I. INFORMATION REGARDING THE DATA CONTROLLER
1. The controller of your data is “Gemma sveikatos centras” UAB (hereinafter – the Institution), company code 301240955, business address: Bistryčios g. 13, Vilnius.
2. In case you have any questions about data management at the Institution, please contact us by email email@example.com or firstname.lastname@example.org. If it is not possible to find a mutually acceptable solution, you have the right to contact the State Data Protection Inspectorate at L. Sapiegos g. 17, Vilnius or by email: email@example.com.
II. GENERAL PROVISIONS
3. We understand and respect the right to privacy and data protection regarding our residents and other natural persons whose personal data we process (hereinafter – the Data Subjects), therefore we are making every effort to ensure the highest level of personal data protection.
4. This Privacy Notice contains information regarding the processing of personal data in the Institution, including information about from where and what personal data we receive and to whom we transfer it, for what purposes and on what legal grounds we process it, what security measures were implemented, what rights the Data Subjects have and where they can apply for the implementation of such rights as well as other issues related to the processing of personal data.
5. The Privacy Notice is prepared in accordance with the following legislation:
5.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter – GDPR or the Regulation);
5.2. Law of the Republic of Lithuania No. XIII-1426 of 30 June 2018 “On Legal Protection of Personal Data” (hereinafter – LPPD);
5.3. Law of the Republic of Lithuania No. IX-2135 of 15 April 2004 “On Electronic Communications”;
5.4. Guidelines and recommendations of the State Data Protection Inspectorate and the European Data Protection Board;
5.5. other (related to data protection) legal acts regulating the activities of health care institutions.
III. DATA SOURCES
6. The Institution processes personal data received from the following sources:
6.1. received directly from the Data Subjects: when you receive a consultation and/or register for services by phone, when you fill in a request form online, when you use the services provided by the Institution as well as when you submit different requests or other information. It shall be noted that without processing your personal data (except in cases when the data is processed on the basis of your consent), the Institution cannot provide professional health care services, identify you, maintain contact and perform other necessary actions;
6.2. received from third parties – National Health Insurance Fund under the Ministry of Health, territorial health insurance funds, Ministry of Health of the Republic of Lithuania, other health care institutions, research laboratories, insurance companies and other companies or institutions;
6.3. generated by information systems, for example, when browsing our web page, entering the field of video surveillance, etc.
IV. TERMS, PURPOSES, CATEGORIES AND LEGAL BASIS OF DATA PROCESSING
7. Personal data is stored in accordance with the terms approved by the Order No. 515 of 29 November 1999 of the Minister of Health of the Republic of Lithuania and other legal acts of the Republic of Lithuania. In case there are no terms provided for in the legislation, the data shall be stored for as long as it is necessary to process the data in order to fulfil the legitimate aims of the Institution or the Data Subjects.
8. The Institution processes personal data of the Data Subjects for the following purposes:
8.1. registration for visits;
8.2. provision of health care services;
8.3. ensuring the quality of service provision, conducting the research on guest opinion and/or other related inquiries;
8.4. ensuring the safety of residents, employees and property;
8.5. debt administration;
8.6. sending personalized offers and notifications about the services provided by the Institution as well as other news;
8.7. administering web pages and social network accounts of the Institution;
8.8. during the selection process for hiring employees;
8.9. ensuring the smooth supply of necessary tools to the Institution, while cooperating with suppliers and partners.
9. Legal basis of data processing:
9.1. general personal data – Clauses a, b, c, d, f of Part 1 of Article 6 of GDPR;
9.2. sensitive personal data – Clauses a, b, c, e, f, h, i of Part 2 of Article 9 of GDPR.
