Data Protection Privacy Policy of Bioiatriki Group of HealthCare Companies and the Associated Companies (Bioiatriki Healthcare Group) websites

April 2020

Object of the Privacy Policy
The BIOIATRIKI Group (hereinafter referred to as the “Group”) takes care of the security of your personal data and takes the appropriate technical and organizational measures for their protection in accordance with applicable national and EU legislation, in particular the General Data Protection Regulation (EU) 2016/679, the respective national legislation, as well as the Decisions, Instructions and Opinions of the competent supervisory Authority.

“BIOIATRIKI” Group consists in particular of the Bioiatriki Group of HealthCare Companies (BIOIATRIKI PRIVATE MULTI-MEDICAL CLINIC SA, BIOCLINIC ATHENS SA – HEALTH SERVICES PRIVATE CLINIC, BIOCLINIC THESSALONIKI PRIVATE CLINIC SA, ΥIANNOUKAS MEDICAL LABORATORIES LTD, ALPHA EVRESIS DIAGNOSTIC CENTER LTD) and its affiliated companies (FONEMED HELLAS SA TELEPHONE SERVICES, BIO – DENTAL DENTAL SA, CROSSBORDERMEDCARE HELLAS MEDICAL SA, CROSSBORDERMEDCARE FACILITATIONS SA).

This Policy applies to all installations and / or digital environments and applications, which belong to the Group and are related to its activity (indicatively mentioned): www.bioiatriki.gr, www.bioclinic.gr, www.biomedsmile.gr, www.fonemed.gr, www.crossbordermedcare.com, www.labcy.com, www.evresisdiagnostic.com, www.bioiatrikidigital.gr. 

The contact details of the BIOATRIKI Group to which you have addressed and which is the Data Controller, are the following:

Name: BIOIATRIKI PRIVATE MEDICAL CLINIC SA
Postal address Leoforos Kifisias 132 and Papada, 115 26, Athens
Email address: dpo@bioiatriki.gr
Contact telephone: 210 6966000
Website: www.bioiatriki.gr

Definitions
For the purposes of this Policy, the following terms have the following meanings:

“Personal Data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name; in an identity number, position data, online identity ID or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
“Specific categories of personal data”: personal data disclosing racial or ethnic origin, political beliefs, religious or philosophical beliefs or trade union affiliation, as well as the processing of genetic, biometric data for the data relating to health or data relating to the natural sexual life or sexual orientation of the person.

“Processing”: any operation or sequence of operations performed, with or without the use of automated means, on personal data or on personal data sets, such as collection, registration, organization, structure, storage, adaptation or change, retrieval, retrieval of information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.

“Controller”: a natural or legal person, public authority, department or other body which, alone or in conjunction with others, determines the purposes and manner of processing personal data; determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be laid down by Union law or the law of a Member State.

“Executor”: a natural or legal person, public authority, department or other body that processes personal data on behalf of the controller.

“Data Subject”:  the natural person whose personal data is processed, eg customers, employees, etc.

“Recipient”: the natural or legal person, public authority, service or other body to which personal data are disclosed, whether third party or not. However, public authorities which may receive personal data in the context of a specific investigation under Union or Member State law shall not be considered as recipients; the processing of such data by such public authorities shall be in accordance with applicable data protection rules depending on the purposes of the processing,

“Third party”: any natural or legal person, public authority, service or body, with the exception of the data subject, the controller, the processor and the persons who, under the direct supervision of the controller or processor , are authorized to process personal data,

“Consent” of the data subject: any indication of a will, free, specific, express and fully aware, by which the data subject expresses his or her consent, by declaration or clear positive action, to the processing of personal data concern it.

“Violation of personal data”: a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.

“Anonymization”: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject.

 “Nickname”: the processing of personal data in such a way that the data can no longer be attributed to a particular data subject without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that cannot be attributed to an identified or identifiable natural person.

