"PERSEUS Healthcare Group SA", which operates and profits from METROPOLITAN HOSPITAL, is today one of the leading Greek healthcare providers that established a model hospital with a direct view to Man and Life, and follows the basic principle that the provision of top quality healthcare services is not a luxury but a right of every patient.
Our Company strives to conduct its business activities in accordance with the Privacy Principles, as we believe they demonstrate our firm commitment to ethical and responsible practices. We acknowledge that innovation and new technologies result in constant changes in risks, expectations and legislation and, thus, we observe privacy liability standards and aim at timely adaptation of how we implement them in response to these changes.
This Policy determines our standards for Personal Data management and protection by or on behalf of our company, which originates, directly or indirectly, from any country in the European Economic Area (EEA) and Switzerland, and is transferred to any other country, including transfer among EEA countries. These standards apply to our activities in any country and to any activity containing personal information and which activity is conducted in each of our affiliates and any domain (including any successor to our business) including, but not limited to, research, production, business activities, corporate support and data transfers necessary to carry out the above activities, including but not limited to:
- Research and Production: initiation, management and funding of research studies / evaluation and involvement of researchers, members of the Science and Ethics Committee and partners to support research studies and product development / recruitment for research studies / evaluation of safety, effectiveness, quality of our product portfolio / compliance with our safety commitments and the quality of our products, including management and reporting of adverse events and complaints about product quality / submission of applications for approval and registration of our products with health authorities / compliance with applicable legal, regulatory or ethical requirements.
- Commercial Activities: market evaluation of our products / advertising, marketing, sales, distribution and delivery of our products / communication with our customers and other end-users of our products / sponsorship and conduction of events / evaluation and encouragement of our partners to support our commercial activities / compliance with applicable legal, regulatory or ethical requirements.
- Corporate Support: recruitment, employment, management, development, communication with and compensation of employees / provision of benefits to employees and their dependents / assessment of employee performance and talents / provision of education and other training and development courses / conduction of disciplinary proceedings and dealing with employee complaints / dealing with ethical and privacy concerns and conduct of investigations / managing and securing our physical and virtual assets and infrastructure / procurement and payment for products and services / fulfilling our commitments on environment, health and safety, and corporate responsibility / media communication / and compliance with the applicable legal, regulatory or ethical requirements.
This Policy also applies to all individuals whose data we process, including, but not limited to, customers, prospects, current and former employees and their dependents, members of the Ethics Committee, partners, investors and shareholders, government employees and other stakeholders.
All Company Employees and Executives have significant privacy responsibilities they must fulfill.
We acknowledge that unintentional errors and misjudgments in data protection can cause risks to the privacy of individuals as well as risks to our Company's reputation, processes, compliance and finances. Every Company employee and other individuals processing data on behalf of our company are responsible for understanding and fulfilling their responsibilities under this Policy and the applicable legislation.
Our Values and Standards on Privacy
Our privacy values are respected throughout our activities involving people, including how we apply privacy standards. The four privacy values comprise:
We acknowledge that privacy concerns are often related to the essential questions of “who we are”, “how we see the world”, and “how we define ourselves”. Thus, we strive hard to respect the perspective and interests of individuals and societies, and to be righteous and transparent in how we use and share information about them.
We know that confidence is vital to our success and, so, we are working hard to create and maintain customer, employee, patient and other stakeholders' confidence, with regard to respect and protection of information related to them.
We understand that misuse of human-related information can create tangible and intangible harm to individuals; thus, we try to prevent physical or financial damage, damage to their reputation or other privacy-related damage.
We have learned that laws and regulations are not always consistent with the rapid advances in technology, data flow and associated changes in privacy risks and expectations. Hence, we strive hard to comply with the spirit and regulations of privacy as well as with the data protection legislation, in ways that demonstrate consistency and operational competence of our business activities globally.
