DIGITAL HEALTH SOLUTIONS S.A.

PRIVACY POLICY

     

DATA PROTECTION PRIVACY POLICY BIOIATRIKI HEALTHCARE GROUP AND THE ASSOCIATED COMPANIES (BIOIATRIKI Group)

Subject of the Personal Data Protection Policy

The “BIOIATRIKI” Group (hereinafter  referred to as the “Group”) ensures the security of your personal data  and takes the appropriate technical and organizational measures to  protect them in accordance with the current national and EU legislation,  in particular the General Data Protection Regulation (EU) 2016/679, the  respective national legislation, as well as the Decisions, Instructions  and Opinions of the competent supervisory Authority.

The “BIOIATRIKI” Group consists in particular of the BIOIATRIKI Health Care Group of Companies (BIOIATRIKI PRIVATE MEDICAL POLYCLINIC SA, BIOCLINIC OF ATHENS ANONYMOUS COMPANY – PRIVATE CLINIC PROVIDING HEALTH SERVICES, BIOCLINIC OF PIRAEUS ANONYMOUS COMPANY – PRIVATE CLINIC PROVIDING HEALTH SERVICES, BIOCLINIC OF THESSALONIKI ANONYMOUS COMPANY – PRIVATE CLINIC PROVIDING HEALTH SERVICES, GIANNOUKA CHEMISTRY LTD, ALPHA EVRESIS DIAGNOSTIC CENTER LTD, BIOIATRIKI DERMATOLOGY PRIVATE MEDICAL MEDICINE SOLUTION SA, BIOIATRIKI ERGOMETRIC CENTER SA, DIGITAL HEALTH SOLUTIONS SA) and the Associated Companies (FONEMED HELLAS SA TELEPHONE SERVICES, BIO – DENTAL DENTAL SA, CROSSBORDERMEDCARE HELLAS MEDICAL SA, CROSSBORDERMEDCARE FACILITATIONSA SA).

This Policy is valid and applied to  all facilities and/or digital environments and applications, which  belong to the Group and are related to its activity (indicatively  mentioned): www.bioiatriki.gr, www.bioclinic.gr, www.biomedsmile.gr, www.bioiatrikiplus.gr, www.fonemed.gr, www.crossbordermedcare.com, www.labcy.com, www.evresisdiagnostic.com, www.bioiatrikidigital.gr. 

The contact details of the “BIOIATRIKI” Group, which you have contacted and which is the Data Controller, are as follows:

Name: BIOIATRIKI PRIVATE MEDICAL POLYCLINIC SA.

Postal address: 132, Kifisias St. and Papadas St., PO Box 115 26, Athens

Email address: dpo@bioiatriki.gr 

Contact phone: +30 210 6966000

Website: www.bioiatriki.gr

Definitions

For the purposes of this Policy, the following terms shall have the following meanings:

“Personal Data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier, or to one or more factors that characterize the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

“Special categories of personal data”: personal  data revealing racial or ethnic origin, political opinions, religious  or philosophical beliefs or trade union membership, as well as the  processing of genetic data, biometric data for the purpose of  unambiguous identification of a person, data concerning health or data  concerning a natural person’s sex life or sexual orientation.

“Processing”: any operation or series of operations carried out with or without the use of automated means, on personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, information retrieval, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.

“Data Controller”: the natural  or legal person, public authority, agency or other entity that, alone  or jointly with others, determines the purposes and means of processing  personal data; when the purposes and means of such processing are  determined by Union law or the law of a Member State, the controller or  the specific criteria for his appointment may be provided for by Union  law or the law of a Member State.

“Data Processor”: the natural  or legal person, public authority, agency or other entity that processes  personal data on behalf of the data controller.

“Data Subject”: the natural person whose personal data is processed, e.g. customers, employees, etc.

“Recipient”: the  natural or legal person, public authority, agency or other body to  which the personal data is disclosed, whether it is a third party or  not. However, public authorities that may receive personal data in the  context of a specific investigation in accordance with Union or Member  State law are not considered as recipients; the processing of such data  by said public authorities is carried out in accordance with the  applicable data protection rules depending on the purposes of the  processing.

