Last updated in March 2023
The Clinics, Diagnostic Centres, Polyclinics, Assisted Reproduction Unit, i.e., In vitro fertilisation (IVF) unit and the Training Centre of Hellenic Healthcare Group (hereinafter HHG) take the protection of the privacy of their patients, customers, visitors, and trainees seriously. For that reason, we stringently adhere to the following Personal Data Protection Policy, which ensures a high level of provided services and strictly complies with the current legislative and regulatory framework for the protection of personal data. Personal data that concerns you will be collected and kept only for the absolute minimum time necessary, for predetermined, explicit, and legal purposes; they are lawfully and fairly processed in a transparent way, always in accordance with the current legal framework and in such a way that guarantees their availability, integrity and confidentiality. These data are always adequate, relevant, expedient, and no more than required to achieve the aforementioned objectives, while they are also exact, and, if necessary, can be updated.
Hellenic Healthcare Group Data
For the provision of health services, HHG has the following Clinics / Diagnostic Centres / Polyclinics / IVF Unit, which operate as Independent Personal and Health Data Controllers who are obliged to keep the above-mentioned data but also as Joint Controllers of personal and health data, with regard to the possible and sometimes necessary notification and exchange of simple and special categories of personal data in the framework of the provision of primary and secondary health care to each subject, defining together the scope and the means of processing of personal and health data.
Their details are as follows:
Company Name: DIAGNOSTIC & THERAPEUTIC CENTER OF ATHENS “HYGEIA” SINGLE MEMBER S.A.
Trade Name: HYGEIA or HYGEIA S.M.S.A.
Based: KIFISIAS AVENUE & 4 ERYTHROU STAVROU STREET, MAROUSSI
Company Name: PERSEUS HOSPITAL – HEALTHCARE FACILITIES OPERATION AND MANAGEMENT SINGLE MEMBER S.A
Trade Name: PERSEUS HEALTHCARE S.M.S.A.
Based: 9 ET. MAKARIOU ST. & 1 EL. VENIZELOU ST.
Company Name: MITERA PRIVATE GENERAL, MATERNITY, GYNECOLOGICAL & CHILDREN'S CLINIC S.A.
Trade Name: MITERA S.A.
Based: 6 ERYTHROU STAVROU STREET, MAROUSSI, POSTAL CODE GR-15123
Company Name: METROPOLITAN GENERAL HOSPITAL – HEALTHCARE FACILITIES OPERATION AND MANAGEMENT SINGLE MEMBER S.A
Trade Name: METROPOLITAN GENERAL S.A.
Based: 264 MESOGION AVENUE, CHOLARGOS
Company Name: LETO GENERAL, MATERNITY AND GYNECOLOGY CLINIC S.A.
Trade Name: LETO G.M.G.C.S.A.
Based: 7-13 MOUSON STREET, ATHENS
Company Name: ALFA LAB PRIVATE DIAGNOSTIC LABORATORY MEDICAL SOCIETE ANONYME
Trade Name: ALFA LAB S.A.
Based: 11 G. ANASTASIOU, ATHENS
Company Name: Y-LOGIMED IMPORT, TRADING AND SUPPLY OF MEDICAL DEVICES SINGLE MEMBER SA
Trade Name: Y-LOGIMED S.M.S.A.
Based: 11 KAVALIERATOY str & 4 EVAG. TRIANTAFILLOU str, KIFISIA ATTICA Postal Code: GR- 14 564
Company Name: GROUP MEDICAL PURCHASING SINGLE MEMBER SA
Trade Name: G.M.P. S.M.S.A.
Based: 4 EVAG. TRIANTAFILLOU str, KIFISIA ATTICA Postal Code: GR- 14 564
Company Name: HEALTH SPOT IDIOTIKO POLYIATRIO IATRIKI SINGLE MEMBER PRIVATE COMPANY
Trade Name: HEALTH SPOT BY HHG SINGLE MEMBER PRIVATE COMPANY
Based: 16 Levidou Street, Postal Code: GR-145 62, Kifisia
Company Name: PRIVATE CLINIC CRETA INTERCLINIC THERAPEUTIC - DIAGNOSTIC - SURGERY AND RESEARCH CENTER SINGLE MEMBER SOCIETE ANONYME
Trade Name: CRETA INTERCLINIC S.M.S.A.
Based: MINOOS 63, Street, CRETA Postal Code: 71304
Company Name: SOUTH EAST AIGAION PRIVATE POLYCLINIC MEDICAL S.A.
