Our company “Central Clinic of Athens S.A.” (hereinafter referred to as “Central Clinic” or “the Company”) acts as the Controller of the personal data of users of this website and ensures that all business activities are conducted in accordance with the principles of protection of privacy, respect for human dignity, protection of personal data and confidentiality of communications, as we believe that they demonstrate our unwavering commitment to ethical and responsible practices.
The present Policy describes our standards regarding the management and protection of Personal Data by or on behalf of our Company. It applies to any activity we conduct, in every area, that is related to the processing of information relating to natural persons, including, inter alia, the operation of a research and therapy center, the research and promotion of medical science, the application of modern scientific developments in the care and treatment of patients, corporate support and the transmission of data necessary for the conduct of the above-mentioned activities.
For the purposes hereof, the following concepts are understood as follows:
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Special Categories of Personal Data”: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Anonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Existing legislation”: provisions in force in Greek, EU or other legislation to which Central Clinic is subject and which govern personal data protection issues.
For any processing of personal data carried out by the Company or its affiliates solely for the purposes and in a manner that the Company determines, Central Clinic of Athens S.A. is considered the Data Controller. In some cases, the Company might act as a Data Processor on behalf of other legal persons with which we are contractually bound.
What kind of personal data does the Company collect?
Central Clinic, within the context of its normal operation, may collect personal data from both its patients and its employees, as well as from its partners in general, along with other natural persons, with whom it interacts within its sphere of competence. In addition, Central Clinic collects the personal data of the users of its website.
A. Categories of Personal Data:
Depending on the form of processing, Central Clinic may collect and process data on the following categories of data subjects:
- Patients Data: We collect personal and sensitive data, which you provide to us yourselves, as well as all the sensitive personal data collected from medical exams and procedures that you perform or present to us, which are stored in the patient’s medical record.
- Employee Candidates: If you are an employee candidate and wish to learn more about the data processed by the Company, you can read the privacy notice for employee candidates, which is available on Central Clinic’s website.
- Employee Data: We collect any personal information required to complete the hiring and the contractual relationship of the parties.
- Partners Data: We collect any personal information required to complete the contractual relationship of the parties.
- Website Users Data: All personal data necessary to provide appropriate services to users of our website are automatically collected, while further personal data that users voluntarily provide for specific purposes may be collected.
B. Type of Personal Data
Certain personal data collected are the following:
- Identification and demographics (i.e. name, surname, father’s name, date of birth- age, spouse’s name, gender, identity card number, passport number, sickness booklet number, VAT number, data of relatives etc). These data are collected for the proper and lawful provision of our services.
- Contact Details (i.e. mailing address, telephone and mobile phone, e-mail). We collect this information so that we can contact you, to send you the medical examination results - with your express consent - if you have requested us to respond to a request you have made, and in order to send you newsletters and promotions, once we have obtained your explicit consent to do so.
- Health Data: due to the nature of the services we provide, we collect data in order to create your history file, including any performed diagnostics and clinical examinations, hospitalization, doctor referrals, clinical symptoms, medical history, pharmaceutical treatment and therapy, medical opinions and findings, any disabilities, data on surgical procedures, previous healthcare etc. We may also collect and process health data for medical services not provided by us, namely health data that have been transmitted to us either by you or by the person accompanying you and are absolutely necessary for the assessment of your health status,
- Biological and genetic data we receive for laboratory testing,
- Data regarding your insurance,
- Data regarding the payment method, such as credit/debit card information etc., and details of the person who is financially liable for the expenditure,
- Navigation Data and the Internet Protocol address (IP) of your device as you browse on our website (for more information see our Company’s cookies policy),
- Data regarding images and visuals from closed-circuit television (CCTV) and security cameras,
- Data regarding requests you have submitted in the context of exercising your rights or complaints,
- Data you have submitted to us when you request the evaluation of your qualifications for a job position in our Company
Lawful basis for Processing Data
We process your personal data with transparency, in accordance with the principles of legality, proportionality, confidentiality and integrity, purpose limitation, accuracy, storage limitation and data minimization.
The lawful basis for processing your personal data in each case can be, in particular:
- Your consent (it is noted that according to the existing legislative framework for the provision of medical services and the processing of your personal data necessary for this purpose, your consent is not required [art. 9 par. 2 c. VIII of the General Regulation]),
- The necessity of processing your personal data under our contractual obligation or pre-contractual obligation,
- The necessity of processing your personal data in order to assure our legitimate interests,
- The necessity of processing your personal data in compliance with our legal obligation,
- The necessity of processing your personal data for purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or under contract with a health care professional,
- The necessity of processing for the fulfillment of obligations and the exercise of specific rights, ours or yours, in the field of labour law and social security law and social protection or for fulfilling the task that is performed in the public interest,
- The necessity of data processing for the protection of your own vital interests or those of the person you accompany,
- The necessity of processing your personal data for the establishment, exercise or support of rights and legal claims in cases regarding medical liability and provision of health services in general,
- The necessity of compiling statistical data,
- The necessity for scientific research.
