Asklepieia Health Cluster S.A.
Effective Date: 12 / 2020
This Website collects some Personal Data from its Users.
Owner and Data Controller
Asklepieia Health Cluster S.A.
2, Viantos str.
10442, Athens, Greece
Owner contact email: email@example.com
This policy applies to all personal data processed by Asklepieia Health Cluster S.A. (“Company”, “Asklepieia”, “we”, “us”, “our”).
Respect for your privacy and the management, protection and security of your personal data are a priority for us. Hence, we take all technical and organizational measures for the protection of your personal data pursuant to the applicable national and European legislation and in particular the General Data Protection Regulation (EU 2016/679), the national laws and the Decisions, Directives and Opinions of the competent supervisory Authority.
This Data Protection Policy includes:
1. information about the Data Controller and the Data Protection Officer (DPO), and our contact details for any issue regarding your personal data;
2. general principles of personal data processing;
3. the type of personal data that we collect from you and methods of collection;
4. the purpose of collecting and processing of your personal data and the legal basis for the processing;
5. transfer of personal data to third parties;
6. security measures that we undertake for the protection of your data;
7. instances where we may run a Data Protection Impact Assessment (DPIA);
8. retention duration of your personal data;
9. your rights and how to access them, as well as any options you may have regarding the collection and processing of your data.
1. DATA CONTROLLER AND DATA PROTECTION OFFICER
Who is the Data Controller?
The Data Controller of your personal data is the Company under the name “Asklepieia Health Cluster SA” and the distinctive title “Asklepieia Health Cluster”, with company registration number 152787201000, having its headquarters in Athens (2 Viantos str 10442 Athens, Greece), VAT no 801253906, Tax Office of IB Athinon, tel. +30 2111826515 and email: firstname.lastname@example.org.
Who is the Data Protection Officer?
Questions and Comments
You may communicate with us using the contact details above and submit any comments, queries, observations or complaints regarding this Policy and generally the collection and processing of your personal data. You have the right to submit any claim regarding issues of protection of your personal data that may arise from its processing by the Company, before the Hellenic Data Protection Authority, which is the supervisory authority in our country. Details are available at www.dpa.gr. However, it is our obligation and duty to handle any issues regarding your personal data, hence we are happy to answer any questions.
2. GENERAL PRINCIPLES OF PERSONAL DATA PROCESSING
The Company collects and processes your personal data in accordance with the following principles:
i. Lawfulness, Fairness and Transparency: the Company collects and processes your data lawfully, fairly and transparently,
ii. Purpose Limitation: the Company processes your personal data only for specified, explicit and legitimate purposes,
iii. Data Minimization: the Company takes all appropriate technical and organizational measures in order for the data processing to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,
iv. Accuracy: the Company takes all reasonable steps to ensure that personal data are accurate and, where necessary, kept up to date,
v. Storage Limitation: the Company does not keep personal data for longer than is necessary for the purposes for which the personal data are processed; nevertheless, the Company may store personal data for longer periods if necessary: (a) for compliance with a legal obligation, (b) for the fulfillment of a duty in public interest, (c) for public interest purposes, (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures, (e) for the establishment, exercise or support of legal claims.
