The General Hospital of Corfu “AGIA EIRINI” (hereinafter referred to as the Hospital), wishing to secure your personal and sensitive personal data, has implemented all the necessary technical and organizational measures as defined by the General Data Protection Regulation (EU) 2016/679. The protection of your privacy and the preservation of the confidentiality of your health information and data is our fundamental priority.
This policy explains the legal framework under which your data is collected and processed, the types of data we collect and process, the process and purpose of their collection, the retention period, as well as the reasons for their disclosure to third-party partners if required. In addition, all your rights are disclosed and analyzed, as well as the actions you can take to exercise them.
This information text provides every person who receives or is interested in receiving medical services from the Hospital with concise, accurate and transparent information regarding the practices followed for the management and protection of personal data.
The Hospital reserves the right to modify and adapt this Policy whenever it deems it necessary; any changes will come into effect upon their publication on the Website http://www.gnkerkyras.gr/ and at the reception points of our facilities.
The Hospital has appointed ANDREAS KOUTOUPIS AND ASSOCIATES IKE – KPS as Data Protection Officer (DPO), whom you can contact directly for any relevant matter at the following telephone number: 6970138009 (Mr. Zisakis Nikolaos), as well as at the following email address: dpo@gnkerkyras.gr
Introduction
- Personal Data
Personal data is any information relating to a specific natural person or a person whose identity can be ascertained directly or indirectly (e.g. name, identity number, address, etc.) (“Data Subject”). Data relating to health (physical or mental condition, receipt of medical services, etc.) for the purposes of this are included in the general concept of “personal data”, but constitute a special category of data, which will hereinafter be called either “sensitive personal data” or “health data”.
- Processing
Processing is any operation or set of operations which is performed upon personal data or upon sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Controller
Data Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for his appointment may be provided for by Union or Member State law.
- Processor
Processor is the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
- Data Protection Officer (DPO)
The Data Protection Officer (DPO) independently oversees the strategy and compliance of the controller and processor with the provisions of Regulation (EU) 2016/679 (GDPR) and mediates between the various stakeholders (e.g. supervisory authorities, data subjects). The DPO's role is advisory (not decision-making) and the DPO does not bear personal responsibility for non-compliance with the Regulation.
Legal framework for personal data protection
At the Hospital we collect and process your personal data in accordance with this privacy notice and
- in compliance with EU Regulation 2016/679,
- the current Greek data protection legislation,
- the current legislative framework governing the operation of Public Health Institutions,
- the Code of Medical Ethics and Conduct,
- as well as the consents we receive (in cases where there is no legal basis for the processing).
This notice provides you with the necessary information regarding your rights and obligations and explains how, why and when we collect and process your personal data.
Personal Data we collect
During your visit or hospitalization, and for the provision of medical services by the Hospital, a large amount of personal data is collected, such as, but not limited to: contact information, demographic information, clinical symptoms, medical treatments-opinions, personal medical history, medication, family medical history, risk factors related to your lifestyle, etc. This data is collected:
- In electronic form.
- In printed form.
- In the form of a still or moving medical image (video).
- In combination of the above.
in order to provide you with excellent medical care and treatment and the full range of medical services that will be deemed appropriate for the diagnosis, treatment and general management of your medical issue. This information will henceforth form part of your personal medical file and will be retained for twenty (20) years from the date of your last contact (visit or hospitalization) with the Hospital, as defined by applicable legislation (Code of Medical Ethics – art. 14 par. 4 L. 3418/2005), as well as for the continuity and sequence of your medical monitoring, in the event that your re-examination is required or you receive new health care within the Hospital.
Your personal medical record is the point of collection and maintenance of all information recorded in each of your contacts, as a patient, with any health professional within the Hospital. A medical record is created for each of our patients, to support their assessment, diagnosis and treatment, the continuity of the health care provided, the clinical exchange of information, the safety and improvement of the health care provided and to satisfy the requirements set by the legislation (Law 3418/2005) and the State. The information recorded in the personal patient record constitutes sensitive personal data and is therefore confidential. Health professionals involved in the management of your health within the Hospital may have access to your health file and use the information it contains, only for your treatment needs and only if such access is directly related to the fulfillment of their duties (e.g. medical treatments, nursing work, prescriptions, diet preparation) or is provided for by law (e.g. obligation to notify a public health body, need to notify a public health provider due to the specificity and complexity of the incident).
