1. Who We Are
We are the Kleidis G. Iosif Physiotherapy & Rehabilitation Center and we act as the Data Controller of your personal data.
The contact details of the Kleidis G. Iosif Physiotherapy & Rehabilitation Center, to which you may address any matter and which acts as the Data Controller of your data, are as follows:
Business Name: Kleidis G. Iosif Physiotherapy & Rehabilitation Center
Postal Address: 70 Amfitheas Avenue, Palaio Faliro, 17564
Telephone: +302109827300
Email Address: info@sifiskleidis.com
Website: https://sifiskleidis.com
2. How We Communicate with You
We may communicate with you through one or more of the following communication channels: via telephone, email, text message (SMS), instant messages, or other electronic means, depending on the contact details you have provided to us.
3. Types of Personal Data
The Kleidis G. Iosif Physiotherapy & Rehabilitation Center collects and processes your personal data only insofar as they are absolutely necessary, essential, and appropriate for achieving its intended purposes. In particular, the personal data we collect and process are summarized indicatively as follows:
Identification and demographic data of examinees/patients (i.e. full name, father’s name, mother’s name, date of birth/age, spouse’s name, gender, identity card number, passport number, AMKA, patient code, health booklet number/registry number, tax identification number, profession or employer, etc.),
Data of third parties, such as your relatives (i.e. name, surname, father’s name, identity card number, etc.), for example for the collection of your medical results or for granting authorization for the collection of your medical results in the event of your objective inability,
Contact details (i.e. postal address, landline and mobile phone number, email) for communication between us, for sending you the results of your examinations, or for sending you newsletters of the Center regarding provided services, news, and offers, insurance details [e.g. insured person code, insurance fund or company, insurance relationship, group or individual policy number, coverage code, policy start or renewal date, insurance coverage expiration date, policy anniversary date, registration submission date, policy status (active or inactive), covered members, etc.],
Health data and, in particular, data relating to the medical services provided by the Center, including diagnostic and clinical examinations, hospitalization, medical referrals, internal tracking records, clinical symptoms, medical staff, family and/or previous medical history, medication and treatment, medical opinions and reports, possible incapacities and disabilities, obstetric and gynecological medical services, details of surgical procedures such as recordings of endoscopic surgical acts, previous healthcare, incident codes, etc.
Furthermore, in the context of providing our medical services, we may collect and process health data following medical services not provided by our Center, but which were communicated/transmitted to us by you or a person accompanying you, insofar as such data are absolutely necessary for assessing your health condition and providing relevant services.
Data from clinical studies and related research programs for the conduct of clinical studies/research, which we initially process in a pseudonymized form,
Information relating to financial data and financial obligations, such as details of the financially responsible party, receipt data, etc.,
Website browsing data such as the Internet Protocol (IP) address of your device when browsing our websites https://sifiskleidis.com, the type of browser you use, etc. For more information regarding the use of cookies on our website, you may refer to the Center’s Cookie Policy (https://sifiskleidis.com),
Image and visual data from closed-circuit television (CCTV) and security cameras,
Audio data from recorded telephone calls during the scheduling of your medical visits, following prior notification regarding such recording (i.e. full name, telephone number, date of birth and/or age, postal address, type of examination, intended date of medical examination, insurance fund), data relating to requests you have submitted for the exercise of rights or complaints,
Data of prospective employees of our Center contained in submitted CVs or relevant forms (i.e. name, surname, contact details, education, work experience, etc.),
Data of employees of our Center such as: name, surname, father’s name, mother’s name, gender, date of birth, home address, telephone number (landline/mobile), email (corporate/personal), nationality, marital status, number of children, civil registry acts or family certificates, identity card details, tax identification number (AFM), tax office (DOY), IBAN, education degrees, professional certifications, military service certificates, seminars and training, previous employment, date of hiring, payroll data, benefits, evaluation reports, etc., as well as data of suppliers and partners of the Center, such as full name, father’s name, gender, date of birth, telephone number, home address, telephone number (landline/mobile), email (corporate/personal), identity card number, passport number, tax identification number (AFM), tax office (DOY), IBAN, professional certifications, academic degrees, and any additional data required by national legislation (e.g. tax legislation).