“Third party”: any natural or legal person, public authority, agency or body, with the exception of the data subject, the data controller, the data processor and the individuals who, under the direct supervision of the data controller or the data processor, are authorized to process personal data.

“Consent” of the data subject: any indication of will, free, specific, explicit and fully informed, by which the data subject manifests that he agrees, by statement or by a clear positive action, to be the subject of processing of the personal data that may concern him.

“Personal Data Breach”: the  breach of security resulting in the accidental or unlawful destruction,  loss, alteration, unauthorized disclosure or access of personal data  transmitted, stored or otherwise processed.

“Anonymization”: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject.

“Pseudonymization”: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that the data cannot be attributed to an identified or identifiable natural person.

“Genetic data”: the personal  data relating to the genetic characteristics of a natural person  inherited or acquired, as derived, in particular, from the analysis of a  biological sample of the said natural person and which provide unique  information about the physiology or health of the said natural person.

“Biometric data”: personal  data resulting from special technical processing linked to physical,  biological or behavioral characteristics of a natural person and which  allow or confirm the unmistakable identification of the said natural  person, such as facial images or fingerprint data.

“Health data”: personal data  related to the physical or mental health of a natural person, including  the provision of health care services, and which reveal information  about their state of health.

“Existing legislation”: The respective national and EU legislation on personal data protection and specifically the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”), the Greek Law 4624/2019, the Cypriot Law 125(I)/2018, as applicable, as well as the Decisions, Instructions and Opinions of the Greek Personal Data Protection Authority and the Office of the Personal Data Protection Commissioner (Cyprus).

General Principles of Personal Data Processing

The Group collects and processes your personal data in accordance with the following processing principles:

Legality, objectivity, transparency: The Group collects and processes your personal data legally, in a transparent manner.

Purpose limitation: The Group processes your personal data only for specified, explicit and lawful purposes.

Data minimization: The Group  takes appropriate technical and organizational measures, so that the  personal data it processes are appropriate, relevant and limited to what  is necessary for the purposes for which they are processed.

Accuracy: The Group ensures that the personal data it maintains and processes is always accurate and up-to-date.

Limitation of the storage period: The  Group does not retain personal data for a period longer than the  purposes for which they were collected and processed. However, the Group  may retain them for a longer period of time if the processing of such  data is necessary:

a) in order to comply with a legal obligation that imposes the processing based on a provision of law,

b) for the performance of a task carried out in the public interest,

c) for reasons of public interest,

d) for archiving purposes in the public interest, or for the purposes of scientific or historical research, or for statistical purposes, after taking the appropriate technical and organizational measures, including their pseudonymization, and only if these purposes cannot be served through the anonymization of the data,

e) for the establishment, exercise or defence of legal claims.

Integrity and confidentiality: The Group ensures that the collection and processing of your personal  data is carried out in a secure manner, using appropriate technical and  organizational means, to protect it from any unauthorized or illegal  processing and accidental loss, destruction or deterioration.

Personal Data We Collect

The Group collects and processes your  personal data only if it is absolutely necessary, appropriate and  adequate for the achievement of its intended purposes. In particular,  the personal data we collect and process are summarized in the  following:

Identity and demographic data of examinees/patients (i.e. first and last name, patronymic, mother’s name, date of birth-age, spouse’s name, gender, identity card number, passport number, AMKA, examinee code, sick book number/registry number, VAT number, occupation or in which company/organization you work, etc.).

Data of third parties, such as your relatives (name, surname, patronymic, ID card number, etc.), e.g. for the receipt of your medical results or for the provision of authorization for the receipt of your medical results in the event of your objective inability.

Contact details (i.e. postal address, landline and mobile phone, e-mail) for communication between us, for sending the results of your exams or for sending newsletters about the Group’s provided services, news and offers.

Insurance details [e.g. insured person code, insurance fund or company, insurance relationship, group or individual insurance policy number, coverage code, date of commencement or renewal of the insurance policy, date of expiry of insurance coverage, date of policy anniversary, date of sending registration, policy status (active or invalid), covered members, etc.].