“Genetic data”: the personal data relating to the genetic characteristics of a natural person inherited or acquired, as obtained in particular from the analysis of a biological sample of that natural person and which provide unique information about the physiology or health of the individual; due to natural person,

“Biometric data”:  the personal data obtained by special technical processing relating to the natural, biological or behavioral characteristics of a natural person and which enable or confirm the unambiguous identification of that natural person, such as facial images or fingerprint data,

“Health data”: the personal data relating to the physical or mental health of a natural person, including the provision of health care services, disclosing information relating to his or her state of health,

“Existing legislation”: The respective national and EU legislation on personal data protection and specifically the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”), the Greek N. 4624/2019, the Cypriot Law 125 (I) / 2018, as in force, as well as the Decisions, Instructions and Opinions of the Greek Authority for Personal Data Protection and the Office of the Commissioner for Personal Data Protection (Cyprus).

General Principles of Personal Data Processing
The Group collects and processes your personal data in accordance with the following processing principles:
Legitimacy, objectivity, transparency: The Group legally collects and processes your personal data, in a transparent manner.
Restriction of purpose: The Group processes your personal data only for specified, explicit and legal purposes
Data minimization: The Group takes the appropriate technical and organizational measures, so that the personal data it processes are appropriate, relevant and limited to what is necessary for the purposes for which they are processed
Accuracy: The Group ensures that the personal data it maintains and processes is always accurate and up to date.
Limitation of the storage period:  The Group does not maintain personal data for a period longer than required by the purposes under which they were collected and processed. However, the Group may retain them for a longer period of time if the processing of such data is necessary:

1. a) for the observance of a legal obligation that requires processing under a provision of law,
2. b) for the fulfillment of a duty performed in the public interest;
3. c) for reasons of public interest,
4. d) for archiving purposes in the public interest, or for the purposes of scientific or historical research, or for statistical purposes, after appropriate technical and organizational measures have been taken, including their pseudonymization, and only if such purposes cannot be served by the data,
5. e) for the establishment, exercise or support of legal claims.  
   Integrity and confidentiality: The Group ensures that the collection and processing of your personal data is done in a safe manner, using the appropriate technical and organizational means, to be protected from any unauthorized or illegal processing and accidental loss, destruction or damage.

Personal Data we collect
The Group collects and processes your personal data, only if it is absolutely necessary, necessary and appropriate to achieve its intended purposes.  In particular, the personal data we collect and process is briefly summarized as follows:
The Group collects and processes your personal data, only if it is absolutely necessary, necessary and appropriate to achieve its intended purposes. In particular, the personal data we collect and process is briefly summarized as follows:

