This website is provided by the IASO Group of companies (hereinafter the “IASO Group”), as described in detail in the present. The IASO Group respects and takes seriously into consideration the protection of personal data of its patients, the family of the patients, clients, visitors, personnel, doctors, contractors, and all individuals in general who use our facilities, services (hereinafter the “Services”) and website(s). IASO Group collects and processes personal data in full compliance with the principles laid down in Regulation (EU) 2016/679 of the European Parliament and the Council of the 27th April 2016 on the natural persons’ protection against the processing of their of personal data and on the free circulation of these data and the repeal of Directive 95/46/EK (hereinafter the “General Data Protection Regulation” or the “GDPR”), as well as with the applicable national and European legislation on the protection of personal data. It also takes all, appropriate technical and organizational measures required to protect the personal data it collects and processes.
The purpose of the present is to determine the terms and conditions under which the IASO Group processes, stores, uses personal data on a case-by-case basis and the measures that it adopts for their protection. The processing takes places for the purpose, among others, of or in connection with the provision of healthcare services to data subjects and/or for purposes connected with the use of the facilities by the data subjects and/or the use of the internet website and the Services provided through it. It also aims to inform you about the rights provided to you under the GDPR.
“personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“processing” shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“controller” shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“recipient” shall mean a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
“third party” shall mean a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
“genetic data” shall mean personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
“biometric data” shall mean personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
“data concerning health” shall mean personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
3. Data Controller
All medical and other healthcare services, as well as the services which are provided through the websites www.groupiaso.gr, www.da.groupiaso.gr, www.iaso.gr, www.iasopaidon.gr, are provided by the company under the corporate name "ΙASO PRIVATE GENERAL, OBSTETRICS - GYNECOLOGICAL AND PEDIATRIC CLINIC - DIAGNOSTIC, THERAPEUTIC & RESEARCH CENTER SA" and the distinctive title "IASO SA", having its registered seat at 37-39 Kifissias Avenue, Maroussi of Attica, with Tax Identification Number 094055324, Tax Offices FAE of Athens (hereinafter referred to as the “Clinic”). The Clinic is the Controller of the personal data collected by the means and through the procedures described in detail herein and processed for the performance of your contract with the Clinic. Data Protection Officer (DPO) for the companies of IASO Group is Ms. Chara Daouti, e-mail: firstname.lastname@example.org (hereinafter referred to as the “DPO”).
4. Data subjects
The Clinic collects and processes personal data of the following categories of individuals:
a. Patients and individuals in general that request the provision of special or general medical or healthcare services.
b. Doctors, administrative staff and employees as well as affiliated doctors providing services to IASO Group.
c. Relatives to patients, visitors, suppliers, contractors and service providers, individuals using at the premises and facilities of the Clinic, persons applying for employment or by any means contacting a Clinic’s representative, personnel or associate etc.
d. Users of the website(s) of the Clinic referred to in Article 3 herein and of the online forms in which users insert their data in order to receive newsletters on a regular basis, correspondence with respect to announcements and news, periodicals, such as “My Life” and the “Right to be born healthy”, in electronic or printed form, or in order to make use of the services “Make an appointment” and “Pregnancy Diary”, to the service “My Club Card”, or in order to receive updates concerning the scientific program of IASO Group and the online forms available through the websites of IASO Group and its individual clinics in order to contact the Group on any request and/ or to submit questions.
e. Persons using the free Internet access service (WiFi service) of the Clinic.
5. Personal Data Collected
Each time you request the provision of medical or healthcare services, visit our facilities or website, contact the Clinic directly by any means, insert your data in any electronic or hardcopy requests or communication forms, conclude with the Clinic any kind of contract, provide us with your services or make use of the services we provide to you, we collect and process personal data that concern you, including special categories of personal data, such as health data and other information on a case-by-case basis.
Personal data collected and further processed within the above-described context include the following:
- Identification data and contact information referring to you and/or your relatives, including name, surname, date of birth, postal address, e-mail address, telephone number, ID card number, Social Security Number (AMKA), Tax Identification Number, etc.
- Data of special categories relating to your physical health either past, current or future including information such as medical history, medical examinations, medical actions and information derived during the course of provision of medical services including any number, symbol or particular assigned to a natural person to uniquely identify that person for healthcare purposes; information deriving from examination or analysis in parts or substances of human body, such as from genetic data and biological samples, as well as any information on any disease, disability, risk of disease, medical history, clinical treatment or your physiological or biomedical situation, irrespective of which is the source of such information, i.e. whether such information has been collected from a physician or other healthcare professional, a hospital, a medical device or an in vitro diagnostic test, as well as genetic and biometric data, etc.
- Technical and other information concerning your activity on the Clinic's website and information deriving from the use of the Internet and/or automatically through your browser on your desktop, laptop, tablet, or mobile device such as IP address, ISP domain, type and version of your browser, your operating system, or other information on internet websites you visited and information you have searched for.
