Privacy notice

Information about the data controller

Depending on Your chosen service provision location, Your data controller is one of the indicated below personal health care facilities (hereinafter collectively referred to as Kardiolita Clinics):

• JSC „Kardiolita“, company code 126118245, office address: Laisvės ave. 64A, 05263 Vilnius;
• JSC „Bendrosios medicinos praktika“, company code 133643318, office adress: Savanoriu ave. 423, 49287 Kaunas;
• JSC „Svalbono klinika“, company code 302445728, office adress: Tilžės str. 11A, 78233 Siauliai.

You can contact the appointed Data Protection Officer of Kardiolita Clinics by e-mail: duomenuapsauga@cgpklinikos.lt.

General provisions

We understand and respect the right to privacy and data protection of our patients and other individuals, whose personal data we process (hereinafter - Data Subjects), therefore, we make every effort to ensure the highest possible level of personal data protection for personal data processed in Kardiolita Clinics.

In this Privacy Notice, we provide information about how Kardiolita Clinics handle the personal data of Data Subjects, including information about where and what personal data we receive and to whom transmit it, for what purposes and on what legal basis process them, what security measures have been implemented, what rights the Data Subjects have, as well as where can apply for their implementation or other issues related to the processing of personal data.

The Privacy Notice is prepared in accordance with the following legislation:

• European Parliament and Council April 27, 2016 Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (hereinafter referred to as the GDPR or the Regulation);
• June 30, 2018 Law of the Republic of Lithuania on Legal Protection of Personal Data No. XIII-1426 (hereinafter - LPPDL);
• April 15, 2004 Law on Electronic Communications of the Republic of Lithuania No. IX-2135;
• Guidelines and recommendations prepared by the State Data Protection Inspectorate and the European Data Protection Board;
• other (with data protection requirements) legal acts regulating the activities of personal health care institutions.

Sources of personal data

Kardiolita clinics process personal data obtained from the sources listed below:

• received directly from the Data Subjects: when you register for visits by phone, online or live, make use the services provided by Kardiolita Clinics, provide various types of requests or other information;

Important! Kardiolita Clinics cannot provide qualified personal health care services without processing your personal data (except cases, when the data is processed with Your consent), identify You, keep in touch with You and take other necessary steps in providing You with personal health care.  

• Received from third countries – National Health Insurance Fund under the Ministry of Health, Territorial Health Insurance Funds, Ministry of Health, other health care institutions, research laboratories, insurance companies, as well as other companies or establishments;
• generated by information systems, such as browsing our websites, entering the field of video surveillance, etc.

Terms of personal data processing

Personal data is stored by the Minister of Health of the Republic of Lithuania No. 515 dating November 29, 1999 and within the terms approved in other legal acts of the Republic of Lithuania. In the absence of legal data storage periods in the legislation, the data shall be kept for as long as the processing is necessary for the legitimate purposes of the Kardiolita Clinics or the Data Subjects.

Personal data processing purposes, personal data categories and legal bases

Kardiolita Clinics process personal data of Data Subjects for these purposes:

• during registrations for visits;
• providing personal health care services;
• ensuring the quality of service provision, performing examinations of patients and (or) studies;
• ensuring the protection of patients, staff and property;
• administering arrears of patients;
• sending personalized offers and notifications about the services and news provided by Kardiolita Clinics;
• administering Kardiolita Clinics websites and social networking accounts;
• performing the selection for vacancies;
• ensuring the smooth supply of Kardiolita Clinics with the necessary measures, in cooperation with suppliers and partners.

Conditions for the lawfulness of data processing:

• general categories of personal data – part 1 of Article 6 of the GDPR: a, b, c, d, f points;
• special categories of personal data – part 2 of Article 9 of the GDPR: points a, b, c, e, f, h, i points.

