1. Principles of Personal Data Processing
The company GYNCARE, s. r. o. with its registered office at Magnezitárska 2/C, 040 13 Košice, ID No. 47 242 990, registered in the Commercial Register of the District Court Košice I, Section: Sro, File No.: 39664/V (hereinafter referred to as the “Controller”), in accordance with Regulation 2016/679 GDPR on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “Regulation”) and Act No. 18/2018 Coll. on Personal Data Protection and on Amendments to Certain Acts (hereinafter referred to as the “Act”), has established and regularly updates security measures. These measures define the scope and method of security necessary to eliminate and minimize threats and risks affecting the information system, with the aim of ensuring:
- the availability, integrity, and reliability of management systems using state-of-the-art information technologies,
- the protection of personal data against loss, damage, theft, modification, destruction, and the preservation of their confidentiality,
- the identification and prevention of potential problems and sources of disruption.
Contact for the Data Protection Officer: dpo@gyncare.sk
2. Principles of Personal Data Protection
Your personal data will be stored securely, in accordance with the data retention policy and only for the period necessary to fulfill the purpose of processing. Access to personal data is granted only to persons authorized by the Controller to process personal data, who process them based on the Controller’s instructions. Your personal data will be backed up in accordance with the Controller’s retention rules. Personal data stored on backup storage serves to prevent security incidents that could arise, particularly from security breaches or damage to the integrity of processed data.
3. Definition of Terms
- “personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
- “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- “information system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
- “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- “data subject’s consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- “genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
- “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- “relevant and reasoned objection” means an objection to a draft decision as to whether there is a breach of this Regulation, or whether the envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union.
4. Purposes of Personal Data Processing
- Provision of Healthcare
Personal data that we process about patients is processed for the purpose of providing healthcare, maintaining patient medical records, and managing medical and other services for invoicing health insurance companies and the Social Insurance Agency, in accordance with Article 6(1)(c) of the Regulation and Act No. 576/2004 Coll. on Healthcare. The scope of personal data processed includes: title, first name, last name, date of birth, personal identification number, disease data, data on the course and results of examinations, treatment data, data on the scope of healthcare provided, data on services related to healthcare provision, and health insurance company data. Subsequently, they are stored in accordance with Act No. 395/2002 Coll. on Archives and Registries.
- Consultation Booking
Personal data that we process about patients for the purpose of booking an appointment is processed in accordance with Article 6(1)(b) of the Regulation – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. The scope of personal data processed includes: first name, last name, telephone, email, and a brief description of the problem. Subsequently, they are stored for a period of 1 year. If retention periods according to commercial and tax law must be observed, the retention period is governed by Act No. 395/2002 Coll. on Archives and Registries. Personal data is not transferred to a third country. Personal data will not be used for automated individual decision-making, including profiling.
- Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Personal data that we process about our clients is processed based on a contract in accordance with Article 6(1)(b) of the Regulation (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract). The scope of personal data processed includes: title, first name, last name, address, date of birth, personal identification number, telephone, email, signature, and other necessary personal data, as well as health data essential for examination/processing. Subsequently, they are stored in accordance with Act No. 395/2002 Coll. on Archives and Registries.
- Records of Requests
Personal data processed via emails is processed solely for handling your request. By completing and submitting a request, you consent to the processing of personal data in accordance with Article 6(1)(a) of the Regulation (the data subject has given consent to the processing of his or her personal data for one or more specific purposes). The scope of personal data processed includes: first name, last name, address, telephone, email. Personal data will be stored only until the purpose for which they were processed has been fulfilled. If retention periods according to commercial and tax law must be observed, the retention period is governed by Act No. 395/2002 Coll. on Archives and Registries. Personal data is not transferred to a third country. Personal data will not be used for automated individual decision-making, including profiling.
- Processing of Accounting Documents
Processing is necessary for compliance with a legal obligation to which the controller is subject, in accordance with Article 6(1)(c) of the Regulation. The scope of personal data processed includes: title, first name, last name, address, telephone, account number, email, and signature. Subsequently, they are stored in accordance with Act No. 395/2002 Coll. on Archives and Registries.
- Records of Complaints
Personal data of data subjects who seek to protect their rights or legally protected interests, or who point out specific shortcomings, especially violations of legal regulations whose elimination requires the intervention of the competent authority, are processed in accordance with Article 6(1)(c) of the Regulation (processing is necessary for compliance with a legal obligation to which the controller is subject). The scope of personal data processed includes: first name, last name, address, telephone, email, and signature. Subsequently, they are stored for a period of 5 years.
