- Introduction
The purpose of the present Privacy Policy (hereinafter the “Privacy Policy” or the “Policy”) is to determine the terms and conditions under which the “Data Controller” (each company of IASO Group, hereinafter the “Companies” or the “Clinics”) collects, processes, stores and uses personal data concerning patients and their close relatives, in the provision of healthcare services, the transfer and stay of patients on the premises of Clinics and the use of services provided through the websites of the Clinics as detailed below.
The present Privacy Policy aims to inform you about the categories of personal data IASO Group collects and processes, as well as about the means and the purposes for the collection, retention, processing, use and transfer of your personal data according to the applicable legislation. The present Privacy Policy also aims to inform you about your rights regarding your personal data.
The Privacy Policy can be revised from time to time, if there is a need to do so, without any prior notice. For this reason, we invite you to review this Privacy Policy frequently, in order to remain informed of any amendments thereof.
- Definition of the term “personal data”
The term “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Definition of the term “health data”
The term “health data” shall mean personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
- Definition of the term “data processing”
The term “data processing” shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Definition of the term “Data Controller”
The term “Data Controller” designates the natural or legal person, public authority, service or any other entity which, alone or jointly with others, determines the scope and purpose of personal data processing; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
All medical and other healthcare services, as well as the services provided through the IASO Group websites (and, in particular, www.groupiaso.gr, www.da.groupiaso.gr, www.iaso.gr, www.iasopaidon.gr, www.iasothessalias.gr, www.filoktitis.com.gr, www.iolife.eu), are provided by the IASO Group and/or its Clinics, i.e.:
(a) the company under the corporate name “IASO PRIVATE GENERAL, OBSTETRICS – GYNECOLOGICAL AND PEDIATRIC CLINIC – DIAGNOSTIC, THERAPEUTIC & RESEARCH CENTER S.A.” and the distinctive title “IASO S.A.”, having its registered seat at 37-39 Kifissias Avenue, Maroussi of Attica, with Tax Identification Number 094055324, Tax Offices FAE of Athens;
(b) the company under the corporate name “IASO MEDICAL SOLUTIONS S.A.” and the distinctive title “IMS S.A.”, having its registered seat at 37-39 Kifissias Avenue, Maroussi of Attica;
(c) the company under the corporate name “MEDSTEM SERVICES – SUPPLEMENTARY HEALTHCARE SERVICES S.A.” and the distinctive title “MEDSTEM SERVICES S.A.” (former “IASO SERVICES SA”), having its registered seat at 37-39 Kifissias Avenue, Maroussi of Attica;
(d) the company under the corporate name “IASO THESSALIAS GENERAL CLINIC – PRIVATE MATERNITY CLINIC S.A.” and the distinctive title “IASO THESSALIAS S.A.”, having its registered seat at 8th kilometer of Route Larissa-Athens, Nikaia, Larissa; and
(e) the company under the corporate name “FILOKTITIS MEDICAL REHABILITATION CENTER FOR SENIORS AND DISABLED PERSONS S.A.” and the distinctive title “FILOKTITIS S.A.”, having its registered seat at Pefkon & Pisistratou, Koropi, Attica.
Each Clinic or Company is the Data Controller (depending on the type and scope of processing) of the personal data collected by the means and through the procedures described in detail in the present Privacy Policy and processed for the performance of your relationship with such Company and/or Clinic.
- Categories of Personal Data Collected and Processed by the Companies of IASO Group
Each time you request the provision of medical or healthcare services, visit the facilities and/or the website, and/or contact any of the Clinics and/or Companies of IASO Group directly by any means, each time you insert your data in any electronic or hardcopy requests or communication forms, conclude any kind of contract with a Clinic and/or Company of IASO Group, provide your services or make use of the services provided by the companies of IASO Group, we collect and process personal data that concern you, including special categories of personal data, such as health data and other information.
