Last updated in October 2020
The Clinics, Diagnostic Centres, Polyclinics of Hellenic Healthcare Group (hereinafter HHG) take the protection of the privacy of their patients, customers, and visitors seriously. For that reason, we stringently adhere to the following Personal Data Protection Policy, which ensures a high level of provided services and strictly observes the current legislative framework. Personal data that concerns you will be collected and kept only for the absolute minimum time necessary, for predetermined, explicit, and legal purposes; they are lawfully and fairly processed in a transparent way, always in accordance with the current legal framework and in such a way that guarantees their integrity and confidentiality. These data are always adequate, relevant, expedient, and no more than required to achieve the aforementioned objectives, while they are also exact, and, if necessary, can be updated.
Hellenic Healthcare Group Data
For the provision of health services, HHG has the following Clinics / Diagnostic Centres / Polyclinics, which operate as joint controllers of the personal data processed, whether it be ordinary data or special sensitive Health data.
Their details are as follows:
Company Name: DIAGNOSTIKON KAI THERAPEFTIKON KENTRON ATHINON ‘HYGEIA’ SOCIETE ANONYME
Trade Name: HYGEIA S.A.
Based: KIFISIAS AVENUE & 4 ERYTHROU STAVROU STREET, MAROUSSI
Company Name: PERSEFS SOC. ANONYME EKMETALEFSIS & LITOURGIAS YGIONOMIKIS MERIMNAS
Trade Name: PERSEFS YGIONOMIKI MERIMNA S.A. - METROPOLITAN
Based: 9 ET. MAKARIOU ST. & 1 EL. VENIZELOU ST.
Company Name: MITERA IDIOTIKI GENIKI, MEEFTIKI, GYNEKOLOGIKI KE PEDIATRIKI KLINIKI SOCIETE ANONYME
Trade Name: MITERA S.A.
Based: 6 ERYTHROU STAVROU STREET, MAROUSSI, POSTAL CODE GR-15123
Company Name: METROPOLITAN GENERAL HOSPITAL S. ANONYME EKMETALEFSIS & LITOURGIAS YGIONOMIKIS MERIMNAS
Trade Name: METROPOLITAN GENERAL S.A.
Based: 264 MESOGION AVENUE, CHOLARGOS
Company Name: LETO MEEFTIKO - GYNEKOLOGIKO KE CHIROURGIKO KENTRO SOCIETE ANONYME
Trade Name: LETO
Based: 7-13 MOUSON STREET, ATHENS
Company Name: ALFA LAB IDIOTIKO DIAGNOSTIKO ERGASTIRIO MEDICAL SOCIETE ANONYME
Trade Name: ALFA LAB S.A.
Based: 11 G. ANASTASIOU, ATHENS
Company Name: HEALTH SPOT IDIOTIKO POLYIATRIO IATRIKI SINGLE MEMBER PRIVATE COMPANY
Trade Name: HEALTH SPOT BY HHG SINGLE MEMBER PRIVATE COMPANY
Based: 16 Levidou Street, Postal Code: GR-145 62, Kifisia
The details of the Data Protection Officer (DPO) for HHG’s companies are: Dimitris Kolios, 14 Fleming Street, GR-15123, Maroussi, Tel.: 210 686 7679
This policy determines the terms and conditions observed by HHG for the protection in general of the privacy of patients, escorts, loved ones, and any other individual supporting them, whose personal data is processed for the purpose of providing health services, and of the users of the applications created by HHG’s Clinics / Diagnostic Centres / Polyclinics. The purpose of this Policy is to inform you on how we collect, store, and process data that concerns you, such as the personal data you provide us with upon selecting to receive health services from our Group, or health data that arise from the provision of our services to you.
The Group reserves the right to amend and adjust this Policy, whenever deemed necessary, while any changes are put into effect from the moment they are posted to the present website/application.
