Information on the processing of personal data
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on informing data subjects (hereinafter referred to as "GDPR"), we hereby inform you how our company UNICA Prague s.r.o, Office Park Nové Butovice - budova C, Bucharova 2657/12, 158 00 Prague 13, ID No.: 052 87 031, registered in the Commercial Register kept by the Municipal Court in Prague, file number C 261259, as the personal data controller (hereinafter referred to as "the controller" or also "we") processes your personal data and about the rights and obligations associated with it.
Personal data controller
The controller of your personal data is our company UNICA Prague s.r.o., with its registered office at Office Park Nové Butovice - budova C, Bucharova 2657/12, 158 00 Prague 13, registered in the Commercial Register kept by the Municipal Court in Prague, file number C 261259.
In connection with the processing of personal data, you can contact us through our Data Protection Officer, who has been appointed by LAWYA, s.r.o., with registered office at Březinova 746/29, Žabovřesky, 616 00 Brno, ID No.: 023 22 021, through the contact person Mgr. Ivana Šilhánková, email@example.com, +420 770 606 082, or via the following contact details: IVF-Praha@unica.cz
Scope of personal data processing
We collect and use your personal data solely in connection with the provision of healthcare to you. We are also obliged to disclose your personal data when reporting on covered healthcare and fulfilling other legal obligations, such as tax and accounting obligations and reporting to the registers of certain diseases provided for by law. The protection of your personal data and your medical records is essential to us and we have taken a number of strict technical and organisational measures to secure your personal data.
We process personal data to the extent that they are provided to us by the data subject in connection with the conclusion of a health care contract with the controller or in connection with the provision of health services in accordance with Act No. 372/2011 Coll., on Health Services and Conditions of their Provision (Health Services Act), its implementing regulations and other regulations governing the provision of health services. We also process personal data that have not been provided by the data subject but which we obtain in the course of providing health services, e.g. data obtained as results of specific examinations.
Purpose of processing personal data
We process personal data for the following purposes:
- the provision of health services;
- the fulfilment of legal obligations by the controller;
- maintaining medical records;
- entering into and performance of a healthcare contract;
- establishing, exercising or defending legal claims;
- the provision, to the extent necessary, of legal, economic and tax advisers and auditors for the purpose of providing advisory services to the Trustee and fulfilling legal obligations.
- The processing of your personal data for purposes other than those listed above will only occur if such processing is compatible with the above purposes. We will inform you of such further processing of your personal data and, if necessary, request your consent.
Legal basis for the processing of personal data
The legal basis for processing your personal data is:
- Performance of a contract: Processing of personal data to the extent necessary for the performance of a healthcare or other contract with you within the meaning of Article 6(1)(b) of the GDPR;
Compliance with legal obligations: processing of personal data to the extent necessary for compliance with legal obligations to which the controller is subject as a provider of healthcare services within the meaning of Article 6(1)(c) of the GDPR;
- Legitimate interest: Processing of personal data to the extent necessary for the purposes of the legitimate interests of the controller within the meaning of Article 6(1)(f) of the GDPR. The legitimate interest of the controller consists in the defence and enforcement of legal claims, the protection of the company's facilities, objects and assets, as well as the data and the facilities for processing them. The processing of your data is permissible here unless the protection of your interests, fundamental rights and freedoms overrides the legitimate interests of the controller. Data on the health status of patients are not processed on the basis of legitimate interest.
- Consent: If necessary, your consent will be sought on a case-by-case basis for the processing or transfer of your data. Your consent in these cases is voluntary and you may withdraw it at any time in the future. You will not suffer any disadvantages from not giving consent or later withdrawing consent.
With regard to the processing of special categories of personal data to the extent required by law, we process your health data and the medical history data you provide solely for the purpose of providing health services in accordance with health services legislation and to comply with related legal obligations.
Categories of personal data
Personal data is processed to the following extent:
- Address and identification data, such as name, surname, date of birth, residential address, etc;
- contact data such as contact address, telephone number, email address, etc;
- data in connection with payments under the healthcare contract, such as bank details, health insurance company details;
- data necessary for the performance of the healthcare contract and the provision of the healthcare in question, including data on the health status of the data subject and data provided in the anamnestic questionnaire.
- Data in connection with CCTV systems, namely the processing of video footage of the movement of persons in the vicinity of installed cameras. The camera system is installed in publicly accessible areas of the Administrator's building, on the exterior of the Administrator's buildings and at entrances and entrances to the Administrator's buildings. The camera systems are installed to, among other things, ensure the security of your data and medical records, as well as to protect property and the life and health of persons in the building. Camera systems are not installed in any private areas such as locker rooms or restrooms. Further information on the processing of personal data in connection with the camera systems is provided in the Information on the processing of personal data in connection with the operation of the camera system or at the contact details above.
- In specific cases where consent has been given, photographs or videos for the purpose of placing on the company's website, whereby the patient will be informed of such use and their consent to the processing of personal data will be sought.
