Privacy policy
1. General information
1.1. Purpose of the Limited liabilities company „KLĪNIKA EGV” (hereinafter – the Clinic) personal data processing policy (hereinafter – Privacy policy) is to provide information to the natural person (hereinafter – Data subject) on the processing of the personal data, purpose, amount of processing, and protection, as well as to inform the Data subject on his/her rights and obligations to ensure transparent and fair processing of personal data.
1.2. When processing personal data, the Clinic complies with the existing laws and regulations of the Republic of Latvia, as well as Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter also – GDPR, and other applicable laws and regulations in the privacy and data processing area.
1.3. All terms used in the Privacy policy are interpreted according to the meaning of the General Data Protection Regulation.
1.4. Clinic, in order to perform its functions and provide services in the most efficient way, needs to collect, process and use certain types of information on the Data subjects.
1.5. This Privacy policy applies to privacy and personal data protection for persons who:
1.5.1. Are clients of the Clinic and have received or receives health care services of the Clinic;
1.5.2. Have used, uses or have expressed willingness to use the services offered by the Clinic;
1.5.3. In any other way have cooperated, cooperates or have expressed willingness to cooperate with the Clinic (including, taking part in the recruitment process of the Clinic, have sent letters, applications, including, e-mail to the Clinic);
1.5.4. Employed/authorised persons of the cooperation partners (natural persons) of the Clinic, cooperation partners (legal persons) of the Clinic which are ensuring implementation of the cooperation according to the contractual obligations.
1.6. This Privacy policy is not implemented in relation to the processing of the personal data of the employees of the Clinic.
2. Information about the Controller
2.1. Controller for the processing of personal data is the Limited liabilities company „KLĪNIKA EGV”, registration number 50003393261, address Lāčplēša iela 38, Riga, LV-1011, phone +371 67 278 183, e-mail address: info@egv.lv.
2.2. E-mail of the data protection officer of the Clinic: dpo@egv.lv.
2.3. Clinic processes the personal data according to this Privacy policy.
2.4. Clinic can process personal data also as the authorised processor of another party (for example, performing a service as the authorised person). The privacy provisions, policy or mutual agreements of other responsible controllers can be applied to the processing of personal data.
3. Data protection principles
3.1. Performing the processing of data Clinic complies with the following principles:
3.1.1. Processes personal data in a way to provide adequate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damaging using appropriate technical or organisational measures. Clinic performs appropriate measures to ensure that personal data processing takes place according to the requirements of laws and regulations;
3.1.2. Processes personal data legally, in good faith and manner that is transparent to the Data subject;
3.1.3. Collects personal data only for the specific, clear and legitimate purposes, and does not perform their further processing in a manner that is incompatible with the stated purposes. Except, if it is necessary to fulfil functions and responsibilities stated in the laws and regulations.
3.1.4. Processes personal data adequately, appropriately and only the ones necessary for reaching of the purposes of processing;
3.1.5. Processes only precise personal data and renews them if necessary;
3.1.6. Stores personal data not longer than necessary for the purposes for which the personal data is processed.
4. Purposes of personal data processing, legal basis, storage periods and recipients of personal data
Clinic processes the personal data of Data subjects in compliance with the principles indicated in the Paragraph 3 and only when there is a legal basis for processing. Clinic processes the personal data for the following purposes:
4.1. Provision of the health care services
Clinic performs processing of these data to organise and ensure health care services, as well as to store and ensure the medical documentation of the clients according the requirements of the laws and regulations. For this personal data processing purpose personal data can be processed with the following aims:
- Identification of the client when the person is required to present personal identification document before the receipt of the service;
- Booking an appointment with the professionals of the Clinic;
- Provision of outpatient and inpatient services, performing tests and examinations;
- Development and maintenance of the client’s medical documentation according to the requirements of the laws and regulations;
- Transfer of the personal data of the client to the health care sector regulatory bodies, for example, National Health Service or Health Inspectorate;
- Payment administration for the health care services;
- And other purposes which are legally binding to the Clinic and imposed by the valid laws and regulations of the Republic of Latvia.
