GDPR Affidea Patient Portal


Data Privacy Notice for Patients

 

 

Affidea is a medical services provider with high ethical standards. “Affidea” (“we” or “us” or “our”) refers to the legal entities in the Republic of Croatia which are a part of the international company Affidea Diagnostics B.V. as follows:

· Poliklinika Maja i Krešimir Čavka, Jordanovac 99, Zagreb, OIB: 7184499541515

· Poliklinika Sveti Rok M.D., Vukovarska 284, Zagreb, OIB: 28842147765

· Poliklinika Eljuga, Bukovačka cesta 121, Zagreb, OIB: 75638154676

· Poliklinika Vita, Matije Gupca 93, Šibenik, OIB: 06098806804

· Poliklinika dr. Kalajžić, Moliških Hrvata 4, Split, 52021264667

and its co-controller(s), namely Affidea BV (registered address: Vijzelstraat 68 1017HL Amsterdam, Netherlands). Your contact point is our Croatian Data Protection Officer. Contact details can be found in clause 9.

1.        Legal basis for processing your personal data

We are committed to protecting your personal data when processing it and we are also required to do so by law. Our medical professionals are subject to both a professional and a contractual duty of confidentiality.

1.1.     It is necessary for us to use your personal and health data so that we can provide you the requested medical service.

Processing of your basic personal data (e.g. name and contact details) is necessary for scheduling your appointment and for the delivery of the medical services you need. The medical service agreement constitutes the legal basis for processing your basic personal data.

Your health data covers information related to your health (e.g. information about a requested diagnosis/treatment and our health assessment). Providing you with a medical diagnosis and/or medical treatment forms the legal basis for processing your health data. Affidea is subject to a legal obligation to process (especially to retain) your health data (see clause 3 and Annex 1 for further information).

If you are in an extreme or life-threatening condition while present at one of our clinics, we will use your health data in order to preserve your health and well-being, and on the basis of protecting your vital interests.

Affidea provides you and your identified individuals with secure and convenient electronic access to medical records (diagnostic images) created during the provision of health services at Affidea through its online interface called the Patient Portal. Medical records are made available on the Patient Portal.  

 

To use the Affidea Patient Portal, you need a valid email address provided by you. The email address will be registered by our reception colleagues and will create your access to the system, which you only need to activate with the password you received from us. 

Access to third parties is only possible on the basis of your explicit decision, through a unique security code (PIN) generated and provided by you. Affidea does not manage, supervise or assume responsibility for further data processing by these third parties, so we advise you to check beforehand who the people with whom you share the data are and for what purpose they will use it.

 

By using the Affidea Patient Portal (e.g. to view and download your medical records), we process your basic personal data (e.g. name and contact details) and health data (e.g. medical records) to provide the services you have requested on the Patient Portal. In such a case, the processing of your personal data is necessary for the performance of a contract for the provision of electronic services (including medical services) and for the medical diagnosis, the provision of health care or treatment or the management of health care services.

 

More information about the rules of use of the Affidea Patient Portal is available in the document "Terms of Use of the Affidea Patient Portal", which is available on the reception desk and as part of the system's user interface.

 

1.2.     We are constantly improving our services.

At Affidea we are always looking for better ways to provide our services.

A)       Patient survey

We think that feedback about your patient experience is essential to understand how to best serve our patients. You are therefore invited to take part in our satisfaction survey and we thank you in advance for your input. Participation is optional and will not affect our service to you. If you prefer, we will abstain from contacting you.

B)       Statistical analysis of aggregated data

We intend to analyse some of your personal data in an aggregated way, to derive valuable statistical information for our sales and marketing teams, for example to understand which services are of most interest in specific regions. If you prefer, we will exclude your data from our analysis.

C)       Quality assurance

We consider it crucial to learn from unintended events occurring in our clinics. We record and analyse near misses (incidents prevented) and events that may result in harm of any kind to assure health and safety. We limit such processing of patient data to the necessary extent, and typically do not use directly identifiable personal data for this purpose.