HHG strives to carry out its business activities in accordance with the principles of privacy, as we believe that they are an indication of our unwavering commitment to ethical and responsible practices. We recognise that innovation and new technologies lead to constant changes as regards risks, expectations, and legislation, and that is why we follow the standards of undertaking responsibility for privacy, and also why we aim to adapt their implementation in response to these changes in a timely manner.
This Policy is also in force for all individuals whose data we process, including, but not limited to, customers, potential and former employees and their dependants, members of the morals and ethics committee, partners, investors and shareholders, state employees, and other stakeholders.
All Group Employees and Management Executives bear significant responsibilities as regards the protection of privacy, which they must observe.
We recognise that inadvertent errors or bad judgment regarding data protection can cause risks to the privacy of individuals and risks as regards the reputation, processes, compliance, and finances of our Group. All Group employees and other individuals who process data for our companies are responsible for understanding and observing their obligations with regard to this Policy and current laws.
Our Values and Standards with regard to Privacy
We observe our values regarding privacy in everything we do that has to do with people, including how we apply privacy standards. The four privacy values include:
- Respect - We recognise that concerns about privacy are often related to the essential questions of who we are, how we see the world, and how we define ourselves. Thus, we strive to respect the perspective and interests of individuals and societies, and to be fair and transparent in how we use and share data regarding them.
- Trust - We know that trust is of vital importance for our success, and that is why we strive to create and keep the trust of our customers, employees, patients, and other stakeholders, with regard to respect and protection of data related to them.
- Avoiding damage - We understand that misuse of data related to people may cause tangible and intangible damage to those people, and thus we strive to deter physical and financial damage, damage to their reputation or any other type of damage related to privacy.
- Compliance - We have learned that laws and regulations do not always keep up with the rapid developments of technology, the flow of data, and related changes in the risks and expectations of privacy. Thus, we strive to comply with the spirit and the regulations of privacy, as well as the laws of data protection, in a way that is consistent and operationally sound for our business activities on a global level.
We incorporate privacy standards in all our activities, processes, technologies, and relationships with third parties that use Personal Data. We design privacy checks in our procedures and technologies, which are consistent with our privacy values and standards, as well as with the legislation in force. The eight privacy principles described below summarise the privacy standards and basic requirements for the processes, activities, and their supporting technologies at a high level.
- Necessity – Prior to collecting, using, or sharing Personal Data, we define and document the specific, legitimate business purposes for which it is needed.
- Fairness – We do not process Personal Data in ways that are unfair to the people to whom those data relate.
- Transparency – We do not process Personal Data in ways or for purposes that are not transparent.
- Purpose Limitation – We only use Personal Data in accordance with the principles of Necessity and Transparency.
- Data Quality – We keep Personal Data accurate, complete, and up to date, and consistent with their intended use.
- Security – We implement safeguards to protect Personal Data and Sensitive Data from loss, misuse, and unauthorised access, disclosure, or destruction.
- Data Transfer – We are responsible for preserving privacy security for Personal Data when they are transferred to or from other organisations or across country borders.
- Legally Permissible – We only process Personal Data if the requirements of the current legislation are met.
‘personal data’ means any information relating to an identified or identifiable natural person;
‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person;
‘health data’ means personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about their health status;
‘special category personal data’ includes, among others, genetic, biometric, and data concerning health;
‘processing of personal data’ means any operation or set of operations performed upon personal data, such as collecting, recording, organising, structuring, storing, adapting or altering, retrieving, using, disclosing by transmission, dissemination or otherwise making available, aligning, combining, restricting, erasing, or destroying;
‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘personal data breach’: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
PERSONAL DATA PROTECTION LEGAL FRAMEWORK
The ‘personal data protection legal framework’, for the purposes of this Policy, means General Data Protection Regulation 679/2016 of the European Parliament and of the Council for the protection of natural persons against the processing of personal data and for the free movement of such data, and any law or regulation that has been issued pursuant to or for the implementation of the aforementioned General Regulation, as well as any national law that is in force and applied and which concerns the processing and protection of personal data in general, and in the health service provision sector in particular.
