Declaration on Personal Data Processing
IVF Zentren Prof. Zech – Pilsen s.r.o., with its registered office at Bedřicha Smetany 167/2, Vnitřní Město, 301 00 Plzeň, Id. No.: 26360942 (hereinafter the "Company"), issues this Declaration on Personal Data Processing and information communication (hereinafter the "Declaration"), in accordance with Regulation (EC) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation) (hereinafter the "GDPR Regulation"), which came into effect on 25 May 2018.
The Czech version of the GDPR Regulation is available at the following website: https://eurlex.europa.eu/legal-content/CS/TXT/?uri=CELEX:32016R0679
Information for employees and other personnel of the Company regarding the GDPR Regulation is provided for in a separate information communication which the Company issued for its employees.
This Declaration is issued by the Company in particular for the purpose of informing the Company’s clients (patients) and contractual partners (in particular health care providers) which are regarded as so-called data subjects and whose personal data the Company processes in the framework of its activity.
The Company values the confidence placed in us by our clients and contractual partners and, therefore, protection of their privacy and personal data is very important for us. For this reason, the Company issues this Declaration so that our clients and contractual partners can obtain adequate information regarding management of personal data and regarding rights they are entitled to in this respect.
What can you learn from this document?
- Explanation of Main Terms (Article III)
- Method of Personal Data Processing (Article IV)
- Category of Personal Data, Purposes and Legal Basis for Their Processing (Article V)
- Processing of Personal Data Based on Consent (Article VI)
- Contact Information of the Company as the Controller (Article VII)
- Contact Information of the Data Protection Officer (Article VIII)
- Categories of Recipients of Personal Data (Article IX)
- Period of Retention of Personal Data (Article X)
- Rights of Data Subject in Relation to Protection of Its Personal Data (Article XI)
- Consequences of Possible Refusal to Provide Personal Data (Article XII)
Explanation of Main Terms
First, we would like to provide you with an explanation of the main terms referred to in this Declaration. These terms have been taken over from the GDPR Regulation where you can find the exact legal definitions. For the purposes of this Declaration and clarity thereof, we have taken the liberty of simplifying some of the legal definitions and making them more transparent.
The terms below used in this Declaration have the following meaning:
"personal data" = any information relating to a data subject
"data subject" = unique natural person (human), that is directly or indirectly identifiable based on certain data
"processing" = any operation with personal data, in particular their collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
"controller" = natural or legal person or public authority which determines the purposes and means of the processing of personal data
"processor" = natural or legal person or public authority which processes personal data on behalf of the controller
Method of Personal Data Processing
The processing of personal data is carried out primarily in the Company’s establishments by duly trained personnel of the Company or, possibly, in specific cases, it is carried out at the premises of the processors - third parties authorised to this end by the Company. The processing is carried out through computer technology or, in case of personal data in written form, also manually, while adhering to the adopted security principles for ensuring proper management of personal data, including data and security integrity of the relevant systems.
To this end, the Company adopted technical and organisational measures ensuring protection of personal data, in particular measures preventing unauthorized or accidental access to personal data, their change, destruction or loss, unauthorized transmission and other unauthorized processing, as well as other misuse of personal data.
In conformity with the GDPR Regulation, the Company may transfer personal data to other countries of the European Union, in particular in the framework of use of information systems where operators of the relevant cloud services have their data storage servers located in other countries of the European Union.
All entities whom personal data may be made accessible to shall respect the right of the data subjects to protection of privacy and shall proceed according to the applicable legal regulations concerning personal data protection.
