Privacy Policy MEDSTEM

1. Introduction

2. Definition of the term “personal data”

3. Definition of the term “health data”

4. Definition of the term “processing”

5. Definition of the term “Data Controller”

6. Categories of personal data collected by MEDSTEM SERVICES S.A.

7. Purposes of the collection and processing of personal data by MEDSTEM SERVICES S.A.

8. Legal basis for the processing of personal data by MEDSTEM SERVICES S.A.

9. Access of third parties to personal data

10. Retention period

11. Rights in relation to personal data

12. Data and Information security safeguards

13. Information about the processing of personal data through video surveillance system (CCTV)

1. Introduction

The purpose of the present Privacy Policy (hereinafter the “Privacy Policy” or the “Policy”) is to determine the terms and conditions under which the “Data Controller” ( MEDSTEM SERVICES - SUPPLEMENTARY HEALTHCARE SERVICES S.A.”, hereinafter “MEDSTEM SERVICES S.A.” or the “Company”) processes and safeguards personal data concerning patients and their close relatives, for the purpose of the provision of healthcare services, the transfer and stay of patients on the premises of MEDSTEM SERVICES S.A. and the use of services provided by the Company and through its Website, as detailed below.

The present Privacy Policy aims to inform you about the categories of personal data MEDSTEM SERVICES S.A. collects and processes, as well as about the means and the purposes for the collection, retention, processing, use and transfer of your personal data according to the applicable legislation. The present Privacy Policy also aims to inform you about your rights regarding your personal data.

The Privacy Policy can be revised from time to time, if there is a need to do so, without any prior notice. For this reason, we invite you to review this Privacy Policy frequently, in order to remain informed of any amendments thereof.

2. Definition of the term “personal data”

The term “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3. Definition of the term “health data”

The term “health data” shall mean personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

4. Definition of the term “data processing”

The term “data processing” shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

5. Definition of the term “Data Controller”

The term “Data Controller” designates the natural or legal person, public authority, service or any other entity which, alone or jointly with others, determine the scope and purpose of personal data processing; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

All medical and other healthcare services, as well as the services provided through the Website http://www.cryobanks.gr (hereinafter, “Website) are provided by the Company under the corporate “ MEDSTEM SERVICES - SUPPLEMENTARY HEALTHCARE SERVICES S.A.” and the distinctive title “MEDSTEM SERVICES S.A.” (former “IASO SERVICES SA”), having its registered seat at 37-39 Kifissias Avenue, Maroussi of Attica, Tax Identification Number 999634537.

The Company is the Data Controller of the personal data collected by the means and through the procedures described in detail in the present Privacy Policy and processed for the performance of your relationship with the Company.

6. Categories of Personal Data Collected and Processed by MEDSTEM SERVICES S.A.

Each time you request the provision of medical or healthcare services, visit the facilities and/or the Website, and/or contact the Company directly by any means, each time you insert your data in any electronic or hardcopy requests or communication forms, conclude any kind of contract with the Company, provide your services or make use of the services provided by the Company, we collect and process personal data that concern you, including special categories of personal data, such as health data and other information.

More specifically, the personal data collected and further processed include the following:

Identification data and contact information referring to you and/or your relatives, including name, surname, date of birth, postal address, e-mail address, telephone number, ID card number, Social Security Number (AMKA), Tax Identification Number, etc.
Data of special categories relating to your physical health either past, current or future including information such as medical history, medical examinations, medical actions and information derived during the course of provision of medical services including numbers, symbols or identification details assigned to a natural person to identify that person for the purpose of providing healthcare services, information deriving from examination or analysis of parts or substances of the human body, such as genetic data and biological samples, as well as any information on any disease, disability, risk of disease, medical history, clinical treatment or your physiological or biomedical situation, irrespective of which is the source of such information, i.e. whether such information has been collected from a doctor or other healthcare professional, a hospital, a medical device or an in vitro diagnostic test, as well as genetic and biometric data, etc.
Technical and other information concerning your activity on the Company Website and/or information deriving from the use of the Internet and/or automatically through your browser on your desktop, laptop, tablet, or mobile device such as the IP address, the ISP domain, the type and version of your browser, your operating system, or other information on internet Websites you visited and information you have searched for. For further information regarding the Company’s Cookies Policy, you may visit this page.

