The company under the name “NextHealth S.A.” (hereinafter the “Company”), in order to fulfill its purposes, namely the provision of high-level medical and nursing services, processes personal data of its patients, both simple (non-sensitive) and sensitive, such as health data, in compliance with the Code of Medical Ethics and the broader legislative and regulatory framework, including Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “Regulation”), as well as the relevant decisions of the Data Protection Authority (hereinafter the “Authority”). Additionally, it processes data of its employees, partners and suppliers, and of all those who transact with it, browse its website, subscribe to its newsletters or training seminars, etc. This Policy applies to all processes, departments, services and facilities of the Company, whether owned, leased or operated under any other usage regime, for the provision of its medical and nursing services.
Definitions
For the purposes of this Policy:
- “Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “Health data”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
- “Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Controller”: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
- “Processor”: the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller;
- “Consent” of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Basic Principles
By means of this Policy, the Company determines and discloses the terms under which it collects, stores, and uses personal data in printed and/or electronic form, i.e., it acts as a Data Controller.
This Policy also describes how the Company uses, shares and protects the personal data it processes, how natural persons (data subjects) can exercise their rights regarding their personal data, and how to contact the Company, in compliance with Regulation (EU) 2016/679 and any other applicable legislation.
The recipients of the data are the data subjects themselves, their family members in case of physical incapacity, persons authorized by them, insurance funds to the extent that the provision of data is necessary for insurance coverage, public authorities following a prosecutor’s order, and ministries for the purpose of statistical processing, as well as any other recipients expressly provided for by law.
Finally, by this Privacy Policy, the Company affirms that it is committed to:
- keeping the information provided to it confidential and secure, thus ensuring privacy;
- maintaining a record of processing activities covering all its activities, both primary and ancillary to its purposes;
- continuously training its staff on data protection, the clean desk policy, respect for privacy, and confidentiality;
- adopting policies such as this one and the Information Security Policy;
- working exclusively with individuals and companies that are equally committed to the principles of personal data protection and that take appropriate measures to protect it; and
- processing the personal data it holds simply and fairly, with respect and a high sense of responsibility.
Principles of Processing of Personal Data
The Company, as Data Controller, processes the personal data of its patients, employees, and associates, as well as the health data of its patients, in accordance with the principles that, according to the Regulation on the protection of personal data, must govern the processing. Thus:
- it processes the data it collects lawfully, fairly and transparently;
- the purposes for which the data are collected are specified, explicit and legitimate;
- the data it processes are adequate and relevant for the purposes of processing;
- the data are accurate and, where necessary, kept up to date;
- it keeps and stores the data only for as long as required by the legal framework;
- it takes all necessary and appropriate technical and organizational measures for their security.
Controller
The Data Controller is:
The company under the name “NextHealth S.A.” and the trade name “NextHealth”, headquartered in Athens at 109-111 Mesogeion Avenue, Postal Code 11526, with VAT number 802842446 (Attica Tax Office) and General Commercial Registry number 183786001000. The Company operates the clinics General Clinic of Thessaloniki and Kyanous Stavros (Blue Cross) in Thessaloniki and the General Clinic of Kozani in Kozani. These clinics act as independent Data Controllers of the personal data, including health data, that they are obliged to maintain, and as joint Data Controllers of such data within the scope of any necessary exchange of personal data between them during the provision of health services.
Data Processed
Patients
- Simple personal data: name, surname, date of birth, home address, email address, occupation, identity card number, Social Security Number, Tax Identification Number, insurance provider, contact phone numbers, etc. In addition, simple personal data of accompanying persons, relatives or friends of patients may also be collected. Furthermore, information may be collected for the purpose of processing payments (e.g., bank account or credit card details).
- Health data: data relating to the health status of patients, as derived from their medical history, upon admission and during their hospitalization, from consent forms for medical procedures, as well as from the results of diagnostic and clinical tests carried out in the context of providing medical services.
Employees / External Associates
The Company processes personal and other data (including health data, e.g., to justify sick leave, and data on an employee’s children in order to grant allowances) necessary for the fulfillment of its legal obligations towards its employees (salaried staff and external partners) in accordance with labor and social security legislation.
