"SmartFeet RIX SIA PERSONAL DATA PRIVACY POLICY at the Clinic

INFORMATION AND CONTACT DETAILS OF THE CONTROLLER

[1] The controller of personal data processing is "SmartFeet RIX" SIA and the medical institution "Podology Academy" (hereinafter - the Academy), single registration No. 40203307684, registered office at Vasarnīcu iela 1b dz.3, Saulkrasti, LV-2160, medical institution code: 001000023

[2] Contact details for matters related to the processing of personal data are:

a.    In the form of a correspondence: 50 Skanstes Street, Riga, LV-1013

b.    By phone: +371 25747979

c.    E-mail: [email protected]

GENERAL INFORMATION

[3] The purpose of this Privacy Policy is to provide the natural person - the Data Subject - with information about the purpose, legal basis, scope, protection and duration of the processing of personal data at the time of collection and processing of the Data Subject's personal data.

[4] The Privacy Policy applies to ensure the privacy and protection of personal data relating to:

a.    Natural persons - clients (patients) of the Academy, (including potential, former and current);

b.    visitors to the Academy, including those subject to CCTV;

c.    Visitors to the Academy's website.

[5] The Privacy Policy applies to data processing regardless of the form or medium in which the Customer provides personal data (in person, on the Academy's website, in paper format or by telephone).

[6] The Academy cares about the privacy and protection of personal data of Patients and respects the rights of Clients to the lawfulness of the processing of personal data in accordance with the applicable legislation - Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter - the Regulation), the Personal Data Processing Act, the Patients' Rights Act and other applicable legislation in the area of privacy and data processing.

[7] In its activities, the Academy:

a.    Protect the Data Subject's personal data by implementing administrative, technical and physical security measures to the extent proportionate to the risks involved;

b. inform and explain what personal data is necessary to receive the services and how it will be used;

c. the transfer of data to third parties shall be carried out in compliance with the applicable legal framework;

d. implement measures to regularly train and inform its employees on the protection of personal data in order to reduce the likelihood of incidents occurring;

e. implement internal control procedures capable of reducing the likelihood and consequences of security incidents.

PURPOSES AND LEGAL BASIS FOR PROCESSING PERSONAL DATA

[8] The Academy processes personal data for the following purposes:

a.    For the provision and administration of healthcare services:

i.    patient identification;

ii. for the purpose of making an appointment for the patient with the Academy's specialists;

iii. for the preparation of the patient's medical records in accordance with the requirements laid down in the regulatory enactments;

iv.    reminding patients of their scheduled appointment with the specialists of the Academy;

v.    for medical examinations;

vi.    for medical consultations and medical manipulations;

vii. to assess the health of patients or other natural persons;

viii. administering billing;

ix. the recovery of debts from debtors

x. handling patient complaints and quality control;

xi.    promotion of patient loyalty, measurement of satisfaction;

xii. preparation and conclusion of the contract with patients;

xiii. website maintenance and performance improvement;

b. scientific activities relating to clinical trials;

c. the provision of information to public administration authorities and subjects of operational activity in the cases and to the extent provided for in external regulatory enactments.

d. for the protection of the safety and property of patients, employees of the Academy;

e. for entering information into the National Unified Medical Information System (E-Health).

[9] The Academy processes patients' personal data on the following legal basis:

a.    For the purpose of establishing a medical diagnosis for the purposes of treatment (Article 9, second paragraph, point h) of the Regulation);

b. with the consent of the data subject (patient) (Article 9(2)(a) of the Regulation, Article 10(2) of the Patients' Rights Act);

c. for the enforcement of laws and regulations - to comply with the obligations imposed on the Academy by external laws and regulations or the rights of the data subject under external laws and regulations (Article 9(2)(b) of the Regulation, Article 10 of the Patients' Rights Act);

d. where processing is necessary for the exercise or defence of the legitimate interests of the College before a court (Article 9, second paragraph, point (f) of the Regulation);

e. where processing is necessary for the purposes of the legitimate interests of the College (to organise an efficient process for the provision of healthcare services, to ensure an efficient process for requesting and cancelling patient appointments, to obtain payment for healthcare services provided);

f. where processing is necessary for the performance of a contract with the data subject (patient) or for taking measures at the request of the data subject prior to entering into a contract (Article 6, first paragraph, point (b) of the Regulation);

g. where processing is necessary to protect the vital interests of the data subject (patient) or of another natural person (Article 6, first paragraph, point (d) of the Regulation)

