Nova Vita
Privacy Policy for Clients
The secure processing of your personal data is of the utmost importance to us and an essential part of our responsible operating principles. Nova Vita is committed to protecting the rights of patients and to keeping your personal data safe and confidential.
This Privacy Policy contains a description of how We collect, use, store and protect Your data. We are committed to securing a high level of data security, and continuously monitor and update our security measures to keep Your data safe!
1. Data controller
AS Nova Vita Clinic
Tammsaare tee 47, 11316 Tallinn, Estonia
novavita@novavita.ee
(hereafter "We" or "Nova Vita")
2. Data Protection Officer
Advokaadibüroo WIDEN OÜ
privacy@novavita.ee
3. Why do We process Your data and what are the legal bases for such processing?
We process Your data in order to provide the best quality of care for our patients. In addition, We need to process Your data for purposes related to the provision of care (e.g., for billing purposes). In some cases the law obliges us to process Your data. The legal bases for each of these processing purposes are as follows:
- Data processing for provision of care and related tasks. For the purpose of providing the best quality care to You and carrying out related tasks, We process Your data on the basis of law. This includes the provision of care, follow-up care and monitoring, and the tasks related to them. The Estonian Health Services Organisation Act (RT I 2001, 50, 284) allows us to process Your data for the purposes of providing health care services to You and for purposes of carrying out tasks related to the provision of care (e.g., quality management, billing, etc.). We may obtain the necessary data either from You directly, from other health care providers, state or local municipality databases, family members, etc. Please see Section 5 below regarding how We obtain necessary data about You.
It is important to understand that providing quality care to You is conditional on You providing all relevant health-related information to us. Should You withhold any information from Us that could be relevant in the context of providing medical care to You, this may affect the quality of care You receive.
- Processing required by law. In certain cases, the law might require us to process Your data. For example, the law requires us to process donor and recipient data in order to ensure traceability of donors and recipients of gametes and other organs, tissues and cells. If You have further questions about this, please do not hesitate to contact Us.
- Processing for quality management and complaint investigation. Based on art. 6(1)(f) and art. 9(2)(f) GDPR (where there is no relevant legal basis in national legislation), in the pursuit of a legitimate interest to ensure proper quality management at our clinics and to investigate any complaints, our management can access Your data and attend case management discussions and meetings, where and to the extent that this is necessary for quality management and/or investigating any complaints. Our management is subject to a strict obligation of confidentiality and may not disclose Your data to anyone in any form.
- Processing that is necessary for establishing, exercising or defending legal claims. The GDPR allows us to process Your data if this is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. This means that in case of a dispute between You and Us, we may process Your data in order to investigate any complaints and solve any disputes arising from such complaints.
- Processing for statistical or research purposes. Your data might need to be processed for statistical purposes, or be valuable for research purposes in order to contribute to scientific progress in the medical field. To this end, the Estonian Data Protection Act allows us to process Your data for scientific research or statistical purposes.
- Any other processing activity. If the processing of Your data should be necessary for any purposes not described above, and where such processing is not mandated or required by law, such processing will be subject to Your prior informed consent as established under the GDPR. In this case, You will be asked for consent prior to the commencement of such processing, and You can decide whether to give consent or not. Consent is voluntary, and can be withdrawn at any time. For example, We may ask for Your consent to ask for information on family medical history from Your family members that might be relevant or necessary in providing the services to You. It is entirely Your choice whether You want to give such consent or not.
4. What data do We process?
We only process Your data to the extent necessary for the purposes explained above in Section 3 of this policy. For these purposes, we need to process the following data:
- Information necessary for identification and contacting You, such as Your name, date of birth, identification number, home address, contact information, information on Your next of kin (where this is necessary).
- Data concerning a possible partner and/or marital status, which is necessary in the context of fertility treatments.
- Health-related data obtained for or during the provision of health care services or tasks related to it. This includes all and any data that is necessary for the provision of care and tasks related to it, such as medical history, relevant information provided by You, results of analyses and medical imaging (e.g., ultrasonography images), data recorded by psychologists and psychotherapists (to which only the relevant specialist in question has access, unless otherwise agreed upon with the patient), data about egg and sperm quantity and quality, pregnancies, miscarriages, terminations, childbirth, health status of children born, etc.
