Information obligation when providing personal data

In relation to meeting of the information obligation pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to only as the “Regulation”), we would hereby like to familiarise you with the following information.

Identification details and contact details for the controller:
MUDr. Gabriel Šlárko, Tax ID No. 1080305039, Company ID No. 51417138, VAT Tax ID No. SK1080305039, Tatranská Polianka 21001, 06201 Vysoké Tatry, email: gabriel.slarko@gmail.com, telephone no.: +421905247021
(hereinafter referred to only as the “Controller”)

Basic information about processing and protection of personal data – “Information” within the meaning of Act No. 18/2018 Coll. of the National Council of the Slovak Republic on personal data protection (the “Act”)

The Controller provides health care services, medical interventions/procedures (“health care services”), to its patients and clients subject to a fee on the basis of mutual agreement which arises by confirmation of the patient’s written informed consent to a specific medical intervention/procedure or method of treatment, after simultaneously having been familiarised with the price list of medical services which are provided.

A patient of the Controller may be any natural person who is assessed by the relevant examining physician to be eligible for admission to health care provided by the Controller. Otherwise, the examining physician is obliged to advise the person of other appropriate alternative health care services. In the case of children who are minors, the Controller will communicate with their legal representative.

When using the healthcare services of the Controller, both patients and potential patients (communicating via the web portal www.slarko.sk – hereinafter referred to only as the “Portal”) are asked to provide their personal data and in this context, they must be provided basic information about processing of their personal data and the principles of protection of this data by the Controller within the meaning of the Act.

Pursuant to this Act, the Controller is the controller (administrator) of the personal data of natural persons which is collected.

The internal organisational structure of the Controller ensures the lawful processing and handling of personal data of the data subjects (patients/potential patients of the Controller) and permanent monitoring of the functionality and security of the Controller’s information systems.

The Controller obtains and processes the following information about the person – patient/potential patient:

a/ basic identification data (name, surname, title, date of birth and personal ID number);
b/ contact details (permanent address, correspondence address, email address and telephone number);
c/ data about the patient’s/potential patient’s state of health within the scope of a questionnaire regarding the patient’s/potential patient’s medical history and health insurance company code;
d/ photographic documentation (an image of the person concerned – the patient) or video recording of the course of the medical intervention/procedure performed on the patient.

(hereinafter referred to only as “personal data”)

The Controller obtains this personal data from mutual communication (both over the telephone and in writing, including text messages and email).

Provision of this personal data is voluntary and such data is provided with the explicit informed consent of the patient/potential patient.

Certain items of data are necessary in order to ensure compliance with legal obligations when concluding an agreement on health care and without certain items of data, the Controller cannot provide the health care services offered via the internet Portal.

The patient/potential patient is obliged to provide the Controller only truthful, accurate and complete information about his/her personal data, a fact which he/she is solely liable for.

The patient’s/potential patient’s personal data is processed electronically in the information systems of the Controller and also in the information systems of contracted physicians (or health care professionals) providing health care services, or other contracted professionals (e.g. for the purposes of HR management and payroll accounting, bookkeeping or legal representation under the Act on Advocacy, etc.).

The Controller, insofar as this is possible and expedient from the point of view of exercising its rights and legitimate claims, may also obtain other types of information about the patient/potential patient from available public sources, registers or databases, this being for the purpose of verifying and identifying the information obtained and where applicable for verification of the patient’s/potential patient’s credibility, etc.

The Controller may also process other data, for example from web browsers, satisfaction surveys and user/consumer testing, on the basis of specific consent or permission settings for certain applications.

The Controller processes personal data without the patient’s/potential patient’s consent in order to comply with its obligations imposed by law (e.g. the Act on protection against money laundering), to protect its rights and legitimate interests, to ensure the security of its operations and to prevent fraud, to analyse and evaluate potential risks and for the direct marketing of its own services (products).

The Controller processes personal data with the consent of the patient/potential patient for marketing purposes beyond the framework of its legitimate interest, i.e. including profiling, for offering of health care services (products) or services of the Controller’s contractual partners (listed on the Controller’s website).

The purpose of the processing of the patient’s/potential patient’s personal data is defined by the extent to which such data is provided in connection with the offer for performance of health care services and, on the other hand, the enquiry for reservation of a specific date and time for performance of such health care services via the Controller.

If the patient/potential patient fails to provide his/her personal data, it will not be possible to enter into the relevant contractual relationships which will enable, on the one hand, the offer – or provision of the respective health care service and, on the other hand, use of the health care services offered via the Controller. In this context, the personal data of the person in question is necessary for use and utilisation of the health care services provided via the Controller.

The user of the health care services provided by the Controller is informed of the rules regarding processing of personal data as part of the contractual documentation and whenever the Controller processes any additional or changed personal data. This information for patients/potential patients is publicly available on the Company’s website: www.slarko.sk.

