December 2021
Please read carefully the privacy policy (hereinafter referred to as the “Privacy Policy”) of UAB Telesante (hereinafter referred to as the “Data Controller”), because each time you visit the website belonging to the Data Controller, you agree to the terms and conditions described in this Privacy Policy. If you do not agree to these terms and conditions, please do not visit our website or use our content and/or services. We confirm that the Data Controller’s website visitors’ data will be collected in accordance with the requirements of the applicable legislation of the European Union and the Republic of Lithuania. Technical and administrative measures are in place to protect the data we collect about website visitors from loss, unauthorised use and alteration.
Persons under the age of 16 are not allowed to submit any personal data through our website. If you are a person under the age of 16, you must obtain the consent of your parents or other legal guardians before providing personal information.
General provisions
This Privacy Policy of UAB Telesante establishes the terms and conditions for the processing of personal data when using the website operated by the Data Controller.
The terms and conditions set out in this Privacy Policy apply each time you access our content and/or service, regardless of the device (computer, mobile phone, tablet, TV, etc.) you are using.
The terms used in this Privacy Policy shall be understood as they are defined in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”).
This Privacy Policy is based on the following legislation:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;
- Law No. XIII-1426 of 30 June 2018;
- Law of the Republic of Lithuania on Electronic Communications No. IX-2135 of 15 April 2004;
- Guidelines and recommendations issued by the State Data Protection Inspectorate and the European Data Protection Board;
- other legislation governing the activities of personal healthcare institutions (with data protection requirements).
Information about the Data Controller
UAB Telesante, legal entity code 305917454, registered office address Didžioji Riešė, Mėtų g.2, LT-14261 Vilniaus raj., e-mail: info@telesante.lt, tel. +370 686 12193
The Data Controller shall process the following personal data necessary for the identification of patients and the provision of personal healthcare services:
Name, surname; personal identification number, gender, date of birth, e-mail address, residential address, billing data, registration data in a personal healthcare institution, relationship (relationship of the data subject to the person concerned, name and surname of the person concerned, date of birth, gender) and other data;
Special categories of personal data: examination data, photographs, videos, list of diagnoses, history of visits (date, name and surname of the doctor visited, status), descriptions and conclusions, prescription of medicines and medical aids, referrals for personal health care services in other institutions, examinations, medical history, other records in personal health records, certificates and other data;
Website visitor data, unique identifiers and other tracking tools that collect information about subscribing to, (not) receiving, opening, clicking, unsubscribing from newsletters, which application is being used to read the email, the IP address and the country assigned to it, and the information provided by visitors on social networks – recommendations, complaints, opinions, suggestions and other data.
Legal basis for the processing of your personal data in our institution
The provision of health services constitutes a sufficient legal basis for the processing of personal data necessary for that purpose (Article 9 GDPR).
In accordance with the provisions of Article 9 of the GDPR, it is lawful to process personal data for the purpose of ‘making a medical diagnosis, providing healthcare or treatment or managing healthcare systems and services on the basis of Union or Member State law or under a contract with a healthcare professional, subject to the conditions and safeguards referred to in paragraph 3’.
This provision of the GDPR also implies which personal data are allowed to be processed. It is data that is necessary for diagnosis, treatment and healthcare. It is also the data needed to manage healthcare systems, i.e. to organise and improve the functioning of a health facility.
In individual cases, your personal data may be processed on other grounds. You will be notified in each case.
Such grounds may include:
1) where your data is processed on the basis of your consent. This means that you have given your formal consent to the processing of your data by the Data Controller’s employees. (However, if you are under 16 years of age, your consent alone may not be sufficient in such cases. It will need to be confirmed by your parents or guardians.)
You have the right to withdraw your consent at any time. Withdrawal of consent will not have any negative consequences for you personally.
2) if the processing is necessary for the performance of a contract concluded with you or is necessary for the conclusion of a new contract at your request;
3) if we are required to do so by law;
4) to protect your vital interests or the vital interests of another person;
5) the processing is necessary for the performance of a task carried out in the public interest (e.g. following a mandatory order from the public authorities concerning preventive measures during an epidemic);
6) our legitimate interests or the legitimate interests of others so require. However, before processing such data, it must be ascertained that those interests are actually so important that they allow us to process your data without your consent.
Purposes of collecting and processing personal data.
The main purpose for which we collect information is to provide you with quality healthcare services.
All other purposes of collecting information follow directly from this main one. To provide a quality service, we collect the data needed so that:
1) you are registered for a service (e.g. a doctor’s appointment),
2) the doctor has all the data to make the right diagnosis and treatment,
3) accurate information is obtained about the progress and results of the treatment prescribed,
4) you are able to pay for the services provided,
5) you are offered effective prevention measures.
Who we disclose your information to
Access to your data will be limited to employees of the Data Controller who are bound by a professional obligation to protect personal data and who have signed a formal confidentiality undertaking.
In our institution:
Customer registration staff (with access to patients’ personal data and laboratory test data in information systems);
Doctors (with access to patient records and electronic health records in information systems);
Nurses (using doctor login credentials);
Information technology staff.
