Privacy policy
Notice of collection and processing of personal data
pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the “Regulation”) effective from 01.07.2021.
Introduction
Medirad s.r.o. as the Data Controller, with registered office at Ružinovská 42, Bratislava – Ružinov district 821 03, ID No.: 53581733 (hereinafter referred to as the “Controller”) hereby informs its clients (patient, client, legal representative or patient’s proxy) and business partners (or natural persons of our business partner who is a legal person, or persons acting for the business partner on the basis of authorization, appointment, election or in the exercise of their functions, who are designated as authorized persons for particular areas of communication concerning the supply of products and services within the framework of contractual relations) about the collection and processing of their personal data.
Privacy Policy
We only process your personal data on the basis of the lawful conditions that are set out in the Regulation or the law. As a data controller, we are responsible for the protection of your personal data that we have obtained or obtain from you in accordance with the Regulation and the law, to the extent and in the manner set out in this Information Letter. If you have any questions about the processing of your personal data, you can contact us in person or by post at our registered office or electronically via email: info@test.medirad.sk.
Your personal data will be stored and backed up securely, in accordance with our security policy and that of our processors, and only for the period specified below in this information sheet.
Your personal data will be accessible by the recipients and by persons authorised by us to process it on our instructions and in accordance with our security policy. As a data controller, we are required to ensure that data is backed up in accordance with the security requirements of the Regulation and the Act.
Source of collection of personal data
We primarily obtain your personal data directly from you when you voluntarily provide it to us in connection with an enquiry or request for our services that you address to us in person, by telephone, in writing by post or electronically, either on the basis of your own request or through pre-prepared forms that can be found on our website https://www.test.medirad.sk.
If you are an employee of our business partner who is a legal entity or a sole trader who has appointed you as their authorised person for individual areas of communication relating to the supply of products and services within the framework of contractual relations, we obtain personal data from your employer; the provision of the data contained in this information is without prejudice to your employer’s information obligation to the extent provided for in Article 13 of the Regulation or Article 19 of the Act in the collection and processing of your personal data in connection with the employment relationship between the employee and the employer.
We also obtain your personal data from our contractual partners or other authorised persons in connection with the performance of our contracts or other contractual, pre-contractual or other obligations.
Necessity of the provision of personal data
The patient, client, legal representative or patient’s attorney is required to provide personal information for the purposes of providing healthcare to the extent requested, otherwise failure to provide personal information may result in a refusal to provide healthcare.
Personal data of business partners or employees or authorised persons of business partners are necessary in some cases to enable the contractual relationship between the supplier and the customer to be established, or in the case of failure to provide personal data, the performance of contracts may be significantly hindered or even prevented, or may result in the communication between the parties to the contract being made difficult or even impossible.
Recipients of personal data
All your personal data will be stored in our internal systems and will be further provided by us to various collaborating entities. Recipients of personal data may include:
– control, supervisory and other state authorities in the performance of their activities under specific legislation, e.g. the Data Protection Authority, the Tax Authority, etc.,
– courts and law enforcement authorities at their request or in the context of the legitimate interests of the controller in proving, asserting and defending legal claims,
– health insurance companies of the data subjects – clients, other healthcare providers providing them with healthcare, the National Centre for Health Information, persons listed in § 24 (4) and § 25 (1) of Act No. 576/2004 Coll. on Health Care, Services Related to the Provision of Health Care,
– contracted service providers, such as providers of IT infrastructure support services, software administration services, postal and forwarding services, financial and insurance services,
– other recipients to whom the controller is obliged to disclose personal data pursuant to a specific law or legitimate interest, such as auditors, legal advisors, tax and accounting advisors, insurance companies, banks, credit registers, as well as persons who have an employment or other similar relationship with us, to the extent strictly necessary for the exercise of their work or rights, and who, in relation to the personal data provided or made available, will also be under an obligation of confidentiality in relation to such information to the extent and under the conditions agreed in a written contract concluded with them or provided for by generally binding legal regulations.
