Patient safety is our main focus. There are adequate space and facilities, modern medical equipment and instruments in the Centre, all of which meet the high standards of the needs of the patients.
This Personal Data Processing Policy (hereinafter – the Policy) of Northway chirurgijos centras, UAB contains information on how Northway chirurgijos centras, UAB, company code 300064600, operating at S. Žukausko Str. 19, LT-08234 Vilnius (hereinafter – MI), processes personal data collected from the person who receives healthcare services (hereinafter – the Patient, You), including:
The definitions used in this Personal Data Protection Policy correspond to the definitions used in the Contract for Healthcare Services concluded between the Patient and the MI, as well as the definitions used in legislation, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter – BDAR).
In processing personal data, the MI relies on and follows the BDAR, the Law on Legal Protection of Personal Data of the Republic of Lithuania, and other valid legislative acts regulating personal data protection.
MI acts as a controller of Patient personal data. Should you have any questions related to the processing of your personal data, please feel free to contact the MI and the Data Protection Officer appointed by the MI whose contact is as follows: duomenuapsauga@northway.lt, +370 633 30 303, address: S. Žukausko Str. 19, Vilnius.
The term ‘personal data’ used in this Privacy Policy means any information related to the Patient or any information that can directly or indirectly identify the Patient, including data related to health.
The MI won’t be able to check the accuracy and truthfulness of the information the Patient provides. The Patient commits to familiarise himself/herself with this Policy and the information it contains about data processing, and commits to provide accurate and truthful personal data.
In processing Patient personal data, the MI:
(a) will comply with the requirements of the valid and applicable legislative acts, including the BDAR;
(b) will process your personal data in a lawful, fairly and transparent manner;
(c) will collect your personal data for the established, clearly defined and legal purposes, and will not further process it in a manner that is incompatible with those purposes, except for the extent that legislative acts allow.
(d) will take every reasonable measure to ensure that personal data that are inaccurate or incomplete, having regard to the purposes for which they are processed, are rectified, supplemented, erased or its processing stopped without delay.
(e) will keep them in a form that permits to identify you for no longer than is necessary for the purposes for which the personal data are processed;
(f) will not provide personal data to third parties and will not publish them, except for the cases specified in the Privacy Policy or applicable legislative acts;
(g) will secure that your personal data is processed in a way that ensures appropriate security of the personal data including protection from unauthorised or unlawful processing and from accidental loss, damage or destruction, using appropriate technical or organisational measures.
We process your personal data collected in the following ways:
(i) When you provide your personal data to us;
(ii) When we receive your personal data from other persons in the order established by legislative acts and/or the Privacy Policy.
This is to notify you that we process your personal data for the following purposes:
a) For the provision of healthcare services, including data transfer to laboratories, when the provision of services requires to do the tests, fulfilment of rights and obligations set out in the legislative acts applicable to the MI, including provision of emergency medical care:
Data categories | General patient data: name, surname, date of birth, personal ID, address, e-mail address, phone number, insurance ID, and a copy of the identity document. Special category data: health information that must be collected for the proper provision of specific healthcare services and personal data of special category that the MI is obliged to process in medical document templates approved by the Ministry of Health; patient pictures (in the case of plastic surgery services); other patient data of special category – referrals, test results, etc. Donor data: donor name, surname, phone number, e-mail address, address, donor appearance (face features, hair, eye colour, height, weight). General data of minor patient’s parents/guardians, other representatives: name, surname, phone number, address, e-mail address. Data that are obtained via communication on the phone for the fulfilment of the contract for healthcare services: records of conversations with patients and their contents. |
Lawful basis for data processing | Data processing is necessary to protect the vital interests of the data subject (GDPR, Art. 9, p. 2 (c)); Consent of the data subject (GDPR, Art. 9, p. 2 (a)); Data processing is necessary for the purposes of preventive or occupational medicine (GDPR, Art. 9, p. 2 (h)); Data processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR, Art. 6, p. 1 (b)); Data processing is necessary for compliance with a legal obligation to which the controller is subject (GDPR, Art. 6, p. 1 (c)); Data processing is necessary for the purposes of the legitimate interests pursued by the controller (GDPR, Art. 6, p. 1 (f)); |