Partners / Suppliers
The Company processes the necessary personal data of representatives and employees of partner companies (pharmaceutical companies, biotechnology equipment companies, suppliers, etc.) for the purpose of conducting its commercial relations with them, for its operation and the fulfilment of its purposes.
Finally, the Company processes the personal data of all those who contact it in order to subscribe to its newsletter, obtain a privilege card, apply for a job by sending a CV, communicate via the electronic form on the Company website or, finally, browse the website by accepting cookies. For all these purposes, the Company has specific procedures and policies in place to ensure both the secure storage of the data it processes and its retention only for the period specified by law or by its procedures.
Purposes of Collection, Processing and Supply of Personal Data
The Company collects, processes and stores personal data for the fulfilment of the following purposes:
- Provision of medical and nursing services.
- Management of human resources matters concerning staff employed by the Company, regardless of employment relationship and specialty.
- Smooth cooperation with the Company’s associate physicians, regardless of employment relationship and medical specialty.
- Management of cooperation matters with suppliers of products and services, subcontractors and other partners, through relevant contracts or addenda.
- Response to requests from supervisory authorities and management of requirements and audits provided by law.
- Management of complaints from patients and visitors.
- Management of the security of persons and property, such as access, safety and entry control to the Company’s premises, including the use of CCTV for the protection of persons and property. Any collection of CCTV material is limited to areas where it is necessary for this purpose, such as cash desks or critical facilities, and is kept in accordance with applicable law and the Authority’s guidelines.
- Informing the public about services offered by the Company through events of an informative or scientific nature, through electronic means including social media, as well as through other actions of any kind.
- Promotion of the Company’s public relations (e.g., corporate social responsibility actions).
- Organisation and conduct of training seminars/programs for staff, as well as scientific workshops/events and/or trainings for associate physicians of every specialty.
- Handling of legal affairs.
- Management of accounting and tax services.
The Company processes personal data on the following legal bases:
- when the data subject has given consent;
- to perform a contract with the data subject or to take steps at their request prior to entering into a contract;
- for the Company to comply with a legal obligation;
- to protect the vital interests of the data subject;
- to perform a task carried out in the public interest;
- for the purposes of the Company’s legitimate interests;
- for the purposes of social security obligations and rights;
- for the establishment, exercise or defense of legal claims, or when courts are acting in their judicial capacity;
- for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health care or treatment, or the management of health care systems.
Retention Period of Data
The Company is required to keep the Patient Medical File in its Medical Records for twenty (20) years from each hospitalization, in accordance with its legal obligation under Law 3418/2005 and due to the need to protect life and health and to provide appropriate treatment. Data on outpatients are also kept in its archives for 20 years. Purely accounting and tax records are kept for as long as required by the applicable tax legislation.
The Medical record contains all data relating to the patient’s health as well as simple personal data that the patient himself/herself has provided for the performance of the contract for the provision of medical services between the patient and the Company.
In the event that these time limits change, the Company shall give notice of the changes. Any data obtained through the website for the purpose of making an appointment are kept securely in the Company’s computer system and incorporated into the medical records kept in the Archive as described above.
After the mandatory retention period has elapsed, the Company destroys the data in accordance with the instructions of the Authority and its own procedures and protocols, under the applicable regulatory framework.
Disclosure of Personal Data to Third Parties
The Company may transfer (by electronic and physical means), in fulfillment of its contractual obligations, simple and sensitive personal data of its patients and data relating to their hospitalization to their insurance company and its auditors, for the purpose of covering and compensating their hospitalization expenses in accordance with the health coverage they have.
It may also transfer (by electronic and physical means), in fulfillment of its legal obligations, simple personal data and sensitive personal data (health data) to the competent authorities and to the public insurance institution of insured patients (the National Organization for Health Care Services (EOPYY) or another Insurance Fund) and its auditors, for the purpose of covering and compensating their hospitalization expenses in accordance with their existing health coverage.
Furthermore, for the purpose of providing health services, it may transfer simple and sensitive personal data to the clinics the company operates, doctors who provide independent services to NextHealth, and service providers in the health sector based on contracts with NextHealth.
