This privacy policy (“Policy”) has been drafted by and applies to PETROS AND NIKI KOKKINOU D.E.L.C a company registered in Cyprus with registered number ΗΕ351307 and all their subsidiaries (which shall hereinafter be referred to collectively or separately, “KOKKINOU”, “we,” or “us” or the “Clinic”).
At KOKKINOU, we value and respect your privacy and prove this through this Policy which demonstrates our compliance with the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the “Regulation”) which is directly applicable in the European Economic Area from 25th May 2018, and has introduced new measures aiming to protect your Personal Information and thus your privacy.
KOKKINOU in the process of receiving and processing your information for the purposes specified hereunder has and takes responsibility as the controller of your Personal Information, meaning that we, as a legal person alone or jointly with others, determine the purposes and means of the processing of the Personal Information we receive.
In this Policy, we explain our practices regarding the collection, processing and disclosure of your Personal data, the purposes for which we use your Personal data, what kind of Personal data we collect from you and when we collect them. “Personal data/Information” is information that identifies you as an individual or relates to an identifiable individual i.e. through which you may be identified. It always has to do with living people and does not concern legal entities such as companies. We always collect only what is necessary for the purposes defined below and any use and/or disclosure and/or transfer of Personal data is only done to the extent that is necessary and proportionate to the purposes defined below. In the event that, you have provided your consent on the basis of the below processing purposes, and we decide to further process your Personal data for a purpose that is not compatible to the purposes you have consented, we shall provide you prior to that further processing with information on that other purpose, with any other information which the General Data Protection Regulation requires and seek your consent in relation to such use.
The processing activities, the legal basis for the processing, the types of data we collect, whether we store them or not and for how long and the method in which they are protected differs depending on processing activity. We therefore deal with each processing activity separately depending on the data subjects that are affected, i.e. identified or identifiable natural person to whom the information relates.
Processing Activities
A. Patients
- Patients’ records: Collection, storage, maintenance, updating and sending of data of patient records
Except as provided otherwise, in relation to the patients’ records, the provision of the Personal data specified below is necessary for the provision of our services and/or the performance of the contract and/or transaction and/or the conclusion of a contract between us. The collection of the below Personal Information is also necessary to comply with our legal obligations to keep our patients records and accounting books in order and our legal obligations under the Protection of Patient’s Rights Law (Ν. 1(I)/2005)), VAT and income tax laws and regulations. Failure to provide them might render our service impossible or illegal to provide. The management, medical assistants, receptionists and doctors collect, store, maintain and update patient records based on information received by patients and/or their parents and/or legal guardians and/or their external or referring doctors. The legal basis for this activity is a contractual relationship with the patients and/or their legal guardians and / or the Clinic’s obligations under the Protection of Patient’s Rights Law (Ν. 1(I)/2005)) and/or the Income Tax Law and/or VAT legislation and / or and the General Data Protection Regulation and/or the legitimate interest of the Clinic which are reflected on the purposes of this activity The purposes of this activity are the following:a) The provision of dental and / or orthodontic services (depending on the department that is involved) in medically correct and/or responsible manner, in accordance with the agreed treatment (e.g. Invisalign method of treatment) and the doctors’ code of conduct;b) For the purposes of identification of our patients and their external doctors and the verification of their identity;c) the communication with our patients and their external doctors in the course of their treatment;d) Compliance with ISO procedures;e) The efficient organisation and operation of the medical practice and its accounting books;f) To justify the Clinic’s income and provide evidence under tax laws and regulations;
- To maintain the good and efficient operation and organisation of the Clinic, the safe storage of Personal Information and the protection of the environment through the filing Personal Information in an electronic form thus reducing the use of paper;
- To prepare materials to be applied to a patient’s mouth in the course of his/her treatment;
- to obtain technical support and test the functionality and effectiveness of the technical support;
- To enable us to pursue available remedies and defend our case in the course of a court case or to limit the damages that we may sustain.
