Search
Opening hours
I-V 07:30 - 20:30 | VI 09:00 - 15:00 | VII Closed
Our location
Vilnius: S. Žukausko str. 19View map >>
Privacy Policy

This Personal Data Processing Policy (hereinafter – the Policy) of Northway medicinos centrai, UAB contains information on how Northway medicinos centrai, UAB, legal entity code 111807761, operating at S. Žukausko Str. 19, LT-08234 Vilnius (hereinafter – MI), processes personal data collected from the person who receives healthcare services provided by the MI (hereinafter – the Patient, you), including:

  • What Patient personal data the MI collects;
  • For what purposes and the basis on which the MI processes Patient data;
  • To whom we may transfer Patient data and where the MI can obtain Patient data;
  • What are the periods for Patient data storage;
  • What are Patient rights (as the Data Subject) related to the processing of personal data by MI;
  • Other aspects related to Patient personal data processing.

The definitions used in this Personal Data Protection Policy correspond to the definitions used in the Contract for Healthcare Services concluded between the Patient and the MI, as well as the definitions used in legislation, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter – BDAR).

In processing personal data, the MI relies on and follows the BDAR, the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other valid legislative acts regulating personal data protection.

MI acts as a controller of Patient personal data. Should you have any questions related to the processing of your personal data, please feel free to contact the MI and the Data Protection Officer appointed by the MI whose contact is as follows: duomenuapsauga@northway.lt, 8-5) 264 4466, address: S. Žukausko Str. 19, Vilnius.

1. PERSONAL DATA

The term ‘personal data’ used in this Privacy Policy means any information related to the Patient or any information that can directly or indirectly identify the Patient, including data related to health.

The MI won’t be able to check the accuracy and truthfulness of the information the Patient provides. The Patient commits to familiarise himself/herself with this Policy and the information it contains about data processing, and commits to provide accurate and truthful personal data.

2. PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA

In processing Patient personal data, the MI: 

(a) will comply with the requirements of the valid and applicable legislative acts, including the BDAR;

(b) will process your personal data in a lawful, fairly and transparent manner;

(c) will collect your personal data for the established, clearly defined and legal purposes, and will not further process it in a manner that is incompatible with those purposes, except for the extent that legislative acts allow.

(d) will take every reasonable measure to ensure that personal data that are inaccurate or incomplete, having regard to the purposes for which they are processed, are rectified, supplemented, erased or its processing stopped without delay.

(e) will keep them in a form that permits to identify you for no longer than is necessary for the purposes for which the personal data are processed;

(f) will not provide personal data to third parties and will not publish them, except for the cases specified in the Privacy Policy or applicable legislative acts;

(g) will secure that your personal data is processed in a way that ensures appropriate security of the personal data including protection from unauthorised or unlawful processing and from accidental loss, damage or destruction, using appropriate technical or organisational measures.

3. HOW DOES THE MI COLLECT YOUR PERSONAL DATA?

We process your personal data collected in the following ways:

(I) When you provide your personal data to us;

(ii) When we receive your personal data from other persons in the order established by legislative acts and/or the Privacy Policy.

4. THE PURPOSES OF PERSONAL DATA PROCESSING AND PERSONAL DATA THAT ARE BEING PROCESSED

This is to notify you that we process your personal data for the following purposes:

a) For the provision of healthcare services, including data transfer to laboratories, when the provision of services requires to do the tests, fulfilment of rights and obligations set out in the legislative acts applicable to the MI, including provision of emergency medical care:

Data categoriesGeneral patient data: name, surname, date of birth, personal ID, address, e-mail address, phone number, insurance ID, and a copy of the identity document.                                                                                                       
 
Special category data: health information that must be collected for the proper provision of specific healthcare services and personal data of special category that the MI is obliged to process in medical document templates approved by the Ministry of Health; patient pictures (in the case of plastic surgery services); other patient data of special category – referrals, test results, etc.                                                                                                                 
 
Donor data: donor name, surname, phone number, e-mail address, address, donor appearance (face features, hair, eye colour, height, weight).                                                                                                                                              
General data of minor patient’s parents/guardians, other representatives: name, surname, phone number, address, e-mail address.
 