Period of data processing | Patient personal data will be stored: (i) within the period established by legislative acts, taking into consideration the character of such data and the purposes for which they are processed; (ii) in those cases when the legislative acts do not establish the period of storage, the data, including patient pictures, will be stored for no longer than 3 years after termination of the contract for healthcare services. (iii) Patient pictures and videos used during remote consultations will be stored for no longer than 24 hours after the end of rendering services. A contract with the patient – for 20 years after termination of the cotract; Patient Chart in Outpatient Setting – for 15 years after the last visit; Patient Statistic Chart in Outpatient Setting – for 5 years after the last visit; Application for Treatment at the Selected Primary Healthcare Institution – for 3 years after the last visit; Vaccination Record Card – for 5 years after the last vaccine; Prenatal Record – for 15 years are the last visit; Dentist’s records (Patient Chart) – for 15 years after the last visit; The record book of vaccination – for 3 years after the last vaccine; Appointments chart – for 3 months after booking; The record book of outpatients – for 5 years after the last visit; Notification of development of diabetes (DM) – 3 years after delivering the notification; Urgent notification of the suspected acute myocardial infarction (MI) – for 10 years after notification. Notification of newly diagnosis with malignant tumour – for 3 years after notification. |
We obtain data | We receive personal data directly from data subjects – patients, patient legal representatives, healthcare institutions, companies of the Northway Group (if you have concluded a contract with them), insurance companies, laboratories, maternity hospitals, National Health Insurance Fund |
We submit or transfer data | To other healthcare institutions, state and self-government bodies, budgetary entities (for example, National Health Insurance Fund, bodies that hear complaints, National Transplant Bureau, etc.), laboratories, maternity houses, State Enterprise Centre of Registers, insurance companies which the Patient has entered into insurance contracts, to companies which provide data center services, other companies of the MI, companies which supply and maintain software, provide e-mail or other information technology infrastructure services, other suppliers which services are related to the storage of personal data, SODRA (The State Social Insurance Fund Board), court bailiffs, the Group companies (for example, Northway medicinos centrai, UAB), State Health Care Accreditation Agency under the Ministry of Health, National Public Health Center, state bodies and institutions in the cases established by legislation. |
In order to perform the contract signed with the Patient, as well as to provide the services properly, when the Patient is being referred to the MI partners – other healthcare providers, under the conditions stipulated in the contract for the provision of healthcare services, the MI may obtain Patient personal data from these providers that are necessary for the provision of services or payment for services provided.
b) Via online registration (via the website, e-mail, on the phone) to obtain healthcare services and for the purpose of visit administration:
Data categories | Personal ID, name, surname, date of birth, mobile phone number, e-mail address, the contents of the e-mail, appointment date, appointment time, selected medical specialist, and purpose of appointment (complaints). |
Lawful basis for data processing | Data processing is necessary take steps at the request of the data subject prior to entering into a contract (GDPR, Art. 6, p. 1 (b)); Consent of the data subject (GDPR, Art. 9, p. 2 (a)). |
Period of data processing | Information about appointment bookings will be stored for no longer than 5 years after your appointment; |
We obtain data | Directly from Data subjects. |
We submit or transfer data | To the companies that provide data storage services, as well as to the companies that provide online registration services. |
c) For the purpose of serving visitors (for administration of applications, requests, complaints, reviews and other type of communication with us):
Data categories | Name, surname, e-mail address, complaint and/or other requests, the contents of the review, phone number, date and time of appealing to the Company, and communication information. |
Lawful basis for data processing | A consent given by the data subject to the processing of his or her personal data (GDPR, Art. 6, p. 1 (a)), Art. 9, p. 2 (a)). |
Period of data processing | Personal data will be stored for a period of 6 months after recording it, except for the cases in which there is a reason to believe to have recorded the offense being committed or in the event of an initiated internal investigation – until the corresponding investigation and/or case hearing ends. |
We obtain data | Directly from Data subjects. |
We submit or transfer data | To the companies that provide data storage services. |
d) For the purpose of direct marketing (including profiling):
Data categories | E-mail address, gender, age |
Lawful basis for data processing | A consent given by the data subject to the processing of his or her personal data (GDPR, Art. 6, p. 1 (a)). |
Period of data processing | Personal data will be processed as long as Data subject’s consent is valid, but no longer than for 2 (two) years. |
We obtain data | Directly from Data subjects. |
We submit or transfer data | To the companies that provide direct marketing services and to the companies that provide data storage services; |
Once the Patient gives his/her consent to use his/her personal data for direct marketing purposes, including profiling, the MI gains the right to understand the Patient better, adapt offers to Patient’s needs and provide him/her advantages tailored to the Patient’s needs, for example, personal offers received in newsletters, information about the newest services rendered by the MI and other relevant information, as well as to offer the Patient services and/or to ask for an opinion about the services.
