The company named “NextHealth S.A.” (hereinafter referred to as “the Company”), in order to fulfill its purpose of providing high-quality medical and nursing services, processes its patients’ personal data, both simple and sensitive, such as health data, in compliance with both the Code of Medical Ethics and the broader legislative and regulatory framework, including Regulation 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the Regulation) and the relevant decisions of the Personal Data Protection Authority (hereinafter referred to as the Authority). In addition, it processes data of its employees, associates, suppliers, and all those who have transactions with it, visit its website, subscribe to any newsletters or educational seminars, etc. This policy applies to all processes, departments, services, and facilities of the Company for the provision of its medical and nursing services, regardless of whether they are owned, leased, or operated under any other usage regime.
DEFINITIONS
Specifically, for the purposes of this document:
“Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Health data”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
“Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying;
“Controller”: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
“Processor”: the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller;
“Consent” of the data subject: any indication of willingness, free, specific, explicit and informed, by which the data subject indicates, by a statement or by a clear affirmative action, that he or she agrees to the processing of personal data relating to him or her.
BASIC PRINCIPLES
With this Policy, the Company sets out and discloses the terms under which it collects, stores, and uses personal data in printed and/or electronic form, i.e., it acts as a Data Controller.
This Policy also describes how we use, share, and protect the personal data we process, how individuals/data subjects can exercise their rights regarding their personal data, and how to contact the Company, and is in accordance with the terms of European Regulation 679/2016 and any other relevant applicable legislation.
The recipients of the data are the subjects themselves, their family members in case of physical incapacity, persons authorized by them, insurance funds to the extent that the provision of data is necessary for insurance coverage, public authorities following a prosecutor’s decision and ministries for the purpose of statistical processing, as well as any others expressly described by law.
Finally, with its Personal Data Protection Policy, the Company affirms its commitment: to keeping the information provided to it confidential and secure, thereby ensuring privacy; to maintaining a processing record for all its activities, whether primary or secondary to its purposes; to continuously training staff on data protection, the clean desk policy, respect for privacy, and confidentiality; to adopting policies such as this one and the Information Security Policy; to working exclusively with individuals and companies who are equally committed to the principles of personal data protection and who take appropriate measures to protect it; and, finally, to processing the personal data it holds simply and fairly, with respect and a high sense of responsibility.
PRINCIPLES OF PERSONAL DATA PROCESSING
The Company, as Data Controller, processes the personal data of its patients, employees, and associates, as well as the health data of its patients, in accordance with the principles that, according to the Regulation on the protection of personal data, must govern processing. Thus:
a) it processes the data it collects in a lawful, legitimate, and transparent manner;
b) the purposes for which the data are collected are specified, explicit, and legitimate;
c) the data processed are adequate and relevant to the purposes of processing;
d) the data are accurate and, where necessary, kept up to date;
e) it retains and stores the data only for as long as required by the legislative framework;
f) it takes all necessary and appropriate technical and organizational measures for their security.
DATA CONTROLLER
The Data Controller is:
The company named “NextHealth S.A.” and trading under the name “NextHealth”, based in Athens at 109-111 Mesogeion Avenue, Postal Code 11526, with Tax Identification Number 802842446 – KEFODE Attica, and GEMI No. 183786001000, which operates the General Clinic of Thessaloniki and the Kyanos Stavros clinics in Thessaloniki and the General Clinic of Kozani in Kozani. These clinics operate as independent Data Controllers of personal data, including health data, with the obligations that this entails, and as joint Data Controllers of such data in the context of any necessary exchange of personal data between them in the provision of health services.
PROCESSING DATA
- Patients
- Simple personal data: name, surname, date of birth, residential address, email address, occupation, identity card number, Social Security Number, Tax Identification Number, insurance provider, contact telephone numbers, etc. Simple personal data of companions, relatives, or friends of patients may also be collected. In addition, information may be collected for payment processing (e.g., bank account or credit card).
- Health data: data relating to the health status of patients, as derived from their medical history, during admission and the course of their hospitalisation, from consent forms for medical procedures, and from the results of diagnostic and clinical tests carried out in the context of the provision of medical services.
- Employees/external associates: personal and other data (e.g., health data for the purpose of justifying sick leave, data on an employee’s children for the purpose of granting allowances, etc.) necessary for the fulfillment of its legal obligations towards employees (salaried and external partners) in accordance with labor and social security legislation.