4. How We Collect Your Personal Data
The collection of personal data is carried out through both physical and electronic means, depending on the case, indicatively including:
At the reception and service area of our Center, during the completion of various forms or during our electronic communication, through the use of our call center or our individual websites for scheduling examinations or receiving other medical or non-medical services, during the provision of primary or secondary healthcare services to you based on information you provide or that arises during your examination or from the results of your medical examinations, when you inform us of your wish to use your insurance policy, when you submit an application to work at our Center, when you are hired as an employee of our Center, when you enter into a cooperation agreement as a partner/supplier with our Center, when you submit a request to receive a newsletter, and when you enter the premises of our Center, which are monitored by closed-circuit television (CCTV) and security cameras.
5. Purposes and Legal Bases for Processing Your Personal Data
The personal data collected by the Group are used for the following processing purposes, namely:
For the provision of healthcare services, i.e. the scheduling of medical appointments and/or—following prior identification of examinees—the provision of primary and secondary healthcare services and medical care in general, the sending/delivery to you of the results of your medical examinations, the maintenance and updating of your medical record, etc. With regard to the processing of special categories of data, namely sensitive data (health data, biometric and genetic data), processing is necessary for the purposes of preventive medicine, diagnosis, the provision of healthcare, or treatment.
The legal basis for processing such data is:
(α) primarily, the necessity of processing your data for the purposes of preventive or occupational medicine, medical diagnosis, the provision of healthcare or social care or treatment, or pursuant to a contract with a healthcare professional, as well as
(β) the necessity of processing for the performance of obligations and the exercise of specific rights of ours or yours in the field of labor law and social security and social protection law, or for the performance of a task carried out in the public interest,
(γ) the necessity of processing the data for the protection of vital interests of you or the person accompanying you,
(δ) the necessity of processing your data for the establishment, exercise, or defense of rights and legal claims in cases relating to medical liability and, in general, the provision of healthcare services,
(ε) the necessity of processing the data for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, as provided by law.
We will never process your medical data unless one of the above legal bases applies and we have first obtained your explicit consent, after informing you of the specific purpose of processing. In the event that you make use of a public insurance fund/body, certain personal data will be processed on the legal basis of the necessity of processing your personal data for the provision of healthcare or social care, as well as the necessity of processing for the performance of obligations and the exercise of specific rights of yours in the field of social security and social protection law or for the performance of a task carried out in the public interest.
For the Center’s compliance with its legal obligations, such as compliance with the Code of Medical Ethics (Law 3418/2005) or compliance with tax, insurance, and other applicable legislation.
The legal basis for processing in this case is the compliance of the Center’s entities with their legal obligations.
For the safeguarding and protection of legitimate interests of both natural persons (e.g. patients, visitors) of our Center. For example, we use closed-circuit television (CCTV) and security cameras in order to be able to protect the safety of individuals, property, and facilities, in accordance with the specific conditions provided for the installation of cameras in medical institutions.
The legal basis for processing in this case is the legitimate interest of the Center.
For the sending of newsletters regarding news of the Center, so that you may be informed about innovations, products, and offers of the Center.
The legal basis for processing in this case is your prior explicit consent.
For the publication of images & video (posts on social media) regarding new treatment methods and new services of the Center, as well as the analysis of the treatment methods used.
The legal basis for processing in this case is your prior explicit consent.
For communication between us—following prior identification—and for the management of your requests, whether they relate to personal data protection issues or to the quality of services provided to you.
The legal basis for processing in this case is the legitimate interest of our Center and/or the Center’s compliance with its legal obligations, in accordance with the applicable legislation.