Purpose and duration of processing of personal data

(i) performance of a contract or meeting of another obligation and provision of health care services:

a/ for the period of negotiations regarding (or the process of) conclusion of the contractual relationship for the purpose of concluding the contract, as well as for the duration of the contractual relationship;
b/ sending satisfaction questionnaires for the purpose of improving the quality of the services provided to the public following a reservation which has been made, as well as within the framework of evaluation of the patient’s satisfaction, personal data in the scope of name, surname, residence address, telephone number and email address may be transferred to a third party – to an intermediary which processes the personal data of Users of the Portal on the basis of a contract and authorisation from the Controller and which is obliged to ensure the same level of protection of personal data as the Controller itself. The period of processing of personal data in this case is 2 years;
c/ marketing promotions: for the purpose of fulfilling the purpose of the marketing promotion, evaluation, termination, delivery of any possible prizes, etc. Period of processing: for the duration of the marketing promotion.
d/ sending of newsletters with new offers of health care services; Period of processing: for the period of consent or until withdrawal of consent;
e/ claims for defectively provided health care services; Period of processing: for the duration of the period over which the patient’s claim is being dealt with, or while an investigation is being carried out by the relevant supervisory and control bodies, other public authorities or local authorities, or for the duration of any judicial proceedings.

(ii) compliance with a legal obligation or for the purpose of meeting a statutory obligation (in particular accounting, tax and archiving obligations, provision of assistance to public authorities, police and courts, etc.);

a/ tax documents will be kept for a period of 3 years from the end of the contractual relationship; for the purpose of meeting the legal obligation of archiving accounting documents on the basis of Act No. 563/1991 Coll. on Accounting as amended, personal data will be further processed and stored for a period of 2 years from the year following the year in which the contractual relationship between the patient/potential patient, the Controller and the personal data administrator (a contracted third party) was concluded;

b/ meeting of obligations in connection with exercising of rights arising from defective performance, provision of assistance to public administration authorities/local government, administrative authorities, the police or courts, etc. The Controller is entitled to process basic personal, identification and contact data of the patient/potential patient, data regarding the health care service and data from communication between the Controller and the patient/potential patient for a period of 2 years from the date of expiration of the period for making a claim for the health care services provided.

(iii) legitimate interests of the Controller and protection of the Controller’s rights and Controller’s interests protected by law:

a/ effective defence in the event of a dispute; the period of processing of personal data here is set at 2 years from the expiry of the time limit for making a claim for the health care services provided;
b/ it is a legitimate interest of the Controller, in its capacity as a commercial company, to send commercial communications (bulk offers and individual offers), this being in accordance with point 47 of Regulation (EU) 2016/679 of the European Parliament and of the Council, if the Company has obtained electronic contact details for a patient/potential patient in connection with use of a referral via its online Portal.

(iv) marketing and commercial offers of the Controller’s healthcare services;

a/ bulk mailing of commercial offers for health care services: sending of general advertising messages without targeting a specific group of recipients; the period of processing of personal data in this case is 2 years;
b/ individual offer: sending of advertising messages after evaluation of certain personal aspects relating to the patient/potential patient of the Controller. The Controller does not perform profiling in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, as this does not concern automated processing, but manual creation of individual offers. The period of processing of personal data in this case is 2 years;
c/ sending of commercial information by third parties (other administrators) to whom the personal data of the Controller’s patients/potential patients has been handed over on the basis of consent given by the Controller’s patient/potential patient (the specific explicit consent of the Controller’s patient/potential patient is required here);
d/ sending questionnaires – verified by patients/potential patients of the Controller: for the purpose of improving the quality of health care services provided to the public. Within the framework of assessment of satisfaction and other surveys, the Controller may transfer personal data within the scope of the email address to a third party (another administrator), exclusively on the basis of a contract and contractual authorisation to do so. The period of processing of personal data in this case is 2 years (the specific explicit consent of the Controller’s patient/potential patient is required here);
e/ sending of newsletters (the specific explicit consent of the Controller’s patient/potential patient is required here); The period of processing of personal data in this case is 2 years.

(v) Cookies (short text files generated by a web server and stored on a computer via a browser).

First and foremost, this concerns cookies which are necessary to ensure the functioning and analysis of the website (to perform transmission of electronic communication via an electronic communication network, you cannot refuse consent to use of these cookies).

This also concerns cookies which assess certain personal aspects relating to a specific patient/potential patient of the Controller, but to which this specific patient/potential patient must give his/her consent. The period of processing of personal data in this case is 2 years.

Cookies are only passed on to third parties (processors) for the purpose of re-marketing if consent has been granted for this purpose, this being with an expiry date of at most 540 days. If consent to advertising cookies is withdrawn, it is technically not possible to immediately delete the cookie once it has been transmitted to the processor. Deletion of cookies by the processor occurs automatically after the expiry date. An immediate solution to prevent re-marketing activities by processors is to delete cookies from the browser, see instructions at: www.slarko.sk.

After expiration of the periods mentioned above, the Controller will delete or anonymise the personal data.

