
Privacy Statement

ATHENS MEDICAL CENTER S.A.  

(ΙΑΤΡΙΚΟ ΑΘΗΝΩΝ Ε.Α.Ε.) 

5-7 Distomou Str., GR-151 25, Marousi 

TAX ID NO.: 094129169 – ATHENS TAX OFFICE FOR SAs 

GEMI NO.: 000356301000 

Version: 21 February 2024

The company “ATHENS MEDICAL CENTER S.A.” (hereinafter the “Company”) has the utmost respect for the privacy of natural persons, and takes very seriously the need to protect their personal data. The purpose of this Statement is to provide concise and transparent information regarding the practices that are followed to process and protect personal data for anyone who is interested in using and receiving telemedicine services through the Company’s online platform, TeleHospital, accessible through the www.telehospital.gr website, and/or the related mobile device application in an Android/iOS environment (hereinafter the “Application”), collectively referred to herein as the “Platform”.

The Company retains the unilateral right to update, amend, add to and to change its services and this Statement from time to time, whenever it deems necessary, without prior notice, always within the legal framework currently in effect and in accordance with any changes to applicable national and European legislation on personal data protection (hereinafter referred to in total as the “Existing Legislation”); any such changes shall enter into force when posted on this website. The Company encourages any interested party to review this Statement regularly and be informed of any changes that have taken place. 

What personal data are  

“Personal data” means any information that pertains to a directly or indirectly identified or identifiable natural person who is living, particularly by referencing a unique identifying detail (e.g. name, ID card number, address, etc.). Data pertaining to health (physical or mental condition, receiving medical services, etc.) are included under the umbrella term of “personal data”, but constitute a special data category.  

Purposes and legal bases for processing personal data 

As part of its activities as a primary and/or secondary healthcare service provider, as the case may be, the Company is required to keep medical records, as specified by Greek Law 3418/2005 (Code of Medical Ethics), and as such, it collects and processes personal data pertaining to natural persons who make use of its services. 

The Company shall collect and process personal data for the following purposes, with the relevant legal basis for processing: 

| S/N | PURPOSE OF PROCESSING | LEGAL BASIS: SUMMARY | LEGAL BASIS: GDPR | LEGAL BASIS: Greek Law 4624/2019 |
|---|---|---|---|---|
| 1 | Subject’s creation of an account on the Platform to provide appropriate and strictly personalised telemedicine services. | Provision of telemedicine services for preventive or occupational medicine and medical diagnosis as part of primary healthcare services through contracted health professionals. | Article 9 par. 2 (h) | Article 22 par. 1 (b) |
| 2 | Identification, drawing up contracts and invoicing. | Performance of contract to which the data subject is a party or to take measures at the request of the data subject before concluding the contract. | Article 6 par. 1 (b) | – |
| 3 | Retention and storage of essential data and information relevant to the healthcare services provided for a period of 5 years from rendering services or issuing billing. | Establishing, exercising or substantiating legal claims, pursuing financial claims, either through a judicial, administrative or potentially extra-judicial procedure. | Article 9 par. 2 (f) | Article 25 par. 1 (c) |
| 4 | Storage and retention of medical records with special categories of personal data (sensitive data) for 10 years from the subject’s last visit to the Platform. | Compliance with the provisions of current legislation (Greek Law 3418/2005) | Article 6 par. 1 (c) | Article 27 par. 1 |
| 5 | Sending announcements and newsletters about company activities to the subject receiving services, scientific conferences and meetings (newsletters), and promotion of new and innovative healthcare services. | Subject’s consent | Article 6 par. 1 (a) | Article 28 par. 1 (a) |
| 6 | Use of cookies and related technologies: TECHNICAL COOKIES | Performance of contract to which the data subject is a party or to take measures at the request of the data subject before concluding the contract. | Article 6 par. 1 (b) | |
| | OPTIONAL COOKIES | Subject’s consent | Article 6 par. 1 (a) in tandem with the provisions of Article 4 par. 5 of Greek Law 3471/2006, transposing European Directive 2002/58/EC (ePrivacy Directive) | Article 28 par. 1 (a) |

How personal data are collected 

Your personal data are collected in the following ways:  

(a) Directly from you: you provide them to us when the Company provides medical services to you, when you fill out online forms or send an email to receive information or to use the services available on the Platform.