More specifically, the personal data collected and further processed include the following:
- Identification data and contact information referring to you and/or your relatives, including name, surname, date of birth, postal address, e-mail address, telephone number, ID card number, Social Security Number (AMKA), Tax Identification Number, etc.
- Data of special categories relating to your physical health either past, current or future including information such as medical history, medical examinations, medical actions and information derived during the course of provision of medical services including numbers, symbols or identification details assigned to a natural person to identify that person for the purpose of providing healthcare services, information deriving from examination or analysis of parts or substances of the human body, such as genetic data and biological samples, image data derived from the video recording of laparoscopic surgeries, as well as any information on any disease, disability, risk of disease, medical history, clinical treatment or your physiological or biomedical situation, irrespective of which is the source of such information, i.e. whether such information has been collected from a doctor or other healthcare professional, a hospital, a medical device or an in vitro diagnostic test, as well as genetic and biometric data, etc.
- Technical and other information concerning your activity on the websites of the IASO Group and/or information deriving from the use of the Internet and/or automatically through your browser on your desktop, laptop, tablet, or mobile device such as the IP address, the ISP domain, the type and version of your browser, your operating system, or other information on internet websites you visited and information you have searched for. You may be informed in detail about Cookies Policy of IASO Group, which is available here.
- Purposes of the collection and processing of personal data by the Companies of IASO Group
The Companies of the IASO Group process personal data only when they have a legitimate reason to do so, and always in order to achieve one of the following purposes of processing. In particular:
(a) The company “IASO PRIVATE GENERAL, OBSTETRICS – GYNECOLOGICAL AND PEDIATRIC CLINIC – DIAGNOSTIC, THERAPEUTIC & RESEARCH CENTER S.A.” collects and processes personal data of adult and under-aged patients, pregnant women, accompanying persons and relatives of the above mentioned individuals, male and female donors, employees and prospective employees, doctors, administrative and nursing staff of the Company, as well as of other companies of the IASO Group, employees and auditors of private insurance companies, as well as of the National Organisation for the Provision of Health Services (EOPYY), suppliers and their employees, associates and their employees, visitors and of third parties in general, in order to provide its medical and healthcare services, including services for assisted reproduction, as well as services for the freezing (cryopreservation) of biological material, the admission and management of internal and external patients and of pregnant women, the management of medical examinations and medical records (including the assessment of the completeness of medical records), the management of blood examinations, cytological, biological and histological samples – biopsies, the circulation of blood units, the monitoring of infection incidents, medicines and diet plans, the financial planning, the management of payments and outstanding balances owed by patients, personnel management and training, the management and payment of doctors, suppliers and associates, the handling of legal and judicial matters, the conclusion and management of legal contracts, the evaluation of the services provided by the Clinic, the assessment of any complaints made and the execution of satisfaction surveys, the retention of all books, official legalization and other documents, the execution of marketing promotional actions and competitions, the organization of scientific events, the supervision of the quality management system and video surveillance system, the management of medical equipment and building infrastructure, etc.
The company “IASO S.A.” is also the Data Controller with respect to personal data collected and processed during the operation of the following special units and clinics:
- Intensive Care Unit of seniors (ICUS)
- Intensive Care Unit of newborns (ICUN)
- In-Vitro Fertilization Unit (IVF) Institute of Life
- IASO Pediatrics Clinic
(b) The company “IASO MEDICAL SOLUTIONS S.A.” collects and processes personal data of patients, pregnant women, as well as of persons requesting the provision of medical and/or healthcare services, accompanying persons and relatives of the above mentioned individuals, employees and prospective employees, doctors, administrative and other nursing staff, suppliers, associates, visitors and of third parties in general, in order to manage the procurement of special materials, sales, payments and balances, to recruit, manage and train its personnel, to manage vendors and partners, to conduct marketing promotional activities, to supervise the video surveillance system, etc.
