For all of us at the Henry Dunant Hospital Center, both management and staff, Quality is the highest value; it is what guides us in our goal of providing safe and comprehensive care in a welcoming environment for our patients and visitors.

All our health care services are patient-centered, so patients trust us for their safety and treatment. To build this relationship of trust, we continually work with consistency and persistence, setting as our priority:

• - to provide high quality services

• - to focus on patient safety and minimize risks, by adopting international best practices to that end
• - to invest in cutting-edge technologies

• - to constantly offer new and innovative services, diagnostic and therapeutic methods
• - to adopt international medical protocols and guidelines

At the Henry Dunant Hospital Center, we all embrace the vision of providing continuously better and higher quality services to patients and their families, and we feel that this commitment is our high duty.

So, we offer:

• - services with a primary focus on maximum patient safety
• - effective treatments, based on scientific knowledge and guidelines
• - services delivered in a timely manner, as we strive to minimize the time needed to provide them
• - adequate and appropriate services, making the best use of our resources, technology, diagnostic tools and treatment methods
• - patient-centered health services that take into account the patient’s expectations, wishes and needs

At the Henry Dunant Hospital Center, we apply procedures and protocols based on scientific evidence, with up-to-date and evidence-based knowledge. For us, Quality is not an intangible, but a fully measurable concept, the evaluation of which is done with tangible results, with indicators that assess and certify its degree, while at the same time being the guide for continuous, perpetual improvement. Which continuous improvement is our main objective that runs through the entire range of our operations and activities.

The objective of continuous improvement is achieved by:

• - complying with the applicable laws and regulations which govern our operation
• - strictly complying with the regulatory framework concerning the protection of our patients’ personal data
• - recording and correctly implementing procedures for all our activities
• - establishing control, supervision and feedback mechanisms for all areas of our operation
• - Analyzing measurable results and continuously aiming at improving these results
• - measuring the experience of our patients
• - providing continuous training of all our medical, nursing and administrative staff
• - creating the right working environment for employee development, better performance, evaluation and reward. 

Our tools for all the above are compliance and adherence to the most modern Quality Management Systems, harmonized with international standards:

• - Joint Commission International – Hospital Accreditation Standard
• - ISO 9001 – Quality Management System
• - ELOT EN 15224 – Quality Management System for Health Care
• - Center of Excellence in Hernia Surgery, Surgical Review Corporation

The monitoring and control of the implementation of the Quality Policy is carried out through the operation of Committees across the entire range of services provided by the Henry Dunant Hospital Center.

To achieve the above, the Management of the Henry Dunant Hospital Center is committed to ensuring that the Quality Policy is understood, implemented, and adhered to at all levels of its organization.

INTRODUCTION

The Henry Dunant Hospital Center (HDHC), in order to fulfill its purpose of providing high quality medical and nursing services, processes personal data of its patients, both simple and sensitive, such as health data, in compliance with both the Code of Medical Ethics and the broader legislative and regulatory framework, including Regulation 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the Regulation), as well as the relevant decisions of the Personal Data Protection Authority (the Authority). In addition, it processes data of its employees, partners, and suppliers and all those who have transactions with it, browse its website, subscribe to its newsletters or training seminars, etc.

THE POLICY 

With this Policy, HDHC sets out and discloses the conditions under which it collects, maintains and uses personal data information in paper and/or electronic form, i.e., it acts as a Data Controller (see definition below).

This Privacy Policy also describes how we use, disclose, and protect your personal data, how you can exercise your rights in relation to your personal data, and how you can contact us, and complies with the terms of European Regulation 679/2016 and any other relevant applicable legislation.

The recipients of the data are the subjects themselves, their family members in case of physical incapacity, the persons authorized by them, the social insurance funds insofar as the provision of the data is necessary for insurance coverage, public authorities following a public prosecutor’s decision, and ministries for the purpose of statistical processing, as well as any others expressly described by law.

