Y&C Institute of Medical Rehabilitation Limited (hereinafter “MedInstitute”) is a private limited liability company duly registered under the company laws of the Republic of Cyprus with registration number HE35363 an registered offices at 29, Dikaiosinis Str., Makedonitisa – Nicosia Cyprus. [u1]
Your privacy is really important to us and here at MedInstitute, we are committed to protecting your personal information and maintain transparency in regards to their processing.
MedInstitute is the data controller in respect of your personal information for the purposes of applicable data protection legislation as amended from time to time in Cyprus and the European Union that sets out the obligations that MedInstitute has when processing personal information.
Address: 13 — 15 Digeni Akrita Str., Nicosia, 1055, Cyprus
E-mail us at: firstname.lastname@example.org
Tel. no.: +35722755940
The definitions below shall have the same meaning as the relevant definitions set out in the EU General Data Protection Regulation 2016/679.
Consent means any freely given, specific, informed and unambiguous indication of a Data Subject’s wishes by which the Data Subject, by a statement or a clear affirmative action, signifies his agreement to the processing of personal information relating to him/her.
The Data Controller means a natural or legal person, which alone or jointly with others determines the purpose and means of the processing of personal information or data.
An identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A Data Subject may for example be a patient, a client, a representative of a patient or client, or any person visiting MedInstiute’s websites or utilizing its services.
The European Economic Area, meaning the EU member states together with the EFTA countries
(Liechtenstein, Iceland and Norway)
GDPR shall mean the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016.
Personal Information means any information relating to an identified or identifiable individual (the “Data Subject”).
Personal information includes all types of information that directly or indirectly may be linked to the Data Subject and may include:
- Names, dates of birth, ID and passport details
- Contact details such as addresses, e-mail addresses, telephone numbers, instant message identification and social media profiles
- Indirect information such as IP address and laptop names
- Expressions of opinions on living individuals
- Location data
- Information concerning income and payment information
- Client and supplier information (if linked to an individual)
Encrypted information is also deemed to be Personal Data if the information can be made readable and therefore identifies an individual.
Personal Data Breach shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal information transmitted, stored or otherwise processed.
Any operation or set of operations which is performed upon personal information or on sets of personal information, whether or not by automatic means, such as use, collection, recording, organization, structuring, alignment or combination, adaptation or alternation, retrieval, consultation, dissemination, storage and disclosure by transmission or otherwise making available, restriction, erasure or destruction.
The definition is technology-neutral and includes the processing of personal information that is wholly or partly performed with the aid of computers or similar equipment that is capable of automatically processing personal information or data. The definition also includes manual registers or filing systems if the personal information is included within, or is intended to form part of, a structured collection making the personal information available for searching or compilation according to specific criteria.
A natural or legal person, public authority, agency or other body, which processes the personal data on behalf of the controller, i.e. a company, an employee or service provider which processes personal data on the Data Controller’s behalf.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, is authorized to process personal data.
Special categories of personal information (sensitive data)
Special categories of data are Personal Data revealing or concerning:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a Data Subject
- sex life or sexual orientation
The term Supervisory Authority means an independent public authority which is established by an EU Member State pursuant to Article 51 of GDPR and is concerned with supervisory functions over the processing of personal data by data controllers and processors established within the territorial jurisdiction of that Member State.
For the purposes of this document and the policies herein, all references to “supervisory authority” shall refer to The Office of the Commissioner for Personal Data Protection (here an after called The Commissioner) which is an independent public authority responsible for monitoring the implementation of GDPR and other laws aiming at the protection of individuals with regards to the processing of their personal data.
For the purpose of this Data Protection Policy, Transfer shall mean any Personal Data disclosure, copy or move via a network, access from a system or web application or any Personal Data disclosure, copy or move from one medium to another irrespective of type of medium from the EEA to a recipient outside the EEA.
This policy statement represents binding company rules and governs personal information collection and usage in MedInstitute’s day to day activities either through our websites or directly at our medical institute.