Recipients of personal data and transfer of personal data to third countries
Your personal data may be transferred to the following recipients:
- Other providers of health care services in the context of extended or follow-up health care and providers of selected health care services, in particular external laboratories or providers of genetic testing;
- public institutions, in particular health insurance companies;
- public authorities in the context of the fulfilment of their legal obligations under the relevant legislation, including the transmission of anonymised data to the National Register of Assisted Reproductive Technology;
- processors under contract with the controller to the extent necessary for the purpose of the processing, e.g. companies managing electronic medical record keeping systems, persons providing data storage or archiving, etc;
- anonymised personal data to sponsors of clinical trials in the field of assisted reproduction, whereby the patient will be informed of such use and prior informed consent to participate in the clinical trial will be sought;
- persons providing legal advice;
We do not transfer your personal data to third countries outside the European Union. Health data and medical records are not transferred to third countries outside the European Union.
Processing and protection of personal data
Personal data is processed primarily in medical records in full compliance with applicable law. The security and protection of personal data is ensured in accordance with these regulations and the GDPR.
How long do we keep your personal data?
Your personal data will be processed for as long as necessary to fulfil the purpose and in accordance with the time limits specified in the relevant legislation for shredding and archiving documents, or as long as necessary to establish, exercise or defend legal claims.
What are your rights when processing personal data?
Your data protection rights are regulated in Chapter III (Article 12 et seq.) of the GDPR. Under these provisions you have the following rights:
- The right of access to personal data with the controller, which means that you can at any time request confirmation from the controller as to whether or not the personal data concerning you are being processed and, if so, for what purposes, to what extent, to whom they are disclosed, how long they will be processed, whether you have the right to rectification, erasure, restriction of processing or to object, where the personal data were obtained from, and whether or not automated decision-making, including possible profiling, is taking place on the basis of the processing of personal data. You also have the right to obtain a copy of your personal data, the first provision of which is free of charge, and the controller may charge reasonable administrative costs for further provision.
The right to rectification of personal data, which means that you can ask the controller to rectify or complete your personal data if it is inaccurate or incomplete.
- The right to erasure of personal data ("right to be forgotten"), which means that the controller must erase your personal data if one of the following reasons applies: (i) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, (ii) you withdraw the consent on the basis of which the personal data was processed and there is no further reason for processing it, (iii) you object to the processing and there are no overriding legitimate grounds for the processing, (iv) the processing is unlawful, or (v) the personal data must be erased to comply with a legal obligation of the controller.
- The right to restrict the processing of personal data, which means that until the disputed issues regarding the processing of your personal data are resolved, specifically if (i) you contest the accuracy of the personal data, (ii) the processing is unlawful, but instead of erasing the personal data, you only want to restrict the processing, (iii) the controller no longer needs the personal data for the purposes of the processing but you do (iv) or if you have objected to the processing, the controller can only store the personal data and further processing is subject to your consent or that the data is needed for the establishment, exercise or defence of legal claims.
- The right to data portability, which means that you have the right to obtain your personal data that you have provided to the controller with your consent for processing or for the purposes of performance of a contract in a structured, commonly used and machine-readable format and, where technically feasible, you have the right to have the controller transfer the data to another controller.
The right to object to certain types of processing of personal data (specifically, processing carried out in the public interest or on the basis of the legitimate interest of the controller) where grounds for objecting to the processing of personal data would arise in your particular situation, which means, in such cases of processing, you may object to the processing of your personal data by submitting a written or electronic objection to the controller, which will cause the controller to no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests or rights and freedoms or for the establishment or exercise of legal claims.
- The right to withdraw consent where we process your personal data on the basis of consent. You may withdraw the consent you have previously given us to process your personal data at any time without giving any reason. In this case, we will delete your personal data if we do not need the data for other purposes. However, this does not apply in cases and to the extent that consent to processing is not the legal basis for the processing.
- Right to lodge a complaint with a supervisory authority, the competent supervisory authority for personal data protection in the Czech Republic is the Office for Personal Data Protection, located at Pplk. Sochor 27, 170 00 Prague 7, tel. +420 234 665 111, e-mail: firstname.lastname@example.org.
How can I exercise individual rights?
In all matters related to the processing of your personal data, whether it is an inquiry, exercising a right, filing a complaint or anything else, you can contact the Data Protection Officer, which is LAWYA, s.r.o., with registered office at Březinova 746/29, Žabovřesky, 616 00 Brno, ID No.: 023 22 021, through the contact person Mgr. Mgr. Ivana Šilhánková, email@example.com, +420 770 606 082, or at the contact details listed in the header of this document.
Your request will be processed without undue delay, but within one month at most. In exceptional cases, in particular due to the complexity of your request, we are entitled to extend this period by a further two months. We will, of course, inform you of any such extension and the reasons for it.