5. From where do We receive data?
The data we process about You, we receive either directly from You or from third parties:
- We collect data from the patient, from other health care providers and from the national Health Information System (digilugu.ee) and, with the patient’s consent, from family members of the patient.
- Data about the patient’s health is also obtained during the examinations, treatments and analyses carried out at our clinic.
6. To whom do We disclose Your data?
All of our staff and employees, including management, are subject to an obligation of confidentiality. This means that we cannot disclose Your information to third parties outside of our clinic unless this is required or mandated by law, or where You have given explicit consent for Your data to be shared, or where You have requested for Your data to be transferred to another party.
The Health Services Organisation Act requires us to submit to the Estonian Health Information System data concerning the health services provided to patients and for management of health care, including for maintaining registers concerning the state of health established on the basis of law. The joint data controllers for the Health Information System are the Ministry of Social Affairs and the Estonian Health Insurance Fund. Patients can access their data in the Health Information System via the Patient Portal (www.digilugu.ee).
In case You wish for Your gametes or embryos to be transferred to a clinic outside of Estonia/Finland, we concurrently have to submit Your data to the receiving clinic.
In case of disputes related to the provision or quality of care, we may share Your data with legal advisors where this is necessary for the establishment, exercise or defence of legal claims, but only to the extent strictly necessary.
We may outsource book-keeping, invoicing and debt collection services, in which case Your billing data may be shared with such service providers.
We may outsource laboratory services (e.g., for blood or genetic tests), in which case Your name and/or social security/personal ID number is sent to the laboratory with the biosample to be analysed.
All providers of outsourced services are subject to a strict confidentiality obligation and may only process Your data to the extent and for as long as is necessary to provide the services outsourced to them.
Certain third parties to whom we transfer patients’ personal data are independent data controllers under the GDPR (General Data Protection Regulation). For example, these parties include companies providing laboratory services, such as IVF Riga Ltd. (code 40103352569; located in Latvia; https://ivfriga.lv/en/), GENNET, s.r.o. (code 270 80 234; located in the Czech Republic; https://www.gennet.cz/en/), and Ovumia Oy (code FI23202940; located in Finland; https://ovumia.fi/en/). The processing of personal data by these companies is subject to their own data protection terms, which we recommend reviewing on their websites or by contacting them.
As a general rule, we do not transfer personal data outside the European Economic Area. However, in one instance, we transfer personal data to the United Kingdom. The European Commission has adopted a decision allowing the transfer of personal data to the United Kingdom, confirming it complies with GDPR requirements.
7. Cookies
We utilise cookies and other techniques on our website for studying the demographic reachability of our services and for the statistical monitoring of our visitor numbers. We may also use data collected using cookies and other techniques in order to direct contents to our customers. Cookies and other techniques are used to analyse and further develop our services to ensure that we serve our customers as well as possible. Cookies are also used to improve the user experience; for example, cookies store data about the services and settings the customer used on a previous visit.
You can choose in Your Internet browser’s settings whether you accept the use of cookies. If you do not accept the use of cookies, You will still be able to use our website and some of its services, but this choice may considerably limit the functionality of the website and services.
We use the Google Analytics Display Advertising programme. This is why the users of our website may come across our advertising outside of our website.
With our consent, Google may use first-party cookies (such as those of Google Analytics), which contain anonymous identifier data, together with third-party cookies (such as the DoubleClick cookie) in order to convey and optimise data and show advertisements based on the fact that the customer has visited our website.
We never disclose the personal data of our customers/website visitors to external advertising networks.
You can, at any time, remove the advertisements of the Google Analytics Display Advertising or the tailored advertisements of the Google Display Network, by using the control tool for advertisement selection. If You wish, You can also prevent the use of the Google Analytics measuring tool by installing an add-on in Your Internet browser.
Our website and services have links and connections to third-party websites and social extensions (such as the Facebook community add-on). The add-ons on our website, which are maintained by third parties, are downloaded from these services’ own servers.
It is important to note that if you click on any link on our website that directs you from our website to a third party’s website, we do not have control over such third party websites and are not liable for the third party’s actions even if a connection exists between the two websites. Before you proceed to a third party website from our website, we recommend you familiarise yourself with that particular website’s privacy policy before sharing any data.