• 
  Identity and demographics of examinees / patients (ie name, patronymic, mother’s name, date of birth-age, spouse’s name, gender, ID card number, passport number, AMKA, examiner’s code, sick book number / registration number, TIN, registration or in which company / organization do you work, etc.),
• 
  data of third parties, such as your relatives (ie name, surname, patronymic, ID card number, etc.) e.g. for the receipt of your medical results or for the provision of authorization for the receipt of your medical results in case of your objective disability,
• 
  contact details (ie postal address, landline and mobile phone, e-mail) for the communication between us, the sending of the results of your examinations or for the sending to you of the Group information and advertising bulletins for the provided services, news and offers,
• 
  insurance details [eg insured code, insurance fund or company, insurance relationship, group or individual insurance number, coverage code, date of entry into force or renewal of the insurance policy, expiry date of the insurance coverage, date of the contract, date of dispatch, insurance policy status (active or invalid), members covered, etc.],
• 
  health data and in particular data related to the medical services provided by the Group, which relate to diagnostic and clinical examinations, hospitalization, doctors’ referrals, internal circulation cards, clinical symptoms, medical staff and / or your family and / or previous medical history, medication and treatment, medical reports and medical findings, any disabilities and obstetrics, obstetrics and gynecology medical services, details of surgeries, such as recording endoscopic surgeries, previous health care, incident code, etc. also, in the context of the provision of our medical services we may collect and process health data following medical services that were not provided by our Group, but were communicated / transmitted to us by you or a person accompanying you and become absolutely necessary for the assessment of the condition your health and the provision of related services,
• 
  biological samples and genetic data for the purpose of laboratory testing (eg hematological, biochemical, hormonal, pathological, immunological, microbiological, molecular biology and cytogenetic),
• 
  data of clinical studies and related research programs for conducting clinical studies / research, which we initially process using a pseudonym  • information on financial data and financial liabilities, e.g. details of the financially liable expense, evidence of receipts and so on,
• 
  browsing data on our website, such as the Internet Protocol (IP) address of your device when you browse our individual websites www.bioiatriki.gr, www.bioclinic.gr www.biomedsmile.gr , www.fonemed.gr , www.crossbordermedcare.com , www.labcy.com , www.evresisdiagnostic.com , www.bioiatrikidigital.gr the type of browser you use etc For more information on the use of cookies on our website, you can refer to its Cookies Policy Group (https://bioiatriki.gr/cookies),
• 
  CCTV and video camera data and video equipment, security cameras,
• 
  Audio data from your recorded telephone calls during the scheduling process of your medical visits, following your prior notification of the relevant recording (eg name, telephone number, date of birth (and / or age), postal address, type of examination , intended date of medical examinations, insurance fund),
• 
  data on requests you have made to exercise your rights or grievances,
• 
  data of prospective employees in our Group which are contained in the attached CVs or in relevant forms (ie name, surname, contact details, education, work experience, etc.)
• 
  data of employees in our Group such as: name, surname, patronymic, patronymic, gender, date of birth, home address, telephone (landline / mobile), email (corporate / personal), citizenship, marital status, number of children, registries or family certificates, details of ID number, TIN, Tax Office, IBAN, diplomas, professional certifications, certificates of military service, training seminars, qualifications, previous service, date of employment, salary data, allowances, evaluation reports, etc.
• 
  data of suppliers and associates of the Group, such as name, patronymic, gender, date of birth, telephone, home address, telephone (landline / mobile), email (company / staff), ID number, passport number, VAT number, tax office, IBAN, professional certificates , qualifications, as well as any further information that may be required by national law (eg tax law).

How to Collect Personal Data
The collection of personal data is carried out by both physical and electronic means per case, such as:
• at the reception and service points of the Group Companies,

• 
  when filling out various forms or during our electronic communication,
• 
  when using our call center or our individual websites to schedule an examination or receive another medical or non-medical service,
• 
  when providing primary or secondary health care medical services to you following information that you give us or that arises during your examination or constitutes the results of your medical examination,
• 
  when you tell us your desire to use your insurance contract,
• 
  when you apply to work for our Group,
• 
  when you are hired as an employee in our Group,
• 
  when you contract as a partner / supplier with our Group or our individual Companies,
• 
  when you request a newsletter,
• 
  when entering a Group Company premises, which is monitored by CCTV and security cameras.

Purposes and legal bases for the processing of your personal data
The personal data collected by the Group is used for the following processing purposes, namely:

• For the provision of health services, ie the planning of the medical visit and / or the -after prior identification of the examinees- provision of primary and secondary health care services and general medical care, the sending / delivery to you of the results of the medical examinations, for the maintenance and updating of your medical record, etc. Regarding the processing of special categories of data, ie sensitive data (health data, biometric and genetic data), the processing is necessary for the purposes of preventive medicine, diagnosis, health care or treatment. The legal basis for processing this data is: (a) in principle the need to process your data for the purposes of preventive or occupational medicine, medical diagnosis, health or social care or treatment or under contract with a healthcare professional, and (b) the necessity of elaboration for the fulfillment of the obligations and the exercise of our specific rights or yours in the field of labor law and social security and social protection law or for the fulfillment of a duty performed in the public interest, (c) the necessity of elaboration of the (d) the need to process your data to establish, exercise or uphold rights and legal claims in cases relating to medical liability and the provision of health services in general, (for the protection of the vital interests of you or the person accompanying you), (e) the need to process the data for reasons of public interest in the field of public health, such as protection against serious cross-border health threats or ensuring high standards of quality and safety of healthcare and medicines or medical devices, as required by law. We will never process your medical data unless there is one of the above legal bases and we have not previously obtained your explicit consent, after first informing you of the respective purpose of processing. In case you use a public insurance fund / institution some of your personal data will be processed on the legal basis of the relevant processing, the need to process your personal data for the purpose of providing health or social care, as well as the need to process for the fulfillment of obligations and exercise of your specific rights in protection or for the performance of a duty performed in the public interest.
• For the compliance of the Group and its affiliated Companies with their legal obligations, such as for example the compliance with the Code of Medical Ethics (Law 3418/2005) or the compliance with the tax, insurance legislation, etc. Legal basis for processing in it the case is the compliance of the Group Companies with their legal obligations.
• For the safeguarding and protection of the legal interests, both of the natural persons (eg patients, visitors) and of the Companies of our Group. Eg we use closed circuit television (CCTV) and security cameras, in order to be able to protect the security of individuals, materials, facilities, in accordance with the specific conditions provided for the installation of cameras in medical institutions. The legal basis of processing in this case is the legal interest of the Group Companies.
• To send newsletters about the Group’s news, for commercial communication about our products and services, so that you are informed about the Group’s innovations, products, and offers. The legal basis for processing in this case is your prior explicit consent.
• For the – upon prior identification – communication between us and the management of your requests, whether related to personal data protection issues, or the quality of your service. The legal basis for processing in this case is the legal interest of the Group Companies and / or the compliance of the Group with its legal obligations, in accordance with the Existing Legislation.
• To export statistical data, after anonymizing your data. The legal basis for processing in this case is the need to export statistical data.
• For the purposes of scientific research and the conduct of clinical studies / trials and / or other clinical research programs, after the pseudonymization of your data. The legal basis for processing in this case is the need for scientific research, provided that the necessary documents are obtained. We will ask for your consent, only for your participation in the relevant research projects.

For the legal conclusion and execution of the contracts concluded by the Group with third parties. The legal basis for processing in this case is the need to process your data in the context of fulfilling our contractual obligation or during the pre-contractual stage.

In order for the Group to hire staff or to contract with external partners (eg doctors, nurses, etc.). The legal basis for processing in this case is: (a) the need to process such data, in the context of the performance of our contractual obligation or at the pre-contractual stage and (b) the need for elaboration in order to fulfill our obligations and the exercise of certain rights of ours or yours in the field of labor law and social security and social protection law or for the performance of a duty performed in the public interest.

Transfer of personal data
The Group may transmit the above personal data to:
• Third parties to whom it has entrusted the processing of personal data on its behalf. In particular, the Group may transfer your personal data to associates belonging to its medical network, who act on its behalf, contractually committed to the Group companies for the provision of independent services (eg to associate doctors for diagnostic or clinical trials, associate physiotherapists / dentists / nutritionists / psychologists), collaborating diagnostic centers, collaborating clinics and hospitals, collaborating laboratories) or / to third-party collaborators for the Company’s account Especially, for the associates employed within the Group’s Companies, they may have access to the data of the medical record kept by the Group for you, where this is necessary for the evaluation and assessment of your health condition during the provision of medical services and t the issuance of medical opinions, findings, etc. In any case, the third parties to whom the data of the subjects may be transmitted are contractually bound to the Group, in order to ensure the obligation of confidentiality as well as all the obligations provided by the Existing Legislation. In all the above cases, the Group defines the individual elements of the processing, signs special contracts with third parties to whom it entrusts the execution of specific processing activities, ensuring that the processing is carried out in accordance with Existing Legislation. These third parties undertake contractually with the Group that they will process your personal data only for the specific and contractually defined purposes and will not transmit and / or disclose them to third parties, unless required by law.