The application of the privacy policies herein extend to all personal data retained, processed or stored by MedInstitute in all structured filing systems:
- Paper based or electronic (including data on individual PCs)
- Other media linked to an individual directly or indirectly identifying this person as being himself (ex: e-mail addresses, photographs etc.)
- Verbal or any media communications & conversations.
- CCTV recordings
If you have any queries about this policy, its contents or the ways in which we may process your personal information, please do not hesitate to contact us at:
Tel.no.: +357 22 755940
Email us at: email@example.com
As a general policy all Personal Information processed my MedInstitute through its websites or directly at our medical institute must be :
- Obtained, used, shared ,transferred, stored and disposed off, in a professional, transparent, legal and ethical manner, whether the processing is performed electronically, within the premises of our institute or elsewhere.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
The requirements of GDPR and other applicable data protection laws must be met:
- Data confidentiality good practice standards and appropriate supporting guidance shall be advised within all work streams of the company to assure appropriate organizational and technical controls are implemented in order to protect data
- Security measures and internal audit procedures must be in palace to assure compliance.
MedInstitute acting as Data Controller of the personal information bears the responsibility to demonstrate compliance with the principles set out herein at any time such a request is made by the data protection authority of competent jurisdiction.
Principles for Processing Personal Information
Here at MedInstitute we recognize that when processing personal information, the individual rights of the data subjects must be protected at all times.
Personal data must be collected and processed in a legal and fair manner under one of the legal basis for which processing is permitted by law and regulations and which are describes in the section Legal Basis for Processing below.
Personal Information can be processed only for an explicit and legitimate purpose that was defined before the data was collected and/or processed and the individuals of whom the personal data is being processed have been informed as such.
The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned and the data subject must be made aware of, its rights within a reasonable time from obtaining the Personal Information. If the personal information is to be used for communication with the data subject, notice of the above information shall be given at the latest at the time of the first communication with the Data Subject.
Before processing personal data, it must be determined whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is processed.
Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymised or statistical data shall be used.
Personal data may not and shall be collected in advance and stored for potential future purposes unless required or permitted by law.
Personal information must be stored and processed for the shortest time possible. Personal data that is no longer needed after the expiration of legal or business process related periods must be deleted. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on record until the interests that merit protection have been clarified legally, or the company archive has evaluated the data to determine whether it must be retained.
Personal data on file must be correct, complete and only if necessary kept up-to-date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated without delay.
Personal Information is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.
What Information do we collect about you?
For the purpose of this policy and in light of all relevant data protection legislations, personal information shall mean any data that can identify an individual either directly or when combined with other data.
Our healthcare professionals as well as our supporting staff working with you and that are involved in providing our services to you such as doctors, nurses, physical therapists and other members of the staff in our employment, keep records about you, your health and any care and treatment you are offered or receive. For example, data might be collected through patients registration forms; obtained from your identification documents, medical records provided by you or third parties, from, online web-forms completed by you before or at the start of your treatment; from correspondence with you; through interviews, meetings, consultations and/or other assessments or communication methods.
The data that we collect unless you have expressly advised us not to, may include:
- Name, address, phone number, and email address where you have provided these to enable us to communicate with you. This could include emails, text messages, voicemail messages as well as VoIP (voice over IP) and ToIP (text over IP) communications.
- Date of birth and gender
- Information regarding your nationality, country of provenience and residence status
- Information about your marital and employment status
- Your next of kin, dependants, nominees or emergency contact names and contact details
- Your previous medical health record regardless as to whether it refers to treatments provided by MedInstitute or other third parties
- Notes and reports about your current physical health and any treatment, care or support you need and/or receive either from MedInstitute or other third parties
- Results and information pertaining to your tests, diagnosis and prognosis
- Information about medical or health conditions of your family and relevant information from other professionals, relatives or those who care for you or know you well
- Any contacts you have with us such as home visits or outpatient appointments
- Information on medicines, side effects, allergies and/or special dietary requirements that impose limits to treatment or particular medicines.