For the above purposes, Kardiolita Clinics process this personal data:

• personal data necessary for the identification of patients and the provision of personal healthcare: personal health history identification number, contact information (address, phone number), declared residence place address, name, surname, marital status, birthdate, gender, personal code, address of actual residence, billing data for services, logs of calls and metadata of calls, registration data in a personal health care institution (name of the institution, name, surname and specialty of the doctor visited, visit time, reason of the visit and complaints), kinship (the relationship of the Data Subject with the person concerned, name, surname of the person concerned, personal code, birthdate, gender) and other data;        
• personal data of special categories: data of examinations, photos, videos, list of diagnosis, history of visits to Kardiolita Clinics (date, name and surname of the doctor visited, office, status), descriptions and conclusions, data of medical preparations and medical devices prescribed, referrals for obtaining personal health care services in other institutions, studies, anamnesis, other records in a person's health history, certificates and other data;
• data required to send personalized marketing messages: e-mail address and/or phone number and/or residence place address, city, gender, age and other data;
• data on the selection of candidates for vacant positions: name and surname, birthdate, residence place, residence place, phone number, e-mail address, education data, information on work experience, information on skills, driving license information, computer literacy, expectations about the city, position and salary, curriculum vitae and similar data;
• data concerning relations with suppliers and partners: name, surname, contact data (e-mail, phone number, address), VAT code, the number of the business certificate or individual activity certificate, bank account number, powers of attorney and other data;
• website visitors' data, unique identifiers and other tracking tools, collecting information on subscribing to newsletters, (not) receiving, opening, clicking links, refusal, what application/program is used to read the letter, IP address and the state assigned to it, as well as information provided by visitors on social networks – recommendations, complaints, opinions, suggestions and other data;  
• data for maintaining commercial relationships with patients: name, surname, position, debt information, contact data, account information;
• call center data: caller’s name, surname, contact data (e-mail, phone, address), opinion on the quality of service, reviews, orders, audio recordings of conversations, call metadata.

To find out or check what specific your personal data is processed by Kardiolita Clinics, please apply for the exercise of Data Subjects' rights in the following ways.

How we protect your data?

To ensure an appropriate level of security in the processing of data, Kardiolita Clinics have selected and implemented appropriate technical and organizational measures in accordance with:

• ENISA guidelines: https://www.enisa.europa.eu/publications/guidelines-for-smes-on-the-security-of-personal-data-processing
• good information security practices;
• SDPI guidelines: https://vdai.lrv.lt/uploads/vdai/documents/files/VDAI_saugumo_priemoniu_gaires-2020-06-18.pdf.

Whom we provide your data to?

Kardiolita Clinics use only those data processors which ensure compliance with GDPR and the same level of security of personal data, as set out in the Personal Data Protection Policy approved by Kardiolita Clinics.

Categories’ list of personal data recipients:

• In the cases and according to the procedure established by the legal acts of the Republic of Lithuania for these third parties: National Health Insurance Fund under the Ministry of Health, Territorial Health Insurance Funds, Ministry of Health, State Tax Inspectorate under the Ministry of Finance, Employment Service under the Ministry of Social Security and Labor, the State Social Insurance Board under the Ministry of Social Security and Labor, PI State Pathology Center, other health care institutions and/or laboratories, insurance companies, as well as other persons, to whom the Kardiolita Clinics is obliged to provide these data by the legal acts of the Republic of Lithuania;
• persons (natural and/or legal), to whom you have given your consent to the provision of personal data;
• data centers’, cloud, website administrative and related services, software development, delivery, support and expansion providing companies, institutions providing information technology infrastructure services, companies providing communication services;
• companies providing advertising and marketing services;
• institutions providing accounting, archiving, physical and/or electronic security, asset management and/or other business services;
• bailiffs, legal and/or debt recovery service providing subjects;
• law enforcement authorities (at their requests or on the initiative of the Kardiolita Clinics, if there is a suspicion, that criminal activity has taken place).

What rights, opportunities do you have and how can you exercise them?  

Data Subjects may exercise these rights in accordance with the provisions of the GDPR:  

1. the right of access to personal data, i. e. make a request for information on whether Your personal data is being processed, and if personal data is processed, You have the right to access your processed personal data;
2. the right to rectify personal data, i. e. make a request to correct your personal data, if you find out, that personal data processed is incorrect, incomplete or inaccurate;
3. the right to delete personal data (the right „to be forgotten “), i. e. to submit a request to delete your personal data, if this is permitted by the legal acts of the Republic of Lithuania, if you think, that your data is being processed illegally or unfairly;  
4. the right to restrict the processing of personal data, i. e. y. submits a request to restrict (suspend) the processing of your personal data, except for storage - in the case, when, for example, You request the rectification of your personal data (pending verification and/or correction of personal data), it is established, that personal data is being processed illegally and You do not consent to the data being deleted, You have expressed disagreement with the processing of Your personal data, etc.;  
5. the right to the transfer of personal data, i. e. to submit a request to transfer Your personal data, if this is allowed by the regulatory legal acts of the Republic of Lithuania, which are processed by automated means, in a systematic and commonly used format for another controller;
6. the right to object to the processing of personal data, i. e. to object to the processing of personal data, when the processing is carried out on a legal basis or on a legal basis in the public interest;  
7. the right to claim, that You are not subject to a decision based solely on automated data processing, including profiling, which has legal consequences for You or which has a significant effect on you in a similar way;
8. the right to withdraw the consents given to us regarding the processing of personal data at any time.

