Privacy Policy

The Company "NOSILEFTIKI SA", trading as "St. Luke's Hospital" with registered seat at Charilaou Trikoupi Street, P.C. 55236, Panorama, Thessaloniki, tel. 0030 2310 380000, ensures the privacy and confidentiality of your personal data and adopts the General Data Protection Regulation 679/2016 of the EU in all procedures and communication with you.

Purpose of this policy

This policy provides every person interested in receiving medical services from the Company and every visitor/user of the Company's website with clear and transparent information regarding the practices followed for the management and protection of personal data.

It concerns any operation or series of operations carried out, with or without the use of automated means, on personal data or on sets of personal data, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, search for information, use, disclosure by transfer, dissemination or any other form of making available; the association or combination, restriction, deletion or destruction.

The Policy is updated from time to time and may be amended whenever necessary, without prior notice, always within the in force legal framework and in accordance with any modifications to the applicable legislation on the protection of personal data. We therefore recommend that you check this Policy regularly in order to be informed of any changes that have been made.

What is personal data?

Personal data is any information concerning a specific natural person or person whose identity can be verified (e.g. name, identity number, address, etc.). Data relating to health (physical or mental condition, medical services, etc.) are included in the general term personal data but constitute a special category of data. 

How is your personal data collected?

Your personal data is collected as follows:

(a) you provide them to us when the Company provides medical services to you or to a person you are accompanying; 

(b) when you contact us, in order for you or a third party obtain medical services; 

(c) when you submit an application for employment to the Company. The disposal of your personal data in the context of submitting a CV to find a job in the Company takes place voluntarily as otherwise it would not be possible to evaluate the likelihood of your recruitment. 

The processing is necessary to take measures at the request of the data subject prior to the conclusion of a contract, in accordance with Article 6b of the Regulation.

(d) when you fill in electronic forms or send e-mails in order to obtain information or use the services available on the Company's website www.klinikiagiosloukas.gr. The submission of your basic data is done at your choice and the processing is done with your consent for the sole purpose of informing you in accordance with Article 6b of the Regulation, 

(e) automatically through your browser or mobile device that you use to access our Website www.klinikiagiosloukas.gr,

(f) they are provided to us by a third-party partner after you have given your consent (e.g. insurance company), 

 (g) you provide them to us in order to join the list of promotional activities (newsletter) in order to send informative material about the services and other actions of the Company. The submission of your basic data is at your choice and the processing is carried out with your consent for the sole purpose of informing you about the medical services provided by our Company in accordance with article 6b of the Regulation.

What kind of personal data is collected and for what purpose?

Personal data collection and further processing include:

- your identity, demographic information, address and, more generally, contact details (including your email address and phone number), yours or those of your relatives;  The purpose of the collection is the execution of the contract for the provision of health services that you have signed or signed by another natural or legal person on your behalf and / or for the preservation of your vital interest and / or for the fulfilment of a legal obligation or interest of the company and / or on the basis of your consent. The Company may transfer them within or outside the European Union to private and /or public insurance bodies, associates, and/or competent judicial, police or tax authorities in accordance with the applicable legal framework.

- health data relating to medical or nursing services provided by the Company or health data for medical services not provided by us but referred to us either by you or through third parties, e.g. your clinical symptoms, the medical treatments you have received, your personal medical history, the medication you are taking, your family - medical history, imaging tests, genetic data, biological samples, photographic imaging of your clinical picture on admission, etc. The purpose of collecting and maintaining the data is to provide medical services and the administrative management of these services. The processing is necessary for the purposes of medical diagnosis & provision of health care, in accordance with Reg. 679/2016, articles 9.2h and 9.2c.

We would like to inform you that where the provision of health services is related to the performance of a surgical act (where applicable), the company may for scientific research purposes (Regulation 679/2016, article 9.2j) and for the exercise or support of its legal claims (Regulation 679/2016, article 9.2f) make a medical record thereof. In cases where the company wishes to publish this act, e.g. at medical conferences, then the maximum possible effort will be made to protect the patient's personal data through the application of various techniques (e.g. blurring of the image) so that it is not possible to identify the patient.

- information you give us about our payment, such as bank card information. The purpose of the processing is the execution of the health service contract signed by you or another natural or legal person on your behalf.

In addition to the above data you provide to us, when you use our Website, your device automatically provides us with data so that we can serve and customize our response to you. The type of information we collect by automated means generally includes technical information about your computer, such as your IP address or other device identifier, the type of device you are using, and the version of the operating system. The data we collect may also include usage information and statistics about your interaction with the website. It may also include information about the URLs of the web pages you visited, the referring pages and exit pages, page views, the time spent on a page, the number of clicks, the type of platform, the location data (if you have enabled access to your site) and other information about how you used the platform.

This information is collected using Cookies and other similar tracking technologies. We recommend that you check our Cookie Policy to learn more about Cookies, how we use them and how you can control their use.

More details about the technologies used on our website can be found in our Cookies Policy. 

Are the data transferred to third parties?

We may disclose your personal information (in whole or part of it, as required) indicatively to: 

a) all authorised people of our Company, e.g. legal advisors, associate histopathologists, associate doctors for diagnostic purposes or clinical tests, associate physiotherapists, collaborating diagnostic centres, collaborating clinics and hospitals, collaborating laboratories and other health providers.
 

(b) system support providers for processing such data; 

(c) insurance institutions patients declare when admitted to our Hospital; 

d) judicial or other supervisory or auditing authorities, e.g. HCDCP, YPEDYFKA, etc. 

(e) to third parties having a legitimate interest in the establishment, exercise or defence of legal claims; 

g) to third parties (e.g. another doctor of your choice) / companies cooperating with the Company (e.g. insurance companies), following your order.