7. Purposes of the collection and processing of personal data by MEDSTEM SERVICES S.A.

The Company processes personal data only when it has a legitimate reason to do so, and always in order to achieve one of the following purposes of processing. In particular, the Company collects and processes personal data of donors (mothers), accompanying persons and relatives of the above mentioned individuals, under-aged patients (e.g newborns), employees and prospective employees, doctors, midwives and other nursing staff, suppliers, associates, visitors and third parties in general, in order to manage the biological material, the payments required for the storage of biological material, to recruit, manage and train its personnel, to manage its suppliers and partners, to conduct marketing promotional activities, to supervise the video surveillance system, etc.

8. Legal bases for the processing of personal data by MEDSTEM SERVICES S.A.

The Company processes personal data only when it has a legitimate reason to do so and in particular when:

(a) processing is necessary for the performance of contract and the provision of the services you require and wish to receive from the Company, the performance and compliance with our legal obligations and the exercise of the legitimate rights of the Company acting as data controller (Article 6 par. 1 (b), (c) and (f) GDPR);

(b) processing is necessary for the purposes of preventive or professional medicine, medical diagnosis, the provision of healthcare services or treatment or management of health systems and services (Article 9 par. 2 (h) GDPR);

(c) processing is necessary to safeguard the legitimate interests of data subjects, as well as those of the Company, including for example the management of medical, healthcare and/or other ancillary services, the collection and/or coverage of medical fees from the insurance company and/or the insurance institution, the creation of electronic files including health data, the use of special software and applications relating to healthcare services for communicating the results of any diagnostic tests by electronic and other appropriate means, the evaluation of the services provided by completing and submitting the relevant satisfaction questionnaires etc. In this context, we also use closed circuit television system (CCTV) and security cameras in order to be able to protect the safety of all natural persons, materials, equipment, as well as of our facilities (Article 6 par. 1 (f) GDPR);

(d) processing is necessary for the establishment, exercise and/or support of legal claims of the Company and/or the defense of its rights before Courts, Administrative or Judicial Authorities or in the context of an extrajudicial procedure, as well as for the purpose of exercising and/or defending the rights of the Company or of other third parties before Courts, Judicial or other Authorities, etc. (Article 9 par. 2 ( f) GDPR);

(e) processing is necessary for the compliance of the Company with its legal obligations as imposed under the provisions of the tax, social security etc. legislation (Article 6 par.1 (c) and article 9 par. 2 (b) GDPR);

(f) processing is necessary for the protection of the vital interests of the data subjects when the data subject is physically or legally incapable of giving consent (Article 9 par. 2 (c) GDPR);

(g) processing is necessary for reasons of public interest in the area of public health, such as for scientific research conducted in the public interest in the health sector, protection against serious cross-border threats to health or the safeguarding of high quality and safety standards of healthcare services, medicines and/or medical devices under national and/or European Union law (Article 9 par. 2 (i) GDPR);

(h) processing is based on your explicit consent provided that your personal data is further processed for the above purposes, as well as for purposes necessarily related to them (Article 6 par. 1 (a) and article 9 par. 2 (a) GDPR);

(i) processing is based on your explicit consent, provided that such processing is made for medical information purposes (Article 6 par. 1 (a) and article 9 par. 2 (a) GDPR) and more specifically in order for the Company to send you updates for products, services, applications and offers provided by the Company, to participate in researches for the evaluation and improvement of the Company services, in order for the Company to collect through the GoogleAnalytics Service technical and other information relating to your Website activity, which will be used for the orderly functioning and performance of the Website and the services we provide, as well as in order for you to make use of the Websites and online platforms of the Company and to sign up for one or more of them. By way of example, the following services are mentioned:

Receive emails and/or mail/news/offers.
Online forms available through the Company Website and allow you to contact us about any request and/or submit questions.
Completion and filing of satisfaction forms in electronic and physical form.

The Company processes your personal data in a lawful and legitimate manner. Under no circumstances does it collect or process a greater number of information or data than that which is required to fulfill the processing purposes. Your data is kept safely. The collection and processing of your data is exclusively being carried out for the purposes of their processing and use.