(c) The company “MEDSTEM SERVICES – SUPPLEMENTARY HEALTHCARE SERVICES S.A” collects and processes personal data of donors (mothers), accompanying persons and relatives of the above mentioned individuals, under-aged patients (e.g. newborns), employees and prospective employees, doctors, midwives and other nursing staff, suppliers, associates, visitors and third parties in general, in order to manage the biological material, the payments required for the storage of biological material, to recruit, manage and train its personnel, to manage its suppliers and partners, to conduct marketing promotional activities, to supervise the video surveillance system, etc.
(d) The company “IASO THESSALIAS GENERAL CLINIC – PRIVATE MATERNITY CLINIC S.A” collects and processes personal data of adult and under-aged patients, pregnant women, accompanying persons and relatives of the above mentioned individuals, male and female donors, employees and prospective employees, doctors, administrative and nursing staff of the Company as well as of other companies of the IASO Group, employees and auditors of private insurance companies, as well as of the National Organisation for the Provision of Health Services (EOPYY), suppliers and their employees, associates and their employees, visitors and third parties in general, in order to provide its medical and healthcare services, including services for assisted reproduction, as well as services for the freezing (cryopreservation) of biological material, the admission and management of internal and external patients and of pregnant women, the management of medical examinations and medical records (including the assessment of the completeness of medical records) of the patients, the management of blood examinations, cytological, biological and histological samples – biopsies, the circulation of blood units, the monitoring of infections, medicines and diet plans, the financial planning, the management of payments and outstanding balances owed by patients, personnel management and training, the management and payment of doctors, suppliers and associates, the handling of legal and judicial matters, the conclusion and management of legal contracts, the evaluation of the services provided by the Clinic, the assessment of any complaints made and the execution of satisfaction surveys, the retention of all books, official legalization and other documents, the execution of marketing promotional actions and competitions, the organization of scientific events, the supervision of the quality management system and video surveillance, the management of medical equipment and building infrastructure, etc.
(e) The company “FILOKTITIS MEDICAL REHABILITATION CENTER FOR SENIORS AND DISABLED PERSONS S.A.” collects and processes personal data of patients, prospective patients, accompanying persons and relatives of the above mentioned individuals, employees and prospective employees, doctors, administrative and other nursing staff, suppliers, associates, visitors and third parties in general, in order to provide its medical and healthcare services, for the admission and management of internal and external patients, as well as of their medical examinations, infections, medicines and diet plans, the management of payments and outstanding balances owed by patients, the recruitment, management and training of personnel, the management of its suppliers and associates, the execution of marketing promotional actions, the organization of scientific events, the supervision of the video surveillance system, etc.
- Legal bases for the processing of personal data by the Companies of the IASO Group
The Companies of the IASO Group process personal data only when they have a legitimate reason to do so and in particular when:
(a) processing is necessary for the performance of contract and the provision of the services you require and wish to receive from the companies of the IASO Group, the performance and compliance with our legal obligations and the exercise of the legitimate rights of each Clinic and/or Company acting as data controller (Article 6 par. 1 (b), (c) and (f) GDPR);
(b) processing is necessary for the purposes of preventive or professional medicine, medical diagnosis, the provision of healthcare services or treatment or management of health systems and services (Article 9 par. 2 (h) GDPR);
(c) processing is necessary to safeguard the legitimate interests of data subjects, as well as those of the Clinic, including for example the management of medical, healthcare and/or other ancillary services, the collection and/or coverage of medical fees from the insurance company and/or the insurance institution, the creation of electronic files including health data, the use of special software and applications relating to healthcare services for communicating the results of any diagnostic tests by electronic and other appropriate means, the evaluation of the services provided by completing and submitting the relevant satisfaction questionnaires, etc. In this context, we also use closed circuit television system (CCTV) and security cameras in order to be able to protect the safety of all natural persons, materials, equipment, as well as of our facilities (Article 6 par. 1 (f) GDPR);
