The secure processing of your personal data is of the utmost importance to us and an essential part of our responsible operating principles. Nova Vita is committed to protecting the rights of patients and to keeping your personal data safe and confidential.
Aktsiaselts Nova Vita Kliinik
A.H. Tammsaare tee 47, Tallinn 11316
(hereafter ”We” or ”Nova Vita”)
2. Data Protection Officer (DPO)
WHTPR L&C OÜ
3. What is the legal basis for and purpose of the processing of personal data?
We process Your data in order to provide the best quality of care for our patients. In addition, We need to process Your data for purposes related to the provision of care (e.g., for billing purposes). In some cases the law obliges us to process Your data. The legal basis for each of these processing purposes is as follows:
Data processing for provision of care and related tasks. For the purpose of providing the best quality care to You and carrying out related tasks, We process Your data on the basis of law. This includes both the provision of care, follow-up care and monitoring, and tasks related to it. The Estonian Health Services Organization Act (RT I 2001, 50, 284) allows us to process Your data for the purposes of providing health care services to You and for purposes of carrying out tasks related to the provision of care (e.g., quality management, billing, etc.). We may obtain the necessary data either from You directly, from other health care providers, state or local municipality databases, family members, etc. Please see Section 5 below regarding how We obtain necessary data about You.
It is important to understand that providing quality care to You is conditional on You providing all relevant health-related information to us. Should You withhold any information from Us that could be relevant in the context of providing medical care to You, this may affect the quality of care You receive.
Processing required by law. In certain cases, the law might require us to process Your data. For example, the law requires us to process donor and recipient data in order to ensure traceability of donors and recipients of gametes and other organs, tissues and cells. If You have further questions about this, please do not hesitate to contact Us.
Processing for quality management and complaint investigation. Based on art. 6(1)(f) and art. 9(2)(f) GDPR (where there is no relevant legal basis in national legislation), in the pursuit of a legitimate interest to ensure proper quality management at our clinics and to investigate any complaints, our management can access Your data and attend case management discussions and meetings, where and to the extent that this is necessary for quality management and/or investigating any complaints. Our management is subject to a strict obligation of confidentiality and may not disclose Your data to anyone in any form.
Processing that is necessary for establishing, exercising or defending legal claims. The GDPR allows us to process Your data if this is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity. This means that in case of a dispute between You and Us, we may process Your data in order to investigate any complaints and solve any disputes arising from such complaints.
Processing for statistical or research purposes. Your data might need to be processed for statistical purposes, or be valuable for research purposes in order to contribute to scientific progress in the medical field. To this end, the Estonian Data Protection Act allows us to process Your data for scientific research or statistical purposes.
Any other processing activity. If the processing of Your data should be necessary for any purposes not described above, and where such processing is not mandated or required by law, such processing will be subject to Your prior informed consent as established under the GDPR. In this case, You will be asked for consent prior to the commencement of such processing, and You can decide whether to give consent or not. Consent is voluntary, and can be withdrawn at any time. For example, We may ask for Your consent to ask for information on family medical history from Your family members that might be relevant or necessary in providing the services to You. It is entirely Your choice, whether You want to give such consent or not.
4. What data do we process?
We may process, depending on the health care service provided, the following personal data of our customers and other data subjects (for example gamete donors) in connection with our services:
- Basic information of the data subject* such as name, date of birth, age, identification number, profession, marital status, spouse's/partner's name, gender, mother tongue, nationality;
- Contact information of the data subject* such as e-mail address, phone number, postal address;
- Medical history of the data subject such as chronic diseases, current medications, psychological health, allergies, height, weight, previous treatments;
- Habits such as the number of portions of alcohol consumed per week, smoking habits, use of drugs;
- Information on the customer relationship and the contract such as past and current contracts and orders (fertility preservation, embryo storage), correspondence with the client, other information on the customer relationship.