vi. Integrity and Confidentiality: the Company ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
3. TYPE AND MEANS OF COLLECTING AND PROCESSING PERSONAL DATA
Personal Data that we Collect and Process
The Company collects and processes your personal data only insofar as it is absolutely necessary and appropriate in relation to the purposes for which they are processed. Specifically, the personal data we collect and process are summarized as follows:
i. Identity data (full name, father’s name, date of birth, gender, postal address, email address, passport or other official identity document number),
ii. social security data,
iii. employment data,
iv. health data,
v. private insurance data (insurance name, policy number, country of residence, assistance ref. number etc.),
vi. payment data (e.g. card details or PayPal account, credit balances, amounts you have spent on the use of the Service, amounts credited to you and amounts covered by your Insurance Company, bank accounts of doctors who are required to provide for their payment, or their PayPal account),
vii. geolocation data (you can optionally tell us your geolocation data if you set your browser to be tracked by the signal),
viii. website browsing data (e.g. your IP address),
ix. sound data from recorded calls - after we have expressly informed you of such recording (e.g. full name, telephone number, date of birth, postal address, insurance data etc.),
x. data in relation to requests you have submitted in relation to the exercise of your rights or complaints,
xi. data of potential Company employees which are contained in attached CVs or relevant submission forms,
xii. data of our employees (name, surname, father’s name, mother’s name, gender, date of birth, postal address, telephone number, email, nationality, family status, number of children, national identity or passport numbers, tax identification number, IBAN, education, professional certifications, date of hiring etc),
xiii. data of doctors who provide medical services (including name, surname, gender, date of birth, title, telephone number, address, tax identification number, membership to medical associations, professional accreditations, professional insurance coverage data etc),
xiv. your reviews on doctors, time and place of provision of medical services.
We do not knowingly collect any information from any person under the age of 15 without the consent of a parent or guardian. Our services are aimed exclusively at people who are at least 15 years of age or older. If you are under 15, do not use or provide any information to us, do not register as a Member or in our newsletters list of recipients, do not use the Platform and Service, even the upload, and do not give any information about your identity to us, including your name, address, or contact information (phone, email, etc.). If we find that we have collected or received personal data from a child under the age of 15 without the consent of the guardian, we will delete it immediately unless consent has been given by a parent or guardian. If you think we may have information from or for a child under 15, please contact us.
How We Collect Personal Data
The collection of personal data is made by physical and electronic means, as the case may be, such as:
ii. When you use the Platform to send health data to doctors of the Company’s network,
iii. when you fill out various forms or during our electronic communication,
iv. while using our call center or website for scheduling an appointment for a medical service,
v. when you declare to us your wish to use your insurance coverage,
vii. when you apply for employment to the Company,
viii. when you are hired as an employee in the Company,
ix. when you become a member of our network as a medical service provider, hotel or insurance company,
x. when you submit a request for receiving our newsletters.
4. PURPOSE AND LEGAL BASIS FOR PROCESSING
The Company may process personal data relating to you if one of the following applies:
i. You have given your consent for one or more specific purposes;
ii. provision of data is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof;
iii. processing is necessary for compliance with a legal obligation to which the Company is subject;
iv. processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Company;
v. processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party.
We will never process your health data if none of the above legal bases applies and we have not received your prior express consent, after we have informed you of the purpose of processing. In any case, the Company will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Purposes for Processing Personal Data:
The personal data (other than health data) collected by the Company are used for the following purposes:
i. To enable medical service providers to register as a member in the Company’s professional network. Legal basis for processing is (a) the medical service provider’s consent regarding the information provided to us (b) fulfillment of our contractual obligations with the medical service providers.
ii. To receive and manage a request for the provision of a medical service. Legal basis for processing is (a) your consent for submitting a request form and (b) the fulfillment of our contractual obligations with regards to the provision of our services.
iii. To present in the Platform medical doctors and their services. Legal basis for processing is (a) the doctor’s consent and (b) the fulfillment of our contractual obligations with regards to the provision of our services.
v. To process any insurance cover/ claim for patients. Legal basis for processing is (a) your consent with regard to the provision of insurance policy data and your geolocation, (b) the fulfillment of a legitimate interest with regard to your identification for the safety of transactions. In the event that you make use of a public insurance cover, certain personal data may be processed with legal basis the necessity of processing for the provision of health or social care.
vi. To send advertising and marketing material. Legal basis for processing is your express consent.
vii. For our communication and the management of your requests, whether those are related to personal data protection issues, or to the quality of our services. Legal basis for processing is the Company’s legal interest and compliance with its legal obligations, pursuant to the existing legislation.
viii. For the Company to be able to hire employees or collaborate with independent contractors. Legal basis for processing is (a) the necessity of processing in the context of our contractual or pre-contractual obligations, (b) necessity of processing for the fulfillment of rights and obligations in the field of labor law, social security law or for the fulfillment of an obligation in the public interest.
