Data protection procedures

GP Clinic Personal Data Processing Policy

Data manager:
Papečkys’s Enterprise
Zamenhofo 7, LT-44287 Kaunas, Lithuania
LT-44287
Reg. No.: 135285880
VAT payer No.: LT100005707012
Mobile +370 656 82505

Other terms used to refer to the data controller in this descriptor: “Us”, “Data Controller”, “Clinic”, “Aesthetic Surgery Clinic”, “Plastic Reconstruction Clinic”.

Introduction

1. Papečkys’s Enterprise pays special attention to the security of its clients’ and partners’ data. The staff is well-trained and follows strict requirements when working with the personal data of the clients and partners. In G. Papečkys’s Enterprise, data is processed transparently, with clearly defined purpose and scope of such processing, information transfer limits, clearly establishing the rights of the controller and the processors, respecting and maintaining the obligations toward the data subject. In this data processing policy, G. Papečkys’s Clinic describes all the essential aspects of data processing in its daily activities.

This descriptor provides all the information on how personal data is processed upon visiting websites and our Facebook page, sending emails from a computer or a mobile device, including the following topics:

• How the clients’ personal data is used
• What personal data is collected
• What measures are taken to ensure data security
• How the users can help protect their personal data
• Rights of the data subjects
• Legal framework
• Cookies
• Contact information
• Third parties and micro-websites

How The Personal Data is Used

General Information

Papečkys’s Enterprise uses personal data for the following purposes:

– Providing clinical services or goods to the clients;
– Improving service quality;
– Developing its website or Facebook page or pages on similar social networks;
– Issuing invoices, accepting and transferring payments;
– Identification and confirming identity;
– Ensuring the prevention of money laundering and the financing of terrorism;
– Ensuring the supply of healthcare services;
– Sending out commercial offers and service descriptions by electronic means, but only with the permission of the data subject;
– For marketing purposes, but only with the permission of the data subject;
– If allowed by the administration of the clinic, by Lawyers, Accountants, Auditors, for conducting inspections, providing reports on the activities conducted, responding to questions or for directly communicating with the client;
– Revealing specific data to Institutions that inspect healthcare activities, during an inspection, if a legally-grounded request is received;
– Legal obligations (employing staff, paying salaries, being subject to the Healthcare Institutions etc.)
– Collaborating with law enforcement Institutions under legal grounds proven by appropriate documentation;

If the user is connecting through insecure internet servers, the clinic is not responsible for the security of the data. (E.g. a public internet connection and other connections of questionable security).

Marketing Policy

Commercial Offers for Clients and Partners

1. Papečkys’s Enterprise uses the personal data of its clients and partners for electronic marketing purposes (only with the direct permission of the person), and to such end, sends electronic offers to the clients or partners with the clinic’s latest offers.
2. Papečkys’s Enterprise aims to only supply information that is of interest to the particular data subject. These offers can be unsubscribed from at any time in the following ways:
3. By sending us a request to stop sending offers.
4. By clicking the link “unsubscribe from the newsletter” contained in every newsletter, at the bottom.
5. By calling the clinic’s reception and asking for directions on how to unsubscribe from letters of commercial nature.

* All personal information is collected directly from the client/patient. We are not responsible for the marketing strategies used by websites such as Google, Bing, Yahoo, Facebook Instagram etc. However, in order to avoid any conflict of interest, we specify how you can opt out of the collection of certain types of information by these websites in the cookies section.

Disclosing Data to Third Parties

Partners of Our Enterprise and Data Processors

In order for the staff of the clinic to be able to provide certain services, we may potentially have to disclose certain personal data of yours to other companies: medical test laboratories, IT companies, telecommunications companies, institutions overseeing the activities of healthcare establishments. Such disclosure to third parties is only possible in the case when the companies have the permission to receive information of a personal nature and can prove that data protection will be ensured in accordance with the General Data Protection Regulation and other data protection laws.

