I. CONTROLLER INFORMATION AND CONTACT DETAILS
1. The controller of the processing of personal data is the limited liability company “Pallas clinic” (hereinafter - Clinic), unified registration No 42103111641, legal address: Marupe municipality, Marupe, 4-1 Jaunzemu Street, LV-2167.
2. The contact details for matters relating to the processing of personal data shall be:
2.1. In the form of correspondence: Jurmala, 23-25 Jūras Street
2.2. In the online form: ………
2.3. In the form of e-mail communication: [email protected]
3. The contact details of the Clinic for information about possible data breaches: [email protected]
II. GENERAL INFORMATION
5.1. natural persons – Clinic patients (including potential, former and present);
5.2. visitors to the Clinic, including those subject to video surveillance;
5.3. visitors of the Internet website of the Clinic.
7. The Clinic shall take care of patient privacy and the protection of personal data, respect patients' right to the lawfulness of the processing of personal data in accordance with the applicable law - Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter - Regulation), the Law on the processing of personal data, the Law on Patients' Rights and other applicable laws and regulations in the field of privacy and data processing.
8. In its action, the Clinic:
8.1. protects the personal data of the data subject by implementing administrative, technical and physical security measures to the extent that they are proportionate to the potential risks;
8.2. informs and explains what personal data are necessary to receive services and how they will be used;
8.3. carries out the transfer of data to third parties in compliance with the applicable regulatory framework;
8.4. implements measures for the regular training and information of its staff in matters of personal data protection in order to reduce the likelihood of possible incidents occurring;
8.5. implements internal control procedures to reduce the probability of occurrence and the consequences of security incidents.
III. PURPOSES AND LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
9. The Clinic processes personal data for the following purposes:
9.1. for the provision and administration of healthcare services:
9.1.1. identification of the patient;
9.1.2. registering a patient with the Clinic specialists for
9.1.3. drawing up of the medical documentation of the patient in accordance with the requirements specified in regulatory enactments;
9.1.4. reminders to patients of their planned visit to the Clinic specialists;
9.1.5. carrying out medical examinations;
9.1.6. medical advice and carrying out medical manipulations;
9.1.7. assessment of the health status of patients or other natural persons;
9.1.8. administration of payments;
9.1.9. recovering debts from debtors;
9.1.10. examination of patient complaints and quality control;
9.1.11. encouraging patient loyalty, measuring satisfaction;
9.1.12. preparing and concluding a contract with patients;
9.1.13. maintaining and improving the operation of homepages;
9.2. clinical training in accordance with nationally accredited educational programmes;
9.3. conducting clinical studies;
9.4. provision of information to State administrative institutions and operational activity subjects in the cases and in the amount specified in external regulatory enactments;
9.5. ensuring the safety of patients, the Clinic employees and the protection of property;
9.6. information for the introduction of the national uniform medical information system (E - Health).
10. The Clinic processes patients' personal data on the following legal bases:
10.1. with the consent of the data subject (patient) (Section 9 Paragraph two Clause a) of the Regulation, Section 10 Paragraph two of the Patients’ Rights Law);
10.2. enforcement of laws and regulations - in order to fulfil the obligations laid down in external laws and regulations binding on the Clinic or the rights of the data subject laid down in external laws and regulations (Section 9 Paragraph two Clause b) of the Regulation, Section 10 of the Patients’ Rights Law);
10.3. where the processing is necessary to pursue or defend the legitimate interests of the Clinic before a court (Section 9 Paragraph two Clause f) of the Regulation);
10.4. where processing is necessary to safeguard the legitimate interests of the Clinic (to organise an efficient process of providing healthcare services, to ensure an efficient process of applying for and withdrawing patient visits, to be paid for the healthcare services provided);
10.5. where processing is necessary for the execution of a contract with the data subject (patient) or for the adoption of measures upon the request of the data subject before the conclusion of the contract (Section 6 Paragraph one Clause b) of the Regulation);
10.6. where processing is necessary to protect the vital interests of the data subject (patient) or other natural person (Section 6 Paragraph one Clause d) of the Regulation);
10.7. archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Section 6 Paragraph 1 Clause e) of the Regulation).