Trade Name: S.E.A. MEDICAL HEALTH CLINIC S.A.
Based: AGGELIKA MYCONOS Postal Code: GR-84600
Company Name: HYGEIA IVF EMBRYOGENESIS ASSISTED REPRODUCTION PRIVATE UNIT SOCIETE ANONYME
Trade Name: HYGEIA IVF EMBRYOGENESIS
Based: FLEMING 15 Street, ATHENS Postal Code: GR- 151 23
Company Name: APOLLONIO PRIVATE HOSPITAL LTD
Trade Name: -
Based: AV. LEFKOTHEOY 20, CYPRUS, Postal Code: 2054
REGISTER NUMBER: ΗΕ33353
Company Name: ARETAIEION MEDICAL CENTER LTD
Trade Name: -
Based: 55-57 ANDREA AVRAMIDES str, STROVOLOS, NICOSIA CYPRUS Postal Code: 2024
REGISTER NUMBER: HE102990
At the same time, it maintains a Training Centre for education, further training, vocational training and research in medicine, nursing and all health sciences, which maintains personal data of trainees and trainers, acting as an Independent Data Controller.
Company Name: HEALTHCARE EDUCATION ADVANCED LEARNING ACADEMY NON PROFIT CIVIL COMPANY
Trade Name: HEAL
Based: FLEMING 15 Street, Postal Code: GR- 151 23
The details of the Data Protection Officer (DPO) for HHG’s companies in Greece are:
Dimitris Kolios, 14 Fleming Street, GR-15123, Maroussi, Tel.: 210 686 7679
This policy determines the terms and conditions observed by HHG for the protection in general of the privacy of patients, escorts, loved ones, and any other individual supporting them, whose personal data is processed for the purpose of providing health services, and of the users of the applications created by HHG’s Clinics / Diagnostic Centres / Polyclinics / IVF. The purpose of this Policy is to inform you on how we collect, use, store, share and process data that concerns you, such as the personal data and your demographic data that you provide us with upon selecting to receive health services from our Group, or health data that arise from the provision of our services to you.
The Group reserves the right to amend and adjust this Policy, whenever deemed necessary or whenever it becomes mandatory by the relevant legislation, while any changes are put into effect from the moment they are posted to the present website/application.
HHG strives to carry out its business activities in accordance with the principles of privacy, as we believe that they are an indication of our unwavering commitment to ethical and responsible practices. We recognise that innovation and new technologies lead to constant changes as regards risks, expectations, and legislation, and that is why we follow the standards of undertaking responsibility for privacy, and also why we aim to adapt their implementation in response to these changes in a timely manner.
This Policy is also in force for all individuals whose data we process, including, but not limited to, customers, potential and former employees, partners, investors, shareholders, and other stakeholders.
All Group Employees and Management Executives bear significant responsibilities as regards the protection of privacy, which they must observe.
We recognise that inadvertent errors or bad judgment regarding data protection can cause risks to the privacy of individuals and risks as regards the reputation, processes, compliance, and the position of our Group. All Group employees and other individuals who process data for our companies, are responsible for understanding and observing their obligations with regard to this Policy and current laws.
Our Values and Standards with regard to Privacy
We observe our values regarding privacy in everything we do that has to do with people, including how we apply privacy standards. The four privacy values include:
- Respect - We recognise that concerns about privacy are often related to the essential questions of who we are, how we see the world, and how we define ourselves. Thus, we strive to respect the perspective and interests of individuals and societies, and to be fair and transparent in how we use and share data regarding them.
- Trust - We know that trust is of vital importance for our success, and that is why we strive to create and keep the trust of our customers, employees, patients, and other stakeholders, with regard to respect and protection of data related to them.
- Avoiding damage - We understand that misuse of data related to people may cause tangible and intangible damage to those people, and thus we strive to deter physical and financial damage, damage to their reputation or any other type of damage related to privacy.
- Compliance - We have learned that laws and regulations do not always keep up with the rapid developments of technology, the flow of data, and related changes in the risks and expectations of privacy. Thus, we strive to comply with the spirit and the regulations of privacy, as well as the laws of data protection, in a way that is consistent and operationally sound for our business activities on a global level.
