Subject of the Personal Data Protection Policy
The “BIOIATRIKI” Group (hereinafter referred to as the “Group”) ensures the security of your personal data and takes the appropriate technical and organizational measures to protect them in accordance with the current national and EU legislation, in particular the General Data Protection Regulation (EU) 2016/679, the respective national legislation, as well as the Decisions, Instructions and Opinions of the competent supervisory Authority.
The Group “BIOATRIKI” is composed in particular from the BIOIATRIKI HealthCare Group of Companies (BIOIATRIKI PRIVATE MEDICAL POLYCLINIC SA, BIOCLINIC OF ATHENS ANONYMOUS COMPANY – PRIVATE CLINIC PROVIDING HEALTH SERVICES, BIOCLINIC OF PIRAEUS ANONYMOUS COMPANY – PRIVATE CLINIC PROVIDING HEALTH SERVICES, BIOCLINIC OF THESSALONIKI ANONYMOUS COMPANY – PRIVATE CLINIC PROVIDING HEALTH SERVICES, GIANNOUKA CHEMISTRY LTD, ALPHA EVRESIS DIAGNOSTIC CENTER LTD, BIOIATRIKI DERMATOLOGY PRIVATE MEDICAL MEDICINE SOLUTION SA, BIOIATRIKI ERGOMETRIC CENTER SA, DIGITAL HEALTH SOLUTIONS SA) and the Associated Companies (FONEMED HELLAS SA TELEPHONE SERVICES, BIO – DENTAL DENTAL SA, CROSSBORDERMEDCARE HELLAS MEDICAL SA, CROSSBORDERMEDCARE FACILITATIONSA SA).
This Policy is valid and applied to all facilities and/or digital environments and applications, which belong to the Group and are related to its activity (indicatively mentioned): www.bioiatriki.gr, www.bioclinic.gr, www.biomedsmile.gr, www.bioiatrikiplus.gr, www.fonemed.gr, www.crossbordermedcare.com, www.labcy.com, www.evresisdiagnostic.com, www.bioiatrikidigital.gr.
The contact details of the “BIOIATRIKI” Group to which you have addressed and which is the Data Controller, are as follows:
Name: BIOIATRIKI PRIVATE MEDICAL POLYCLINIC SA.
Postal address: 132, Kifisias St. and Papadas St., PO Box 115 26, Athens
Email address: email@example.com
Contact phone: +30 210 6966000
For the purposes of this Policy, the following terms shall have the following meanings:
“Personal Data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, in an identity number, in location data, in an online identifier, or in one or more factors that characterize the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
“Special categories of personal data”: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of unambiguous identification of a person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
“Processing any operation or series of operations carried out with or without the use of automated means, on personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, information retrieval, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.
“Data Controller”: the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and means of processing personal data; when the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be provided for by Union law or the law of a Member State.
“Data Processor”: the natural or legal person, public authority, agency or other entity that processes personal data on behalf of the data controller.
“Data Subject”: the natural person whose personal data is processed, e.g. customers, employees, etc.
“Recipient”: the natural or legal person, public authority, agency or other body to which the personal data is disclosed, whether it is a third party or not. However, public authorities that may receive personal data in the context of a specific investigation in accordance with Union or Member State law are not considered as recipients; the processing of such data by said public authorities is carried out in accordance with the applicable data protection rules depending on the purposes of the processing.
“Third party”: any natural or legal person, public authority, agency or body, with the exception of the data subject, the data controller, the data processor and the individuals who, under the direct supervision of the data controller or the data processor , are authorized to process personal data.
“Consent” of the data subject: any indication of will, free, specific, explicit and fully informed, by which the data subject manifests that he agrees, by statement or by a clear positive action, to be the subject of processing of the personal data that may concern it.
“Personal Data Breach”: the breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted, stored or otherwise processed.
“Anonymization”: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject.
“Pseudonymization”: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that cannot be attributed to an identified or identifiable natural person.