(*) Providing the personal data marked with an asterisk is a requirement for our contractual and/or customer relationship. Without the necessary information we are not able to provide the service.
5. From where do we receive data?
We receive information primarily from the following sources, e.g. from the data subject, from other healthcare professionals, and from the Health Information System (www.digilugu.ee).
6. To whom do we disclose data and do we transfer data outside of EU or EEA?
We process information ourselves and use subcontractors that process personal data on behalf of and for us (for example, we have outsourced the IT management to an external service provider, on whose server the data is stored; the server is protected and managed by the external service provider).
Depending on the service provided we may disclose personal data to third parties only within the limits of the applicable laws and regulations.
In general we do not disclose personal data outside of EU/EEA. Only in exceptional cases may the data subject's personal data be disclosed outside of EU/EEA (for example, if the data subject is interested in exporting germ cells or embryos, disclosure of the data subject's personal data to the host clinic is needed).
In case such processing takes place, we ensure that the EU Commission standard contractual clauses 2010/87/EU concerning the transfer of Personal Data outside the EU/EEA, or a similar legal safeguard approved by the EU regulation (2016/679), will apply to such transfer or processing.
We utilize cookies and other techniques on our website for studying the demographic reachability of our services and for the statistical monitoring of our visitor numbers. We may also use data collected using cookies and other techniques in order to direct contents to our customers. Cookies and other techniques are used to analyse and further develop our services to ensure that we serve our customers as well as possible. Cookies are also used to improve the user experience; for example, cookies store data about the services and settings the customer used on a previous visit.
We use the Google Analytics Display Advertising program. This is why the users of our website may come across our advertising outside of our website.
With our consent, Google may use first-party cookies (such as those of Google Analytics), which contain anonymous identifier data, together with third-party cookies (such as the DoubleClick cookie) in order to convey and optimize data and show advertisements based on the fact that the customer has visited our website.
We never disclose the personal data of our customers/website visitors to external advertising networks.
You can, at any time, remove the advertisements of the Google Analytics Display Advertising or the tailored advertisements of the Google Display Network, by using the control tool for advertisement selection. If You wish, You can also prevent the use of the Google Analytics measuring tool by installing an add-on in Your Internet browser.
Our website and services have links and connections to third-party websites and social extensions (such as the Facebook community add-on). The add-ons on our website, which are maintained by third parties, are downloaded from these services’ own servers.
8. How do we protect the data and how long do we store them?
Nova Vita will keep confidential data subjects' personal data, including state of health and private life, which has become known to Nova Vita during the provision of the health care service.
Only those of our employees who, by virtue of their work, are entitled to process customer data are entitled to use data processing systems containing personal data. Each user has a personal username and password to the system, i.e. access to personal data is granted on the basis of a role-based authorization concept.
The information is collected into databases that are protected by firewalls, passwords and other technical measures.
The databases and the backup copies of them are in locked premises and can be accessed only by certain pre-designated persons.
We store the data as long as it is necessary for the purpose of processing the data and only within the time limits of the applicable laws and regulations.
We regularly assess the need for data storage, taking into account the applicable legislation. In addition, we take reasonable steps to ensure that no incompatible, outdated or inaccurate personal data is stored in the register, taking into account the purpose of the processing. We correct or erase such data without delay.
9. What are your rights as a data subject?
As a data subject you have a right to inspect the personal data concerning yourself, which is stored in the register, and a right to require rectification or erasure of the data. You also have a right to withdraw or change your consent and a right to data portability.
As a data subject, you have a right, according to the EU's General Data Protection Regulation (2016/679), to object to processing or request restriction of the processing, and to lodge a complaint with a supervisory authority responsible for processing personal data.
For specific personal reasons, you also have a right to object to profiling and other processing concerning you, when processing the data is based on the customer relationship. In connection with your claim, you should identify the specific situation on the basis of which you object to the processing. We can refuse to act on such a request on the basis of the law.
10. Who can you be in contact with?
Management of Nova Vita