- Partners/suppliers: The necessary personal data of representatives and employees of companies is processed for the purpose of conducting commercial relations with partner companies (pharmaceutical companies, biotechnology equipment companies, suppliers, etc.) for its operation and the fulfillment of its purposes.
- Finally, the Company processes the personal data of all those who contact it either to subscribe to its electronic newsletter or to obtain a privilege card, to seek employment by sending a CV, to communicate via the electronic form found on the Company’s website or, finally, to browse the website by accepting cookies. For all of the above, the Company has specific procedures and policies in place to ensure both the secure storage of the data it processes and its retention only for the period specified by law or by those procedures.
PURPOSES OF COLLECTION, PROCESSING, AND DISPOSAL OF PERSONAL DATA
The Company collects, processes, and stores personal data for the following purposes:
- For the provision of medical and nursing services.
- For the management of human resources issues relating to the Company’s employees, regardless of their employment relationship and specialty.
- For the smooth cooperation of the Company with its medical partners, regardless of employment relationship and medical specialty.
- To manage issues relating to cooperation with suppliers of products and services, subcontractors, and other partners, through relevant contracts or additional acts.
- To respond to requests from supervisory authorities and manage requirements and audits stipulated by law.
- For managing complaints from patients and visitors.
- For managing the safety of persons and property, such as access, security, and control of entry to the Company’s premises, including closed-circuit CCTV for the protection of persons and property. Any collection of closed-circuit CCTV material is limited to areas necessary for this purpose, such as cashier areas or critical facilities, and is maintained in accordance with applicable law and Authority guidelines.
- To inform the public about the services offered by the Company, through the organization of informational or scientific events, through electronic media, including social media, as well as through other actions of any kind.
- To promote the Company’s public relations (e.g., corporate social responsibility activities).
- For the organization and conduct of educational seminars/programs for staff, as well as scientific conferences/events and/or training for medical associates of all specialties.
- For handling legal matters.
- For the management of accounting and tax services.
The Company processes personal data on the following legal bases:
- when the data subject has given his or her consent,
- for the performance of a contract with the data subject or to take steps at his request prior to entering into a contract,
- for the Company’s compliance with its legal obligation,
- to safeguard the vital interests of the data subject,
- for the performance of a task carried out in the public interest,
- for the purposes of the Company’s legitimate interests,
- for the purposes of social security obligations and rights,
- for the establishment, exercise, or defense of legal claims, or when courts are acting in their judicial capacity,
- for preventive or occupational medicine, medical diagnosis, provision of health care or treatment, or management of health systems.
DATA RETENTION PERIOD
The Company is required to keep the Patient Medical File in its Medical Records for twenty (20) years (in accordance with its legal obligation under Law 3418/2005), from each hospitalization and from the need to protect life, health, and provide appropriate treatment. Data on outpatients is also kept in its archives for 20 years. For purely accounting and tax records, there is an obligation to keep them for as long as required by the applicable tax legislation.
The Medical File contains all data relating to the patient’s health as well as simple personal data that the patient himself has provided for the performance of the contract for the provision of medical services between the patient and the Company.
In the event that the time limits change, the Company will notify you of any changes. Any data received through the website for the purpose of making an appointment is kept secure in the Company’s computer system and incorporated into the medical records kept in the Archive as above.
After the mandatory data retention period has expired, the Company destroys the data in accordance with the Authority’s instructions and its own procedures and protocols, in line with the applicable regulatory framework.
TRANSFER OF PERSONAL DATA TO THIRD PARTIES
The Company may transmit (by electronic and physical means), in fulfillment of its contractual obligation, simple and sensitive personal data of its patients, data relating to their hospitalization to their insurance company and its Auditors, for the purpose of covering and compensating for their hospitalization expenses, in combination with the health coverage they have.
It may also transmit (by electronic and physical means), in fulfillment of its legal obligation, simple personal and sensitive personal data (health data) to the competent authorities, to the public insurance institution (EOPYY or other Insurance Fund) of insured patients and its Auditors for the purpose of covering and reimbursing their hospitalization expenses, in combination with the health coverage they have.
Furthermore, for the purpose of providing health services, it may transfer simple and sensitive personal data to doctors who provide independent services to the Company and to healthcare providers under contract with the Company.