Health data and in particular data related to the medical services provided by the Group, which concern diagnostic and clinical tests, hospitalization, doctor referrals, internal circulation records, clinical symptoms, medical personnel and/or your family and/or previous medical history, pharmaceutical treatment and treatment, medical opinions and medical findings, any disabilities, obstetric and gynecological medical services, details of surgical operations, such as recording of endoscopic surgeries, previous health care, incident code, etc. Also, in the context of providing our medical services, we may collect and process health data in the context of medical services that were not provided by our Group, but were communicated/transmitted to us by you or a person accompanying you and become absolutely necessary for the assessment of your health situation and the provision of related services.

Biological samples and genetic data for the purpose of their laboratory control (e.g. haematological, biochemical, hormonal, patho-anatomical, immunological, microbiological, molecular biology and cytogenetic).

Data from clinical studies and related research programs for the conduct of clinical studies/research, which in principle are being processed in a pseudonymized form.

Information about financial data and financial obligations, e.g. details of the financially liable expenditure, details of receipts, etc.

Browsing data on our website, such as the Internet Protocol (IP) address of your device when browsing our individual websites www.bioiatriki.gr, www.bioclinic.gr, www.biomedsmile.gr, www.fonemed.gr, www.crossbordermedcare.com, www.labcy.com, www.evresisdiagnostic.com, www.bioiatrikidigital.gr, www.dhs.online, the type of browser you use, etc. For more information regarding the use of cookies on our website, you can refer to the Group’s Cookies Policy (https://bioiatriki.gr/cookies).

Image and visual data from closed circuit television (CCTV) and security cameras.

Audio data from your phone calls which are recorded during the process of planning your medical visits, following your prior notification of the relevant recording (i.e. name, phone number, date of birth (and/or age), postal address, type of examination, intended date of medical examinations, insurance fund).

Data related to requests you have submitted to exercise your rights or complaints.

Data of our Group’s prospective employees which are contained in the attached CVs or relevant forms (i.e. name, surname, contact details, education, work experience, etc.).

Data of our Group’s employees such as: name, surname, father’s name, mother’s name, gender, date of birth, residential address, telephone (landline/mobile), email (corporate/personal), citizenship, marital status, number of children, notarial acts or family certificates, Identification Number, Tax Registration Number, Tax Office, IBAN data, qualifications, professional certifications, certificates of completion of military service, training seminars, qualifications, previous service, date of employment, payroll data, allowances, evaluation reports, etc.

Data of suppliers and partners of the Group, such as first and last name, father’s name, gender, date of birth, telephone, residential address, telephone (landline/mobile), email (corporate/personal), Identification Number, passport number, Tax Registration Number, Tax Office, IBAN, professional certificates, degrees, as well as any further information that may be required by national legislation (e.g. tax legislation).

Method of Collection of Personal Data

The collection of personal data is carried out by both physical and electronic means on a case-by-case basis, as indicated:

At the reception and service points  of the Group Companies, when filling out various forms or when  communicating with us electronically, when using our call center or our  websites to schedule an exam or receive another medical or non-medical  service through the use of our online service «Digital Health Record»,  when providing primary or secondary health care medical services to you  following information that you give us or that arise during your  examination or are the results of your medical examinations, when you  notify us of your wish to make use of your insurance contract, when you  apply to work for our Group, when you are hired as an employee in our  Group, when you contract as a partner/supplier with the Group or our  individual Companies, when you submit a request to receive a newsletter,  when you enter a Group Company area, which is monitored by closed  circuit television (CCTV) and security cameras.

Purposes and legal bases for processing of your personal data

The personal information collected by the Group is used for the following processing purposes, namely:

