Data Protection Policy

The company under the name “GENERAL CLINIC OF DODECANESE SINGLE-MEMBER SOCIETE ANONYME” (hereinafter referred to as the “Company”), in order to fulfill its purpose of providing high-quality medical and nursing services, processes the personal data of its patients, both simple and sensitive, such as health data, in compliance with both the Code of Medical Ethics and the broader legislative and regulatory framework, including Regulation 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the Regulation) and the relevant decisions of the Personal Data Protection Authority (hereinafter referred to as the Authority). In addition, it processes data of its employees, associates, and suppliers, as well as of anyone who has transactions with the company, visits its website, subscribes to any newsletters or educational seminars, etc.

This policy applies to all processes, departments, services, and facilities of the General Clinic of Dodecanese Single Member S.A., regardless of whether they are owned, leased, or operated under any other regime of use, for the provision of its medical and nursing services.

Definitions

In particular, for the purposes of this policy:

“Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Health data”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

“Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying;

“Controller”: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

“Processor”: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“Consent” of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. 

Basic Principles

By means of this Policy, the Company determines and discloses the conditions under which the company collects, maintains and uses personal data information in printed and/or electronic form, i.e. it acts as a Data Controller.

This Policy also describes how the Company uses, shares, and protects the personal data it processes, how individuals/data subjects can exercise their rights regarding their personal data, and how to contact the Company, and is in compliance with the terms of the European Regulation 679/2016 and any other relevant applicable legislation.

The recipients of the data are the subjects themselves, their family members in case of physical incapacity, persons authorized by them, insurance funds to the extent that the provision of data is necessary for insurance coverage, public authorities following a prosecutor’s decision and ministries for the purpose of statistical processing, as well as any others expressly described by law.

Finally, with its Personal Data Protection Policy, the Company assures that it is committed to keeping the information provided to the company confidential and secure, thus ensuring privacy; to maintaining a processing record for all its activities, primary and secondary to its objects; to continuously training staff on data protection, clean desk policy, respect for privacy, and confidentiality; to adopting policies such as this one and the Information Security Policy; to working exclusively with individuals and companies who are equally committed to the principles of personal data protection and who take appropriate measures to protect it; and finally, to processing the personal data it holds simply and fairly, with respect and a high sense of responsibility.

PRINCIPLES OF PERSONAL DATA PROCESSING

The Company, as Data Controller, processes the personal data of its patients, employees, and associates, as well as the health data of its patients, in accordance with the principles that, according to the Regulation on the protection of personal data, must govern the processing. Thus:

  a) it processes the data it collects in a lawful and legitimate manner and in a transparent way
  b) the purposes for which it collects them are specified, explicit, and legitimate
  c) the data it processes are adequate and relevant for the purposes of processing
  d) the data are accurate and, where necessary, kept up to date
  e) the data are kept and stored only for as long as required by the legal framework
  f) it takes all necessary and appropriate technical and organizational measures to ensure their security.

DATA CONTROLLER

The Data Controller is:

The company under the name “GENERAL CLINIC OF DODECANESE SINGLE-MEMBER SOCIETE ANONYME” and the distinctive title “GENERAL CLINIC OF DODECANESE SINGLE MEMBER S.A.”, with VAT No. EL 099658646 – Tax Office of Rhodes, and General Commercial Registry No. 072215820000, based in the Municipality of Rhodes, in the Municipal Community of Koskinou – Municipal Unit of Kallithea, Postal Code 85150.

PROCESSING DATA

I. Patients

  • Simple personal data: name, surname, date of birth, home address, email address, profession, identity card number, Social Security Number, Tax Identification Number, insurance provider, contact phone, etc. In addition, simple personal data of persons accompanying patients, relatives, or friends of patients may also be collected. Furthermore, information may be collected for the purpose of processing payments (e.g., bank account or credit card).
  • Health data: data relating to the health status of patients, as obtained from their medical history, upon admission and during their hospitalization, from consent forms for medical procedures, as well as from the results of diagnostic and clinical tests carried out in the context of providing medical services.

II. Employees/external partners: personal and other data (health data, e.g., for the justification of sick leave, data on an employee’s children in order to grant allowances, etc.) necessary for the fulfillment of its legal obligations towards employees (salaried and external partners) in accordance with labor and insurance legislation.