Indicatively, we would like to mention that, among others, the following laws are in force as amended:
- Law 3418/2005 Code of Medical Ethics;
- Law 2071/1992 Modernisation and Organisation of the Health System;
- Law 2619/1998 Oviedo Convention
- Relevant Regulatory Acts of competent Independent Administrative Authorities
- General Data Protection Regulation 2016/679
- Law 4624/2019 for the implementation of the GDPR
- Current Legislation regarding the urgent measures for dealing with the consequences of the appearance of coronavirus COVID-19 and the need to limit its spread
PURPOSE OF THE PROCESSING OF YOUR PERSONAL DATA
In accordance with the above legal framework, HHG collects and processes the personal data of patients, patient escorts, or users of its companies’ websites for the following reasons and only to the extent this is necessary to effectively serve their purposes. These data are always relevant, expedient, and no more than required in view of the purposes below, while they are also exact, and, if necessary, can be updated. HHG may process personal data if the processing is necessary for at least one of the following legal grounds, namely:
- to perform a contract between us or to take measures at your request prior to entering into the contract, or
- in order to comply with a legal obligation to which it is subject, or
- for the purposes of its legal interests, or
- when you have given your consent, or
- for the protection of your vital interests, or
- to fulfil a duty to the public good, or
- to perform rights and obligations that arise from social insurance law, or
- to establish, exercise or defend legal claims or whenever courts are acting in their judicial capacity, or
- for purposes of preventative or professional medicine, medical diagnosis, provision of healthcare or treatment or management of healthcare systems
a. HHG retains and processes the ordinary and sensitive personal data provided by you or another person with your authorisation, in order to perform the contract for the provision of health services signed by you or another natural or legal person on your behalf and/or to protect your vital interests and/or to fulfil the legal obligation or interest of each Group company and/or based on your consent and may transfer your data within or beyond the European Union to private and/or public insurance agencies, partners/processors, and/or the competent court, police, or tax Authorities, in accordance with the legal framework in force.
HHG retains and processes special category data, namely medical history, medical examinations, medical acts submitted by you or another natural or legal person on your behalf, and medical data that transpires from the provision of medical services – health services, aiming to provide medical services – health services based on the provision of preventative or professional medicine, medical diagnosis, the protection of your vital interests, and/or your explicit consent. HHG can transfer the aforementioned data for the aforementioned purposes within or beyond the European Union, to private or public insurance agencies in accordance with your legal relationship to them, to a network of Doctors providing independent services to our Group, to partners acting on the behalf of each company, in accordance with the contracts between us for the purpose of health service provision.
b. HHG, in accordance with what is provided for in the current legal framework, may process and transfer ordinary or special category personal data of the patient to law firms, to establish, exercise, or defend legal claims or to the competent Authorities whenever courts are acting in their judicial capacity, as well as for reasons of legal obligation or public interest, as required by law. Furthermore, HHG may process and transfer the ordinary data of a patient and/or their obligee/escort in order to comply with its legal obligation, and its duty with regard to public interest, on a case-by-case basis, to the competent police, court, administrative, and tax Authorities, within and beyond the European Union, following their valid request. Furthermore, it is legally obligated to carry out every necessary internal control of personal data that concern you, in accordance with its internal procedures, when provided for or required by law.
c. HHG, in accordance with what is provided for by the legal framework, may transfer your ordinary and special category personal data to law firms for the collection and payment of debts that have transpired from the provision of medical services – health services, for the establishment, exercise or defence of legal claims.
d. HHG, following your relevant consent, may process personal data that concerns you, in order to develop, improve, and promote its services, as well as to provide privileges.
DATA RETENTION PERIOD
HHG is obligated to retain printed or electronic archives for the period of time provided for by national law. Specifically, in accordance with the Code of Medical Ethics (Law 3418/2005, G.G. Series I Issue 287/28.11.2005), “Article 14§4: The obligation to keep medical records applies to: a) private clinics and other private sector primary healthcare units, for one decade since the patient’s most recent visit, and b) in all other cases for 20 years since the patient’s most recent visit.”