For the extraction of statistical data, following anonymization of your data.
The legal basis for processing in this case is the necessity for the extraction of statistical data.
For the purposes of scientific research and the conduct of clinical studies/trials and/or other clinical research programs, following pseudonymization of your data.
The legal basis for processing in this case is the necessity of scientific research, provided that appropriate technical and organizational measures are taken, such as pseudonymization and encryption, as well as compliance with legal obligations. Your consent will be requested only for your participation in the relevant research programs.
For the lawful conclusion and execution of contracts entered into by the Center with third parties.
The legal basis for processing in this case is the necessity of processing your data for the performance of a contractual obligation or at the pre-contractual stage.
In order for the Center to be able to recruit staff and/or enter into agreements with external collaborators (e.g. physicians, nurses, etc.).
The legal basis for processing in this case is:
(α) the necessity of processing such data for the performance of a contractual obligation or at the pre-contractual stage, and
(β) the necessity of processing for the performance of obligations and the exercise of specific rights of ours or yours in the field of labor law and social security and social protection law, or for the performance of a task carried out in the public interest.
6. Transfer of Personal Data
The Kleidis G. Iosif Physiotherapy & Rehabilitation Center may transfer the above personal data to:
Third parties to whom it has entrusted the processing of personal data on its behalf. In particular, the Center may transfer your personal data to partners belonging to its medical network, who act on its behalf and are contractually bound to the Center’s entities for the provision of independent services (e.g. collaborating physicians for diagnostic purposes or clinical examinations, collaborating physiotherapists), cooperating diagnostic centers, cooperating clinics and hospitals, cooperating laboratories, and/or to third-party collaborating companies that process your personal data on behalf of the Center.
In all cases, the third parties to whom data of data subjects may be transferred are contractually bound to the Center in order to ensure the obligation of confidentiality as well as all obligations provided for by the applicable legislation. In all of the above cases, the Center defines the specific elements of the processing, enters into special agreements with the third parties to whom it assigns the execution of specific processing activities, ensuring that processing is carried out in accordance with the applicable legislation. Such third parties are contractually bound to the Group to process your personal data only for the specific and contractually defined purposes and not to transfer and/or disclose them to third parties, unless required by law.
To your public insurance fund/body, in the event that you make use of it.
To private insurance companies/employers. The Center may transfer sensitive personal data (health data) to contracting third-party companies for the assumption of the cost of the medical services provided to you, or to cooperating private insurance companies within the European Union and the European Economic Area (EEA) for your insurance coverage, only provided that your prior explicit consent has been given before such transfer. Your medical data will not be transferred to your insurance/employer company without your prior explicit consent.
To judicial and prosecutorial authorities, as well as other public authorities (e.g. tax authorities, etc.) in the exercise of their duties ex officio or following a request by a third party invoking a legitimate interest and in accordance with lawful procedures. In addition, for reasons of protection of the public interest in the field of public health, we may, in accordance with the relevant legislation, transfer your personal data to the competent authorities, such as the National Public Health Organization (E.O.D.Y.).
In the event that the transfer concerns a country outside the European Union (EU) or the European Economic Area (EEA), in the context of conducting examinations and analyzing biological material for rare diseases, or to third countries and/or organizations for the conduct of clinical studies/trials or for coverage of the total cost of the services provided to you (e.g. your insurance company), the Center verifies whether: the European Commission has issued an adequacy decision for the third country to which the transfer is to be made.
Appropriate safeguards in accordance with the applicable legislation are observed for the transfer of such data. Otherwise, transfer to a third country is prohibited and the Center will not transfer your personal data thereto, unless one of the specific derogations provided for by the applicable legislation applies (e.g. your explicit consent and prior information regarding the risks involved in the transfer, the transfer is necessary for the performance of a contract at your request, reasons of public interest exist, it is necessary for the establishment, exercise, or defense of legal claims, or for the protection of vital interests of the data subjects, etc.).