6. Lawfulness of processing
IASO Group processes personal data only when it has a legitimate reason to proceed in such processing and in particular when:
a) processing is necessary for the performance of a contract and the provision of services you are requesting from the Clinic, the general execution and compliance with our legal obligations and the exercise of the legitimate rights of the Clinic as data controller,
b) processing is necessary for the purposes of preventive or professional medicine, medical diagnosis, the provision of healthcare services or treatment or management of health systems and services,
c) processing is necessary to safeguard the legitimate interests of data subjects as well as those of the Clinic, including for example management of medical services, healthcare services or other ancillary services, the collection and/or coverage of medical fees from the insurance company and/or the insurance institution, the creation of electronic files including health data, the use of special software and applications relating to healthcare services for communicating the results of any diagnostic tests by electronic and other appropriate means, etc. In this context, we also use closed circuit television system (CCTV) and security cameras in order to be able to protect the safety of all natural persons, materials, equipment, as well as of our facilities,
d) processing is necessary for the establishment, exercise and/or support of legal claims of the Clinic and/or the defense of its rights before Courts, Administrative or Judicial Authorities or in the context of an extrajudicial procedure, for the purpose of defense of the rights of the Clinic or of any third parties before Courts, or otherwise etc.,
e) processing is necessary for the compliance of the Clinic with its legal obligations as imposed under the provisions of the tax, social security etc. legislation,
f) processing is necessary for the protection of your vital interests in the event of your legal or physical incapacity to consent to the processing,
g) processing is necessary for reasons of public interest in the field of public health, such as for scientific purposes in the public interest in the health sector, protection against serious cross-border threats to health or the safeguarding of high standards of quality and safety of health care and medicines or medical devices under national and/or European law.
h) processing is based on your explicit consent provided that your personal data are further processed for the above purposes, as well as for purposes necessarily related to them.
i) processing is based on your explicit consent, provided that such processing is made for marketing and information purposes and more specifically in order for the Clinic to send you updates for products, services, applications and offers provided by the Clinic or other companies of IASO Group, in order to provide samples of products, to participate in research for the evaluation and improvement of the Clinic's services, in order for the Clinic to collect through the Google Analytics Service technical and other information relating to your website activity, which will be used for the orderly functioning and performance of the website and the services we provide, as well as in order for you to make use of the Clinic's website and online platforms and sign up for one or more of them. By way of example, the following services are mentioned:
- Receive newsletters on a regular basis.
- Receive emails and/or mail/news/offers.
- Receive periodicals such as the magazine "My Life" and the journal the "Right to be born healthy" in electronic or printed form.
- "Make an appointment" and "Pregnancy Diary" services.
- "My Club Card" service.
- Update on the IASO Group's scientific program.
- Online forms that are available through the IASO Group websites and its individual clinics and allow you to contact us about any request and / or submit questions.
The Clinic processes your personal data in a lawful and legitimate manner. Under no circumstances does it collect nor process a greater number of information or data than it is required to fulfill the processing purposes. Your data is kept safely. Their collection and processing is exclusively being carried out for the purposes of their processing and use, which are notified to you.
7. Access to personal data by third parties
The Clinic does not provide to any third parties access to personal data that the Clinic collects and processes as the data controller. By way of exception, it may provide access only if it is absolutely necessary for the herein described legitimate purposes, to doctors, medical, nursing and administrative staff, collaborating doctors, doctors providing independent services to IASO Group, professionals and companies that provide services in the fields of healthcare, suppliers, medical laboratories, diagnostic centers, companies of medical equipment, and/or software and applications concerning healthcare (including for example companies which provide services for the evaluation and improvement of IASO websites, as well as technical support and IT companies), IASO Group, insurance companies and companies auditing insurance benefits, public insurance entities and institutions, as well as other State entities Courts, Administrative or Judicial Authorities, lawyers, experts, technical advisors, witnesses, etc.
Such data shall be accessed exclusively for the purposes and to the extent of providing each service and always on the condition that the abovementioned persons accept and comply with the terms of the present Policy and with the applicable legislation. In such cases, Clinic remains responsible for the processing of your personal data and determines the individual elements to be processed; the Clinic also concludes a special agreement with the third parties to whom it could assign the execution of processing activities, in order to ensure that processing is carried out in accordance with the applicable legal framework and that all natural persons are able to freely and without any hindrance exercise the rights granted to them under the applicable legislation.
8. Retention period for personal data
Τhe period for which the personal data will be stored is determined based on the particular criteria set out below on a case-by-case basis:
(a) When processing is performed on the basis of execution of a contract, personal data shall be stored for as long as it is necessary for the performance of the contract and the establishment, exercise and/or support of legal claims possibly arising from such contract.
