(INFORMATION ON PROCESSING OF PERSONAL DATA)
Ladies and gentlemen,
UAB Bolerada (hereinafter referred to as – the Company or the Data Controller), being a socially responsible and caring participant in the Lithuanian health system and health care market services, in order to ensure the high standard of services provided and to adequately and comprehensively protect personal data processed by the Company:
- performed a thorough and consistent audit of the personal data being processed;
- appointed a data protection officer;
- prepared and approved the Company’s personal data processing manual (the Company’s internal collection of personal data processing documents);
- updated the service agreements used by the Company, and Patient Consents;
- performed an assessment of its suppliers for the reliability of personal data processing;
- has taken other steps necessary for the processing of personal data.
The Company appreciates and values its relationships with all data subjects (patients, employees, partners, etc.), and therefore, strives to provide the most complete, consistent and clear information about the processing of personal data. For your convenience, we provide hereby information in the form of questions and answers.
The Company kindly reminds you that personal data are any information that can be used to identify a person, as well as information about a person who has already been identified.
The Company respects your privacy and takes appropriate legal and organisational measures to ensure that your personal data are secure and that the data processing activities comply with the requirements of data protection legislation.
When processing your personal data, we comply with the Regulation, the Civil Code of the Republic of Lithuania, the Labour Code of the Republic of Lithuania, the Republic of Lithuania Law on Electronic Communications, the Republic of Lithuania Law on Consumer Protection, the Republic of Lithuania Law on Health Care Institutions, the Republic of Lithuania Law on the Rights of Patients and Compensation of the Damage to their Health, the Republic of Lithuania Law on Accounting, other laws and legal acts regulating the processing and protection of personal data, conformity and due implementation.
- WHY DOES THE COMPANY PROCESS PERSONAL DATA?
The Company carries out activities related to the processing of personal data:
- maintains business relations with its partners and ensures provision of a high quality services (client care);
- provides health care services to patients;
- manages the Company’s corporate documentation;
- manages employment relationship and occupational safety documentation (concludes employment contracts, performs their accounting, performs the company’s duties established by legal acts as an employer, maintains and ensures proper communication with employees outside working hours, ensures appropriate working conditions, collects and stores historical data, ensures employee and document security);
- manages the documents of the interns studying health care and related data;
- prepares and manages commercial agreement (sale and purchase, supply, contracting, lease, service, copyright, etc.), and administers contractual and related regulatory relations;
- organises social and cultural events (concerts) and actions;
- collects, systematises and analyses information about the services received by patients, determines the needs of patients, forms personalised offers, and manages the Company’s sales;
- conducts direct marketing;
- administers patient arrears and takes measures to recover them;
- collects, stores and uses video data (photos and footage) for the provision of the Company’s services, advertising, marketing and other related purposes;
- uses aggregated data on use of social networks and interest identification;
- uses the IP address (browsers of website visitors) recognition means (website cookies).
In accordance with legal acts, the performance of these activities obliges the Company to process (collect, retain (store), use and share) relevant personal data. We confirm that all personal data are processed in accordance with the requirements of the legal acts of the EU and the Republic of Lithuania, the Company’s internal procedures and taking into account the conditions described in this information.
- WHERE DOES THE COMPANY OBTAIN PERSONAL DATA?
The Company receives personal data:
- directly from natural persons – patients, employees, partners, service providers, etc. (e.g., when concluding agreements, submitting applications, subscribing to newsletters, filling in questionnaires and sending e-mails, these persons provide their personal data to the Company);
- from other medical institutions;
- from banks, credit institutions, payment service providers (e.g., information on patient payments);
- from the competent state authorities;
- from public databases and information sources (e.g., Register of Legal Entities, Real Property Register, Credit info, Regia.lt, etc.);
- from recorded video (photographs and videos) materials;
- from cookies.
- WHO CAN RECEIVE PERSONAL DATA FROM THE COMPANY?
The legislation stipulates that the Company may provide personal data held by it not only to their owners or use these data in its activities, but also to transfer these personal data to other persons. The Company wants the data subjects to know that their personal data may be lawfully and legitimately transferred by the Company:
- to other medical institutions;
- to credit institutions that provide financial services to patients;
- to service providers of the Company (e.g., financial institutions, auditors, IT service providers, lawyers and law firms, judicial officers, consultants and advisers, etc.);
- to service providers of the patient who have submitted a written request (instruction, consent) of the patient to the Company to contact the Company and receive the patient’s personal data;
- to companies that provide a specialised newsletter sending services;
- to competent public authorities (e.g., the State Tax Inspectorate, the State Consumer Rights Protection Service, the Competition Council, etc.);
- to state-owned enterprises (e.g., the Centre of Registers).