ix. For the Company’s compliance with its legal obligations, such as compliance with tax and social security legislation. Legal basis for processing is the Company’s compliance with its legal obligations.
x. For handling, concluding and processing your payments, including the security of our financial transaction. Legal basis for processing is (a) fulfillment of our contractual obligations, (b) necessity to protect the safety of transactions.
xi. For business analysis and improvements, such as the availability of our Services and their optimization, to optimize your experience and service by us within the Platform, to manage Loyalty programs, as well as to adjust your experience in the Platform and Service. Legal basis is (a) compliance with legal obligation to secure information and confidentiality, (b) the legitimate interest for security of networks, avoidance of any fraud and unauthorized access to data, for our business continuity, upgrading our systems and our partners’ system, for our business development, optimization of our technical systems and commercial processes.
xii. For statistical analysis, after your data have been pseudonymized. Legal basis for processing is the necessity to export statistical data.
Health data collected by the Company for the purposes of (ii), (iv) and (v) above shall only be processed with your express consent. Additionally, they may be processed if (a) your vital interests are concerned and you are physically or legally incapable of giving consent, (b) a substantial public interest specified by law is at stake, (c) it is necessary to defend a legal claim, (d) it is necessary for reasons of public health, specified in the law, (e) it is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
5. TRANSFER OF PERSONAL DATA
The Company may transfer personal data to:
i. Third parties to which the Company has assigned the processing of personal data on the Company’s behalf.
In any case, the third parties to which personal data may be transferred are all contractually bound with the Company to ensure the obligation of confidentiality and all obligations foreseen by the existing legislation, especially that processing takes place in conformity with the existing legislation. The third parties commit that they will process your personal data only for the specific and contractually determined purposes and will not transfer them or make them known to third parties, unless they are obliged to do so by law.
ii. To your State insurance provider, in case you make use of it.
iii. To private insurance companies/ employers. The Company may transfer your health data to collaborating private insurance companies within the EU for invoking your insurance coverage but only if your prior express consent has been given.
iv. To judicial authorities and prosecutors, as well as to other public authorities (e.g. internal revenue) in the course of the exercise of their duties and with due legal process. Further, on the ground of public interest in the field of public health, we may transfer your personal data pursuant to the applicable legislation to public authorities (e.g. National Public Health Organization).
v. In principle, the Company keeps your personal data within the European Economic Area. In the event that data transfer takes place outside of the EU or the European Economic Area, the Company shall check whether: (a) the Commission has issued a relevant adequacy decision on the third country to which transfer is to take place and (b) the necessary safeguards pursuant to the relevant legislation are adhered to. In any other case, the Company shall not transfer your data to a third country, unless one of the special derogations of the existing legislation applies (e.g. your express consent and provision of information in relation to the risks run by the said transfer, the transfer is necessary for the fulfillment of the contract upon your request, on public interest grounds, it is necessary for the support of legal claims and vital interests of the data subjects).
6. SECURITY MEASURES
We take appropriate technical and organizational measures to protect your personal data from unauthorized disclosure, use, conversion or destruction. Where appropriate, we use encryption and other technologies that can help to secure any information you provide us. We also ask our service providers to comply with strict privacy and data protection requirements. Although no method of data transfer via the internet or electronic storage method is absolutely safe, we take all necessary measures for the digital security of data (antivirus, firewall etc).
More specifically, the data you submit to the Company is managed exclusively by specially authorized personnel of the Company, under our control and only on our mandate. In order to conduct the processing, the Company selects individuals or third-party collaborators with corresponding professional qualifications that provide sufficient guarantees in terms of technical knowledge and personal integrity to safeguard confidentiality. The Company, through its respective contractual commitments and those of its partners, takes all necessary security measures to protect and secure the privacy, confidentiality and integrity of personal data. In any case, the security of the Platform’s environment may be subject to reasons beyond the Company’s influence, as well as to reasons resulting from technical or other problems of the network that are not controlled by the Company or reasons of force majeure or events of chance.