(b) Automatically, through the browser or mobile device you use to access the Platform. Technical information that constitutes personal data, such as the internet protocol address (IP address) of your device (including your desktop computer, laptop, tablet or smartphone), is also collected in this way. This technical information is used to ensure the proper function and performance of the Platform and is not stored permanently on Company infrastructure.

Specifically, the use of your device camera (image and sound data) is required to conduct the desired teleconference as part of operating the TeleHospital service: firstly, so that the competent doctor/health professional can confirm your identity and, secondly, to provide the necessary health services. The teleconference is neither recorded nor stored.

(c) Through third-party healthcare professionals or service providers or your treating physician, as part of obtaining a second medical opinion to ensure the best possible scientific treatment for the health issues that concern you.   

When registering for the service provided by the Platform, you will be asked to fill out certain fields on a form, as well as to select a username and password.  

Categories of subjects and data collected  

| SUBJECT CATEGORIES | DATA CATEGORIES |
|---|---|
| RECIPIENTS OF TELEMEDICINE SERVICES – FINANCIAL TRANSACTORS | Identification and demographic data: First/Last name, father’s name, sex, date of birth, and ID card or passport photo. Insurance information: Social Security Number (AMKA). Contact information: postal address, telephone and email address. Tax information: Tax Identification Number. Health information: Information on medical record as part of the Company’s provision of medical or nursing services, or health information regarding medical services not provided by the Company but which were reported to it either directly by the data subject or by third parties. Bank and financial information: billing information and transaction history. |
| THIRD-PARTY TREATING PHYSICIANS | Identification and demographic data: full name. Professional information: Specialisation, professional registry number, type of facility where employed, registered business address. |
| VISITORS TO TELEHOSPITAL.GR WEBSITE | Identification and demographic data: First/Last name. Contact information: Email, mobile phone number. Other information: Any information provided voluntarily by the visitor/user in the empty fields of a contact form. Digital data: IP address, cookies, browser type. |
| USERS OF APPLICATION ON ANDROID & APPLE MOBILE DEVICES | Identification and demographic data: First/Last name. Login particulars: username, password. Contact information: Email, mobile phone number. Mobile device information: type of device used to connect to the application, details of operating system device uses. Other user information: Anonymous user behaviour data for statistical analysis. |

Principles governing the Company’s processing of personal data 

The Company processes your personal data in a legitimate, transparent and legal manner for the clearly defined purposes stated here. Your personal data the Company processes are limited to those absolutely essential for achieving these purposes; they are accurate and current, retained for a period determined by the purpose for processing and protected by appropriate technical and organisational security measures, and their transfer to third countries outside the EU/EEA occurs in some cases provided there are appropriate safeguards in place, e.g. standard contractual clauses approved by Implementing Decision of the European Commission 2021/914, as in force. 

Recipients of personal data collected and processed by the Company 

Other than the Company’s duly authorised personnel and specialised physician partners, the following authorised third parties acquire access to those of your data that are absolutely necessary for the processing purpose listed for each:

| COMPANY NAME | PURPOSE | CONTACT INFORMATION |
|---|---|---|
| VIDAVO SA | Development and operational support of the telemedicine platform on the Company’s behalf | Address: 10th km Thessaloniki-Nea Moudania Road, BALKAN CENTER, Building D, GR-57001 Thessaloniki. Tel.: +30 2310474762 Email: vidavo@vidavo.eu |
| Hetzner Online GmbH | Cloud computing services with facilities/infrastructure in Germany and Finland to operate the VIDAVO SA Vida24 service. | Address: Industriestr. 25, 91710 Gunzenhausen, Germany Tel.: +49 98315050 Email: support@hetzner.com |
| ALPHA BANK SA (e-Commerce department) | Online payment services | Address: 40 Stadiou Str., GR-10564 Athens Tel.: +30 210326 0000 Email: contact-DPO@alpha.gr |
| DOPE STUDIO Data Systems and Internet Communication SA | Development and support of www.telehospital.gr website (including contact form) | Address: 451 Mesogeion Ave., GR-15343 Agia Paraskevi, Attica Tel.: + 30 210 0108900 Email: gdpr@wearedope.com |

Personal data are collected and processed by authorised staff in each department and Company partners solely for the purpose of providing each service. They are only transferred to authorised third parties which have expressly committed to maintaining confidentiality when they are required to have access as part of providing said services (e.g. consulting physicians) or other written and valid legal commitment, or where the requirement for confidentiality arises from their duties as provided by law. 