8. How do We protect the data and how long do We store it?
All our staff and employees, and others performing their duties on our premises or on our behalf are subject to an obligation of confidentiality and may not disclose any of Your data. This duty of confidentiality remains in force after termination of the employment or service relationship.
The protection of personal data and confidentiality is at the core of our business. We use appropriate technical, organisational and administrative safety measures to protect all the data in our possession from being lost, abused, used illicitly, disclosed, altered or destroyed.
Our staff access the company’s computers via a personal user identifier and password. Our top management decides which employees should have access to patient data and provides access only to the extent that their duties require it. Only those of our employees who, in the course of their work, are required to process patient data are entitled to use a system containing personal data and special categories of personal data. Each user has a personal username and password to the system; in other words, access to personal data or special categories of personal data is granted on the basis of a role-based authorisation concept.
The company’s computers are located on our premises in locked rooms, to which only the company’s staff and authorized persons have access.
Hardcopies containing patient data are stored on our premises in locked rooms, and only our staff and authorized persons have access to these.
We store Your data as long as it is necessary for the purpose of processing the data and only within the time limits of the applicable laws and regulations.
We regularly estimate the need for data storage, taking into account the applicable legislation. In addition, we aim to ensure that no incompatible, outdated or inaccurate personal data is stored in our filing system, taking into account the purpose of the processing. We correct or erase such data without delay.
9. What are Your rights as a data subject?
As a data subject, you have the following rights under the GDPR:
- You have the right to obtain information about the processing of Your data (arts. 13 and 14 GDPR). This policy aims to provide You with all necessary information about the processing of Your personal data by Us, but You are always welcome to contact Us with further inquiries regarding the processing of Your data by e-mailing our DPO at privacy@novavita.ee.
- You have the right to obtain confirmation from Us about whether Your data is being processed and to receive a copy of the personal data undergoing processing (art. 15 GDPR).
- You have the right to request from Us rectification of inaccurate personal data concerning You (art. 16 GDPR).
- You have the right to request Us to erase Your personal data processed by Us, if any of the grounds in art. 17(1) GDPR arise.
- You have the right to request Us to restrict processing activities regarding Your personal data if any of the grounds in art. 18(1) GDPR arise.
- You have the right to data portability (art. 20 GDPR).
- You have the right to object to the processing of Your personal data on grounds relating to Your particular situation if the processing is based on legitimate interests pursued by Us (i.e., on the basis of art. 6(1)(f) GDPR).
- You have the right to withdraw consent at any time, if processing is based on consent (art. 7(3) GDPR).
NB: Please note that none of the rights listed above are absolute. This means that there are exceptions and derogations that might apply in certain circumstances where processing of Your data is necessary for certain purposes. Such exceptions and derogations are stipulated in the GDPR. For example, We will not delete Your data if the law requires Us to store or otherwise process it (art. 17(3)(b)), or if this data is necessary for establishing, exercising or defending legal claims (art. 17(3)(e) GDPR).
If You have any questions about Your rights as a data subject, please contact Us or the supervisory authority in Estonia/Finland (contacts listed below).
If You believe there to be a breach of Your rights, please contact Us immediately. You always have the right to bring a claim to court or to submit a complaint to the supervisory authority about any possible breaches of Your data protection rights.
Contacts of the supervisory authority:
Estonian Data Protection Inspectorate
E-mail address: info@aki.ee
Website: https://www.aki.ee/et
Phone: (+372) 627 4135
Address: Tatari 39, Tallinn 10134
10. Who can You contact with questions about the Privacy Policy?
All questions and concerns regarding the Privacy Policy can be directed to our DPO service provider listed in Section 2 of this policy (privacy@novavita.ee).
11. Changes to the Privacy Policy
Should we make amendments to this Privacy Policy, we will make the amended policy available on our website, with an indication of the amendment date. If the amendments are significant, we may also inform You about this by other means, for example by email or by placing a bulletin on our website. We recommend that You review the Privacy Policy and the principles herein from time to time to ensure You are aware of any amendments made.
Sincerely,
Management of Nova Vita
Last updated: 06.11.2024