PLLC "Sapiegos Clinic" Personal Data Protection Policy
CONCEPTS
LLPPD – Law on Legal Protection of Personal Data of the Republic of Lithuania.
‘Personal data’ means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is a person who can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data and an online identifier, or to one or more of that natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.
‘Personal data breach’ means a breach of security resulting in the accidental or unauthorized, destruction, loss, alteration, unauthorised disclosure of personal data transmitted, stored or otherwise processed, or access to, or unauthorized transmission, unauthorized disclosure of, stored or otherwise processed personal data.
Responsible employee – an employee of the Company who, by the position held and the nature of the work, is entitled to perform specific functions relating to the processing of data.
Company / data controller – PLLC “Sapiegos clinic” (hereinafter referred to as “Sapiegos klinika”), company code 303433522, address: Grybo str. 17-124, e-mail [email protected]
GDPR / General Data Protection Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Data recipient – means a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether third party or not.
Data subject – an employee, customer or other natural person whose personal data is processed by the Company. Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as: collecting, recording, sorting, storing, adapting or modifying, reproducing, retrieving, using, disclosing, transmitting, disseminating or otherwise making available, arranging in an appropriate order or by means of a combination of such operations or combinations, blocking, deleting or erasing.
Data processor – a legal entity that processes personal data on behalf of the Company.
ECL – Electronic Communications Law of the Republic of Lithuania. Other terms used in this Policy correspond to the terms used in the GDPR and the LLPPD.
GENERAL PROVISION
This personal data protection policy applies to the processing of personal data by PLLC “Sapiegos clinic” (the Company) when providing health care services and serving persons when they contact it by telephone, e-mail and/or via the website www.sapiegosklinika.lt. We take your privacy very seriously. We collect, store and process all personal data in accordance with the General Data Protection Regulation, the GDPR, the ECL, and other laws and regulations governing patients’ rights, and we do not pass it on to any third party unless we are obliged to do so by law or regulation, or if it is necessary for the provision of our services, or if you have expressly consented to the transfer of your data. The Company will always act in accordance with good business practice and ensure that your privacy is not compromised. This privacy policy describes what personal data we collect and for what purposes we process your personal data when you contact the Company. This Personal Data Protection Policy also contains important information about data protection, in particular the data subject rights guaranteed to you by the General Data Protection Regulation.
Contact details of the company’s data protection officer:
Tel: +370 655 50200
E-mail: [email protected]
THE PURPOSES FOR WHICH THE PERSONAL DATA ARE PROCESSED, THE PERSONAL DATA PROCESSED AND OTHER INFORMATION RELATING TO THE PROCESSING OF PERSONAL DATA
Provision of health care services
Conditions for lawful processing under the GDPR: Article 6(1)(a), (b) and (c), Article 9(2)(a), (b) and (h).
Categories of data subjects: persons to whom the Company’s services are or have been provided.
Personal data processed: name, surname, contact details (telephone number, e-mail address), special categories of data (services provided, laboratory tests, diagnoses, visits to specialists, pictures, descriptions of the services provided by the specialists and of the patient’s condition, etc.), the name of the person to whom any information is provided on the patient’s treatment and the results of the treatment, the relationship with the patient.
Retention period: personal data shall be retained for the periods laid down by law.
Processing of data: personal data may only be processed by responsible employees, doctors and assistants of the Company and access to these data is strictly limited.
Categories of recipients: the data are provided only to those recipients to whom the law or other legal acts establish the right to receive or the obligation to provide such data (lawyers, bailiffs, tax authorities, etc.), and personal data are not transferred to third countries or international organizations. Personal data may also be provided at the request/consent of the data subject to specific recipients.
Video surveillance for the protection of persons and property
Conditions for lawful processing under the GDPR: Article 6(1)(c) and (f).
Categories of data subjects: persons entering the field of video surveillance. Personal data processed: video data.
Retention period: 2 months.
Processing of the data: Video surveillance is carried out on the Company’s premises (visitor and reception areas). Personal data may only be used by responsible personnel and access to video data is strictly limited.
