"PERSEUS Healthcare Group SA", which operates and profits from METROPOLITAN HOSPITAL, is today one of the leading Greek healthcare providers that established a model hospital with a direct view to Man and Life, and follows the basic principle that the provision of top quality healthcare services is not a luxury but a right of every patient.
Our Company strives to conduct its business activities in accordance with the Privacy Principles, as we believe they demonstrate our firm commitment to ethical and responsible practices. We acknowledge that innovation and new technologies result in constant changes in risks, expectations and legislation and, thus, we observe privacy liability standards and aim at timely adaptation of how we implement them in response to these changes.
This Policy determines our standards for Personal Data management and protection by or on behalf of our company, which originates, directly or indirectly, from any country in the European Economic Area (EEA) and Switzerland, and is transferred to any other country, including transfer among EEA countries. These standards apply to our activities in any country and to any activity containing personal information and which activity is conducted in each of our affiliates and any domain (including any successor to our business) including, but not limited to, research, production, business activities, corporate support and data transfers necessary to carry out the above activities, including but not limited to:
Research and Production: initiation, management and funding of research studies / evaluation and involvement of researchers, members of the Science and Ethics Committee and partners to support research studies and product development / recruitment for research studies / evaluation of safety, effectiveness, quality of our product portfolio / compliance with our safety commitments and the quality of our products, including management and reporting of adverse events and complaints about product quality / submission of applications for approval and registration of our products with health authorities / compliance with applicable legal, regulatory or ethical requirements.
Commercial Activities: market evaluation of our products / advertising, marketing, sales, distribution and delivery of our products / communication with our customers and other end-users of our products / sponsorship and conduction of events / evaluation and encouragement of our partners to support our commercial activities / compliance with applicable legal, regulatory or ethical requirements.
Corporate Support: recruitment, employment, management, development, communication with and compensation of employees / provision of benefits to employees and their dependents / assessment of employee performance and talents / provision of education and other training and development courses / conduction of disciplinary proceedings and dealing with employee complaints / dealing with ethical and privacy concerns and conduct of investigations / managing and securing our physical and virtual assets and infrastructure / procurement and payment for products and services / fulfilling our commitments on environment, health and safety, and corporate responsibility / media communication / and compliance with the applicable legal, regulatory or ethical requirements.
This Policy also applies to all individuals whose data we process, including, but not limited to, customers, prospects, current and former employees and their dependents, members of the Ethics Committee, partners, investors and shareholders, government employees and other stakeholders.
All Company Employees and Executives have significant privacy responsibilities they must fulfill.
We acknowledge that unintentional errors and misjudgments in data protection can cause risks to the privacy of individuals as well as risks to our Company's reputation, processes, compliance and finances. Every Company employee and other individuals processing data on behalf of our company are responsible for understanding and fulfilling their responsibilities under this Policy and the applicable legislation.
Our Values and Standards on Privacy
Our privacy values are respected throughout our activities involving people, including how we apply privacy standards. The four privacy values comprise:
We acknowledge that privacy concerns are often related to the essential questions of “who we are”, “how we see the world”, and “how we define ourselves”. Thus, we strive hard to respect the perspective and interests of individuals and societies, and to be righteous and transparent in how we use and share information about them.
We know that confidence is vital to our success and, so, we are working hard to create and maintain customer, employee, patient and other stakeholders' confidence, with regard to respect and protection of information related to them.
We understand that misuse of human-related information can create tangible and intangible harm to individuals, thus, we try to prevent physical, financial damage, damage to their reputation or other privacy-related damage.
We have learned that laws and regulations are not always consistent with the rapid advances in technology, data flow and associated changes in privacy risks and expectations. Hence, we strive hard to comply with the spirit and regulations of privacy as well as with the data protection legislation, in ways that demonstrate consistency and operational competence of our business activities globally.