Data that are obtained via communication on the phone for the fulfilment of the contract for healthcare services: records of conversations with patients and their contents.
Lawful basis for data processingData processing is necessary to protect the vital interests of the data subject (GDPR, Art. 9, p. 2 (c));
 
Consent of the data subject (GDPR, Art. 9, p. 2 (a));
 
Data processing is necessary for the purposes of preventive or occupational medicine (GDPR, Art. 9, p. 2 (h));
Data processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR, Art. 6, p. 1 (b));
 
Data processing is necessary for compliance with a legal obligation to which the controller is subject (GDPR, Art. 6, p. 1 (c));
 
Data processing is necessary for the purposes of the legitimate interests pursued by the controller (GDPR, Art. 6, p. 1 (f));
Period of data processingPatient personal data will be stored:
 
(i)           within the period established by legislative acts, taking into consideration the character of such data and the purposes for which they are processed;
(ii)          in those cases when the legislative acts do not establish the period of storage, the data, including patient pictures, will be stored for no longer than 3 years after termination of the contract for healthcare services.
(iii)         Patient pictures and videos used during remote consultations will be stored for no longer than 24 hours after the end of rendering services.
 
A contract with the patient – for 20 years after termination of the contract;
 
Patient Chart in Outpatient Setting – for 15 years after the last visit;
 
Patient Statistic Chart in Outpatient Setting – for 5 years after the last visit;
 
Application for Treatment at the Selected Primary Healthcare Institution – for 3 years after the last visit;
 
Vaccination Record Card – for 5 years after the last vaccine;
 
Prenatal Record – for 15 years are the last visit;
 
Dentist’s records (Patient Chart) – for 15 years after the last visit;
 
The record book of vaccination – for 3 years after the last vaccine; 
 
Appointments chart – for 3 months after booking;
 
The record book of outpatients – for 5 years after the last visit;
 
Notification of development of diabetes (DM) – 3 years after delivering the notification; 
 
Urgent notification of the suspected acute myocardial infarction (MI) – for 10 years after notification.
 
Notification of newly diagnosis with malignant tumour – for 3 years after notification.
 
We obtain dataWe receive personal data directly from data subjects – patients, patient legal representatives, healthcare institutions, companies of the Northway Group (if you have concluded a contract with them), insurance companies, laboratories, maternity hospitals, National Health Insurance Fund  
We submit or transfer dataTo other healthcare institutions, state and self-government bodies, budgetary entities (for example, National Health Insurance Fund, bodies that hear complaints, National Transplant Bureau, etc.), laboratories, maternity houses, State Enterprise Centre of Registers, insurance companies which the Patient has entered into insurance contracts, to companies which provide data center services, other companies of the MI, companies which supply and maintain software, provide e-mail or other information technology infrastructure services, other suppliers which services are related to the storage of personal data, SODRA (The State Social Insurance Fund Board), court bailiffs, the Group companies, State Health Care Accreditation Agency under the Ministry of Health, National Public Health Center, state bodies and institutions in the cases established by legislation.

In order to perform the contract signed with the Patient, as well as to provide the services properly, when the Patient is being referred to the MI partners – other healthcare providers, under the conditions stipulated in the contract for the provision of healthcare services, the MI may obtain Patient personal data from these providers that are necessary for the provision of services or payment for services provided.

b) Via online registration (via the website, e-mail, on the phone) to obtain healthcare services and for the purpose of visit administration:

Data categoriesPersonal ID, name, surname, date of birth, mobile phone number, e-mail address, the contents of the e-mail, appointment date, appointment time, selected medical specialist, and purpose of appointment (complaints).  
Lawful basis for data processingData processing is necessary take steps at the request of the data subject prior to entering into a contract (GDPR, Art. 6, p. 1 (b)); Consent of the data subject (GDPR, Art. 9, p. 2 (a)).  
Period of data processingInformation about appointment bookings will be stored for no longer than 5 years after your appointment;  
We obtain dataDirectly from Data subjects.
We submit or transfer dataTo the companies that provide data storage services, as well as to the companies that provide online registration services.

c) For the purpose of serving visitors (for administration of applications, requests, complaints, reviews and other type of communication with us):

Data categoriesName, surname, e-mail address, complaint and/or other requests, the contents of the review, phone number, date and time of appealing to the Company, and communication information.  
Lawful basis for data processingA consent given by the data subject to the processing of his or her personal data (GDPR, Art. 6, p. 1 (a)), Art. 9, p. 2 (a)).  
Period of data processingPersonal data will be stored for a period of 6 months after recording it, except for the cases in which there is a reason to believe to have recorded the offense being committed or in the event of an initiated internal investigation – until the corresponding investigation and/or case hearing ends.  
We obtain dataDirectly from Data subjects.  
We submit or transfer dataTo the companies that provide data storage services.  

d) For the purpose of direct marketing (including profiling):

Data categoriesE-mail address, gender, age  
Lawful basis for data processingA consent given by the data subject to the processing of his or her personal data (GDPR, Art. 6, p. 1 (a)).  
Period of data processingPersonal data will be processed as long as Data subject’s consent is valid, but no longer than for 2 (two) years.  
We obtain dataDirectly from Data subjects.  
We submit or transfer dataTo the companies that provide direct marketing services and to the companies that provide data storage services;

Once the Patient gives his/her consent to use his/her personal data for direct marketing purposes, including profiling, the MI gains the right to understand the Patient better, adapt offers to Patient’s needs and provide him/her advantages tailored to the Patient’s needs, for example, personal offers received in newsletters, information about the newest services rendered by the MI and other relevant information, as well as to offer the Patient services and/or to ask for an opinion about the services.

To achieve this goal, the MI also uses data profiling. The MI classifies Patient data, such as age and gender, and given these Patient data, provides relevant, valuable and useful offers, as well as other information to the Patient. The MI carries out profiling only for the purpose of sending the Patient offers that are tailored to his or her needs (for example, given the Patient’s age, the MI may offer special packages related to health prevention, etc.) and other relevant information. The Patient will also receive general offers and information.

If the Patient doesn’t want his/her personal data to be used for the provision of personal offers, the Patient may not give his/her consent for direct marketing purposes or withdraw his/her consent at any time. If the Patient doesn’t give his/her consent or withdraws his/her consent, the MI will not send any messages containing direct marketing to the Patient.

e) Ensuring the quality of services (recording phone calls):

Data categoriesPhone call content, the time of starting and ending the phone call; call duration, phone number from which you are calling.  
Lawful basis for data processingA consent given by the data subject (GDPR, Art. 6, p. 1 (a)), Art. 9, p. 2 (a)).  
Period of data processingPersonal data will be stored for a period of 6 months after recording them, and it will be erased after this period ends.  
We obtain dataDirectly from Data subjects.
We submit or transfer dataTo the companies that provide data storage services; To the companies that provide communication services, and medical information system services.  

f) For the purpose of ensuring the security of property and people present on the Company’s premises and its territory (video surveillance and recording):

Data categoriesImages, i.e., general information (picture) which can identify a person (provide information about the structure of the body, clothes, etc.).  
Lawful basis for data processingCompany’s legitimate interests (GDPR, Art. 6, p. 1 (f)).
Period of data processingPersonal data will be stored for a period of 1 month after recording them, and it will be erased after this period ends.  
We obtain dataFrom the Company’s video surveillance system.  
We submit or transfer dataTo the companies providing video surveillance (security) services.

