Information on the processing of personal data - UNICA, spol. s r.o.

Information on the processing of personal data

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on informing data subjects (hereinafter referred to as "GDPR"), we hereby inform you how our company UNICA, spol. s r.o., 449 60 867, registered in the Commercial Register maintained by the Regional Court in Brno, file number C 3990, as a personal data controller (hereinafter referred to as the "controller" or also "we") processes your personal data and about the rights and obligations associated with it.

1 Personal data controller

The data controller of your personal data is our company UNICA, spol. s r.o., with registered office at Barvičova 833/53, Stránice, 602 00 Brno, ID No.: 449 60 867, registered in the Commercial Register maintained by the Regional Court in Brno, file number C 3990.

In connection with the processing of personal data, you can contact us through our Data Protection Officer, who has been appointed by LAWYA, s.r.o., with registered office at Březinova 746/29, Žabovřesky, 616 00 Brno, ID No.: 023 22 021, through the contact person Mgr. Ivana Šilhánková, silhankova@lawya.cz, +420 770 606 082, or via the following contact details: IVF-Brno@unica.cz.

2 Scope of processing of personal data

We collect and use your personal data solely in connection with the provision of healthcare to you. We are also obliged to disclose your personal data when reporting on covered healthcare and fulfilling other legal obligations, such as tax and accounting obligations and reporting to the registers of certain diseases provided for by law. The protection of your personal data and your medical records is essential to us and we have taken a number of strict technical and organisational measures to secure your personal data.

We process personal data to the extent that they are provided to us by the data subject in connection with the conclusion of a health care contract with the controller or in connection with the provision of health services in accordance with Act No. 372/2011 Coll., on Health Services and Conditions of their Provision (Health Services Act), its implementing regulations and other regulations governing the provision of health services. We also process personal data that have not been provided by the data subject but which we obtain in the course of providing health services, e.g. data obtained as results of specific examinations. 

3 Purpose of the processing of personal data

We process personal data for the following purposes:

- the provision of health services, including consultative health services;

- the performance of legal obligations by the controller;

- maintaining medical records;

- entering into and performance of a healthcare contract;

- establishing, exercising or defending legal claims;

- the provision, to the extent necessary, of legal, economic and tax advisors and auditors for the purpose of providing advisory services to the Trustee and fulfilling legal obligations.

The processing of your personal data for purposes other than those listed above will only occur if such processing is compatible with the above purposes. We will inform you of such further processing of your personal data and, if necessary, request your consent.

4 Legal basis for the processing of personal data

The legal basis for processing your personal data is:

- Performance of a contract: Processing of personal data to the extent necessary for the performance of a healthcare or other contract with you within the meaning of Article 6(1)(b) of the GDPR;

- Provision of healthcare: processing of personal data, including special category personal data (in particular health data) to the extent necessary for the provision of healthcare within the meaning of Article 6(1)(b) and (c) of the GDPR in conjunction with Article 9(2)(h) of the GDPR;

- Compliance with legal obligations: processing of personal data to the extent necessary to comply with the legal obligations to which the controller is subject as a provider of healthcare services within the meaning of Article 6(1)(c) of the GDPR;

- Legitimate interest: Processing of personal data to the extent necessary for the purposes of the legitimate interests of the controller within the meaning of Article 6(1)(f) of the GDPR. The legitimate interest of the controller consists in the defence and enforcement of legal claims, the protection of the company's facilities, objects and assets, as well as the data and the facilities for processing them. The legitimate interest is also the processing of your request via the contact form on our website https://unica.cz/cs/contacts/.  The processing of your data is permitted here, unless the protection of your interests, fundamental rights and freedoms overrides the legitimate interests of the controller.

- Consent: If necessary, your consent will be requested in individual cases for the processing of your data or for the transfer of your data. Your consent in these cases is voluntary and you may withdraw it at any time in the future. You will not suffer any disadvantages from not giving or later withdrawing your consent.

With regard to the processing of special categories of personal data to the extent required by law, we process your health data and the data provided about your medical history solely for the purpose of providing health services within the meaning of Article 9(2)(h) of the GDPR and in accordance with health services legislation and to comply with related legal obligations.

5 Categories of personal data

Personal data is processed to the following extent:

- Address and identification data, such as name, surname, date of birth, permanent address, etc;

- contact data such as contact address, telephone number, email address, etc;

- data in connection with payments under the healthcare contract, such as bank details, health insurance company details;

- data necessary for the performance of the health care contract and the performance of the health care, including special category personal data (on the health status of the data subject) and other data provided in the framework of the anamnestic questionnaire and data in the form of audio or visual recordings taken during the online indication session in the framework of the provision of consultation (health) services;

- data in connection with camera systems, namely the processing of video footage of the movement of persons in the vicinity of installed cameras. The camera system is installed in publicly accessible areas of the administrator's building, on the exterior of the administrator's buildings and at entrances and entrances to the administrator's buildings. The camera systems are installed to, among other things, ensure the security of your data and medical records, as well as to protect property and the life and health of persons in the building. Camera systems are not installed in any private areas such as locker rooms or restrooms. Further information on the processing of personal data in connection with the camera systems is provided in the Information on the processing of personal data in connection with the operation of the camera system or at the above contact details.

- In specific cases where consent has been given, photographs or videos for the purpose of placing on the company's website, whereby the patient will be informed of such use and their consent to the processing of personal data will be sought.