We integrate our privacy standards into all activities, processes, technologies and relationships with third-parties using Personal Data. We design privacy controls on our processes and technologies that are consistent with our values and privacy standards as well as with the applicable legislation. The 8 privacy principles outlined below summarize the privacy standards and basic requirements for high-level processes, activities and assistive technologies.
1. Lawfulness – Prior to collection, use or distribution of Personal Data, we set and record the specific, legitimate business purpose for which it is necessary.
• We set and record the time period for which Personal Data is needed for these specified business purposes.
• We do not collect, use or share any more Personal Data than needed, or retain Personal Data in an identifiable form for no longer than is necessary for these specified business purposes.
• We anonymize data when business requirements mandate that activity or process information be kept for a longer period of time.
• We ensure that such necessary requirements are embedded in any assistive technology and that all third-parties supporting the activity or process have been duly informed.
2. Fairness –We do not process Personal Data in ways that are unfair to the data subjects.
• We consider whether the proposed collection, use, or other form of Personal Data Processing constitutes a risk for actual or indefinite harm to individuals, in accordance with the Privacy Prevention Legislation.
• If the nature of the data, types of people or activity contain an inherent risk of actual or indefinite harm to individuals, we ensure that the risk of harm does not outweigh the relative benefits for these individuals or for our mission to save and to improve human lives.
• Where the risk is inversely related to the benefits for individuals, we handle Sensitive or Personal Data only with the explicit consent of individuals or as required or expressly permitted by the existing legislation.
• We record risk analysis and design any required mechanisms to obtain and record evidence that demonstrates consensus in assistive technologies.
3. Transparency - We do not process Personal Data in ways or for purposes that are not transparent.
• All individuals whose Personal Data are processed under this Policy shall be entitled to a copy of this Policy. Copies of this Policy shall be made available online at www.metropolitan-hospital.gr. The Data Protection Officer shall provide digital and/or physical copies of this Policy upon written request sent to the addresses listed below.
• When collecting Personal Data directly from individuals, we inform them through a clear, distinct, and easily accessible privacy notice or via similar means prior to collecting any information about (1) the corporate entity or entities responsible for processing, (2) the type of data to be collected, (3) the purposes for which it is to be used, (4) whom it will be shared with, including any claims for personal data disclosure upon legitimate requests from public authorities, (5) its retention period, (6) how individuals can ask questions, express their concern or exercise their rights with respect to their data, and (7) the online link of this Policy, where possible and appropriate.
• When collecting Personal Data from other sources and not necessarily under the direction of our company, prior to obtaining the data, we verify in writing that the data provider has informed individuals about the ways in and purposes for which the company intends to use this information. If a written verification cannot be obtained from the provider, we only use anonymous data or, prior to using Personal Data, we inform the individuals affected through a privacy notice or via similar means of (1) the corporate entity or entities responsible for processing, (2) the type of data to be collected, (3) the purposes for which it will be used, (4) whom it will be shared with, including any claims for personal data disclosure upon legitimate requests from public authorities, (5) its retention period, (6) how individuals can ask questions, express their concern or exercise their rights with respect to the data, and (7) the online link of this Policy, where possible and appropriate.
• We ensure that the necessary transparency mechanisms, including mechanisms supporting individual rights requests, where possible, are introduced into assistive technologies, and that third-parties supporting the activity or processing do not process personal data in ways that are inconsistent with what these people have been told, through privacy notices or via other verifiable means, on how we and others who work for us shall use this data.
4. Purpose Limitation – We use Personal Data only in accordance with the principles of Necessity and Transparency.
• Should new legitimate business purposes are identified for Personal Data already collected, we ensure that either the new business purpose (including a substantially similar purpose) is compatible with the purpose as described in the privacy notice or other transparency mechanism previously provided to the individual, or we obtain the consent of the individual for this new use of his/her Personal Data.
• We do not apply the above principle either to anonymous data or where we use Personal Data exclusively and solely for historical and scientific research purposes, and (1) an Ethics Review Committee or other competent auditor has determined that the risk of such use to privacy or other the rights of individuals are acceptable and (2) there is respect for the existing legislation.