Categories of recipients: the data are not disclosed to anyone, except to those recipients to whom the law or other legal acts provide the right to receive or the obligation to provide such data (law enforcement authorities, insurance companies, etc.), and the personal data are not transferred to third countries or international organizations.
Recording of telephone conversations to preserve evidence of the terms and/or transactions of futures contracts and/or transactions concluded and ongoing
Conditions for lawful processing under the GDPR: Article 6(1)(a).
Categories of data subjects: Persons calling telephone numbers published by the Company.
Personal data processed: telephone number, call recording. Retention period: 6 months.
Data processing: personal data may only be used by responsible employees and access to call records is strictly limited.
Categories of recipients: the data are not disclosed to anyone, except to those recipients to whom the law or other legal acts provide the right to receive or the obligation to provide such data (law enforcement authorities, insurance companies, etc.), and the personal data are not transferred to third countries or international organizations.
Managing of cookies on the website
Conditions for lawful processing under GDPR: Article 6(1)(a) if the Company’s website also contains non-technical cookies. It should be noted that the data subject’s consent is only required for non-technical cookies, in accordance with the provisions of the EIR.
Categories of data subjects: persons browsing the Company’s website.
Personal data processed: when you access the website, we process your IP address, network (browser used by your device), location data, etc.
Data processing: personal data may only be processed by responsible employees of the service provider and access to the data is strictly limited.
Categories of recipients: the data is not shared with anyone, and personal data is not transferred to third countries or international organizations.
Cookies are small text files that our Platform wants to place on your computer or other devices connected to the internet, such as tablets or smartphones. If your browser settings accept cookies, your browser will add the text in the form of a small file.
The cookies used by the Company are necessary for the operation of the website and are technical. Most cookies are deleted from your device at the end of your browser session (session cookies). We only use the information stored in essential cookies to provide you with the information you need on the website.
{cookie table}
The Cookie Notice informs you that we use cookies. By continuing to use our Platform after we show you the cookie notice, you are accepting the cookies and confirming that you are aware of them. You can configure your browser to refuse some or all cookies or to ask for your permission before accepting them. For information on how to change your browser settings, please visit www.aboutcookies.org or www.allaboutcookies.org.
For more information on the management of cookies, please click here:
– “Internet Explorer” browser.
– “Google Chrome” browser.
– “Mozilla Firefox” browser.
– Personal service (via the Sapiegos Clinic’s website, by phone or email) Conditions for lawful processing provided for in the GDPR: Article 6(1)(a), Article 9(2)(a).
Categories of data subjects: persons who contact the Company.
Personal data processed: name, surname, contact details (telephone number, e-mail address) and other data which the natural person himself wishes to provide to the Company by contacting the Company via the website www.sapiegosklinika.lt, by telephone or by e-mail
Retention period: the data will be deleted when the individual’s contact with the Company has been processed. Data processing: personal data may only be used by responsible employees.
Categories of recipients: the data is not provided to anyone.
Personnel management:
Conditions for lawful processing under the GDPR: Article 6(1)(a), (b) and (c), Article 9(2)(a), (b) and (h) Personal data processed and categories of data subjects:
personal data of applicants for the position: name, surname, personal photograph, contact details (telephone number, e-mail address, address, education, information about work in other jobs, other data provided in the CV.
personal data of former employees: name, surname, personal identification number, contact details (telephone number, e-mail address) and other data provided by the individual to the Company.
personal data of employees: name, surname, personal identification number, contact details (telephone number, e-mail address) and other data which the natural person himself/herself wishes to provide to the Company.
Retention period: personal data shall be retained for the periods laid down by law, with the exception of personal data processed for the purpose of the selection of applicants, and personal data which are not required shall be destroyed after the end of the selection procedure for the vacant post.
Data processing and security: personal data may only be used by responsible staff.
Categories of recipients: public authorities (e.g., tax office, State Social Insurance Fund Board), personal data are not transferred to third countries or international organizations.
Bookkeeping
Conditions for lawful processing under the GDPR: Article 6(1)(a), (b) and (c), Article 9(2)(a), (b) and (h).
Personal data processed: billing data, payment data, any other information specified in the payment order.
Categories of data subjects: Persons who make payment orders to the Company or to whom the Company makes payment orders.