D)       Call center scheduling and information services

We intend to record your call to our call centers for the purpose of training our staff, resolving complaints, and monitoring the quality of the service we provide. We monitor calls and train our staff based on their performance during your conversation. If any connection issues occur during the call or a complaint is submitted to Affidea regarding the contact made, we will be able to listen to the recording and provide you with the best possible response to the situation described. If you wish, we will not record your call and this will not affect our service to you.

We do the above for our legitimate interest of understanding how to improve our service and its quality. See clause 7.6. about your right to object.

1.3.     You can consent to the following additional processing activities of Affidea, if you wish.

By ticking the relevant box in the “your data protection statement” part you can consent to the following with no extra cost. If you do not want to give your consent, this will not have any impact on the medical services provided to you.

A)       Informing you about opportunities to participate in clinical studies

Affidea is committed to healthcare and the advancement of medical science. We have trustworthy partners, who help pharmaceutical companies or medical device manufacturers to conduct clinical studies in strict compliance with the applicable laws. If you might be interested in participating in such clinical studies, we are happy to inform you about those which potentially fit you (based on the health data we retain about you). We might use all available communication channels to reach out to you. Your consent means no authorization to disclose your data to any third-party, nor any authorization to use your data in a specific clinical study – these require separate informed consent from you, if you express interest further to our initial information about the opportunity. 

B)       De-identifying a copy of your data

We are committed to continuously improving medical science and to contribute to research and development efforts, whether those are led by Affidea and/or third parties (including but not limited to hospitals, universities and health insurers). Research and development refer to work for the innovation, introduction and improvement of products, procedures and cost-effective health care provision. It includes a series of investigative activities to improve existing products and procedures or to lead to the development of new products and procedures.

We kindly ask for your support by allowing us to de-identify a copy of your personal data during the retention period determined by laws (see clause 3.). The data set subject to the de-identification includes the health data we collect(ed) when providing you with our medical service. The data set covers both your personal data we collected in the past and the personal data we collect of you in the future if you make use of our medical services. Pursuant to clause 7.1, you have the right to request access to your personal data.

De-identification of personal data consists of a process applied to personal data (or a set of personal data) that makes it impossible for the person using the de-identified data to identify the person to whom the personal data originally related. In this way, you remain anonymous when your de-identified data is used.

We would like to use your de-identified data for research and development, educational, statistical and commercial purposes ourselves or to share it with others, with or without any consideration for us. We duly select our partners and the method of de-identification to minimize the risks associated with the use of your de-identified data.

C)       Contacting you for marketing purposes

We would like to keep you informed of our latest offering in medical services and would like to be able to contact you for that purpose (e-marketing). In addition, if you wish and have given your consent, we may send you personalized promotions, including screening reminders when it is time for a follow-up screening. The use of your personal data for the purpose of sending personalized promotions is considered profiling (see section 8 for further information).

D)       Sending medical documentation

Based on your specific request, we can send your findings and images to your e-mail or postal address, via an electronic service, or hand them over to a person you specifically designate.

If you change your mind later, you can withdraw your consent(s) at any time and free of charge, and this will not have any impact on the medical service you receive from us. You can withdraw your consent by contacting our Data Protection Officer (you can see the contact details in clause 9 below). Please note that the withdrawal of your consent will not affect the lawfulness of processing based on your consent before its withdrawal.

 

2.       Data we process

During your relationship with Affidea, we obtain your personal data from three sources: (1) from you, (2) from others and (3) from our medical activity.

(1) In order to provide you with our medical service, we ask you to provide us with your basic personal data (especially your personal identification data), your payment and insurance data (data necessary in order to pay for our service) and your health data (particularly information about your health condition). If you decide to share previous images and medical reports for us to use, we will store and process these on our systems for the purposes of your medical diagnosis and/or medical treatment. If you voluntarily supply contact information of your next of kin or family, this data will only be used when we are unable to contact you, or in the event of an emergency.