1. We integrate our privacy standards into all activities, processes, technologies and relationships with third-parties using Personal Data. We design privacy controls on our processes and technologies that are consistent with our values and privacy standards as well as with the applicable legislation. The 8 privacy principles outlined below summarize the privacy standards and basic requirements for high-level processes, activities and assistive technologies.
|Privacy Principle||Our Fundamental Commitments|
|1. Lawfulness – Prior to collection, use or distribution of Personal Data, we set and record the specific, legitimate business purpose for which it is necessary.||
|2. Fairness – We do not process Personal Data in ways that are unfair to the data subjects.||
|3. Transparency – We do not process Personal Data in ways or for purposes that are not transparent.||
|4. Purpose Limitation – We use Personal Data only in accordance with the principles of Necessity and Transparency.||
|5. Data Quality – We keep all Personal Data accurate, complete and up to date, and in accordance with its intended use.||
|6. Security – We incorporate safeguards to protect your Personal Data and Sensitive Data from loss, misuse, and unauthorized access, disclosure, or destruction.||
|7. Data Transfer – We are responsible for preserving the privacy of Personal Data when it is transferred from or to other organizations or cross-borders.||
(1) We only transfer Personal Data or permit its processing by third-parties if the following conditions are met, and we are responsible for ensuring that any third-party we partner with fulfills these requirements:
(2) We perform cross-border Personal Data transfer from or on behalf of our company in accordance with this Policy. We shall apply this Policy to Personal Data transfers from any other country or territory with legislation that restricts the transfer of Personal Data.
|8. Legally Permissible – We process Personal Data only if it complies with the requirements of the applicable legislation.||
2. We shall promptly address requests related to individual rights to access, correction, modification or deletion of Personal Data or objection to the processing of Personal Data.
- Access, Correction and Deletion – According to the Greek Legislation, individuals have the right to access any Personal Data related to them, and to correct, modify or delete any Personal Data that is inaccurate, incomplete or obsolete. We shall approve all individuals’ requests for access, correction and deletion of their Personal Data. If an application for access, correction or deletion set forth by the existing Legislation provides greater protection for individuals, we shall ensure that the additional conditions are met under this Legislation.
It is hereby clarified that, in particular, the request for deletion of personal data shall always be met within the context of the legislation in force and provided there is no regulatory or other obligation on the Hospital to keep the personal data to be deleted, such as the obligation to keep medical data for a period of twenty (20) years.
- Choice – In accordance with the Privacy Principles of "Respect" and "Trust", we approve individual objections to Personal Data processing, including, but not limited to, the choice not to participate in programs or activities that individuals previously had agreed to participate in, the processing of their personal data for direct marketing purposes involving communication that targets them and is based on Personal Data, and for any evaluation or decision making about them, which has the potential to significantly affect them, and which is performed through the use of algorithms or automation.
- Save for cases where it is also prohibited by the Legislation, we may refuse the choice where a particular application may impede the ability of the company to: (1) comply with the Legislation or a moral obligation, including the case where we are obliged to disclose personal data in response to legitimate requests by the public authorities, on the grounds of security authority or national security requirements, (2) to investigate, defend or file legal claims, and (3) to seek legal remedies, and (3) conclude contracts, manage relationships, or perform other permissible business activities that are consistent with the principles of Transparency and Restriction of Purpose and which have been introduced on the basis of the data of the persons related to them. Within fifteen working days of any decision to refuse a request for selection in accordance with this Policy, we shall record the decision and communicate it to the applicant.
3. We shall respond timely and we shall rank all privacy-related questions, complaints, concerns and any Privacy-Invasive Event or Security Event.
- Any person, whose Personal Data we process within the scope of this Policy, may ask questions, complain or express their concerns to our company at any time, including the request to receive a list of all our subsidiaries subject to this Policy. We expect that our employees and other individuals working on behalf of our company shall provide an early notice if they have reason to believe that an applicable law may prevent them from complying with this Policy. Any question, complaint or concern from an Individual or any notice from an employee or other person working on behalf of our company must be addressed to the Data Protection Officer:
- By fax:
- By post: Data Protection Officer, 264 Messogeion Avenue, Cholargos, P.C. 15562 Attica, Greece.
- Employees and contract staff are obliged to timely inform their Data Protection Officer about any questions, complaints or concerns regarding our company's privacy practices.
- The Data Protection Officer shall review and investigate or work with the Legal Service to investigate all questions, complaints or concerns related to our company's privacy practices, whether received directly by our employees or other individuals or third-parties, including, but not limited to, regulatory authorities, accountability officers or other government authorities. We shall respond to the person or entity who raised the question, complaint, or concern against our company within thirty (30) or sixty (60) calendar days maximum, except where the Law or an applicant/third-party requires a response within a shorter period of time or where conditions require a longer period of time, as in the case of parallel government investigation. In this case, the person or applicant/third-party shall be notified in writing as soon as permitted by the general nature of the circumstances contributing to the delay.