The Personal data processed in the Pediatric dentistry department are as follows: Name of patient, parent’s or legal guardian’s name, reference number of patient, agreed work / treatment, the treatment which has provided, the treatment history and duration, billing amounts and records and statements of payment, name of insurance company, the responsible doctor’s name and medical personnel, treatment dates and dates of visits, landline and/or mobile telephone number of patient / parent / guardian / other relatives (e.g. grandparents) / responsible persons (e.g. nannies), the home and/or work address of the patient, the email address of the patient / parent / guardian, the fax number of the patient / parent / guardian, the date the patient is scheduled to visit again to the purposes of a review following the treatment, x-rays and photographs of patients, the patient’s dental prints and the date the prints were made, New patient Form, Agreements/Consent forms for dental treatment of underage patients, Lab Tickets, Caring Calls Schedule to check up on patients following their treatments, Radiography reference documents, references to chemical laboratory, references by paediatrician of patient, Post-Operative Instructions, Pre-Surgical Information Form, medication from us or which we requested patients to take at home, other documents necessary for treatment, such as documents from other physicians/doctors, details about allergies, illnesses or special medical conditions of patients from other doctors in the event that a surgery will be handled by our Clinic then any references and/or authorisation from external doctors of patients and information about children with special needs and disabilities. The Personal data processed by the orthodontic department are as follows: Patient name, parent / guardian name, reference number of patient, agreed treatment, treatment which has been provided, treatment history and duration, home and/or work address, witness name on the service contract, the amount charged for the provision of treatment, and payment details, records and statement, name of patient’s insurance company, name of the responsible doctor and medical personnel, dates of treatment and dates of visits, landline and/or mobile telephone number of patient and / or parent / guardian / other relatives (e.g. grandparents) / responsible persons (e.g. nannies), the email address of the patient / parent / guardian, the fax number of the patient / parent / guardian, patient’s photographs and x-rays, the patient’s dental prints and the date the prints were made, the date the patient is scheduled to visit again to the purposes of a review following the treatment, New patient form, orthodontic treatment plans/schedule, Invisalign orthodontic treatment plans/schedule, up-to-date consent to Invisalign treatment and Invisalign Patient Contract, Lab Ticket, Caring Calls Schedule to check up on patients following their treatments, references from orthodontic to dentist, Patient Dental Hygiene Assessment Certificates by the treating dentist, Patient Comments after the end of orthodontic treatment, other documents necessary for treatment such as documents from other doctors, details about allergies, illnesses or special medical conditions of patients from other doctors, references and/or authorisation from external doctors of patients in the event that a surgery will be handled by our Clinic and information about children with special needs and disabilities. For the Pediatric dentistry department the Personal data is retained for 15 years following the end of the treatment and the last entry in the records. However, in case of an ongoing lawsuit, the Personal Information may be kept until the lawsuit is resolved. Also in the event that there is reasonable suspicion of a lawsuit the period may be extended to up to 10 years after leaving In case of an ongoing lawsuit, the Personal Information may be kept until the lawsuit is resolved. For the Orthodontic department the Personal data is kept for up to 15 years. However, in case of an ongoing lawsuit, the Personal Information may be kept until the lawsuit is resolved. Also in the event that there is reasonable suspicion of a lawsuit the period may be extended to up to 10 years after leaving In case of an ongoing lawsuit, the Personal Information may be kept until the lawsuit is resolved.
The Personal data that are processed are in electronic and paper form and are protected accordingly (see below). Access to individuals other than authorised personnel described below is not allowed unless management gives their permission.