THE AMOUNT OF INFORMATION THAT IS ACCUMULATED

[10] In its core business, the Academy primarily obtains from the Data Subject the basic information necessary for the unambiguous identification of the person concerned for the provision of treatment services and communication:

a.    Name

b.    Surname

c.    Identity number (identification number)

d.    Address

e.    Telephone number and/or e-mail address

[11] As part of the provision of the Services, the Academy may obtain additional information from the Data Subject and from other third parties, primarily including, but not limited to, referral information, information about previous treatment episodes, information obtained as part of a particular treatment episode.
[12] The specific amount of information depends on the specific nature of the service to be provided and the applicable laws and regulations governing the conditions under which the service is provided.
[13] The Academy is aware that in providing its services it processes health data which are considered to be special categories of personal data in the context of the Regulation.

PROCESSING AND PROTECTION OF PERSONAL DATA

[14] The Academy processes Patient Data using modern technology, taking into account the privacy risks and the organisational, financial and technical resources available to the Clinic.

[15] The Academy continuously improves and supplements the technical solutions at its disposal, taking into account current industry trends and the opportunities offered, based on the risks identified.

CONDITIONS FOR USE AND RELEASE OF DATA

[16] The personal data held by the Academy and collected in the course of the provision of services is used:

a.    For the purposes of the Academy's activities and as far as it is necessary for the provision of the best possible quality of service;

b. for the purpose of cooperation with other third parties, for the realisation of the patient's treatment process.

[17] The Academy, when cooperating with third parties with regard to the acquisition and transfer of the necessary data, shall carry out its activities only in accordance with the laws and regulations governing the possibilities of the Academy with regard to the implementation of personal data exchange activities.

[18] The Academy shall implement measures to minimise the processing of personal data relating to its employees in its day-to-day work, by ensuring that employees have access only to the patient data they need for the performance of their duties.

[19] The Academy shall ensure that personal data in its possession is only provided to the Data Subject. Data shall only be disclosed to third parties, including persons related to the Data Subject, if the Data Subject's written consent has been obtained or if there is a case under the laws and regulations where such disclosure is permitted.

[20] The Academy shall not transfer data where it cannot verify the identity of the Data Subject or suspects that the identity presented by the Data Subject does not correspond to his or her true identity.

[21] In cases where the transmission of data is carried out via email communication, the Academy shall ensure that such action is carried out only after obtaining the Data Subject's consent.

[22] When data is transmitted using email communication facilities or other online data exchange solutions, including self-service information system platforms, the Academy shall implement measures to protect the relevant data by applying data access protection or encryption methods.

[23] The Academy transfers Personal Data to third parties, ensuring that such third parties maintain the confidentiality of the Personal Data and provide appropriate protection.

[24] The Academy is entitled to transfer Personal Data to the Academy's service providers who assist the Academy in the performance of its functions. In this case, the principle of data minimisation shall be respected.

In the case referred to in paragraph [25] [24], the Academy's service providers who receive and process the Personal Data shall be considered as data processors within the meaning of the Regulation and shall enter into a written contract with them, which shall stipulate that the Academy requires from the data recipients an undertaking to use the information received only for the purposes for which the data were transferred and in accordance with the requirements of the applicable laws and regulations on data processing and data protection.

[26] The Academy transfers data to third countries (countries located outside the European Union and the European Economic Area) only in cases where the written consent of the Data Subject has been received.