10. In order to fulfil the above-mentioned purposes, the Institution processes the following personal data:
10.1. personal data necessary for the identification of our residents and the provision of personal health care services: medical case-history identification number, contact information (address, phone), address of a declared place of residence, name, surname, marital status, date of birth, sex, social security number, address of the actual place of residence, billing data, call records and metadata of calls, data regarding the registration in the health care institution (name of the institution, name, surname and speciality of the treating doctor, the time of the visit, the reason for the visit and complaints), family relationship (relationship of the Data Subject with the related person, name and surname of the related person, personal number, date of birth, sex) and other data;
10.2. sensitive personal data: examination data, photos, videos, list of diagnoses, history of visits at the Institution (date, name and surname of the treating doctor, office, status), descriptions and conclusions, data regarding the prescription for medicinal products and medical aids, referrals for obtaining health care services at other institutions, referrals for examinations, anamnesis, other entries in the medical case-history, certificates and other data;
10.3. data necessary for sending personalized marketing communications: email and/or phone number, and/or address of the place of residence, sex, age and other data;
10.4. data necessary for the selection process for hiring employees: name and surname, date of birth, place of residence, phone number, email, education, information about work experience, skills, driver’s licence, computer literacy, expectations regarding the workplace, position and salary, curriculum vitae (CV) and other similar data;
10.5. data for maintaining relations with the suppliers and partners: name, surname, contact data (email, phone, address), VAT identification number, business certificate number or the number of an individual activity certificate, its period of validity, personal number, activity, according to the business certificate or individual activity certificate, bank account number, authorizations and other data;
10.6. website visitor data, unique identifiers and other tracking tools which collect the information about subscribing, (not) receiving, opening the newsletters, clicking on links as well as unsubscribing, information about what application/program is being used to open the letter, IP address and the country assigned to it, the information provided by the visitors on social networks (recommendations, complaints, opinions, suggestions) and other data;
10.7. data for maintaining commercial relations: name, surname, position, information on indebtedness, contact details, bank account information;
10.8. call centre data: name, surname and contact details (email, phone, address) of the caller, opinion on the quality of the service, feedback, orders, call records and metadata of calls.
11. In order to be informed about what specific personal data the Institution processes, please apply for the implementation of the rights of the Data Subjects as described in this Privacy Notice.
V. DATA PROTECTION AND PROVISION
12. In order to ensure an appropriate level of security corresponding to the risks of data processing, the Institution has chosen and implemented relevant technical and organizational measures in accordance with:
12.1. ENISA guidelines: https://www.enisa.europa.eu/publications/guidelines-for-smes-on-the-security-of-personal-data-processing;
12.2. good information security practices;
12.3. guidelines of the State Data Protection Inspectorate: https://vdai.lrv.lt/uploads/vdai/documents/files/VDAI_saugumo_priemoniu_gaires-2020-06-18.pdf.
13. The Institution only chooses the Data Processors which are able to ensure compliance with the GDPR and the same level of personal data security as determined in the internal documents of the Institution.
14. List of categories of recipients of personal data:
14.1. to the following third parties in the cases and the procedure established by the legislation of the Republic of Lithuania: National Health Insurance Fund under the Ministry of Health, territorial health insurance funds, Ministry of Health of the Republic of Lithuania, State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania, Employment Service under the Ministry of Social Security and Labour, State Social Insurance Fund Board under the Ministry of Social Security and Labour, other health care institutions and/or laboratories, insurance companies and other persons to whom the Institution is obliged to provide such data under the legislation of the Republic of Lithuania;
14.2. to persons (natural persons and/or legal entities) in respect of whom you have given your consent regarding the provision of personal data;
14.3. to companies providing data centres, cloud, website administration and other related services, creating, providing, supporting and developing software, companies providing information technology infrastructure services as well as companies providing communication services;
14.4. to companies providing advertising and marketing services;
14.5. to companies providing accounting, archiving, physical and/or electronic security, asset management and/or other business services;
14.6. to bailiffs, legal entities providing legal and/or debt collection services;
14.7. to law enforcement authorities (on the basis of submitted requests or on the initiative of the Institution, in case of any suspicion that a criminal act has been committed).
