1.2. The Policy describes the measures to ensure protection of the interests and freedoms of the Data Subject, while ensuring that his or her data are processed in good faith, lawfully and in a transparent manner.
1.3. The Policy refers to the processing of data of natural persons irrespective of the form and/or environment in which the natural person provides the personal data (when entering the premises, by phone, orally, in paper form, electronically, etc.) and of the systems of the Controller in which they are processed.
1.4. The Controller shall be entitled to amend the Policy at its own discretion. The Policy is available on the website of the Controller – www.apinesklinika.lv and is applied from the effective date of a respective version of the document.
2.1. The personal data processing Controller is SIA “Dr.Apines zobārstniecības klīnika” (unified reg. No. 40103323790, address: Lielirbes iela 17A-3, LV – 1046, telephone: 29184219, e-mail address: email@example.com, website: www.apinesklinika.lv) (hereinafter – Controller).
2.2. Contact information in data protection issues – firstname.lastname@example.org
- APPLICABLE LAWS AND REGULATIONS
3.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter – Regulation).
3.2. Personal Data Processing Law.
3.3. Law on the Rights of Patients.
3.4. Medical Treatment Law.
3.5. Other effective laws and regulations of the Republic of Latvia in the field of personal data processing and protection, including laws and regulations governing patients’ rights, information society services, etc.
- PURPOSES OF PERSONAL DATA PROCESSING
4.1. The Controller, in exercising its rights, shall carry out:
4.1.1. health care – provision and securing of dentistry services (personal data are obtained, processed and stored with the aim to secure provision of quality and fast services based on Article 6(1)(a), (b) and (c) of the Regulation and Article 9(2)(h) of the Regulation);
4.1.2. retention and recordkeeping of the incoming and outgoing correspondence to ensure compliance with the legitimate interests of the Controller and/or execution of the contractual obligations (substantiation – Article 6(1)(b) and (f) of the Regulation);
- PERSONAL DATA PROCESSED BY THE CONTROLLER
5.1. Categories of personal data processed by the Controller as the provider of dentistry services depend on the services of the Controller used by the natural persons.
5.1.1. When the Data Subject receives the dentistry services, pursuant to the requirements of the laws and regulations the Controller as an institution is obliged to process the identifying information of the data subject and the information acknowledging the diagnosis, substantiating the examinations and treatment methods, as well as precisely reflecting the treatment results. In this case, in order to accomplish the goal of the provision of dentistry services the Controller may process the widest possible volume of personal data including a name, surname, personal identity number, contact information, health insurance data, any type of data about health that may be directly or indirectly related to securing the dentistry services, including but not limited to the information on the health condition of teeth, mouth hygiene, general health condition, prescribed and taken medicine, performed medical procedures and operations, side-effects caused by any type of medicine, allergies, earlier diseases.
5.1.2. The Controller shall process the personal data of a special category – data on the health of the data subject having regard to the processing provisions of special categories of personal data only in cases when any of the substantiations provided for by the laws and regulations is applicable and only to the extent commensurate with the purpose to be achieved.
5.1.3. Contact information of the data subject is processed with the aim to contact or provide information to the data subject in the interests of the Data Subject and in relation to the dentistry services for which the Data Subject has applied.
5.1.4. When contacting the Controller in writing, the communication contents and time may be retained, as well as the information on the tool of communication used (e-mail address, telephone number, address in the e-appointment system and other specified information).
5.1.5. The Controller shall conduct the analysis of the website browsing history using online identifiers, as well as the information provided by the data subject deliberately (for example, service assessment, experience of visiting the website, navigation on the website, information on a wish to apply for any of the services of the Controller, etc.) to carry out market research and opinion analysis.
5.2. The Controller as an employer, for securing the lawful requirements of authorities and institutions, shall perform processing of personal data of the employees.
- LEGAL BASIS OF PERSONAL DATA PROCESSING
6.1. The data processing with the aim to ensure dentistry services shall be performed on the basis of Article 6(1)(b) and (c) of the Regulation and Article 9(2)(h) of the Regulation.
6.2. Retention and recordkeeping of the incoming and outgoing correspondence (e-mail letters, mail letters, e-appointment) shall be carried out on the basis of Article 6(1)(b), (c) and (f) of the Regulation with the aim to ensure fulfilment of the obligations of the Controller provided for by the laws and regulations, i.e. to keep record of the correspondence in accordance with the classification and requirements of the Controller arising from the Archives Law, as well as to ensure compliance with the legitimate interests of the Controller, for example, to investigate cases when complaints on the customer service quality are received, and to secure evidence against possible claims.
6.3. The Controller shall conduct the analysis of the website, social networks browsing history to carry out the market research, analysis of opinion of data subjects, as well as analysis on recognizability of its brand based on Article 6(1)(f) of the Regulation.
6.4. Whenever the legal basis of the data processing is Article 6(1)(a) of the Regulation, consent of the data subject for collection and processing of the personal data for specific purposes shall be received. Similarly, consent shall be received for the data processing for direct marketing purposes to make new and individual proposals.
6.5. The data processing of employees of the Controller shall be performed based on the Article 6(1)(b) and (c) of the Regulation.
- PERIOD OF PERSONAL DATA PROCESSING
7.1. The Controller, in selecting criteria for the personal data retention, shall take into consideration the circumstances listed below:
7.1.1. whether the personal data retention period is provided for or derives from the laws and regulations of the Republic of Latvia and European Union;
7.1.2. the required period of retention of the respective personal data to ensure implementation and protection of the legitimate interests of the Controller or third party;
7.1.3. until the consent provided by the person for the personal data processing is withdrawn and no other legal basis for the personal data processing exists, for example, to fulfil the obligations binding to the Controller;
7.1.4. The Controller shall protect vitally important interests of the Data Subject or other natural persons, including life and health.
