Privacy Policy - myCANADIAN
The Administrator of your personal data is Canadian Medical s.r.o., Identification no. 26775816, with its registered office at Evropská 859/115, 160 00 Prague 6, entered in the Commercial Register administrated by the Municipal Court in Prague under ref. no. C 92970 (hereinafter referred to as the “Administrator”).
Introductory information
This information serves several purposes for you. You will learn which of your data we process and why we do so. You will also learn about the rights that you have in connection with personal data processing, i.e. what you can request from us and to whom you can turn with your suggestions and complaints, if you have any. Therefore, we request that you carefully read the following text. The information is divided into several sections so that it will be easier for you to find the relevant information according to your status or position.
In the event that anything is unclear to you with respect to the protection of personal data, please do not hesitate to contact us using one of the following methods:
- by post or in person upon prior agreement at the address EUC a.s., Evropská 859/115, 160 00 Prague 6
- by e-mail at the e-mail address dpo@euc.cz,
- by telephone at +420 731 546 921 from 9:00 a.m. to 3:00 p.m. (not by SMS)
- via data box ID: nxedyy6
For the issue of personal data protection, we established a special position – personal data protection officer. This person is a specialist who monitors whether your personal data is being processed in the manner prescribed by the current legislation. If necessary, you can therefore contact the personal data protection officer, Ing. Jiří Benedikt, using the following methods:
- by post or in person upon prior agreement at the address EUC a.s., Evropská 859/115, 160 00 Prague 6
- by e-mail at the e-mail address dpo@euc.cz,
- by telephone at +420 731 546 921 from 9:00 a.m. to 3:00 p.m. (not by SMS)
In this introduction, we would also like to remind you that the supervisory authority with respect to the issue of personal data protection in the Czech Republic is the Office for Protection of Personal Data, which is also prepared to receive your suggestions and complaints. The Office for Protection of Personal Data is located at the address Pplk. Sochora 27, 170 00 Prague 7. You can find its current contact information on its website at www.uoou.cz.
Basic principles of personal data processing
We always approach your personal data in accordance with the legislation currently in force. You can find a list of the most important legal regulations at the conclusion of this information. In accordance with these regulations, we also comply with the following basic principles of personal data processing:
- We always process your personal data in the correct manner in accordance with the law and using a method that is adequately clear, transparent and comprehensible.
- We always process your personal data in the necessary scope and using a method that is in accordance with the purpose for which we process your data.
- We take care to ensure that your personal data which we process is always accurate and updated as needed. Inaccurate personal data will be deleted or corrected.
- We process your personal data only for the absolutely necessary period of time. In certain cases, such period is stipulated by the law; in other cases, we set the period internally so that it corresponds to our legitimate interests.
- We properly secure your personal data against leakage, unauthorised processing, accidental loss and damage. For this purpose, we have adopted appropriate technical measures particularly consisting in strict setting of individual persons’ access to your data, encryption and other technical and physical means of security.
List of legal regulations governing the protection of personal data
You can find the most important legislative provisions governing the protection of your personal data in the following regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
- Act No. 110/2019 Coll., on Personal Data Processing
- Act No. 89/2012 Coll., the Civil Code
- and other regulations in the area of administration and accounting
Basic reasoning
Our main activity is provision of medical care, whether that involves care consisting in prevention, diagnostics, dispensary care, treatment, evaluative care, therapeutic rehabilitative care, nursing care, palliative care or pharmaceutical care. All of these types of medical care have one thing in common – in order to provide them, we need to be aware of a full range of your personal data, particularly data that can be designated as sensitive. Such sensitive data comprises, in particular, data on your health condition and, in certain cases, genetic data, data on your sexual life and other data that is part of the most sensitive area of each of our lives. Due to the fact that medical care cannot be provided at a sufficient level without such data, we would like to thank you for your trust and to assure you that no unauthorised person will gain access to your data. We carefully select all persons who may gain access to your data in connection with the provision of medical care, whether that concerns our employees or contractors. All of our employees (from physicians to providers of cleaning services) are bound by law to strict confidentiality. We also negotiate a confidentiality obligation with all of our contractual partners if they may come into contact with personal data. We consider trust and a high level of data security to be one of the fundamental priorities within our operations.
Which of your data do we process?
Due to the fact that care is always very individual for each patient, the specification of personal data that you can find below is as broad as possible – this is the maximum set of data that we can process in relation to you as a patient. We obtain your personal data either directly from you or from the physicians who cared for you before us.
- identification data: name, surname, date of birth, birth-registration number, public health insurance policyholder number (if not the same as the patient’s birth-registration number), health-insurance provider code, myCANADIAN user account.