IV. AMOUNT OF INFORMATION THAT IS BEING ACCUMULATED
11. In its basic activity, the Clinic shall primarily obtain from the data subject the basic information necessary for the unambiguous identification of the relevant person for the provision of medical treatment services and for ensuring communication:
11.3. Personal identity number (identification number)
11.5. Phone number and/or e-mail address
11.6. Number of the person's passport or ID card.
12. In the context of the provision of services, the Clinic may obtain additional information from the data subject and from other third parties, which primarily covers, but is not limited to, referral information, information on previous medical cases, information obtained in the context of a particular treatment episode.
13. A specific amount of information depends on the specific nature of the service to be provided and the laws and regulations in force governing the conditions for the provision of the service.
14. The Clinic is aware that, when providing its services, it processes health data, which is considered to be a specific category of personal data in the context of the Regulation.
V. PROCESSING AND PROTECTION OF PERSONAL DATA
15. The Clinic processes patient data through modern technology capabilities, taking into account existing privacy risks and the organizational, financial and technical resources available to the Clinic.
16. The Clinic continually develops and complements the technical solutions at its disposal, taking into account current industry trends and the opportunities offered, based on the risks identified.
VI. CONDITIONS FOR THE USE AND ISSUANCE OF DATA
17. The personal data held by the Clinic and obtained during the provision of the services shall be used:
17.1. for the operation of the Clinic and to the extent necessary for the provision of the highest possible quality of service;
17.2. for the establishment of co-operation with other third parties, for the implementation of the medical treatment process of a patient.
18. The Clinic, in cooperation with third parties, shall only carry out its activities in accordance with the laws and regulations governing the possibility for the Clinic to carry out personal data exchange activities with regard to the collection and transmission of the necessary data.
19. The Clinic implements measures in its day-to-day work to minimize the amount of processing of personal data for its employees, providing that employees are given access only to the data of patients they need to perform their duties.
20. The Clinic shall ensure that personal data held by it are only provided to the data subject himself/herself. The issuance of data to third parties, including persons related to the data subject, shall be performed only in cases if a written consent of the data subject has been received or a case specified in regulatory enactments exists when such transfer of data is permitted.
21. The Clinic shall not transfer data in cases where it is unable to verify the identity of the data subject or suspects that the identity presented by the data subject does not coincide with its true identity.
22. In cases where the transmission of data is effected by means of e-mail communication, the Clinic shall ensure that such activity is performed only after obtaining the consent of the data subject, indicating in writing or orally (by the employee recording it in the electronic information system) the e-mail address to which he/she wishes to receive the consignment. The relevant information is requested each time the consignment is prepared, requiring the data subject to provide the e-mail address of his/her choice.
23. When sending data using e-mail communication facilities or other online data exchange solutions, including self-service platforms of information systems, the Clinic shall implement measures for the protection of relevant data by applying data access protection or encryption methods.
24. The Clinic transfers personal data to third parties, ensuring that the third parties concerned maintain the confidentiality of personal data and provide adequate protection.
25. The Clinic has the authority to transfer personal data to the Clinic subcontractors, which help the Clinic secure the performance of its functions.
26. In the case referred to in Clause 25 of this document, the Clinic subcontractors receiving and processing personal data shall be considered to be controllers of personal data within the meaning of the Regulation and shall enter into a written contract stating that the Clinic requires the recipients of the data to undertake to use the information received only for the purposes for which the data were transferred and in accordance with the requirements of the applicable laws and regulations in the field of data processing and data protection.
27. The Clinic transfers data to third countries (countries located outside of the European Union and the European Economic Area) only if a written consent of the data subject has been obtained.