The Personal data may be received and / or disclosed to the following individuals and organisations:
- Personal data in the Clinic’s server might be disclosed to the programmer and/or the information technology technician of the Clinic in the context of technical support with the permission of the management;
- to the Clinic’s external laboratory by the orthodontic department in general and by the internal laboratory, that provide them with the patient’s name, their dental prints and the date of the dental prints were made; and
- external doctor, if this is requested by a patient;
- to individuals and organisations abroad, including countries outside the European Economic Area, such as the United States of America. For example:
- upon agreeing to follow the Invisalign method of treatment the orthodontic department send the patient’s full name and his/her dental prints to the United States in the process of the orthodontic treatments;
- our doctors in our Clinic send the full name and the dental prints of patients to doctors and laboratories in other countries in the course of treatment.
- the management sends the name of the patient and their contact details to clinics where the surgeries take place for the purpose of identification of the patient by the clinic.
There are also confidentiality agreement between our laboratory, the clinics and Invisalign with our Clinic for the protection of Personal data.
- Access to and use of patient records
I. Doctors and medical assistants They have access to and use patients’ records during and in preparation for the treatment. The legal basis is the treatment contract between our Clinic and the relevant patient and/or their legal guardian.
The purpose of accessing the record is generally to provide the right treatment and examination, especially in cases of emergencies, or additional treatment that the patient may need. In particular, in relation to the medical assistants the purpose is to enable them to support doctors in providing the right treatment (e.g. preparation of tools for use by dentists) and for them to call the same day or one day after treatment using the information of the “Caring Call” form to check on the patient and assess whether there is anything the doctor needs to look into or know about the patient’s recovery.
The Personal data processed are those listed in section “Maintenance and updating of patient records” above.
The above Personal data kept in electronic form and protected accordingly, and at the time of use of the file the only Personal data that visible are those of the patient who is being treated at that moment. The patient present does not have access to the computers and is under the supervision of the doctor or the medical assistant in the area where the treatment take place.
II. Reception
Members of our reception have access to and use patients’ record and manage appointments and payments.
The legal basis are on patient’s consent and/or treatment agreement and/or the legitimate interests of our Clinic that are reflected in the purposes of the processing activity.
The purposes of this activity are the following:
- in the intervals of our telephone customer service in order to handle patients’ needs, the schedule of appointment, to manage emergencies,
- to remind patients of appointments via phone calls and / or sms,
- to schedule the time and day for subsequent appointments based on the treatment which has been administered on the relevant patients and the treatment they will be administered,4. to receive payment, to provide patients with information in relation to payment of invoices and to update the patient record of payments and to send reminders for the payment of bills, 5. to receive mechanisms or other forms / radiographs / prescriptions, etc.
The Personal data processed are listed in section “Maintenance and updating of patient records” above.
It is kept in electronic and paper form and the computers and drawers at the reception, they are protected accordingly (see below), are under constant supervision by the Clinic’s staff.
III. Management The management has access to and use patient records. The legal basis of this processing activity is their consent of patients and/or their legal guardians and/or a service/treatment contract with the relevant patient and/or their legal guardian and / or the legitimate interest of the Clinic which reflects the purpose of the activity. The purposes of this activity is the communication with patients in relation to payments, complaints, treatments, and other matters in relation to the coordination of the clinics services to them and the execution of the service/treatment contract and the investigation of trends and statistics in relation to patients, e.g. how many have come within the year, how many have left.
The Personal data processed are those listed in section “Maintenance and updating of patient records” above.
It is kept in electronic and paper form and protected accordingly (see below notes in relation to the method of protection).
- Receipt of complaints and maintenance of Complaints Register
In relation to the complaints, the provision of the Personal data specified below is not necessary for the provision of our services and/or the performance of the contract and/or transaction and/or the conclusion of a contract between the Clinic and the data subject. However, depending on the Personal data that has been withheld, failure to provide them might not enable us to provide any sort of relief to the complaint. The Clinic as a whole but primarily the management and the reception of the Clinic receive complaints which are then stored by the management in the Complaints Register which is kept and maintained by the management. The legal basis for this activity are the consent of Personal data subjects and/or their legal guardians and / or the legitimate interest of the Clinic which mirrors the purpose of this activity. The purpose of the activity is to register the complaint in the Complaints Register, informing the relevant department of the complaint in order to prevent any recurrence of the event giving rise to the complaint and / or to improve the services provided by our Clinic and to handle complaints and their causes. The Personal data processed are the name of patients, and the name of the handling doctor or assistant and the treatment that is and/or has been followed.