We incorporate privacy standards in all our activities, processes, technologies, and relationships with third parties that use Personal Data. We design privacy checks in our procedures and technologies, which are consistent with our privacy values and standards, as well as with the legislation in force. The eight privacy principles described below summarise the privacy standards and basic requirements for the processes, activities, and their supporting technologies at a high level.
- Necessity – Prior to collecting, using, or sharing Personal Data, we define and document the specific, accurate and legitimate business purposes for which it is needed.
- Fairness – We do not process Personal Data in ways that are unfair to the people to whom those data relate.
- Transparency – We do not process Personal Data in ways or for purposes that are not transparent.
- Purpose Limitation – We only use Personal Data in accordance with the principles of Necessity and Transparency.
- Data Quality – We keep Personal Data accurate, complete, and up to date, and consistent with their intended use.
- Security – We implement safeguards to protect Personal Data and Sensitive Data from loss, misuse, and unauthorised access, disclosure, or destruction, ensuring their integrity, confidentiality and availability.
- Data Transfer – We are responsible for preserving privacy security for Personal Data when they are transferred to or from other organisations or across country borders in the context of satisfying the right of data portability.
- Legally Permissible – We only process Personal Data in accordance with the applicable legal and regulatory framework.
‘personal data’ means any information relating to an identified or identifiable natural person;
‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person;
‘health data’ means personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about their health status;
‘special category personal data’ includes, among others, genetic, biometric, and data concerning health;
‘processing of personal data’ means any operation or set of operations performed upon personal data, such as collecting, recording, organising, structuring, storing, adapting or altering, retrieving, using, disclosing by transmission, dissemination or otherwise making available, aligning, combining, restricting, erasing, or destroying;
‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘personal data breach’: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
PERSONAL DATA PROTECTION LEGAL FRAMEWORK
The ‘personal data protection legal framework’, for the purposes of this Policy, means General Data Protection Regulation 679/2016 of the European Parliament and of the Council for the protection of natural persons against the processing of personal data and for the free movement of such data, or regulation that has been issued pursuant to or for the implementation of the aforementioned General Regulation, law 4624/2019 “Hellenic Data Protection Authority (HDPA), measures for implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and transposition of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, and other provisions”, as well as any national law or directive of HDPA that is in force and applied and which concerns the processing and protection of personal data in general, and in the health service provision sector in particular.
Indicatively, we would like to mention that, among others, the following laws are in force as amended:
- Law 3418/2005 Code of Medical Ethics;
- Law 2071/1992 Modernisation and Organisation of the Health System;
- Law 2619/1998 Oviedo Convention
- Relevant Regulatory Acts of competent Independent Administrative Authorities
- General Data Protection Regulation 2016/679
- Law 4624/2019 for the implementation of GDPR
- Current Legislation regarding the urgent measures for dealing with the consequences of the appearance of coronavirus COVID-19 and the need to limit its spread
WHICH OF YOUR DATA IS COLLECTED?
In summary, the personal data which are collected and further processed include:
- name, surname, date of birth, identity card, TIN number, address and general contact details (including email address and telephone number), yours and/or of your relatives.
- the health data produced by us or provided to us in any way.
- information you give us about our payment, such as bank card details.
- information derived from the use of websites and other digital platforms that we use in order to inform you, or to provide services, regarding the following services provided by the Company through its websites and/or your registration in one or more of them:
  - receive a newsletter on a regular basis and be informed about promotional actions.
  - management of your medical file, via the my-Ygeia application, if you have received services from the Group and you have made the relevant registration.
  - access to the digital platform Digital Clinic.
  - asking questions regarding the services related to our companies.
In addition to the above data that you provide to the Group, technical information which contains personal data may be collected, such as the Internet Protocol address of your device (i.e., computer, laptop, tablet, smartphone). This technical information is used for the smooth operation and performance of websites and electronic services and is not stored permanently in the Group’s infrastructure.
Particularly, by using the Service My Ygeia (mobile & web application), you acknowledge and provide your consent to this processing, so that the camera of your device is used for the purpose of photographing the identification document, during the registration process of a new User. This specific processing is mandatory in order to be able to identify the User, before he has access to the data of the Service. Also, the Service will ask you to access the storage space of your device, exclusively to edit the photos of the identification document and to proceed with the new User approval process.
For Android Users – Required Google Play Disclosures for Certain Health Apps
Google has determined our mobile app “my-Ygeia” is subject to their COVID-19 apps requirements. As a result, we are required to provide the following information so we can make our mobile apps available to you in the Play store.