7. DATA PROTECTION IMPACT ASSESSMENT (DPIA)
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. This assessment shall in particular be conducted in the case of:
i. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
ii. processing on a large scale of special category data (specifically, health data) or
iii. a systematic processing of personal data on a large scale.
8. PERSONAL DATA RETENTION
The personal data collected by the Company are retained for a predetermined and limited period of time depending on the purpose of processing, after the passage of which the data are erased and/ or destroyed safely, unless existing laws permit or provide for a different retention period.
The retention period of your data is defined on the basis of certain more specific criteria. Indicatively:
i. It is mandatory to retain your personal data for the entire duration imposed by the purpose of their processing and/or the existing legal framework. With the passing of this duration, the data are retained pursuant to the applicable laws and for as long as it is necessary for the protection of the Company’s rights before a Court or other competent authority. We retain applications with attached CVs that you send us for 2 years in order to assess them for certain positions and after the expiration of this period we destroy or erase them safely.
ii. When processing is required as an obligation pursuant to provisions of the existing legal framework, your personal data shall be retained for as long as the relevant provisions require.
For marketing purposes and in any other case where processing is based on your consent, your personal data shall be retained until the revocation of your consent, without affecting the legality of the processing carried out on the basis of your consent prior to its revocation. For the consent revocation process, you must submit a request to the data protection officer (DPO). Alternatively, you may also use the unsubscribe options on our electronic communications. We reserve the right in certain circumstances to anonymize your data for research or statistical purposes, so that it cannot be associated with an identifiable person; we therefore reserve the right to use this information for an indefinite period of time. In any case, your data is stored securely.
9. YOUR RIGHTS AND YOUR OPTIONS
You may exercise certain rights regarding your data processed by the Company. In particular, you have the right to do the following:
i. Withdraw your consent at any time. You have the right to withdraw consent where you have previously given your consent to the processing of your personal data.
ii. Object to processing of your data. You have the right to object to the processing of your data if the processing is carried out on a legal basis other than consent.
iii. Access your data. You have the right to learn if data is being processed by the Company, obtain disclosure regarding certain aspects of the processing and obtain a copy of the data undergoing processing.
iv. Verify and seek rectification. You have the right to verify the accuracy of your data and ask for it to be updated or corrected.
v. Restrict the processing of your data. You have the right, under certain circumstances, to restrict the processing of your data. In this case, the Company will not process your data for any purpose other than storing it.
vi. Have your personal data deleted or otherwise removed. You have the right, under certain circumstances, to obtain the erasure of your data from the Company.
vii. Receive your data and have it transferred to another controller. You have the right to receive your data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the data is processed by automated means and that the processing is based on your consent, on a contract which you are part of or on pre-contractual obligations thereof.
viii. Lodge a complaint. You have the right to bring a claim before your competent data protection authority.
We offer you easy ways to exercise these rights, such as “unsubscribe” links, or by calling from Monday to Sunday 9:00 to 17:00, or by sending an email to email@example.com.
Some mobile applications we offer might also send you push messages, for instance about new products or services. You can disable these messages through the settings in your phone or the application.
For the exercise of your rights with respect to the device data we collect, you can access the settings.
Any requests to exercise your rights shall be provided free of charge and will be addressed by the Company as early as possible and always within one month. However, where requests from you are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or (b) refuse to act on the request. The burden of demonstrating the manifestly unfounded or excessive character of the request rests with the Company.
Disclaimer for Third Party Websites
Where our website contains links that redirect you to third party websites, please note that the Company neither controls nor is liable for the content of those websites, nor for the way they process your personal data.
Amendments and Updates
The Company reserves the right to make changes to this Policy at any time in the context of its regulatory compliance and optimization of our Services. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.
Should the changes affect processing activities performed on the basis of the User’s consent, the Company shall collect new consent from the User, where required.
Last update: December 2020