The Company’s financial services are required to process simple personal data of the patient or health data (e.g., type of surgery, type of diagnostic test) in order to issue a legal document for the payment of medical services that the Company provides to its patients and to satisfy its legitimate business interests and its legal tax obligations.
Finally, in order to pursue its legal claims, the Company may transfer personal data to law firms with which it cooperates or to individual lawyers/associates.
Security of Personal Data
The Company uses appropriate technical and organizational protection measures to ensure that the personal data entrusted to it by patients is secure, whether stored physically or electronically.
When the Company entrusts a third party as a processor (including service providers) to collect or process personal data on its behalf, the processor is carefully selected based on its expertise, reliability and available resources, as well as the appropriate technical and organizational security measures it takes to ensure the security of the processing, in accordance with the requirements of the General Data Protection Regulation.
Data Subjects’ Rights Regarding Their Personal Data
- Right to information: The Company is required to inform the data subject in an understandable manner of its identity and contact details, the details of the data protection officer, the purpose of processing their data and the legal basis for processing it, the recipients or categories of recipients of their personal data, the period for which their data will be stored, their rights of access, rectification, erasure, portability, restriction of processing of personal data and complaint to the supervisory authority, the mandatory or non-mandatory nature of providing the data, as well as the possible consequences in case of non-provision. If the Company intends to transfer the data subject’s data to a third country or international organization, it must inform the data subject accordingly. If the data is not provided by the data subject, the Company must inform them of the source of the data.
- Right to withdraw consent: where processing is based on consent, patients have the right to withdraw it at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.
- Right of access, rectification and erasure: Patients have the right to request access to any of their personal data that the Company may hold, to request the correction of any inaccurate data and, in certain circumstances, to request the erasure of their personal data. Patients cannot request the deletion of their health data because, by law, there is an obligation to store it for 20 years.
- Right to data portability: under certain conditions, patients have the right to receive the personal data they have provided in a structured, widely used and machine-readable format, as well as to request that the Company transfer it to another controller, where this is technically feasible. For example, they can ask the Company to send copies of their medical records or diagnostic tests to another clinic or hospital by any appropriate means.
- Right to restriction of processing: patients have the right to request the restriction of the processing of their personal data where:
  - the accuracy of the personal data is contested, until the necessary measures are taken to correct or verify its accuracy;
  - the patient considers the processing to be unlawful but does not want the Company to delete the data;
  - the Company no longer needs the patient’s personal data for the purposes of the processing, but the patient needs the data to establish, exercise or defend legal claims; or
  - the patient has objected to processing justified by legitimate interests (see below), pending verification of whether there are compelling legitimate grounds for the Company to continue processing.
Where personal data are subject to such restrictions, the Company will only process them with the data subject’s consent or for the establishment, exercise or defense of legal claims.
- Right to object to processing: provided that the conditions set by law are met, the patient has the right to object to the processing of their personal data. If they object, the Company must stop processing, unless it can demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the individual or, where it needs to process the data for the establishment, exercise, or defense of legal claims.
If anyone considers that the processing of their personal data violates the applicable law, they have the right to lodge a complaint with:
Hellenic Data Protection Authority, 1-3 Kifissias Avenue, 115 23, Athens, Greece
Telephone: +30-210 6475600
E-mail: contact@dpa.gr
Data Protection Officer (DPO)
For more information on exercising your rights under the Regulation, or for any questions regarding the processing of personal data, interested parties may contact the Data Protection Officer appointed by the Company at dpofficer@imitheamg.gr. Requests are fulfilled within the applicable time frame, i.e. in any case within one (1) month from the date they were sent. If a request is complex, the Data Protection Officer will inform the interested party within one month of the need to extend the response period by an additional two (2) months, within which a response must be given.
Changes to this Personal Data Protection Policy
The Company reviews this Policy regularly and reserves the right to revise it and make changes in order to reflect changes in its business activities, legal requirements and the way it processes personal data.
When it carries out the above, the Company informs the public via its website or upon the arrival of patients and associates at its premises.
In any case, the Company recommends that interested parties periodically review this Policy in order to be informed of any changes in a timely manner.