The data kept for the commercial promotion of products or services, and/or the provision of privileges, will be deleted six months after the action is completed.
The curricula vitae collected by the competent Human Resource Departments will be kept for one year, and will then be destroyed in accordance with the destruction policy HHG has in place for its companies.
Tax data is kept in accordance with the tax legislation.
YOUR RIGHTS REGARDING PERSONAL DATA PROTECTION
The legislation for the protection of personal data provides you with the following rights, which you can exercise in principle free of charge and based on everything provided for in the legal framework:
- The right to access, namely to be informed on what data of yours HHG has collected and is processing, their source, the purpose and legal ground of the processing, the recipients or categories of recipient of the personal data, in particular recipients in third countries, and the period for which they will be kept.
- The right to rectification of any inaccurate personal data, so that they are made accurate, by submitting to HHG a relevant statement with your accurate personal data.
- The right to supplementation of any incomplete personal data, so that they are made complete, by submitting to HHG a relevant statement with your complete personal data.
- The right to erasure of your personal data in the following cases:
  - when your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise submitted for processing;
  - when you have withdrawn your consent on which the processing was based and there is no other legal ground for the processing;
  - when your personal data was submitted to processing without the necessary legal ground in place;
  - when the law provides for the obligation to erase your personal data;
  - when the data of a child have been collected in relation to the provision of information society services, following its consent or when its consent is given or approved by the holder of parental responsibility of the child.
- The right to restriction of processing of your personal data, in the following cases:
  - when you contest the accuracy of the personal data and until verification by HHG takes place;
  - when instead of erasure, you request the restriction of the processing of your personal data;
  - when HHG no longer needs your personal data for the purposes of processing, but they are required by you for the establishment, exercise, or defence of legal claims.
- The right to object to the processing of your data, unless there are compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise or defence of legal claims of HHG.
- The right to portability, namely to receive and transmit to another controller your personal data, which you have provided to HHG’s Clinics, Diagnostic Centres, and Polyclinics in a suitable format, provided that the processing of your personal data has taken place following your consent or that there was the necessary contract for processing between us.
- The right to withdraw your consent (without retro-active effect) on an issue related to the protection of ordinary personal data and health data.
These rights may be limited due to the obligation to apply another law, e.g. if you request the erasure of your data, while we are obligated by law to keep it.
Regarding all of the above and to answer any questions regarding the current legislation on personal data, you can contact HHG in the following ways:
- by post, to the Data Protection Officer of HHG (No 14 Fleming Street, GR-15123, Maroussi)
- HHG shall respond to your Request free of charge, with no delay, and, in any case, within a month of receipt of the request, except in exceptional circumstances, in which case the above deadline may be extended by an additional two months, if required, depending on the complexity of the request and/or the number of requests. HHG shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
- If your request cannot be met, HHG will inform you without delay and at the latest within a month from receipt of the request, regarding the relevant reasons and how you may file a complaint with the Hellenic Data Protection Authority, as well as regarding your right to appeal to the competent judicial authorities.
- If your request is found by HHG to be unfounded or excessive, it may impose a reasonable and corresponding charge, taking into account its administrative costs, or it may refuse to act on your request.
RIGHT TO LODGE A COMPLAINT
You also have the right to file an appeal with the competent judicial authorities regarding the protection of your personal data.
HHG has taken suitable technical and organisational security measures in order to ensure the implementation of the law and the suitable level of security for your personal data, and has duly trained its personnel and its entire network of partnered Doctors, through the Data Protection Policies and Procedures, and commits all its partners acting as processors on its behalf (Data Protection Agreement) through the guarantees and safeguards of the GDPR.
By submitting your e-mail address, you are giving us your consent to send you e-mails with the sole purpose of advertisement and the direct promotion of our products and/or services through our newsletter. Your e-mail address will only be used by HHG and its partner who is acting on HHG’s behalf in sending out the newsletters. In each such e-mail, we will clearly make our identity known to you and will provide you with the opportunity to object and request, easily and free of charge, to terminate communication and delete your data from the database in question.