5.1 Recipients of personal data and transfer of personal data to third countries

Your personal data may be transferred to the following recipients:

- Other providers of health care services in the context of extended or follow-up health care and providers of selected health care services, in particular external laboratories or providers of genetic testing;

- public institutions, in particular health insurance companies;

- public authorities in the framework of the fulfilment of their legal obligations under the relevant legislation, including the transmission of anonymised data to the National Register of Assisted Reproductive Technology;

- processors under contract with the controller to the extent necessary for the purpose of the processing, e.g. companies managing electronic medical record keeping systems, persons providing data storage or archiving, etc;

- anonymised personal data to sponsors of clinical trials in the field of assisted reproduction, whereby the patient will be informed of such use and prior informed consent to participate in the clinical trial will be sought;

- persons providing legal advice;

We do not transfer your personal data to third countries outside the European Union. Health data and medical records are not transferred to third countries outside the European Union.

If the recipients of the personal data are in the position of processors, in accordance with Article 28 of the GDPR, the controller has entered into a processing agreement with them and has committed them to comply with all obligations arising from this document.

Further information about the recipients to whom your personal data is transferred will be provided by the controller upon request.

6 Method of processing and protection of personal data

Personal data are processed primarily in the medical records in full compliance with the applicable legislation. The security and protection of personal data is ensured in accordance with these regulations and the GDPR.

The controller has taken appropriate technical and organisational measures to ensure maximum protection of your personal data. The controller carries out personal data processing operations both automatically and manually, and the persons who access your personal data are bound by a duty of confidentiality.

 

7 How long do we keep your personal data?

Your personal data will be processed for as long as necessary to fulfil the purpose and in accordance with the time limits set out in the relevant legislation for the shredding and archiving of documents, or as long as necessary for the establishment, exercise or defence of legal claims.

8 What are your rights when processing personal data?

Your data protection rights are regulated in Chapter III (Article 12 et seq.) of the GDPR. Under these provisions you have the following rights:

- The right of access to personal data with the controller, which means that you can at any time request confirmation from the controller as to whether or not the personal data concerning you are being processed and, if so, for what purposes, to what extent, to whom they are disclosed, how long they will be processed, whether you have the right to rectification, erasure, restriction of processing or to object, where the personal data were obtained from, and whether automated decision-making, including possible profiling, is taking place on the basis of the processing of personal data. You also have the right to obtain a copy of your personal data, the first provision of which is free of charge, and the controller may charge reasonable administrative costs for further provision.

- The right to rectification of personal data, which means that you can ask the controller to rectify or complete your personal data if it is inaccurate or incomplete.

- The right to erasure of personal data ("right to be forgotten"), which means that the controller must erase your personal data if one of the following reasons applies: (i) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, (ii) you withdraw the consent on the basis of which the personal data was processed and there is no further reason for processing it, (iii) you object to the processing and there are no overriding legitimate grounds for the processing, (iv) the processing is unlawful, or (v) the personal data must be erased to comply with a legal obligation of the controller.

- The right to restrict the processing of personal data, which means that until the disputed issues regarding the processing of your personal data are resolved, specifically if (i) you contest the accuracy of the personal data, (ii) the processing is unlawful, but instead of erasing the personal data you only want to restrict the processing, (iii) the controller no longer needs the personal data for the purposes of the processing but you do (iv) or if you have objected to the processing, the controller can only store the personal data and further processing is subject to your consent or that the data is needed for the establishment, exercise or defence of legal claims.

- The right to data portability, which means that you have the right to obtain your personal data that you have provided to the controller with your consent to processing or for the purposes of performance of a contract in a structured, commonly used and machine-readable format and, where technically feasible, you have the right to have the controller transfer the data to another controller.

- The right to object to certain types of processing of personal data (specifically, processing carried out on the basis of a legitimate interest of the controller) if grounds for objecting to the processing of personal data would arise in your particular situation, which means that in these cases of processing you can lodge a written or electronic objection to the processing of your personal data with the controller, thereby causing the controller not to process the personal data further unless it demonstrates compelling legitimate grounds for the processing which override your interests or rights and freedoms or for the establishment or exercise of legal claims.

- The right to withdraw consent where we process your personal data on the basis of consent. You may withdraw the consent to the processing of personal data that you have previously provided to us at any time without giving any reason. In this case, we will delete your personal data if we do not need the data for other purposes. However, this does not apply in cases and to the extent that consent to processing is not the legal basis for processing.

- Right to lodge a complaint with a supervisory authority, the competent supervisory authority for personal data protection in the Czech Republic is the Office for Personal Data Protection, located at Pplk. Sochor 27, 170 00 Prague 7, tel. +420 234 665 111, e-mail: posta@uoou.cz.

9 How can I exercise individual rights?

In all matters related to the processing of your personal data, whether it is an inquiry, exercising a right, filing a complaint or anything else, you can contact the Data Protection Officer, which is LAWYA, s.r.o., with registered office at Březinova 746/29, Žabovřesky, 616 00 Brno, ID No.: 023 22 021, through the contact person Mgr. Mgr. Ivana Šilhánková, silhankova@lawya.cz,+420 770 606 082, or at the contact details listed in the header of this document.

We will process your request without undue delay, but within one month at most. In exceptional cases, in particular due to the complexity of your request, we are entitled to extend this period by a further two months. We will, of course, inform you of any such extension and the reasons for it.