• To your public insurance company / fund in case you use it.
• In private insurance / employer companies. The Group, through its Companies, may transmit your sensitive personal data (health data) to trading third party companies to bear the cost of the medical services provided to you or to partner private insurance companies within the European Union and the EEA for your insurance, provided only by your prior explicit consent has been given prior to such transmission. Your medical data will not be transmitted to your insurance / employer Company without your prior explicit consent. Furthermore, the Group transmits upon your request to your insurance company, your recorded conversation with the telephone center, coordination center and computer center of the Group, under the name FONEMED HELLAS SA or sends written information about your communication and the course of your scheduled visits.
• In Group Companies, to the extent that this transfer is necessary to serve your requests and the purposes of the Group, obtaining the necessary consent where necessary A common electronic database for the registration of medical results of primary health care and makes intra-group transfers of your data, whenever necessary, for the provision of medical services to you and their management.
• Judicial and prosecutorial authorities, as well as other public authorities (eg tax authorities, etc.) in the exercise of their duties ex officio or at the request of a third party invoking a legal interest and in accordance with legal procedures In addition, for reasons of protection of the public interest in the field of public health, we may, in accordance with the relevant legislation, transmit your personal data to the competent authorities, such as e.g. the National Organization of Public Health (EODY).

In case the transmission concerns a country outside the European Union (EU) or the European Economic Area (EEA), in the context of testing and analysis of biological material for rare diseases or in third countries and / or organizations for clinical trials / tests or to cover the total cost of the services provided to you (eg your insurance company), the Group checks whether:
– The Commission has issued an adequacy decision for the third country to which the transfer will take place.
– The appropriate guarantees are observed in accordance with the Existing Legislation for the transmission of this data.
Otherwise, the transfer to a third country is prohibited and the Group will not transfer your personal data to it, unless one of the special derogations provided by the Existing Legislation applies (eg explicit consent as well as informing you about them. risks involved in the transmission, the transmission is necessary for the performance of the contract at your request, there are reasons of public interest, it is necessary to support legal claims and vital interests of the subjects, etc.).

Personal Data Retention Period

The personal data collected by the Group, are kept for a predetermined and limited period of time, depending on the purpose of processing, after which the data is safely deleted and / or destroyed, unless otherwise provided or permitted by applicable law.
The period of keeping your data is defined indicatively based on some more specific criteria and depending on the case. Indicative:

(a) Your personal data must be kept for the duration required by the purpose of their processing and / or the applicable legal framework. At the end of this period, the data are kept in accordance with the current institutional framework for the period provided by the end of the transaction or for as long as is required to defend the rights of the “BIOATRIKI” Group before a Court or other competent Authority. We keep for two (2) years the applications with the attached CVs that you send us, in order to evaluate them to fill a certain position and after the lapse of two years, we destroy them or delete them safely

(b) When processing is required by the provisions of the applicable legal framework, your personal data will be stored for at least as long as the relevant provisions require. In particular, and according to article 14 of the Code of Medical Ethics L.3418 / 2005, the keeping of a medical record is provided for a decade (10 years) from the last visit of the patient to the private clinics and other primary health care units of the private sector and for twenty years (20 years) from the last visit of the patient in any other case In particular, the brief medical history that you may give us prior to a diagnostic test is only kept for as long as it takes to diagnose the test, and is then safely destroyed.

(c) For the Companies of our Group, GIANNOUKA CHEMISTRY LTD and ALPHA EVRESIS DIAGNOSTIC CENTER LTD based in Cyprus, in accordance with the Directive issued by the Commissioner for Personal Data Protection entitled “Data on personal health , the retention period of personal data related to the health of the data subject, does not exceed fifteen (15) years after the death of the subject or fifteen (15) years, after the last registration by the above Companies of our Data Group relating to the subject to an archiving system. This period is valid as, there are no financial / legal or other pending issues or differences between the data subject and the Companies of our Group.