III. Partners/suppliers: the necessary personal data of representatives and employees of companies is processed for the purpose of conducting its commercial relations with partner companies (pharmaceutical companies, biotechnology equipment companies, suppliers, etc.) for its operation and the fulfilment of its objectives.

IV. Finally, the Company processes the personal data of all those who contact the company either to subscribe to its electronic newsletter, to obtain a privilege-user card, to seek employment by sending a CV, to communicate via the electronic form available on the Company’s website (which form is available exclusively for the purpose of informing them about the services provided by the Company and under no circumstances replaces a clinical examination and medical opinion), or, finally, to browse the website by accepting cookies. For all of the above, the Company has specific procedures and policies in place to ensure both the secure storage of the data it processes and its retention only for the period specified by law or procedures.

PURPOSES OF COLLECTION, PROCESSING, AND DISPOSAL OF PERSONAL DATA

The Company collects, processes, and stores personal data for the following purposes:

  • To provide medical and nursing services.
  • To manage human resources issues relating to the Company’s employees, regardless of their employment relationship and specialty.
  • For the smooth cooperation of the Company with its medical associates, regardless of employment relationship and medical specialty.
  • To manage cooperation issues with product and service suppliers, subcontractors, and other partners through relevant contracts or additional operations.
  • To respond to requests from regulatory authorities and manage requirements and audits provided for by law.
  • To manage complaints from patients and visitors.
  • To manage the security of persons and property, such as access, security, and entry control to the Company’s premises, including closed-circuit CCTV for the protection of persons and property. Any collection of closed-circuit CCTV material is limited to areas necessary for this purpose, such as cashier areas or critical facilities, and is kept in accordance with applicable law and the Authority’s guidelines.
  • To inform the public about the services offered by the Company, through the organization of informational or scientific events, through electronic media, including social media, and through other actions of any kind.
  • To promote the Company’s public relations (e.g., corporate social responsibility actions).
  • To organize and conduct training seminars/programs for staff, as well as scientific conferences/events and/or training for medical associates of all specialties.
  • To handle legal matters.
  • To manage accounting and tax services.

The Company processes personal data on the following legal bases:

  • when the data subject has given his/her consent,
  • to perform a contract with the data subject or to take steps at their request prior to entering into a contract,
  • to comply with a legal obligation to which the Company is subject,
  • to protect the vital interests of the data subject,
  • to perform a task carried out in the public interest,
  • for the purposes of the legitimate interests pursued by the Company,
  • for the purposes of social security obligations and rights,
  • to establish, exercise, or defend legal claims or when courts act in their judicial capacity,
  • for the purposes of preventive or occupational medicine, medical diagnosis, provision of health care or treatment, or management of health care systems. 

RETENTION PERIOD OF DATA

The Company is required to keep the Patient Medical File in its Medical Records for twenty (20) years from each hospitalization, in accordance with its legal obligation under Law 3418/2005 and with the need to protect life and health and to provide appropriate treatment. Data on outpatients is also kept in its archives for 20 years. For purely accounting and tax records, there is an obligation to keep them for as long as required by the applicable tax legislation.

The Medical Record contains all data relating to the patient’s health as well as simple personal data provided by the patient him/herself for the performance of the contract for the provision of medical services between the patient and the Company.

In the event that the time limits change, the Company shall notify you of any changes. Any data obtained through the website for the purpose of making an appointment is kept secure in the Company’s computer system and is incorporated into the medical files kept in the Archive as described above.

After the mandatory data retention period has elapsed, the Company destroys the data in accordance with the instructions of the Authority and its own procedures and protocols, in accordance with the applicable regulatory framework.

TRANSFER OF PERSONAL DATA TO THIRD PARTIES

The Company may transfer (by electronic and physical means), in fulfillment of its contractual obligation, simple and sensitive personal data of its patients, data relating to their hospitalization, to their insurance company and its Auditors, for the purpose of covering and compensating for their hospitalization expenses, in combination with the health coverage they have.

It may also transfer (by electronic and physical means), in fulfillment of its legal obligation, simple personal and sensitive personal data (health data) to the competent authorities, to the public insurance institution (National Organization for Health Care Services (EOPYY) or other Insurance Fund) of insured patients and its Auditors for the purpose of covering and reimbursing their hospitalization expenses, in combination with their existing health coverage.

Furthermore, for the purpose of providing health services, it may transfer simple and sensitive personal data to doctors who provide independent services to the Company and service providers in the health sector on the basis of contracts with the Company.