- Our mobile app “my-Ygeia” interacts with your device camera only if you choose to use your camera during the user registration process. This information is not used in connection with COVID-19.
- Our mobile app “my-Ygeia” accesses, collects and uses your information as stated above in the section titled, “WHICH OF YOUR DATA IS COLLECTED?” We also prominently highlight these uses, describe the type of data being accessed, and obtain your consent for these purposes as you use our mobile apps.
- Our mobile app “my-Ygeia” was not created specifically for the COVID-19 pandemic. It existed before the COVID-19 pandemic to allow you to access your health information on file with your healthcare organization. Your healthcare organization may allow you to access COVID-19-related vaccination information, laboratory test results, and documents with illness-related information using our mobile app “my-Ygeia”. You may choose if or how you want to access, display, or use the information – just like you can make those decisions about health information relating to other conditions, services, tests, or vaccinations.
PURPOSE OF THE PROCESSING OF YOUR PERSONAL DATA
In accordance with the above legal framework, HHG collects and processes the personal data of patients, patient escorts, or users of its companies’ websites for the following reasons and only to the extent this is necessary to effectively serve their purposes. These data are always relevant, expedient, and no more than required in view of the purposes below, while they are also exact, and, if necessary, can be updated. HHG may process personal data if the processing is necessary for at least one of the following legal grounds, namely:
- to perform a contract between us or to take measures at your request prior to entering into the contract,
- in order to comply with a legal obligation to which it is subject,
- for the purposes of its legal interests,
- when you have given your consent,
- for the protection of your vital interests,
- to fulfil a duty to the public good,
- to perform rights and obligations that arise from social insurance law,
- to establish, exercise or defend legal claims or whenever courts are acting in their judicial capacity,
- for purposes of preventative or professional medicine, medical diagnosis, provision of healthcare or treatment or management of healthcare systems
- a. HHG retains and processes the ordinary and sensitive personal data provided by you or another person with your legally provided authorisation, in order to perform the contract for the provision of health services signed by you or another natural or legal person on your behalf and/or to protect your vital interests and/or to fulfil the legal obligation or interest of each Group company and/or based on your consent and may transfer your data within or beyond the European Union to private and/or public insurance agencies, partners/processors, and/or the competent court, police, or tax Authorities, in accordance with the legal framework in force.
HHG retains and processes special category data, namely medical history, medical examinations, medical acts submitted by you or another natural or legal person on your behalf, and medical data that transpires from the provision of medical services – health services, aiming to provide medical services – health services based on the provision of preventative or professional medicine, medical diagnosis, the protection of your vital interests, and/or your explicit consent. HHG can transfer the aforementioned data for the aforementioned purposes within or beyond the European Union, to private or public insurance agencies in accordance with your legal relationship to them, to a network of Doctors providing independent services to our Group, to partners acting on the behalf of each company, in accordance with the contracts between us for the purpose of health service provision.
- b. HHG, in accordance with what is provided for in the current legal framework, may process and transfer ordinary or special category personal data of the patient to law firms, to establish, exercise, or defend legal claims or to the competent Authorities whenever courts are acting in their judicial capacity, as well as for reasons of legal obligation or public interest, as required by law. Furthermore, HHG may process and transfer the ordinary data of a patient and/or their obligee/escort in order to comply with its legal obligation, and its duty with regard to public interest, on a case-by-case basis, to the competent police, court, administrative, and tax Authorities, within and beyond the European Union, following their valid request. Furthermore, it is legally obligated to carry out every necessary internal control of personal data that concern you, in accordance with its internal procedures, when provided for or required by law.
- c. HHG, in accordance with what is provided for by the legal framework, may transfer for the collection and payment of debts that have transpired from the provision of medical services – health services, your ordinary and special category personal data, to law firms for the establishment, exercise or defence of legal claims.
- d. HHG, following your relevant consent, may process personal data that concerns you, in order to develop, improve, and promote its services, as well as to provide privileges.
DATA RETENTION PERIOD
HHG is obligated to retain printed or electronic archives for the period of time provided for by national law. Specifically, in accordance with the Code of Medical Ethics (Law 3418/2005, G.G. Series I Issue 287/28.11.2005), “Article 14§4: The obligation to keep medical records applies to: a) private clinics and other private sector primary healthcare units, for one decade since the patient’s most recent visit, and b) in all other cases for 20 years since the patient’s most recent visit.”
