GDPR

 

Dear clients,

in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) we hereby inform you about how our healthcare facility ISCARE, a.s., ID No.: 35752351, with registered office at Prievozská 4/A, 821 09 Bratislava, registered in Business Register of District Court Bratislava I, Section: Sa, File No.: 1849/B, as the controller of personal data (the “Controller”) processes your personal data obtained through the Controller’s application/website (www.iscare.sk) and the rights and obligations related thereto.

You can contact the Controller in writing at the above address, or via email at gdpr@iscare.sk or by calling +421 259 207 800.

Personal data means any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  1. Scope, purpose and legal basis of processing of personal data

The Controller processes the personal data to the extent to which the Controller obtains the personal data on the basis of the application/web form published on the Controller’s website www.iscare.sk through which the data subject will disclose his/her personal data to the Controller. The Controller processes the personal data in compliance with the applicable and generally binding legal regulations of the Slovak Republic.

Personal data of data subjects obtained through the Controller’s application/website are processed for the following purposes:

  1. activities leading to contacting of the data subject for the purpose of negotiations for conclusion of future contract related to providing of healthcare by the Controller as the healthcare facility authorised to perform the activities of assisted reproduction, and in case of conclusion of the respective contract, for the purpose of performing the particular healthcare contract concluded between the data subject and the Controller;
  2. marketing and promotion activities, i.e. in particular sending of commercial and/or promotion materials and advertising materials related to sales activities or interactive commercial communication related to products, services or other activities of the Controller, in paper form, in automated or electronic format, and mainly by mail or via email, by phone (including automated calls, SMS, MMS, etc.), and by any other electronic means (e.g. websites and mobile applications);
  • research activities, such as client satisfaction surveys, marketing research and client opinion surveys and the related statistics.

The legal basis for processing of data subject’s personal data is a voluntary consent of the data subject given for the purpose defined by the data subject, except for the purpose specified in Clause i of this Article in case of successful negotiations between the data subject and the Controller and conclusion of the healthcare contract, as the purpose for processing of personal data defined therein is based on the data subject’s request to implement the measures prior to conclusion of the contract (“pre-contractual relations”), or the processing is necessary for the performance of the contract to which the data subject is the party, i.e. it constitutes the contractual requirement to disclose the personal data. Depending on the particular circumstances of processing of the data subject’s personal data, the Controller informs the data subject that there can be also another legal basis for processing of the data subject’s personal data, in which case the Controller strictly complies with the respective legal regulations.

After expiry of the period or after withdrawal of consent the Controller will store only the data necessary to demonstrate that the personal data have been processed by the Controller in a due manner and in accordance with the consent given by the data subject and with the legal regulations. If the Controller processes the personal data also for the reasons and purposes other than those specified in the consent given by the data subject (e.g. for the purpose of performance of the contract), the personal data will be further processed for these reasons.

  1. Withdrawal of consent

The consent to processing of personal data as well as the consent to sending the direct marketing messages is voluntary and the data subject may withdraw it at any time, either in writing at the address of the registered office of the Controller or via email at gdpr@iscare.sk (please, state “withdrawal of consent” in email subject line” ).

  1. Sources of personal data

The Controller processes the personal data obtained:

  • on the basis of the application/web form published on the Controller’s website iscare.sk through which the data subject will disclose his/her personal data to the Controller.
  1. Categories of personal data and categories of data subjects

The following categories of personal data are processed:

  • data entered by the data subject in the Controller’s application /web form published on the Controller’s website iscare.sk, in particular, but not limited to, the following data: name, surname, date of birth, email address, telephone number, or IP address, type of browser, type of operating system.

Data subjects whose personal data are processed by the Controller and for whom this information is intended are:

  • client/patient;
  • potential client/potential patient,
  • any other persons who will disclose their personal data to the Controller through the application/web form for the above purposes.
  1. Method of processing and protection of personal data

Personal data are processed in compliance with the applicable legal regulations. Safeguarding and protection of personal data are ensured in accordance with the aforesaid regulations and in compliance with GDPR.