(b) When processing is imposed as an obligation by provisions of the applicable legal framework, personal data shall be stored for as long as it is required by the relevant provisions. In particular, it is noted that, under article 14 par. 4 of the Code of Professional Conduct for Doctors (Law No. 3418/2005, Government Gazette Α 287/28.11.2005), it is stipulated that “the obligation to retain medical records applies to: a) private practices and other primary healthcare units of public sector, for a period of ten years following the last visit of the patient; and b) in any other case, for a period of twenty years following the last visit of the patient”.
(c) Should you wish that your data be deleted from IASO databases, you can submit a relevant request, as described below under (10). In such case, the Clinic or IASO Group in general depending on the case, undertakes to satisfy your request, unless the European Union law or national law provides for a specific retention period of the personal data, which cannot be repealed or modified by the data subject. Withdrawal of consent does not affect the lawfulness of the processing based on the consent given at the time period prior to its withdrawal.
9. Protection of minors
IASO Group complies with applicable legislation in cases where the permission of a parent or guardian prior to the collection, use and/or transfer of personal data concerning a minor is required. IASO Group and IASO Clinics do not deliberately collect (via their website(s) or other means) information related to or provided by minors, unless they have a legitimate purpose for the processing, as such purposes are described in the present Policy, even without the consent of the parent or the guardian. In case it comes to our attention that a minor uses our websites and Services without his or her parent’s or guardian’s consent, we will put every reasonable effort in order to delete as soon as possible any data or other information provided by the minor and to ensure that these data will not be communicated to any third parties and will not be used by the IASO Group. In case that it comes to your attention that a minor has submitted its personal information via our website without having the consent of his or her parent or guardian for that, please let us know immediately.
10. Your rights in relation to your personal data
All natural persons whose data are being processed by either the Clinic or IASO Group have the following rights:
Right to information and access: You have the right to be informed and to have access to your personal data and your medical records and to receive additional information concerning their processing.
Right to rectification: You have the right to obtain the correction, amendment, addition and update of your personal data.
Right to erasure (right to be forgotten): You have the right to obtain the erasure of your personal data in the cases that such right is not restricted by the obligation of the Clinic to retain your medical record under applicable law or otherwise.
Right to restriction of processing: You have the right to obtain restriction of processing of your personal data when: a) the accuracy of your personal data is contested and until the accuracy of the data is verified; b) the processing is unlawful and you oppose to the erasure of your personal data and request the restriction of their use instead; c) your personal data is no longer needed for the purposes of the processing, but they are required for the establishment, exercise or defense of legal claims; and d) you have objected to the processing pending the verification whether there are legitimate grounds concerning the Clinic and overriding those for which you oppose to the processing.
Right to object the processing: You have the right to object any time to processing of your personal data when specific conditions are met under the legislation.
Right to data portability: You have the right to receive without any cost accrued your personal data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller, provided that it is technically feasible. This right applies to data that you have provided to IASO and their processing is carried out by automated means based on your consent or in performance/execution of a relative contract.
Right to withdraw consent: You have the right to withdraw your consent, to the extent it was given for the intended processing, at any time.
Right of complaint to Greek DPA: You have the right to lodge a complaint to the Greek Data Protection Authority (www.dpa.gr): Telephone Centre: +30 210 6475600, Fax: +30 210 6475628, Email address: email@example.com.
To request access to your medical files you can refer to the Clinic’s Registry of Medical Records. To exercise any of your other rights you can send an email at: firstname.lastname@example.org.
12. Third party websites
Websites of IASO Group may contain links to other websites operated by external third parties, while websites operated by external third parties may contain links to IASO websites. IASO Group takes all necessary measures in order to ensure that its websites are only linked to websites of external third parties which maintain and enforce the same standards and criteria on privacy and security. In any case, IASO Group, bears no responsibility for the content and/or the privacy and/or personal data protection practices of websites not belonging to it, does not guarantee the permanent and secure accessibility, does not accept or adopt the content of services of third websites, nor is responsible for the privacy and protection of your personal data you may have provided to third party websites insofar as you have left the present website.
13. Information security
IASO Group has adopted and applies all appropriate technical and organizational measures in order to secure processing of personal data and to prevent accidental loss or destruction and non- authorized and/ or illegal access, use, modification or disclosure, and ensures the lawfulness of collection, processing and secure maintenance of personal data, under the provisions of national, European and international law in connection with the individual’s protection against the processing of its personal data and particularly taking into account the provisions of the General Regulation on Data Protection. Under any circumstances, it shall be noted that the way the internet functions in combination with the fact that is free to anyone cannot guarantee that non- authorized third persons may never be able to violate the applied technical and organizational measures, by gaining access to and potentially making use of personal data for unauthorized and/ or illegitimate purposes.
For further information, please contact the Data Protection Officer (DPO) of IASO Group, Ms. Chara Daouti at the e-mail: email@example.com.