On your instructions, your personal data may be transferred to third parties (e.g. to another doctor of your choice) or to the Company’s partner businesses (e.g. insurance companies which insure you). 

The Company is bound to refrain from trading your personal data by offering them for sale/lease and giving/transferring/disclosing or notifying them to third parties, or to use them in any manner for other purposes which may place at risk your privacy, rights or freedoms, unless mandated by law, court judgment/order, administrative act, or as part of a contractual obligation necessary for the proper functioning of the Company’s Platform, for performing its functions, and for the appropriate provision of the services you select. 

Retention period for personal data 

The personal data the Company collects are retained for a predetermined and limited time period, depending on the purpose for processing; once the period has lapsed, they are deleted from its records, unless current legislation specifies or permits a different retention period, such as where specific provisions for tax or labour issues are concerned. 

Specifically, the Company retains personal data related to the user’s account on the Platform, including a copy of their Police ID Card for identification, for a period of 6 months, except for information and files uploaded by the user for each case and service,  including DICOM files, which are kept for 1 month from uploading to a cloud computing provider based within the EU with appropriate security safeguards in place. Further, as regards health-related data included in the medical record, the Company is required to keep a physical and/or electronic patient medical record consisting of general and sensitive personal data, as specified in Article 14 of the Code of Medical Ethics (Greek Law 3418/2005). The retention period for these data is 10 years from your last interaction on the Platform or your last in-person visit to the Company’s facilities (hospitals). 

Teleconferences are not recorded, and therefore no sound or image data are retained. 

As to the information users provide indirectly depending on the medium used to connect to the Platform, such as device or digital fingerprint, please refer to the Cookies Policy.

Rights 

The Company takes appropriate measures so you are able to exercise the rights assured by Existing Legislation regarding collection and processing of personal data pertaining to you. These rights are: 

  1. The right of access to your data. 
  2. The right to rectification of your data. 
  3. The right to erasure of your data (“right to be forgotten”), conditionally (e.g. provided the erasure does not conflict with a provision of law). 
  4. The right to restriction of processing of your data, under the specified provisions of Article 18 GDPR. 
  5. The right to portability of your data. 
  6. The right to object to processing of your data, under the specified provisions of Articles 21 and 22 GDPR. 
  7. The right to withdraw prior consent. 

With regard to any issue related to exercising your rights or for any clarification of issues related to the processing of your personal data, you may contact the Company’s Data Protection Officer, as follows:  

DATA PROTECTION OFFICER (DPO)
Address: Filadelfeos & 1 Kefalariou streets, GR- 14562, Kefalari-Kifisia, Athens, Greece
Email: dpo@iatriko.gr

Additionally, if you believe the processing of your personal data violates your rights and/or the provisions of GDPR, you have the right to lodge a complaint with the competent supervisory authority. In Greece, the competent supervisory authority is the Hellenic Data Protection Authority, 1-3 Kifisias Ave, GR-11523, Athens, https://www.dpa.gr/, tel. +30 2106475600.

The Company is bound to make every possible effort so your requests can be answered without delay, and no later than 1 month after receiving them. This deadline may be extended by 2 more months if necessary, based on the complexity of the request and number of requests. You will be notified within 1 month of the Company’s receipt of your request regarding any extension and the reasons for the delay. If you submit your request via electronic means, the response will be provided electronically, if possible, unless you specify otherwise (e.g. by written letter). 

For further information on the Company’s Privacy Policy, please refer to the website, www.iatriko.gr, using the link Notification of Personal Data Processing.