Information on the processing of personal data
according to Article 13 of the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 27 April 2016 on the protection of natural persons (hereinafter “GDPR”) with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The objective of this document:
The present document is intended to provide full and transparent information about the processing of patient/client personal data, including special categories of personal data (in particular data concerning health) by the controller of such data.
1) Controller's contact details:
Klinika GHC Praha, Krakovská 8/581, Praha 1, 110 00
Joint controllers have determined their respective responsibilities for compliance with the obligations under the GDPR in a transparent manner and duly reflected the respective roles and relationships of the joint controllers vis-à-vis the data subjects.
2) Data Protection Officer contact details:
Email: gdpr@ghc.cz
Phone: +420 311 234 188
3) The purposes of the processing and the legal basis for the processing:
The personal data are processed for the purpose of providing health care services, registration of clients, ensuring adequate quality of services, billing, monitoring of the premises and sharing information about the latest offers. The legal basis for the processing is provided by the following reasons:
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes
- processing is necessary for compliance with a legal obligation to which the controller is subject. In particular, Act No. 372/2011 Coll., on health care services and the conditions for their provision (Health Care Services Act) and its implementing regulations.
4) Legitimate interests of the controller or a third party in the event that the processing is necessary for the purposes of the legitimate interests of the relevant controller or third party:
Our legitimate interest is the processing of your personal data for the purpose of drawing up lists, surveys and schedules, keeping records of customer programmes, checking payments of receivables, receiving visits, monitoring our premises, acknowledgment of debt, sending newsletters and sending SMS notifications (appointment reminders).
5) Recipients or categories of recipients of the personal data:
In accordance with the generally binding legislation, we shall disclose your personal data to public authorities or to persons authorised to see your medical records under the Health Care Services Act.
If necessary for the protection of our rights, legitimate interests or property, we may disclose your personal information to e.g. judicial or administrative authorities.
We will further disclose your personal information to our processors, with whom we have signed written personal data processing agreements (e.g. accountants, tax and legal advisors, IT system providers).
Your personal information shall always be disclosed in so far as necessary in order to protect your right to personal data and privacy protection.
6) Personal data retention period:
We shall process your personal data only for the time necessary for the purpose of their processing. If personal data are used for several different purposes of processing at the same time, we will continue to process them until the purpose with a longer processing time ceases to exist.
7) Furthermore, you have the following rights concerning the protection of your personal data.
- You have the right to request from the controller access to personal data concerning you as a data subject, and you have the right to their rectification.
- You may have the right to obtain restriction of processing in the following cases:
(a) if you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
(b) if the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) if you have already objected to processing in the event of legitimate grounds for the processing of the controller or third parties, pending the verification whether the legitimate grounds of the controller override those of the data subject.
- You have a right to object to the processing in the event that:
(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority or
(b) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party as well as the right to data portability.
- You have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR. You can lodge a complaint with a supervisory authority:
(a) in the place of your habitual residence,
(b) in your place of work, or
(c) in the place of the alleged infringement.
The following rights regarding the protection of your personal data are restricted by law:
- Right to erasure of personal data (Act no. 372/2011 Coll., on health care services and the conditions for their provision (Health Care Services Act)).
- The following rights concerning the protection of your personal data do not apply to you: right to data portability since the provision of your personal data is not based on consent or contract and does not take place in an automated manner only.
If you wish to exercise data subject's rights, please send your specific request to the mailing address of one of the joint controllers.
8) You have the right to exercise your rights under the GDPR in respect of and against each of the joint controllers.
9) The provision of your personal data is a statutory requirement and you as a patient have an obligation to provide them, just as the controller has the right to request them from you. A failure to provide your personal data will mean that the controller will not be able to provide health care services, which may result in harm to your health or an immediate threat to your life.