The access of all these companies to the data subject’s information is limited; only the information necessary for the provision of their services is provided, and they may not use this information for purposes other than the provision of services to us.
Disclosure of personal data to other parties may be necessary when required by law, due to legal proceedings, litigation and/or requirements of the state and governmental authorities in or outside the country of residence.
The Company may also disclose personal information if deemed necessary:
- for reasons of national security, law enforcement or other public interests;
- to ensure compliance with the terms and conditions of the Company regulations;
- to protect the Company’s operations, and its patients;
- to be disclosed to a related third party in the event of reorganisation, merger, sale or bankruptcy.
In other cases, the disclosure of personal data shall be possible only upon a written consent of the data subject.
- IS IT NECESSARY THAT THE COMPANY PROCESSES PERSONAL DATA?
Yes, it is necessary. The Company processes personal data because:
- without the processing of these data, the legal requirements for the protection of the rights and legitimate interests of data subjects could not be met;
- in the absence of these data it would not be possible to conclude and perform agreements;
- we would not be able to analyse the patients’ needs and expectations, and ensure a higher standard of quality of services we provide;
- this would help to promptly analyse the requests, wishes and complaints of data subjects, if any. Without the collection and storage of personal data, this would not be possible.
Are you obliged to provide your personal data to the Company? No, you are not obliged to do so. However, without these personal data, we will not be able to provide the service properly and meet your expectations.
- Provision of health care services
When providing health care services, the Company shall process personal data of the patients in accordance with the requirements of legal acts.
|Categories of personal data processed:||1. name and surname;|
3. citizenship (when administering the fact of health insurance);
4. place of residence (address);
5. e-mail address (data will not be collected, if the patient does not have an e-mail address and/or does not agree to provide it);
6. telephone number (data will not be collected, if the patient does not have a phone number and/or does not agree to provide it);
7. personal ID number (data will not be collected, if it is not necessary to create a patient file for the provision of services);
8. date of birth;
9. data from the personal identity document;
10. information on social insurance – social insurance certificate number, pension recipient’s certificate number, etc.;
11. financial information:
11.1. information on whether the services are paid for by the patient or from the budget of the Compulsory Health Insurance;
11.2. whether the services have been paid in full, and whether they are partially financed (if partially financed, what funds contribute a share – the funds of an insurance company, the employer, the patient or other persons);
11.3. the amount of money spent on services;
12. health data:
12.1. personal health care services provided, including the most commonly provided services;
12.2. video images of patients (skin, body parts and X-rays);
12.3. video recordings of the patient.
The purpose of collection is fulfilment of legal obligations, performance of agreements, and control of the quality of services.
If you agree to receive newsletters and offers from the Company, the personal data shall be processed in order to provide offers and information, such as non-personalised newsletters, information about offers of the Company or the Company’s partners, discounts, promotions and sales, by asking to provide your opinion about the services we offer.
Your e-mail address may be transferred to the third parties providing specialised services only in order to send you a newsletter. The ability of these companies to use your e-mail address is limited, and they may not use this information for purposes other than providing services to us.
You can unsubscribe from receiving news and offers to your e-mail at any time by clicking on the link provided at the end of the e-mail.
Your refusal to receive partner offers and newsletters will not prevent you from using other services of the Company.
|Categories of personal data processed:|
|Legal basis||Recipients of newsletters and partner offers – legitimate interest. Your consent to receive newsletters and partner offers.|
- SERVICE MARKETING
Personal data shall be processed in order to display new services and their sets, to facilitate later acquisition, etc.
|Categories of personal data processed:||1. name and surname;|
2. contact information (e.g., e-mail address, delivery address);
3. age (if specified);
4. information on how you use the Company’s services;
5. information on purchases made.
|Legal basis||For registered and unregistered patients – legitimate interest.|
The purpose of collection is to offer the patient a personalised solution.
- patient service management
The company uses patient data for:
- responding to inquiries, complaints, requests made by these persons by telephone or digital channels;
- identity validation;
- technical support.
|Categories of personal data processed:||1. name and surname;|
2. contact information (e.g., e-mail address, telephone number and delivery address);
3. patient correspondence;
4. information about the date of purchase and complaints;
5. Other documents and/or data provided with the request (e.g., pictures).
|Legal basis||Requirements of the legal acts, as we have a duty to examine and respond to your, as consumers, inquiries. A legitimate interest in evaluating the feedback of our patients in order to improve the quality of activities and services.|
- Information on how the COMPANY’S websites are used
For purposes of evaluating, developing and improving the Company’s services and systems, in addition to information provided directly by patients, the Company may collect non-personal information about the use of the Company’s websites, including, but not limited to, social networking sites.
