Internal regulations

Effective from December 2, 2024

Privacy Policy of the CARE MEDICO Healthcare Group

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”).

I. Data Controller

This Privacy Policy applies to all entities within the CARE MEDICO healthcare group:

CARE MEDICO s.r.o., registered at Sokolovská 131/86, 186 00 Prague 8, Company ID: 26761505 (parent company),

UROGYN MEDICO s.r.o., registered at Daliborova 308/9, 102 00 Prague 10, Company ID: 08760411,

ORTO MEDICO s.r.o., registered at Daliborova 308/9, 102 00 Prague 10, Company ID: 17056632.

These entities operate healthcare facilities in the Czech Republic, providing outpatient care for children, adults, and seniors. As the data controller, we inform you, in accordance with Article 12 of the GDPR, about the processing of your personal data and your rights.

II. Scope of Personal Data Processing

Personal data is processed to the extent necessary, depending on:

• The information provided by the data subject to the controller in connection with a contractual or legal relationship.

• Data collected and processed in compliance with applicable laws (e.g., the Healthcare Services Act, the Ministry of Health decree on medical records).

III. Sources of Personal Data

The controller collects personal data primarily in the following ways:

• Directly from the data subject, especially during registration, the provision of healthcare services, and medical record management.

• Through oral, written, email, telephone, website contact forms, or business cards.

• From publicly available registers, lists, and records (e.g., the Commercial Register, Trade Register, Land Registry).

• From business relationships or contractual partnerships.

IV. Categories of Processed Personal Data

The controller processes the following categories of personal data as necessary:

Identification and contact details, such as name, surname, title, birth number, date of birth, permanent address, company ID (IČO), VAT number (DIČ), phone number, fax number, and email address.

Descriptive data relevant to service provision.

Data required for contract execution.

Additional data provided voluntarily, such as photographs or HR-related personal data.

Personal data processed in connection with healthcare services.

V. Categories of Data Subjects

The data subjects include, but are not limited to:

Patients.

Clients of the controller.

Employees of the controller or job applicants.

Service or product suppliers.

Other individuals in contractual relationships with the controller.

Persons authorized to access medical records.

VI. Categories of Personal Data Recipients

The controller may provide personal data to:

Health insurance companies.

Healthcare and social service providers.

Patients.

Public institutions.

State and other authorities to fulfill legal obligations.

Contractual partners.

Other recipients, including transfers of personal data within the EU.

VII. Purpose of Personal Data Processing

The controller processes personal data for the following purposes:

For purposes specified in the data subject’s consent.

For business relationships and contract negotiations, including contract fulfillment (e.g., email contacts of business representatives).

For the protection of the controller’s rights, as well as the rights of other affected parties (e.g., legal disputes, security camera recordings for property protection).

For record-keeping and archiving in compliance with legal and internal regulations.

For HR management, including employment contracts, personnel records, and tax filings.

For compliance with legal obligations.

For the protection of vital interests of the data subject.

VIII. Processing Methods and Data Security

Personal data processing is carried out by the controller’s authorized and trained personnel. Processing is conducted:

Electronically using IT systems.

Manually, in paper form, ensuring compliance with all data security regulations.

To protect personal data, the controller has implemented technical and organizational security measures to prevent unauthorized or accidental access, modification, destruction, loss, or misuse of personal data.

IX. Data Retention Period

Personal data is processed and stored:

For the period necessary to fulfill the contractual or legal obligations of the controller.

In compliance with legal regulations, contractual terms, and internal archiving policies.

For the duration specified in the data subject’s consent.

X. Legal Basis for Data Processing

The controller processes personal data with the data subject’s consent, except in cases where processing is legally required. Under Article 6(1) of the GDPR, personal data processing is lawful if:

• The data subject has given consent for specific purposes.

• Processing is necessary for contract execution or pre-contractual measures requested by the data subject.

• Processing is necessary to fulfill legal obligations applicable to the controller.

• Processing is necessary to protect vital interests of the data subject or another person.

• Processing is necessary for tasks carried out in the public interest or in the exercise of official authority.

• Processing is necessary for legitimate interests pursued by the controller or a third party, unless overridden by the data subject’s rights and freedoms.

XI. Data Subject Rights

Under Articles 12 and following of the GDPR, the controller must, upon request, provide data subjects with information about the processing of their personal data, including:

• The purpose of processing.

• The categories of processed personal data.

• The recipients or categories of recipients of personal data.

• The planned retention period.

• Available information on data sources, if the data was not obtained from the data subject.

• Whether automated decision-making, including profiling, is used.

• Intended data transfers and their purpose.

If a data subject believes that their personal data is being processed in violation of privacy rights or legal regulations, they may:

1. Request an explanation from the controller.

2. Request rectification, blocking, correction, completion, or deletion of personal data.

3. If the request is justified, the controller must immediately correct the issue.

4. If the controller does not comply with the request, the data subject may file a complaint with the Office for Personal Data Protection (Úřad pro ochranu osobních údajů).

5. The data subject may contact the supervisory authority directly.

Contact for Data Protection Officer (DPO)

📩 gdpr@caremedico.cz

This Privacy Policy ensures compliance with GDPR requirements while protecting the rights and privacy of our clients, employees, and partners.