Category of Personal Data, Purposes and Legal Basis for Their Processing
The Company processes personal data mostly for the purpose of providing health care services and related activities (in particular for the purpose of keeping medical documentation), primarily in order to comply with its statutory obligations. It basically includes the following categories of personal data:
- Identification data – name, surname, birth identification number, date and place of birth, residence/registered office address, health insurance company, insured person’s number, signature
- Contact data – contact address, telephone number, e-mail address and other similar information
- Medical data (special category of personal data) – anamnesis, diagnosis, laboratory test results, medical records, genetic data and similar sensitive data concerning the state of health of its patients
The Company further processes personal data for the purpose of performance of the rights and obligations under contracts relating to or in connection with the Company’s activity which the Company concluded with its contractual partners (in particular health service providers, patients – self-employed persons, clients and suppliers) on the basis and within the limits of such contracts; they include the following categories of personal data:
- Identification data – name, surname, birth identification number, date of birth, residence/registered office address, health insurance company, insured person’s number, Id. No., Tax Id. No., facility/workplace identification number, signature
- Contact data – contact address, telephone number, e-mail address, fax and other similar information
- Information on education / qualifications – professional qualification, continuous education and certificate of formal qualifications and improvement thereof, and other similar information
- Payment information – bank account number, payment history
The above-specified personal data processing is required for the performance of legal obligations of the Company as the health service provider and for the performance of concluded contracts. Therefore, the Company, in principle, does not require consent of the relevant data subject to the processing of personal data in the above-specified cases.
The Company further processes some personal data of its clients and contractual partners or third parties, as the case may be, whenever necessary for the protection of the Company’s property or other legitimate interests. However, in all the above cases, the Company strictly makes sure that these interests are not outweighed by the interests or fundamental rights and freedoms of data subjects whose personal data are to be processed.
For the purpose of protection of its own property, the Company operates a CCTV system in some of its premises. The operation of the CCTV system is subject to strictly stipulated rules and it is carried out only within the necessary scope to make sure that it does not excessively interfere with the privacy of individuals.
Such processing of personal data is necessary for the purposes of legitimate interests of the Company and, therefore, the Company does not require consent of the relevant data subject for the processing of these personal data either.
Processing of Personal Data Based on Consent
There is a narrow category of personal data which the Company processes on the basis of consent of the data subject.
In the case of processing of personal data which do not fall within any of the above-specified categories, we do require your consent to the processing of personal data as a matter of principle. In such narrow category of personal data, we process e.g. data on visits to the Company’s website (in particular by means of cookies or, possibly, IP address of the visitor to the website and similar data).
You are not obliged to provide us with these data and they are processed solely on the basis of your consent. You may revoke your consent to the processing of the above-specified data at any time. However, the legality of personal data processing prior to revocation of the consent shall not be prejudiced by the revocation.
Contact Information of the Company as the Controller
Business name: IVF Zentren Prof. Zech – Pilsen s.r.o.
Id. No.: 26360942, with its registered office at Bedřicha Smetany 167/2,
Vnitřní město, 301 00 Plzeň, registered in the Commercial
Register kept by the Regional Court in Plzeň, Section C,
Contact Information of the Data Protection Officer
You may contact the Company in any matter regarding personal data through the Data Protection Officer, both by electronic means using e-mail address firstname.lastname@example.org or in writing at the address: IVF Zentren Prof. Zech – Pilsen s.r.o. Data Protection Officer, Bedřicha Smetany 167/2, 301 00 Plzeň.
Categories of Recipients of Personal Data
Although the Company aims to process the received personal data with its own means, in some cases it is necessary to transfer the personal data to other entities (so-called recipients of personal data). In order to protect personal data, the Company has set its internal processes so that these personal data are provided only to defined third parties and only in justified cases and within the necessary scope.
In order to be able to perform its obligations stipulated by the legal regulations or by the concluded contracts, the Company transfers data about its clients (patients) and contractual partners, for the purpose of performance of its statutory obligations, to certain third parties which include in particular health insurance companies, other health service providers, tax administrator, as well as processors authorised by the Company to process personal data for the purpose of performance of the Company’s statutory and/or contractual obligations (data archive operator, auditors, external lawyers, operators of the Company’s IT systems, entities performing accounting for the health services provided, etc.).
Period of Retention of Personal Data
The Company has set its internal rules to make sure your personal data are retained only as long as necessary. The data that the Company is obliged to process for the purposes of performing its statutory obligations are thus retained for a period which is imposed on the Company by the applicable legal regulations.