“Genetic data”: the personal data relating to the genetic characteristics of a natural person inherited or acquired, as derived, in particular, from the analysis of a biological sample of the said natural person and which provide unique information about the physiology or health of the said natural person.
“Biometric data”: personal data resulting from special technical processing linked to physical, biological or behavioral characteristics of a natural person and which allow or confirm the unmistakable identification of the said natural person, such as facial images or fingerprint data.
“Health data”: personal data related to the physical or mental health of a natural person, including the provision of health care services, and which reveal information about their state of health.
“Existing legislation”: The respective national and EU legislation on personal data protection and specifically the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”), the Greek Law 4624/2019, the Cypriot Law 125(I )/2018, as applicable, as well as the Decisions, Instructions and Opinions of the Greek Personal Data Protection Authority and the Office of the Personal Data Protection Commissioner (Cyprus).
General Principles of Personal Data Processing
The Group collects and processes your personal data in accordance with the following processing principles:
Legality, objectivity, transparency: The Group collects and processes your personal data legally, in a transparent manner.
Purpose limitation: The Group processes your personal data only for specified, explicit and lawful purposes.
Data minimization: The Group takes appropriate technical and organizational measures, so that the personal data it processes are appropriate, relevant and limited to what is necessary for the purposes for which they are processed.
Accuracy: The Group ensures that the personal data it maintains and processes is always accurate and up-to-date.
Limitation of the storage period: The Group does not retain personal data for a period longer than the purposes for which they were collected and processed. However, the Group may retain them for a longer period of time if the processing of such data is necessary:
a) in order to comply with a legal obligation that imposes the processing based on a provision of law, b) for the performance of a task carried out in the public interest, c) for reasons of public interest, d) for archiving purposes in the public interest, or for the purposes of scientific or historical research, or for statistical purposes, after taking the appropriate technical and organizational measures, including their pseudonymization, and only if these purposes cannot be served through the anonymization of the data,e) for the establishment, exercise or defence of legal claims .
Integrity and confidentiality: The Group ensures that the collection and processing of your personal data is carried out in a secure manner, using appropriate technical and organizational means, to protect it from any unauthorized or illegal processing and accidental loss, destruction or deterioration.
Personal Data We Collect
The Group collects and processes your personal data only if it is absolutely necessary, appropriate and adequate for the achievement of its intended purposes. In particular, the personal data we collect and process are summarized in the following:
Method of Collection of Personal Data
The collection of personal data is carried out by both physical and electronic means on a case-by-case basis, as indicated:
At the reception and service points of the Group Companies, when filling out various forms or when communicating with us electronically, when using our call center or our websites to schedule an exam or receive another medical or non-medical service through the use of our online service «Digital Health Record», when providing primary or secondary health care medical services to you following information that you give us or that arise during your examination or are the results of your medical examinations, when you notify us of your wish to make use of your insurance contract, when you apply to work for our Group, when you are hired as an employee in our Group, when you contract as a partner/supplier with the Group or our individual Companies, when you submit a request to receive a newsletter, when you enter a Group Company area, which is monitored by closed circuit television (CCTV) and security cameras.