Such Personal data are kept for a period of 5 years from the date of receipt.
The relevant department receiving the complaint is informed in relation to the complaint but does not store. The department delivers as soon as possible to the management. The Management is then responsible to close the complaint and file it to the Complaints Register. We maintain a confidentiality agreement with the members of staff and the time for Personal data to be kept by the staff is very limited. The Personal data stored in paper form and are protected accordingly (see below) and only the management has access to the Complaints Register.
- Patients’ photographs
In relation to patients’ photographs, the provision of the Personal data specified below is not necessary for the provision of our services and/or the performance of the contract and/or transaction and/or the conclusion of a contract between the Clinic and the data subject. The Management collects, maintains and updates a file with patients’ photographs in various cases which are then presented on the Clinic’s website, in documents and presentation to the public. The legal basis for this activity is the explicit consent of patents and/or their legal guardians and in the event that the data subject wishes to withhold or withdraw their consent they will not be negatively affected in any way. The purpose of this activity is the presentation of photographs of patients’ incidents on the website, in medical and scientific seminars and presentations, online newspapers and publications with a scientific focus. The Personal Information processed consists of patients’ photos before and after treatment, details of each patient’s case and the treatment that has been followed. Access to these photographs is public to the extent that they have been published and they may be presented in countries outside the European Economic Area. Such Personal data are retained for a period of 10 years following the end of the treatment. To the extent that these photographs have not been printed for presentation purposes, they are in electronic form and are protected accordingly.
B. Personnel
- Collection, maintenance and access to personnel’s records
The management collects, maintains, updates and has access the personnel files.
The legal basis for this activity is Kokkinou’s legal obligation under the Social Insurance Law and / or Social Insurance Regulations and / or the Income Tax Law and/ or the General Data Protection Regulation and / or the employment contract between members of the personnel and Kokkinou and / or the legitimate interest of the Clinic which reflect the purpose of that activity. Failure to provide the following data might result in the employment being rendered illegal and / or in an inability to perform the employment contract, which might thus result in the termination of the contract and the employment relationship.
The purpose of this activity is to staff the Clinic, to keep accounting books in order and compliance with tax, social security and Personal data protection legislation and to have and maintain the good and efficient operation and organisation of the Clinic, the safe storage of Personal data and the protection of the environment by storing a substantial amount of the records in an electronic form thus reducing the use of paper, to facilitate the coordination and communication between the management and the employees and among the employees themselves in the intervals of their employment .
The Personal data processed are the following: CV, copies of identity cards/passports, medical examinations, medical history (vaccinations), home address, personal phone numbers, social insurance number, salary-payroll, annual leave, sick leave and supporting documents, confidential letters to members of staff, annual performance appraisals, employment contracts, trainings, seminars, debiting of equipment form.
They are kept for 6 years after a member of staff leaves the Clinic, unless there is a suspicion of a lawsuit in which case the period may be extended to up to 10 years after leaving. In case of an ongoing lawsuit, the Personal Information may be kept until the lawsuit is resolved. The Information may be received and / or disclosed to Social Security, Income Tax, and/or other government agencies and public authorities, and/or to the programmer to whom management provides access to the Clinic’s server in the context of his/her technical support. Access to Information is only possible upon permission by the management. The above Personal information is stored in electronic and printed form and protected accordingly (see below).
- Collection and maintenance of computer passwords record and provision of access
The management and the IT provider collect, maintain and update the computer access password of members of staff and may provide access to it. The legal basis for this activity are the legal obligation to protect medical confidentiality and to protect Personal data under the General Data Protection Regulation and/or the legitimate interests mirrored by the purpose of this activity.