The following personal data categories can be processed in frame of this purpose:
- Client identification information – name, surname, personal identity number/identification code, date of birth;
- Contacts – phone number, e-mail, place of residence address;
- Payment information – information on the received service and the payment amount for the service, applicable payment reductions, for example, in case of the health insurance policy;
- Information on the health condition and services provided – information on the requested service, diagnosis, prescribed and applied treatment and diagnostics methods, prescribed and used medications, results of the examinations and tests performed, health care service result, information on the medical practitioner who provided the health care service and any other information on the health condition of the client.
Legal basis:
- For the conclusion and performance of the agreement (GDPR Article 6, Paragraph 1, Sub-paragraph b)), processed data is necessary for the conclusion and performance of the contractual obligations with the client;
- For the fulfilment of legal obligations (GDPR Article 6, Paragraph 1, Sub-paragraph c)), processing is performed to implement requirements of the external laws and regulations, for example, maintain the medical documentation of the client according to the requirements of the laws and regulations or to provide information in the unified health sector electronic information system etc.;
- For the implementation of the legitimate interests of the Controller (GDPR Article 6, Paragraph 1, Sub-paragraph f), Article 9, Paragraph 2, Sub-paragraph f)), in order the Clinic could implement its legitimate interests if the Clinic requires it, for example, in case of the complaints of the clients;
- For the provision of health care services (GDPR Article 9, Paragraph 2, Sub-paragraph h)), in order the Clinic as the medical institution could provide respective service to the clients;
- Consent granted by the client (GDPR Article 6, Paragraph 1, Sub-paragraph a), Article 9, Paragraph 2, Sub-paragraph a)) only in cases when one of the previously mentioned legal basis are applied to the personal data processing. In case of consent the client is asked to submit a separate written consent.
- Other laws and regulations: Law on the Rights of Patients, Medical Treatment Law, Health Care Financing Law, Cabinet Regulation No.555 adopted on 28 August 2018 “Procedures for the Organisation of and Payment for Health Care Services”, Cabinet Regulation No.134 adopted on 11 March 2014 “Regulations Regarding the Unified Electronic Information System of the Health Sector”, Cabinet Regulation No.60 adopted on 20 January 2009 “Regulations Regarding Mandatory Requirements for Medical Treatment Institutions and Their Structural Units”, Cabinet Regulation No.265 adopted on 4 April 2006 “Procedures for Keeping Medical Documents” and other laws and regulations regulating the health care sector.
Storage period
Storage of the received personal data is carried out for different periods until the purpose of certain personal data processing is achieved. Medical documentation of the clients is stored according to the periods determined by the provisions of the Cabinet Regulation No.265 adopted on 4 April 2006 “Procedures for Keeping Medical Documents” which anticipates that, for example, outpatient’s medical record must be stored for 40 years after the last entry, whereas outpatient’s ticket must be stored for 5 years after the last entry.
Possible recipients of the personal data:
- Authorised employees of the Clinic – reception employees, medical nurses, doctors etc.;
- Hired processors of the Clinic who process the personal data only according the instructions provided by the Clinic – for example, e-mail service provider (in case if the information is sent in the e-mail), IT systems maintainer, SIA “Datamed” (to ensure convenient and safe access of the client to the results of the laboratory examinations);
- Third parties – National Health Service, Health Inspectorate, State Agency of Medicines, other law enforcement institutions, other medical institutions if it is required for the obtaining of the treatment goals etc. Transfer of the Client’s personal data takes place only in case there are legal basis according to the Section 10 of the Law on the Rights of Patients or other laws and regulations that imposes a responsibility on the Clinic to transfer personal data of the client. In cases if the transfer of the personal data of the client is not anticipated in laws and regulations then transfer of the personal data of the client can be performed only on the basis of the written consent of the client.
4.2. For ensuring of the recruitment process of candidates and implementation of the rights and obligations arising from it
CV and motivation letters sent by the candidates are processed in frame of this data processing to evaluate the suitability of candidates to the vacancy.
The following personal data categories can be processed in frame of the purpose:
- Information included in CV and motivation letter – name, surname, contacts, previous work experience, information on the education obtained etc.