Purposes of Data Processing
The Company’s purposes for data processing are always based on a lawful basis of processing and vary according to the categories of data subjects.
Specifically, some purposes of data processing are the following:
- For the provision of health services; the processing is necessary for preventive medicine purposes, diagnosis, provision of health care or treatment,
- For scheduling your visit,
- For sending and receiving the results of your medical examinations,
- For complying with our legal obligation,
- For the safety of individuals and goods,
- For sending newsletters,
- For our communication with you and the management of your requests, regarding either matters of personal data protection or the quality of our service towards you,
- Exceptionally, the data of your medical file are used when necessary for the establishment, recognition, exercise or defense of rights and legal claims in cases regarding medical liability and provision of health services in general,
- For compiling statistical data, after the anonymization of your data,
- For scientific research purposes and the conduct of clinical studies and/or other clinical programs, after the anonymization of your data or with your explicit consent,
- For lawful contracting, so as to comply with the legal and contractual obligations it imposes,
- For being able to hire staff or to contract with external partners (e.g. doctors, nurses etc.).
Transmission of Personal Data
We may transmit your personal data to third parties in the following cases:
- To our partners, who are acting on our behalf in accordance with agreements we have signed with them. In this case we assign the execution of specific processing operations, ensuring that the processing is carried out in accordance with the existing legal framework, and that our partners have taken all the appropriate technical and organizational measures to protect your data and that you can freely exercise your rights.
- To affiliated insurance companies inside the EU and the EEA for your insurance coverage, only on condition that you have given us your prior consent to do so.
- To judicial and prosecuting authorities within the exercise of their duties, or at the request of a third party claiming a legitimate interest, in accordance with the legal procedures.
- To other institutions of the Greek State, which based on their statutory provisions have such right and jurisdiction.
Transmission to third countries and/or International Organizations
Your personal data may be transmitted outside of the EU only if appropriate safeguards are respected in accordance with the current legislation (the Company checks whether the Commission has adopted an adequacy decision for the third country to which the transmission will take place, or whether appropriate safeguards are respected in accordance with the Regulation on the transmission of such data).
Duration of Personal Data Keeping
All the personal data we process are kept for a predetermined and limited duration depending on the purpose of the processing, after which the personal data are deleted from our databases. According to the Code of Medical Ethics, your medical records will be kept for 20 years from your last visit to the Central Clinic.
Under no circumstances may the retention period be shorter than required by law (e.g. keeping a medical record, tax documents, etc.), and data are not deleted for as long as there is a connection with the natural persons, e.g. through the contractual relationship and for the period of time during which any legal claims may arise.
Data Subjects Rights
We take care to protect and respect your rights. Specifically, you always retain the following rights:
- The Right of access
- The Right to rectification
- The Right to erasure (‘the right to be forgotten’)
- The Right to restriction of processing
- The Right to data portability
- The Right to object
- The Right to withdraw consent.
You can submit a request, which we will satisfy as soon as possible, at no cost. However, and only in certain cases, we may charge a certain amount; we will notify you of the possibility of such charges upon receipt of your request for access and will await confirmation that you wish to proceed with your request.
Furthermore, if you exercise one or more of the above rights of rectification, erasure or restriction of processing of your personal data, these requests will also be transmitted to any third party to whom the personal data may have been transmitted in the context of the previously mentioned purposes of processing.
To exercise any of the above rights, you may contact the Data Protection Officer at the email address: firstname.lastname@example.org
If you exercise any of your above-mentioned rights, the Company should respond to you within one month (1 month) of the receipt and identification of your request. This period may be extended by two (2) months, if required, taking into account the complexity of the request and the number of requests. In this case, the Company will inform you of such an extension, as well as of the reasons for the delay, within a month (1 month) of receipt of the request.
Data Protection Officer
If you are unsatisfied with the way your personal information is processed by our Company, you may contact the Hellenic Data Protection Authority (DPA) as follows:
Postal address: Kifissias Avenue 1-3, P.C. 115 23, Athens
Call Center: + 30 210 6475600
Fax: + 30 210 6475628
However, we would be very pleased if we were given the opportunity to resolve your issue internally, before contacting the DPA.
Changes to the current Policy