The Company’s financial services are required to process simple personal data of the patient or health data (e.g., type of surgery, type of diagnostic test) in order to issue the legal document for the payment of medical services that the Company provides to its patients and to satisfy its legitimate business interest as well as its legal tax obligation.
Finally, in order to pursue its legal claims, the Company may transfer personal data to law firms with which it cooperates or to individual lawyers/associates.
PERSONAL DATA SECURITY
The Company uses appropriate technical and organizational protection measures to ensure that the personal data entrusted to it by patients is secure, whether stored physically or electronically.
When the Company assigns a third party as a processor (including service providers) to collect or process personal data on its behalf, the processor is carefully selected based on its expertise, reliability, and available resources, as well as the appropriate technical and organizational security measures it takes to ensure the security of the processing, in accordance with the specifications set out in the General Data Protection Regulation.
RIGHTS OF DATA SUBJECTS WITH REGARD TO THEIR PERSONAL DATA
- Right to information: The Company is obliged to inform the data subject in an understandable manner of its identity and contact details, the details of the data protection officer, the purpose of processing their data and the legal basis for processing it, the recipients or categories of recipients of their personal data, the period for which their data will be stored, their rights of access, rectification, erasure, portability, restriction of processing of personal data and complaint to the supervisory authority, the mandatory or non-mandatory nature of providing the data, as well as the possible consequences in case of non-provision. If the Company intends to transfer the data subject’s data to a third country or international organization, it must inform the data subject accordingly. If the data is not provided by the data subject, the Company must inform them of the source of the data.
- Right to withdraw consent: where applicable, patients have the right to withdraw their consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Right of access, rectification, and erasure: They have the right to request access to any of their personal data that the Company may hold, to request that any inaccurate data be corrected and, in certain circumstances, to request the deletion of their personal data. Patients cannot request the deletion of their health data because, by law, there is an obligation to store it for 20 years.
- Right to data portability: under certain conditions, patients have the right to receive the personal data they have provided in a structured, commonly used, and machine-readable format, as well as to request that the Company transfer it to another controller, where technically feasible. For example, they can contact the Company to send copies of their medical records or diagnostic tests to another clinic or hospital by appropriate means.
- Right to restriction of processing: patients have the right to request the restriction of the processing of their personal data where:
- the accuracy of the personal data is contested until the necessary measures are taken to correct or verify its accuracy
- the patient considers the processing to be unlawful, but does not want the Company to delete the data
- the Company no longer needs the patient’s personal data for the purposes of processing, but the patient needs such data for the establishment, exercise, or defense of legal claims; or
- the patient has objected to processing that is justified on grounds of legitimate interest (see below), pending verification as to whether there are compelling legitimate grounds for the Company to continue processing.
Where personal data is subject to such restrictions, the Company will process it only with the consent of the individual or for the establishment, exercise, or defense of legal claims.
- Right to object to processing: provided that the conditions set out in the law are met, the patient has the right to object to the processing of their personal data. If they object, the Company must stop processing, unless it can either demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the individual or, where it needs to process the data for the establishment, exercise, or defense of legal claims.
If anyone believes that the processing of their personal data violates applicable law, they have the right to file a complaint with:
Hellenic Data Protection Authority, 1-3 Kifissias Avenue, 115 23 Athens, Greece
Phone: +30-210 6475600
E-mail: contact@dpa.gr
DATA PROTECTION OFFICER
For more information on exercising your rights under the Regulation or for any questions regarding the processing of personal data, interested parties may contact the Data Protection Officer appointed by the Company at dpofficer@imitheamg.gr, and the request will be fulfilled within the applicable time frame, i.e., in any case within one (1) month of its submission. If the request is complex, the Data Protection Officer will inform the data subject within one month of the need to extend the response period by an additional two (2) months, within which he is obliged to respond.
CHANGES TO THE PERSONAL DATA PROTECTION POLICY
The Company reviews this Policy regularly and reserves the right to revise and make changes to it to reflect changes in its business activities, legal requirements, and the way it processes personal data.
When taking the above actions, the Company informs the public via its website or when patients and associates visit its premises.
In any case, the Company recommends that interested parties periodically review this Policy in order to be informed of any changes in a timely manner.