Purposes and legal bases for processing of your personal data
The personal information collected by the Group is used for the following processing purposes, namely:
For the provision of health services, i.e. the planning of the medical visit and/or – after prior identification of the examinees – the provision of primary and secondary health care medical services and medical care in general, the sending/delivery to you of the results of your medical examinations, to retain and update your medical file, etc. Regarding the processing of special categories of data, i.e. sensitive data (health data, biometric and genetic data), the processing is necessary for the purposes of preventive medicine, diagnosis, provision of health care services or treatment. The legal basis for processing of the said data is: (a) in principle, the necessity of processing your data for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care or treatment or pursuant to a contract with a health professional, as well as (b) the necessity of processing for the performance of obligations and the exercise of specific rights of ours or yours in the field of employment and social security and social protection law or for the performance of a task carried out in the public interest, (c) the necessity of processing the data to protect the vital interests of you or the person you accompany, (d) the necessity of processing your data for the establishment, exercise or defence of rights and legal claims in cases concerning medical liability and the provision of health services in general, (e ) the necessity of processing the data for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and medicines or medical devices, as provided for by law. We will never process your medical data if one of the above legal bases does not exist and we have not previously obtained your explicit consent, after first informing you for the purposes of the processing. In the event that you use a public insurance fund/body, some of your personal data will be processed on the legal basis of the relevant processing, the necessity of processing your personal data for the purposes of providing health or social care, as well as the necessity of processing for the performance of obligations and the exercising specific rights of yours in the field of social security and social protection law or for the fulfillment of a duty performed in the public interest.
For the compliance of the Group and its affiliated Companies with their legal obligations, such as compliance with the Code of Medical Ethics (Law 3418/2005) or compliance with tax, insurance legislation, etc. Legal basis of processing in this case is the compliance of the Group Companies with their legal obligations.
To safeguard and protect the legal interests of both natural persons (e.g. patients, visitors) and the Companies of our Group. e.g. we use closed circuit television (CCTV) and security cameras, in order to be able to protect the safety of individuals, materials, facilities, in accordance with the more specific conditions provided for the installation of cameras in medical institutions. The legal basis for processing in this case is the legal interest of the Group Companies.
To send newsletters concerning the Group’s news, so that you are informed about the innovations, products, and offers of the Group. The legal basis for processing in this case is your prior explicit consent.
Upon your prior identification for our communication and the management of your requests, whether related to personal data protection issues or to the quality of your service. The legal basis for processing in this case is the legitimate interest of the Group Companies and/or the Group’s compliance with its legal obligations, in accordance with Existing Legislation.
To extract statistical data, upon prior anonymization of your data. The legal basis for processing in this case is the necessity for the extraction of statistical data.
For the purposes of scientific research and the conduct of clinical studies/trials and/or other clinical research programs, upon prior pseudonymization of your data. The legal basis for processing in this case is the need for scientific research, as long as the necessary technical and organizational measures are taken, e.g. pseudonymization, encryption, as well as compliance with legal obligations. We will only ask for your consent for your participation in the relevant research programs.
For the lawful conclusion and execution of contracts concluded by the Group with third parties. The legal basis for processing in this case is the necessity to process your data in the context of the performance of our contractual obligation or during the pre-contractual stage.
So that the Group can hire staff or contract with external partners (e.g. doctors, nurses, etc.). The legal basis for processing in this case is: (a) the necessity of processing the data in question, in the context of the execution of our contractual obligation or during the pre-contractual stage and (b) the necessity of processing for the execution of our obligations and the exercise of our specific rights or yours in the field of employment and social security and social protection law or for the performance of a task carried out in the public interest.
Transmission of personal data
The Group may transmit the above personal data to:
Third parties to whom he has entrusted the processing of personal data on his behalf. In particular, the Group may transmit your personal data to partners belonging to its medical network, who act on its behalf, contractually bound with the companies of the Group to provide independent services (e.g. to partner doctors for diagnosis purposes or clinical audits, partner physiotherapists/dentists/nutritionists/psychologists), collaborating diagnostic centers, collaborating clinics and hospitals, collaborating laboratories) or/to third partner companies that process your personal data on behalf of a Group company. In particular, in regards to the partners employed within the Group Companies, they may have access to the details of the medical file kept by the Groupon your behalf, in cases where it is necessary for the evaluation and assessment of your health condition during the provision of medical services and issuing medical opinions, findings, etc. In any case, the third parties to which subjects’ data may be transmitted, are contractually bound towards the Group, in order to ensure the obligation of confidentiality as well as all obligations provided for by the Existing Legislation. In all the above cases, the Group, defines the individual elements of the processing, signs special contracts with the third parties to whom it assigns the execution of specific processing activities, ensuring that the processing is carried out in accordance with the Existing Legislation. These third parties are contractually committed to the Group that they will process your personal data only for the specific and contractually defined purposes and will not transmit/or communicate it to third parties, unless required by law.
