Privacy Policy

Summary

Who collects and processes the data?

Telios Care S.A. (with the role of Personal Data Operator) and its medical staff and specialist employees and collaborators (with the role of Empowered Persons).

What data? Why?

Personal data for patient identification and medical data for medical advice.

How will the data be used and by whom? Will third parties be involved?

The data is used exclusively to identify the patient in the system and perform medical counseling.

Doctors and internal and external medical staff with practice notices will have access to data to perform the service.

External medical staff with practice notices will have access to personal and medical data only during the decision to take over counseling and during counseling.

External non-medical staff (nutritionists, fitness trainers, psychologists, etc.) will have access only to personal data and those medical data that the patient decides to communicate during the consultation. Access is provided only during the decision to take over counseling and during counseling.

Telios Care S.A. internal medical staff, with practice notice, will always have access to the files of active patients.

What options do people have and what can they do if they have questions or concerns?

For any questions and complaints, patients can get in touch by email at acting-dpo@telios.ro or by phone at the centralized number used for counseling.

In detail

Who collects and processes the data?

1. Processing of personal data

1.1 Telios Care S.A. will process personal data in accordance with applicable personal data protection laws, with GDPR requirements directly relevant to the provision of services by Telios Care S.A.
1.2 In accordance with the provisions of art. 28 of the GDPR, the object and duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and the categories of Data Processing Persons are regulated in Section 2 of this Information Note (entitled 2. Details of processing personal data of patients). The processing of personal data by Telios Care S.A. is directly related to the provision of the services that are the object of the medical counseling activity.

What data? Why?

2. Details of processing personal data of patients

Activities performed in the processing of personal and medical data:

  • Collection - YES
  • Registration - YES
  • Disclosure - NO
  • Delete - NO *
  • Alteration - NO
  • Change - NO
  • Use - YES

*The data is archived instead of being deleted when patients leave the system. This is necessary because the legal provisions in the field of health require the keeping of medical records of patients. The data is stored for up to 5 years from the date of the patient's last consultation.

Patient personal data is used to provide medical counseling services and to identify the patient.

The categories of personal data that will be processed:

  • Identification data - YES
  • Physiological data - YES
  • Sensitive medical data - YES
  • Job data - YES

Categories of medical activities for the purpose of data processing:

  • Preventive medicine - YES
  • Curative medicine - YES
  • Occupational medicine - NO

3. The rights of data subjects

3.1 The operator Telios Care S.A., within the limits of the applicable legal provisions, will promptly respond to the Patient if it receives a request regarding the exercise of the Patient's right of access, rectification, restriction of processing, deletion ("the right to be forgotten"), portability of the data that is the object of the Processing, or the right to object to the data processing.

3.2 The operator Telios Care S.A. will not use your personal data for the purpose of sending materials for advertising or marketing purposes.

4. Data storage

4.1 When a patient of Telios Care S.A. loses this status, Telios Care S.A. will archive the patient's data and make it unavailable in its work environment. Archived data will not be used by Telios Care S.A. staff and will not be accessible to them, except as required by law for the purpose of proving previous medical reports. The archived data will be kept for 5 years from the last advice and for as long as the company is in existence.

4.2 At the request or with the consent of the patient, if he proves his identity, Telios Care S.A. will import the archived data into its work environment and reactivate his account when the patient regains access to Telios Care services through another employer or other form of contractual relationship.

How will the data be used and by whom? Will third parties be involved?

5. Staff

5.1 Telios Care S.A. ensures that its personnel who process personal data are informed of the confidential nature of such data, that they have received appropriate training for their responsibilities and that they are contractually obliged to maintain the confidentiality of the data, and that this obligation survives when the contract is terminated.

5.2 Telios Care S.A. will take reasonable steps to ensure that the personnel processing personal data provide sufficient safeguards for the implementation of appropriate technical and organizational measures for this task.

5.3 Telios Care S.A. ensures that Telios Care Group's access to personal data is limited to those personnel who require such access in order to perform the services.

5.4 Telios Care S.A. ensures that access to medical data is limited to medical personnel who require such access for the purpose of performing the services.

5.5 Data Protection Officer. Members of the Telios Care Group have appointed a person responsible for data protection under the legal provisions on the protection of personal data. The person thus designated can be contacted at the e-mail address: acting-dpo@telios.ro.

What options do people have and what can they do if they have questions or concerns?

