At the Euroclinic Group, protecting your privacy and preserving the privacy of your health information and data is our fundamental priority.
This information note provides every person who is receiving, or is interested in receiving, medical services from any company of our Group with concise, accurate and transparent information regarding the practices used for the management and protection of personal data.
The Euroclinic Group reserves the right to modify and update this Policy whenever it deems necessary. Any changes will take effect upon their publication on the website www.euroclinic.gr; any revised version published there will take precedence over the printed issue of this document.
Our organization has appointed a Data Protection Officer (DPO), with whom you can get in touch directly for any related issue at the telephone number: 210.6416600 / 210.6416126 and at the e-mail: email@example.com.
Personal Data Protection Legal framework
In the Euroclinic Group, we collect and process your personal data in accordance with this Privacy Notice and in compliance with EU Regulation 2016/679, the Greek data protection legislation, the current legal framework for the provision of health services and the Code of Medical Conduct and Ethics, as well as with the consents we receive from our patients. This note provides you with the necessary information regarding your rights and obligations and explains how, why and when we collect and process your personal data.
We maintain the licenses provided by the Independent Data Protection Authority, we are registered with the Hellenic Data Protection Authority, and we act as data controllers.
"Personal data" means any information relating to a particular individual or person whose identity can be directly or indirectly identified (e.g. name, identity number, address, etc.) ("Data subject"). Health data (physical or mental state, medical services, etc.) are, for the purposes of the present privacy notice, included in the general term "personal data", but they constitute a special category of data, hereinafter referred to as "sensitive personal data" or "health data".
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Processor” means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller.
The "Data Protection Officer (DPO)" independently supervises the strategy and compliance of the controller and the processor with the provisions of EU Regulation 2016/679 (GDPR) and mediates between the different interested parties (e.g. data protection authorities, data subjects). His role is advisory (not decisive) and he is not personally responsible for any non-compliance with the regulation.
Information / Personal Data We Collect
When you enter the Euroclinic Group, information about you, your contact information and identity, as well as your demographics, your clinical symptoms, the medical treatments you have received, your personal medical history, the medical treatment you are receiving and your family medical history will be recorded, both in printed and digital media, to help us provide you with the best medical care and the full range of medical services that will be deemed appropriate for your diagnosis, as well as your treatment in general. This information will be part of your health record and will be retained for twenty (20) years, as required by the applicable law, as well as for your medical follow-up, in case you need to revisit and receive health services within our Clinic.
Your health record or patient’s file is the collection point of all the information that is collected in any contact you make as a patient with all the healthcare professionals in our Clinic. A file is created for each patient to support his assessment, diagnosis and treatment, continuity in his health care, clinical exchange of information, security and improvement of health care provided, and meet the requirements set by the legislation (Law 3418/2005) and the state. The information entered in the patient’s file is sensitive personal data and is therefore confidential. Health professionals involved in managing your health within our Clinic can access your health records and make use of the information they contain, only for your medical treatment needs and only if this access is directly related to the fulfillment of their duties (e.g. medical treatments, nursing work, prescribing, dietary training) or if it is explicitly required by the law (e.g. the obligation to notify HACCP for infectious diseases).
The administrative staff of our Group will have access to your personal data for the needs of performing our administrative functions, for pricing and service delivery; any health data or medical records that may come to their knowledge in the course of their duties will be limited in scope and will remain confidential. All the personnel in our Group are bound by a Code of Conduct that seeks to protect the confidentiality of information of all patients who receive any kind of health services in our Group of companies. Privacy and protection of your private life is very important to us, and we conduct strict controls to protect your data.
The Euroclinic Group processes only your personal data that is required to meet legal, regulatory and contractual obligations and in order to provide you with health and hospitalization services in accordance with international medical standards and best practices. We will never collect any unnecessary personal data from you and we will not process your data in any way other than what is stated in this privacy notice. We take every possible and appropriate measure to only collect and process data that are absolutely necessary. We acquire, maintain and process only the data necessary for the execution of our services to you and the fulfillment of our legal obligations, and we maintain them only for as long as it is necessary.