In the Company, the period of data processing and retention follows in particular from the statutory deadlines stipulated mainly in Decree No. 98/2012 Sb., on medical documentation, as amended, in Act No. 582/1991 Sb., on the organization and implementation of social security, as amended, and in Act No. 563/1991 Sb., on accounting, as amended (e.g. for medical documentation, the retention period is up to 100 years in some cases).
The personal data which are processed based on your consent are processed exclusively for the duration of the consent.
Any recordings recorded by the Company’s CCTV system are continuously, within three days of being recorded, deleted from the respective data storage (such data are replaced by the recording currently recorded). A longer period of archiving of CCTV recordings is only permissible if the recordings indicate an illegal interference with the property or other rights and protected interests of the Company.
Rights of Data Subject in Relation to Protection of Its Personal Data
In relation to processing of your personal data by the Company, you have the following rights under the terms and conditions stipulated by the GDPR Regulation:
- Right to access the personal data concerning you – you have the right to receive confirmation from the Company whether or not your personal data are being processed. If they are, you have the right to gain access to them (including obtaining a copy of personal data free of charge¹) and receive information regarding their processing;
- Right to have personal data rectified or completed if they are inaccurate or incomplete;
- Right to obtain erasure of personal data concerning you ("right to be forgotten") where the Company will erase and will no longer process your personal data if (a) the personal data are no longer required for the purposes for which they were collected or otherwise processed, (b) you revoke the consent granted and there is no other legal ground for the processing, (c) you object to the processing and there are no overriding legitimate grounds for the processing, (d) the personal data have been unlawfully processed, (e) the personal data have to be erased for compliance with a legal obligation of the Company, or (f) the personal data have been collected in relation to the offer of information society services to a child, unless the GDPR Regulation allows for further processing.
- Right to restriction of processing of personal data concerning you if (a) you contest the accuracy of the personal data, (b) you consider the processing of the personal data to be unlawful and request that the processing be restricted, (c) the Company no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or (d) you objected to the processing and the objection has not been addressed yet.
- Right to object to processing of the personal data concerning you if the Company processes the personal data in order to perform a task carried out in the public interest or in the exercise of official authority (but the Company does not carry out any such processing as a matter of principle) based on legitimate interests or for the purposes of direct marketing. If the Company fails to prove serious legitimate reasons for such processing, which outweigh your interests or rights and freedoms or for the establishment, exercise or defence of legal claims, the personal data will no longer be processed. If you object to processing of the personal data for the purposes of direct marketing (including profiling), the Company will no longer process the personal data for such purposes regardless of whether there are serious legitimate reasons for their processing.
- Right to lodge a complaint with a supervisory authority, i.e. the Office for Personal Data Protection (with its registered office at Pplk. Sochora 27, 170 00 Prague 7), if you consider that the processing of personal data infringes the GDPR Regulation and/or any other legal regulation;
- Right to data portability if the processing of personal data is carried out by automated means based on your consent or in connection with negotiation or performance of a contract on the basis of which you have the right to receive the personal data in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller or ask the Company, if technically feasible, to directly transmit those data to such other controller. However, if the exercise of such right could adversely affect the rights and freedoms of other persons, the Company will not be able to satisfy the request for data transfer.
¹In case of a repeated request for a copy, the Company is entitled to charge an appropriate fee to cover the costs incurred.
Consequences of Possible Refusal to Provide Personal Data
The provision of personal data of clients and/or contractual partners of the Company, which the Company needs for the purposes of keeping the medical documentation within the scope stipulated by the applicable legal regulations and for the performance of its statutory obligations of a health service provider, is a statutory requirement and, from the Company’s viewpoint, it is also essential for the performance of the relevant contract. Without providing such personal data, the Company would not be able to duly perform its statutory and contractual obligations and, therefore, refusal to provide personal data may result in that the Company will not be able to conclude the relevant contract or will not be able to provide its services.
In case of personal data which are processed based on your consent, the granting of such consent is absolutely voluntary. In such case, refusal to provide consent or revocation of the consent will have no consequences for you. However, even if the consent is revoked, any processing of personal data carried out prior to revocation of the consent will continue to be in conformity with the legal regulations.