Controller means the “NEUROLOGICAL INSTITUTE OF ATHENS -NIA- MEDICAL SOLE MEMBER LIMITED LIABILITY COMPANY” directed by Dr. Klimentini Karageorgiou, neurologist-psychiatrist, scientific director.
The Institute has its registered offices at the following address:
The Institute processes simple and sensitive personal data in various forms of processing. While processing your personal data it uses its best efforts and best practices to safeguard the security of processing by any means, putting forward the respect to the patient and the compliance to the medical ethics and the medical and nursing confidentiality obligations imposed by the law (art. 13 L. 3418/2005 & art. 11 P.D. 216/2001 and 25 L.3252/2004).
In particular, the Institute collects, files, organizes, retains, stores, exports, uses, forwards, correlates, interlinks, binds (locks), deletes and destroys your personal data, either simple or of the special (sensitive) categories defined in the law, which have to do with the condition of your health.
With respect to our work, we only collect personal data that is relevant, necessary and appropriate to the scope of our research, clinical and medical services.
A. For the patients, we collect:
Any piece of information which is obligatorily dictated for the keeping of medical records (art. 14 L. 3418/2005), indicatively, identity and communication elements, dates of visits to the doctor, symptoms and anything relevant to your medical record.
a) Simple identity data and data for communicating with you: your first and last name, your father's name, your identity card number, your VAT number, your social security number, your date of birth, your sex, your postal and/or email address, your telephone number and mobile number. All the above data is collected directly from you, either by your oral declaration, or at the time of the explicit expression of your consent in writing, or at the time of the expression of the written consent of your proxies or caregivers, should you belong to the categories of patients demanding the joint action of a proxy or caregiver. This data is collected in paper or electronic form.
b) Special categories of personal data (sensitive) i.e. personal data about the condition of your health and your medical history, your diagnostic examinations, your pharmaceutical treatment and therapy, your visits as per the Institute calendar, the progress of your treatment and therapy, your biometric data and the overall condition of your health.
B. For the caregivers, we collect:
a) Simple identity data and data for communicating with you: your first and last name, your father’s name, your identity card number, your VAT number, your postal and/or email address, your telephone and mobile number. All the above data is collected directly from you, either by your oral declaration, or from online sources from accessible and safe webpages, cloud and email or off-line via telephone or fax. This data is collected in paper or electronic form.
b) Special categories of personal data (sensitive) i.e. personal data about the condition of the health of the patients that you care for, either by an explicit law provision or by means of a written proxy or by means of a court decision, which refer to their medical record, their diagnostic examinations, their pharmaceutical treatment and therapy, their visits as per the Institute calendar, their treatment progress, their biometric data and the overall condition of their health, as well as the sensitive medical history of the caregivers.
3. We share information (data) with:
a) the medical, clinical, research and nursing personnel of our Institute, who are bound with us by means of a written contract so that they act as “processors” of your data. This personnel consists of renowned scientists who are bound by the medical and nursing confidentiality obligations and are suitably trained for this purpose. They process personal data according to the Institute’s scope and as this scope is defined by the Institute itself for processing purposes.
b) the state owned body EOPYY and HDIKA in case we need to prescribe or execute a prescription or diagnostic examination (e-prescribing) in favor of a patient, with social security bodies not consolidated with EOPYY, with private insurance companies, in case you have an active health insurance contract which you declare to us and instruct us to share information.
c) any public health body, if we are obliged by law (ex. hospital institution).
4. Processing Purpose
Our processing has to do with our compliance with lawful obligations, deriving from our enactment of the medical science and the right medical, clinical and research practice and ethics. For the purposes of diagnosis, provision of health care or social care or protection, for safeguarding your vital interests, for instance death risk prevention, i.e. for absolutely necessary purposes, for purposes that have to do with the performance of a task carried out in the public interest of public health, for the performance of a contract and in general in order to support our treatment duties for you or for your patient or our clinical research.
