GDPR

Information on processing patient personal data by medical facilities

Dear clients,

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and the instruction of data subjects (hereinafter referred to as the "General Regulation"), we would like to provide information how our medical facility První privátní chirurgické centrum, spol. s r.o., with its registered office at Labská kotlina 1220/69, 500 02 Hradec Králové, company ID: 49813692, entered in the Commercial Register maintained by the Regional Court in Hradec Králové, Section C, Insert 5023, as the controller of personal data (hereinafter referred to as the "controller") processes your personal data and the rights and obligations associated with it.

Personal data is all information about an identified or identifiable natural person (also called a "data subject"); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to a specific identifier, such as the name, identification number, location data, network identifier or one or more specific physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1. Scope and purposes of personal data processing

The controller processes personal data to the extent provided by the data subject in connection with the conclusion of a health care contract with the controller, or in connection with the provision of medical services in accordance with Act No. 372/2011 Coll., on medical services and conditions of their provision (Act on Medical Services), its implementing regulations and other regulations governing the provision of medical services. The controller also processes personal data not provided to the controller by the data subject, but which the controller obtains in the provision of medical services, such as data obtained as a result of specific examinations. The controller processes personal data in accordance with valid and generally binding legal regulations of the Czech Republic and for the fulfilment of its legal obligations.

Your personal data is processed for the following purposes:

• provision of medical services (fulfilment of legal obligations by the controller);
• the purpose arising from the negotiation of the contractual relationship under consideration (for the purpose of concluding a health care contract);
• the purpose arising from the performance of the health care contract between you and the controller;
• determination, enforcement or defence of legal claims;
• provision to the extent strictly necessary for legal, economic and tax advisers and auditors, in order to provide advisory services to the controller;
• protection of company property and protection of life, health, property and personal data of patients, employees and other persons moving on the premises of the controller and prevention of undesirable acts and phenomena via camera systems; detailed information on the processing of information obtained using camera systems can be found in the "Information on the processing of personal data obtained using camera systems" document.

2. Sources of personal data

The controller processes personal data it obtains:

• in connection with the provision of medical services in the sense of Act No. 372/2011 Coll., on medical services and conditions of their provision, and Act No. 373/2011 Coll., on specific medical services;
• directly from data subjects in connection with handling of complaints.

3. Categories of personal data and categories of data subject

The following categories of personal data are the subject of processing:

• address and identification data, which serve for the unambiguous and unmistakable identification of data subjects, such as the name, surname, date of birth, address of permanent residence and others;
• contact details such as contact address, telephone number, email address and others;
• other data, such as bank details;
• data detectable from camera recordings, i.e., sex and appearance;
• other data necessary for the performance of the healthcare contract, in particular data on the medical condition of the data subject.

Data subjects whose data is processed by the personal data controller and to whom this information is addressed are:

• client/patient;
• potential client/patient;

4. Method of processing and protection of personal data

Personal data is primarily processed in medical documentation in full compliance with applicable laws. Their safety and protection is ensured in accordance with these regulations and in accordance with the General Regulation.

The processing takes place manually in paper and electronic form or automatically via computer technology, in compliance with all security principles for the management and processing of personal data. To this end, technical and organisational measures have been taken by the controller, in particular to ensure that unauthorised or accidental access to personal data, their alteration, destruction or loss, unauthorised transfers, unauthorised processing and other misuse of such personal data cannot occur. All subjects to whom personal data may be disclosed respect the right of data subject privacy and are obliged to proceed in accordance with the applicable legislation on personal data protection.

5. Time of personal data processing

The controller processes personal data for the time strictly necessary to fulfil the purpose and in accordance with the deadlines specified in the relevant generally binding legal regulations of the Czech Republic for shredding and archiving documents, or as long as necessary to determine, enforce or defend legal claims.

6. Categories of personal data recipients

Recipients of personal data subjects are:

• other health service providers in the context of expanding or follow-up health care and providers of selected medical services, in particular external laboratories;
• public institutions, especially health insurance companies;
• processors based on a contract with the controller, to the extent of data necessary for the purpose of processing, e.g., companies that manage systems for medical record keeping in electronic form, persons providing data storage or archiving and others;
• persons providing legal advice;
• state authorities in the framework of fulfilling legal obligations stipulated by relevant legal regulations.

7. Information on the rights of the data subject

You have the right to request the following from our Company as a controller of personal data:

• request access to personal data processed by the controller, i.e., to obtain confirmation from the controller whether or not the personal data concerning you is processed and, if so, you have the right to access this personal data and other information referred to in Article 15 of the General Regulation,
• request the correction of personal data processed about you, if the data is inaccurate. In some cases you have the right to request the addition of incomplete personal data taking into account the purposes of processing,
• request the deletion of personal data in the cases provided for in Article 17 of the General Regulation,
• request restrictions on data processing in the cases provided for in Article 18 of the General Regulation,
• obtain personal data concerning you, which we process automatically for the performance of the contract concluded with you, in a structured, commonly used and machine-readable format, and you have the right to request that the controller pass this data to another controller; under the conditions and with the restrictions specified in Article 20 of the General Regulation, and you have the right to object to processing within the meaning of Article 21 of the General Regulation for reasons related to your specific situation.

If we receive your request, we will inform you of the measures taken without undue delay, in any case within one month of receiving the request. This time limit may be extended by another two months if necessary and with regard to the complexity and number of applications. In certain cases stipulated by the General Regulation, our company is not obliged to comply in whole or in part with the request. This shall be in particular in situations when such request is apparently groundless particularly due to its repetition.

In such cases we may (i) impose an adequate fee due to administrative costs associated with provision of the requested information or statements or with the required actions or (ii) to refuse to satisfy such request.

If we receive the above request but have reasonable doubts about the applicant's identity, we may ask the applicant to provide additional information necessary to confirm their identity.

You also have the right to contact the Office for Personal Data Protection directly with your complaint if you think that your personal data is not processed in accordance with the law, in the place of your usual residence, place of employment or in the place of the alleged infringement. If you have suffered any damage other than property damage as a result of the processing of personal data, the procedure for exercising its claim is subject to a special law.

We also inform you that our Company has appointed a data protection officer. Contact details of the officer: Ing. Anna Mityashina, Na Poříčí 1047/26, 110 00 Praha 1, email: dpo@akdap.cz

The provision of patients' personal data is a legal requirement and the patient must provide the data, just as the healthcare professional has the right to request it. Failure to provide personal data may mean that the controller will not be able to provide medical services to the patient, which could damage the patient's health or directly endanger the patient’s life.
Information on processing patient personal data by medical facilities.