In general, your data may be disclosed to a cooperating specialist doctor, who is an intermediary for the processing of personal data, to the extent necessary for the performance of a specialist examination, diagnosis and the design of a treatment procedure. The identification data of the specialist doctor will be communicated to the patient after the first X-ray examination, which will require the consultation of a specialist, according to the area of the examination and the specialist specialty of the doctor concerned (e.g. pneumologist, orthopaedic surgeon, neurologist, etc.).
We have duly concluded contracts with all the intermediaries to ensure the protection of your personal data. We make sure that these processors ensure an adequate level of protection of personal data, in accordance with the applicable data protection legislation.
Purpose of the processing of personal data
We will collect and further process your personal data for the following purposes:
(i) patient appointments; the processing is necessary for the purpose of making an appointment for a patient to be examined and subsequently to enable the provision of healthcare. The legal basis for processing your personal data for this purpose is Article 6(1)(b) of the Regulation, i.e. the processing is necessary for the purpose of the pre-contractual relationship. The provision of personal data by the data subject is a necessary requirement in this case. In the event of failure to provide personal data, it will not be possible to make an appointment for an examination.
Furthermore, it is in the legitimate interest of the controller to process the voice recordings of subscribers of calls recorded in the directory enquiry service within the telephone lines intended for the purpose of making appointments for examinations for the purpose of contacting them back. The legal basis for processing your personal data for this purpose is Article 6(1)(f) of the Regulation, i.e. the processing is necessary for the purpose of the legitimate interest of the controller.
(ii) the provision of healthcare; the processing is necessary for the purpose of preventive occupational medicine, the provision of healthcare and services related to the provision of healthcare. The legal basis for the processing of your personal data for this purpose is Article 6(1)(c) of the Regulation and Section 16(b) and (h) of Act No. 18/2018 Coll. on the Protection of Personal Data, i.e. the processing is necessary for the purpose of preventive occupational medicine, the provision of health care and services related to the provision of health care and the fulfilment of legal obligations arising in particular from Act No. 576/2004 Coll. on health care, services related to the provision of health care, as well as Act No. 577/2004 Coll. on the scope of health care reimbursed on the basis of public health insurance and on reimbursement for services related to the provision of health care, as amended, Act No. 578/2004 Coll. on health care providers, health care workers, professional organisations in the health care sector and amendment and supplementation of certain acts, as amended, Act No. 580/2004 Coll. on health insurance and amendment to Act No. 95 of the National Assembly of the Slovak Republic on health care services, as amended No. 153/2013 Coll. on the National Health Care System, Act No. 153/2013 Coll. on the National Health Care System. The provision of personal data by the data subject is a necessary requirement in this case. In case of failure to provide personal data, it will not be possible to provide services.
(iii) bookkeeping and preparation of accounting documents; in particular, administration and invoicing of the price for the supply of the Products (pursuant to the Contract), processing of accounting, tax documents and invoices. The legal basis for the processing of your personal data for this purpose is the provision of Article 6(1)(c) of the Regulation, i.e. the fulfillment of our legal obligations under the law, in particular under Act No. 431/2002 Coll. on Accounting, as amended (hereinafter referred to as the “Accounting Act”).
(iv) registering mail and managing the registry; registering and managing mail, mail delivered and sent to and from the electronic mailbox; and registering and archiving contracts, accounting, tax and related documents in our internal systems. The legal basis for the processing of your personal data for this purpose is Article 6(1)(c) and (e) of the Regulation, i.e. the fulfillment of the supplier’s legal obligation under specific regulations and the public interest, in particular under the Accountancy Act and Act No. 395/2002 Coll. on archives and registers and on amendment and supplementation of certain acts.
(v) the exercise of the rights of data subjects; it is the legal obligation of the controller to ensure that requests by which data subjects exercise their rights are properly dealt with in accordance with the Regulation.