Finally, with this Personal Data Protection Policy, HDHC assures you of its commitment to keeping the information provided to it confidential and secure, thus ensuring privacy, to maintain a processing record for all its activities, both primary and ancillary to its purposes, to continuously train its staff on data protection, clean office policy, respect for privacy and confidentiality, to adopt policies such as this and the Information Security Policy, to work exclusively with individuals and companies who are equally committed to the principles of personal data protection and who take appropriate measures to protect them and, finally, to process your personal data, whether simple or health-related, with respect and a high sense of responsibility.

PERSONAL DATA AND OTHER DEFINITIONS

The following definitions, as described in the Regulation, will help you to better understand this Policy.

“Personal Data”: any information relating to an identified or identifiable natural person (”data subject”); an identifiable natural person is one whose identity can be established, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person,

“health-related data”: personal data related to the physical or mental health of a natural person, including the provision of health care services, a including the provision of health care services, which reveal information about his or her health status;

 “processing”: “any operation or set of operations performed with or without the aid of automated processes and applied to personal data or set of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction”;

“controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

“processor”: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“Consent” of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

DATA CONTROLLER

According to the definition above, the Data Controller shall be the Single Person S.A. by the name “IMITHEA MONOPROSOPI ANONYMI ETAIREIA EKMETALLEFSIS NOSILEFTIKON MONADON KAI IATRIKON DIAGNOSTIKON KENTRON KAI PAROCHIS SYNAFON YPIRESION” (translated in English as “IMITHEA NURSING UNITS AND MEDICAL - DIAGNOSTIC CENTERS OPERATION AND KINDRED SERVICES PROVIDING SINGLE PERSON S.A.”) and the distinctive title “IMITHEA M.A.E.” (translated in English as “IMITHEA Single Person S.A.”), headquartered in Athens, 107, Mesogeion Avenue, Tax registration No 998936357, General Commercial Registry (GEMI) No: 006502201000, Single Person S.A. Reg. No: 59294/001/Β/05/0422, which operates at the above address the “HENRY DUNANT HOSPITAL CENTER” private clinic that provides medical services.

HDHC’s PRINCIPLES OF PERSONAL DATA PROCESSING

As Data Controller, HDHC processes the personal data of its patients, employees, and collaborators as well as the health data of its patients, respecting the principles that, according to the Personal Data Protection Regulation, must govern the processing. So:

(a) collected data are processed lawfully, fairly and in a transparent manner,

(b) data are collected for specified, explicit and legitimate purposes;

(c) the data processed are adequate and relevant to the purposes of the processing;

(d) they are accurate and, where necessary, kept up to date;

(e) data are kept and stored only for as long as required by the legal framework,

(f) all necessary and appropriate technical and organizational measures are taken to ensure their security.

DATA WE PROCESS

(a) Patient data:

Simple Personal Data: first name, surname, date of birth, home address, e-mail address, occupation, ID card number, social security number, social security number (AMKA), tax identification number (AFM), insurance carrier, contact telephone numbers, etc.

Health data:  Data relating to the state of health of its patients, as they result from obtaining their medical history, during admission and the course of their hospitalization, from the consents to medical procedures and from the results of diagnostic and clinical tests carried out in the context of the provision of medical services.

(b) Employees/external collaborators: personal and other data (health data e.g., to justify sick leave, data on the children of an employee in order for him to receive benefits, etc.) necessary for the fulfilment of HDHC’s legal obligations towards its employees (salaried and external collaborators) in accordance with the labor and insurance legislation.

(c) Partners/suppliers: the necessary personal data of company representatives and employees are processed for the handling of HDHC’s commercial relations with partner companies (pharmaceutical, biotechnology equipment companies, suppliers, etc.) for its operation, and the fulfilment of its purposes.

1. D) Finally, we process the personal data of all those who contact us either to subscribe to our newsletter or to obtain a privileged card, to look for a job by sending us a CV, to contact us through the online form on our website or finally to browse our website by accepting cookies. For all this, HDHC has specific procedures and policies that ensure both that the data it processes are kept secure and only for the period specified by law or its procedures.
   
