Privacy Notice for Patients

1.  Introduction

This privacy notice aims to inform you about how DR. CONSTANTINOS GEORGALLAS M.D. (referred to as “the Practice”, “we”, “us” or “our” in this privacy notice) processes your personal data, and tells you about your privacy rights under data protection laws.

2.  Data Controller

For the purposes of EU data protection laws, we are the ‘controller’ of the personal data we collect about you. This means that we are responsible to you with regard to how we hold and use your personal information. Under data protection laws, we are required to notify you of all of the information contained within this privacy notice.

Please send any questions relating to our privacy practices and to this policy to the following address, or call the following number.

Address: 25th March 25, Lentia Court 4, Apt 001, Ground floor, P.C. 1087, Nicosia, Cyprus

Telephone: +357 22 20 33 11

3.  How do we collect your personal information?

Our practice may collect your personal information in several different ways.

  • When you make your first appointment our practice staff will collect your personal and demographic information through your registration form.
  • During the course of providing medical services, we collect further personal information.
  • We may also collect your personal information when you send us an email, telephone us, or make an online appointment.

4.  What information do we collect about you?

Your basic details, including your name, address, date of birth, landline number, mobile number, email address and next of kin.

We may also collect sensitive confidential data known as “special category personal data”, such as ethnicity, race, genetics, sexual orientation and medical history. Your medical history includes all contact that we have had with you, such as reports about your health, treatments and care you have had or need, records of clinic visits, test results (such as x-rays, scans and laboratory tests), details of any procedures or treatments you’ve had, any relevant information from other health professionals or those caring for you, and information about any medications we have prescribed to you, including any allergies or other relevant medication information.

5.  Why do we collect this personal information?

  • In order to provide your healthcare professionals with current and accurate information so that they can accurately assess your medical needs and make decisions about your treatment and on-going care.
  • To record the details of our contact with you so that we can avoid duplication of assessments and provide consistent care.
  • To ensure that all care provided is effective and safe.
  • In order to accurately investigate any complaints or concerns.

6.  What is the legal basis for us to process your personal data?

In order for our processing of your personal data to be lawful under the GDPR, we are obliged to identify the lawful basis before processing personal data. This obligation requires us to satisfy certain conditions under Article 6 and, when special category data is processed, also under Article 9. For the purposes of this privacy notice, the following conditions under Article 6 for lawful processing apply: Article 6(1)(e), “for the performance of a task carried out in the public interest or in the exercise of official authority”, and Article 6(1)(b), “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

There may be certain occasions on which the consent of the person whose data is processed provides the legal basis for the processing of their personal data: Article 6(1)(a), consent of the data subject.

For any necessary processing of special categories of data, e.g. the processing of any health data for medical purposes, the following condition under Article 9 applies: Article 9(2)(h), “processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional”.

7.  Your rights under GDPR

The right to be informed

You have the right to be informed, in a clear and transparent manner, of how we collect, use, store and share your information. We are required to inform you of the name and contact details of our organisation, which you can find at the top of this document. You have the right to be informed of all the ways in which we collect and use your personal data, and we are obliged to provide this information in a clear and concise manner.

The right to access all of the information that we hold about you

You have the right to confirm that we are processing your data, and you have the right to view this information. This is known as a Subject Access Request; you are not required to use this term when you request your personal information from us. You also have the right to request a copy of the personal data that we have processed about you.

We are required to identify you using reasonable means before beginning the process of collating your personal information. Once we have identified you, we are further required to reply to any requests for your personal information within 30 days, unless we have deemed the request to be complex or repetitive, in which case we will notify you that we may take up to an additional two months to provide you with the personal information that you have requested.

We will generally not charge you if you have requested information from us. However, if the request is repetitive, we will charge a reasonable fee. We ask that you contact us to discuss this fee before requesting another copy of information that we’ve provided previously.

If your request is deemed to be excessive or manifestly unfounded, particularly if the request becomes repetitive, we may decide to:

  • Charge a reasonable fee based on the administrative costs of providing the information; or
  • Refuse to respond.

If we refuse to respond to a request, we will explain why, and we will inform you of your right to complain to the Data Protection Authority, within one month of our refusal.

The right to rectification under specific circumstances

You have the right to request that we rectify your personal information. We will only consider these requests if the information is factual. Clinical opinions will not be changed, since they were the opinion of the clinician at the time they were recorded. If a diagnosis or clinical opinion changes, your personal information will be updated, but the original opinion will remain on record.

The right to erasure

You have the right under the GDPR to request that your data be erased. It is quite unlikely that such a request will be approved in a healthcare setting, because the removal or deletion of health information poses risks that may seriously harm or endanger a patient. In some circumstances, a patient’s records may become a legal document, in which case we have a legal obligation to retain all documentation.