List of entities to whom your data may be transferred:

– Banks and bank representatives;
– Insurance companies;
– State supervision control services (Ministry of Health, Centre for Public Health and others);
– Lawyers;
– Judicial authorities during case investigation or enforcement, under an individually supplied legitimate request;
– In cases when the safety of our staff, inventory, tangible and intangible assets has to be protected – to institutions ensuring it;
– To establishments or persons providing accounting services;
– To the marketing division;
– To the administration staff;
– To our medical and nursing staff;
– To another healthcare institution under legal grounds;
– To your workplace, upon the patient’s request (regarding an illness, certificate of incapacity and in similar cases);
– Persons authorised by the patient but only with a document that proves clear legal grounds;
– To a manager providing international communication (medical tourism).

In all cases of data communication, we ensure the full possible protection of the data.

Other Concerned Subjects

Other than the aforementioned subjects, G. Papečkys’s Enterprise never sells or otherwise transfers personal data to any third parties, companies or individuals that are not specified in these rules.

Data Transfer Across the Borders of the European Union or the European Economic Area

The data that you provide will never by any means travel outside the borders of the European Union or the European Economic Area. All the information you provide is stored on servers of trusted companies or external safe and encrypted storage media, in electronic form or on paper. That way, the data is protected from unwanted loss, leaks, copying or any other disclosure of criminal nature.

Only a limited number of people can access your data, and only in order to perform their employee duties. The groups of such people are described in the above section on the purposes for which your data may be used.

In any case, should an unplanned disclosure of data to third parties take place, we react instantaneously and take all the necessary safety precautions to prevent that. In any case of a break-in, we maintain our obligations in terms of data protection and inform the relevant Institutions as well as the data subject.

For How Long Do We Store Your Data?

In providing healthcare services, we comply with the legal requirements to only store your data for as long as it is necessary, which is why we perpetually review the data we have and delete any data for which the right of use has expired. We keep different data for different durations but the average data storage time is 25 years.

Your Rights

Your rights regarding your data processed by GP Clinic:

• You may demand GP Clinic do inform you about information collection methods, duration, storage location, third party interference, as well as the areas and purposes for which the personal data is used, in accordance with the General Data Protection Regulation;
• You may submit a request to be introduced to the data we have on you or to correct or delete any information you have provided to the GP Clinic, as long as it is for an appropriate purpose and under appropriate grounds, and there are sufficient legal and technical capabilities for such actions;
• You may submit a request to move your data if no data protection requirements are violated in doing so.
• You may refuse to provide certain personal information that is not necessary for providing the healthcare service. You will be notified of this possibility before providing information of this sort;
• You may refuse to use certain cookies or software as specified in your browser under the cookies policy (Cookies, Use of Cookies).
• You may unsubscribe from the newsletter by simply clicking the link under the newsletter text, which can be found in each newsletter message.

In any case, please feel free to file a free-form request at dap@gpklinika.lt

We will process your request over 20 days and provide you with an answer regarding the possibilities to fulfil your requests.

With any additional questions, please contact our data protection officer:

dap@gpklinika.lt
Business hours: Mon-Fri 9 AM – 4 PM

Legal Framework

Laws, under which your personal data is processed, used and protected at GP Clinic:

Civil Code of the Republic of Lithuania;
Law on Management of State Information resources of the Republic of Lithuania;
Law on Legal Protection of Personal Data of the Republic of Lithuania;
Law on Cyber Security of the Republic of Lithuania;
Law on Health System of the Republic of Lithuania;
Law on Health Care Institutions of the Republic of Lithuania;
Law on the Rights of Patients and Compensation of the Damage to their Health of the Republic of Lithuania;
Law on Health Insurance of the Republic of Lithuania;
Law on Pharmacy of the Republic of Lithuania;

Descriptor for the procedure of establishment, creation, modernisation and liquidation of state information systems, approved by the Government of the Republic of Lithuania decree No. 180 of 27 February 2013 “On the Approval of the Descriptor for the Procedure of Establishment, Creation, Modernisation and Liquidation of State Information Systems” (hereinafter – Descriptor);

the General Data Protection Regulation 2016/679.

Other legislation regulating the safe management, protection and elimination of electronic information;