Hospital staff with responsibilities in Administrative-Financial Services and in Information Technology will have knowledge of your personal data for the purposes of performing our administrative and financial functions, invoicing and serving you, and submitting hospitalization data to the competent insurance bodies (EOPYY, other funds, etc.) so that the cost of hospitalization can be reimbursed; any health data or information from your medical file that comes to their knowledge in the course of their work will be limited in scope and extent according to their responsibilities and will remain confidential. All Hospital staff are bound by confidentiality, privacy and secrecy clauses in their employment contracts covering the information they receive, and all employees are bound by a Code of Ethics that aims to protect the confidentiality of information about incoming patients, whether they receive diagnostic services or hospitalization and care. Given the importance of confidentiality and the protection of your privacy, we carry out strict regular checks to protect your data, as well as regular periodic training of our staff in the proper observance of the procedures defined by applicable legislation.
The Hospital only processes your personal information that is necessary to comply with legal, regulatory and contractual obligations and to provide you with health and nursing services, in accordance with international medical standards, the Code of Medical Ethics and best practices. We will never collect unnecessary personal data from you and will not process your data in any way other than as stated in this notice. We take all possible and appropriate measures to ensure that the collection and processing of data includes only what is absolutely necessary. We obtain, retain, process only the data that is necessary to perform our services to you and to fulfill our legal obligations and we retain it only for as long as necessary.
Our systems, employees, processes and activities aim to limit the collection of personal information to the extent necessary to achieve the specified purpose. Minimizing the processing of personal data allows us to control and mitigate data protection risks and breaches and to support compliance with applicable data protection laws and regulations.
Categories of Personal Data collected
- Personal and sensitive data of patients (adults and minors)
- Personal and sensitive data of blood donors
- Personal and sensitive employee data
- Personal and sensitive data of partners/suppliers/contractors
Indicatively:
- Contact details: name/surname, marital status, home address, personal e-mail, home phone, mobile phone, work phone, etc., as well as the name/surname and contact details of your companions and/or relatives.
- Demographic and identity information: date of birth, identity card number, passport number, VAT number, Social Security number, etc. information about the person financially liable for the cost of your hospitalization, insurance information in the event that you use a health insurance policy from a private insurance company.
- Special Category Personal Data: medical health information such as surgical details, previous healthcare, medical history, test results, etc.
- Information regarding the processing of financial transactions such as credit – debit card number, bank account number.
Method of obtaining Personal Data
The personal data processed and stored by the Hospital may be obtained:
- Verbally, upon your arrival at the Hospital’s reception and service points (Outpatient Clinic Secretariat – Emergencies, Patient Movement Department)
- By telephone when scheduling a visit or examination at the Hospital (name and date/time of visit or examination).
- By completing the documents that are intended to constitute your medical file / patient file, based on information that you provide us, and what emerges after your examination by the Hospital’s health professionals, as well as the results of the diagnostic tests/examinations that you perform.
- Via the special form available on the Hospital’s website, which is received in the form of an e-mail message.
- From the people accompanying you or legally authorized to act on your behalf (your personal representative) if you are under 16 years of age or are unable to provide this information yourself.
Legal basis for processing
The Hospital, within the framework of its operation and for the fulfillment of its objective purpose (provision of medical services), receives and processes a multitude of personal and sensitive personal data based on the following legal bases.
- Article 9 / paragraph 2 / letter (h) of the GDPR: processing is necessary for the purposes of preventive or occupational medicine, assessment of the employee’s capacity for work, medical diagnosis, provision of health or social care or treatment or management of health and social systems and services under Union or Member State law or pursuant to a contract with a health professional.
- Article 9 / paragraph 2 / letter (i) of the GDPR: processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
- The need to perform the obligations and exercise specific rights of the controller or the data subject in the field of labor law and social security and social protection law.
- Article 9 / paragraph 2 / letter (f) of the GDPR: processing is necessary for the establishment, exercise or defense of legal claims or when courts are acting in their judicial capacity.
- Article 9 / paragraph 2 / letter (c) of the GDPR: processing is necessary to protect the vital interests of the data subject or another natural person, if the data subject is physically or legally incapable of giving consent (in the case of patients who come to or are presented to the Emergency Department in a condition requiring immediate intervention and are unable to provide consent).
- the need to fulfil archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR based on Union or Member State law, which are proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
- Consent, in cases where it is explicitly required for the processing of sensitive personal data where they are not covered by the aforementioned legal bases. It is emphasized that this is obtained through written consent. Please note that you can withdraw your consent by submitting your relevant request either in the protocol or at dpo@gnkerkyras.gr.