The right to restriction

You have the right to restriction, which allows you in some circumstances to control how we use your personal information. If you request that processing be restricted, we are only permitted to store your personal information, not use it, until we reach an agreement with you that allows further processing. We may retain enough of your information to ensure that we can continue to respect your request for restriction in the future. The circumstances in which you can restrict our processing are as follows:

  • If you question the accuracy of your personal information, we will stop using it until we are able to confirm its accuracy.
  • If you object to any processing which is necessary for us to perform our tasks in the public interest or for the purpose of legitimate interests, we will restrict our processing while we consider whether our legitimate grounds for using your information override your individual interests, rights and freedoms.
  • If our use of your personal information is found to be unlawful, and you ask for restriction instead of full erasure, we will restrict our processing.
  • If we no longer need your personal information but you need it to establish, exercise or defend a legal claim, we will restrict our processing.
  • When we restrict our processing, we will inform any individuals or organisations with whom we have shared your personal information, provided that this is possible and does not involve an unreasonable amount of effort.

The right to data portability

You have the right to data portability, which allows individuals to obtain their personal information and re-use it for their own purposes across different services. You have the right to be able to safely and securely move, copy or transfer personal information easily between IT environments.

The right to data portability applies only if the individual has submitted their personal information to us directly, through electronic means. In most circumstances, the right to data portability won’t apply.

The right to object to processing

You have the right to object to our processing of your personal information if our data processing activity is a necessary part of tasks carried out in connection with our lawful, official duties, those of a third party, or tasks that are carried out in the public interest. The only instances in which we can refuse to comply with such a request are when we can show an overriding legal reason, or when we are required to process personal information in relation to a legal claim.

You also have a separate right to object to processing if the data will be used for direct marketing purposes. We do not use your personal information for any direct marketing purposes, but if we were to do so, we would inform you. This right includes the specific right to object to research uses of your data, except in the case of research carried out in the public interest.

The right not to be subjected to automated decision-making including profiling

You have the right to object to any use of your data where decisions are made by an automated system, without human involvement, including any profiling.

We do not use wholly automated means to make any decision about you.

Further information about your data protection rights can be found on the Commissioner’s Office website for Personal Data Protection in Cyprus: https://www.dataprotection.gov.cy.

8.  How long do we keep your data?

We retain your personal data only as long as necessary in order to fulfil the purposes for which we collected it, including satisfying any legal requirements or mandatory reporting.

We determine the appropriate period for retaining your personal information by considering the nature and sensitivity of your personal data, the amount of data that we hold, the potential risk of harm from any unauthorised use or disclosure of your information, the purposes for which we have processed your personal information, whether it is possible to achieve those purposes through other means, and any applicable legal requirements for retention or use.

9.  Further processing

If at any time we wish to use your personal information for any purpose that is not covered by this Privacy Notice, we will provide you with a new notice that explains the new use before we process your data for the new use. The new notice will provide you with information about all of the relevant purposes and processing conditions.

10.  How do we protect your personal information?

We are fully committed to protecting your privacy. We only use information obtained lawfully. Every member of staff working for us is legally obligated to maintain the confidentiality of your information. We uphold this duty of confidentiality by conducting training and awareness sessions annually. We ensure that access to personal data is limited to the appropriate staff. Personal information is only shared with individuals or organisations that have a legitimate legal basis for access. We never sell any personal data for any purpose. Any sensitive personal information that we collect, such as medical records, is never used for marketing purposes. Access to sensitive data is additionally restricted.

11.  Disclosure

We keep all of your personal information secure. Only staff who are involved with your treatment will have access to your patient records. Our administration team does have access to your contact details in order to manage your account and make appointments for you.

We will not disclose your personal information to any third party unless we are compelled to do so in order to meet legal obligations or comply with regulations. The Practice may enforce its Terms and Conditions, which includes investigating any potential violation of those Terms and Conditions, in order to detect, prevent or mitigate security issues, technical issues or fraud, or to protect the rights, safety and property of its staff from imminent harm.

12.  Changes to our privacy policy

This page will be updated with any changes we may make to our privacy policy in the future. We will also notify you of changes via email. Please check back with us for any updates or changes to this privacy policy.

13.  Complaints

If for any reason you are unhappy or unsatisfied with the way we’ve handled your personal data, or if you have any query or request regarding your privacy, please contact us at info@drgeorgallas.com. Additionally, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus. For further details, visit https://www.dataprotection.gov.cy and select ‘Lodge a complaint’.