For the provision of health services, i.e. the planning of the medical visit and/or – after prior identification of the examinees – the provision of primary and secondary health care medical services and medical care in general, the sending/delivery to you of the results of your medical examinations, to retain and update your medical file, etc. Regarding the processing of special categories of data, i.e. sensitive data (health data, biometric and genetic data), the processing is necessary for the purposes of preventive medicine, diagnosis, provision of health care services or treatment. The legal basis for processing of the said data is: (a) in principle, the necessity of processing your data for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care or treatment or pursuant to a contract with a health professional, as well as (b) the necessity of processing for the performance of obligations and the exercise of specific rights of ours or yours in the field of employment and social security and social protection law or for the performance of a task carried out in the public interest, (c) the necessity of processing the data to protect the vital interests of you or the person you accompany, (d) the necessity of processing your data for the establishment, exercise or defence of rights and legal claims in cases concerning medical liability and the provision of health services in general, (e) the necessity of processing the data for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and medicines or medical devices, as provided for by law. We will never process your medical data if one of the above legal bases does not exist and we have not previously obtained your explicit consent, after first informing you of the purposes of the processing.
In the event that you use a public insurance fund/body, some of your personal data will be processed, the legal basis of the relevant processing being the necessity of processing your personal data for the purposes of providing health or social care, as well as the necessity of processing for the performance of obligations and the exercise of specific rights of yours in the field of social security and social protection law or for the fulfillment of a duty performed in the public interest.

For the compliance of the Group and  its affiliated Companies with their legal obligations, such as  compliance with the Code of Medical Ethics (Law 3418/2005) or compliance  with tax, insurance legislation, etc. Legal basis of processing in this  case is the compliance of the Group Companies with their legal  obligations.

To safeguard and protect the legal interests of both natural persons (e.g. patients, visitors) and the Companies of our Group. For example, we use closed circuit television (CCTV) and security cameras, in order to be able to protect the safety of individuals, materials, facilities, in accordance with the more specific conditions provided for the installation of cameras in medical institutions. The legal basis for processing in this case is the legal interest of the Group Companies.

To send newsletters concerning the  Group’s news, so that you are informed about the innovations, products,  and offers of the Group. The legal basis for processing in this case is  your prior explicit consent.

Upon your prior identification for  our communication and the management of your requests, whether related  to personal data protection issues or to the quality of your service.  The legal basis for processing in this case is the legitimate interest  of the Group Companies and/or the Group’s compliance with its legal  obligations, in accordance with Existing Legislation.

To extract statistical data, upon  prior anonymization of your data. The legal basis for processing in this  case is the necessity for the extraction of statistical data.

For the purposes of scientific  research and the conduct of clinical studies/trials and/or other  clinical research programs, upon prior pseudonymization of your data.  The legal basis for processing in this case is the need for scientific  research, as long as the necessary technical and organizational measures  are taken, e.g. pseudonymization, encryption, as well as compliance  with legal obligations. We will only ask for your consent for your  participation in the relevant research programs.

For the lawful conclusion and  execution of contracts concluded by the Group with third parties. The  legal basis for processing in this case is the necessity to process your  data in the context of the performance of our contractual obligation or  during the pre-contractual stage.

So that the Group can hire staff or  contract with external partners (e.g. doctors, nurses, etc.). The legal  basis for processing in this case is: (a) the necessity of processing  the data in question, in the context of the execution of our contractual  obligation or during the pre-contractual stage and (b) the necessity of  processing for the execution of our obligations and the exercise of our  specific rights or yours in the field of employment and social security  and social protection law or for the performance of a task carried out  in the public interest.

Transmission of personal data

The Group may transmit the above personal data to:

Third parties to whom it has entrusted the processing of personal data on its behalf. In particular, the Group may transmit your personal data to partners belonging to its medical network, who act on its behalf, contractually bound with the companies of the Group to provide independent services (e.g. to partner doctors for diagnosis purposes or clinical audits, partner physiotherapists/dentists/nutritionists/psychologists, collaborating diagnostic centers, collaborating clinics and hospitals, collaborating laboratories) or to third-party partner companies that process your personal data on behalf of a Group company. In particular, with regard to the partners employed within the Group Companies, they may have access to the details of the medical file kept by the Group on your behalf, in cases where it is necessary for the evaluation and assessment of your health condition during the provision of medical services and issuing medical opinions, findings, etc. In any case, the third parties to which subjects’ data may be transmitted are contractually bound towards the Group, in order to ensure the obligation of confidentiality as well as all obligations provided for by the Existing Legislation. In all the above cases, the Group defines the individual elements of the processing, signs special contracts with the third parties to whom it assigns the execution of specific processing activities, ensuring that the processing is carried out in accordance with the Existing Legislation. These third parties are contractually committed to the Group that they will process your personal data only for the specific and contractually defined purposes and will not transmit or communicate it to third parties, unless required by law.