Retention period: personal data shall be retained for the periods prescribed by law
Processing of data: personal data may only be accessed by responsible employees authorized to keep accounting records.
Categories of recipients: the data are provided only to those recipients to whom the law or other legal acts provide the right to receive the data (lawyers, bailiffs, tax authorities, etc.), and the personal data are not transferred to third countries or international organizations.
DATA PROCESSORS
The Company has the right to use data processors in accordance with the provisions of the General Data Protection Regulation. They shall be contracted for the processing of personal data in accordance with the requirements of that Regulation. Sub-processors may not be used without the consent of the Company.
The Company shall use processors only in cases where it is not in a position to carry out such personal data processing operations itself, i.e.:
IT system maintenance companies.
These service providers shall undertake the data processing procedures on behalf of the Company and only on the instructions of the Company. The third parties that process personal data shall be selected carefully and in accordance with applicable data protection legislation.
In certain circumstances, the Company’s external service providers may be granted access to your personal data, but only for the specified purposes of processing. Such third parties are contractually obliged to ensure that their level of data protection is at least equivalent to that provided by the Company and required by applicable law. All data processed on behalf of the Company remains under the Company’s control. Compliance with the Company’s instructions, data protection levels and contractual obligations entered into with the data processor is monitored on an ongoing basis.
RIGHTS OF THE DATA SUBJECT AND THEIR IMPLEMENTATION
The Company will give effect to the data subject’s rights without undue delay, but in any event not later than one month after receipt of the request and will provide the data subject with information about the action taken following the request. The Company may extend the one-month period by a further two months, depending on the complexity and number of requests, but in any event the Company will inform you of such extension within one month of receipt of the request, together with the reasons for the delay.
The General Data Protection Regulation (GDPR) guarantees You the rights of the data subject. You have the right, at any time after the Company has duly verified your identity, to: be informed about the processing of your data.
The Company will provide you with all the information to which you are entitled and which is not specified in this Data Protection Policy, such as: the recipients of the personal data, if any; the periods of retention of personal data or, if this is not possible, the criteria used to determine that period; the right to request that the Company access and rectify or erase personal data concerning the data subject, or to restrict the processing of the data, or the right to object to processing, including the right of portability of the data; whether or not the submission of personal data is a requirement by law or by contract, etc.
- access to the data processed
The Company will confirm to you whether personal data relating to you is being processed and, if such personal data is being processed, provide you with all the necessary information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed; the retention periods of the personal data or, where this is not possible, the criteria used to determine that period; the right to request the controller to rectify or erase the personal data or to restrict or object to the processing of personal data relating to the data subject; and, where the personal data are not collected from the data subject, any available information on the sources of the data. The Company will provide a copy of the personal data processed. Where the data subject makes the request by electronic means, the information shall be provided in the usual electronic form.
- request the rectification of data
The data subject shall have the right to require the Company to rectify inaccurate personal data concerning you without undue delay. The data subject shall have the right to have incomplete personal data completed, taking into account the purposes for which the data were processed
- request erasure (“right to be forgotten”)
If there are grounds (e.g. the personal data are no longer necessary to achieve the purposes for which they were collected, etc.), you can request that your personal data be erased.
- restrict data processing
You may request the restriction of the processing of your data if it meets the criteria defined in the General Data Protection Regulation, e.g. the Company no longer needs your personal data for the purposes of the processing, but it is necessary for you to assert a legal claim; you contest the accuracy of the data for a period of time during which the Company can verify the accuracy of the personal data, etc.
- data portability
Where the Company processes your personal data by automated means with your consent or on the basis of a contract concluded with the Company, you have the right to receive the personal data you have provided in a structured and computer-readable format and to transmit it to another data controller, and the Company will not impede this. You have the right to have your personal data transmitted by the Company to another party where technically feasible.
- disagreement
You have the right to object at any time to processing of your personal data where such processing is carried out for the purposes of the legitimate interests of the Company, except where the processing is carried out by the Company for reasons which override the interests, rights and freedoms of the data subject or for the purpose of asserting legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to further processing for marketing purposes. If you object to processing for direct marketing purposes, the Company will no longer process your personal data for such purposes.