Processed personal data is under permanent physical, electronic and procedural control, which the Controller ensures by means of modern electronic technological equipment equipped with set security mechanisms and processing of processed data. This ensures protection of the processed data against unauthorised access or transmission, against loss or destruction, as well as against other possible misuse.

All persons who come into contact with the personal data of the Controller’s patients/potential patients during the course of their work or contractual duties are bound by a legal or contractual obligation to preserve confidentiality and ensure the legal protection of all such personal data.

The Controller may transfer the personal data of patients/potential patients (without their consent) to control and supervisory authorities as well as to other public administration bodies (if this obligation is established by law or in justified cases), also to other third parties – in the capacity of an intermediary (lawyers, notaries, accounting and tax advisors, courts and investigative authorities, etc.) in cases when this is necessary to protect the rights of the Controller or to meet the legal obligations of the Controller, whereas these third parties are legally or contractually obliged to provide the same level of protection for the personal data of the Controller’s patients/potential patients as the Controller itself.

The personal data of the Controller’s patients/potential patients may be transferred to contractors providing services for the Controller, such as provision of mailing services, marketing communication, completion of the reservation (ordering) process, sending commercial messages, evaluating the satisfaction of the Controller’s patients/potential patients, customer – client support services, handling claims and registration of a new patient/potential patient of the Controller.

A precise list of intermediaries and suppliers to whom it is possible to pass on the personal data of the Controller’s patients/potential patients can be found on the Controller’s website: www.slarko.sk. With the consent of the Controller’s patients/potential patients, personal data may also be disclosed to persons other than the above-mentioned parties.

Rights of patients/potential patients of the Controller relating to the processing of their personal data

In accordance with the valid legislation, the patient/potential patient of the Controller may exercise his/her personal data protection rights, these being the right to:

a) request of the Controller access to his/her personal data;
b) correction of the personal data which has been provided;
c) erasure of the personal data which has been provided;
d) restriction of processing of personal data;
e) file a complaint with the Office for Personal Data Protection;
f) transfer personal data to another controller;
g) object to processing of personal data;
h) withdraw consent to processing of personal data;
i) request in writing the erasure of personal data from the information systems of the Controller (with the exception of cases where processing of such data is necessary for further processing in order to comply with the Controller’s legal obligations or where processing of such data is necessary to enable the Controller to continue to provide health care services).

In cases where the Controller processes personal data on the basis of the consent of the patient/potential patient of the Controller, this consent may be withdrawn by the patient/potential patient at any time. In cases where personal data is processed on the basis of legitimate interest on the part of the Controller, the patient/potential patient of the Controller may object to such processing. The Controller will evaluate each submission of such objection and inform the patient/potential patient of the Controller of the outcome. The Controller is obliged to respond to any such request or objection (complaint) of the patient/potential patient of the Controller regarding personal data within a deadline of 30 days from the date of receipt of this complaint.

The Controller must always comply with any objection to the processing of personal data for marketing purposes.

The patient/potential patient of the Controller has the possibility of contacting the Controller at any time by e-mail/enquiry at: www.slarko.sk, where he/she can get answers to any questions he/she may have about personal data issues and where he/she can make any requests and objections (complaints) regarding the processing of his/her personal data.

If the patient/potential patient of the Controller objects that the Controller is processing his/her personal data in conflict with the protection of his/her private and personal life or in violation of the relevant legislation, in particular if the personal data is inaccurate with regard to the purpose of its processing, the patient/potential patient of the Controller may:

a) request an explanation from the Controller by sending an email to: gabriel.slarko@gmail.com; or
b) object to processing and submit a request by email sent to gabriel.slarko@gmail.com asking that the Controller ensures that the defective state of affairs is rectified (e.g. by blocking, correcting, supplementing or destroying the personal data).

When exercising the right of the patient/potential patient of the Controller to protection of personal data, the Controller has the right to request proof of his/her identity.

Receipt of a request or objection (complaint) from a patient/potential patient of the Controller to exercise his/her right to protection of personal data is possible only by means of a data message or a letter with a certified signature sent to the address of the Controller’s registered office. In the written complaint, it is necessary to provide an email address to which a verification email will subsequently be sent by the Controller to confirm the identity of the patient/potential patient of the Controller – the person sending the request or objection.

Any request for access to personal data must also be sent from the email address of the patient/potential patient of the Controller, whereby the Controller has the right to request additional verification in the form of a reply to a verification email.

If the patient/potential patient of the Controller – the person sending the request does not prove his/her identity within 14 days from the date the verification email is sent, his/her request for exercising his/her right to protection of personal data will not be accepted and dealt with.

If the Controller fails to satisfactorily resolve queries or requests from the patients/potential patients of the Controller or their objections in relation to the protection and processing of personal data provided by them, they have the right to contact the Office for Personal Data Protection of the Slovak Republic, with registered office at Hraničná 12, 820 07 Bratislava 7, www.dataprotection.gov.sk.

Slovak courts are competent to resolve any disputes arising in connection with any breach of protection of the personal data (privacy) of the patients/potential patients of the Controller.