6. The person authorised by the operator

6.1 Persons affiliated with Telios Care S.A. are considered Persons Authorized by the Operator, and Telios Care or the entities affiliated with Telios Care will transfer data to third parties authorized by other Operators for the purpose of providing the Services. Any such authorized persons will have the right to obtain personal data only in order to provide the services they have undertaken to provide to Telios Care S.A. and at the same time, they will be prohibited from using such data for any other purpose.

6.2 Telios Care S.A. is liable for the actions or omissions of its own Authorized Persons to the same extent as it would be liable if it itself provided the services of each Empowered Person directly under the DPA, unless otherwise provided in the Contract.

6.3 Telios Care S.A. and the entities affiliated with Telios Care are in contractual relations with each Empowered Person, relations that include obligations regarding the protection of personal data, and these obligations are no less protective than the provisions of this Information Note and meet the requirements of Article 28 para. 3 of the GDPR or any other equivalent legal provisions, with the limitations imposed by the nature of the Services provided by such authorized persons.

6.4 Telios Care S.A. and each Affiliate of Telios Care S.A. shall appoint a Person empowered by the Operator in accordance with the provisions of this Section (5). The list of Persons Subordinated by the Telios Care Operator in connection with the provision of its Services can be found on the telios.ro website, and will be presented upon request and by email. The patient may at any time request the consultation of the list of all Empowered Persons whose services have been used at any time.

6.5 Data transfers. Telios Care S.A. will not transfer personal data outside the EU without the separate and express consent of the patient.

7. Security

7.1. Taking into account innovations, implementation costs and the nature, scope, context and purposes of the processing of personal data, but also the risks inherent in the variety and importance of the rights and freedoms of individuals, Telios Care S.A. will implement appropriate technical and organizational measures to ensure a level of security commensurate with the risk. Telios Care S.A. will maintain adequate technical and organizational measures for the protection of the security, confidentiality and integrity of personal data, measures that meet the requirements imposed by the GDPR on a Person Authorized by the Operator, as provided in Art. 32 of the GDPR. Telios Care S.A. regularly monitors compliance with these safeguards. The total security level of the Telios Care S.A. Services will not decrease as they are provided.

8. Violation of the security of personal data and notification of the breach

8.1 Telios Care S.A. will notify the Patient in the event of unauthorized destruction, loss, alteration or disclosure caused by fault or intent or any illegal access to the Patient's Personal Data which is transmitted, stored or processed in any way by Telios Care S.A. or its proxies (“Data Security Infringement”), if the security incident is likely to pose a high risk to the rights and freedoms of data subjects. The risk is assessed according to:

a) the type of incident;
b) nature, context, volume of data affected;
c) the possibility to identify the persons concerned;
d) the consequences of the incident on the persons concerned;
e) the circumstances of the data subjects;
f) the circumstances of the operator concerned;
g) the number of people affected.

Telios Care S.A. will take into account the severity of the risk, but at the same time it will take into account the probability of its occurrence.

8.2 The choice of Telios Care S.A. to notify or respond to a Data Security Violation under this Section may not be interpreted or construed as an acknowledgment by Telios Care S.A. of a fault with regard to a possible breach of data security.

8.3 The notification of data breaches will be communicated online on the Telios website (www.telios.ro) or by e-mail to the affected patients when it is possible to do so. The patient is solely responsible for ensuring that his / her contact details on the support system of Telios Care S.A. are correct and current. Telios Care S.A. will inform the Patient of data security breaches, if the security incident is likely to pose a high risk to the rights and freedoms of data subjects, within 24 hours from Monday to Friday and 48 hours on weekends or public holidays, and the information will include the category of data considered affected and the method of stopping the infringement.

 

9. Returning or deleting customer data

9.1 Telios Care S.A. will return the Patient's data to him / her and / or delete (or archive, for medical data) the Patient's data in accordance with the procedures of Telios Care S.A. and with the legal provisions in the field of personal data protection.

9.2 At the Patient's request, Telios Care S.A. will delete (or archive, regarding medical data) or return all personal data to the Patient at the end of the provision of Services and will delete existing copies, in accordance with the procedures regulated in Art. 32 of the GDPR, unless the legal provisions applicable to the protection of personal data require the storage of such data.

9.3 Telios Care S.A. automatically backs up and archives data. Data and data archives are backed up periodically, and this back-up is rewritten every 4 weeks. Telios Care S.A. reserves the right to extend this period up to 8 weeks.