Legal basis:
- For the conclusion and performance of the agreement (GDPR Article 6, Paragraph 1, Sub-paragraph b)), processing is performed on the basis of the application received from the candidate, attesting the willingness to candidate for the vacancy;
- For the implementation of the legitimate interests of the Controller (GDPR Article 6, Paragraph 1, Sub-paragraph f), Article 9, Paragraph 2, Sub-paragraph f)), to evaluate suitability of the candidate to the vacancy;
Storage period
Storage period of the received personal data is 4 months after filling of the vacancy.
Possible recipients of personal data:
- Authorised employees of the Clinic – director, deputy director, head of the structural unit where the vacancy is announced;
- Hired processors of the Clinic – provider of the e-mail service, IT systems maintainer;
4.3. For ensuring of the record-keeping processes, receipt, processing and registering of the incoming documents, preparation, sending and registering of the outgoing documents.
In frame of this data processing Clinic organises the circulation of the incoming and outgoing e-mails, applications and other documents, their registration and preparation of responses.
The following personal data categories can be processed in frame of the purpose:
- Information indicated in the received document, for example, name, surname, address; contents of the application. In case if the letter is submitted by legal entities, the personal data of the person who prepared the document, if indicated, is processed.
Legal basis:
- For the fulfilment of legal obligations (GDPR Article 6, Paragraph 1, Sub-paragraph c)), processing is performed to implement requirements of the external laws and regulations, this legal basis is applied if the need to prepare response is stipulated by laws and regulations, for example, fulfilling the requirements of the Law on the Rights of Patients or implementing the rights of data subjects determined in the Chapter III of the General Data Protection Regulation;
- For the implementation of the legitimate interests of the Controller (GDPR Article 6, Paragraph 1, Sub-paragraph f)), to review the applications received and provide a response;
Storage period
Storage period of the personal data received is 10 years.
Possible recipients of personal data:
- Authorised employees of the Clinic according to their expertise;
- Hired processors of the Clinic – provider of the e-mail service, IT systems maintainer;
4.4. For the conclusion and fulfilment of economic transactions
In frame of this data processing Clinic concludes cooperation agreements both with legal and natural persons, performing the processing of personal data in frame of this.
The following personal data categories can be processed in frame of the purpose:
- Concluding the agreement with legal persons, personal data of the legal representatives, contacts can be processed – name, surname, e-mail, phone number, signature;
- Concluding the agreements with natural persons – name, surname, personal identity number, address, e-mail, phone number, signature, accounting information and other information related to the agreement;
Legal basis:
- For the conclusion and performance of the agreement (GDPR Article 6, Paragraph 1, Sub-paragraph b)), processed data is required to conclude and fulfil contractual obligations with the contractual party that is a natural person;
- For the implementation of the legitimate interests of the Controller (GDPR Article 6, Paragraph 1, Sub-paragraph f)), to be able to fulfil the obligations undertaken in accordance with the concluded cooperation agreement and to communicate on issues related to the fulfilment of the agreement;
Storage period
Storage period of the received personal data is 10 years after the fulfilment of the obligations of the agreement.
Possible recipients of personal data:
- Authorised employees of the Clinic responsible for the fulfilment of the agreement according to their expertise;
- Processors hired by the Clinic – provider of the e-mail service, IT systems maintainer;
4.5. Performance of the video surveillance
In frame of this data processing Clinic in its premises at Lāčplēša ielā 38, Riga, 5th floor, performs video surveillance for the following purposes:
- For the protection of the property, prevention and detection of criminal offences to ensure protection of legal interests of the Clinic, employees and visitors of the Clinic;
- For obtaining, preserving and submitting evidence to law enforcement institutions.
The following personal data categories can be processed in frame of the purpose:
- The following personal data can be processed in the process of video surveillance – appearance of the person and activities in the video surveillance area.
Legal basis:
- For the implementation of the legitimate interests of the Controller (GDPR Article 6, Paragraph 1, Sub-paragraph f)). The Clinic has the legitimate interest in video surveillance to protect its property and other material values and protect legal interest of its employees, visitors and clients. For the realization of its interests, the Clinic is entitled to transfer video recordings to the supervisory authorities according to their expertise, for example, State Police, if the transfer has legal basis and is necessary for the protection of legal interests of the Clinic.