- The Data Protection Officer, in cooperation with the Legal Service and the Compliance Office, shall cooperate with the privacy regulatory authority in response to any investigation, inspection or inquiry.
- For complaints that cannot be resolved between our company and the person who made the complaint, our company has agreed to participate in the following conflict resolution processes, investigation and treatment of complaints to resolve disputes related to this Policy.
- However, at any time, persons residing in the EEA, or persons whose Personal Data is subject to the EEA Data Protection Legislation and is transferred outside the EEA, and whose data is subject to processing related to this Policy, have the right, under this Policy, to impose the conditions of this Policy as eligible third-parties, including the right to take legal action in order to claim damages for the violation of their rights under this Policy and the right to receive damages for harm caused by such violation.
Persons residing in the EEA or individuals whose Personal Data is subject to the EEA Data Protection Legislation and is transferred outside the EEA (for reasons of clarity, including the USA) may have claims against the Company under this Policy:
- before the courts or the data protection authority of the country of the EEA from which their Personal Data was transferred; or
- before the Greek courts or the Hellenic Data Protection Authority.
- Our company shall respond to the person or entity who put forth the question, complaint, or concern in our company within thirty (30) calendar days, except where the Law or an applicant/third-party requires a response within a shorter period of time or where conditions require a longer period of time, in which case the person or the third-party shall be notified in writing.
Terms that you need to know
- Anonymization. Changing, cutting, eliminating or otherwise restricting or transforming Personal Data to make it impossible for them to be used to identify, locate or communicate with the individual.
- Legislation. All laws, rules, regulations and mandates which have the force of law in any country in which our company operates or in any country Personal Data is processed by or on behalf of our company.
- Our company. "IASO GENERAL - GENERAL CLINIC IN CHOLARGOS S.A.", its subsidiaries, apart from the joint ventures in which our company participates.
- Personal Data. All data for an identified or unidentified individual, including data that identifies a person or data that could be used to identify, locate, track, or communicate with this person. Personal Data also includes direct identification information, such as name, identification number or unique job title, and indirect identification information, such as date of birth, unique mobile or portable identification number, telephone number and encoded data.
- Privacy-invasive Event. It refers to the violation or breach of this Policy or of privacy or data protection legislation, and includes a Security Event. Whether a privacy-invasive event has taken place and whether it has a physical occurrence shall be determined by the Data Protection Officer and the Legal Service/Compliance Department.
- Processing. Performing any process or series of processes in human data, with or without automated means, including, but not limited to, collection, recording, arranging, storage, access, adaptation, conversion, retrieval, counseling, use, evaluation, analysis, reference, distribution, disclosure, and dispersion, transmission, disposal, formatting, combination, inhibition, deletion, erasure or destruction.
- Security Event. Access by an unauthorized person to Personal Data or disclosure of Personal Data to an unauthorized person or a reasonable suspicion by our company that this has occurred. Access to Personal Data by or on behalf of our company without the intention of violating this Policy does not constitute a Security Event, provided that the specific Personal Data was used afterward and disclosed only as permitted by this Policy.
- Sensitive data. Any type of data relating to people, involving intrinsic risk of potential harm to individuals, including data that is legally defined as sensitive, including, but not limited to, health, inheritance, race, ethnic origin, religion, political or philosophical beliefs or convictions, criminal records, precise geographic location information, bank or other financial account numbers, state registration numbers, minors, sexual life, relations with trade unions, security, social security and other employer or state benefits.
- Third-party. Any legal entity, organization or person not belonging to our company, or for which our company has no auditing interest or does not work for our company. Unless explicitly set by this Policy, no subsidiary or sector of our company is required to meet the requirements of a third-party under this Policy, as all subsidiaries and sectors are required to process human data in accordance with this Policy, including the cases where one of our subsidiaries supports one or more of our subsidiaries during processing.
Changes to this Policy
This Policy may be reviewed occasionally in accordance with the requirements of the existing legislation. Whenever this Policy is changed, a notice shall be posted on our company’s website (www.metropolitan-hospital.gr) for 60 days.
20 May 2018