VII. DURATION OF RETENTION OF PERSONAL DATA
28. The Clinic shall store and process patients' personal data while at least one of the following criteria exists:
28.1. as long as the obligations arising from the contract concluded between the hospital and the patient are fulfilled or the patient is provided with a healthcare service;
28.2. as long as the Clinic has a statutory obligation to store the relevant data;
28.3. as long as full examination and/or execution of the patient's request/application is considered;
28.4. as long as the consent of the patient to the processing of personal data in question is in force, unless there are other legitimate grounds for the processing.
29. Patients' personal data is deleted when conditions are met that require no further storage of the patient data.
VIII. ACCESS TO PERSONAL DATA AND OTHER PATIENT RIGHTS
30. The Clinic shall ensure the right of a patient to receive the information specified in regulatory enactments in relation to the processing of his or her data.
31. The patient also has the right, under the laws and regulations, to request from the Clinic access to his/her personal data, as well as to require the Clinic to complete, correct or delete them, or restrict processing in respect of the patient, as well as the right to object to processing and the right to portability of the data. This right shall be exercised in so far as the processing of the data does not result from the Clinic's obligations under the laws and regulations in force.
32. A patient may submit a request for the exercise of his or her rights:
32.1. at the Clinic, in written form in person, presenting a personal identification document;
32.2. by e-mail, signing a letter with a secure electronic signature and sending it to the e-mail address: [email protected];
32.3. by sending a letter via mail to the Clinic;
32.4. by phone or by e-mail to the Clinic, not signed with a secure electronic signature, to the e-mail address: [email protected], provided that the patient has agreed with the hospital to communicate in relation to the patient data using the specific e-mail address or phone number. Such agreement shall be made in writing in person (presenting a personal identification document of the patient) or signed with a secure electronic signature.
33. Upon receipt of a request from the patient regarding the exercise of his or her rights, the Clinic shall verify the identity of the patient, evaluate the request and execute it in accordance with regulatory enactments.
34. The Clinic provides a response to the patient as soon as possible, taking into account the type of response the Patient has specified.
35. If a reply is sent by post, it is addressed to the data subject (the person whose personal data is requested) by registered letter. If the answer is provided electronically, it shall be signed with a secure electronic signature (if the application has been submitted with a secure electronic signature).
36. The Clinic shall ensure that the data processing and protection requirements are met in accordance with the laws and regulations and, in the event of objections from a patient, shall take the appropriate steps to resolve the objection. However, if this fails, the patient has the right to refer the matter to the supervisory authority - the Data State Inspectorate.
37. The patient is entitled to receive, free of charge, one copy of his/her personal data processed by the Clinic.
38. The receipt and/or use of the information referred to in Clause 37 of this document may be restricted to prevent adverse effects on the rights and freedoms of others (including the Clinic employees).
39. The Clinic commits to ensuring the accuracy of personal data and relies on its patients, suppliers and other third parties who transfer personal data to ensure the completeness and accuracy of the personal data transferred.
IX. CONSENT OF A PATIENT TO THE PROCESSING OF DATA AND THE RIGHT TO WITHDRAW IT
40. The patient's consent to the processing of personal data, the legal basis of which is consent, shall be given in writing in person at the hospital, by means of a paper-based postal service or by means of an e-mail signed with a secure electronic signature.
41. The patient shall have the right at any time to withdraw the consent given for the processing of the data in the same manner as it has been given and in such a case further processing of the data based on the prior consent given for the specific purpose will not be carried out in the future.
42. The withdrawal of consent shall not affect data processing carried out at the time when the patient's consent was valid.
43. Withdrawal of consent shall not interrupt the processing of data on other legal grounds (for example, in accordance with external laws and regulations or the contract entered into between the hospital and the patient).
X. WEBSITE VISITS AND COOKIE PROCESSING
46. The Clinic's websites may include links to third-party websites that have their own usage and personal data protection rules, for which the Clinic does not carry responsibility.