• We ensure that purpose limitation constraints have been incorporated into the assistive technologies, including any reporting and downstream data sharing capabilities.
5. Data Quality - We keep all Personal Data accurate, complete and up to date, and in accordance with its intended use.
• We ensure that periodic data control mechanisms have been integrated into the assistive technologies to validate data accuracy with respect to source and downstream systems.
• We ensure that Sensitive Data is validated as accurate and current prior to use, evaluation, analysis, reporting or other processing that involves the risk of injustice to individuals if inaccurate or outdated data is used.
• When changes to Personal Data are made by our company or third-parties working for our company, we ensure that these changes are communicated in time, when reasonably possible.
6. Security – We incorporate safeguards to protect your Personal Data and Sensitive Data from loss, misuse, and unauthorized access, disclosure, or destruction.
• We have implemented a detailed information security policy and we apply security checks based on the sensitivity of the information and the risk magnitude of the activity, taking into account the best practices of modern technology and the cost of implementation. Our operational safety policies include, but are not limited to, business continuity and disaster recovery standards, identity and access management, information classification, information security incident management, network access control, physical security, and risk management.
7. Data Transfer - We are responsible for preserving the privacy of Personal Data when it is transferred from or to other organizations or cross-borders.
(1) We only transfer Personal Data or permit its processing by third-parties if the following conditions are met, and we are responsible for ensuring that any third-party we partner with fulfills these requirements:
• If the third-party’s role is to process Personal Data for or on behalf of our company, prior to the third-party receiving any Personal Data, we: (1) perform a legal privacy audit to evaluate privacy practices and risks related to these third-parties, (2) we obtain guarantees through contractual agreements with these third-parties that they shall process Personal Data in accordance with the instructions of our company and in accordance with this Policy, including, but not limited to, all 8 Privacy Principles and other standards set forth by this Policy and the existing Legislation, and that they shall promptly notify our company of any Privacy-Invasive Event, including any inability to comply with the standards set forth in this Policy and the existing legislation, or Security Event, and that they shall cooperate in the timely rectification of any documented Event and that they shall address the individual rights as these are outlined in Section 2 below, and that they shall allow our company to perform audits and supervise their practices during processing regarding their compliance with these requirements. Additionally, if the third-party processes Personal Data originating from a country or territory with legislation restricting the transfer of Personal Data, we shall ensure that the transfer to the third-party meets the conditions for cross-border transfer as described below in Section 2. Where one of our subsidiaries acts exclusively on behalf of another subsidiary of our company for the processing of Personal Data, and where required by Legislation, these subsidiaries of our company shall perform internal data processing in accordance with Principle 8 of this Policy.
• If the third-party’s role is to provide Personal Data to our company, prior to the obtaining of this Personal Data from the third-party, we ensure that the Transparency Requirements are met for collecting Personal Data from other sources, not specifically under the supervision of our company, and we obtain guarantees through contractual agreements with these third-parties that the provision of Personal Data to our company entails no violation of any Legislation or of any third-party’s rights.
• If the third-party's role is to obtain from our company data for processing that is not specifically under our company's supervision, before we deliver the data to the third-party, we ensure that the data have been anonymized and we obtain written guarantees from the third-party that it shall only use the data for the operational purposes specified in the agreement and in accordance with the existing legislation, and that it shall not attempt to reverse the data anonymization process.
(2) We perform cross-border Personal Data transfer from or on behalf of our company in accordance with this Policy. We shall apply this Policy to Personal Data transfers from any other country or territory with legislation that restricts the transfer of Personal Data.
8. Legally Permissible - We process Personal Data only if it complies with the requirements of the applicable legislation.
• Whereas the other 7 Privacy Principles and terms of Individual Rights set out below are intended to ensure that the conditions for most privacy and data protection laws applicable in our industry around the world are met, some countries need to meet additional requirements, including, but not limited to:
• Where appropriate, we shall obtain specific forms of consent to process specific Personal Data, including, but not limited to, approval of processing by works councils or other trade unions.