(2) We collect personal data from others in the following instances:

a)     If you are referred to our clinic by a medical provider (referring doctor or hospital) we consult this person about your health condition and/or treatment, if necessary to identify the most appropriate medical service for you.

b)    If the medical service we provide you with is paid for by a medical insurer (either public or private) we need to gather information about coverage from this insurer in order to provide the medical service to you.

(3) When providing medical services to you, we create health data about you. As a medical services provider, Affidea is required by law to carefully document these services.

For further information about the data we process, please see the Annex of this notice or ask one of our receptionists.

3.        How long we retain your data

Affidea retains your personal data as long as necessary to provide our medical services and to comply with applicable medical, tax, accounting or other legislative requirements. If our legal obligation to retain your data expires, we will delete your data or de-identify it. Affidea will not delete your data if an alternative processing purpose for keeping said data exists, for example in case of legal action or defence against the same. If this is the case, we will retain the data as long as needed for this alternative processing purpose. In case of claims, this will be until the handling of the claim has been completed.

For further information about how long we keep your data, please see the Annex of this notice or ask one of our receptionists.

4.        With whom we share your data

During your relationship with Affidea, we share your personal data with three different types of recipients: (1) with providers instructed by us, (2) with providers independent from us and (3) with people you request us to share your data with.

(1) We use service providers (so-called data processors) to assist us in processing the personal information we receive and create (for example medical and financial software vendors and contracted medical professionals). The data processors act on behalf of Affidea based on our written instructions. We only share your data to the extent it is absolutely necessary.

(2) We share your personal data with third parties (meaning recipients independent from us) in the following instances:

a)        If we are required by law.

b)       If required by a contract to which you are a party (e.g. your health insurance contract).

c)        If the protection of your vital interest (e.g. an emergency) so requires, we will share your health data with other medical professionals.

We only share your data to the extent it is absolutely necessary.

(3) You may request that we send your health data to your referrer or your family doctor. The processing activities of third-party recipients are outside our control and responsibility. We therefore recommend that you first ask this third party how they will process your personal data. If you want us to share your health data with other medical professionals, we will ask you to fill in a dedicated consent form available from our receptionist.

For further information about the recipients of your personal data, please see the Annex of this notice or ask one of our receptionists.

5.        International data transfers

We might have to share your personal data with recipients located outside the European Economic Area (“EEA”). Some countries are considered as Adequate Countries by the European Commission and therefore treated as those belonging to the EEA. Before transferring your data outside the EEA (or outside of an Adequate Country), your data is de-identified or safeguarded, typically by using the Standard Contractual Clauses as approved by the European Commission. The Annex of this notice contains information about the actual data transfers and the measures we use, if any data is transferred in an identifiable format.

You can find more information on the Standard Contractual Clauses here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en. You can find more information on the adequate countries here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.

6.         Keeping your data safe

Keeping your data safe is our priority. Your personal data is stored securely by us, or by our carefully selected service providers. When our service providers process health data on our behalf, we require a high level of security, stipulated also in a written agreement with them. We make sure that very strict protection measures are in place to keep your personal data safe against loss and misuse, as well as unauthorized access or transfer.

7.        Your rights

Under the data protection legislation, you have the following rights.

7.1.      Right to request access to your personal data: This means that you are entitled to know that your data is processed by Affidea, that you are entitled to access this data and to be informed about what Affidea does with your personal data.

7.2.      Right to request rectification of your personal data: This means that you are entitled to have your personal data corrected or completed if it is inaccurate or incomplete.

7.3.      Right to request erasure of your personal data: This means that you are entitled to have your personal data deleted in specific circumstances if Affidea has no lawful reason to continue its processing.

7.4.      Right to request restriction of processing: This means that you may request, in specific circumstances, to ‘block’ the processing of your personal data by Affidea. Your request will mean that we will be allowed to store your personal data, but not to process it further.

