Personal data protection

Home / Personal data protection

1. Personal Data Controller - GDPR - Patients

  • BU PRAGUE No. 1 a. s. (hereinafter referred to as "BUPR") with registered office: Prague 9, Trojmezní 1537/46, Postal Code 19000, ID No.: 24841595, is a provider of non-state health services pursuant to Act No. 372/2011 Coll., on Health Services.
  • In its activities, BUPR, as the data controller, processes personal data of individuals (referred to as "patients" or "You") to whom health services are provided, in accordance with applicable legal regulations, particularly Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR").
  • We handle the information we collect, process and store about you responsibly.
  • This document contains information about the processing of your personal data and describes your rights.

2. Why we process your personal data

We process your personal data for the following purposes:

  1. The processing of personal data is carried out for the purpose of providing health services and fulfilling obligations imposed by healthcare providers by virtue of applicable legal regulations (including, for example, the management of medical documentation and reporting of provided healthcare services). The legal basis for this processing is, in this case, Article 6(1)(c) and Article 9(2)(h) of the GDPR.
  2. The processing of personal data is carried out for the performance of a contract with you, for example, a healthcare contract under which we provide you with healthcare services (this contract may not necessarily be concluded in writing). The legal basis for this processing is, in this case, Article 6(1)(b) of the GDPR.
  3. The processing of personal data is necessary for the protection of BUPR's rights, legitimate interests, and property, including internal needs related to the proper performance of its activities (e.g., informing and notifying patients of examination or check-up dates). The legal basis for this processing is Article 6(1)(f) and Article 9(2)(h) of the GDPR.
  4. If you provide your consent, we may process your personal data for the purposes specified in such consent. The legal basis for this processing is Article 6(1)(a) and Article 9(2)(h) of the GDPR.

Providing personal data processed for the purpose of providing healthcare services partially covered by public health insurance and fulfilling our obligations as a healthcare provider is a legal requirement. Without providing this data, we will not be able to provide healthcare services to you (at all or in the required quality), which may result in damage to your health or even endanger your life. BUPR's right to request a patient's personal data also applies to their legal representative or guardian. Providing personal data processed for contract performance purposes is a contractual requirement. You are not legally obliged to provide us with this personal data, but without it, we cannot enter into and/or fulfill the relevant contract, meaning you cannot receive treatment.

 

3. What personal data we may process

BUPR processes personal data that you provide to us before or during the provision of health services and data collected during the provision of health services. BUPR processes the following categories of information about its patients:

  1. identification data (e.g. name, surname, title, place of residence, gender, date of birth, birth number, nationality),
  2. information about your health, weight and height,
  3. contact details (e.g. contact address, email and telephone);
  4. other information that you provide to us or that we collect during the provision of health services.

BUPR only processes personal data that is adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.

 

4. Updating your personal data - archiving

  • We will make reasonable efforts to ensure the accuracy of your personal data. To assist us in doing so, you should provide us with only accurate, truthful, and up-to-date information. If you discover that the information we process is inaccurate, untrue, or outdated (e.g., due to changes in your personal data), please inform us so that we can make the necessary corrections.
  • We will process your personal data only for the period necessary for the purpose of their processing. If personal data are used simultaneously for multiple different processing purposes, we will process them until the purpose with the longer processing period is fulfilled. However, we will cease processing for the purpose with the shorter processing period once that period has expired.
  • BUPR uses the following criteria to determine the duration of processing of patients' personal data:
  1. For the purpose of compliance with our legal obligations, your personal data will be processed for the duration of the relevant legal obligation of BUPR (e.g., in relation to our obligation to maintain healthcare documentation).
  2. For the purpose of fulfilling the contract, your personal data will be processed until the obligations under the respective contract concluded with BUPR expire.
  3. For the purpose of protecting BUPR's rights, legitimate interests, and property, your personal data will be processed for the duration of the relevant protected interest of BUPR. For the protection of our rights, we will, for example, process your personal data even after the obligations under a concluded contract have ceased, specifically until the end of the 5th calendar year after such an obligation ceases. In the case of the initiation and duration of legal, administrative, or other proceedings in which our rights or obligations towards you are being addressed, the processing will not end before the conclusion of such proceedings.
  4. Personal data processed based on your consent will be processed until you withdraw your consent unless a shorter processing period is specified at the time of obtaining your consent

 

5. To whom we transfer your personal data

  • We will transfer your personal data in accordance with generally binding legal regulations to other health service providers (e.g. for the purposes of consultations or consular examinations), health insurance companies, public authorities or persons authorised to consult your medical records under the Health Services Act. We may also inform you of other recipients of your personal data when providing specific health services.
  • If you participate in a clinical trial with us, your personal data will be transferred to the (principal) investigating physician and/or the study sponsor, who will process your personal data as separate data controllers.
  • If it is necessary to protect the rights, legitimate interests, and property of BUPR, we may disclose your personal data to, for example, judicial or administrative authorities, bailiffs, and etc..
  • BUPR is also entitled to transfer your personal data to its processors with whom it has entered into a written contract for the processing of personal data (e.g. accountants, tax or legal advisors, IT system providers). Upon request, we will provide you with an up-to-date list of the processors who process your personal data for BUPR.
  • We will always disclose your personal data only to the extent necessary to maximize the protection of your right to personal data protection and your privacy.
  • We do not transfer your personal data outside the European Union or to international organisations.

 

6. What are your rights

In connection with the processing of your personal data, you have the rights listed below. However, certain exceptions may apply to the exercise of these rights, and therefore they may not be applicable in all situations. If you exercise your rights and your request is found to be justified, we will take the necessary measures without undue delay, at the latest within one month from the receipt of your request (in reasonable cases, this period can be extended until the matter is resolved).

  1. You have the right to access the personal data we process about you.
  2. You have the right to rectification or erasure under Article 17 of the GDPR, but it must not interfere with the processing of medical records.
  3. You can ask us to correct inaccurate personal data.
  4. You have the right to withdraw your consent to the processing of personal data at any time if the processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR. However, the withdrawal of consent does not affect the lawfulness of processing during the period prior to its withdrawal.
  5. If we process your personal data on the basis of BUPR's legitimate interests, you have the right to object to such processing.
  6. In certain cases, you may request that we restrict the processing being carried out (for example, pending the resolution of your objections).
  7. You can ask us to transfer personal data we process about you on the basis of a contract or your consent to you or to a third party in electronic form.
  8. If you believe that your personal data is being processed in violation of the law, please contact us and we will promptly remedy the situation. However, you may also lodge a complaint about the processing directly with the Data Protection Authority.
  9. You have the right to object at any time to the processing of personal data concerning you that BUPR processes for direct marketing purposes. If you object to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

7. Contact details of the GDPR Officer

If you have any questions regarding the processing and protection of your personal data, you can contact directly the Data Protection Officer at BUPR, Ing. Milan Kozák. You can contact him via email kozak@banksys.cz  or by phone at +420 777 290 092.