The data kept for the commercial promotion of products or services, and/or the provision of privileges, will be deleted six months after the action is completed.
The curricula vitae collected by the competent Human Resource Departments will be kept for one year, and will then be destroyed in accordance with the destruction policy HHG has in place for its companies.
Tax data is kept in accordance with the tax legislation.
YOUR RIGHTS REGARDING PERSONAL DATA PROTECTION
The legislation for the protection of personal data provides you with the following rights, which you can exercise in principle free of charge and based on everything provided for in the legal framework:
- The right to access, namely to be informed on what data of yours HHG has collected and is processing, their source, the purpose and legal ground of the processing, the recipients or categories of recipient of the personal data, in particular recipients in third countries, and the period for which they will be kept.
- The right to rectification of any inaccurate personal data, so that they are made accurate, by submitting to HHG a relevant statement with your accurate personal data.
- The right to supplementation of any incomplete personal data, so that they are made complete, by submitting to HHG a relevant statement with your complete personal data.
- The right to erasure of your personal data in the following cases:
  - when your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise submitted for processing;
  - when you have withdrawn your consent on which the processing was based and there is no other legal ground for the processing;
  - when your personal data was submitted to processing without the necessary legal ground in place;
  - when the law provides for the obligation to erase your personal data;
  - when the data of a child have been collected in relation to the provision of information society services, following its consent or when its consent is given or approved by the holder of parental responsibility of the child.
- The right to restriction of processing of your personal data, in the following cases:
  - when you contest the accuracy of the personal data and until verification by HHG takes place;
  - when instead of erasure, you request the restriction of the processing of your personal data;
  - when HHG no longer needs your personal data for the purposes of processing, but they are required by you for the establishment, exercise, or defence of legal claims.
- The right to object to the processing of your data, unless there are compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise or defence of legal claims of HHG.
- The right to portability, namely to receive and transmit to another controller your personal data, which you have provided to HHG’s Clinics, Diagnostic Centres, Polyclinics and IVF in a suitable format, provided that the processing of your personal data has taken place following your consent or that there was the necessary contract for processing between us.
- The right to withdraw your consent (without retro-active effect) on an issue related to the protection of ordinary personal data and health data.
These rights may be limited due to the obligation to apply another law, e.g. if you request the erasure of your data, while we are obligated by law to keep it (article 14 of Code of Medical Ethics).
Regarding all of the above and to answer any questions regarding the current legislation on personal data, you can contact HHG in the following ways:
- by post, to the Data Protection Officer of HHG (No 14 Fleming Street, GR-15123, Maroussi)
- HHG shall respond to your Request free of charge, with no delay, and, in any case, within a month of receipt of the request, except in exceptional circumstances, in which case the above deadline may be extended by an additional two months, if required, depending on the complexity of the request and/or the number of requests. HHG shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
- If your request cannot be met, HHG will inform you without delay and at the latest within a month from receipt of the request, regarding the relevant reasons and how you may file a complaint with the Hellenic Data Protection Authority, as well as regarding your right to appeal to the competent judicial authorities.
- If your request is found by HHG to be unfounded or excessive, it may impose a reasonable and corresponding charge, taking into account its administrative costs, or it may refuse to act on your request.
RIGHT TO LODGE A COMPLAINT
If you believe that your rights are being infringed, as regards the protection of your personal data, you retain the right to lodge a complaint with the Hellenic Data Protection Authority (https://www.dpa.gr/el/polites/katagelia_stin_arxi) for Greece and at the Office of the Personal Data Protection Commissioner (https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/1A39927F46993854C22586CC003F45E4) for Cyprus.
You also have the right to file an appeal with the competent judicial authorities regarding the protection of your personal data.
HHG has taken suitable technical and organisational security measures in order to ensure the implementation of the law and the suitable level of security for your personal data, and has duly trained its personnel and its entire network of partnered Doctors, through the Data Protection Policies and Procedures, and commits all its partners acting as processors on its behalf (Data Protection Agreement) through the guarantees and safeguards of the GDPR.
By submitting your e-mail address, you are giving us your consent to send you e-mails with the sole purpose of advertisement and the direct promotion of our products and/or services through our newsletter. Your e-mail address will only be used by HHG and its partner who is acting on HHG’s behalf in sending out the newsletters. In each such e-mail, we will clearly make our identity known to you and will provide you with the opportunity to object and request, easily and free of charge, to terminate communication and delete your data from the database in question.