Privacy Policy

Company Details
IATRIKO THRIASIO S.A.
VAT Number: 998576140, Tax Office: LARISSA
6th km Larisa – Kozani
TYRNAVOS, 401 00
Branch:
Nikitaras and Meleti Miliou
Magoula, Attica, 196 00

GENERAL INFORMATION
This Privacy Policy outlines the terms and conditions that are adhered to by the Rehabilitation Center to protect the privacy of patients, companions, family members, and all kinds of supporters, visitors, and collaborators, whose personal data are processed for the provision of healthcare services (nursing and medical services). The Rehabilitation Center takes the privacy of its patients, clients, and visitors very seriously, and for this reason, it implements this Privacy Policy, which ensures a high level of information security and complies with the applicable legal and regulatory framework. The purpose of this Policy is to inform you about how we collect, store, and process the information concerning you, such as the personal data that you or your insurance provider provide us when you choose to receive healthcare services from our Rehabilitation Center, or health data that arise from the provision of our medical services and from your medical record.

DATA
The data concerning hospitalized patients are collected directly from the patients themselves, their supporters, and from documented information/documents they provide, as well as from independent third-party sources, such as doctors and laboratories that provide health data like referrals, analyses, diagnostic results, etc. All personal data concerning you are collected and stored for the necessary duration, for specific, explicit, and lawful purposes, processed lawfully and fairly in a transparent manner, in accordance with the applicable legal framework, and in a way that guarantees their integrity and confidentiality. The controller of the stored file is the Rehabilitation Center. The data processed by the Rehabilitation Center include “personal data,” information concerning identified or identifiable natural persons, as well as “special category personal data,” including genetic, biometric, and health-related data, i.e., information relating to the physical or mental health of a person, including the provision of healthcare services, which reveals information regarding their health status. This data is relevant, appropriate, and necessary for all stages of processing and not more than required in view of the purposes outlined in section 4 of this document. The data is accurate and, if necessary, is updated. In the event of a change/alteration in the nature of the data of the hospitalized person and/or directly insured person, requiring the use of the data to necessitate additional information and consent, the Rehabilitation Center will immediately inform the client in an appropriate manner and obtain their consent before any further action regarding the modification, update, or retention of such records.

LEGAL FRAMEWORK
The legal framework protecting personal data, which governs this Privacy Policy and the operation of the Rehabilitation Center, mainly consists of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), as well as any laws or regulations issued in accordance with or to implement the above General Regulation, as well as any national legislation related to the processing and protection of personal data in general and particularly sensitive personal health data. Indicative legislation includes: Law 3418/2005, Medical Ethics Code, Law 2071/1992, Modernization and Organization of the Health System, Law 2619/1998, Convention on Human Rights and Biomedicine, Law 3471/2006, “Protection of personal data and privacy in electronic communications,” Law 2774/99 regarding medical confidentiality, relevant regulatory acts of the competent independent authorities.

PURPOSE & LEGALITY OF PROCESSING
According to the above legal framework, the Rehabilitation Center is authorized to collect and process personal data of patients, hospitalized persons, and insured individuals, directly or indirectly, as well as legally authorized supporters of patients, to complete the medical work, which includes admission, hospitalization, monitoring, medical and pharmaceutical treatment, diagnosis, handling insurance matters, payment, discharge of the patient, and the issuance of certificates. The primary purposes for processing your data by the Rehabilitation Center, as described below, make the process lawful: The Rehabilitation Center stores and processes the personal data that you or another person on your behalf provide, a) for the execution of the healthcare services contract that you or another legal or natural person have signed on your behalf, b) to safeguard your vital interests (the information relates to actions that directly concern your health status), c) to fulfill legal obligations towards the public and organizations or the interest of the Rehabilitation Center, d) based on your consent. The Rehabilitation Center stores and processes special category data (health data), i.e., medical history, diagnostic tests, medical opinions, etc., which you provide yourself or another person on your behalf, and the medical data arising during your hospitalization, a) to provide medical services – preventive or professional medical services, medical diagnosis, healthcare and treatment, b) to manage obligations to health organizations, health insurance institutions, and social security organizations, b) to safeguard your vital interests, as medical data are crucial to the success of medical work, c) with your explicit consent and acceptance of the terms of cooperation with us.

CONSENT
Your consent upon admission to the Rehabilitation Center is essential because: a) we confirm your information and communication, b) we verify the accuracy of your data, c) we identify the authorized persons you choose as companions or representatives, d) you are granted access to third-party services you may require. Refusing to provide consent for the required collection, processing, or transmission of data does not imply the inability to provide the requested medical services. The Rehabilitation Center reserves the right to make further updates and requests for consent from its clients if deemed necessary and will ensure the necessary notifications and approvals from the competent authorities.

RIGHTS
Clients of the Rehabilitation Center have rights regarding their personal data maintained by the Rehabilitation Center and its content, and the process of exercising these rights is provided for by current legislation. The exercise of rights by hospitalized/insured persons is free of charge and can be done by written request to the Data Protection Officer (DPO) of the Rehabilitation Center. The legislation for the protection of your personal data provides the following rights:

• Right to access: to be informed about what data are being processed by the Rehabilitation Center, the source, the purposes, and the legal basis for their processing, any third parties who receive personal data, especially in third countries, and the retention period.
• Right to rectification: to correct any inaccurate personal data to ensure they are accurate and up to date.
• Right to completion: to complete any incomplete information, such as medical history documents.
• Right to erasure: personal data of hospitalized/insured individuals are erased only in the following cases: i) after the mandatory retention period set by law has passed or when the data subject is deceased, ii) when you withdraw your consent upon which the processing is based and no other legal basis for processing exists.
• Right to data portability: to receive and transfer your personal data to another healthcare provider, hospital, or doctor.
• Right to object: to oppose the processing of your data and to withdraw your consent at any time (without retroactive effect).
  These rights may be limited due to the obligation to comply with another law, such as when you request the deletion of data, and we are obliged to retain them according to the law. For all the above, for your requests and for any questions regarding your personal data, you can contact the Rehabilitation Center at the contact details provided at the end of this document. The Rehabilitation Center follows specific procedures to manage its clients’ requests regarding data and provides related forms. For your requests, please contact the Operations Office or the Data Protection Officer (DPO). The Rehabilitation Center will respond to your request, whether it can satisfy it or not, and provide the requested information promptly and, in any case, within one month of receiving the request. In exceptional cases, considering the complexity of the request or the number of requests being handled, the above deadline may be extended by up to two months if needed. The Rehabilitation Center will inform you about any extension within 30 days of receiving the request, as well as the reasons for the delay. If you believe that your rights regarding the protection of personal data are being violated, you have the right to file a complaint with the Data Protection Authority (email: complaints@dpa.gr) and also the right to appeal to the competent judicial authorities.

DATA TRANSFER AND TRANSMISSION
According to the applicable legal framework, the Rehabilitation Center may process and transmit simple or special category personal data of the Patient/hospitalized person (Personal details, AMKA, medical records, prescriptions, etc.) as well as simple personal data of the directly insured to:
a) Public, national & European healthcare and social security systems, insurance providers (e.g., EOPYY, EFKA, IKA) and Health Services involved in any way in the provision of the Rehabilitation Center’s Medical Services or in the issuance of health/social security certificates and payment management,
b) Private insurance providers according to your legal relationship with them,
c) Private companies and professionals who contribute to the execution of medical work under our contracts, for the purpose of providing healthcare services (sending data, biological samples to contracted diagnostic & biochemical laboratories),
d) Organizations and services collecting data for statistical and scientific purposes (Statistical service, Child Health Institute, universities, etc.),
e) Competent supervisory, police, and judicial authorities for the prevention, investigation, and suppression of any criminal offenses,
f) Public hospitals, EKAB, blood donation units where immediate transmission of medical data and provision of information is required in cases of emergencies (e.g., transfers, immediate blood transfusion, etc.),
g) The Legal advisor of the Rehabilitation Center to comply with legal procedures to protect the rights, property, and corporate reputation of IATRIKO THRIASIO S.A., its scientific officers, staff, and clients, as well as to collect and settle client debts and ensure our compliance with policies governing our Services,
h) Tax authorities for the purpose of public tax auditing (e.g., AADE, SDOE), where access to patients’ medical files constitutes a lawful purpose for processing, as provided by the relevant authority under the applicable legislation. For this processing, no license is required for the healthcare institution, and the institution is also exempt from the obligation to notify the patients in advance. This is also stipulated in Article 82, paragraph 2 of the Income Tax Code, as amended by Article 32, paragraph 3 of Law 3986/2011. The Rehabilitation Center, as well as any third-party provider or organization involved in any way in the process of completing the provision of Medical Services (e.g., banks, organizations, EOPYY, EFKA, IKA, HDIKA, etc.) has the right to seek information and data from legally maintained information files and databases concerning the hospitalized/patient and related to medical acts, prescriptions, and hospitalizations, for which purpose the client/hospitalized person unequivocally gives consent. The Rehabilitation Center does not provide personal and medical data to any third parties, companies, organizations, or bodies for scientific, commercial, advertising, or marketing purposes, except for the exceptions described in this paragraph. The Rehabilitation Center does not conduct mass promotional activities or communication programs to individuals using the collected data.

DATA RETENTION PERIOD
The Rehabilitation Center IATRIKO THRIASIO S.A. is required to maintain both paper and electronic records containing the patients’ data, hospitalization details, and medical procedures carried out within the Rehabilitation Center for the minimum time periods set by the applicable national legislation. Specifically, as stated in the Code of Medical Ethics (N.3418/2005, FEK A 287/28.11.2005): The obligation to maintain medical records applies: a) in private practices and other primary healthcare units in the private sector, for ten years from the patient’s last visit, and b) in all other cases, for twenty years from the patient’s last visit. This means that even in the case of the definitive completion of medical work and the discharge of the patient, the Rehabilitation Center is required to retain the legally required data and the medical file for as long as prescribed. Access to and rights regarding this data for the hospitalized individual are determined by legislation. Tax records are maintained in accordance with tax legislation and the relevant Accounting and Taxation laws (K.F.A.S.).

SECURITY AND DATA PROTECTION
The Rehabilitation Center IATRIKO THRIASIO S.A., in addition to this privacy policy regarding the personal data it collects and processes, also implements a comprehensive Information Security Policy with a focus on the provided medical/nursing services and their integration with electronic platforms and systems of Insurance Funds and public services. The Rehabilitation Center applies specific security procedures for both digital and physical records, as well as a set of technical and organizational measures for the protection of personal data, and also provides training to its staff on related subjects. It is recommended that patients and their companions become familiar with the Information Security policy implemented by the Rehabilitation Center, as well as the Code of Ethics followed by its staff and collaborators. Our informational website operates with cookies, and more information about their use is provided in the Cookies Policy available on our official website. The Rehabilitation Center stores all of its files (both digital and physical) on-site and does not use external providers for data processing and storage (e.g., servers, cloud services, file storage, safes, etc.).

CONTACT INFORMATION
Operations Office: 214 404 9400
Contact with Data Protection Officer (DPO): dpo@atticarehab.gr
Last update date: 25/02/2020