Proton Therapy Center Czech, s.r.o., hereinafter PTCC, processes all personal data in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the General Data Protection Regulation or GDPR), and Act No. 110/2019 Coll., on personal data processing.
Who is supposed to adhere to the GDPR
First and foremost, the entity processing personal data shall adhere to the GDPR in terms of its responsibilities. Such an entity is called the personal data controller. The GDPR also governs the activities of the processor, which is an entity processing personal data for the controller. Furthermore, the GDPR shall be followed by supervisory authorities, e.g., the Office for Personal Data Protection, which is to exercise the powers vested therein for the performance of assigned tasks.
Personal data controller and contact details
Proton Therapy Center Czech, s.r.o., with its registered office at Budínova 2437/1a, Postal Code 180 00 Prague 8, Business ID No.: 26466791.
E-mail address: email@example.com, tel.: +420 999 222 000.
Data Protection Officer
Mgr. Kateřina Krejbichová, Dis., e-mail: firstname.lastname@example.org, tel.: +420 222 999 058.
I. Purpose of personal data processing
The main activities of PTCC consist in the provision of healthcare services; therefore, we need to know a number of items of your personal data. The necessary personal data provided by you are collected and processed in both paper and electronic form.
II. What is personal data processing?
Personal data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Nevertheless, not every handling of personal data can be understood as processing as per the Regulation. Personal data processing must be considered as an activity carried out by the personal data controller for a specific purpose and in a systematic manner. Handling of personal data which is not processing is governed, e.g., by Act No. 89/2012 Coll., the Civil Code. Besides controllers, only entities processing personal data as per the definition of processing shall comply with the GDPR.
III. What are personal data?
Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
WHAT ARE SPECIAL CATEGORIES OF PERSONAL DATA?
Special categories of personal data are data indicative of the racial or ethnic origin, political opinion, religion or philosophical beliefs, trade union membership, health status or sexual life or sexual orientation of the natural person. Genetic and biometric data processed for the unique identification of natural persons are also considered as special categories of personal data.
IV. Legal basis for the processing of patients’ personal data
Patients’ personal data are processed at PTCC because it is necessary for PTCC to fulfil its obligations as your personal data controller (as per Article 9(2)(h) of the Regulation and/or Article 6(1)(c) of the Regulation).
LEGAL REGULATIONS AUTHORISING PERSONAL DATA PROCESSING IN HEALTH CARE
The statutory obligation is to render healthcare services in accordance with Act No. 372/2011 Coll., on health care services, Act No. 373/2011 Coll., on specific health care services, Act No. 48/1997 Coll., on public health insurance and change and amendment to certain related acts, Act No. 258/2000 Coll., on protection of public health, Act No. 378/2007 Coll., on pharmaceuticals and on amendments to certain related acts (Pharmaceuticals Act), as amended.
V. Personal data sources
Personal data are collected at PTCC namely in the following manner:
VI. Categories of processed personal data
PTCC processes the following data about you as the data subject, as necessary for the performance of the Controller’s duties:
VII. Personal data processing and protection method
Personal data are processed by PTCC. Processing is carried out by individual authorised and trained staff members. Personal data are processed in paper and/or electronic form. Personal data are processed only for the necessary period of time which is individual for each purpose of processing and is stipulated by the PTCC Filing and Shredding Rules. After that period of time, personal data are disposed of or further retained for the period stipulated by the applicable legal regulations. PTCC is authorised by law to provide your personal data to selected recipients of personal data such as health insurance companies, other providers of healthcare or social services, state authorities, mandatory registers, etc.
PERSONAL DATA ARE PROCESSED IN RELATION TO THE FOLLOWING PURPOSES
VIII. Rights of data subjects
Data subjects have the right to be informed of their personal data processing. In relation to the processing of your personal data at PTCC, you have the right to have access to your personal data, to have your personal data rectified or erased and/or to limit processing if it is not in contradiction with the legal requirements imposed on PTCC. Furthermore, you have the right to raise an objection or complaint about the method of personal data processing and/or you can exercise the right to data portability in the case of a contractual relationship.
Right of access to personal data
You have the right to obtain confirmation of whether personal data concerning you are processed and, if so, you have the right of access to such personal data. You will receive information on the processing of your personal data. However, PTCC is authorised to require a reasonable fee, corresponding to the administrative costs incurred by PTCC, for any other copy.
Right to erasure of personal data
The right to erasure (right to be forgotten) establishes the controller’s obligation to erase personal data where one of the following grounds applies:
Nevertheless, we would like to point out that it is not possible to require erasure of personal data contained in the medical documentation. Handling of medical documentation is governed by Sections 53–69 of Act No. 372/2011 Coll., on healthcare services, and Decree No. 98/2012 Coll., on medical documentation.
You can exercise your rights and requirements with the data protection officer. Your requirements shall be duly assessed and settled in compliance with the relevant provisions of the Regulation.