- information on health condition: particularly information on the client’s health condition, date and time of admission into care, date and time of completion of the patient’s care, information on transfer of the patient to a different provider, information on the course and result of provided medical services and on other significant circumstances relating to the patient’s health condition and the process of providing medical services; in connection with the ascertained information on the patient’s health condition, working conclusions and information on the final diagnosis are prepared in relation to the patient, as are a proposal of a subsequent treatment process, information on the course of treatment and the scope of provided or required medical services; data on the current development of the patient’s health condition according to an evaluation communicated to the patient, targeted objective findings, data on prescribed medications, food items for special medical purposes (including portioning and the number of prescribed packages) and medical devices, data on dispensing of medications or food items for special medical purposes (including the dispensed amount), registration number of provided transfusion equipment; data on provision of medications, food for special medical purposes (including the amount) and medical devices to the patient; data on issuance of a medical transfer order, records on performed nursing care (including nutritional and therapeutic rehabilitative care), immunisation records, record on provision of informed consent to or denial of specific medical services, record on use of restraining devices, copies of medical reports, request forms on provision of medical services, information on acknowledgement or termination of temporary incapacity to work, examination results, records of incoming calls on the emergency line and other significant circumstances relating to the patient’s health condition that were ascertained in connection with the provision of medical services.
- the patient’s contact information: address of permanent residence, correspondence address, telephone number, e-mail address, data box ID.
- images and photos: photos of documents for the purposes of establishing shared profiles (e.g. birth certificates); photos of medical reports created during the delivery of care in our partner network of healthcare facilities
- other personal data: recordings of telephone calls that we are obligated to monitor pursuant to the law.
In what form is my personal data processed?
All of your personal data that we become aware of and process in connection with the provision of medical care is part of your medical documentation. We keep medical documentation in so-called mixed form. This refers to the situation when part of the documentation is kept electronically and part in paper form. The laws by which we are bound as a provider of medical services impose on us, in relation to the retention of medical documentation, a full range of obligations; in particular, we must always handle such documentation in a demonstrable manner and with a heightened degree of caution. Please be aware that we do not take the handling of your medical documentation lightly and we have therefore adopted additional technical and organisational measures. Documentation in electronic form is kept in a Medicalc professional information system and access to its contents by individual employees is strictly limited. Documentation in paper form is stored in a locked facility in order to prevent unauthorised access. No unnecessary copies are made. All employees are trained to heed the enhanced measures in connection with this matter.
Why do we process your data and what is the legal basis for such processing?
The purpose of processing your personal data is provision of medical services and administration of medical documentation. The legal basis for such processing essentially consists in the provision of medical care, whether this involves provision of requested care on the basis of a healthcare contract or in cases of urgent care on the basis of a statutory obligation. The scope and obligation of personal data processing are governed by special acts by which we are bound.
In certain cases, the patient’s personal data can be processed for a purpose other than provision of medical care. Such purpose may be, in particular, the use of your data for clinical studies or for the purposes of our promotion. In such a case, your personal data is processed on the basis of your voluntary consent to personal data processing, which you cannot and will not be forced to provide in any case. You can withdraw your consent at any time or, as the case may be, exercise your other rights connected with personal data processing, about which we will thoroughly instruct you before you grant consent.
We are authorised to process your personal data also for the purpose of science and research. This authorisation is conferred on us directly by the law. For this purpose, however, we process only the data that is necessary and in such a form that makes it impossible to easily identify you.
To whom can we provide your personal data?
We administrate your personal data within the provider, whereas we transfer such data to third parties with your consent as a matter of principle. In certain cases, however, we are forced to transfer your personal data to other recipients even without your consent.
First of all, in certain cases, we are obligated to transfer your personal data on the basis of the law. In particular, we transfer your data, including information on your health condition, to health-insurance companies in order to bill the medical care that we provide to you. We are further authorised to disclose your data on the basis of the law governing the provision of medical services; as such, we can allow specific persons to view such data and create extracts, transcripts or copies of your medical documentation even without your consent. This will particularly involve disclosure of your data to bodies of the state administration (e.g. social-security bodies, the State Institute for Drug Control, etc.).
In order for us to provide you with high-quality care, in certain cases we also use external contractors, particularly if this involves technical support for our information system or administration of medical instruments that we use in the provision of medical care. Processing of any of your personal data may occur in connection with such activities. External contractors are in the position of processors and have a concluded written contract with us that binds them to comply with strict principles when handling your data. In such a case, your consent is not required for the purposes of carrying out processing activities, as such processing is directly allowed by a legal regulation. Please be aware that we select our contractors according to strict criteria and you thus need not be concerned about your data.
As a matter of principle, we do not transfer your personal data abroad. This may happen only exceptionally if you grant us consent for such transfer (e.g. if you participate in a clinical study) or if it is required by a legal regulation.
How long do we retain your personal data?
Your personal data is always retained for the absolutely necessary period. Due to the fact that, in the absolute majority of cases, we process your data in connection with the provision of medical care, it is necessary to retain such data for the period that the law requires for retention of medical documentation. This period is stipulated by a regulation and amounts to 5-100 years or, as the case may be, ten years from the death of the patient depending on which part of the medical documentation this involves.
If we process your data for a purpose other than provision of medical services, i.e. particularly if we process your data on the basis of your consent, we shall undertake to process your data for the period specified in such consent.