(vi) the protection and security of information on the network; the management and administration of information and communication technologies and the provision of related services and facilities for the purpose of conducting business is a legitimate interest of ours. The protection and security of information, the effective management of security risks, the ability to contribute to the reliable and adequate clarification of security-relevant events occurring, the resolution of their consequences and the prevention of their continuation, the ability to prevent security-relevant events from occurring, is at the same time our obligation under the Regulation to take appropriate security measures to prevent the unlawful processing of personal data and other information that needs to be protected in the operator’s environment, and to ensure the protection of assets. The legal basis is the legitimate interest of the controller (Article 6(1)(f) of the Regulation).
Retention periods of personal data
We will keep our clients’ personal data related to health within the meaning of Section 22 of Act No. 576/2004 Coll. on health care, services related to the provision of health care for 20 years after the death of the person concerned, other documentation, 20 years after the last health care was provided and within the meaning of Act No. 395/2002 Coll. on archives and registers and on the amendment of certain acts. After the expiry of the statutory period, the data shall be destined for destruction and shredding.
Audio recordings of subscribers’ calls recorded in the answering service within the telephone lines intended for ordering are deleted after contact or automatically after 30 days.
We will process the personal data of our business partners within the framework of contractual relationships for as long as necessary to achieve the purposes of processing, but at most for the duration of the contractual relationship. In the event that we assert legal claims against you and pursue legal or administrative proceedings, or if you assert legal claims against us and pursue legal or administrative proceedings against us, the personal data will be processed for the purpose of proving, asserting or defending the legal claims until the final conclusion of such proceedings. After the termination of the contractual relationship or the final conclusion of the proceedings according to the previous sentence, your personal data will only be stored (archived) for 10 years after the termination of the contract, because the obligation to store the contract and the accounting and tax documents related to the contract containing your personal data is imposed on us by generally binding regulations, in particular by the Accountancy Act. The storage period starts on the first day of the calendar year following the year in which the contract expires. After the expiry of this period, the data will be deleted or destroyed/shredded.
Your personal data processed for the purpose of the proper exercise of the rights of the data subject may be processed for a period of 5 years if you exercise the right of the data subject.
If we also process your personal data on the basis of consent, you have the right to withdraw this consent to the processing of your personal data at any time. We will only process your personal data for as long as the consent is valid. Withdrawal of consent does not affect the lawfulness of the processing of personal data based on consent prior to its withdrawal. You may withdraw the consent given in the same way as consent was given.
Transfer to third countries or international organization
Your personal data is not transferred to an international organization, nor is it subject to transfer to third countries that do not guarantee an adequate level of protection of personal data.
Withdrawal of consent
If we also process your personal data on the basis of consent, you have the right to withdraw your consent to the processing of your personal data at any time. Withdrawal of consent does not affect the lawfulness of the processing of personal data based on consent prior to its withdrawal. You may withdraw your consent in the same manner in which it was given.
Automated decision-making, including profiling
There is no automated decision-making or profiling in the processing of your personal data by us.
Privacy policy on our website
Data that you have provided voluntarily
You may voluntarily provide certain information on our website for certain purposes, such as any information entered when expressing an interest in being contacted. Such information may include personal contact information such as name, phone number, email address and any other information you provide.
We use this collected information to contact you when necessary to answer your questions.
Cookies, usage data and similar tools
When you visit our website, we collect certain information through automated means such as cookies, pixel tags, browser analytics tools, etc. For more information regarding cookies, usage data and similar tools we use, please see our cookie information: https://medirad.sk/nastavenia-suborov-cookie.
Related sites
We may provide links from our website to third party websites (“linked sites”). Linked Sites are not necessarily controlled or reviewed by us. Each Linked Site has its own terms of use and privacy information. We are not responsible for the policies and practices of any Linked Sites and other links contained therein, so we encourage users to read the terms and notices of such Linked Sites before using them.
Children
Our website is not directed at children and we do not use it to knowingly solicit personal information from or market to children. If we learn that a child has provided personal information through one of our websites, we will remove that information from our systems.