To your public insurance institution/fund in case you benefit from it.

To private insurance/employer companies. The Group, through its Companies, may transmit your sensitive personal data (health data) to cooperating third-party Companies to cover the cost of the medical services provided to you or to affiliated private insurance companies within the European Union and the EEA for your insurance coverage, provided that your prior explicit consent has been given before such transfer. Your medical data will not be transmitted to your insurance/employer Company without your prior explicit consent. Furthermore, at your request, the Group transmits to your insurance company your recorded conversation with its telephone, coordination and IT center-company of the Group, under the name FONEMED HELLAS SA, or sends written information about your communication and the progress of your scheduled visits.

To Group Companies, to the extent  that this transmission is necessary to serve your requests and the  purposes of the Group, obtaining the necessary consent where required.  In particular, the Group, with the aim of providing excellent and  high-quality medical services, maintains a common electronic database of  primary health care medical results and transfers your data within the  group, whenever this is deemed necessary, for the management and the  provision of medical services to you.

To  judicial and prosecuting authorities, as well as other public  authorities (e.g. Tax authorities, etc.) in the performance of their  duties  of its own motion or at the request of a third party citing a  legitimate interest and in accordance with legal procedures. In  addition, for reasons of protection of the public interest in the field  of public health, we may, in accordance with the relevant legislation,  transmit your personal data to the competent authorities, such as e.g.  the National Public Health Organization (EODY).

In  the event that the transmission involves a country outside the European  Union (EU) or the European Economic Area (EEA), in the context of  conducting examinations and analysis of biological material for rare  diseases or to third countries and/or organizations for the conduct of  clinical studies/ tests or in order to cover the total cost of the  services provided to you (e.g. your insurance company), the Group checks  whether:

The Commission has issued a relevant adequacy decision for the third country to which the transfer will take place.

The appropriate safeguards are observed in accordance with the Existing Legislation for the transmission of the said data.

Otherwise, the transmission is prohibited and the Group will not transmit your personal data to a third country, unless one of the special exceptions provided by the Existing Legislation applies (e.g. express consent as well as your notification regarding the risks involved in the transmission, the transmission is necessary for the performance of a contract at your request, there are reasons of public interest, it is necessary to support legal claims and vital interests of the subjects, etc.).

Personal Data Retention Period

The personal data collected by the  Group are kept for a predetermined and limited period of time, depending  on the purpose of the processing, after which the data is deleted  and/or securely destroyed, unless a different period is provided for or  permitted by the applicable legislation.

Your personal data retention period is indicatively defined based on certain specific criteria and on a case-by-case basis. Indicatively:

(a) Your personal data shall be kept  for the entire duration required by the purpose of their processing  and/or the applicable legal framework. At the end of this period, in  accordance with the current regulatory framework, the data shall be kept  for the time period  provided upon termination of the contractual  relationship or for as long as it is required in order to defend the  rights of  “BIOIATRIKI” Group before a Court or other competent  Authority. The applications including the attached CVs that you send to  us, are kept for a period of two (2) years in order to evaluate them for  a certain position and after the two-year period, we destroy or delete  them securely.

(b) In cases where the processing is  imposed as an obligation under the  applicable legal framework, your  personal data will be stored at least for as long as the relevant  provisions impose. In particular, and in accordance with article 14 of  the Code of Medical Ethics L.3418/2005, medical record keeping is  required for a period of 10 years from the patient’s last visit to  private medical practices and other primary health care units of the  private sector and for twenty years (20 years) from the patient’s last  visit in any other case. In particular, the brief medical history that  you may provide to us prior to the performance of diagnostic tests is  only kept for as long as necessary for the diagnosis of the test, after  which it is securely destroyed.