(d) For the purposes of promoting products and services (marketing activities) and in any other case where the processing is based on your consent, your personal data is kept until the withdrawal of your consent, without prejudice to the legality of the processing based on consent in the period before its revocation. For the process of revoking the consent you must submit a request to the Group Data Protection Officer (DPO) (see his contact details below). Alternatively and for the purposes of promoting products and services you can also use the unsubscribe options by following (clicking) on the corresponding link that exists in our electronic communications. As long as your email address remains in our database, you will receive periodic email updates from us.

(e) The physical file with the medical results of your examinations and in general files with medical content that you receive, is kept for sixty (60) days from the date of its examination / issuance at the delivery office of the respective Unit-Company in which you perform the examinations. , if you do not choose to be sent to your e-mail address or by courier to your postal address, any company of our Group provides this possibility. At the same time, they are registered and kept in electronic form, while the physical file, after the expiration of the above period of 60 days, is safely destroyed according to the prescribed and safe procedure The digital files with your electronic signature in which you indicate the way of receiving the results of your exams in a different way than the personal receipt of them by you or a third party that you will declare and your possible consent for receiving newsletter, information material and offers of our Group, providing your consent for any transfer, is maintained for as long as is required to meet its respective purpose, and after the fulfillment of its purpose is maintained for a period of five (5) years

(f) The data we collect when you submit a request, as well as the relevant file in which they are recorded, are kept for twenty (20) years from the date of their collection.

Security of Personal Data
Taking into account the latest developments, the application cost and the nature, the scope, the context and the purposes of the processing, as well as the risks of different probability of occurrence and seriousness for the rights and freedoms of the users from the processing, the Group receives the necessary technical and organizational measures to protect your personal data. Although no internet transmission method or electronic storage method is completely secure, the Group takes all the necessary digital data security measures (antivirus, firewall, etc.) etc At the same time, the Group adopts the required security measures such as ISO 27001, installation video surveillance system (CCTV), alarm system, etc.

Data Protection Impact Assessment (DPIA)
When a processing may pose a high risk to the rights and freedoms of individuals, the Group conducts, prior to processing, an assessment of the impact of the planned processing operations on the protection of personal data (“impact assessment”). Impact assessment is a process designed to describe the treatment, assess its necessity and proportionality, and assist in risk management by evaluating and identifying measures to address them. It is not required for every form of processing, but only in cases where a form of processing is considered high risk (high-risk). The impact assessment takes into account the nature, extent, general context and objectives of the treatment in order to assess whether a risk is likely to occur, as well as its seriousness for the rights and freedoms of the subjects.
The Group may decide to carry out an impact assessment for processing, even if it is not considered mandatory by the Existing Legislation. In addition, it is not mandatory to have a separate impact assessment for each form of processing, but a set of similar processing operations may be included, which involve similarly high risks in an impact assessment.
In particular, an impact assessment is required in all cases where the processing “may pose a high risk to the rights and freedoms of individuals”. These include:
– Cases of systematic and comprehensive evaluation of personal aspects of natural persons, based on automated processing (including profiling) and on which decisions are made that produce legal effects on / affect the natural person – data subject.  
– Cases of large-scale processing of specific categories of data (sensitive data).
– Cases of systematic processing of personal data.

Violation of Personal Data
In the event that a breach occurs, the Group follows a specific procedure for handling breaches of the security of your personal data.. In case you notice or suspect that a violation of your personal data may have occurred, please inform us without delay at the email address dpo@bioiatriki.gr.

Your rights
The Group ensures that it is able to respond immediately to requests for the exercise of your rights in accordance with Existing Legislation. These rights are the following:
(a) Right to withdraw consent:
In cases where the processing is based solely on your prior consent, e.g. for the purpose of promoting products and services (marketing activities), you have the right to withdraw your consent at any time. Withdrawal of consent shall not affect the lawfulness of the processing which was based on consent in the period prior to its withdrawal.