- Debt Collection
In the case of debt collection, personal data is processed in accordance with Article 6(1)(c) of the Regulation. The scope of personal data processed includes: first name, last name, personal identification number, address, telephone, email. Subsequently, they are stored in accordance with Act No. 395/2002 Coll. on Archives and Registries.
- Executions
The processing of personal data is necessary for compliance with a legal obligation to which the controller is subject, in accordance with Article 6(1)(c) of the Regulation. The scope of personal data processed includes: ordinary personal data, other personal data identified or provided during the proceedings. Subsequently, they are stored in accordance with Act No. 395/2002 Coll. on Archives and Registries.
- Records of Job Applicants
The processing of personal data of job applicants is carried out based on the “Consent” to personal data processing in accordance with Article 6(1)(a) of the Regulation, provided by the applicant. The Controller will contact only successful applicants. Personal data is stored for a period of 12 months from the date consent is given. Personal data is not transferred to a third country. Personal data will not be used for automated individual decision-making, including profiling. You have the right to withdraw your consent to personal data processing at any time before the expiry of the stated period by sending a request to the email address: dpo@gyncare.sk or by sending a request to the Controller’s address with the text “GDPR consent withdrawal” on the envelope. The Controller declares that in the event of a written request from the data subject to cease personal data processing before the stated deadline, the data will be erased within 30 days of receipt of the consent withdrawal.
- Marketing
Personal data that we process about our clients for marketing purposes is processed based on the data subject’s consent in accordance with Article 6(1)(a) of the Regulation. The scope of personal data processed includes: first name, last name, address, telephone, email, and signature. Subsequently, they are stored for a period of 2 years. Your personal data related to marketing may be provided to our partners who perform partial personal data processing activities for the Controller, particularly in the area of marketing and satisfaction surveys.
- Records of Supplier and Customer Representatives
The processing of personal data of suppliers and customers is carried out in accordance with the legitimate interests of the Controller, pursuant to Article 6(1)(f) of the Regulation. The scope of personal data processed includes: title, first name, last name, job position, official position, functional position, employee ID number, department, place of work, telephone number, fax number, work email address, and employer identification data. Subsequently, they are stored for a period of 10 years after the termination of the contract or business relationship.
5. Rights of the Data Subject
- Right to withdraw consent – in cases where we process your personal data based on your consent, you have the right to withdraw this consent at any time. You can withdraw consent electronically, at the address of the authorized person, in writing, by notification of consent withdrawal, or in person at our company’s registered office. The withdrawal of consent does not affect the lawfulness of personal data processing that we carried out based on your consent before its withdrawal.
- Right of access – you have the right to obtain a copy of the personal data we hold about you, as well as information on how we use your personal data. In most cases, your personal data will be provided to you in written paper form, unless you request a different method of provision. If you requested this information by electronic means, it will be provided to you electronically, if technically feasible.
- Right to rectification – we take reasonable steps to ensure the accuracy, completeness, and up-to-dateness of the information we hold about you. If you believe that the data we hold is inaccurate, incomplete, or outdated, please do not hesitate to ask us to amend, update, or supplement this information.
- Right to erasure (right to be forgotten) – you have the right to ask us to erase your personal data, for example, if the personal data we have collected about you is no longer necessary for the original purpose of processing. However, your right must be assessed in light of all relevant circumstances. For example, we may have certain legal and regulatory obligations, which means we may not be able to comply with your request.
- Right to restriction of processing – under certain circumstances, you are entitled to ask us to stop using your personal data. This applies, for example, if you believe that the personal data we hold about you may be inaccurate or if you believe that we no longer need to use your personal data.
- Right to data portability – under certain circumstances, you have the right to ask us to transfer the personal data you have provided to us to another third party of your choice. However, the right to portability only applies to personal data that we have obtained from you based on consent or based on a contract to which you are one of the parties.
- Right to object – you have the right to object to data processing that is based on our legitimate interests. If we do not have a compelling legitimate ground for processing and you submit an objection, we will no longer process your personal data.
If you believe that any personal data we hold about you is incorrect or incomplete, please contact us.
If you wish to object to the way we process your personal data, please contact our Data Protection Officer by email at: dpo@gyncare.sk or in writing to the address:
GYNCARE, s. r. o.
Magnezitárska 2/C
040 13 Košice
Our authorized person will review your objection and work with you to resolve the matter.
If you believe that your personal data is being processed unfairly or unlawfully, you may file a complaint with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27; tel. number: +421 2 323 132 14; email: statny.dozor@pdp.gov.sk, https://dataprotection.gov.sk.