(c) For the Companies of our Group, GIANNOUKA CHEMISTRY LTD and ALPHA EVRESIS DIAGNOSTIC CENTER LTD based in Cyprus, in accordance with the Directive issued by the Commissioner for Personal Data Protection entitled “Time period of retention of personal data relating to health”, the retention period of personal data relating to the health of the data subject does not exceed fifteen (15) years after the death of the subject or fifteen (15) years after the last entry of data relating to a data subject in a filing system by the aforementioned Companies of our Group. This period of time is valid given that there are no financial/legal or other pending matters or differences between the data subject and the Companies of our Group.

(d) In any other case where the processing is based on your consent, your personal data is kept until your consent is withdrawn, without prejudice to the lawfulness of the processing based on consent during the period prior to its withdrawal. In order to withdraw your consent, you must submit a request to the Group’s Data Protection Officer (DPO) (see below for his contact details). Alternatively, and for the purposes of promoting the Group’s products and services, you can also use the unsubscribe options, by clicking on the corresponding link, which exists in our electronic communications. For as long as your email address remains in our database, you will receive periodic email notifications from us.

(e) The physical record with the  medical results of your examinations and generally, files with medical  content that you receive, are kept for sixty (60) days from the date of  the examination/issuance at the delivery office of each Unit-Company in  which you perform the examinations, unless you choose to have them sent  to your email address or by courier to your postal address, whichever  company of our Group provides this possibility. At the same time, they  are registered and kept in electronic form, while the physical file,  upon  expiry of the above 60-day period, is safely destroyed according  to the stipulated and secured procedure. The digital files with your  electronic signature in which you indicate the way of receiving your  exam results other than the personal receipt of the results by you or a  third person that you shall indicate and the granting of your consent to  receive newsletters, informative material and offers of our Group, the  provision of your consent for any transmission, are kept for as long as  is required to satisfy its respective purpose, and after the fulfillment  of its purpose, are kept for a period of five (5) years.

(f) The data we collect when you  submit a request, as well as the relevant file in which it is recorded,  are kept for twenty (20) years from the date of collection.

Security of Personal Data

Taking into account the latest developments, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons affected by the processing, the Group implements the necessary technical and organizational measures to protect your personal data. Although no method of transmission via the Internet or method of electronic storage is completely secure, the Group takes all the necessary digital data security measures (antivirus, firewall, etc.). At the same time, the Group adopts the required security measures such as ISO 27001, installation of a video surveillance system (CCTV), alarm system, etc.

Data Protection Impact Assessment (DPIA)

When a processing may entail a high  risk for the rights and freedoms of natural persons, the Group carries  out, before the processing, an assessment of the impact of the intended  processing operations on the protection of personal data (“impact  assessment”). An impact assessment is a process designed to describe the  processing, assess its necessity and proportionality, and assist in  risk management by assessing and defining countermeasures. It is not  required for every form of processing, but only in cases where a form of  processing is considered high risk. In the framework of the impact  assessment, the nature, extent, general context and purposes of the  processing are taken into account in order to assess whether a risk is  likely to occur, as well as the seriousness of this for the rights and  freedoms of the subjects.

The Group may decide to carry out an  impact assessment for processing, even if the Existing Legislation does  not consider this mandatory. Furthermore, it is not mandatory to draw up  a separate impact assessment for each form of processing, but a set of  similar processing operations, which entail similar high risks, can be  included in one impact assessment.

In particular, the carrying out of an  impact assessment is required in all cases in which the processing “may  entail a high risk for the rights and freedoms of natural persons”.  Indicative examples are as follows:

Cases of systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing (including profiling) and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.

Cases of large-scale processing of special categories of data (sensitive data).

Cases of systematic processing of personal data.

Breach of Personal Data

In the event that an incident of  violation takes place, the Group follows a specific procedure for  handling incidents of violation of the security of your personal data.  In the event that you realize or suspect that a breach of your personal  data may have taken place, please inform us without delay at the email  address: dpo@bioiatriki.gr.

Your rights

The Group ensures that it is able to  respond immediately to requests to exercise your rights in accordance  with Existing Legislation. These rights are the following:

(a) Right to withdraw consent:

In cases where the processing is based solely on your prior consent, e.g. for marketing activities, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on the consent in the period prior to its withdrawal.