- Patient experience feedback and treatment outcome information that you provide.
- Your bank or credit/debit card details if you are a ‘selfpay’ patient or the financial information of the company or individual who is responsible for the payment of invoices/bills relating to your care (e.g. insurer, sponsor or Guarantor);
- Information about your usage of our website
Please note that this data may also include visual images, personal appearance and behavior e.g. where CCTV is used as part of our building security measures.
By navigating on MedInstitute websites, you consent to the personal data practices described in this policy statement. Please be aware that when you visit or register on our website, subscribe to our newsletter or fill out a form, you may provide us with personally identifiable information such as:
- Your name
- Your contact details
- Your date of birth
- Your credit/debit card details
- Your job title
- Information on your usage of our website
In addition to the above we may collect anonymous demographic information that is, information that is not unique to you such as your ZIP code, age, gender, preferences, interests and favourites.
Likewise, when accessing our website we may also collect automatically information regarding your computer hardware and software such as:
- Your IP address,
- Browser type,
- Domain names,
- Access times
- Referring Web site addresses.
This information may and/or shall be used by MedInstitute for the operation of our websites, to maintain the quality of our services, and to provide general statistics regarding the use of our web sites in order to determine which MedInsititute services are most popular, to customize our online content and advertising to customers according to their particular area of interest.
Here are some examples of when you can provide us with personal information on our websites:
- When contacting us with an enquiry either via a web-form or email link
- When communicating with us via the online chat function available directly from our website
- When signing up to a newsletter
- When using our instant messaging tool
- When giving feedback
- When filling out a form
MedInsitute Websites use «cookies» to help us personalize your online experience and help us improve the quality of our website. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you.
One of the primary purposes of cookies is to provide a convenience feature that save you time. In any case, you have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer so.
Monitoring of communications
In order to ensure and appropriate standard of care, for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communication networks and systems, to check for unlawful content, obscene and profane content, for quality control of our services and staff training or when necessary to protect the legitimate interests of our company, subject to the restrictions devised in the applicable laws and regulation in relation to data protection, we may monitor and record telephone calls, emails, text messages, social media messages and other communications forms in relation to our dealings with you.
Please keep in mind that if you directly disclose personally identifiable information or sensitive data through any of MedInstitute public message boards, this information may be collected and used by others.
Special category of data/Sensitive data
Applicable data protection laws articulate the difference between personal information and data of a more sensitive nature such as racial or ethnic origin, political opinions and or affiliaions, religious beliefs, trade union activities, physical or mental health, sexual orientation, details of criminal offences, genetic data and biometric data that is processed to uniquely identify an individual.
As a medical institute, MedInstitute may collect and process such sensitive data however we shall not do so without previously obtaining your consent. This is why we will tell you if and when providing personally identifiable information and/or sensitive data is optional, including if we require your consent to process it. In all other cases, we need you to provide your personal data so that we can provide the appropriate care and treatment to you and in return receive payment for these services.
Legal basis for processing
Most of the personal information that we process is related to your care and the the medical services that we provide however, please note that there are other important reasons that we may need to process your personal information. In all circumstances we shall process your personal data fairly and lawfully, only under the legal basis provided by the EU General Data Protection Regulation.
At times, MedInstitute may rely on one or more of these legal bases when processing personal data in providing our services to you and shall only use enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care.