9. Third-party access to personal data

The Company does not provide to any third parties access to personal data that the Company collects and processes as Data Controller. By way of exception, they may provide access only if it is absolutely necessary for the herein described legitimate purposes, to doctors, medical, nursing and administrative staff, collaborating doctors, doctors providing independent services to the Company, professionals and companies that provide services in the fields of healthcare, medical laboratories, diagnostic centers, companies of medical equipment, and/or software and applications concerning healthcare (including for example companies which provide services for the evaluation and improvement of the Company Website, as well as technical support and IT companies), TEIRESIAS company, debtor informing companies, other companies of IASO Group, private insurance companies and companies auditing insurance benefits, public insurance entities and institutions, Courts, Administrative or Judicial Authorities, as well as other State entities, lawyers, experts, technical advisors, witnesses, etc..

Such data shall be accessed exclusively for the purposes and to the extent of providing each service and always on the condition that the above mentioned persons accept and comply with the terms of the present Policy and with the applicable legislation. In such cases, the Company remains responsible for the processing of your personal data and determines the individual elements to be processed; it also concludes a special agreement with the third parties to whom it could assign the execution of processing activities, in order to ensure that processing is carried out in accordance with the applicable legal framework and that all natural persons are able to freely and without any hindrance exercise the rights granted to them under the applicable legislation.

10. Retention period

Τhe time-period for which the personal data will be stored is determined based on the particular criteria set out below on a case-by-case basis:

(a) When processing is performed for the purposes of execution of contract, personal data shall be stored for as long as it is necessary for the performance of the contract and the establishment, exercise and/or support of legal claims possibly arising from such contract.

(b) When processing is imposed as an obligation by provisions of the applicable legal framework, personal data shall be stored for as long as it is required by the relevant provisions. In particular, it is noted that, under article 14 par. 4 of the Code of Professional Conduct for Doctors (Law No. 3418/2005, Government Gazette Α 287/28.11.2005), it is stipulated that “the obligation to retain medical records applies to: a) private practices and other primary healthcare units of public sector, for a period of ten years following the last visit of the patient; and b) in any other case, for a period of twenty years following the last visit of the patient”.

(c) When processing is required for purposes relating to the legitimate interests of the Data Controller or any other third party, personal data shall be stored for as long as it is required for the satisfaction of such legitimate interests.

(d) Should you wish that your data be deleted from the Company databases, you can submit a relevant request, as described below under (11). In such case, the Company undertakes to meet your request, unless European Union law or national laws provide for a specific period of retention of personal data that cannot be waived or changed by the data subject. Withdrawal of consent does not affect the legality of consent-based processing during the period prior to its revocation.

11. Your rights in relation to your personal data

All natural persons whose data are being processed by the Company have the following rights:

Right to information and access: You have the right to be informed and to have access to your personal data and your medical records and to receive additional information concerning their processing.

Right to rectification: You have the right to obtain the correction, amendment, addition and update of your personal data.

Right to erasure (right to be forgotten): You have the right to obtain the erasure of your personal data in the cases that such right is not restricted by the obligation of the healthcare services provider to retain your medical record under applicable law or otherwise.

Right to restriction of processing: You have the right to obtain restriction of processing of your personal data when: a) the accuracy of your personal data is contested and until the accuracy of the data is verified; b) the processing is unlawful and you oppose to the erasure of your personal data and request the restriction of their use instead; c) your personal data is no longer needed for the purposes of the processing, but they are required for the establishment, exercise or defense of legal claims; and d) you have objected to the processing pending the verification whether there are legitimate grounds concerning the Company and overriding those for which you oppose to the processing.

Right to object the processing: You have the right to object any time to processing of your personal data when the processing is necessary for purposes of legitimate interests pursued by the Company as Data Controller.

Right to data portability: You have the right to receive without any cost accrued your personal data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller, provided that it is technically feasible. This right concerns the data that you have provided to the Company and their processing is carried out by automated means based on your consent or in performance/execution of a relative contract.

Right to withdraw consent: You have the right to withdraw your consent, to the extent it was given for the intended processing, at any time.