• Where appropriate, we shall record the processing of Personal Data with the applicable privacy or data protection regulatory authority.
• Where appropriate, we shall further limit the Personal Data data retention periods.
• Where appropriate, we shall enter into agreements that include special contract clauses, including agreements for cross-border data transfers to third-parties.
• Where appropriate, we shall disclose personal data upon legitimate requests from the public authorities, including
We shall promptly address requests related to individual rights to access, correction, modification or deletion of Personal Data or objection to the processing of Personal Data.
• Access, Correction and Deletion – According to the Greek Legislation, individuals have the right to access any Personal Data related to them, and to correct, modify or delete any Personal Data that is inaccurate, incomplete or obsolete. We shall approve all individuals’ requests for access, correction and deletion of their Personal Data. If an application for access, correction or deletion set forth by the existing Legislation provides greater protection for individuals, we shall ensure that the additional conditions are met under this Legislation.
• It is hereby clarified that, in particular, the request for deletion of personal data shall always be met within the context of the legislation in force and provided there is no regulatory or other obligation on the Hospital to keep the personal data to be deleted, such as the obligation to keep medical data for a period of twenty (20) years.
• Choice - In accordance with the Privacy Principles of "Respect" and "Trust", we approve individual objections to Personal Data processing, including, but not limited to, the choice not to participate in programs or activities that individuals previously had agreed to participate in, the process of their personal data for direct marketing purposes involving communication that targets them and is based on Personal Data, and for any evaluation or decision making about them, which has the potential to significantly affect them, and which is performed through the use of algorithms or automation
• Save for cases where it is also prohibited by the Legislation, we may refuse the choice where a particular application may impede the ability of the company to: (1) comply with the Legislation or a moral obligation, including the case where we are obliged to disclose personal data in response to legitimate requests by the public authorities, on the grounds of security authority or national security requirements, (2) to investigate, defend or file legal claims, and (3) to seek legal remedies, and (3) conclude contracts, manage relationships, or perform other permissible business activities that are consistent with the principles of Transparency and Restriction of Purpose and which have been introduced on the basis of the data of the persons related to them. Within fifteen working days of any decision to refuse a request for selection in accordance with this Policy, we shall record the decision and communicate it to the applicant.
We shall respond timely and we shall rank all privacy-related questions, complaints, concerns and any Privacy-Invasive Event or Security Event.
• Any person, whose Personal Data we process within the scope of this Policy, may ask questions, complain or express their concerns to our company at any time, including the request to receive a list of all our subsidiaries subject to this Policy. We expect that our employees and other individuals working on behalf of our company shall provide an early notice if they have reason to believe that an applicable law may prevent them from complying with this Policy. Any question, complaint or concern from an Individual or any notice from an employee or other person working on behalf of our company must be addressed to the Data Protection Officer:
• Via email:firstname.lastname@example.org
• By post: Data Protection Officer, 264 Messogeion Avenue, Cholargos, P.C. 15562 Attica, Greece.
• Employees and contract staff are obliged to timely inform their Data Protection Officer about any questions, complaints or concerns regarding our company's privacy practices.
• The Data Protection Officer shall review and investigate or work with the Legal Service to investigate all questions, complaints or concerns related to our company's privacy practices, whether received directly by our employees or other individuals or third-parties, including, but not limited to, regulatory authorities, accountability officers or other government authorities. We shall respond to the person or entity who raised the question, complaint, or concern against our company within thirty (30) or sixty (60) calendar days maximum, except where the Law or an applicant/third-party requires a response within a shorter period of time or where conditions require a longer period of time, as in the case of parallel government investigation. In this case, the person or applicant/third-party shall be notified in writing as soon as permitted by the general nature of the circumstances contributing to the delay.
• The Data Protection Officer, in cooperation with the Legal Service and the Compliance Office, shall cooperate with the privacy regulatory authority in response to any investigation, inspection or inquiry.
