Personal Data and Consent Form

Introduction

The private limited company with name “GARAVELAS MEDICAL GROUP PRIVATE MEDICAL OFFICE PRIVATE LIMITED COMPANY”, with headquarters in Neo Psychiko- Attica, 5 Agia Sofia Square and 27 Sikelianou, with VAT number 801066744 Tax Registration Office of Psychiko, with General Commercial Registry (G.E.M.I.) No. 148307701000, as legally represented by Mr. Athanasios Garavelas, (hereinafter “GMG” or “we” or “us” or “our”), provides you with this information regarding processing of your Personal Data by us (hereinafter “Information”).

Information concerns you if you are a patient receiving medical services from us (hereinafter “patient” or “you” or “your” or “yours”).

1. Which of your Personal Data do we collect?

We process the following personal data of yours:

• · name, sex, age, home address, private email address, work address, identity card details, passport details, date of birth, place of birth, photo, telephone number(s), email addresses, social security number (SSN), tax identification number (TIN), insurance registration number (IRA), emergency contact information, private insurance information, as well as similar data about you (hereinafter collectively “Identification and Contact Data”);

In addition, we process the following special categories of personal data (where applicable):

• health data and medical data, such as medical history, medical examinations, medical data resulting from the provision of medical and health services (hereinafter collectively “Health Data“).

2. How do we use your Personal Data?

Purpose of Processing	Legal Base of Processing	Date retention period
We process your personal data to draw conclusions about your health	Processing is necessary for executing the contract between us or taking measures before conclusion of the contract, as well as for purposes of preventive or professional medicine and medical diagnosis (Article 6 par. 1 β’, article 9, par. 2 η’ of the General Data Protection Regulation – “GDPR”)	Ten (10) years after your last visit
We process your personal data to provide you with medical services that include the following categories: obstetric services, gynecological check-up, assisted reproduction services and counseling.	Processing is necessary for executing the contract between us or taking measures before conclusion of the contract, as well as for purposes of preventive or professional medicine and medical diagnosis (Article 6 par. 1 β’, article 9, par. 2 η’ of GDPR)	Ten (10) years after your last visit
We process your personal data to conduct clinical trials/studies.	To the extent that processing activities are related to reliability and security and result directly from our legal obligations, processing is necessary for our compliance with our legal obligations in question (Article 6 par. 1 γ’, article 9, par. 2 θ’ of GDPR). To the extent that processing acts are exclusively related to research activities, your data are used pseudonymously and processing is necessary i) for the performance of a task in the public interest (Article 6 par. 1 ε’, article 9 2 θ’-ι’ of the GDPR), ii) for pursuit of our best legal interests (article 6 par. 1 στ’, article 9 2 ι’ of the GDPR) or iii) under special circumstances, when all conditions are met, your explicit consent (article 6 par. 1 α’, article 9 2 α’ of the GDPR).	Participants’ medical records are archived for a minimum period of 25 years from the last visit of the last clinical trial participant.
We process your personal data to maintain Medical Records, according to terms of Code of Medical Ethics	Compliance with the controller’s legal obligation (Article 6 par. 1 γ’, article 9, par. 2 θ’ of the GDPR in conjunction to article 14 of Law. 3418/2005)	Ten (10) years after your last visit
We process your personal data in order to make use of the access provided by the electronic prescribing system of E-governance in Social Insurance (ΙDIKA) in order to obtain information about history of all types of prescribed drugs and tests	Processing is necessary for executing the contract between us or taking measures before conclusion of the contract, as well as for purposes of preventive or professional medicine and medical diagnosis (Article 6 par. 1 β’, article 9, par. 2 η’ of GDPR)	Ten (10) years after your last visit
We process Identification and Contact Data in order to communicate with you by phone or electronic messages (SMS, email, Whatsapp, or Viber) to inform you about issues related to your health and/or organize a follow-up visit.	Processing is necessary for executing the contract between us or taking measures before conclusion of the contract, as well as for purposes of preventive or professional medicine and medical diagnosis (Article 6 par. 1 β’, article 9, par. 2 η’ of GDPR)	Ten (10) years after your last visit
We process your Identification and Contact Data in order to inform you via email or SMS about new health services and products, offers and activities of GMG.	Processing is necessary for the pursuit of best legal interest of GMG in order to promote its services or based on the patient’s consent (Article 6 par. 1 α’ and στ’  of GDPR). You may unsubscribe from this type of contact at any time by clicking on the “Unsubscribe” link provided at the bottom of each promotional email we send you;	Five (5) years after your last visit
We process your personal data in order to pass it on to third parties, such as partners or collaborating laboratories, for processing to draw medical conclusions	Processing is necessary for executing the contract between us or taking measures before conclusion of the contract, as well as for purposes of preventive or professional medicine, assessment of the employee’s ability to work, and medical diagnosis (Article 6 par. 1 β’, article 9, par. 2 η’ of GDPR)	Ten (10) years after your last visit

3. Who do we share your Personal Data with?

Α. Receivers

Συνεργάτες της GMG: We transfer your personal data to our Partners, in order to execute the contract between us, to provide you with the medical services you have requested.