(d) processing is necessary for the establishment, exercise and/or support of legal claims of each Clinic or Company and/or the defense of its rights before Courts, Administrative or Judicial Authorities or in the context of an extrajudicial procedure, as well as for the purpose of exercising and/or defending the rights of the companies of IASO Group or of other third parties before Courts, Judicial or other Authorities, etc. (Article 9 par. 2 (f) GDPR);
(e) processing is necessary for the compliance of each Clinic or Company with its legal obligations as imposed under the provisions of the tax, social security etc. legislation (Article 6 par.1 (c) and article 9 par. 2 (b) GDPR);
(f) processing is necessary for the protection of the vital interests of the data subjects when the data subject is physically or legally incapable of giving consent (Article 9 par. 2 (c) GDPR);
(g) processing is necessary for reasons of public interest in the area of public health, such as for scientific research conducted in the public interest in the health sector, protection against serious cross-border threats to health or the safeguarding of high quality and safety standards of healthcare services, medicines and/or medical devices under national and/or European Union law (Article 9 par. 2 (i) GDPR);
(i) processing is based on your explicit consent, provided that such processing is made for medical information purposes (Article 6 par. 1 (a) and article 9 par. 2 (a) GDPR) and more specifically in order for the IASO Group to send you updates for products, services, applications and offers provided by its Clinics or Companies, to participate in researches for the evaluation and improvement of the IASO Group services, in order for the IASO Group to collect through the Google Analytics Service technical and other information relating to your website activity, which will be used for the orderly functioning and performance of the website and the services we provide, as well as in order for you to make use of the websites and online platforms of the IASO Group and to sign up for one or more of them. By way of example, the following services are mentioned:
- Receive newsletters on a regular basis.
- Receive emails and/or mail/news/offers.
- Receive periodicals such as the magazine “My Life” and the journal “Right to be born healthy” in electronic or printed form.
- “Make an appointment” and “Pregnancy Diary” services.
- “MyClubCard” service.
- Update on the IASO Group’s scientific program.
- Online forms that are available through the IASO Group websites, as well as in its individual clinics, and allow you to contact us about any request and/or submit questions.
- Completion and filing of satisfaction forms in electronic and physical form.
The Companies of the IASO Group process your personal data in a lawful and legitimate manner. Under no circumstances do they collect or process a greater amount of information or data than that which is required to fulfill the processing purposes. Your data is kept safely. The collection and processing of your data is exclusively being carried out for the purposes of their processing and use.
- Third-party access to personal data
The companies of IASO Group do not provide to any third parties access to personal data that each Clinic or Company collects and processes as Data Controller. By way of exception, they may provide access only if it is absolutely necessary for the herein described legitimate purposes, to doctors, medical, nursing and administrative staff, collaborating doctors, doctors providing independent services to IASO Group, professionals and companies that provide services in the fields of healthcare, medical laboratories, diagnostic centers, companies of medical equipment, and/or software and applications concerning healthcare (including for example companies which provide services for the evaluation and improvement of IASO websites, as well as technical support and IT companies), TEIRESIAS company, debtor informing companies, other companies of IASO Group, private insurance companies and companies auditing insurance benefits, public insurance entities and institutions, Courts, Administrative or Judicial Authorities, as well as other State entities, lawyers, experts, technical advisors, witnesses, etc.
Such data shall be accessed exclusively for the purposes and to the extent of providing each service and always on the condition that the above mentioned persons accept and comply with the terms of the present Policy and with the applicable legislation. In such cases, each Clinic or Company remains responsible for the processing of your personal data and determines the individual elements to be processed; it also concludes a special agreement with the third parties to whom it could assign the execution of processing activities, in order to ensure that processing is carried out in accordance with the applicable legal framework and that all natural persons are able to freely and without any hindrance exercise the rights granted to them under the applicable legislation.
- Retention period
The time-period for which the personal data will be stored is determined based on the particular criteria set out below on a case-by-case basis:
(a) When processing is performed for the purposes of execution of contract, personal data shall be stored for as long as it is necessary for the performance of the contract and the establishment, exercise and/or support of legal claims possibly arising from such contract.