Our systems, employees, procedures and operational activities are designed to limit the collection of personal information to the extent necessary to achieve the stated purpose. Minimizing the processing of personal data allows us to reduce the dangers and risks of violations of data protection and to support our compliance with the applicable personal data protection laws and regulations.
Our approach is based on the "privacy by design" principle, which means that we use methods to restrict the use of personal data across the company for all activities and processes. The Data Minimization principle is integrated into each relevant process, system and corporate structure, and ensures that only those who are authorized and/or have a relevant responsibility have access to personal information.
The personal data that we collect from you are:
- Contact details: name / surname, home address, e-mail, corporate e-mail, home phone, mobile phone, business phone number, surname and contact details of your relatives or escorts
- Demographics and identity data: date of birth, identity card number, passport number, VAT number, Social Security Number, the name of the person/fund that is liable for paying the cost of your hospitalization, insurance details if you use a health insurance policy from a private insurance company
- Special Category Personal Data: medical health information such as surgical information, prior health care data etc.
We collect all the above-mentioned categories of information in the following ways:
- By asking you at the reception and service points of our Group
- By filling in the documents that are intended to be your health records / patient’s file after receiving information that you provide to us and following your examination by the Euroclinic Group’s health professionals, as well as the results of the diagnostic tests you undergo.
- When you provide your personal ID, your insurance policy number and you declare that you wish to make use of your insurance benefits.
- By the people accompanying you or having a legal right to act on your behalf (your personal representative) if you are under the age of 16 or you are unable to provide this information yourself.
How we use your personal data (Legal basis for Processing your Data)
Euroclinic Group takes your privacy seriously and will not disclose, process or share your personal data, unless required by law, without your consent. We maintain and process your data only for as long as it is necessary for the purposes stated in the present privacy notice, while your data is transferred to third parties only upon your request and authorization to us and only if there is a legitimate interest or contractual obligation (i.e. announcement of hospitalization to your public social security institution or to the insurance company where you have a health insurance policy to compensate for your hospital costs).
The purposes and reasons for processing your personal data are detailed below:
- We collect and store your personal data and your sensitive personal data in order to provide you with your treatment(s) based on: a) the contractual agreement with you; b) our legitimate interest in providing health services; c) your vital interest in receiving these services.
- In addition, we collect and store your personal data as part of our legal obligation for accounting and tax purposes.
- We maintain your sensitive personal data for as long as it is required by law.
- We may only share your data if required by law:
- When an infectious disease can endanger the safety of others
- When a formal court order has been issued
- When sharing data with the police can prevent a serious crime.
- When you give us an explicit mandate and authorization to do so (e.g. if you wish to be compensated for your hospital costs by your social security institution and / or your insurance company)
- When we must safeguard the legitimate interests of our Organization, such as collecting our claims through third party agents (e.g. authorized lawyers).
- As part of our contractual agreement with you, we may contact you in order to receive information on your satisfaction as a customer regarding the healthcare services that were provided to you within our Group, by telephone or by e-mailing you relevant questionnaires; this contact may be made either by employees of the Euroclinic Group of Companies or by trusted contracting partners.
Sharing and Disclosing Your Personal Data
We do not share or disclose your personal data without your consent for any purposes other than those set out in this notice or where it is required by law. The Euroclinic Group uses selected partners to provide the following services and business functions. However, all the processors acting on our behalf process your personal data in accordance with the instructions they receive from us and fully comply with this privacy notice, data protection laws and any other appropriate confidentiality and security measures. The main categories of processors with which we can share your data include:
- External private or public sector diagnostic laboratories for specialized examinations (e.g. Pasteur Institute)
- Public Social Security Organizations / Social Security / Health Funds
- Insurance Companies and their affiliated Audit Firms
- Call Centers and Coordinating Centers for Servicing Your Health Insurance Programs that we undertake to serve
- Suppliers of Medical Equipment to ensure "traceability" and protect your health
- Organizations and IT service providers supporting information systems
- Supervisory Authorities and Organizations under the authority of the Ministry of Health
- Storage and filing companies
- Call Centers and Coordinating Centers used to conduct service satisfaction surveys, or to receive and manage complaints from our patients.