For clarity reasons and for the avoidance of any doubt regarding the processing of your personal information, we have summarised the circumstances in which we may lawfully process your personal data as follows:
- You have provided your express consent for us to undertake any processing activities of your personal information
- The processing of your personal information is necessary for the performance of a contract to which you are a party or in taking preparatory steps at your request prior to entering into a contract
- We have a legal obligation vested in us for processing your personal information
- The processing is necessary in order to protect someone else’s vital interests
- The processing of your personal information is necessary to perform a task or duty that is in the public interest
- The processing of your personal data is necessary in order to protect our company’s legitimate interests or the legitimate interests of a third party
When processing any personal data falling under the sensitive information definition, MedInstitutes shall undertake processing activities only if:
- You have provided us with your explicit consent to process sensitive personal information for a defined and specific purpose
- The processing of sensitive data is mandatory for social security and social protection purposes
- Your vital interests or those of another natural person need protection and processing of sensitive data is imposed in situations where we are unable to secure your consent because you are physically or legally incapable of giving your consent
- You have manifestly made public the sensitive data before being processed by MedInstitute
- Processing of your sensitive personal information is necessary for the establishment, exercise or defence of legal claims by MedInstitute
- The processing activities of your sensitive personal information entail substantial public interest
- The processing of your sensitive personal information is necessary for the provision of health or social care
- Public interest in the area of public health such as protecting against serious cross border threats to health
Whenever our processing of your personal data is based on your consent you are free, at any time, to change your mind and withdraw your consent. MedInstitute will consider all objections to the processing of your personal information and will advise you about the consequences of withdrawing your consent, including situations where such withdrawal will impair our ability to continue to provide our services to you.
Making you aware of your rights and how your information is used is of paramount importance to us therefore, if you have any questions relating to the legal grounds on which the processing of your personal data by MedIntitute is based, please do not hesitate to reach out to us using the information provided in the contact information section at the beginning of this document and we would gladly help you clarify the specific legal basis for the processing of your personal information.
Retention and Security of your personal information
MedInstitute shall dedicate the best commercially reasonable and technically viable resources to keep your information accurate and up to date. If your personal information is found to be wrong, we will make it right, where appropriate and necessary, as soon as possible.
We will only retain your personal information for as long as necessary to fulfil the purposes for which the information has been collected in the first place, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements.
In determining the appropriate retention period of your personal information, Medinstitute will consider the amount, nature and sensitivity of the personal information involved, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which the information requires processing, the applicable legal requirements and whether we can achieve those purposes through other means.
Details of retention periods for different aspects of your personal information are available in our retention policy which you can request from us at any time by contacting us and submitting an inquiry to this end.
For security and retention purposes, in some circumstances MedInstitute may anonymise your personal information so that it can no longer be associated with you for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
MedInstitutes is committed to securing your personal information from unauthorized access, use or disclosure. In this respect , we shall implement security processes to keep your personal information safe when it is being used, shared, and when it is being stored. These measures include policies and procedures aimed to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or unlawfully disclosed. In order to minimize the risk of unauthorised processing, MedInstitute limits the access to your personal information to those employees, agents, contractors and other third parties who have a legitimate need to know. They will only process your personal information strictly in accordance with our instructions and they are subject to a duty of confidentiality.
A notification procedure is in place to deal with any actual or suspected data breach according to which we will notify you, the relevant law enforcement agencies as well as the local data protection Commissioner when we are under a legal obligation to do so unless, the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subjects involved.
Sharing of your personal data
Your personal information will be shared with the team involved in the care, treatment and services that we provide to you. Therefore, we shall use your personal data:
- To support the provision of our services to you
- To decide how best to provide our services to you;
- As necessary to support the provision of our services to you and to allow
us to receive full payment for those services;
- To take steps at your request during the course of your treatment;
Subject to obtaining your written consent and communications preferences, MedInstitute may use your contact details to send you our newsletters and other information regarding our new facilities, services and treatments which we think may be of interest to you however we will not sell, lease or rent our customer base list or their personal information to any third parties without firstly obtaining your consent.
Based on the applicable data protection laws and the limitations therein, we may share your personal data with:
- Specialist Consultants, Doctors and/or other healthcare professionals who provide treatment to you at our facilities or collaborate with MedInstitute and its professional staff in providing medical services, care and treatments.
- Other healthcare providers including your General Practitioner (GP) where we believe this will enhance the quality of your care.