Right of complaint to Hellenic DPA: You have the right to lodge a complaint to the Greek Data Protection Authority (www.dpa.gr): Telephone Centre: +30 210 6475600, Fax: +30 210 6475628, Email address: [email protected].

To access your medical records, you can contact the Department of Medical Records of the Company. To exercise any of your other rights, you can send a message to the following e-mail address: [email protected].

12. Data and information security safeguards

The Company has adopted and applies all appropriate technical and organizational measures in order to secure processing of personal data and to prevent accidental loss or destruction and non- authorized and/ or illegal access, use, modification or disclosure, and ensures the lawfulness of collection, processing and secure maintenance of personal data, under the provisions of national, European and international law in connection with the individual’s protection against the processing of its personal data and particularly taking into account the provisions of the General Regulation on Data Protection.

For further information, please contact the IASO Group Data Protection Officer (DPO) Ms. Chara Daouti and/or the IASO Group Deputy Data Protection Officer (Deputy DPO) Ms. Natalia Kalatzi, at: [email protected].

13. Information about the processing of personal data through video surveillance system (CCTV)

I. Controller:

The company under the corporate name MEDSTEM SERVICES - SUPPLEMENTARY HEALTHCARE SERVICES S.A.” and the distinctive title “MEDSTEM SERVICES S.A.” (former “IASO SERVICES SA”), having its registered seat at 37-39 Kifissias Avenue, Maroussi of Attica, Tax Identification Number 999634537.

II. Purpose and legal basis of processing:

We use a surveillance system for purposes of protection of property and of individuals. Processing is necessary for the purposes of the legitimate interests we pursue as controller (article 6 par. 1. f GDPR).

III. Analysis of legitimate interests

Our legitimate interest consists in the need to protect our property from illegal acts, such as theft, as well as in the need to protect the life, physical integrity, health as well as the property of our staff and of third parties who are lawfully present in the supervised area. We only collect image data and limit the video capture to areas in which we have assessed that there is an increased likelihood of committing illegal acts, e.g. theft, such as in our cash desks, storage places of pharmaceutical equipment and supplies, electromechanical equipment and at the entrance, without focusing on areas where the privacy of the individuals whose image is being taken may be restricted.

IV. Data Recipients

The material kept is accessible only by our competent / authorized staff in charge of the safety of the place. This material is not transferred to third parties, except in the following cases: a) to the competent judicial, prosecutorial and police authorities when it includes information necessary to investigate a criminal act concerning individuals or property of the controller, b) to the competent judicial, prosecutorial and police authorities when requesting data, legally, in the performance of their duties, and c) to the victim or perpetrator of a criminal act, in the case of data which may constitute evidence of the act.

V. Retention Period

We keep the data for a time period of 15 business days, after which they are automatically deleted. In case that during this period an incident is detected, we shall isolate part of the video and keep it for up to one (1) more month, in order to investigate the incident and initiate legal proceedings to defend our legitimate interests, while if the incident concerns a third party, we will keep the video for up to three (3) more months.

VI. Rights of the data subjects

Data subjects have the following rights:

Right of access: you have the right to be informed about the processing of your image and, in case of processing, to obtain a copy.
Right to restriction: you have the right to request us to limit processing, such as not to delete data that you consider necessary for legal claims.
Right to object: you have the right to object to the processing.
Right to erasure: you have the right to request the erasure of your data.

You can exercise your rights by sending an e-mail to [email protected] or by letter to our postal address. In order to examine a request related to your image, you need to determine when you were in the camera range and give us an image of yours, so as to enable us to locate your own data and hide the data of third parties. Alternatively, you have the possibility to visit our facilities, so that we show you the images in which you appear. We also point out that the exercise of the right to object or to erasure does not imply the immediate erasure of data or the modification of the processing. In any case, we will answer to you in detail as soon as possible, within the deadlines set by the GDPR.

VII. Right to file a complaint

If you consider that the processing of your data is not complying with Regulation (ΕU) 2016/679, you have the right to file a complaint before the DPA.

The competent supervision authority for Greece is Data Protection Authority, 1-3 Kifissias Str., 115 23, Athens, https://www.dpa.gr/, T. 2106475600, email: [email protected].

For further information regarding the Company’s Cookies Policy, you may visit this page.