7. Data Retention Period
The personal data collected by the Center are retained for a predetermined and limited period of time, depending on the purpose of processing, after which the data are deleted and/or securely destroyed, unless a different retention period is provided for or permitted by the applicable legislation. The retention period of your data is determined indicatively based on certain specific criteria and depending on the case. Indicatively:
(α) Your personal data are mandatorily retained for the entire period required by the purpose of their processing and/or the applicable legal framework. Upon expiration of this period, the data are retained in accordance with the applicable institutional framework for the period provided following the termination of the transactional relationship or for as long as required for the defense of the Center’s rights before a Court or other competent Authority. We retain applications with attached CVs submitted to us for a period of two (2) years in order to evaluate them for the coverage of a specific position, and after the lapse of two years, we securely destroy or delete them.
(β) Where processing is imposed as an obligation by provisions of the applicable legal framework, your personal data will be stored at least for the period required by the relevant provisions. In particular, and in accordance with Article 14 of the Code of Medical Ethics (Law 3418/2005), the retention of medical records is provided for a period of ten (10) years from the patient’s last visit to the Center and for a period of twenty (20) years from the patient’s last visit in all other cases. Specifically, the brief medical history that you may provide prior to the performance of diagnostic examinations is retained only for as long as required for the diagnosis of the examination and is subsequently securely destroyed.
(γ) In any other case where processing is based on your consent, your personal data are retained until the withdrawal of your consent, without affecting the lawfulness of the processing carried out prior to the withdrawal based on consent. For the process of withdrawing consent, you must submit a request to the Center (see contact details below). Alternatively, for the purposes of promoting the Center’s products and services, you may also use the unsubscribe options by following (clicking on) the relevant link provided in our electronic communications. For as long as your email address remains in our database, you will periodically receive informational email messages from us.
(δ) The data we collect when you submit a request, as well as the corresponding file in which such data are recorded, are retained for twenty (20) years from the date of their collection.
8. Personal Data Security
Taking into account the latest developments, the cost of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of users arising from the processing, the Center adopts the necessary technical and organizational measures to protect your personal data. Although no method of transmission over the Internet or method of electronic storage is completely secure, the Center takes all necessary digital data security measures (antivirus software, firewalls, etc.). At the same time, the Center adopts the required physical security measures, such as the installation of a video surveillance system (CCTV), alarm systems, etc.
Data Protection Impact Assessment (DPIA)
Where processing is likely to result in a high risk to the rights and freedoms of natural persons, the Center carries out, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data (“impact assessment”). The impact assessment is a process designed to describe the processing, assess its necessity and proportionality, and assist in risk management by evaluating and determining measures to address such risks. It is not required for every type of processing, but only in cases where a form of processing is considered high risk. Within the framework of the impact assessment, the nature, extent, broader context, and purposes of the processing are taken into account in order to assess the likelihood of a risk occurring, as well as the severity of such risk for the rights and freedoms of the data subjects.
The Center may decide to conduct a data protection impact assessment for processing activities even if such assessment is not considered mandatory under the applicable legislation. Furthermore, it is not mandatory to prepare a separate impact assessment for each processing activity; instead, a set of similar processing operations involving similar high risks may be included in a single impact assessment. In particular, the performance of a data protection impact assessment is required in all cases where processing “is likely to result in a high risk to the rights and freedoms of natural persons.” Indicatively, such cases include: cases of systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing (including profiling), and on which decisions are based that produce legal effects concerning or significantly affect the natural person—the data subject; cases of large-scale processing of special categories of data (sensitive data); and cases of systematic processing of personal data (images from video surveillance systems).
9. Personal Data Breach
In the event that a data breach incident occurs, the Center follows a specific procedure for handling incidents involving breaches of the security of your personal data. If you become aware of or suspect that a breach of your personal data may have occurred, please inform us without delay at the email address info@sifiskleidis.com.