- Sub-contractors and other persons who help us to provide healthcare products and services to you ;
- Our legal and other professional advisors, including our auditors with a need to know involving any of your personal information;
- Government bodies, agencies and supervisory authorities with a legal need to know.
- To protect the security or integrity of our business operations and other patients;
- Payment systems and providers;
- Anyone else as long as we have secured your consent to do so or we are required by law to disclose your personal information.
MedInstitute will disclose your personal information, without previously obtaining your consent or without providing to you previous notice of the disclosure only if required to do so by law or in the good faith and belief that such action is necessary to:
(a) Comply with a mandatory legal requirement or a court order served on MedInstitute;
(b) Protect and defend the rights or property of MedInstitute; and,
(c) Act in extreme circumstances to protect the personal safety of MedInstitute customer base or its personnel or disclosing the personal information is required in the public interest.
You have the right to refuse/withdraw your consent to information sharing at any time. If for any reasons whatsoever you do not wish for us to share your personal information please contact MedInstitute to discuss this matter with the person in charge of your account that can explain how this is likely to change the way in which you receive further our services and how this may affect your care or treatment plan so that you can make a fully informed choice.
Data subject rights
We will tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases, we need you to provide your personal data so we can provide our services to you and receive payment in exchange for these services.
Under certain circumstances, you have rights under the applicable data protection laws
in relation to your personal information. These rights include:
- Requesting access to your personal information – Data subject have the right to learn if their personal information is being processed, obtain disclosure regarding certain aspects of the processing and request a copy of the personal information undergoing processing.
- Requesting correction of your personal information — Data subjects have the right to verify the accuracy of their personal information and ask for any inconsistencies to be removed, updated and/or corrected.
- Requesting erasure of your personal information – Data subjects have the right,
to request for their personal information to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply however eexisting retention periods and conﬂicting interests meriting protection must be observed.
- Objecting to processing of your personal information – Data subjects have the right, at any time to object to the processing of their personal information if the processing is carried out on a legal basis other than consent. This right will not be enforced if MedInstitute is under a mandatory legal obligation to retain and process the personal information.
- Requesting restriction of processing your personal information — Data subjects have the right, under certain circumstances, to restrict the processing of their personal information. In this case, before MedInstitute shall advise the data subject about the consequences of such restriction on a case by case basis including any consequences that might affect the provision of its services to the data subject.
- Requesting transfer of your personal information – Data subjects have
the right to receive all their personal information undergoing processing in a structured, commonly used and machine readable format and shall not infringe or adversely affect the rights protected by these rules of other individuals. If technically feasible, the data subjects can request to have their personal data processed by MedInstitute transmitted to another controller without any hindrance. This provision is applicable provided that the personal information is processed by automated means and that the processing is based on the data subject consent, on a contract which the data subject is a party of or on pre-contractual obligations thereof.
- Right to withdraw consent for processing at any time – Data subjects have the right to withdraw consent where they have previously given their consent to the processing of their personal information.
- Right to lodge a complaint – Data subjects have the right to bring a claim or submit a complaint before the competent supervisory authority or a competent court.
If a data subject wishes to exercise any of the rights set out above, please contact us at the contact details provided in this document. All requests from data subjects seeking to exercise any of the above listed rights will be addressed by MedInstitute free of change and a response shall be transmitted to the data subject as early as possible and in any case within one month from receiving a request.
To the extent that the processing of the personal information is necessary for compliance with a legal obligation vested in MedInstitute or for the establishment, exercise or defense of legal claims, MedInstitute can refuse to fulfill requests for exercising any of the above listed rights by informing the data subject accordingly.
Please note the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after the expiration of the retention period which means that your personal data and all copies of it have been deleted which means the personal information it is no longer undergoing processing by MedInstitute.
©Copyright Y&C Institute of Medical Rehabilitation Limited 2020 – All rights reserved.
[u1]Please check the accuracy of this information with Yuri or Christalla before posting it online.