What rights do you have in relation to your personal data?
As a data subject, the law confers on you a full range of rights. As medical care is not possible without the processing of your personal data, some of your rights are limited by the law. At the same time, as a patient, you have an obligation to provide your data to us. Failure to provide your personal data could result in our inability to provide medical services to you and could thus be detrimental to your health or pose a direct threat to your life. As a patient, however, you have the following rights in relation to your personal data.
Right of access to personal data
Of course, you have the right to know the kind of data pertaining to you that is being processed, the purpose and duration of such processing, where we obtained the data and whether and to whom we transfer the data. At the same time, you have the right to information on other rights pertaining to such data. This document in particular serves for your awareness in this regard; nevertheless, we are prepared to provide you with confirmation or clarification regarding any item of this information.
If you request it from us, we will also provide to you, without undue delay, a copy of your processed personal data. In connection with administrative costs, we are authorised to charge a proportionate fee for such copy, especially in the case that it is requested repeatedly. If you submit the request in electronic form, we will automatically assume that you are interested in provision of information also in electronic form. However, you have the option of requesting provision by other means. Please bear in mind that the rights of other persons cannot be adversely affected by the right to obtain a copy of processed personal data.
You can also exercise your right of access to personal data in accordance with the rules for viewing healthcare documentation and acquiring extracts and copies.
Right to correction of personal data
In the event you determine that the personal data that we process in relation to you is not accurate or complete, you have the right to request that we supplement or correct such data without undue delay.
Right to restriction of personal data processing
In certain cases, this right enables you to demand that certain items of your personal data be marked for restricted processing and thus not be the subject of further processing for a certain period. This is not the same as the right to deletion, as restriction of processing is not permanent. You have the right to demand restriction of the processing of your personal data in the case that:
- you refute the accuracy of your data that we are processing; restriction will be imposed for the period necessary to verify the accuracy of the data.
- processing is without a legal basis (e.g. beyond the scope of data that we are authorised to process), but you prefer restriction of processing instead of deletion because, for example, you anticipate that you will provide the data to us in the future.
- we no longer need to process your personal data, but you request the data for the purpose of determining, exercising or defending your legal claims.
- you raise an objection against processing (see the point of instruction on this right below).
If processing is restricted, data can be processed only with your consent or for the purpose of determining, exercising or defending legal claims, for the purpose of protecting the rights of another entity, whether a natural person or legal entity, or for important reasons in the public interest.
Right to raise objections against personal data processing
You can exercise the right to raise objections against the processing of personal data only in the situation when we would process any of your personal data in the public interest or on the basis of our legitimate interests or for the purposes of direct marketing. In such cases, you can raise an objection at any time. If that happens, we will further process your personal data only if we demonstrate serious, legitimate reasons for doing so (particularly if we need the data for determining, exercising or defending our legal claims). If, however, you raise an objection against data processing for the purpose of direct marketing, we will cease processing your data for such purpose without delay.
If this involves provision of medical services, we process your personal data as set forth above, on the basis of the law in the absolute majority of cases. Therefore, this right essentially does not apply to you in the position of relative of a patient.
Right to file a complaint with the supervisory authority
Exercising the rights set forth above shall not in any way affect your right to file a complaint with the Office for Protection of Personal Data via the contact information set forth in the introduction to this document. You can find the current contact information on the website of the Office for Protection of Personal Data (www.uoou.cz). You can file a complaint at any time when you have doubts as to whether your personal data is being processed as it should be, i.e. if you believe your personal data is being processed without authorisation or in conflict with legal regulations.
Right to deletion
In certain cases, you, as the data subject, have the right to have your personal data deleted. We generally accede to deletion of your personal data when we no longer need such data or we do not have a legal reason to process it. Furthermore, we will delete your personal data if it was processed on the basis of consent and that consent has been withdrawn.
Please bear in mind that, even though this concerns one of the reasons for deletion, it does not mean that we will immediately delete all of your personal data. This right does not apply in the case that processing of personal data continues to be necessary for fulfilment of our legal obligations, archiving purposes, scientific or historical research or for statistical purposes, or for determining, exercising or defending our legal claims.
Right to withdraw consent
If this involves cases in which your personal data is processed on the basis of consent, you further have the right to withdraw your consent at any time. However, previous processing that we carried out prior to withdrawal of consent shall not be affected in any way by such withdrawal of consent.
How can individual rights be exercised?
In all matters associated with the processing of your personal data, whether that involves an enquiry, exercise of rights, filing of a complaint or anything else, you can contact our data protection officer using the following methods:
- by post or in person upon prior agreement at the address EUC a.s., Evropská 859/115, 160 00 Prague 6
- by e-mail at the e-mail address dpo@euc.cz
- by telephone at +420 731 546 921 from 9:00 a.m. to 3:00 p.m. (not by SMS)
We will handle your request without undue delay, though within one month at the latest. In exceptional cases, particularly due to the complexity of your request, we are authorised to extend this period by two months. Of course, we will inform you of any such extension and the rationale for it.