In cases where your consent is required for the disclosure of your data to third parties (where they are not mentioned by law), this will be explicitly requested by you and you have the right at any time to withdraw it. In these cases, the Company assures you that it is constantly vigilant and takes all the necessary security measures, so that transfer of personal data is carried out in the safest possible way.

They are transferred only to authorised third parties who are bound to maintain confidentiality, when they are required to have access to such services (e.g. doctors for diagnostic purposes). The Company reserves the right, in exceptional cases, to process your personal information to the extent permitted or required by law, and / or by court decisions or prosecutorial orders / provisions.

The Company is legally obligated not to trade your personal data by making it available for sale/ rent by giving it/ transferring/ disclosing or sharing it to third parties or to use it in another way and for other purposes that may endanger your privacy, rights or freedoms, unless required by law, court order/ order, an administrative act or if it is a contractual obligation necessary for the proper functioning of the Company's Website and the realization of its functions.

Personal data may be transferred to partners, or third parties, complying with the terms of this Policy and committed to confidentiality, who act on behalf of the Company for further processing for the purpose of providing services, evaluating and improving the functionality of the website, marketing, data management and technical support purposes, only after the user has been informed in advance and his/her consent has been obtained. 

These third parties are legally committed to the Company to use the personal data only for the above reasons and not to transfer the personal information to third parties, as well as not to disclose it to third parties unless required by law.

For how long can personal data be kept?

The retention period can vary significantly depending on the type of data and how it is used. The determination of the data retention time is based on criteria such as legal retention deadlines, pending or potential disputes, intellectual property or property rights, contractual requirements, operational instructions or needs for archiving. 

According to the Code of Medical Ethics (L.3418/2005, Government Gazette A 287/28.11.2005), "Article 14§4: The obligation to maintain medical records applies: a) to private clinics and other primary health care units of the private sector, for a decade from the last visit of the patient and b) in any other case, for twenty years from the last visit of the patient".

Data retained for the marketing of products or services and/or the granting of privileges will be deleted six months after the completion of the action. 

CVs collected by the Personnel Department are kept for one year.

Tax information is kept in accordance with tax legislation.

If you have given your consent for using your data for direct marketing, we will retain such data until you notify us of something different and/or withdraw your consent by sending a relevant written request to the email address privacy@klinikiagiosloukas.gr or making use of the unsubscribe feature.

Data collected through the video surveillance system are kept up to 15 days after which they are automatically deleted. In the event that during this period we find an incident, we isolate part of the video and keep it for up to one (1) month more, in order to investigate the incident and initiate legal proceedings to defend our legitimate interests, while if the incident concerns a third party we will keep the video for up to three (3) more months.

Information on the processing of personal data through a video surveillance system

We use a surveillance system for the purpose of protecting persons and property. The processing is necessary for purposes of legitimate interests pursued by us in our capacity as Data Controller and in accordance with Article 6.1f of the Regulation. 

Our legitimate interest lies in the need to protect our space and the goods found in it from illegal acts, such as thefts. The same applies to the safety of life, physical integrity, health as well as the property of our staff and third parties legally present in the supervised area. We only collect image data and limit the download to places where we assessed that there is an increased likelihood of illegal acts (e.g. at the entrance) without focusing on places where the privacy of the persons whose image is taken may be excessively restricted, including their right to respect for personal data.

The material kept is accessible only by our competent / authorised personnel who are in charge of the Hospital's security. Such material shall not be transferred to third parties, except in the following cases: a) to the competent judicial, prosecutorial and police authorities when it includes information necessary for the investigation of a criminal offence concerning persons or property of the controller, b) to the competent judicial, prosecutorial and police authorities when they request data, lawfully, in the exercise of their duties; and (c) to the victim or offender of an offence, in the case of data which may constitute evidence of the act.

What are my rights to the processing of my personal data?

You have the right at any time to request: a) access to your personal data, b) correction of your personal data if it is inaccurate or incomplete, c) deletion of your personal data, unless their processing is necessary for the exercise of the legal rights of the Company or third parties, for the fulfilment of a legal obligation, for reasons of public interest or for the defence of our legal rights before judicial or other authorities, d) restricting the processing of your personal data only for specific purposes.

In order to exercise any of the above rights, please use the "Request Form for the Exercise of Rights" and send it either by letter to the Company's headquarters (Char. Trikoupi 3, P.C. 55236, Panorama of Thessaloniki, tel. 2310 380000), or by e-mail (to the e-mail account: privacy@klinikiagiosloukas.gr), always stating your full details and the reason for your communication.

In the event of the exercise of one of your above rights, the Company will take every possible measure to satisfy your request within one month, informing you in writing of the satisfaction of your request or of the reasons that prevent the satisfaction of one or more of them, as well as of the reasons for any delay beyond the period of one month and in any case not later than three months. In addition, the Company will inform you of your further rights in case of improper response. This information is provided free of charge by the Company, provided that the request for disclosure and information is not repeatedly, excessively and / or is manifestly unjustified.

If you consider that the Company in any way violates the applicable legislation on personal data, you reserve the right to submit a complaint to the competent Supervisory Authority for the Protection of Personal Data: http://www.dpa.gr, Kifissias 1-3, P.C. 115 23, Athens, tel. 210 6475600, email: contact@dpa.gr.

In this case, we would greatly appreciate your prior communication with the Company's Data Protection Officer (DPO) either by letter at the Company's headquarters (Fri. Char. Trikoupi 1, P.C. 55236, Panorama of Thessaloniki, tel. 2310 3800000), or by e-Mail (to the E-Mail account of the Data Protection Officer: privacy@klinikiagiosloukas.gr), always indicating your full details and the reason for your contact.

Version 5/ 01.07.2022