This UAB “Northway medicinos centrai” Personal Data Processing Policy provides how UAB “Northway medicinos centrai”, legal entity code 111807761, operating at S. Žukausko St. 19, LT-08234 Vilnius (hereinafter, the SPE) processes the Patient’s data, including:

• what Patient’s data is processed by the SPE;
• for what purposes and on what grounds the SPE processes the Patient’s data;
• to whom the Patient’s data may be transferred and where from the SPE may receive the Patient’s data;
• Patient’s data storage periods;
• Patient’s rights relating to the processing of his personal data by the SPE;
• other aspects related to the processing of the Patient’s personal data.

The terms used in this Personal Data Processing Policy are in accordance with the terms used in the agreement that the Patient concluded with the SPE for the provision of healthcare services, as well as the definitions used in legislation, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

The SPE is the controller of the Patient’s personal data. The SPE is an appointed Data Protection Officer, its contacts are: phone: +370 5 264 4466, e-mail: duomenuapsauga@northway.lt.

What Patient’s data will be processed by the SPE?

The SPE will process the Patient’s personal data that the Patient will provide to the SPE, including specific data relating to his or her health.

The SPE may also process the Patient’s personal data which can be obtained from other sources: in the cases provided for by law, from other health care institutions, territorial health insurance funds, state enterprise Centre of Registers; from test laboratories, maternity homes, insurance companies with which the Patient has contracted, other companies of the SPE group, such as UAB “Northway chirurgijos centras”, provided that the Patient has entered into a service agreement with this institution.

In order to execute the agreement with the Patient, as well as to provide services adequately, when the Patient is directed, in accordance with the conditions provided for in the agreement for the provision of personal health care services, to partners of the SPE – other health care institutions, the SPĮ may obtain the Patient’s personal data that is necessary for the provision of or settlement for the provided services from the said institutions.

For what purposes will the SPE process the Patient’s personal data?

The SPE will process the Patient’s personal data in order to:

• conclude and execute an agreement with the Patient;
• provide healthcare services, including data transfer to laboratories, where it is necessary to carry out tests for the provision of services;
• implement the statutory duties of the SPE, including the provision of emergency medical assistance, the response to patients’ complaints, etc.;
• carry out the duties and rights of the SPE in relation to the use of the state e-health information system;
• administer patients’ feedback on provided services, respond to patients’ inquiries that they submit by phone or e-mail, also online;
• carry out patient registration, including reminders to patients about their visit time;
• contact the Patient when it is necessary for the provision of services / performance of the agreement with the Patient and/or for ensuring the Patient’s interests and appropriate quality of services (for example, to inform the Patient about the test results, the time of vaccination, the payment for services, etc.).;
• contact the Patient for the provision of services covered by compulsory health insurance;
• carry out direct marketing when the Patient has given his or her separate consent.

On what grounds will the SPE process the Patient’s personal data?

The SPE may process the Patient’s personal data on the following grounds:

• when the Patient has consented to the processing of his or her personal data;
• processing of data is necessary in order to protect the vital interests of the data subject (Patient);
• processing is necessary for the establishment, exercise or defence of legal claims;
• processing is necessary in order to provide health care services or to manage health care systems in accordance with applicable legislation.

The grounds for processing are laid down in points (a), (c), (f) and (h) of Article 9(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

How will the SPE process the Patient’s data through direct marketing?

With the consent of the Patient to use his or her data for direct marketing purposes, the SPE acquires an opportunity to get to know the Patient, tailor offers to the Patient’s needs, and provide other benefits specially geared towards the Patient, such as personalized offers in newsletters, information on the latest services provided by the SPE and other relevant notifications, as well as to offer services and/or ask an opinion on services. During marketing, the SPE processes the following personal data of the Patient: name, surname, age, gender, telephone number and e-mail address The SPE also uses data profiling and distributes the Patient’s data, such as age and gender, and provides the Patient with relevant, interesting and useful offers and other information based on such data of the Patient. The SPE performs profiling to provide the Patient only with relevant updates and notifications. The Patient will also receive general offers and information.

For example, depending on the Patient’s age, the SPE can provide the Patient with special offers related to health preventive care, etc.

The SPE will send notifications to the Patient to his or her e-mail and by telephone.

If the Patient does not want his or her data to be used for provision of personal offers, the Patient may refuse to give his or her consent to the SPE for direct marketing purposes or withdraw it at any time. In this case, the SPE will no longer be able to provide personalized offers and information useful to the Patient.

To whom can the Patient’s personal data be provided?

The SPE may provide the Patient’s personal data to:

• taking into account legal requirements: others health care institutions, as well as state and municipal institutions, budgetary entities (for example, territorial health insurance funds, institutions dealing with complaints, National Transplant Bureau, etc.);
• in order to perform the agreement with the Patient, as well as to provide services properly: test laboratories, state enterprise Centre of Registers, insurance companies with which the Patient has concluded agreements;
• the SPE may also engage certain data processors to whom the Patient’s personal data may be transferred. Such data processors may include: entities providing data centre services, other SPE group companies, such as UAB “Northway chirurgijos centras”, entities providing call centre services, entities providing and maintaining software, entities providing email or other information technology infrastructure services, entities providing marketing services or other service providers whose services are related to the storage of the Patient’s personal data;
• in order to perform the agreement with the Patient as well as to provide services properly when the Patient is referred to partners of the SPE – other health care institutions, in accordance with the conditions provided for in the agreement for the provision of personal health care services. The SPE transfers the Patient’s personal data that is necessary for the provision of services and which the SPE receives from the Patient during registration to these institutions.

How long will the SPE store the Patient’s personal data?

Patients’ personal data will be stored:

• within the time limits laid down by law, taking into account the nature of the data and the purposes for which it is processed;
• in cases where the period of data storage is not set out in legislation, as well as patients’ photographs will be stored for no longer than 3 years from the end of provision of services under agreement with the Patient;
• sound recordings, when the Patient calls the SPI by phone +370 5 264 4466, will be kept for no longer than 6 months.

The Patient’s data may be stored longer in specific cases provided for by law, when a dispute or complaint is under examination, as well as when it is necessary for the technical functioning characteristics and security requirements of the SPE information system (for example, backup copies, etc.). At the end of the storage period, the Patient’s personal data will be deleted within a reasonable time.

What rights does the Patient have?

Taking into account the restrictions established by law and under the conditions established therein, the Patient has the right to:

• request from the SPE access to the Patient’s personal data;
• require from the SPE rectification of incorrect, inaccurate or incomplete data;
• require the erasure of personal data or restriction of its processing, where there are legal grounds for doing so;
• object to the processing of his or her personal data;
• apply to the administration of the SPE for transferring the Patient’s personal data provided by the Patient himself to the SPE and processed in an electronic format to the Patient and/or other data controller.

When the Patient’s data is processed in violation of legal requirements, the Patient has the right to lodge a complaint with the State Data Protection Inspectorate (A. Juozapavičiaus St. 6, 09310 Vilnius, e-mail: ada@ada.lt)

When the Patient’s personal data is processed with the consent of the Patient, the Patient always has the right to withdraw the given consent by filing a request to the SPE by contacts indicated by the SPE in this Personal Data Processing Policy and/or the agreement with the Patient.

SPE contacts

If you have any questions about the Patient’s rights regarding the processing of personal data, also for the purpose of exercising the Patient’s rights, please contact the SPĮ at S. Žukausko St. 19, Vilnius, by phone: +370 5 264 4466, e-mail: info@nmc.lt.