(b) When processing is imposed as an obligation by provisions of the applicable legal framework, personal data shall be stored for as long as it is required by the relevant provisions. In particular, it is noted that, under article 14 par. 4 of the Code of Professional Conduct for Doctors (Law No. 3418/2005, Government Gazette Α 287/28.11.2005), it is stipulated that “the obligation to retain medical records applies to: a) private practices and other primary healthcare units of public sector, for a period of ten years following the last visit of the patient; and b) in any other case, for a period of twenty years following the last visit of the patient”.
(c) When processing is required for purposes relating to the legitimate interests of the Data Controller or any other third party, personal data shall be stored for as long as it is required for the satisfaction of such legitimate interests.
(d) Should you wish that your data be deleted from the IASO Group databases, you can submit a relevant request, as described below under (11). In such case, the Clinic, Company or IASO Group, as the case may be, undertakes to meet your request, unless European Union law or national laws provide for a specific period of retention of personal data that cannot be waived or changed by the data subject. Withdrawal of consent does not affect the legality of consent-based processing during the period prior to its revocation.
- Your rights in relation to your personal data
All natural persons whose data are being processed by either IASO Group or a Clinic or Company of IASO Group have the following rights:
Right to information and access: You have the right to be informed and to have access to your personal data and your medical records and to receive additional information concerning their processing.
Right to rectification: You have the right to obtain the correction, amendment, addition and update of your personal data.
Right to erasure (right to be forgotten): You have the right to obtain the erasure of your personal data in the cases that such right is not restricted by the obligation of the healthcare services provider to retain your medical record under applicable law or otherwise.
Right to restriction of processing: You have the right to obtain restriction of processing of your personal data when: a) the accuracy of your personal data is contested and until the accuracy of the data is verified; b) the processing is unlawful and you oppose the erasure of your personal data and request the restriction of their use instead; c) your personal data is no longer needed for the purposes of the processing, but they are required for the establishment, exercise or defense of legal claims; and d) you have objected to the processing pending the verification whether there are legitimate grounds concerning each Clinic or Company of IASO Group and overriding those for which you oppose the processing.
Right to object to the processing: You have the right to object at any time to the processing of your personal data when the processing is necessary for purposes of legitimate interests pursued by IASO Group as Data Controller.
Right to data portability: You have the right to receive without any cost accrued your personal data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller, provided that it is technically feasible. This right concerns the data that you have provided to IASO Group and their processing is carried out by automated means based on your consent or in performance/execution of a relative contract.
Right to withdraw consent: You have the right to withdraw your consent, to the extent it was given for the intended processing, at any time.
Right of complaint to Hellenic DPA: You have the right to lodge a complaint to the Greek Data Protection Authority (www.dpa.gr): Telephone Centre: +30 210 6475600, Fax: +30 210 6475628, Email address: [email protected].
To access your medical records, you can contact the Department of Medical Records of the concerned Clinic. To exercise any of your other rights, you can send a message to the following e-mail addresses, depending on the Clinic or Company of the Group you wish to contact. Specifically:
For IASO S.A.: [email protected].
For IMS S.A.: [email protected]
For MEDSTEM SERVICES S.A.: [email protected]
For IASO THESSALIAS S.A.: [email protected]
For FILOKTITIS S.A.: [email protected]
- Data and information security safeguards
The IASO Group has adopted and applies all appropriate technical and organizational measures in order to secure processing of personal data and to prevent accidental loss or destruction and non-authorized and/or illegal access, use, modification or disclosure, and ensures the lawfulness of collection, processing and secure maintenance of personal data, under the provisions of national, European and international law in connection with the individual’s protection against the processing of its personal data and particularly taking into account the provisions of the General Regulation on Data Protection.
For further information, please contact the IASO Group Data Protection Officer (DPO) Ms. Chara Daouti and/or the IASO Group Deputy Data Protection Officer (Deputy DPO) Ms. Natalia Kalatzi, at: [email protected].