Personal data will not be used for decisions based solely on automated processing or profiling.

Personal data of the data subject will be processed to the extent specified above in the Controller’s electronic database of the Controller or of the processor with which the Controller will conclude a respective contract. All disclosed personal data will be stored by the Controller in digital form. Processing is performed manually both in paper and electronic form or by automated means through computing while following all security principles for handling and processing of personal data. For this purpose, the Controller has implemented technical and organisational measures, in particular those preventing accidental or unlawful access to personal data, their destruction or loss, unauthorised transfer, unauthorised processing and other abuse of such personal data.

All entities to which the personal data may be disclosed respect the data subject’s right to privacy and are under obligation to comply with the applicable legislation concerning protection of personal data.

  1. Period of personal data storage

The Controller keeps the personal data for the period necessary to achieve the respective purpose and for the periods specified in the consent to processing of personal data given by the data subject as well as in the generally binding legal regulations of the Slovak Republic for destruction and archiving of documents, or for the period necessary to establish, exercise or defend legal claims.

Data disclosed by the data subject to the Controller for the purpose of contacting the data subject and negotiations for the conclusion of the healthcare contract with the Controller which have not been successful will be stored until the moment when the Controller and the data subject agree that the contract will not be concluded, or when the data subject has not given to the Controller an explicit consent to further processing of the data subject’s personal data in the Controller’s database for the purpose of contacting the data subject in future, or for other purpose. Maximum period for storing the data subject’s personal data is defined in consent of the concerned data subject given to the Controller.

  1. Categories of personal data recipients

Recipients of data subject’s personal data are:

  • processors on the basis of a contract with the Controller, to the extent of the data necessary for the purpose of processing, for example the companies that administer the systems for keeping medical records in electronic form, persons in charge of storing or archiving of data, etc.;
  • persons providing counselling to the Controller;
  • persons providing the Controller with data storing and back-up services;
  • companies that are related by property and/or personally related to the Controller and are members of the same group/same enterprise with the Controller;
  1. Instruction on data subject’s rights

In our company which is the Controller of personal data, you have the right:

  • to request the access to personal data processed by the Controller, which means the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and other information referred to in Article 15 of GDPR,
  • to request the rectification of inaccurate processed personal data concerning you. Taking into account the purposes of the processing, in certain cases you have the right to request to have incomplete personal data completed,
  • to request the erasure of personal data in cases regulated in Article 17 of GDPR,
  • to request the restriction of processing in cases regulated in Article 18 of GDPR,
  • to receive the personal data concerning you which we process by automated means for the performance of contract concluded with you, in a structured, commonly used and machine-readable format and you have the right to request that the Controller transmit these data to another controller; under the conditions and with the limitations given in Article 20 of GDPR, and
  • to object to processing pursuant to Article 21 of GDPR on the grounds relating to your particular situation.

When we receive your request relating to exercise of the aforesaid rights, we will inform you about the implemented measures without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. In certain cases, defined by GDPR, our company is not obliged to comply with the request in full or in part, mainly where requests are manifestly unfounded or excessive, in particular because of their repetitive character. In such cases we may (i) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (ii) refuse to act on the request.

If we receive the above request, but have reasonable doubts concerning the identity of the person making the request, we may request the provision of additional information necessary to confirm the identity.

Furthermore, you have the right to lodge your complaint directly with the supervisory authority, i.e. with Úrad na ochranu osobných údajov SR (Office for Personal Data Protection of the Slovak Republic) , Hraničná 12, 820 07 Bratislava 27, www.dataprotection.gov.sk if you consider that the personal data are not processed in compliance with legal regulations.

We hereby also inform you that our company has appointed the data protection officer. The data protection officer is Martina Masopustová and you can contact her via email at: gdpr@iscare.sk.

In Bratislava on 20 January 2020.

Ing. Denis Čabaj, director

ISCARE, a.s.