   

RETENTION PERIOD OF YOUR DATA

We inform you that HDHC is obliged to keep your Medical Record in its Medical Records Archive for twenty (20) years (in application of our legal obligation under L. 3418/2005), from each of your hospitalizations as well as from the need to preserve your life, your health and to provide the appropriate treatment. Outpatient data are kept in our Archive for 20 years, while purely accounting-tax records must be kept for 5 years. 

The contents of a Medical Record comprise any data related to your health as well as the personal data that you have provided to us for the execution of the contract for the provision of medical services between us.

 If the time limits change, we will inform you of any change.
The data we receive through our website to make an appointment are kept secure in our computer system and are integrated in the medical records that we keep in the Archive as above.

After the mandatory data retention period has expired, HDHC shall destroy the data following the instructions of the Authority and its own procedures and protocols, in accordance with the applicable regulatory framework and JCI accreditation.

TRANSFER OF PERSONAL DATA TO THIRD PARTIES

HDHC may transfer (by electronic and natural means), in performance of a legal obligation your personal and sensitive personal data concerning your hospitalization to your insurance company and its Auditors, to cover and reimburse you for your medical expenses, in combination with your health coverage.

HDHC may also transfer (by electronic and natural means), in performance of a legal obligation your personal and sensitive personal data concerning your hospitalization to your insurance company and its Auditors, to cover and reimburse you for your medical expenses, in combination with your health coverage.

HDHC’s financial services (Inpatient Accounting Office, Outpatients Accounting Office, Laboratory Cashier’s Office, Submission Department, Central Accounting Office) are required to process your simple personal data (referring physician) or limited health data (for instance: type of surgery, type of diagnostic test) in order to issue the legal document for the payment of the medical services we provide to you and to satisfy our legitimate business interest and our legal tax obligation.

Finally, to pursue our legal claims we may transfer limited personal data to legal firms with whom we work or to individual lawyers/associates of ours.

SECURITY OF PERSONAL DATA

HDHC uses the appropriate technical and organizational protection measures to ensure that the personal data you entrust to us is secure, whether stored in physical form or electronically.

When HDHC assigns to a third party as processor (including our service providers) to collect or process personal data on our behalf, such processor is carefully selected based on its know-how, reliability and available resources as well as based on the technical and organizational security measures it takes to secure the processing, according to the specifications set by the General Regulation of Data Protection.

RIGHTS OF NATURAL PERSONS WITH REGARD TO THEIR PERSONAL DATA

You have the following rights in relation to your personal data:

Right to revoke your consent: as the case may be, you have the right to revoke your consent at any time without prejudice to the lawfulness of any processing carried out with your consent prior to its revocation. 

Right to access, rectification, and erasure: you have the right to request access to any of your personal data that we may hold, to request that any inaccurate data about you be rectified and, in certain cases, to request the erasure of your personal data. You may request the deletion of your health data because, by law, we are obliged to keep it for 20 years.

Right of data portability: under certain conditions, you have the right get the personal data you have provided to us in a structured, widely used and machine-readable format as well as to request that we transfer it to another controller where technically feasible. For example, you can contact us to send a Medical Record or diagnostic tests to another clinic or hospital by any available means.

Right to restrict processing: you have the right to restrict our processing of your personal data if:

• you question the accuracy of such personal data until we have taken the necessary steps to correct or verify its accuracy;
• you think such processing is illegal, but you do not want us to erase the data;

we no longer need your personal data for processing purposes, but you need same data to establish, pursue or defend legal claims; or

you have objected to the processing for reasons of legitimate interest (see below), pending verification as to whether we have compelling legitimate grounds to continue the processing.

Where personal data is subject to such restrictions, we will process it solely with your consent or for the establishment, exercise, or defense of legal claims.

Right to object to processing: as long as the conditions set by law are met, you have the right to object to the processing of your personal data. If you object to it, we will have to discontinue the processing, unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defense of legal claims.