Personal data collected for the purpose specified in this Policy may be stored for a longer period if there is a reason to believe that personal data may be needed for the investigation of criminal actions or another incident, or accident that caused damage to the MI. If this is the case, personal data will be stored until an appropriate decision or conclusion related to criminal actions or any other accident investigated (examined) by respective specialists or any other accident that caused damage to the MI is made.

5. PATIENT’S RIGHTS (AS DATA SUBJECTS)

Patients have the following rights which may be implemented to the extent provided by legislation:

  • The right to access their personal data and the ways they are being processed;
  • Request to rectify invalid, inaccurate or incomplete data, to erase your personal data or restrict processing of your personal data if personal data processing is unlawful or there is another legal ground;
  • Request to erase personal data if the data are no longer needed for the purpose it was collected for, Patient has withdrawn his or her consent for the personal data processing, if data processing was based on Patient’s consent, we process Patient personal data based on our lawful interest and the Patient objects to this processing, and there are no overriden purposes to process Patient personal data;
  • The right to restrict processing;
  • Request to transfer Patient personal data to another data operator or provide this data to the Patient in a convenient form;
  • The right to object to personal data processing;
  • To withdraw the consent for personal data processing at any time;
  • To submit a complaint to a supervisory authority.

If the Patient believes that his or her personal data are being unlawfully processed or his or her rights are being violated, the Patient can submit a complaint to the State Data Protection Inspectorate (L. Sapiegos Str. 17, LT-10312 Vilnius; e-mail: ada@ada.lt) or to a supervisory authority located in another EU member country at your place of residence or employment (refer to the list of supervisory authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_lt#member-lt). In all cases, before you submit a complaint, you can always contact us to find the best possible solution to your problem.

Hereby the MI notifies that implementation of the above-listed rights may depend on the conditions for the implementation of particular rights established by legislative acts. Therefore, subject to the grounds established by legislative acts, the MI has a right to refuse to implement a particular right requested by the Patient by providing a grounded written response. 

Upon receiving the Patient’s request, the MI commits to implement the Patient’s right as soon as possible or refuse to do it by providing a grounded written response no later than within one month after the receipt of the Patient’s request.    This term, if necessary, may be extended for two more months considering complexity of the request and the number of requests. Upon receiving such a request from the Patient, we will inform the Patient about the above-mentioned extension of the term and indicate the reasons for the delay.

6. DATA TRANSFER OUTSIDE THE EEA

If for the legitimate purpose and under the legal basis personal data must be transferred outside the EEA to the country that the European Commission doesn’t recognize as an ‘appropriate safeguard’, the MI will take all possible and appropriate measures to protect Patient personal data (for example, the MI will justify the transfer of personal data by the standard data protection clauses approved by the European Commission).

7. PROVISION OF PERSONAL DATA PROTECTION

The MI will process the Patient’s personal data safely and in a responsible manner, subject to the requirements for personal data protection set forth in legislative acts.  The MI will protect personal data by strictly following the rules for protection and confidentiality of personal data, and implement organisational, physical, and IT security measures to ensure integrity, suitability, and confidentiality of the data. 

The MI will implement appropriate technical and organisational measures to ensure a level of security as set forth in the legislative acts and protect Patient personal data against unlawful or accidental loss, destruction or damage, modification or disclosure, as well as against unlawful processing. These measures cover the protection of IT infrastructure, computer and communication networks, hardware, staff, bureau, and information in order to ensure a level of security appropriate to the risk, protect data against loss, leak, and avoid threats.

8. CONTACTS OF THE MI

In case of questions related to the Patient’s rights, processing of personal data, and in order to implement Patient’s rights, please contact MI at S. Žukausko Str. 19, by phone at +370 5 264 4466 or by e-mail at duomenuapsauga@northway.lt

Updated on September 13th, 2022

Search

Enter search keywords

Vilnius S. Žukausko str. 19 +370 5 264 4466 Online