DURATION OF PERSONAL DATA STORAGE

[27] The Academy stores and processes Clients' personal data as long as at least one of the following criteria exists:

a. while the obligations arising from the contract concluded between the Academy and the Client are fulfilled or the Client is provided with a health care service;

b. as long as the Academy has the obligation to store the relevant data defined in the regulatory acts;

c. while the Client's request/submission is fully considered and/or fulfilled;

d. while the Academy's consent to the relevant personal data processing is valid, if there is no other legal basis for data processing;

e. Personal data obtained through video surveillance (video recordings) are stored for no longer than 30 days from the date of their collection.

[28] Upon the occurrence of conditions that determine that further storage of the Customer's data is no longer necessary, the Customer's personal data is deleted.

ACCESS TO PERSONAL DATA AND OTHER CUSTOMER RIGHTS

[29] The Academy ensures the patient's right to receive the information specified in the regulatory acts in connection with the processing of his data.

[30] In accordance with the laws and regulations, the Client also has the right to request the Clinic to access his personal data, as well as to request the Academy to supplement, correct or delete it, or limit the processing in relation to the Client, or the right to object to the processing, as well as the right to data portability. These rights are enforceable insofar as the data processing does not result from the Academy's obligations imposed on it by the current regulatory enactments.

[31] The customer can submit a request for the exercise of his rights:

a. in written form in person at the Academy, presenting an identity document;

b. in the form of electronic mail by signing a letter with a secure electronic signature and sending it to the e-mail address: [email protected]

c. by sending a letter to the Academy by post.

[32] Upon receiving the Client's request for the exercise of his rights, the Academy verifies the Client's identity, evaluates the request and fulfills it in accordance with the regulatory enactments.

[33] The Academy provides an answer to the Client in the shortest possible time, taking into account the method of receiving the answer indicated by the Client.

[34] If the reply is sent by post, it is addressed to the data subject (the person whose personal data is requested) by registered letter. If the answer is given electronically, it is signed with a secure electronic signature (if the submission has been submitted with a secure electronic signature).

[35] The Academy ensures the fulfillment of data processing and protection requirements in accordance with regulatory enactments and, in the event of objections from the Client, takes appropriate actions to resolve the objection. However, if this fails, the Client has the right to apply to the supervisory authority - the Data State Inspectorate.

[36] The client has the right to receive one free copy of his personal data processed by the Academy.

[37] The receipt and/or use of the information referred to in point [36] of this document may be restricted in order to prevent adverse effects on the rights and freedoms of other persons (including Academy employees).

[38] The Academy undertakes to ensure the correctness of Personal Data and relies on its Customers, suppliers and other third parties who transfer Personal Data to ensure the completeness and correctness of the transferred Personal Data.

CUSTOMER'S CONSENT TO DATA PROCESSING AND THE RIGHT TO WITHDRAW IT

[39] The client gives consent to the processing of personal data, the legal basis of which is consent, in writing in person at the Academy, by sending it in paper format using postal services, or by sending it in the form of an e-mail signed with a secure electronic signature.

[40] The customer has the right at any time to withdraw the consent given for data processing in the same way as it was given and in such case further data processing based on the previously given consent for the specific purpose will not be carried out in the future.

[41] Withdrawal of consent does not affect data processing carried out at the time when the Client's consent was valid.

[42] By withdrawing the consent, the processing of data, which is carried out on the basis of other legal bases (for example, according to external regulatory acts or the contract concluded between the Academy and the Client), cannot be stopped.

HOME PAGE VISITS AND COOKIE PROCESSING

[43] The Academy website may use cookies.

[44] Cookies are files that websites place on users' computers in order to recognize the user and facilitate their use of the website. Internet browsers can be configured to warn the visitor about the use of cookies and allow the visitor to choose whether or not to accept them. Not accepting cookies will not prohibit the visitor from using the website of the Academy Internet, but it may limit the visitor's possibilities of using the website.

[45] The Academy's website may include links to third-party websites that have their own terms of use and personal data protection, for which the Academy is not responsible.

CHANGES TO THE PRIVACY POLICY

[46] The Academy reserves the right to make changes to its Privacy Policy if certain circumstances change that affect the regulation of personal data processing. The Academy recommends visiting this section regularly to find out the current information.

[47] The Academy keeps the previous editions of the Privacy Policy and they are available on the Academy's website.