If you consider that the processing of your personal data violates the applicable law, you have the right to file a complaint to: 

Hellenic Authority for the Protection of Personal Data,
1-3 Kifissias Avenue, 115 23, Athens, Greece
Telephone: +30-210 6475600
Fax: +30-210 6475628
E-mail: contact@dpa.gr

THE DATA PROTECTION OFFICER

For more information regarding the exercise of your rights or for any question regarding the processing of your personal data, please contact our Data Protection Officer we have appointed in accordance with the Regulation at dpo@dunant.gr and we will respond to your request within the applicable time frames.

The Data Protection Officer will respond to your request without delay, and in any case within one (1) month of receiving it. However, if the request is complex, he will inform you within the month of the necessity to extend the time to respond by a further (2) two months, within which he will reply.

CHANGES TO THE PERSONAL DATA PROTECTION POLICY

We regularly review this Policy and reserve the right to review and make changes to it to include any changes to our business activities, to the legal requirements and how we process your personal data.

Whenever we take those actions, we will notify you through our website or upon your arrival at HDHC.

In any case, we encourage you to check this Policy from time to time for possible changes so that you are informed in time.

1. Data Controller

The societe anonyme under the name “IMITHEA MONOPROSOPI ANONYMI ETAIREIA EKMETALLEFSIS NOSILEFTIKON MONADON KAI IATRIKON DIAGNOSTIKON KENTRON KAI PAROCHIS SYNAFON YPIRESION” (translated in English as “IMITHEA NURSING UNITS AND MEDICAL DIAGNOSTIC CENTERS OPERATION AND KINDRED SERVICES PROVIDING SINGLE PERSON S.A.”) and the distinctive title “IMITHEA S.A.”, headquartered in Athens, 107, Mesogeion Avenue, which operates the Private Clinic “HENRY DUNANT HOSPITAL CENTER” at the aforementioned address.

2. Purpose and legal basis of the processing

The Henry Dunant Hospital Center (HDHC) provides high quality medical and nursing services to its patients, both on an inpatient and outpatient basis, and to that end the hospital processes personal data, both general and health data (Article 6(1)(C) of the General Data Protection Regulation - GDPR).

The HDHC has a legal obligation to protect the equipment necessary for its operation, its information systems and networks, the health and property of its staff as well as of its patients, partners and visitors. Thus, it maintains and operates on a 24-hour basis and throughout the year, a closed circuit television system (CCTV), for the operation of which conditions are met in accordance with the principles of legality, necessity, proportionality and data minimization, as provided for in the GDPR, but also in Directive 1/2011 of the Personal Data Protection Authority (the Authority) and in all relevant opinions and directives of the Authority.

3. Security and protection of processing

• Video-surveillance is limited, as far as possible, to the areas strictly necessary for its purposes.
• Cameras focus on those of the assets and infrastructure that are critical to the operation of the HDHC.
• No further processing is carried out on the data collected.
• The closed circuit is not used for the surveillance or monitoring of employees in their workplaces, nor for evaluating the behaviour and performance of the staff.
• The closed circuit does not take images of external public space, pavements or entrances to neighbouring buildings.
• The circuit does not capture images of areas where there is an increased expectation of privacy (areas and lobbies of toilets, changing rooms, etc.).
• The cameras have a fixed viewing angle and do not have a rotation mechanism.
• They record only images and not sound.
• The circuit is self-contained and is not connected to the internet or to the HDHC central network (secure communication circuit) and the surveillance monitors are located in a dedicated secure area.
• Access to the video surveillance data is strictly limited to a small number of authorised and specially trained operators, and access to the site is by means of access control and a special security lock. There is a fire extinguishing system in the Control Unit.
• The authorised personnel ensures:
• the security of the video material;
• the control of access to the Control, Storage and Processing Unit,
• the operation of the display screens and software,
• the continuous training of staff on personal data protection issues and the compliance with the procedures for the protection of personal data,
• that natural persons/subjects are informed before they enter the scope of the video surveillance system by posting prominent information signs indicating the name of the Data Controller, the purpose and how to contact the interested parties in order to exercise their rights.
  