To your public insurance institution/fund in case you benefit from it.
In private insurance/employer companies. The Group, through its Companies, may transmit your sensitive personal data (health data) to cooperating third-party Companies to cover the cost of the medical services provided to you or to affiliated private insurance companies within the European Union and the EEA for your insurance coverage, provided that your prior explicit consent has been given before such transfer. Your medical data will not be transmitted to your insurance/employer Company without your prior explicit consent. Furthermore, at your request, the Group transmits to your insurance company, your recorded conversation with its telephone, coordination and IT center-company of the Group, under the name FONEMED HELLAS SA. or sends written information about your communication and the progress of your scheduled visits.
To Group Companies, to the extent that this transmission is necessary to serve your requests and the purposes of the Group, obtaining the necessary consent where required. In particular, the Group, with the aim of providing excellent and high-quality medical services, maintains a common electronic database of primary health care medical results and transfers your data within the group, whenever this is deemed necessary, for the management and the provision of medical services to you.
To judicial and prosecuting authorities, as well as other public authorities (e.g. Tax authorities, etc.) in the performance of their duties of its own motion or at the request of a third party citing a legitimate interest and in accordance with legal procedures. In addition, for reasons of protection of the public interest in the field of public health, we may, in accordance with the relevant legislation, transmit your personal data to the competent authorities, such as e.g. the National Public Health Organization (EODY).
In the event that the transmission involves a country outside the European Union (EU) or the European Economic Area (EEA), in the context of conducting examinations and analysis of biological material for rare diseases or to third countries and/or organizations for the conduct of clinical studies/ tests or in order to cover the total cost of the services provided to you (e.g. your insurance company), the Group checks whether:
The Commission has issued a relevant adequacy decision for the third country to which the transfer will take place.
The appropriate safeguards are observed in accordance with the Existing Legislation for the transmission of the said data.
Otherwise, the transmission is prohibited and the Group will not transmit your personal data to a third country, unless one of the special exceptions provided by the Existing Legislation apply (e.g. express consent as well as your notification regarding the risks involved in the transmission, the transmission is necessary for the performance of a contract at your request, there are reasons of public interest, it is necessary to support legal claims and vital interests of the subjects, etc.).
Personal Data Retention Period
The personal data collected by the Group are kept for a predetermined and limited period of time, depending on the purpose of the processing, after which the data is deleted and/or securely destroyed, unless a different period is provided for or permitted by the applicable legislation.
Your personal data retention period is indicatively defined based on certain specific criteria and on a case – by – case basis. Indicatively:
(a) Your personal data shall be kept for the entire duration required by the purpose of their processing and/or the applicable legal framework. At the end of this period, in accordance with the current regulatory framework, the data shall be kept for the time period provided upon termination of the contractual relationship or for as long as it is required in order to defend the rights of “BIOIATRIKI” Group before a Court or other competent Authority. The applications including the attached CVs that you send to us, are kept for a period of two (2) years in order to evaluate them for a certain position and after the two-year period, we destroy or delete them securely.
(b) In cases where the processing is imposed as an obligation under the applicable legal framework, your personal data will be stored at least for as long as the relevant provisions impose. In particular, and in accordance with article 14 of the Code of Medical Ethics L.3418/2005, medical record keeping is required for a period of 10 years from the patient’s last visit to private medical practices and other primary health care units of the private sector and for twenty years (20 years) from the patient’s last visit in any other case. In particular, the brief medical history that you may provide to us prior to the performance of diagnostic tests is only kept for as long as necessary for the diagnosis of the test, after which it is securely destroyed.