It should be noted that the Company does not currently apply automated decision-making. In order to exercise any of the rights specified in this section, you can contact the Company using the contacts indicated below. Notwithstanding any other remedies, you also have the right to lodge a complaint with the supervisory authorities at any time.
PERSONAL DATA BREACHES
The Company will always notify the State Data Protection Inspectorate of a personal data breach, except where such a breach will not endanger the rights and freedoms of individuals. If the nature of the breach and the seriousness of the risk would result in a serious threat to the rights and freedoms of natural persons, the Company is obliged to notify the breach to you as a data subject. Breaches are notified in accordance with the procedures set out in the General Data Protection Regulation.
The notification should contain the following in clear and plain language (by email, SMS, post, etc.) to the data subject:
a description of the nature of the breach;
the contact details of the Data Protection Officer;
a description of the likely consequences of the breach;
a description of the measures taken by the Company to remedy the breach;
any other information that the Company considers should be provided to the data subject.
If providing notification would require a disproportionate effort, the Company will instead make the breach publicly available on its website.
The Company will not provide the data subject with a notification in the event of a breach if: adequate safeguards have been put in place for the personal data affected by the breach; immediately after the breach, the Company has taken measures to ensure that the rights and freedoms of individuals are no longer seriously compromised; and it would be disproportionately burdensome to contact the individuals. In such a case, the infringement shall be made public.
DATA SECURITY
The Company takes great care in protecting your personal data using appropriate data protection measures. These include proactive and reactive risk management, periodic updating of software, the use of firewalls and anti-virus programs, access control and security systems, controlled granting and supervision of access/user privileges, skills training for staff involved in the processing of personal data, and the assessment and selection of data processors. Paper documents are kept under lock and key, in premises with access control and other security measures. Persons handling personal data are bound by confidentiality obligations laid down by law, the controller’s internal regulations and/or confidentiality agreements. Backup copies of the data shall be made. The company keeps its internal practices up to date.
FINAL PROVISIONS
This Personal Data Protection Policy is also a record of the Company’s data processing activities. The Company develops and improves its activities on an ongoing basis and the Company has the right to change this Data Protection Policy at any time in accordance with applicable laws and regulations. Any changes shall be published on the Company’s website without delay. This Personal Data Protection Policy shall be reviewed periodically, but at least once every two years. If you have any questions regarding the processing of your data or questions regarding your rights, please contact our Data Protection Officer: Tel. + 370 655 50200 E-mail: [email protected]
In order to protect the data of its patients to the maximum extent, the SAPIEGOS CLINIC has a permit no. 2R- 6023 (2.6-1.) to carry out personal data processing actions (including video data).
The permit was issued by the STATE DATA PROTECTION INSPECTORATE.
Name of cookie | Description | Type | Validity |
---|---|---|---|
ci_session | Unique session ID number. Cookie necessary for the functioning of the website | Functionality | Until the session ends |
gid | The cookie collects and updates information about the pages of the website you have visited | Analytics | 24 hours after the end of the session |
_cfduid | A cookie to identify reliable website traffic that does not record the user's personal data | Functionality | 1 year |
_zlcmid | Used to support chat sessions | Communication | 6 days |
SIDCC, APISID | Security cookie to protect users' data from unauthorized access | Security | 2 months ago |
_ga | Designed to store a unique Customer ID, which is then used by Google Analytics servers to calculate user, session, and campaign data | Analytics | 2 years |
_gid | The cookie collects and updates information about the pages you have visited | Analytics | 24 hours after the end of the session |
1P_JAR, CONSENT, NID | Google Analytics cookie for session activation and customization of Google ads | Advertisement | 6 months |
_hjlncludedInSample | The Hotjar cookie collects statistical information about user behavior on the Website | Analytics | Not more than one year |
Fr, sb | Facebook cookie that allows Facebook social network to display advertising | Advertisement | 3 months ago |
datr | Facebook cookie for user identification | Analytics | 2 years |
dbr | Facebook uses a cookie to use Facebook's login functionality | Functionality | Until the end of the session |
SAPISID | Cookies enable the basic functions of Youtube videos. They are used only on pages that contain ''Youtube' videos | Functionality | Up to 10 years |