THE HEALTH CLINIC OÜ
Last update: 12 October 2023
The controller of the personal data of data subjects is the Health Clinic OÜ, Tartu mnt 13, Tallinn 10145, Estonia, registry code 11837333, telephone +372 600 0925, e-mail firstname.lastname@example.org (hereinafter referred to as the Health Clinic OÜ or we). The Health Clinic OÜ’s Data Protection Specialist is Anni Laas, e-mail email@example.com.
WHAT PERSONAL DATA ARE PROCESSED?
The Health Clinic OÜ processes the following personal data of data subjects:
- first and last name;
- address, telephone and e-mail;
- personal identification code and/or date of birth;
- height and weight (both current weight and previous highest weight);
- health data which are necessary for the provision of a healthcare service to the data subject, the exact nature of which depends on the specific service required;
- data relating to the provision of a healthcare service (content of the service and time of provision, other data relating to the provision of the service, except health data listed in clause 5).
The Health Clinic OÜ may further process other personal data that the data subject voluntarily provides to us, for example, in the course of providing a service or in other communications with us.
PURPOSE AND LEGAL BASIS OF PERSONAL DATA PROCESSING
Personal data are processed for the following purposes and on the following legal bases:
- Fulfilling the obligations arising from a healthcare service contract and/or taking the necessary steps to enter into a contract. In this case, the legal basis for processing the personal data is the performance of the contract with the data subject or taking necessary measures to enter into a contract in accordance with the data subject’s request.
- Ensuring the quality of healthcare services, including ensuring the continued quality of our healthcare services by implementing a quality management system designed to reduce risks. In this case, the legal basis for the processing of personal data derives from the Health Services Organisation Act.
- Performing analytics and customer satisfaction surveys to improve the quality of our services and develop new services. In this case, the legal basis for the processing of personal data is our legitimate interest in fulfilling the aforementioned purposes. We do not process your health data for these purposes.
- Complying with legal requirements, such as healthcare legislation, the Accounting Act and tax legislation. In this case, the legal basis for the processing of personal data is the fulfilment of our legal obligations.
- Responding to client enquiries, requests and other communications. Depending on the nature of the interaction, the legal basis for the processing of personal data in such cases may be either the performance of a contract or our legitimate interest in providing seamless customer service.
- Managing business and contractual relationships, including managing our business partner and client databases and negotiating contractual relationships. In this case, the legal basis for the processing of personal data is our legitimate interest in fulfilling the aforementioned purposes.
- Direct marketing by sending promotional and informational material regarding our services and other offers. In this case, the legal basis for the processing of personal data is the explicit consent of the data subject. The data subject may withdraw their consent at any time in order to stop receiving these marketing materials.
- Where we need to do so, we may process personal data in order to pursue our legitimate interest in filing, processing or defending legal claims arising out of a contract between you and us.
RIGHTS OF DATA SUBJECT
A data subject has the right to:
- upon request, access the personal data we process about them. To the extent permitted by legislation, the data subject also has the right to correct, update or amend the personal data;
- have their personal data deleted, unless we have another legal basis for retaining the data subject’s personal data;
- object to the processing of certain personal data and request the restriction of the processing of personal data, in accordance with legislation;
- data portability, i.e. the right to receive personal data in an organised form in a commonly used machine-readable format and to transmit them to another controller at their discretion, subject to legislation;
- withdraw consent to the processing of personal data where the processing is based on the data subject’s consent. Please note that the withdrawal of consent does not affect the lawfulness of the processing of personal data that occurred based on the consent prior to the withdrawal;
- to the extent permitted by legislation, request access to the relevant decision made on a legitimate interest where the processing of personal data is based on a legitimate interest of the Health Clinic OÜ.
In order to exercise the above rights, please contact our Data Protection Specialist at firstname.lastname@example.org. If you believe that we aren’t processing your personal data correctly, you have the right to lodge a complaint about the processing of your personal data with the Data Protection Inspectorate or to take legal action.
If the retention of your personal data is no longer required by legislation or necessary to achieve the purpose for which it was collected, we will permanently delete your personal data or render it anonymous, unless you have instructed us otherwise and we have entered into an agreement to retain it for a longer period.
TRANSFER OF PERSONAL DATA TO THIRD PARTIES
The Health Clinic OÜ makes every effort to protect the personal data of data subjects by requiring strict security and confidentiality from its employees and partners. The Health Clinic OÜ may transfer data subjects’ personal data to third parties in the following cases and ways:
- to trusted service providers who provide services to us or you in accordance with our instructions, such as suppliers of the IT systems we use to manage our client interactions, providers of payment processing services, and laboratories, hospitals or other third party healthcare providers in connection with the provision of healthcare services;
- to public authorities if the transfer of personal data is necessary for the fulfilment of our legal obligations or for the prevention or investigation of possible criminal offences; and
- to other third parties if it is necessary to protect our property or rights or defend against legal claims.
The Health Clinic OÜ does not transfer personal data outside the European Economic Area.
- functional cookies, which are essential for the operation and navigation of websites;
- analytical cookies, which collect information about how visitors use our websites, for example, to improve your user experience and develop our websites. Analytical cookies are only stored on your device with your consent;
- advertising cookies, which collect information about your online browsing habits in order to assess the effectiveness of ads to help us choose ads relevant for you and your interests. Advertising cookies are only stored on your device with your consent; and
- third party cookies that allow us, among other things, to exchange information about your use of our websites with, for example, communication channels and social networks. The corresponding cookies will only be stored on your device with your consent.
The length of time cookies are stored on your device depends on whether they are persistent or temporary (or ‘session’ cookies). Persistent cookies will remain on your device until they expire or are manually deleted. Session cookies are deleted from your device the moment you leave our websites.
The Health Clinic implements various organisational and IT security measures to protect the personal data and store the data in electronic form. For example, we only give access to your personal data to authorised employees and contractors who need it to perform their duties. We also take additional measures to ensure the security of your health data, for example by storing it separately from other personal data. Please note, however, that while we strive to take reasonable measures to protect the security of your personal data, no system can completely eliminate all possible security risks.