7.5.      Right to data portability: It allows you to access and reuse the personal data that you have provided to Affidea so that you can further make use of this data for your own purposes, with different service providers. You are entitled to receive an electronic copy of your personal data and to ask us to transfer it to another controller.

7.6.      Right to object to the processing of your personal data. You are entitled to object, on grounds relating to your particular situation, at any time to processing of your personal data based on our legitimate interest (see clause 1.2. of this Notice). You can also object to our using your personal data for direct marketing purposes.

If you wish to use your rights or wish to have further information about your rights above, please ask one of our receptionists or contact our Data Protection Officer (you can see the contact details in clause 9 below).

8.        Automated individual decision-making, profiling

Affidea is not processing your personal data for automated individual decision-making.

We use profiling (which means the automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person) only in two cases:

A)       If you expressly consent to us sending you personalized promotions (see section 1.3 / B.). The only consequence of this consent is that you will receive personalized information, offers or reminders about medical views. Affidea does not use this marketing profiling to make decisions about you or your medical condition.

B)       If the reading of the diagnostic image by a radiologist is supported by an algorithm (e.g. in the case of post-processing of magnetic resonance images). Your medical condition is always diagnosed with the participation of a radiologist; there is no medical diagnosis made solely by automated processing of diagnostic images.

9.        If you have any questions

If you have any questions or would like more information, please feel free to contact our Data Protection Officer (e-mail: dpo.hr@affidea.com, postal address: Affidea, Banjavčićeva 11, 10000 Zagreb) or ask one of our receptionists for further information. If you are unhappy with the way we process your data, you can make a complaint to the Supervisory Authority. The contact details of that Supervisory Authority are Agencija za zaštitu osobnih podataka, e-mail: azop@azop.hr, postal address: Selska cesta 136, 10000 Zagreb, telephone number: +385014609000. However, we would of course hope that you are able to raise any issues with us in the first instance.



Annex to Data Privacy Notice for diagnostic imaging

 

Below you can find further information about who we share your data with. We only share your data with other recipients if it is absolutely necessary.

Data recipients acting on behalf of (and instructed by) Affidea

| Industry | Sector of activity | Sub-Sector of activity | Type of activity | Identity / Location of the recipient |
|---|---|---|---|---|
| Medical | Medical Professionals | Doctors | Provision of medical services | Several contracted individuals or entities in Croatia |
| | Medical Professionals | Other healthcare professionals | Provision of medical services | Several contracted individuals or entities in Croatia |
| | Consultant Medical Professional | Radiologist | Provision of a second opinion, if necessary | Affiliates of Affidea BV within or outside the EU, when necessary (and with the use of Standard Contractual Clauses), if necessary |
| | Clinical studies | Clinical studies | Requirements and use of survey results if you participate | Legal entity that is the facilitator/sponsor of the clinical trial |
| Service Providers | Administration | Call Center | Scheduling appointment by calling our call center | Call Center Staff Affidea, Hrvatski Telekom d.d. |
| | Operation of medical equipment | Maintenance | Maintenance of Medical Equipment | Siemens d.d. Zagreb, GE Hungary Kft., SANITARIA DENTAL d.o.o., MINI MAJOR d.o.o. |
| Information Technology | Digital Workplace | Microsoft Office 365 suite | Hosting and operating the Office 365 suite | Legal persons and Affidea Group Kft. |
| | Administration Software | Call Center Software | Storing voice recordings of calls | Affidea and Affidea Group Kft. |
| | Administration Software | Operation and Hosting of Patient Portal | Online booking | Affidea and Affidea Group Kft. |
| | Medical Software | Radiology Information System | Patient registration, scheduling, examination data creation and diagnosis creation, billing support, distribution of medical report | Veridian- Medavis, Mag Informatika d.o.o. |
| | | Picture Archiving and Communication System | Storage of diagnostic images | Biotronics 3D limited, London |
| | Financial Software Supplier | Accounting | Billing of health costs | Mag informatika d.o.o., Zagreb |
| | Infrastructure Operations | Operation of IT infrastructure | Ensuring availability of data | Affidea, Affidea Group Kft., UAB "GoIT Litva |
| | Support | User Support | Ensuring availability of systems | Affidea and Affidea Group Kft., UAB "GoIT Litva |
| | | System support | Software maintenance | Affidea and Group Kft., UAB "GoIT Litva, Combis d.o.o. |
| | Data Storage and backup | Storage device and Back-up management | Securing availability of data | Affidea and Affidea Group Kft. |