Outside the institution – in Lithuania:
Territorial Health Insurance Funds (if contracted);
the State Social Insurance Fund Board;
Insurance companies (if contracted)
Outside Lithuania.
Data may also be transferred outside Lithuania if you have entered into a contract (e.g. health insurance) with a foreign company and the transfer is necessary for the performance of that contract.
How we protect your data
In order to ensure a level of security equivalent to the level of risk in the processing of data, the Data Controller has implemented appropriate technical and organisational measures in accordance with:
1) ENISA guidelines: https://www.enisa.europa.eu/publications/guidelines-for-smes-on-the-security-of-personal-data-processing
2) good information security practices;
3) VDAI guidelines: https://vdai.lrv.lt/uploads/vdai/documents/files/VDAI_saugumo_priemoniu_gaires-2020-06-18.pdf.
The duration of your data retention is determined by Order No. 515 of the Minister of Health of the Republic of Lithuania of 29 November 1999 “On the procedure for accounting and reporting of the activities of health care institutions”.
At the end of the time limit, the data will be deleted so that it cannot be reproduced.
Your rights
Under the GDPR, you can exercise the following rights:
- the right of access to personal data, i.e. to request information on whether your personal data is being processed and, if your personal data is being processed, to have access to your personal data being processed;
- the right to rectification of personal data, i.e. to request the rectification of your personal data if you find that the personal data we process is incorrect, incomplete or inaccurate;
- the right to erasure of personal data (‘right to be forgotten’), i.e. to request the erasure of your personal data, if permitted by the legislation of the Republic of Lithuania, if you believe that your data is being processed unlawfully or fraudulently;
- the right to restrict the processing of personal data, i.e. to request the restriction (suspension) of the processing of your personal data, except for storage – for example, if you request the correction of your personal data (pending the verification of the accuracy of the personal data and/or their correction), if it is established that the personal data are being processed unlawfully and you do not consent to the deletion of the data, if you have objected to the processing of your personal data, etc.;
- the right to the portability of personal data, i.e. to submit a request to transfer your personal data, if permitted by the legislation of the Republic of Lithuania governing the processing of personal data processed by automated means, to another data controller in a structured and commonly used format;
- the right to object to the processing of personal data, i.e. to object to the processing of personal data where the processing is carried out on the basis of a legitimate interest or public interest;
- the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects for you or similarly significantly affects you;
- the right to withdraw your consent to the processing of personal data at any time.
Ways to exercise your rights and report a personal data breach
If you have any questions, suggestions or preferences, if you wish to withdraw or clarify your consent, or if you no longer wish your personal data to be processed for the purpose of direct marketing, including profiling, you may send an e-mail to info@telesante.lt or send a request by registered mail to D. Riešė, Mėtų g. 2, LT-14261 Vilniaus r. In this way you can object to the processing of your personal data for the purpose of direct marketing and/or to solely automated processing, including profiling, of your personal data. You can object without giving reasons.
The controller shall respond to such a request or instruction and shall carry out or refuse to carry out the actions specified in the request within one month of the request. If necessary, the period may be extended by a further two months, depending on the complexity and number of requests. In this case, the Data Controller shall inform the Data Subject of such extension within one month of receipt of the request, together with the reasons for the delay.
If you disagree with the controller’s decision, you have the right to appeal to the supervisory authority, the State Data Protection Inspectorate – A. Juozapavičiaus g. 6, 09310 Vilnius.
Cookies
A cookie is a small text file that a website places on your computer or mobile device browser when you visit. It allows the website to “remember” your actions and preferences (such as your registration name, language, font size and other display options) for a certain period of time, so that you don’t have to re-enter them each time you visit and navigate the website.
The information collected by cookies allows us to provide you with a better browsing experience and to learn more about your browsing behaviour, analyse trends and improve the site.
You are informed about cookies and give your free consent to allow the Data Controller to store them by clicking the “I agree” button, as follows: when you open our website, a box appears stating: “We use cookies on this website. They help improve the user experience”. If you press the “I agree” button, you agree to the recording of cookies. You have the choice to accept or reject the use of cookies, or to use the active link “cookies”, which will direct you to the information on cookies provided in the Privacy Policy, where you can find information about the cookies used on the website, how to disable them, and the entire Privacy Policy.
Types of cookies used on our website:
Persistent cookies are cookies that remain on your computer for a set period of time after the end of your browsing session, and may therefore record certain of your preferences or actions when you revisit the website;
Session cookies allow you to be recognised during a single visit to a website, so that any changes or choices you make on a page are remembered when you move from one page to another. These cookies allow you to navigate quickly and easily through the pages of the website, so that you don’t have to re-process information each time you visit a new location. Session cookies are temporary and disappear as soon as you close your browser or log out of the website;
Any information collected through cookies is stored until the cookies expire and is not used for purposes other than those set out in this Privacy Policy.
Final provisions
We have the right to change the provisions of this Privacy Policy, in part or in full, by notifying you on the website.