7.2. In providing the dentistry services the Controller shall comply with special laws and regulations providing for an obligation to retain individual data. If detailed information is required, the Controller shall be contacted using the contact information referred to above.
7.3. The recordkeeping of the incoming and outgoing communication (e-mail letters, mail letters) to ensure compliance with the legitimate interests of the Controller shall be retained for the period not exceeding 5 (five) years unless the respective communication reflects a possible illegal action or action that possibly would help the Controller or third parties to secure their legal interests. In this case a respective document may be retained until the moment the legal interests are secured.
7.4. Upon expiry of the retention period the personal data shall be permanently deleted unless their retention obligation is provided for by the laws and regulations.
- RIGHTS TO ACCESS PERSONAL DATA
8.1. The Controller shall be obliged to provide information on the processed personal data:
8.1.1. to law enforcement institutions, court or other public authorities if the laws and regulations require so and respective institutions are authorised to request this information;
8.1.2. if the personal data are to be provided to the respective third party within the framework of an agreement entered into in order to carry out any function required for performance under the agreement (for example, in case of an insurance agreement, for implementation of the legitimate interests of the Controller; to another health care institution having regard to the preconditions provided for by the Law on the Rights of Patients) or if it is required to improve the service and provision of quality services to the customer engaging service providers;
8.1.3. upon a clear and unambiguous request of the Data Subject.
8.2. The personal data of the Data Subject may be accessed only by the authorised employees of the Controller, who need these data for the provision of health care services and securing the support processes or execution of other work duties.
8.3. The Controller shall issue the personal data of natural persons only in a required and sufficient volume, pursuant to the requirements of the laws and regulations and circumstances justified by a specific situation.
8.4. It is not envisaged to send the personal data referred to in this Policy to a third country (a country which is not a member state of the European Union or the European Economic Area), except for the data processed in the electronic environment. In this case, the Processors selected by the Controller (google.com (Google Analytics), facebook.com, twitter.com, snapchat, etc.) shall be recognized as enterprises operating outside the member states of the European Union and the European Economic Area; therefore the Controller advises the Data Subject to get acquainted with the privacy policies of these enterprises or to address the Controller individually with a request to provide additional information on the cooperation conditions.
- INFORMING THE DATA SUBJECT OF PERSONAL DATA PROCESSING
9.1. The Data Subject shall be informed of the personal data processing referred to in this Policy. When visiting the website, the Data Subject may acquaint himself or herself with the notification on cookies and is advised to get acquainted with this Policy.
9.2. The Policy is publicly available on the Internet on the website of the Controller www.apinesklinika.lv.
- RIGHTS OF THE DATA SUBJECT
10.1. The Data Subject shall be entitled to request access to his or her personal data from the Controller and to receive detailed information on what data about him or her are at the disposal of the Controller, for what purposes the Controller processes these personal data, the categories of recipients of the personal data (persons to which the personal data have been disclosed or to which it is planned to disclose the personal data, unless the laws and regulations in a specific case do not allow the Controller to provide such information (for example, the Controller may not provide to the Data Subject information on public authorities directing criminal proceedings, persons performing investigative field work or other authorities in relation to which the laws and regulations forbid disclosure of such data)), and information on the retention period of the personal data or the criteria used to determine that period.
10.2. If the Data Subject believes that the information at the disposal of the Controller is outdated, inaccurate or wrong, the Data Subject shall be entitled to ask for correction of its personal data.
10.3. The Data Subject shall be entitled to request deletion of its personal data or object to the processing thereof if the person considers that the personal data are processed illegally or are no longer required for the purposes they were collected and/or processed for (implementing the principle – the right “to be forgotten”).
10.4. The Data Subject shall be entitled to lodge a complaint to the Data State Inspectorate if it considers that the Controller has processed his or her personal data illegally.
10.5. The Data Subject may submit a request on exercising its rights as follows:
10.5.1. in a written form in person in the premises of the Controller upon presenting a personal identification document (for example, passport or ID) as the Data Subject is obliged to identify itself;
10.5.2. by electronic mail with a secure electronic signature. In this case it is presumed that the data subject has identified itself by submitting a request signed with a secure electronic signature. Concurrently, the Controller shall reserve the right, in case of doubt, to request additional information from the data subject if it considers this necessary;
10.5.3. by post. In this case a reply shall be prepared and sent by registered mail, thus ensuring that unauthorised persons may not receive it. Concurrently, the Controller shall reserve the right in case of doubt to request additional information from the data subject if it considers it as necessary.
10.6. The Data Subject shall be obliged as much as possible to specify in its request the date, time, place and other circumstances that would help to execute its request.
- PROTECTION OF PERSONAL DATA
11.1. The Controller shall ensure, continuously review and improve the personal data protection measures to protect the personal data of natural persons from unauthorised access, accidental loss, disclosure or destruction. In order to ensure the abovementioned, the Controller shall apply appropriate technical and organizational measures, including restricting access to the card file and archives.
11.2. The Controller shall carefully inspect all service providers processing the personal data of natural persons upon instruction of the Controller, as well as shall assess whether the cooperation partners (personal data processors) apply appropriate safety measures to ensure that the personal data processing of natural persons takes place as delegated by the Controller and pursuant to the requirements of laws and regulations.
11.3. In case of a personal data security incident that creates a possibly high risk for the rights and freedoms of the data subject, the Controller, if possible, shall notify the respective Data Subject thereof, or the information shall be published on the website of the Controller or notified otherwise. Similarly, the Controller shall notify the authorities of data processing security incidents or possible incidents pursuant to the applicable laws and regulations without unreasonable delay, within 72 hours from the moment the violation has become known.