To achieve this goal, the MI also uses data profiling. The MI classifies Patient data, such as age and gender, and given these Patient data, provides relevant, valuable and useful offers, as well as other information to the Patient. The MI carries out profiling only for the purpose of sending the Patient offers that are tailored to his or her needs (for example, given the Patient’s age, the MI may offer special packages related to health prevention, etc.) and other relevant information. The Patient will also receive general offers and information.
If the Patient doesn’t want his/her personal data to be used for the provision of personal offers, the Patient may not give his/her consent for direct marketing purposes or withdraw his/her consent at any time. If the Patient doesn’t give his/her consent or withdraws his/her consent, the MI will not send any messages containing direct marketing to the Patient.
e) Ensuring the quality of services (recording phone calls):
Data categories | Phone call content, the time of starting and ending the phone call; call duration, phone number from which you are calling. |
Lawful basis for data processing | A consent given by the data subject (GDPR, Art. 6, p. 1 (a)), Art. 9, p. 2 (a)). |
Period of data processing | Personal data will be stored for a period of 6 months after recording them, and it will be erased after this period ends. |
We obtain data | Directly from Data subjects. |
We submit or transfer data | To the companies that provide data storage services; To the companies that provide communication services, and medical information system services. |
f) For the purpose of ensuring the security of property and people present on the Company’s premises and its territory (video surveillance and recording):
Data categories | Images, i.e., general information (picture) which can identify a person (provide information about the structure of the body, clothes, etc.). |
Lawful basis for data processing | Company’s legitimate interests (GDPR, Art. 6, p. 1 (f)). |
Period of data processing | Personal data will be stored for a period of 1 month after recording them, and it will be erased after this period ends. |
We obtain data | From the Company’s video surveillance system. |
We submit or transfer data | To the companies providing video surveillance (security) services. |
Personal data collected for the purpose specified in this Policy may be stored for a longer period if there is a reason to believe that personal data may be needed for the investigation of criminal actions or another incident, or accident that caused damage to the MI. If this is the case, personal data will be stored until an appropriate decision or conclusion related to criminal actions or any other accident investigated (examined) by respective specialists or any other accident that caused damage to the MI is made.
Patients have the following rights which may be implemented to the extent provided by legislation:
If the Patient believes that his or her personal data are being unlawfully processed or his or her rights are being violated, the Patient can submit a complaint to the State Data Protection Inspectorate (L. Sapiegos Str. 17, LT-10312 Vilnius; e-mail: ada@ada.lt) or to a supervisory authority located in another EU member country at your place of residence or employment (refer to the list of supervisory authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_lt#member-lt). In all cases, before you submit a complaint, you can always contact us to find the best possible solution to your problem.
Hereby the MI notifies that implementation of the above-listed rights may depend on the conditions for the implementation of particular rights established by legislative acts. Therefore, subject to the grounds established by legislative acts, the MI has a right to refuse to implement a particular right requested by the Patient by providing a grounded written response.
Upon receiving the Patient’s request, the MI commits to implement the Patient’s right as soon as possible or refuse to do it by providing a grounded written response no later than within one month after the receipt of the Patient’s request. This term, if necessary, may be extended for two more months considering complexity of the request and the number of requests. Upon receiving such a request from the Patient, we will inform the Patient about the above-mentioned extension of the term and indicate the reasons for the delay.
If for the legitimate purpose and under the legal basis personal data must be transferred outside the EEA to the country that the European Commission doesn’t recognize as an ‘appropriate safeguard’, the MI will take all possible and appropriate measures to protect Patient personal data (for example, the MI will justify the transfer of personal data by the standard data protection clauses approved by the European Commission).
The MI will process the Patient’s personal data safely and in a responsible manner, subject to the requirements for personal data protection set forth in legislative acts. The MI will protect personal data by strictly following the rules for protection and confidentiality of personal data, and implement organisational, physical, and IT security measures to ensure integrity, suitability, and confidentiality of the data.
The MI will implement appropriate technical and organisational measures to ensure a level of security as set forth in the legislative acts and protect Patient personal data against unlawful or accidental loss, destruction or damage, modification or disclosure, as well as against unlawful processing. These measures cover the protection of IT infrastructure, computer and communication networks, hardware, staff, bureau, and information in order to ensure a level of security appropriate to the risk, protect data against loss, leak, and avoid threats.
In case of questions related to the Patient’s rights, processing of personal data, and in order to implement Patient’s rights, please contact MI at S. Žukausko Str. 19, by phone at +370 633 30 303 or by e-mail duomenuapsauga@northway.lt.
Updated on September 13th, 2022