VI. RIGHTS OF THE DATA SUBJECTS
15. In accordance with the provisions of the GDPR, the Data Subjects may exercise the following rights:
15.1. the right to access personal data, i.e. to submit a request for information whether your personal data is being processed, and in case your personal data is being processed, you have the right to access such data;
15.2. the right to rectification, i.e. to submit a request to have your personal data rectified in case you determined that the personal data we process is incorrect, incomplete or inaccurate;
15.3. the right to erasure (right to be forgotten), i.e. to submit a request to have your personal data erased, if this can be done under the legislation of the Republic of Lithuania, in case you believe that your personal data is being processed illegally or unfairly;
15.4. the right to restrict the processing of personal data, i.e. to submit a request to restrict (suppress) the processing of your personal data, except for storage, in the event when, for example, you request the rectification of your personal data (while the accuracy of the personal data is being checked and/or the data is being corrected), in case it is determined that the personal data is being processed illegally and you do not agree for your personal data to be erased, as well as in case you have expressed your objection to the processing of your personal data, etc.;
15.5. the right to data portability, i.e. to submit a request to transfer, if this can be done under the legislation of the Republic of Lithuania, your personal data, which is processed by automated means, to another Data Controller in a systematized or commonly used format;
15.6. the right to object to the processing of personal data, i.e. to express objection regarding the processing of your personal data when the data is being processed on the legal basis of the legitimate interest or public interest;
15.7. the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you;
15.8. the right to withdraw the consents submitted to us regarding the processing of personal data at any time.
16. You can exercise your rights and/or report personal data breaches:
16.1. by sending us your request by email firstname.lastname@example.org or email@example.com. The request shall be signed and a notarized copy of your identity document must be submitted together with the request (the notary confirmation is not required if the request and the attached documents are signed by electronic signature);
16.2. by sending the request by registered mail to Bistryčios g. 13, Vilnius. The request shall be signed and a notarized copy of your identity document must be submitted together with the request;
16.3. by arriving at the Institution and filling in the request form. You will also be asked to provide your identity document;
16.4. the request must be legible, it must contain the name, surname, place of residence and other data of the Data Subject necessary for maintaining the desired form of communication, it shall also include the information about which rights of the Data Subject and to what extent should be implemented;
16.5. we will provide an answer to your request no later than within 30 (thirty) calendar days from the date of its receipt. In exceptional cases which require additional time, we, after properly notifying you, will have the right to extend the period for submitting the requested data or examining other requirements specified in your request for an additional period of 60 (sixty) calendar days.
17. The Data Subjects shall ensure that the personal data they provide is correct and relevant, i.e. in case any personal data changes, the Data Subjects must update it by providing new and correct data. The Data Subjects are aware that otherwise the Institution may not be able to ensure the provision of professional health care services and shall have the right to refuse the provision of such services to the Data Subjects.
VII. SOCIAL NETWORKS
18. When you are visiting our social network accounts, your data may also be processed by social network administrators. We recommend that you familiarize yourself with the Privacy Policies of the following social networks:
19. A cookie is a small text file that a website saves on your computer or mobile device when you visit the website. It enables the website to remember your actions and preferences (for example, your registration name, language, font size and other display options) for a period of time, so that you don’t have to keep re-entering them whenever you visit the website or navigate from one page to another.
20. The information collected by cookies allows us to ensure a more comfortable browsing experience and learn more about the behaviour of page users as well as analyse the trends and improve the website.
IX. FINAL PROVISIONS
21. We have the right to partially or fully change the provisions of this Privacy Notice, provided that we notify you of such changes on our website and/or by your specified email.
22. The laws of the Republic of Lithuania shall apply to the provisions set out in this Privacy Notice. All disputes shall be resolved by mutual agreement. In case of failure to reach such agreement the disputes shall be resolved in the court of the Republic of Lithuania in accordance with the procedure established by the laws of the Republic of Lithuania.