DATA PROTECTION POLICY
- Purpose
The purpose of this policy is to inform you about the ways in which “GENESIS OBSTETRICS GYNECOLOGY SURGERY HOSPITAL” (hereinafter referred to as “the Company”) collects, processes and protects personal data, the reasons for which it keeps such data, the types of data it processes, the length of time it stores the data and the appropriate technical and organisational measures it adopts to protect such data.
The Company unilaterally reserves the right to update, modify or add to its services and this Policy from time to time, whenever it deems it necessary, without prior notice, always within the legal framework in force and in accordance with any changes in the applicable legislation on personal data protection. The Company encourages all interested parties to check this Policy periodically to be informed of any changes that have taken place.
Personal Data
Personal Data is any information relating to an identified or identifiable natural person, i.e. a person who can be identified, directly or indirectly, by reference to an identifier such as a name, ID number, TIN, SSN, etc., and/or to factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Genetic, biometric and health data are special categories of (sensitive) personal data and require increased protection.
The nature of the Company’s activity is such that it comes into daily contact with a multitude of personal data of patients, staff, associate doctors, other partners, suppliers, subcontractors, visitors to its website, recipients of electronic communications, etc.
Purposes of Collection, Processing and Disposal of Personal Data
The Company collects, processes and stores personal data to accomplish the following purposes:
- To provide medical and nursing services of primary and/or secondary care to patients visiting its centres (clinics and/or diagnostic centres).
- To manage human resources issues concerning the staff employed by the Company, irrespective of their employment relationship and specialty (recruitment, dismissals – resignations, payroll, evaluations, corporate communications, etc.).
- For the proper cooperation between the Company and its cooperating doctors, irrespective of their employment relationship and medical speciality.
- To manage collaboration issues with suppliers of products and services, subcontractors and other partners, through relevant contracts or additional acts.
- To respond to requests from audit authorities and to manage statutory requirements and audits.
- To manage patient and visitor complaints.
- To manage ancillary services such as access control, security and entry checks at the Company’s premises, including closed-circuit television (CCTV) for the purpose of protecting persons and property.
- To inform the public about the services offered by the Company, through the organisation of events of an informative or scientific nature, through electronic media including social media, and through other actions of any kind.
- To promote the Company’s public relations (corporate social responsibility actions, sponsorships, etc.).
- To organize and conduct educational seminars/programs for the staff, as well as scientific workshops/events and/or trainings for the associate physicians of each specialty.
- To deal with legal matters (through the legal department).
- To manage accounting and tax services.
Basic Principles for the Collection and Processing of Personal Data
The Company complies with the following fundamental principles of personal data protection, as required by Regulation (EU) 2016/679 of the European Union on the protection of personal data (hereinafter “GDPR”):
- Data are collected in a fair and lawful manner, for specified, explicit and legitimate purposes, and are not further processed in a way incompatible with those purposes.
- The data are adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed.
- The data are accurate and updated whenever necessary, and all reasonable steps are taken to promptly correct personal data which are inaccurate in relation to the purposes for which they are processed.
- The data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing, in accordance with the applicable legislation.
- The processing of personal data, including transfer to third parties, is carried out only where a legal basis under Article 6 of the GDPR (and, for special categories of data, Article 9 of the GDPR) applies.
- The collection and processing of data are carried out with respect for the data subjects’ rights of information, access and objection.
- The processing of personal data is confidential and carried out by persons who are bound by confidentiality obligations.
- Appropriate organisational and technical measures are taken to ensure the security of the data and to protect them against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and any other form of unlawful processing.
- Data are processed under the responsibility of the Company (data controller), which ensures, and is able to demonstrate, for each processing operation its compliance with the provisions of the applicable regulatory framework.
Types of Personal Data Collected
Indicatively, the personal data collected and processed by the Company include the data necessary for the admission or visit of a patient, for the recruitment of an employee, for cooperation with a doctor, for cooperation with a supplier, subcontractor or other partner, for the electronic transmission of a newsletter to third parties, and so on.
In the case of patients, health data are collected regarding the medical or nursing services provided by the Company, and possibly also health data for medical services not provided by the Company but reported to the Company either by the patients themselves or by third parties. Personal data of persons accompanying patients, or of relatives, may also be collected. In addition, payment processing information (e.g. bank account or credit card details) may be collected.
In the case of visitors to the Company’s website, information is collected from the use of the Company’s website and of all digital platforms that the Company uses or may use in the future in order to inform third parties about the services it provides. In particular, technical information that constitutes personal data may be collected, such as the Internet Protocol (IP) address of the visitor’s device (e.g. computer, laptop, tablet, smartphone), browsing patterns, information about the use of a web page, browser history, geolocation data, HTTP protocol elements, etc. Such technical information is used for the smooth operation and performance of the website and the online services and is not stored permanently in the Company’s infrastructure; the data are kept in aggregated form so that, as far as possible, individual users cannot be identified.
Personal Data Collection and Transmission
The personal data of the data subjects are collected by authorised employees of each Department of the Company for the sole purpose of providing the respective service. Indicatively, the Admission Office, the outpatient clinic reception, the diagnostic department reception and the central reception collect patient data; the human resources department collects data relating to employees and medical staff/associates; the accounting department collects data relating to suppliers and other associates; and so on. Especially in the case of patients, personal data may be provided by the data subjects themselves or, if this is not possible, by the person or persons accompanying them.