  

4. Data transfer to third parties

The data of the video material shall not be shared with or transmitted to third parties. By exception the data shall be transmitted/shared in the following cases:

(a) to the competent judicial, prosecution and police authorities when it contains information necessary to investigate a criminal offence involving persons or property of the Data Controller; (b) to the competent judicial, prosecution and police authorities when they lawfully request data during the exercise of their duties; and (c) to the victim or perpetrator of a criminal offence when it comes to data which may constitute evidence of the commission of the offence.

5. Period of data retention

Each recorder has its own internal storage space and automatically deletes the stored data every 15 days, according to the Authority’s instructions, except as explicitly provided for by the Directive, i.e. in case of an incident against HDHC’s property or persons, the records are kept separately for 30 days and in case of an incident against a third party’s property or persons, the period of retention of the video surveillance material is extended up to 3 months.

6. Rights of the data subject

Natural persons/data subjects may exercise the rights provided for in the GDPR by sending an email to dpo@dunant.gr. Requests to exercise the rights are checked and answered within the time limit set by the GDPR.

6.1.    Right of information

People entering the range of the video surveillance system shall be notified by means of clearly visible signs placed in highly visible places. The signs shall state that the area is monitored by a closed circuit, the Data Controller, the purpose of the processing and how interested parties can obtain further information and exercise their rights. Natural persons/data subjects receive additional information through this document, which is posted on the HDHC website and in visible areas on the HDHC premises.

6.2.    Right of access

Any person entering the HDHC premises, as a data subject, shall have the right to access the video surveillance system data concerning him/her by submitting a request, which must indicate the date and exact time when he/she was in the range of the system’s cameras, the specific place and a recent good quality photograph.

6.3.    Right of objection or erasure

The data subject shall have the right to object to the processing of his/her image by the video surveillance system and to request the erasure of his/her data. However, the exercise of this right (of objection or erasure) does not imply the immediate erasure of data or the modification of the processing, but shall be investigated as to its lawfulness.

6.4.    Right of restriction

The natural person/data subject shall have the right to request restriction of processing, such as for example not to have HDHC delete any data concerning him/her which he/she considers necessary for the establishment, exercise or support of legal claims.

7. Right to lodge a complaint

If data subjects consider that the processing of data concerning them infringes Regulation 2016/679, they shall have the right to appeal to the competent supervisory authority and lodge a complaint.

The competent supervisory authority for Greece is the Hellenic Data Protection Authority and the contact details are:

1-3, Kifisias Avenue 11523 – Athens, https://www.dpa.gr/, tel. 210-64.75.600

The Henry Dunant Hospital Center has a mechanism to record and investigate information about any concerns, problems or complaints about patient safety or the quality of services provided. For any dissatisfaction or difficulty that may arise, please do not hesitate to contact your physicians or department heads (Supervisors/Directors) for immediate handling of your complaints or concerns. If immediate resolution is not possible, they will encourage you to register your complaint or they will register it themselves and forward it to the Quality Assurance Department (tel. 210 6972387, email: quality@dunant.gr).

The Henry Dunant Hospital Center is accredited by Joint Commission International, an organization committed to its mission to continuously monitor and improve the safety provided by health care organizations. If you feel that your concerns have not been resolved by Henry Dunant Hospital Center, you may contact Joint Commission International directly by email.  JCIQuality@jcrinc.com 

The following link is provided for reporting any concerns about patient safety or quality of service: http://www.jointcommissioninternational.org/contact-us/report-a-quality-and-safety-issue/

The Henry Dunant Hospital Center assures patients, family members, employees, physicians, and all persons providing services at our facility that reporting of issues related to patient care and safety is handled with the utmost confidentiality and accountability, will not affect the quality of services received by patients, and in no event will retaliatory measures, formal or informal, be implemented as a result of reporting quality of care issues to the Quality Assurance Department of the Henry Dunant Hospital Center or to the Joint Commission International.