Ways to exercise own rights and reporting a personal data security breach

You can exercise your rights and/or provide notifications on personal data security breaches:

1. by sending us a request by email: duomenuapsauga@cgpklinikos.lt. The application must be signed, as well as a copy of your identity document certified by a notary provided (confirmation is not required, if the application and the attached documents are signed by an electronic signature);
2. by sending a request by registered mail to Kedrų str. 4, Vilnius. The application must be signed, as well as a copy of Your identity document certified by a notary provided;
3. upon arrival at Kardiolita Clinics and filling in the application form. You need to have your ID with You.

The request must be legible and must state the name, surname and place of residence of the Data Subject, as well as other data for the desired form of communication, information on which of the data subject's rights and to what extent the Data Subject wishes to exercise.

We will respond to Your request no later than within 30 (thirty) calendar days from the reception date of the request. In exceptional cases requiring additional time, we, after notifying You, will have the right to extend the term of the submission of the requested data or other claims specified in Your application for an additional 60 (sixty) calendar days.

Terms of data provision

Data Subjects ensure that the personal data they provide are correct and relevant, i. e. in case of a change in personal data, Data Subjects must update them with new and correct data. Data Subjects understand that otherwise Kardiolita Clinics may not provide quality personal health care and will have the right to refuse to provide personal health care to the Data Subject.

Where to go for questions, concerning personal data?

If You have any questions regarding the information contained in this Privacy Notice or the protection of Your personal data and the exercise of Your rights at Kardiolita Clinics, please contact our Data Protection Officer in any way convenient for You:  

• by email: duomenuapsauga@cgpklinikos.lt;
• in writing, to Kedrų str. 4, Vilnius

If a mutually acceptable solution cannot be found, You have the right to contact the State Data Protection Inspectorate at L. Sapiegos str. 17, Vilnius or by email: ada@ada.lt.

Social networks

When visiting our social network accounts, Your data may also be processed by social networks administrators. We also recommend to get acquainted with the privacy policies provided by social networks:  

• Facebook (https://www.facebook.com/kardiolitosklinikos/ and https://www.facebook.com/KardiolitaHospital) privacy policy can be found here: https://lt-lt.facebook.com/privacy/explanation;
• LinkedIN (https://www.linkedin.com/company/jsc-kardiolita-vilnius-heart-surgery-center/) privacy policy can be found here: https://www.linkedin.com/legal/privacy-policy;
• Instagram (https://www.instagram.com/kardiolitos_klinikos/ and https://www.instagram.com/kardiolita_hospital/) privacy policy can be found here: https://help.instagram.com/519522125107875;
• Youtube (https://www.youtube.com/user/Kardiolita) privacy policy can be found here: https://www.youtube.com/intl/en-GB/yt/about/policies/#community-guidelines

Cookies

A cookie - it is a small file of text, that a website saves in the browser of Your computer or mobile device, when You visit it. It allows the website to „remember“ Your actions and options for a certain period of time (for example, registration name, language, font size, and other display options), so you don’t have to re-enter them every time you visit and browse the page. The information collected by cookies allows us to ensure Your ability to browse more conveniently and learn more about page users' behavior, analyze tendencies, as well as to improve it.

Final provisions

We reserve the right to modify the provisions of this Privacy Notice in whole or in part by notifying You on the website and/or by email to Your specified email address.

The conditions set forth in the Privacy Notice are governed by the law of the Republic of Lithuania. All disputes arising are being settled by mutual agreement. If no agreement is reached - in accordance with the procedure provided for by the laws of the Republic of Lithuania in the court of the Republic of Lithuania.