Privacy Notice of

Creta InterClinic

Introduction

We would like to assure you that for Creta InterClinic, the protection of our customers’ personal data is of paramount importance. That is why we are taking appropriate steps to protect the personal data we process and to ensure that the processing of personal data is always carried out in accordance with the obligations laid down by the legal framework, both by the company itself and by third parties who process personal data on behalf of the company.

Data Controller – Data Protection Officer (DPO)

The Company ‘’CRETA INTERCLINIC S.A’’ having its registered office at Heraklion (Crete), Minoos 63, email: info@cic.gr, tel: +302810 373800, website: www.cic.gr, informs that, in the context of its business activities, it processes personal data of its customers in accordance with the applicable national legislation and the European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as the “Regulation”) as it is currently in force.
For any matter concerning the processing of personal data, please contact the Data Protection Officer directly (DPO)

email: dpo@cic.gr
tel: +302810 373800

What is the purpose of the processing and how we use your personal data?

We process the personal data you provide us [i.e. name, email, mobile/landline telephone, data concerning health], only when we have a legitimate reason to do so.
Legal grounds for processing your personal data are:
(a) the consent you provide us with under the specific conditions set by the legal framework, such as the management of service satisfaction questionnaires, complaints and the transfer of special categories of your personal data to your insurance company, such as data concerning health,
(b) the provision of the services you appoint us for and you wish to receive from us,
(c) compliance with an obligation imposed by law, such as the Code of Medical Ethics/Legislation no 3418/2005,
(d) the safeguarding and the protection of our legitimate interests. Therefore, we use closed circuit television (CCTV) and security cameras to be able to protect the security of individuals, materials, facilities in accordance with the specific requirements regarding the installation of cameras in hospitals,
(e) as regards the processing of special categories of data (data concerning health), the processing which is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment

To whom we transfer personal data

‘’CRETA INTERCLINIC S.A.’’ transfers personal data to third parties who have been entrusted by the company with the processing of personal data on its behalf, for instance, external associates, collaborating doctors, diagnostic centers etc. In these cases, ‘’CRETA INTERCLINIC S.A.’’ remains the controller of the processing of your personal data and sets out the details of the processing, signing a specific contract with the third parties assigned with processing activities, in order to ensure that the processing is carried out in accordance with the applicable legal framework and that any individual may freely and without hindrance exercise the rights conferred on him/her by the legal framework.
In addition, in the context of compliance with the legislative and regulatory framework, the personal data are transmitted to the competent Public Authorities – judicial, police, administrative, supervisory, fiscal, public or private bodies, natural or legal persons of public or private law, in order to fulfill our legal obligations.
Moreover, and only subject to your own consent, which meets the specific legality conditions set out in the legal framework, it is possible to transfer special categories of your personal data, such as health data, to your insurance company.

Storage Time

The data storage time is decided on the basis of the following specific criteria, as appropriate on each case:
When the processing is based on your consent, then the personal data are stored until their withdrawal. You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
To withdraw your consent please contact the Data Protection Officer (DPO) of at the following contact details:

Email: dpo@cic.gr
telephone: +302810 373800

When the processing is based on a contractual relationship, your personal data are stored for as long as is necessary to perform the contract and for the establishment, exercise or defense of our legal claims in accordance with the contract.
When the processing is necessary for compliance with legal obligations under the applicable legal framework such as the applicable tax legislation, your personal data will be stored for as long as required by the relevant provisions. In particular, as regards health data, and in accordance with the Code of Medical Ethics Law no 3418/2005, article 14, a medical record shall be stored for a period of 20 years from a provision linked with the need to preserve your life, health and appropriate treatment. If time limits change, we will notify you of any changes.

What are your rights with respect to your personal data?

Any natural person whose data are being processed by ‘’CRETA INTERCLINIC S.A.’’ enjoys the following rights:
Right of Access:
You have the right to be aware and verify the legitimacy of the processing. So, you have the right to access the data and get additional information about how your date are processed.

Right to Rectification:
You have the right to study, correct, update or modify your personal data by contacting the Data Protection Officer (DPO) with the above-mentioned contact details.

Right to Erasure (“Right to be forgotten”):
You have the right to request the erasure of your personal data when we process them based on your consent or in order to protect our legitimate interests. In all other cases (for example, when there is a contract, or an obligation to process personal data required by law or for public interest reasons), this right is subject to specific restrictions or may not apply, depending on the case.

Right to Restriction of Processing:
You have the right to obtain from us restriction on the processing of your personal data where one of the following applies:
(a) the accuracy of the personal data is contested and until such accuracy is verified;
(b) you oppose the erasure of your personal data and request (instead of erasure) the restriction of their use;
c) personal data are not needed for the purposes of processing, but they are, however, required for the establishment, exercise or defense of legal claims; and
(d) you object the processing pending the verification whether our legitimate grounds override those of yours.

Right to Object:
You have the right to object at any time the processing of your personal data where, as described above, such processing is necessary for the purposes of legitimate interests we seek as controllers.

Right to Data Portability:
You have the right to receive your personal data free of charge in a format that allows you to access, use, and edit them, using commonly used editing methods. You also have the right to ask us, if technically feasible, to transmit the data directly to another controller. This right concerns the data you have provided to us and their processing is carried out in a commonly used format based on your consent or in order to perform a contract.
The abovementioned rights are subject to specific restrictions or, where appropriate, not existing, considering the specific legal framework. For instance, the Right to Erasure does not apply to the processing of data in the field of health services, given the mandatory maintenance of a medical record, in accordance with the Code of Medical Ethics.
In order to exercise any of the above-mentioned rights you may refer to the Data Protection Officer (DPO)

email: dpo@cic.gr
tel: +302810 373800

Right to lodge a complaint with the Hellenic Data Protection Authority
You have the right to file a complaint with the Hellenic Data Protection Authority (www.dpa.gr): Telephone: +30 210 6475600, Fax: +30 210 6475628, email: contact@dpa.gr

Personal Data Security

‘’CRETA INTERCLINIC S.A.’’ implements appropriate technical and organizational measures aimed at the safe processing of personal data and the prevention of accidental loss or destruction and / or unauthorized access to, use, modification or disclosure thereof. In any case, the way in which the internet operates and the fact that it is free to anyone cannot guarantee that unauthorized third parties will never be able to violate the applicable technical and organizational measures by gaining access and possibly using personal data for unauthorized and / or unfair purposes.

Additional Data When Data are Collected by Third Parties and Not Directly from the Natural Person

We may receive your health data from third parties, such as patient escorts.
In addition, we may receive your identification information from the associated insurance companies.