Your other data protection rights
In addition to the rights set out above, you have the following rights in relation to the processing of your personal data:
(i) the right of access to personal data (Article 15 of the Regulation); you have the right to obtain confirmation from us as to whether we are processing your personal data and, if so, the right to obtain access to such personal data (copies thereof), as well as the right to supplementary information to the extent provided for in Article 15 of the Regulation.
In most cases, we will provide you with these copies of your personal data and the additional information in written paper form, unless you request otherwise. If you have requested this information by electronic means, it will be provided to you electronically where technically feasible.
(ii) the right to rectification of personal data (Article 16 of the Regulation); we take reasonable steps to ensure that the information we hold about you is accurate, complete and up to date. However, this right allows you to ask us to correct your inaccurate personal data or to complete your personal data if it is inaccurate, incomplete or out of date without undue delay.
Please note that you are only obliged to provide us with personal data that is complete and correct, and you are responsible for the truthfulness of the personal data you provide to us.
(iii) the right to erasure of personal data (right to be forgotten) (Art. 17 of the Regulation) without undue delay after exercising this right, for example, if your personal data is no longer necessary for the purpose for which we obtained or processed it, if you have withdrawn your consent to the processing of personal data on the basis of which we process your personal data and there is no other legal basis for the processing of personal data (for example, the Contract (or other contracts) we have concluded with you), if you object to the processing of personal data pursuant to Art. 21(1) of the Regulation or if we process your personal data in breach of the Regulation and the law.
However, this right of yours must be considered in light of all the relevant circumstances. For example, we may have certain legal and regulatory obligations which means that we may not be able to comply with your request.
(iv) the right to restrict the processing of personal data (Article 18 of the Regulation); in the cases provided for by law, you have the right to ask us to stop processing your personal data, e.g. if you object to the accuracy of the personal data we hold about you but only for a period of time that allows us to verify the accuracy of your personal data, object to the processing of your personal data by automated decision-making or the processing of your personal data is contrary to the Regulation and the law and object to the erasure of your personal data, requesting instead that we restrict its use, or object to the erasure of your personal data which we as a supplier no longer need and wish to erase but which you need, for example in ongoing legal proceedings.
(v) the right to data portability (Article 20 of the Regulation), i.e. the right to obtain from us your personal data that you have previously provided to us in a structured, commonly used and machine-readable format and the right to request that we transfer your personal data to another controller subject to the fulfilment of the legal conditions; the exercise of this right is without prejudice to your right to have your personal data erased by the supplier.
However, the right of portability only applies to personal data that we have obtained from you on the basis of consent or on the basis of a Contract to which you are a party.
(vi) the right to object to the processing of personal data (Article 21 of the Regulation) if the processing of your personal data is based on our legitimate interest or if we process your personal data for the purpose of direct marketing of our services and products, including profiling in such processing. If you object and we do not demonstrate a compelling legitimate ground for processing your personal data or if you object to the processing of your personal data for the purpose of direct marketing of our services and products, we will no longer process your personal data for these purposes.
(vii) the right not to be subject to a decision based solely on automated processing of personal data, including profiling, where such automated decision-making and profiling would have legal effects in relation to you or significantly affect you (Article 22 of the Regulation); however, as we have stated, there is no automated decision-making or profiling in our processing of your personal data.
(viii) the right to lodge a complaint with a supervisory authority (Article 77 of the Regulation); if you believe that the processing of your personal data is in breach of the Regulation or the law, you may lodge a complaint (a proposal to initiate a personal data protection procedure pursuant to Section 100 of the Act) with the Office for Personal Data Protection of the Slovak Republic https://dataprotection.gov.sk, Hraničná 12, 820 07 Bratislava 27; telephone number: +421 /2/ 3231 3214; e-mail: statny.dozor@pdp.gov.sk.
You can exercise your rights in person or by sending a written request by post to the address of our registered office or electronically via e-mail: info@test.medirad.sk. We will properly review all your suggestions and complaints.
Modifications to our privacy policy
We reserve the right to change, modify and update this privacy notice at any time. Please check back periodically to ensure that you are familiar with our most up-to-date notice.