The Company’s financial services are required to process simple personal data of the patient or health data (e.g., type of surgery, type of diagnostic test) in order to issue the legal document for the payment of medical services that the Company provides to its patients and to satisfy its legitimate business interest as well as its legal tax obligation.

Finally, in order to pursue its legal claims, the Company may transfer personal data to law firms with which it cooperates or to individual lawyers/associates.

SECURITY OF PERSONAL DATA

The Company uses appropriate technical and organizational protection measures to ensure that the personal data entrusted to the company by patients is secure, whether stored physically or electronically.

When the Company entrusts a third party as a processor (including service providers) to collect or process personal data on its behalf, the processor is carefully selected based on its expertise, reliability, and available resources, as well as the appropriate technical and organizational security measures it takes to ensure the security of the processing, in accordance with the specifications set out in the General Data Protection Regulation.

RIGHTS OF DATA SUBJECTS WITH REGARD TO THEIR PERSONAL DATA

  • Right to information: The Company is required to inform the data subject in an understandable manner of its identity and contact details, the details of the data protection officer, the purpose of processing their data and the legal basis for processing it, the recipients or categories of recipients of their personal data, the period for which their data will be stored, their rights of access, rectification, erasure, portability, restriction of processing of personal data and complaint to the supervisory authority, the mandatory or non-mandatory nature of providing the data, as well as the possible consequences in case of non-provision. If the Company intends to transfer the data subject’s data to a third country or international organization, it must inform the data subject accordingly. If the data is not provided by the data subject, the Company must inform them of the source of the data.
  • Right to withdraw consent: Depending on the case, patients have the right to withdraw their consent at any time without affecting the lawfulness of processing based on consent prior to its withdrawal.
  • Right of access, rectification, and erasure: They are entitled to request access to any of their personal data that the Company may hold, to request that any inaccurate data be corrected and, in certain circumstances, to request the erasure of their personal data. Patients cannot request the deletion of their health data because, by law, there is an obligation to store it for 20 years.
  • Right to data portability: under certain conditions, patients have the right to receive the personal data they have provided in a structured, commonly used, and machine-readable format, as well as to request that the Company transfer it to another controller, where technically feasible. For example, they may contact the Company to request that copies of their medical records or diagnostic tests be sent to another clinic or hospital by appropriate means.
  • Right to restriction of processing: patients have the right to request the restriction of the processing of their personal data where:
  1. the accuracy of the personal data is contested until the necessary measures are taken to correct or verify its accuracy
  2. the patient considers that the processing is unlawful, but does not want the Company to delete the data
  3. the Company no longer needs the patient’s personal data for the purposes of the processing, but the patient needs the data for the establishment, exercise, or defense of legal claims; or
  4. the patient has objected to processing that is justified on grounds of legitimate interests (see below), pending verification of whether there are compelling legitimate grounds for the Company to continue such processing.

Where personal data is subject to such restrictions, the Company shall process the data only with the consent of the individual or for the establishment, exercise, or defense of legal claims.

  • Right to object to processing: provided that the conditions set out in the law are met, the patient has the right to object to the processing of their personal data. If they object, the Company must stop processing, unless it can demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the individual, or where it needs to process the data for the establishment, exercise, or defense of legal claims.

If anyone believes that the processing of their personal data violates applicable law, they have the right to file a complaint with:

Hellenic Data Protection Authority,

1-3 Kifissias Avenue, 115 23, Athens, Greece

Telephone: +30-210 6475600

E-mail: contact@dpa.gr

DATA PROTECTION OFFICER

For more information on exercising your rights under the Regulation or for any questions regarding the processing of personal data, interested parties may contact the Data Protection Officer appointed by the Company at dpofficer@imitheamg.gr, and the request shall be satisfied within the applicable time frame, i.e. in any case within one (1) month from the date of submission. If the request is complex, the Data Protection Officer will inform the interested party within one month of the need to extend the response period by an additional two (2) months, within which they are obliged to respond.

CHANGES TO THE PERSONAL DATA PROTECTION POLICY

The Company reviews this Policy regularly and reserves the right to revise and make changes to the policy to reflect changes in its business activities, legal requirements, and the way the company processes personal data.

When it does so, the Company informs the public through its website or when patients and associates visit its premises.

In any case, the Company recommends that interested parties periodically check this Policy in order to be informed of any changes in a timely manner.