The purposes and reasons for processing your personal data are detailed below:
We collect and store your personal data and data falling into special categories for the provision of health and nursing services to you based on the legal bases listed in the previous section, specifically for:
- a. the contractual agreement with you
- b. the retention of data for historical reasons and for reasons of future need to document cooperation
- c. our legitimate interest in providing health services
- d. your vital interest in receiving these services
- e. the fulfillment of a duty performed in the public interest
- f. the retention of data for the purpose of the Hospital’s response to audits by regulatory authorities of the legality of procedures and payments
- g. keeping the employee file and processing it in accordance with labor legislation
- h. the establishment, exercise or defence of legal claims or when the courts are acting in their judicial capacity
- i. compliance with a legal obligation
- j. your interest in receiving these services
- k. the execution of rights and obligations arising from social security law
- l. our legitimate interest and/or our legal obligation to protect the site and the goods located on the site from illegal acts.
In addition:
- We collect and store your personal data as part of our legal obligation for accounting and tax purposes.
- We retain your special categories of data for as long as required by law.
We may share your information with third parties (outside the Hospital) only if required by law:
- When an infectious disease may endanger the safety of others.
- When an official court decision has been issued.
- When sharing information with the police can prevent a serious crime.
- When you give us explicit instruction and authorization to do so (e.g. in the event that you wish to be compensated for your hospitalization expenses by your social security institution and/or your insurance company).
- When we need to safeguard the legitimate interests of the Hospital or third parties, such as collecting our claims through third party agents (e.g. Tax Authorities), etc.
- When it is our legal obligation (e.g. Tax authorities, insurance funds) after you have first been informed.
- When a specific legitimate interest exists and is documented following prior notification to you after you have received a reasonable period of time for any objections to the transfer.
- Where the transfer is necessary to protect the vital interests of the data subject or of other persons, where the data subject does not have the physical or legal capacity to give consent.
- Upon receipt, after detailed information, of an explicit signed order and authorization regarding your participation in research protocols or data collection for the purposes of clinical research or clinical databases. Your participation in such research is completely voluntary on your part and your consent may be revoked by you at any time.
Sharing and Disclosure of Your Personal Data
We do not share or disclose your personal data without your consent, for anyone other than the purposes set out in this notice or where required by law. The Hospital uses selected partners (acting as “processors” under the GDPR) to provide the following services and business functions, however, all processors acting on our behalf process your personal data in accordance with the instructions they receive from us and fully comply with this privacy notice, the principles of the General Data Protection Regulation (EU) 2016/679 and any other appropriate confidentiality and security measures. Specifically, all selected partners have fully accepted the confidentiality and non-disclosure clauses set by the Hospital regarding the processing of data. The main categories of processors with whom we may share your data (referring to all subjects) include:
- Public and Private Health Service Providers (e.g. Public Hospitals, TOMY, Health Centers, Diagnostic Centers).
- Public Interest Platforms (DIAVGEIA, KIMDIS, e-Government Platforms, etc.)
- Public Social Security Organizations/Social Security/Health Funds, Insurance Companies and the Audit Companies collaborating with them.
- Medical Equipment Suppliers (with your consent)
- Organizations and companies providing information systems support and accounting support services.
- Supervisory Authorities and Organizations under the jurisdiction of the Ministry of Health.
- Public Interest Bodies (e.g. Hellenic Statistical Authority).
- External Auditors (Internal Auditors, Certified Auditors, etc.).
- External Legal Advisors.
- Occupational Physician
- Security Technician
Protection measures
At the Hospital, we take all reasonable technical and organizational measures and precautions to protect and safeguard your personal data. We work to protect you and your data from unauthorized access, modification, disclosure, destruction or any other processing and have put in place the necessary levels of security measures, such as: specific policies and procedures, role-based access management, strong password controls, network security controls, perimeter security equipment and software for logical access (firewall), business continuity measures, event/incident management, encryption, ongoing staff training in technical and organizational security measures, etc.
Consequences of refusing consent to data processing
The consent of the subject is a necessary legal basis for the lawful processing of personal data in the health sector only when it is expressly required by a legal provision, e.g. for participation in scientific research activities in the context of clinical trials (cf. recital 161 of the GDPR). In cases where the consent of the subject is expressly required for the processing of sensitive personal data, it must also be in writing.
Based on the above, if the data subject is asked to sign upon receipt of an information form for the processing of personal data, his signature is understood to mean that he “received knowledge” of the information required by law for his appropriate information and not that he consents to the processing of personal data, since the legal basis for the processing of personal data is, in principle, the provision of medical services pursuant to Article 9, paragraph 2, letter (h) of the GDPR.