• For complaints that cannot be resolved between our company and the person who made the complaint, our company has agreed to participate in the following conflict resolution processes, investigation and treatment of complaints to resolve disputes related to this Policy.
• However, if, at any time, persons residing in the EEA or persons whose Personal Data is subject to the EEA Data Protection Legislation and is transferred outside the EEC and whose data is subject to processing related to this Policy, they have the right, under this Policy, to impose the conditions of this Policy as eligible third-parties, including the right to take legal action in order to claim damages for the violation of their rights under this Policy and the right to receive damages for harm caused by such violation.
• Persons residing in the EEA or individuals whose Personal Data is subject to the EEA Data Protection Legislation and is transferred outside the EEA (for reasons of clarity, including the USA) may have claims against the Company under this Policy
• before the courts or the data protection authority of the country of the EEA from which their Personal Data was transferred; or
• before the Greek courts or the Hellenic Data Protection Authority.
• Our company shall respond to the person or entity who put forth the question, complaint, or concern in our company within thirty (30) calendar days, except where the Law or an applicant/third-party requires a response within a shorter period of time or where conditions require a longer period of time, in which case the person or the third-party shall be notified in writing.
Terms that you need to know
Anonymization. Changing, cutting, eliminating or otherwise restricting or transforming Personal Data to make it impossible for them to be used to identify, locate or communicate with the individual.
Legislation. All laws, rules, regulations and mandates which have the force of law in any country in which our company operates or in any country Personal Data is processed by or on behalf of our company.
Our company. Our company. "IASO GENERAL - GENERAL CLINIC IN CHOLARGOS S.A.”, its subsidiaries, apart from the joint ventures in which our company participates.
Personal Data. All data for an identified or unidentified individual, including data that identifies a person or data that could be used to identify, locate, track, or communicate with this person. Personal Data also includes direct identification information, such as name, identification number or unique job title, and indirect identification information, such as date of birth, unique mobile or portable identification number, telephone number and encoded data.
Privacy-invasive Event. It refers to the violation or breach of this Policy or of privacy or data protection legislation, and includes a Security Event. Whether a privacy-invasive event has taken place and whether it has a physical occurrence shall be determined by the Data Protection Officer and the Legal Service/Compliance Department.
Processing. Performing any process or series of processes in human data, with or without automated means, including, but not limited to, collection, recording, arranging, storage, access, adaptation, conversion, retrieval, counseling, use, evaluation, analysis, reference, distribution, disclosure, and dispersion, transmission, disposal, formatting, combination, inhibition, deletion, erasure or destruction.
Security Event. Access by an unauthorized person to Personal Data or disclosure of Personal Data to an unauthorized person or a reasonable suspicion by our company that this has occurred. Access to Personal Data by or on behalf of our company without the intention of violating this Policy does not constitute a Security Event, provided that the specific Personal Data was used afterward and disclosed only as permitted by this Policy.
Sensitive data. Any type of data relating to people, involving intrinsic risk of potential harm to individuals, including data that is legally defined as sensitive, including, but not limited to, health, inheritance, race, ethnic origin, religion, political or philosophical beliefs or convictions, criminal records, precise geographic location information, bank or other financial account numbers, state registration numbers, minors, sexual life, relations with trade unions, security, social security and other employer or state benefits.
Third-party. Any legal entity, organization or person not belonging to our company, or for which our company has no auditing interest or does not work for our company. Unless explicitly set by this Policy, no subsidiary or sector of our company is required to meet the requirements of a third-party under this Policy, as all subsidiaries and sectors are required to process human data in accordance with this Policy, including the cases where one of our subsidiaries supports one or more of our subsidiaries during processing.
Changes to this Policy
This Policy may be reviewed occasionally in accordance with the requirements of the existing legislation. Whenever this Policy is changed, a notice shall be posted on our company’s website (www.iasogeneral.gr) for 60 days.