INFORMATION ON THE PROCESSING OF PATIENTS' PERSONAL DATA BY HEALTHCARE INSTITUTIONS (GDPR)
Dear Clients,
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "General Regulation" or "GDPR"), we would like to inform you how our medical facility Gynekologie MEDA s.r.o., 03531953, ID No.: 72 983 501, registered in the Commercial Register kept at the Regional Court in Brno, file No.: C 85356, as a personal data controller (hereinafter referred to as the "Controller"), processes your personal data, and about the related rights and obligations.
1. EXTENT AND PURPOSES OF THE PROCESSING OF PERSONAL DATA
The controller processes personal data to the extent that they have been provided by the data subject in connection with the conclusion of a health care contract with the controller or in connection with the provision of health services in accordance with Act No. 372/2011 Coll., on Health Services and Conditions of their Provision (Health Services Act), its implementing regulations and other regulations governing the provision of health services. The controller also processes personal data that have not been provided to it by the data subject but which it obtains in the course of providing health services, e.g. data obtained as results of specific examinations. The controller processes personal data in accordance with the valid and generally binding legal regulations of the Czech Republic and to fulfil its legal obligations.
Your personal data are processed for the following purposes:
- provision of health services (performance of legal obligations by the controller);
- the purpose arising from the negotiation of a contemplated contractual relationship (for the purpose of entering into a health care contract);
- the purpose resulting from the performance of a health care contract between you and the controller;
- the establishment, exercise or defence of legal claims;
- the provision, to the extent necessary, of legal, economic and tax advisers and auditors, for the purpose of providing advisory services to the controller.
2. SOURCES OF PERSONAL DATA
The controller processes the personal data that it receives:
- in connection with the provision of health services within the meaning of Act No 372/2011 Coll., on health services and conditions of their provision, and Act No 373/2011 Coll., on specific health services;
- directly from data subjects in connection with the handling of complaints.
3. CATEGORIES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECT
The following categories of personal data are subject to processing:
- address and identification data that serve to uniquely and unmistakably identify data subjects, such as name, surname, date of birth, permanent address, etc.;
- contact data such as contact address, telephone number, email address, etc.;
- other data, such as bank details;
- other data necessary for the performance of the health care contract, in particular data on the health status of the data subject.
The data subjects whose data is processed by the data controller and to whom this information is addressed are:
- client/patient;
- potential client/patient.
4. PROCESSING AND PROTECTION OF PERSONAL DATA
Personal data are processed primarily in medical records in full compliance with applicable law. Their security and protection are ensured in accordance with these regulations and the General Regulation. Processing is carried out manually in paper and electronic form or automated by computer technology, in compliance with all security principles for the management and processing of personal data. To this end, technical and organisational measures have been taken by the controller, in particular to ensure that personal data cannot be subject to unauthorised or accidental access, alteration, destruction or loss, unauthorised transmission, unauthorised processing or other misuse. All entities to which personal data may be disclosed shall respect the right of privacy of data subjects and shall comply with applicable data protection laws and regulations.
5. PERIOD OF PROCESSING OF PERSONAL DATA
The controller processes personal data for the period of time necessary to fulfil the given purpose and in accordance with the time limits specified in the relevant generally binding legal regulations of the Czech Republic for the shredding and archiving of documents, or for as long as necessary for the establishment, exercise or defence of legal claims.
6. CATEGORIES OF RECIPIENTS OF PERSONAL DATA
The recipients of the subjects' personal data are:
- other providers of health services in the context of augmentative or follow-up health care and providers of selected health services, in particular external laboratories;
- public institutions, in particular health insurance companies;
- processors under contract with the controller to the extent necessary for the purpose of the processing, e.g. companies managing electronic medical record keeping systems, data storage or archiving providers, etc.;
- persons providing legal advice;
- state authorities in the performance of their statutory obligations under the relevant legislation.
7. INFORMATION ON THE RIGHTS OF THE DATA SUBJECT
You have the right, with respect to our company as the data controller:
(a) to request access to the personal data processed by the controller, which means the right to obtain confirmation from the controller as to whether or not personal data concerning you are being processed and, if so, to obtain access to such personal data and to the other information referred to in Article 15 of the General Regulation,
(b) to request the rectification of personal data processed about you if it is inaccurate. Taking into account the purposes of the processing, you also have the right in some cases to request the completion of incomplete personal data,
(c) to request the erasure of personal data in the cases provided for in Article 17 of the General Regulation,
(d) to request the restriction of the processing of data in the cases provided for in Article 18 of the General Regulation,
(e) to obtain personal data concerning you which we process by automated means for the performance of a contract concluded with you, in a structured, commonly used and machine-readable format, whereby you have the right to request that the controller transmit such data to another controller, under the conditions and with the limitations set out in Article 20 of the General Regulation, and
(f) to object to processing within the meaning of Article 21 of the General Regulation on grounds relating to your particular situation.
If we receive your request, we will inform you of the action taken without undue delay and in any event within one month of receipt of the request. This time limit may be extended by a further two months if necessary, taking into account the complexity and number of requests. Our company is not obliged to comply in whole or in part with the request in certain cases provided for in the General Regulation. This will be the case, in particular, if the request is manifestly unfounded or unreasonable, especially because it is repetitive. In such cases, we may (i) impose a reasonable fee taking into account the administrative costs involved in providing the requested information or communication or in taking the requested action, or (ii) refuse to comply with the request.
If we receive the above request but have reasonable doubt about the identity of the applicant, we may ask the applicant to provide us with additional information necessary to confirm his or her identity.
In addition, if you believe that personal data is not being processed lawfully, you have the right to bring your complaint directly to the Data Protection Authority at your usual place of residence, place of employment or place where the alleged breach occurred. If you have suffered damage other than pecuniary damage as a result of the processing of personal data, your claim shall be governed by a specific law.
The provision of personal data by patients is a legal requirement and the patient has a duty to provide it, just as a healthcare professional has the right to request it. Failure to provide it may mean that the controller will not be able to provide the patient with health services, which could result in harm to the patient's health or direct threat to his or her life.
MUDr. Leopold Rotter, Ph.D. - Managing Director