entering into contracts, so that the legal and contractual obligations they impose are complied with.
- For being able to hire staff or to contract with external partners (e.g. doctors, nurses etc.).
Transmission of Personal Data
We may transmit your personal data to third parties in the following cases:
- To our partners, who are acting on our behalf in accordance with agreements we have signed with them. In this case we assign the execution of specific processing operations, ensuring that the processing is carried out in accordance with the existing legal framework, that your personal data are processed safely and that you can exercise your rights freely and unhindered.
- To affiliated insurance companies inside the EU and the EEA for your insurance coverage, only on condition that there is legal basis for the processing (e.g. consent).
- To judicial and prosecuting authorities within the exercise of their duties, or at the request of a third party claiming a legitimate interest, in accordance with the legal procedures.
- To other institutions of the Greek State, which based on their statutory provisions have such right and jurisdiction.
Transmission to third countries and/or International Organizations
Your personal data may be transmitted outside of the EU only if appropriate safeguards are respected in accordance with the current legislation (the Company checks whether the Commission has adopted an adequacy decision for the third country to which the transmission will take place, or whether appropriate safeguards are respected in accordance with the Regulation on the transmission of such data).
Duration of Personal Data Keeping
All the personal data we process are kept for a predetermined and limited duration depending on the purpose of the processing, after which the personal data are deleted from our databases. In any case, the duration of the keeping cannot be less than that which the law requires (e.g. medical file keeping, tax documents etc.), and data are not deleted for as long as there is a connection with the natural persons, e.g. through the contractual relationship, and for the period of time during which any legal claims may arise.
Data Subjects Rights
We take care to protect and respect your rights. Specifically, you always retain the following rights:
- Right of access
- Right to rectification
- Right to erasure (‘right to be forgotten’)
- Right to restriction of processing
- Right to data portability
- Right to object
Furthermore, if you exercise one or more of the above rights of rectification, erasure or restriction of processing of your personal data, these requests will also be transmitted to any third party to which personal data may have been transmitted in the context of the previously mentioned purposes of processing.
For exercising any of your above-mentioned rights, you can contact our Data Protection Officer at eprivacy@centralclinic.gr
In case of exercising any of your above-mentioned rights, the Company should respond to you within one month (1 month) of the receipt and identification of your request. This period may be extended by two (2) months, if required, taking into account the complexity of the request and the number of requests. In this case, the company will provide information for such an extension within a month (1 month) of receipt of the request, as well as for the reasons of the delay.
Data Protection Officer
In order to ensure the effective protection of personal data, the subjects may address requests and questions about this privacy policy via e-mail at privacy@centralclinic.gr or via telephone +30 210.7296380
In case you believe that your personal data were affected in any way, you can contact the Hellenic Data Protection Authority, as follows:
Website: www.dpa.gr
Postal address: Kifissias Avenue 1-3, P.c., 115 23 Athens
Call Center: + 30 210 6475600
Fax: + 30 210 6475628
E-mail: contact@dpa.gr
Changes to the current Policy
The current Privacy Policy may be revised from time to time, in accordance with the requirements of the applicable legislation. In case of a change to the current policy, notice will be posted on our Company’s website.
Date of effect 5/25/2018