Any processing not connected to the above purposes, as well as the disclosure of medical secrets, is restricted, unless we obtain your explicit verbal or written consent, with prejudice to the exemption of the disclosure of a medical secret by means of a court decision dictating such a disclosure.
5. Security Measures
We apply the necessary set of operations to organize our files (records) and we keep the necessary security measures offered in several storage websites, including the computer cloud (cloud). The servers or hardware files where we store information are installed in Greece at the seat of the Institute. We use the most proper technical and administrative measures for the protection of your personal data from loss, theft, embezzlement, alteration, modification, improper access, unauthorized use, disclosure and in order to safeguard the integrity and precision of your data. Indicatively, we use encrypted structures for certain forms of correspondence as well as for uploading and forwarding medical results and in general medical records, without excluding any other better practice, deemed to be more appropriate for each case in the future.
6. Duration of record keeping:
Elements of medical records provided in article 14 of the Law 3418/2005 (Medical Code of Ethics) are kept according to the law for a period of ten (10) years following payment of your last visit to the Institute.
Simple personal data and data of a financial nature (invoices) are obligatorily kept in a filing system for ten (10) years for potential tax audits.
Should you request the deletion of your data, we will use all our best endeavors to satisfy your request, so long as the law allows for such a deletion. Otherwise, we will satisfy your request after the lapse of the lawful deadline i.e. after the exhaustion of our obligation. Nevertheless, you have our confirmation, in the most declaratory manner, that your data is kept safe in a locked file, electronic and hardware, and we will retain it inactive for as long as it is imposed by the law.
May we underline that deceased persons have no personal data.
The Institute operates a website. The website includes webpages with communication forms, in which you may fill out your necessary personal data, so as to allow us to contact you and try to satisfy your request. The interaction with you is based on your own free will and consent to declaring your personal data; it remains highly confidential as it is protected by medical confidentiality and is safeguarded from any illegal disclosure by the most efficient security systems. For more information, you may consult our Terms and Conditions of Use of Website and our Cookies Policy which are therein uploaded.
8. Your rights as data subjects:
Your personal data belong to you. Therefore you have the right to access them, namely the right to know if and which of your data are submitted to processing, how and what for. The right to rectification, meaning the right to request the rectification of inaccurate or missing personal data of yours. The right to portability, meaning the right to request the transmission of your files to another controller, i.e. another health care institute or insurance company, without hindrance. The right to erasure (right to be forgotten), with prejudice to the deadlines set by the law. The right to restriction of processing i.e. the right to request selective filing of your data or no processing at all of some of your data, if the law allows for such a restriction. The right to object to processing with prejudice of contrary law provisions and to the extent that no vital interest of yours is at risk. Please notice that all of your rights may be subject to restrictions explicitly set by L. 4624/2019 and the laws regulating the medical and clinical practice in Greece.
9. Exercising your rights:
You may exercise your rights as subjects of such rights, either before the Hellenic Data Protection Authority or before the Hellenic courts.
Should you wish to contact us to exercise your rights, you may do so by informing us in writing at the following email address: firstname.lastname@example.org, or through the respective page of our website, and we must reply to you within 1 (one) month from the submission of your request, for example by sending you a copy of your medical file or by justifiably rejecting your request referring to the relevant applicable law. In the case that your query requires data that demand further processing, such as sleep studies, biopsy results etc. then you should excuse us for a reasonable delay of no more than 3 (three) months. Should this delay be required, you will be informed so. In such a case, we will explain to you the reason for the delay. In either case, your queries, requests, and claims will be answered either positively or negatively within the above timeframes. Please take note again that our communication through our website, as well as any exchange of data and files, takes place only through encrypted secure structures unless you instruct us otherwise, in which case we will request to document your instructions.
The NEUROLOGICAL INSTITUTE OF ATHENS bears all the licenses provided by the law, as well as any civil or penal liability for breach of such laws.
This information policy is declaratory and brief. We remain at your disposal for any further query or needed clarification.
With great respect to the patient and his/her caregiver
NEUROLOGICAL INSTITUTE OF ATHENS
Last Edited: September 2020