Storage period
Video surveillance records are stored for 14 days. This period can be prolonged if the video is necessary for the implementation of the legitimate interests of the Clinic.
Possible recipients of personal data:
- Authorised employees of the Clinic responsible for the operation of the video surveillance system;
- Law enforcement institutions.
4.6. Informing the public on the activities of the company
In frame of this data processing Clinic takes photos or films the events it is organising or activities significant to its business in order to inform the public on the conduct of the Clinic’s business and promote the services it provides. In frame of this data processing photos and videos can be published on the website of the Clinic www.egv.lv, social media, Instagram, Facebook profiles. Patients receiving health care services at the Clinic are not photographed or filmed in frame of this purpose. Such activities can be performed in exceptional cases and only when the clear and unmistakable consent of the patient has been received.
The following personal data categories can be processed in frame of the purpose:
- Photo, video and activities pictured on them.
Legal basis:
- For the implementation of the legitimate interests of the Controller (GDPR Article 6, Paragraph 1, Sub-paragraph f)), to inform the public about the services provided by the Clinic, important events and development of the Clinic. Taking photos and filming of the events also allows the Clinic to document its activities to create the archive featuring important events of the Clinic. Photos and videos are carefully reviewed before publishing to ensure that the rights to privacy of the data subjects are not violated.
Storage period
Published photos and videos are stored and publicly displayed for 5 years. In case if the photo or video has a significant archival or historical value in the business of the Clinic, these materials can be stored for a longer period of time until the reaching of the purpose.
Possible recipients of personal data:
- Authorised employees of the Clinic – head of the PR and marketing;
- Hired processors of the Clinic – IT systems maintainer, creator of the photo or video;
- Any third party that is legally entitled to access the published materials.
Clinic can perform processing of personal data also for other purposes for which the Data subjects shall be informed separately.
5. Transfer of the personal data to countries outside the European Union or European Economic Area
5.1. Clinic does not transfer the personal data to the countries outside the European Union and European Economic Area.
5.2. In case the processing of personal data is performed outside the European Union or the European Economic Area, then Clinic makes sure that with regard to data security and technical requirements the respective service providers, processors to whom data will be transferred, comply to the requirements stipulated in the GDPR, other laws and regulations of the European Union and the Republic of Latvia and good practice guidelines.
6. Rights of the Data subject
6.1. Data subject is entitled when submitting an application to the Clinic in person and presenting personal identification document or sending application electronically to the e-mail info@egv.lv signed with the secure electronic signature:
6.1.1. Approach the Clinic and request information on the processing of his/her personal data performed by the Clinic;
6.1.2. Request rectification or correction, erasure or restriction of processing of one’s personal data or object to the processing of one’s personal data, as well as rights to request the portability of data;
6.1.3. Withdraw consent to the processing of one’s personal data if the basis for the processing of the personal data of the Data subject is the consent of the Data subject but it does not affect the legality of the processing activities of the personal data performed when the consent was in force.
6.1.4. Submit complaint on the illegal processing of personal data to the Data State Inspectorate if the Data subject has any doubts;
6.1.5. In any case implement all rights as the Data subject stipulated in the Chapter III of the General Data Protection Regulation.
6.2. Clinic will evaluate the request of the Data subject and implement rights of the Data subject according to the requirements of laws and regulations. Clinic will provide response to the application of the Data subject not later than within one month time. In cases of exception according to the Article 12, Paragraph 3 of the General Data Protection Regulation, Clinic can extend the reply period by two further months for which the Clinic will inform the Data subject.
7. Closing information
7.1. In case of any questions or uncertainties related to the processing of the personal data performed by the Clinic, Data subjects are entitled to approach the Clinic, using the contact details provided in Paragraph 2.1 or approach the data protection officer of the Clinic, using the contact details provided in the Paragraph 2.2.
7.2. Privacy policy can be changed upon necessity. Current version of the Privacy policy is published on the website www.egv.lv in the section – Privacy policy.
7.3. This Privacy policy enters into force on 5 July 2024.