Finally, the Euroclinic Group, as required by the legal framework, may transmit personal data for the purpose of execution of the contract between us and in order to safeguard its legitimate interest regarding the collection and settlement of accounts, to financial institutions, debtor information companies, law firms.
In the Euroclinic Group, we take all reasonable measures and precautions to protect and safeguard your personal data. We work hard to protect you and your data against unauthorized access, modification, disclosure or destruction, and we have created several levels of security measures such as: role-based access management, powerful password checks, network security checks, business continuity measures, incident management procedures, encryption.
Implications of Not Providing Your Data
You are not required to provide your personal information. However, as these elements are necessary for us to provide you with health services, we will not be able to offer some or all of our services or products without this information.
How long do we keep your data
Euroclinic Group maintains personal data only for as long as it is necessary and we have implemented rigorous review and retention policies to meet these commitments. According to Greek Law 3418/2005, we are obliged to keep the data concerning your health for at least twenty (20) years and after that period the data will be destroyed.
If you have consented to the use of data for marketing purposes, we will maintain this data until you notify us of something different and / or withdraw your consent by sending a relevant request form to firstname.lastname@example.org.
Exercise of your rights
Regarding your personal data, you have the option of exercising the following rights by submitting a written request in person or through your legally authorized representative at the Euroclinic Group’s premises or by sending the request by post, with your authenticated signature.
(a) Right to information and right of access to all personal data that the Euroclinic Group maintains and processes with respect to you, the type of processing, the purposes of processing, the recipients or categories of recipients of your personal data, as well as the personal data retention policy.
(b) Right to rectification. If you believe that we have any incomplete or inaccurate data about you, you have the right to ask us to correct and / or supplement this information.
(c) Right to delete your personal data in the following cases:
- when your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
- when you withdraw your consent based on which your personal data was processed and there is no other legal basis for processing
- when your personal data has been processed without the necessary legal basis
- when the law requires the deletion of your personal data
(d) Right to limit processing in the following cases:
- when you dispute the accuracy of your personal data and until the Euroclinic Group verifies its accuracy
- when you are requesting the restriction of the processing of your personal data instead of deleting it
- when the Euroclinic Group no longer requires your personal data for the processing purposes, but your personal data is required by you for the foundation, exercise or support of legal claims
(e) Data Portability, i.e. you have the right to request the transfer of your data to another healthcare provider in Greece or abroad.
(f) Right to object to the processing of your personal data, unless there are compelling and legitimate reasons for processing overriding your interests, rights and freedoms, or for the establishment, exercise or support of legal claims of the Euroclinic Group.
(g) Right to object to any direct marketing by us and / or any automated decision-making process we may be using.
The rights to delete or restrict the processing of personal data are not applicable if the processing or maintenance of data by the Euroclinic Group is mandatory or necessary under the law and for the foundation, exercise or support of its legal claims and rights or the fulfillment of its obligations.
In order to carry out any of the above rights, it is our strict policy to confirm your identity. This is to confirm that your personal data is protected and kept secure.
The Euroclinic Group will respond to your request free of charge, without delay and in any case within one month of receipt of the request, except in exceptional circumstances, when that deadline can be extended by a further two months if necessary, taking into account the complexity of the request and the number of requests. The Euroclinic Group will inform you of any extension within one month of receipt of the request, as well as of the reasons for the delay.
If it is not possible to meet your request, the Euroclinic Group will inform you without delay and at the latest within one month of the receipt of the request, about the reasons and the option to file a complaint with the Hellenic Data Protection Authority (HDPA) as well as your right to appeal before the competent judicial authorities.
Euroclinic Group only processes your personal data in accordance with this privacy notice and in accordance with the relevant data protection laws. If, however, you wish to make a complaint regarding the processing of your personal data or if you are not satisfied with the way we handle your personal data, you have the right to submit a complaint to our Data Protection Officer: email@example.com. Finally, you have the right to file a complaint to the Hellenic Data Protection Authority (HDPA), [Kifissias 1-3 Ave. 115 23, Athens, tel: +30 2106475600, email: firstname.lastname@example.org] if you believe that your rights regarding the protection of your personal data are being infringed. You also have the right to appeal to the competent judicial authorities for the protection of your personal data.