This helps to better understand the Company users (e.g., how much time they spend on different pages, what links they choose, what users dislike, etc.).
In order to better understand the needs of the Company users and to optimise the services and user experience, the Company may collect the following information:
- Device information, i.e., the IP address (traced and stored in an anonymous form only), the operating system version, and the settings of the device that you use to access the content.
- Login information, i.e., the time and duration of the session, terms of the queries you enter on our websites, and information stored in cookies.
- Geographic location – country only.
All such information is stored only in the pseudonymous user profile. This information is never used to identify specific users and is not linked with other individual user information.
In order for us to offer full-fledged services, with your consent, information (cookies) shall be stored on the computer (or other device you use), which is used to identify you as a previous user of the Company’s websites, collecting website traffic statistics.
More information about the Company’s cookies policy is available here.
- Websites of the third parties; services on the COMPANY’S websites
The Company’s website(-s) or social network accounts may contain third-party ads, links to their websites and services, over which the Company has no control. The Company does not bear responsibility for the safety and privacy of the information collected by the third parties.
You should be careful and read the privacy provisions applicable to the third party websites and services you use.
- Retention of personal data
The processing conforms to the legal requirements, which means that personal information shall not be stored longer than necessary for the purpose of the processing.
The information will be removed when it no longer appropriate for or no longer needed for the performance of the analysis, direct marketing or for the purposes for which it was collected.
The Company stores personal data for a period of:
- 1 (one) year when personal data related to candidates are processed;
- 2 (two) years from the date of the last provision of services to the data subject in the case of direct marketing;
- 3 (three) years when personal data related to interns are processed;
- 5 (five) years when personal data related to the performance of insurance contracts are processed;
- 10 (ten) years when personal data related to the performance of financial obligations are processed;
- 25 (twenty-five) years when personal data, including special data, related to personal health care services provided to Patients are processed;
- 50 (fifty) years when the personal data of the Employees are processed.
Upon expiration of the said periods, the data shall be deleted in a manner that does not allow their recovery.
The Company uses reasonable and appropriate physical, technical, organisational and legal measures to protect the information we collect for the purpose of providing content/services. However, be reminded that even though we take all adequate measures to protect your information, none of the websites, online transactions, computer systems or wireless connections are absolutely secure.
- Your rights and options
If your personal data is processed in the Company’s activities, you have the following rights:
14.1. Right of access to your personal data processed by us: You have the right to request our confirmation as to whether we process your personal data and, in such cases, to request access to your personal data processed by us;
14.2. The right to request the correction of your inaccurate data: if you believe that the information about you is incorrect or incomplete, you have the right to ask for its correction;
14.3. Right to object to the processing of your personal data: You have the right to object to the processing of personal data when personal data are processed in accordance with our legitimate interests. However, notwithstanding your objection, we will continue to process your data in the event of good cause for further processing;
14.4. Right to request the deletion of your personal data (right to be forgotten): In certain circumstances, you have the right to request that we delete your personal data. However, this provision does not apply if we are required by law to retain data;
14.5. Right to restrict the processing of your personal data: In certain circumstances, you also have the right to restrict the processing of your personal data;
14.6. The right to apply to the State Personal Data Protection Inspectorate directly or by e-mail with a complaint regarding improper processing of personal data. by e-mail email@example.com.
In order to exercise your right as a data subject, please complete this form and submit it to the contact details of the Data Protection Officer set out in this Policy.
We note that the Company may not create conditions for the implementation of the above rights when, in cases provided by law, it is necessary to ensure the prevention, investigation and detection of crimes, violations of official or professional ethics, as well as protection of data subject or other persons’ rights and freedoms.
- Contact information
A Data Protection Officer (DPO) has been appointed in the Company, who supervises the processing of personal data of the Company and its data subjects. Contact details of the Data Protection Officer:
UAB Veritas bona (tel. 304628436, address Kalvarijų str. 300, Vilnius), e-mail: email jurgita@ veritasbona.lt
Address: UAB Bolerada, Statybininkų g. 1A – 102, LT-03205 Vilnius
E-mail (DAP): firstname.lastname@example.org
- Validity and amendments to the Policy