10. Your Rights
The Center ensures that it is able to respond promptly to requests for the exercise of your rights in accordance with the applicable legislation. These rights are the following:
(α) Right to withdraw consent:
In cases where processing is based exclusively on your prior consent, e.g. for promotional purposes (marketing activities), you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.
(β) Right of access and information:
You have the right to be informed about the data we process concerning you and to verify the lawfulness of such processing. Accordingly, upon request, you have access to your data and may receive additional information regarding their processing, to whom they are disclosed, and/or for what purpose they are processed. With regard to your medical file, you are entitled at any time to access your medical records, as well as to receive copies thereof free of charge.
(γ) Right to rectification:
You have the right to complete, correct, update, or modify your personal data.
(δ) Right to erasure:
You have the right to submit a request for the erasure of your personal data, unless there is a lawful reason requiring their further retention by the Center. In particular, due to our legal obligations, your medical data and all information related thereto (i.e. full name, father’s name, gender, age/date of birth, profession, address, dates of your visits, as well as any other essential element connected with the provision of care to you, such as, indicatively and depending on the specialty, your health complaints, medical history, reason for the visit, primary and secondary diagnosis, or treatment followed) are not subject to erasure in the event that you exercise this right.
(ε) Right to restriction of processing:
You have the right to request restriction of the processing of your personal data in the following cases:
(1) when you contest the accuracy of the personal data, until such accuracy is verified,
(2) when you object to the erasure of personal data and request instead the restriction of their use,
(3) when the personal data are no longer necessary for us, but are required by you for the establishment, exercise, or defense of legal claims, and
(4) when you object to the processing, pending verification of whether there are legitimate grounds relating to us that override the grounds for which you object to the processing.
(στ) Right to object to processing and to automated individual decision-making, including profiling:
You have the right to object at any time to the collection and processing of your personal data in cases where, as described above, such processing is necessary for purposes of legitimate interests pursued by the Center. It is noted, however, that the Center does not carry out automated decision-making processes.
(ζ) Right to data portability:
You have the right to receive, free of charge and following your identification, your personal data in a structured, commonly used, and machine-readable format (PDF, Word, etc.). You also have the right to request, where technically feasible, that we transmit such data directly to another data controller (e.g. your personal physician). This right applies to data that you have provided to us and which are processed by automated means based on your consent or for the performance of a relevant contract.
In the event of exercising any of the above-mentioned rights, the Center will respond within one (1) month from receipt and identification of the relevant request. This period may be extended by a further two (2) months, where necessary, taking into account the complexity of the request and the number of requests. In such case, the Center will inform you of the extension within one (1) month from receipt of the request, together with the reasons for the delay. Where the request is submitted by electronic means, the information will be provided by the same means, unless you request otherwise. If your request is manifestly unfounded or excessive, in particular due to its repetitive nature, the Center may either charge a reasonable fee or refuse to act on the request.
Right to lodge a complaint with the Hellenic Data Protection Authority / the Office of the Personal Data Protection Commissioner
For any complaint regarding this policy or issues relating to the protection of personal data, if we do not satisfy your request, you may contact the Hellenic Data Protection Authority via the following link: www.dpa.gr, at the following contact details:
1–3 Kifisias Avenue, 115 23 Athens, Greece
+30 210 6475600, +30 210 6475628
contact@dpa.gr
11. Disclaimer for Third-Party Websites
In the event that our website contains links that redirect you to third-party websites, we inform you that the Center neither controls nor is responsible for the content of such websites, nor for the manner in which they process your personal data.
12. Updates to the Personal Data Protection Policy
13. More Information
If you require assistance or further information regarding this Policy, or if you have any questions, you may contact us using the following contact details:
Telephone: +302109827300
Email: info@sifiskleidis.com
If you are dissatisfied in any way with how we collect, share, or process your personal data, we would appreciate being informed.