(c) For the Companies of our Group, GIANNOUKA CHEMISTRY LTD and ALPHA EVRESIS DIAGNOSTIC CENTER LTD based in Cyprus, in accordance with the Directive issued by the Commissioner for Personal Data Protection entitled “Time period of retention of personal data relating to health “, the retention period of personal data relating to the health of the data subject does not exceed fifteen (15) years after the death of the subject or fifteen (15) years after the last entry of data relating to a data subject in a filing system by the aforementioned Companies of our Group . This period of time is valid given that there are no financial/legal or other pending matters or differences between the data subject and the Companies of our Group.
(d) In any other case where the processing is based on your consent, your personal data is kept until your consent is withdrawn, without prejudice to the lawfulness of the processing based on consent during the period prior to its withdrawal. In order to withdraw your consent, you must submit a request to the Group’s Data Protection Officer (DPO) (see below for his contact details). Alternatively, and for the purposes of promoting the Group’s products and services, you can also use the unsubscribe options, by following (clicking) on the corresponding link (link), which exists in our electronic communications. For as long as your email address remains in our database, you will receive periodic email notifications from us.
(e) The physical record with the medical results of your examinations and generally, files with medical content that you receive, are kept for sixty (60) days from the date of the examination/issuance at the delivery office of each Unit-Company in which you perform the examinations, unless you choose to have them sent to your email address or by courier to your postal address, whichever company of our Group provides this possibility. At the same time, they are registered and kept in electronic form, while the physical file, upon expiry of the above 60-day period, is safely destroyed according to the stipulated and secured procedure. The digital files with your electronic signature in which you indicate the way of receiving your exam results other than the personal receipt of the results by you or a third person that you shall indicate and the granting of your consent to receive newsletters, informative material and offers of our Group, the provision of your consent for any transmission, are kept for as long as is required to satisfy its respective purpose, and after the fulfillment of its purpose, are kept for a period of five (5) years.
(f) The data we collect when you submit a request, as well as the relevant file in which it is recorded, are kept for twenty (20) years from the date of collection.
Security of Personal Data
Taking into account the latest developments, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons affected by the processing the Group implements the necessary technical and organizational measures to protect your personal data. Although no method of transmission via the Internet or method of electronic storage is completely secure, the Group takes all the necessary digital data security measures (antivirus, firewall, etc.) etc. At the same time, the Group adopts the required security measures such as ISO 27001, installation video surveillance system (CCTV), alarm system, etc.
Data Protection Impact Assessment (DPIA)
When a processing may entail a high risk for the rights and freedoms of natural persons, the Group carries out, before the processing, an assessment of the impact of the intended processing operations on the protection of personal data (“impact assessment”). An impact assessment is a process designed to describe the processing, assess its necessity and proportionality, and assist in risk management by assessing and defining countermeasures. It is not required for every form of processing, but only in cases where a form of processing is considered high risk. In the framework of the impact assessment, the nature, extent, general context and purposes of the processing are taken into account in order to assess whether a risk is likely to occur, as well as the seriousness of this for the rights and freedoms of the subjects.
The Group may decide to carry out an impact assessment for processing, even if the Existing Legislation does not consider this mandatory. Furthermore, it is not mandatory to draw up a separate impact assessment for each form of processing, but a set of similar processing operations, which entail similar high risks, can be included in one impact assessment.
In particular, the carrying out of an impact assessment is required in all cases in which the processing “may entail a high risk for the rights and freedoms of natural persons”. Indicative examples are as follows:
Cases of systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing (including profiling) and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.Cases of large-scale processing of special categories of data (sensitive data).
Cases of systematic processing of personal data.
Breach of Personal Data
In the event that an incident of violation takes place, the Group follows a specific procedure for handling incidents of violation of the security of your personal data. In the event that you realize or suspect that a breach of your personal data may have taken place, please inform us without delay at the email address: firstname.lastname@example.org.