Πάροχοι υπηρεσιών: GMG contracts with third-party service providers in the context of its usual activities, in order to perform certain tasks related to human resources (provider of tax and accounting services, legal advisors, etc.) and information technology (provider of IT services, who provides us with electronic mail (email) and data hosting services, provider of support services and maintenance of IT systems).

Άλλα τρίτα μέρη: In some cases, we are legally obliged to pass on your personal data (strictly to the extent necessary) to public, judicial, prosecutorial, investigative and regulatory authorities, for example for execution of a court order. In order to exercise and support our legal claims or defend ourselves legally we will pass on your personal data to our legal advisors and judicial/investigative authorities. Accordingly, GMG may also transfer your data to government agencies and regulatory authorities (e.g. tax authorities), social security institutions, courts, law enforcement authorities and state authorities, always in accordance to applicable law, for the purpose of compliance with tax legal obligations, as well as to external consultants (e.g. lawyers, accountants, auditors,).

Β. Cross-border data transfers

In the context of cooperation with the above service providers, any transfer of your personal data outside EU/EEA to achieve the above processing purposes, due to their notification to said recipients (providers), will be subject to appropriate and tailored guarantees and conditions for ensuring an adequate level of data protection, e.g. adequacy decisions or transfer agreements based on the standard contractual clauses issued by the European Commission.

For more information on how GMG protects your Personal Data when transferred outside EU/EEA, or to obtain a copy of guarantees we have in place to protect your Personal Data when transferred, please visit: info@garavelas.com.

4. How long do we keep your Personal Data?

We retain the information necessary to carry out the purposes described above, taking into account the need to provide services, marketing requirements, security requirements, legal requirements and statute of limitations.

In the event of dispute or disciplinary action, your personal data may be stored until completion of said procedure, as well as during adjudication of any appeal or revocation, and will then be deleted or archived, as provided by the applicable legislation.

In principle, we will retain your personal data for as long as required or permitted by applicable legislation, including for as long as the data may be necessary to satisfy or contest claims that are not time-barred.

5. How do we protect your Personal Data?

• We ensure medical confidentiality and protect information of our patients, as doctors bound by the Code of Medical Ethics (Law 3418/2005).
• We generally follow accepted field standards for the protection of information submitted to us, both during transfer and upon receipt. We maintain appropriate administrative, technical and physical safeguards to protect information from accidental or unlawful destruction, accidental loss and unauthorized modification.
• Please note that no method of transfer over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee complete security.

6. What are your rights in relation to your Personal Data?

Under conditions provided in the relevant legislation, you have the following rights regarding protection of your personal data:

• Access right: You can contact GMG to let us inform and explain whether and what data we hold about you and how we process them. You can also request a copy of your personal data that GMG holds about you.

• Right of rectification: If you believe that your data is inaccurate or needs to be updated, you have the right to request correction of inaccurate personal data and completion of incomplete information.
• Right to erasure: Under certain conditions, such as, e.g. when data are no longer necessary, you have withdrawn your consent or data have been unlawfully processed, you can ask GMG to delete them.
• Right to restrict processing: If you consider your data to be inaccurate, or their processing unlawful, if you consider that the data are no longer needed by GMG, or you object to automated processing, you have the right to demand restriction of processing.
• Right to object: You can object to processing of your personal data by GMG for reasons that concern you and relate to your particular situation, unless, among others, there are compelling and legitimate reasons for processing, which override interests, rights and freedoms of yours. You also have the right to object when a decision concerning you is based solely on automated processing, including profiling, and that decision produces legal effects or significantly affects you (statutory exceptions apply).
• Right of portability: You can request to receive your data in a structured, commonly used and machine-readable format, and to have your data transferred to another organization (processor), which you will indicate to GMG.

Right to withdraw consent: Where processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect legality of processing that was based on the consent before its withdrawal. You can be informed further and in more detail about your rights by visiting the website of the Personal Data Protection Authority (www.dpa.gr). If you wish to exercise any of your rights or have questions or concerns, please contact us via email at info@garavelas.com and we will get back to you.

When you submit a request exercising any of the above rights, GMG must respond to you within 1 month either by satisfying the right (e.g. giving you a copy of your medical file) or rejecting your request with reasons (e.g. denying a deletion request, because the law obliges us to keep it for 10 years) or by explaining the reasons of delay.

You also have the right to appeal to the Personal Data Protection Authority (P.D.P.A.) for issues concerning the processing of your Personal Data. P.D.P.A. is based in Athens (Kifisias 1-3, P.O. BOX 115 23). Regarding competence of P.D.P.A. and how to submit a complaint, you can visit the website of P.D.P.A. (www.dpa.gr).

7. How can you contact us?

You can direct questions or comments about this Update or the way your Personal Data is processed to the following communication channels:

Address: 5 Agia Sophia Square, Neo Psychiko 154 51

Contact Phone: +30 210 67 100 20

Email adress: info@garavelas.com