Therefore, the refusal to provide health services by the Hospital is not permitted, on the grounds that the data subject refused to provide consent to the processing of personal data, since the legal basis for the processing of personal data is, in principle, the provision of medical services pursuant to Article 9(2)(h) of the GDPR.
How long do we keep your data?
At the Hospital we retain personal data only for as long as necessary and we have implemented strict policies and procedures for reviewing and retaining your data in order to meet our commitments.
Regarding health data, according to Greek Law 3418/2005, we are obliged to retain health-related data for twenty years from your last contact with the Hospital (your visit or hospitalization). This period may be extended due to the nature of the cases that the Hospital serves as well as due to the repeated visits of patients, so that if you return to the Hospital, we have all the details of your previous hospitalizations to facilitate the provision of more complete medical services to you. When the above period has elapsed, the data is anonymized or destroyed using approved destruction procedures.
With regard to the other categories of data, according to Greek legislation the archives of Public Hospitals are considered public archives. Therefore, their maintenance is determined by Presidential Decree 480/1985 “Clearance of the archives of Local Government Organizations and of institutions, legal entities under public law and their associations”. Based on the Presidential Decree, the archives are kept from two (2) years to perpetuity depending on their usefulness and necessity. They are then checked by the General State Archives (G.A.K.) and either destroyed or transferred to the G.A.K. warehouses if they are classified as historical.
Tax information is maintained in accordance with applicable tax legislation.
Exercising your rights
With regard to the personal data concerning you, you have the possibility of exercising the following rights by submitting a relevant written request in person or through your legally authorized representative at the Hospital, or by sending the request by post with a certified original signature.
a) Right to information and right of access to all personal data held and processed by the Hospital, regarding you, the type of processing, the purposes of processing, the recipients or categories of recipients of your personal data, as well as the period of their retention.
b) Right to rectification. If you believe that we hold any incomplete or inaccurate data about you, you have the right to request that we correct and/or complete this information.
c) Right to delete your personal data exclusively and only in the following cases:
- when your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- when you withdraw your consent on which the processing of your personal data was based and there is no other legal basis for the processing (clinical studies, statistical data, etc.)
- when the law requires the deletion of your personal data or they were processed without the necessary legal basis (processing beyond 20 years, data processing without the existence of a legal basis or consent)
d) Right to restriction of processing in the following cases:
- when you dispute the accuracy of your personal data and until the Hospital verifies its accuracy
- when instead of deletion, you request the restriction of the processing of your personal data
- when the Hospital no longer needs your personal data for the purposes of processing, but these personal data are required by you for the establishment, exercise or support of legal claims
e) Right to portability, i.e. you have the right to request the transfer of your data to another healthcare service provider, either in Greece or abroad, or their delivery to you in a standardized electronic format on a portable storage medium (e.g. CD, DVD).
The right to erasure does not apply if the processing or retention of data by the Hospital is mandatory and/or necessary in accordance with the law, as well as for the establishment, exercise or support of its legal claims and rights or the fulfillment of its obligations. More specifically, as stated in paragraph 3 of article 17 of the GDPR, the right to erasure does not apply to the extent that the processing is necessary:
- For the provision of medical services and for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i), as well as Article 9(3).
- For archiving purposes in the public interest.
To exercise any of the above rights, identification (through an official legal document or legally signed authorization) is required in order to confirm that your personal data is protected and kept secure.
The Hospital will respond to your request free of charge, without delay and in any case within one month of receipt of the request, except in exceptional cases, in which case the above deadline may be extended by two more months, if necessary, taking into account the complexity of the request, the volume of material to be processed and/or the number of requests. The Hospital will inform you of any extension within one month of receipt of the request, as well as of the reasons for the delay.
If it is not possible to satisfy your request, the Hospital will inform you without delay and no later than within one month of receipt of the request, of the relevant reasons and of the possibility of submitting a complaint to the Personal Data Protection Authority (PDPA), as well as of your right to appeal before the competent judicial authorities.
Submit a Complaint/Report
The Hospital only processes your personal data in accordance with this privacy statement and in accordance with the relevant data protection laws. If, however, you wish to express a complaint about the processing of your personal data or if you are not satisfied with the way in which we have managed your personal data, you have the right to submit a complaint either to the email address of the Hospital’s Data Protection Officer dpo@gnkerkyras.gr or in writing through the Hospital’s secretariat. You also have the right to file a complaint with the Personal Data Protection Authority (PDPA) [1-3 Kifissias Ave., P.C. 115 23, Athens, tel.: +30 2106475600, email: contact@dpa.gr] if you consider that your rights to the protection of your personal data are violated. You also have the right to appeal to the competent judicial authorities for the protection of your personal data.