The Group ensures that it is able to respond immediately to requests to exercise your rights in accordance with Existing Legislation. These rights are the following:
(a) Right to withdraw consent:
In cases where the processing is based solely on your prior consent, e.g. for marketing activities, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on the consent in the period prior its withdrawal.
(b) Right of access and information:
You have the right to know that the personal data concerning you are being processed and to verify the legality of the processing. Therefore, upon your request you have access to the data and can receive additional information about its processing, to whom we transmit it and for what purpose we process it. With regard to your medical file, you may access your medical records at any time, as well as download copies of the file, for free.
(c) Right of rectification:
You have the right to complete, correct, update or modify your personal data.
(d) Right to erasure:
You have the right to request the deletion of your personal data, unless there is a legitimate reason for the Group to further retain them.
In particular due to our legal obligation, your medical data and everything related to it (i.e. your first name, last name, gender, age (date of birth), occupation, your address, the dates of your visit , as well as any other essential information related to the provision of healthcare services , such as, but not limited to and depending on the specialty, your health complaints, your medical history, the reason for your visit, the primary and secondary diagnosis or treatment followed) shall not be deleted in the event that you exercise this right.
(e) Right to restrict processing:
You have the right to request the restriction of the processing of your personal data in the following cases: (1) when you dispute the accuracy of the personal data and until verification, (2) when you object to the deletion of personal data and request instead the restriction of its use, (3) when the personal data is no longer necessary for us, but is nevertheless necessary for you to establish, exercise, support legal claims, and (4) when you object to the processing and until it is verified that there are legitimate reasons that concern us and override the reasons for which you object to the processing.
(f) Right to object to processing and right to object to automated individual decision-making, including profiling:
You have the right to object at any time to the collection and processing of your personal data in cases where, as described above, it is necessary for legitimate interests pursued by the Group. However, it is pointed out that the Group does not use an automated decision-making process.
(g) Right to Portability:
You have the right to receive, free of charge, after your identification, your personal data in a structured, commonly used and machine-readable format (pdf, word, etc.). You also have the right to ask us, if technically possible, to transfer the data directly to another data controller (e.g. your personal doctor). This right exists for the data you have provided to us and their processing is carried out by automated means based on your consent or for the execution of a relevant contract.
In case of exercising any of the rights mentioned below, the Group will respond to you within one (1) month from the receipt and identification of your relevant request. This deadline may be extended by two (2) more months, if necessary, taking into account the complexity of the request and the number of requests. In this case, the Group will provide you with relevant information on the extension in question within one (1) month of receiving the request, as well as on the reasons for the delay. If the request is submitted by electronic means, you shall be informed in the same way, unless you request otherwise. If your request is manifestly unfounded or excessive, in particular due to its repetitive nature, the Group may condition its satisfaction on the payment of a reasonable fee or refuse to respond to the said request.
Right of Appeal to the Personal Data Protection Authority/ to the Office of the Personal Data Protection Commissioner. For any complaint you have regarding this policy or personal data protection issues, if we do not satisfy your request, you can address the Hellenic Data Protection Authority through the following link: www.dpa.gr, at the following contact details: Ave. Kifisias 1-3, P.O. 115 23, Athens, +30 210 6475600, +30 210 6475628, email@example.com or to the Office of the Commissioner for Personal Data Protection through the following link: www.dataprotection.gov.cy, at the following contact details Office address: Iasonos 1 , 1082 Nicosia, Postal address: P.O. 23378, 1682 Nicosia, Phone: +357 22818456, Fax: 22304565, Email: firstname.lastname@example.org.
Data Protection Officer (DPO) contact details
To exercise all of the above rights, as well as for any issue regarding the processing of your personal data, you may contact the Group’s Data Protection Officer, at the email address email@example.com.
Disclaimer for Third Party Websites
In case there are links on our websites that redirect you to third party websites, we inform you that the Group does not control or is responsible for the content of these websites, nor for the way in which your personal data is processed.
Last Review: July 2022