Terms of personal data processing
DoktorPRO s.r.o., registered office: Ružinovská 40, 821 03 Bratislava, identification number: 50 372 394, a company registered in the commercial register of the District Court of Bratislava I, in the department: Sro, in the insert No. 112320/B (hereinafter referred to as the "operator"), as an operator and provider of medical services, guarantees the safety and protection of entrusted personal data in full compliance with the Regulation of the European Parliament and the Council no. (EU) 2016/679 on the protection of natural persons in the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR") and Law No. 18/2018 Coll. on the protection of personal data and on the introduction of amendments to certain laws with subsequent amendments. In order to inform patients and customers (hereinafter - "data subject") about the methods of processing their personal data, the operator issues these Terms of Personal Data Processing (hereinafter - "PDP").
1.1 LEGAL BASIS.
In order to provide medical care, the provider must and has the right to process patients’ personal data. The legal basis for processing is the need to fulfill contractual obligations on the basis of a contract concluded between the provider and the data subject (Article 6, paragraph 1, let. b) of the GDPR), as well as the need to fulfill the provider’s legal obligations (Article 6, paragraph 1, let. c) of the GDPR), in particular, but not exclusively, in accordance with:
– the Law No. 576/2004 of the Compilation of Laws “On health care, services related to the provision of medical care and on changes of certain laws with amendments and additions” (hereinafter – the “Law on health care”),
– the Law on health care providers,
– the Law No. 362/2011 of the Compilation of Laws “On medicines and medical products and on changes of certain laws with amendments and additions”,
– the Law No. 153/2013 of the Compilation of Laws “On the National Health Information System and on changes of certain laws with amendments and additions” (hereinafter referred to as the “NHIS Law”),
– the Law No. 580/2004 of the Compilation of Laws “On health insurance and on amendments to the Law No. 95/2002 of the Compilation of Laws ‘On insurance and changes of certain laws’”,
as well as the legitimate interests of the provider (Article 6, paragraph 1, let. f) of the GDPR).
The purposes of processing the data subject’s personal data are, in particular, proper provision of medical care, proper handling of medicines and medical products, maintaining medical documentation, submitting data to the National Health Information System (Electronic Health System, hereinafter “NHIS”), implementation of the rights and obligations of the provider in relation to insurance companies, patient accounting and communication with patients. The purpose of processing personal data of the data subject based on the legitimate interests of the provider is direct marketing and offering other services to a data subject.
The provision of personal data by the data subject is voluntary, but is a necessary condition for the processing of personal data for the purposes specified in paragraph 1.2 of these Terms of personal data processing. In case of providing medical care (e.g. surgery), prescribing or using a medicine or medical device, the provider has to store personal data in accordance with these Terms of personal data processing, and the data subject no longer has the right to delete and liquidate them.
1.4 DATA CATEGORIES.
Personal data that the provider processes in relation to the data subject include, in particular, the following:
Current personal data, such as title, first name, last name, permanent residence address, date of birth, personal number. The provider has a legal right to process such data.
Health-related data (a special category of personal data), e.g. data on the diagnosis, medical history, previous medical care, medications and medical products used, allergies, diseases and health status of a patient, data on patients’ doctors, data on the provision of medical care by the provider, medicines and medical products used in the provision of medical services by the provider. The provider has a legal right to process such data.
Contact details, such as e-mail address, phone number, correspondence address, and other contact details. The provider has no legal right to process such data.
1.5 LEGITIMATE INTERESTS.
The legitimate interest of the provider in processing the data subject’s personal data is, inter alia, to improve the provider’s services and clarify patient and customer satisfaction, to remind patients of regular procedures (e.g. routine checkups in the form of SMS or phone call, e-mail, if any) and to offer other services to patients and customers. Based on the data provided, the provider will not make decisions that are important for the data subject in an automated way.
By providing personal data, the data subject declares that the data provided are correct, truthful and up-to-date, otherwise they are responsible for any damage that they may cause to the provider by giving incorrect, false, unreliable or irrelevant data. The data subject is obliged to inform the provider of any changes in the personal data provided by them.
1.7 PROCESSING TIME.
The provider processes the personal data of the data subject during the following periods:
In order to properly provide medical care before and during the entire period necessary for the provision of medical care, keep records in the NHIS system and communicate with the patient’s health insurance company.
For the purpose of maintaining medical records throughout the entire maintenance of the provider’s medical records in accordance with the Health Care Act.
For the purpose of contacting the data subject with reminders and suggestions for a maximum of 5 years from the last service provision, but always only until an objection is received from a data subject.
1.8 DATA TRANSMISSION.
The data subject’s personal data may be made available to third parties and public authorities to the extent required by law; in particular, it may be entered into the NHIS, notified to the relevant health insurance company, transmitted when transferring medical documentation to another health care provider, provided to persons authorized to supervise medical documentation and reported to the health care supervisory authority.
1.9 RESPONSIBLE PERSON.
The provider claims that it has not appointed a responsible person in accordance with Article 37 of the GDPR.
2. INFORMATION ABOUT THE RIGHTS OF A DATA SUBJECT.
The rights of the data subject to the protection of personal data are regulated, in particular, by the provisions of Articles 12-22 of the GDPR with amendments and additions. In particular, as a data subject, you have the right, on the basis of a written or electronic request addressed to the provider (to the provider’s registered office or e-mail address), to demand:
– confirmation of whether personal data about you is processed or not, access to your personal data and information about them, as well as changes to these data,
– restrictions on the processing of your personal data, in particular if they are incorrect or processed illegally,
– erasure of your personal data, in particular if the purpose of processing them has ceased to exist or they were processed illegally, or if other legal obligations require it,
– extraction of your personal data in a structured and machine-readable form and their provision to another provider, if this is technically possible and does not contradict generally binding legal norms.
The processing of personal data is not carried out on the basis of your consent, so you have the right to refuse the processing of your data for the purpose of marketing offers and regular communication, by written notification or e-mail (to the provider’s registered office or e-mail address). You can also express your disagreement with other messages that are not required for medical care by sending a confirmation e-mail to your provider. You also have the right to file a complaint with the personal data protection department, as the Supervisory Authority of the Slovak Republic, to investigate the processing of your personal data. Your rights may be restricted if such a restriction follows from a special decree, if their application would violate the protection of your identity, or if the exercise of rights would violate the rights and freedoms of other interested parties.
3. These Terms of personal data processing come into force on 25.05.2018.