The purpose of this activity is to maintain high levels of Personal data protection and the protection of the physical property and intellectual property of the Clinic by restricting access to computers to authorised personnel and enabling the identification of who has entered a particular computer. Failure to provide the following data might result in the Clinic breaching its legal obligations and thus any refusal to such processing might result in the termination of the employment with the relevant member of personnel.
The Personal data that are processed are the Passwords used by members of staff. The Information may be received by the security service provider upon request and permission by the management. These Personal data are deleted as soon as practicable following termination of an employee’s employment. These Personal data are in electronic form and are protected accordingly (see below) and their protection is also governed by a confidentiality agreement between our ΙΤ service provider and our Clinic.
- Presentation of personnel on the website
The management uploads and presents photographs of members of staff and a small CV on their website. The legal base for this activity is the explicit consent of members of staff and/or the legitimate interest of the Clinic for the patients to become more familiar with our personnel and for the legitimate interest of the personnel to be recognised by the patients. In the event that consent is withheld and/or a member of the personnel wishes for their Personal Data not to appear on the website there will be no negative discrimination against him or her based on that fact. The activity is aimed at promoting the members of staff and make them more recognisable and approachable to patients. The Personal data processed include names, photos, titles, studies, work experience and photographs of members of staff. Such Personal data shall be publicly available on the website of the Clinic. The Personal data will be deleted as soon as possible after the individual’s employment is terminated. To the extent that they are not published, the Personal data are stored in an electronic form in our servers and protected accordingly.
- Collection, maintenance and update of records of access cards
The management updates the access card records and the security service provider stores them. The legal basis for these activities are the consent of members of members of staff and / or the legitimate interests of the organisation that mirror the purpose of this activity. The purpose of the updating is to maintain high standards of security in the building and to protect the building, equipment and property within the building against any criminal or other activity and the purpose of the storage is to store the Personal data securely and enable the functioning of the security system of the doors. Failure to provide the following data might result in the Clinic breaching its legal obligations and thus any refusal to such processing might result in the termination of the employment with the relevant member of personnel. The Personal data that are processed are the holder’s name and the number and/or code of each access card. The Personal data may be received by our security service provider. The Personal data are retained for a period of 1 year from the termination of employment. The Personal data is stored in electronic form and to the extent that the security service provider has access there is a contractual relationship of confidentiality with the organization for the protection of Personal data.
C. Personnel candidates
- Collection, maintenance and updating of and access to personnel records
The management maintains and has access to the record of personnel candidates. The legal base for this activity is their consent and / or the need to take steps to conclude an employment contract and / or the legitimate interest of the Clinic that is reflected in the purpose of the activity. The purpose of this activity is to investigate the probability of employing an individual and/or to suitable staff, to communicate with them in relation to the appointment of interviews, to request any due diligence information for the purpose of entering into an employment contract and to examine their suitability for a position in the Clinic. Failure by the candidates to provide the below Personal data may result in their elimination from the interviewing process and/or in an inability to communicate with them to arrange for the continuation of the interviewing process.
The Personal data processed are the following: CVs and evaluation forms during interviews. During the second interview, we also ask for and / or receive proof of the data listed in CVs eg. Degrees / diplomas. These Personal data are maintained for a period of up to 1 year after the vacancy has been filled. These Personal data are stored in electronic and paper form and protected accordingly (see below).
D. Associate doctors
The management collects, maintains and updates a record of associate doctors.
The legal basis of this activity are the legal obligations of the Clinic under the Social Insurance Law and / or the Social Insurance Regulations and / or the Income Tax Law and/or the General Data Protection Regulation and / or the contracts between associate lawyers and the Clinic and / or the legitimate interest of the Clinic that is reflected in the purposes of that activity. Failure to provide the following data might result in the employment being rendered illegal and / or in an inability to perform the employment contract, which might thus result in the termination of the contract and the professional relationship.