(b) Right of access and information:
You have the right to know your data we are processing and to verify the legality of the processing. So, upon request you have access to the data and you can receive additional information about their processing, to whom we transmit it or for what purpose we process it. Regarding your medical record, you have access to the medical records at all times, as well as free download of copies of the file.

(c) Right of correction:
You have the right to supplement, correct, update or modify your personal data

(d) Right of deletion:
You have the right to request the deletion of your personal data, unless there is a legal reason that requires their further retention by the Group.
In particular due to the legal obligation we have, your medical data and everything related to them (ie, name, patronymic, gender, age (date of birth), occupation, address, dates of your visit , as well as any other essential information related to the provision of care to you, such as, indicatively and depending on the specialty, your health concerns, your medical history, the reason for your visit, the primary and secondary diagnosis or treatment followed) will not be deleted if you exercise this right.  

(e) Right to restrict processing:
You have the right to request a restriction on the processing of your personal data in the following cases: (1) when you dispute the accuracy of the personal data and until it is verified, (2) when you object to the deletion of personal data and request instead of deletion the restriction of their use, (3) when personal data are no longer necessary for us, but are necessary for the establishment, exercise, support of legal claims, and (4) when you object to the processing and until it is verified that there are legitimate reasons that concern us and prevail over the reasons why you oppose the processing.

(f) Right to object to processing and right to object to automated individual decision-making, including profiling:
You have the right to object at any time to the collection and processing of your personal data in cases where, as described above, it is necessary for the purposes of legal interests we pursue as a Group, as well as to the processing for the purposes of direct marketing and consumer profile. It is noted, however, that the Group “did not carry out an automated decision-making process.

(g) Right to portability:
You have the right to receive, free of charge, upon your identification, your personal data in a structured, commonly used and machine-readable format (pdf, word, etc.).  You also have the right to request that, if technically possible, we transmit the data directly to another controller (eg your personal physician). This right exists for the data you have provided to us and their processing is carried out by automated means based on your consent or in execution of a relevant contract.

In case of exercising any of the rights mentioned below, the Group will respond to you within one (1) month from the receipt and identification of your relevant request. This deadline may be extended by another two (2) months, if required, taking into account the complexity of the request and the number of requests In this case, the Group will provide you with relevant information about this extension within one (1) month of receipt of the request, as well as the reasons for the delay If the request is submitted electronically, your update will be done in the same way, unless you request something different. If your request is manifestly unfounded or excessive, especially due to its recurring nature, the Group may make its satisfaction conditional on the payment of a reasonable fee or refuse to respond to such request.

Right of Appeal to the Personal Data Protection Authority / to the Office of the Personal Data Protection Commissioner

For any complaint regarding this policy or personal data protection issues, if we do not satisfy your request, you can contact the Greek Personal Data Protection Authority via the following link: www.dpa.gr , at the following contact details Kifisias Avenue 1-3, PC 115 23, Athens, +30 210 6475600, +30 210 6475628,contact@dpa.grat the Office of the Commissioner for Personal Data Protection through the following link: www.dataprotection.gov.cy , at the following contact details Office address: Iasonos 1, 1082 Nicosia, Postal address: PO Box 23378, 1682 Nicosia, Telephone: +357 22818456, Fax: 22304565, Email:  commissioner@dataprotection.gov.cy.

Contact details of the Data Protection Officer (DPO)
For the exercise of all the above rights, as well as for any issue concerning the processing of your personal data, you can contact the Group Data Protection Officer, at email dpo@bioiatriki.gr or by phone (+30) 210 6966222 (communication hours 10:00- 15:00).

Disclaimer for Third Party Websites
In the event that on our websites there are links that redirect you to third party websites, we inform you that the Group does not control nor is responsible for the content of these websites, nor for the way in which your personal data are processed.

Updates on the Privacy Policy
This Privacy Policy may be amended / revised in the future, in the context of the Group’s regulatory compliance as well as the optimization and upgrade of our website services.  We therefore recommend that you refer to the updated version of this Policy each time, for your adequate information.

Last Review: April 2020