 

Third party data recipients (acting independently from Affidea)

| Industry | Sector of activity | Sub-Sector of activity | Type of activity | Identity of the recipient |
|---|---|---|---|---|
| Health Insurer | Private Health Insurance | Financing | Confirmation of insurance coverage | The insurer you have insurance policy with |
| | National Health Insurance | Financing | Confirmation of insurance coverage | Hrvatski zavod za zdravstveno osiguranje |
| | | Operation of National Health Database | Storage of NHI financed medical files | Hrvatski zavod za zdravstveno osiguranje |
| Financial institution | Bank | Payment | Payment processing by credit or debit card | Banks: RBA, Zagrebačka banka, Splitska banka, Privredna banka Zagreb, OTP bank, Erste banka and other banks |
| | Private Health Fund | Payment | Reimbursement of health costs | Insurer with whom you have concluded an insurance contract |
| Medical | Public Medical Management | National Medical Organization | Management of national quotas, if medical services is publicly financed | Hrvatski zavod za zdravstveno osiguranje |
| | Referring Doctor / Medical organization | - | Referral of patients | Your referring doctor |
| | Clinical Research Organization | Clinical research | Requests and uses clinical exam results, if you are participant of it | the entity managing the clinical trial you participate in |
| Public Authorities | Medical Authority, police, etc. | - | Exercise of investigating power | Ministarstvo zdravlja, Ministarstvo unutarnjih poslova, Agencija za zaštitu osobnih podataka |
| Insurance | Service Insurance | - | In case of a claim filed by you concerning our medical service | Rights of the Ministry of Health, the Ombudsman's Office, the Gender Equality Ombudsperson, Professional Health Associations, Croatian Association for the Promotion of Patients' Rights, Croatian Health Insurance Institute HZZO, Agency for Personal Data Protection-AZOP, |
| Audit | External Audit Organization | - | examination of quality standards (ISO certification) | DNV GL Business Assurance |
| | Certified public accountant | - | examination of books of accounts | Tax administration of the Republic of Croatia, private audit companies |
| Communication | Postal services | - | Delivery of letters | Hrvatska pošta d.d. |
| | Telephone services | - | Operation and Hosting Telephone system | Hrvatski telekom d.d. |

 

Below you can also find further information about the type of data we process for the various purposes (as outlined in section 1.1-1.3. of the Notice) and about how long we keep your data.

 

Personal data processed

| Purpose of our data processing | Personal Data Type | Examples of Personal Data | Reasons for Processing | Retention period |
|---|---|---|---|---|
| Medical service | Basic Personal Data | Name, NHI Number, Mobile number, Address, email address | Scheduling of appointment, registration, identification of patient, keeping contact with patient | 10 years |
| | Financial and Insurance Details | Proof of Insurance Cover, Credit Card data | Financing and payment | 11 years |
| | Medical Data | Prescription, Historical Medical Records, Diagnosis | Patient safety, confirmation of correct medical procedure, production of medical diagnosis and planning medical treatment | 10 years |
| | Other personal data | Identity of referring/family doctor | contact other medical professional for further health care data for the best care | 10 years |
| Anonymisation of your data for improving medical services | Anonymised Medical Data | Diagnosis | Research and development | No identifiable personal data of yours is retained |
| General marketing | Basic Personal Data | Name, Mobile number, Address, email address | Sending general promotional information to you | until consent recall |
| Call centres messages | Basic Personal Data | Name, Mobile number, Address, email address | Monitoring the quality of our service | 6 months |