Personal data are transferred solely on the legal basis of Article 6 of the GDPR for ordinary personal data, or Article 9 of the GDPR for special categories of personal data (sensitive data). Special categories of patient data are provided to third parties only when necessary to provide medical services to the data subjects (e.g. to physicians for diagnostic or treatment purposes). On the basis of the explicit consent of the data subjects, health data may be passed on to third parties (e.g. the patient’s insurance company).
The Company undertakes not to use the personal data of the data subjects for purposes other than those collected and will not disclose them to third parties without a legal basis for processing in accordance with the GDPR.
Duration of data retention
Personal data are kept for as long as specified by the relevant legislation, in accordance with the specific information provided separately to each category of data subject.
In particular, for patients, the retention period for the personal data of outpatients/examinees is 10 years, while the retention period for the personal data of inpatients is 20 years, in accordance with the obligation imposed by the applicable legislation, unless legal actions are in progress, in which case the retention period is extended until the issuance of an irrevocable court decision.
After the expiry of the retention period, the Company shall ensure that the personal data is destroyed in a secure manner.
Fundamental rights of data subjects
In compliance with the GDPR, each data subject has the following rights in relation to his or her personal data:
- Right to information: The Company has the obligation to inform the data subject, in an intelligible manner, about the identity and contact details of the Company, the contact details of the Data Protection Officer, the purpose of the processing of his/her data and the legal basis for the processing, the recipients or categories of recipients of his/her personal data, the period of time for which the data will be stored, the rights of access, rectification, erasure, portability and restriction of the processing of personal data, the right to lodge a complaint with the supervisory authority, whether the provision of the data is mandatory or not, and the possible consequences of not providing the data. If the Company intends to transfer data of the data subject to a third country or international organisation, the Company must inform the data subject accordingly. If the data are not obtained from the data subject, the Company must additionally inform the data subject of the source of the data.
- Right of access: When the data subject exercises the right of access, the Company has the obligation to confirm to the data subject whether it is processing his/her personal data and, if so, to provide him/her with a copy of the data processed.
- Right to rectification: The data subject is entitled to request from the Company the rectification of inaccurate data concerning him/her, in accordance with the GDPR.
- Right to erasure: The data subject has the right to request the erasure of personal data concerning him or her, subject to the restrictions provided for in the GDPR.
- Right to restriction of processing: The data subject has the right to request the restriction of the processing of his or her data under the conditions provided for by the GDPR.
- Right to data portability: The data subject has the right to request the portability of his or her data in the cases provided for by the GDPR.
- Right to object: The data subject has the right to object to the processing of personal data concerning him or her under the conditions set out in the GDPR.
Data subjects may exercise the above rights by submitting a request in writing to dpo@genesishospital.gr.
Any request submitted should be accompanied by the identification details of the data subject and contain the necessary information. The Company may request additional information in order to confirm the identity of the data subject before acting on the request.
In any case, data subjects have the right to address the competent authority for the protection of personal data (Hellenic Data Protection Authority, www.dpa.gr).
The Company shall make every effort to ensure that requests are answered without delay and in any case within one month of receipt. This deadline may be extended by two (2) more months, if necessary, taking into account the complexity of the request and the number of requests.
Security of Personal Data
The Company shall make every effort to protect the personal data of the data subjects it processes, both in terms of the confidentiality of the information and in terms of its integrity (that it is not altered, not accidentally destroyed, etc.).
In general, the Company, as controller of personal data, taking into account the state of the art and the costs of implementation, the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risks posed by the processing to the rights and freedoms of natural persons, applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Where it considers it appropriate and effective, the Company applies the technical and organisational measures of pseudonymisation and encryption.
Access to the personal data of the data subjects is limited only to the Company’s staff who need to have access for the purpose of the specific processing. The Company’s staff and its associates are bound to the Company to maintain confidentiality and medical confidentiality for any data that comes to their attention or is disclosed to them by the patient or third parties (relatives, persons accompanying relatives, visitors, doctors, other associates, etc.).
Sensitive personal data of the data subjects (in particular the health data of patients) are handled with great care and discretion by the Company’s staff. In particular, staff have been instructed as follows:
- Patients’ personal data must be handled with the utmost discretion.
- When a patient comes in, whether to receive medical services or to collect test results or copies of their medical records, they must always be identified.
- A patient’s health data shall be handed over only to the patient personally or to a third person duly authorised by the patient, and only after that person has been identified.
- Staff must be very careful when handling documents containing patient data: these should never be left unattended or exposed to view, and should only be handed over to authorised persons.
- Staff should be very careful when using a computer: whenever they step away from it, they must ensure that it is locked.
- Computer passwords are strictly personal, and staff must not share them with anyone.
- When staff become aware that a third party has gained unauthorised access to patient data, they must inform the Head of the Department and the Data Protection Officer without delay.
- Where staff are in any doubt about the correct handling of patients’ personal data, they should inform the Head of the Department, who will either give the correct directions or refer the matter to the Data Protection Officer.
All company staff are aware that the obligation to respect and maintain medical confidentiality and the protection of personal data shall apply to all staff, regardless of their position, speciality and seniority.
Data Protection Officer (DPO)
For further clarification on this Data Protection Policy, for any matter concerning the processing of personal data, and for the exercise of their rights under the GDPR, data subjects may contact the Company’s Data Protection Officer (DPO) by phone at 2310-984000 or by e-mail at dpo@genesishospital.gr.