(b) Right of access and information:

You have the right to know  that the  personal data concerning you are being processed and to verify the  legality of the processing. Therefore, upon your request you have access  to the data and can receive additional information about its  processing, to whom we transmit it and for what purpose we process it.  With regard to your medical file, you may access your medical records at  any time, as well as download copies of the file, for free.

(c) Right of rectification:

You have the right to complete, correct, update or modify your personal data.

(d) Right to erasure:

You have the right to request the deletion of your personal data, unless there is a legitimate reason for the Group to further retain them.

In particular, due to our legal obligation, your medical data and everything related to it (i.e. your first name, last name, gender, age (date of birth), occupation, your address, the dates of your visit, as well as any other essential information related to the provision of healthcare services, such as, but not limited to and depending on the specialty, your health complaints, your medical history, the reason for your visit, the primary and secondary diagnosis or treatment followed) shall not be deleted in the event that you exercise this right.

(e) Right to restrict processing:

You have the right to request the  restriction of the processing of your personal data in the following  cases: (1) when you dispute the accuracy of the personal data and until  verification, (2) when you object to the deletion of personal data and  request instead the restriction of its use, (3) when the personal data  is no longer necessary for us, but is nevertheless necessary for you to  establish, exercise, support legal claims, and (4) when you object to  the processing and until it is verified that there are legitimate  reasons that concern us and override the reasons for which you object to  the processing.

(f) Right to object to processing and right to object to automated individual decision-making, including profiling:

You have the right to object at any  time to the collection and processing of your personal data in cases  where, as described above, it is necessary for legitimate interests  pursued by the  Group. However, it is pointed out that the Group does  not use an automated decision-making process.

(g) Right to Portability:

You have the right to receive, free of charge, after your identification, your personal data in a structured, commonly used and machine-readable format (pdf, word, etc.). You also have the right to ask us, if technically possible, to transfer the data directly to another data controller (e.g. your personal doctor). This right exists for the data you have provided to us whose processing is carried out by automated means based on your consent or for the execution of a relevant contract.

In case of exercising any of the  rights mentioned below, the Group will respond to you within one (1)  month from the receipt and identification of your relevant request. This  deadline may be extended by two (2) more months, if necessary, taking  into account the complexity of the request and the number of requests.  In this case, the Group will provide you with relevant information on  the extension in question within one (1) month of receiving the request,  as well as on the reasons for the delay. If the request is submitted by  electronic means, you shall be informed in the same way, unless you  request otherwise. If your request is manifestly unfounded or excessive,  in particular due to its repetitive nature, the Group may condition its  satisfaction on the payment of a reasonable fee or refuse to respond to  the said request.

Right of Appeal to the Personal Data Protection Authority / to the Office of the Personal Data Protection Commissioner

For any complaint you have regarding this policy or personal data protection issues, if we do not satisfy your request, you can address the Hellenic Data Protection Authority through the following link: www.dpa.gr, at the following contact details: Ave. Kifisias 1-3, P.O. 115 23, Athens, +30 210 6475600, +30 210 6475628, contact@dpa.gr or to the Office of the Commissioner for Personal Data Protection through the following link: www.dataprotection.gov.cy, at the following contact details: Office address: Iasonos 1, 1082 Nicosia, Postal address: P.O. 23378, 1682 Nicosia, Phone: +357 22818456, Fax: 22304565, Email: commissioner@dataprotection.gov.cy.

Data Protection Officer (DPO) contact details

To exercise all of the above rights,  as well as for any issue regarding the processing of your personal data,  you may contact the Group’s Data Protection Officer, at the email  address dpo@bioiatriki.gr.

Disclaimer for Third Party Websites

In case there are links on our websites that redirect you to third party websites, we inform you that the Group does not control and is not responsible for the content of these websites, nor for the way in which your personal data is processed.

Updates to the Privacy Policy

This Privacy Policy may be  modified/revised in the future, in the context of the Group’s regulatory  compliance as well as for the optimization and upgrading of our website  services. For your adequate information we therefore recommend that you  refer each time to the updated version of this Policy.

Last Review: July 2022

Copyright © 2023 DIGITAL HEALTH SOLUTIONS S.A.