The purpose of this activity is to enable associate doctors to effectively work in the Clinic, to provide their services, to cooperate with the rest of the Clinic’s personnel, for them to be identifiable by the Clinic, to keep our accounting books in order and comply with tax and social security laws. The Personal data that are stored are of the same type with the Personal data that are stored in relation to the members of staff (see above). The Personal data may be obtained if requested by the public authorities. The above Personal data is retained for a period of 6 years after termination of the cooperation, unless there is a suspicion of a lawsuit, in which case they are kept for a period of 10 years. In case of an ongoing lawsuit the above information may be kept until the lawsuit is resolved. They are in paper form and are protected accordingly (see below).
E. Website users
Our website collects information related to the activity of persons entering the website of the Clinic and monitors the behaviour of visitors in the website, e.g. through the use of cookie. ‘Cookies’ are small files which may be installed on your device when you visit a website and their purpose is to act as tracking devices that track your activities on our websites and to help the site provide a better user experience. They cannot access, read or change any of the Personal data that is stored on your device. In general, cookies are used to retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third party applications like Google Analytics. As a rule, cookies will make the data subject’s browsing experience better. However, they may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in the internet browser (e.g. Google Chrome, Firefox, Safari etc.) used by the data subject. We suggest consulting the Help section of browser or taking a look at the About Cookies website which offers guidance for all modern browsers The legal base is the consent given on entering the website and / or the legitimate interest of the Clinic which reflects the purposes of this activity and supported by the cookies warning which appears when people enter the site. The Personal data processed are information related to the behaviour and activity of the persons visiting the website, such as the IP of their device. The purpose of this activity is to collect information about the behaviour and activity visitors of the website, to generate usage statistics of our website and enforce the terms and conditions of use of our website. The collection of information ends when people leave the site and the Personal data are stored for 3 years. These Personal data may be received by the designer of the Clinic’s website.
F. Website message senders – “Contact Us” online form
The management collects, uses and has access to Personal data provided through the “contact us” form located on the Clinic’s website. The legal basis for this processing activity is the consent of the individual by whom the information is received and / or the taking of necessary steps to enter into a contract and / or the legitimate interest of the Clinic that mirrors the purposes of this activity. Failure to provide the Personal data required will make it impossible to communicate with the sender. The Personal data collected are the name, surname, e-mail address and phone number of the persons who complete the contact form. The purpose of this activity is to respond, if necessary, to individuals who want to communicate with us in relation to the matter/s mentioned in the “contact us” form. These Personal data may be received by the designer of the organization’s website. These Personal data are kept for a period of 1 year following the last communication. The Personal data are in an electronic form and only the management and protected accordingly (see below) and no other member of staff has access to them.
G. Suppliers
- Collection, maintenance and updating of suppliers’ records and access to it
The management collects, maintains and updates records of suppliers and service providers in which Personal data of either the providers themselves and/or their employees may be recorded. The legal basis for this activity are the consent of the data subjects and / or the services and/or product contract with the Clinic and / or the legitimate interests of the Clinic which mirror the purpose of the activity. The purposes of this activity are restricted to the provision of services and / or products by the suppliers and/or service providers and in particular the Personal data are used to facilitate the communication with suppliers in the intervals of the execution of a contract and to receive or request supplies and/or services from suppliers which are needed for the operation of the Clinic and the provision of treatments. Failure to provide the below Personal data will make make it impossible to enter into a contract and/or to communicate for the purposes of the execution of the contract. The Personal data processed may include personal telephone numbers and e-mail addresses of the suppliers and/or their employees.
The above Personal data are kept for a period of 6 years following the end of the cooperation between the suppliers and the Clinic unless there is a suspicion of a lawsuit, in which case the Personal data shall be kept for 10 years. In case of an ongoing lawsuit the above Information may be kept until the lawsuit is resolved.
The above Personal data are in paper form and are protected accordingly (see below).
H. Visitors of the building
- Collection, maintenance, management, access to and transfer of CCTV files and footage
The management collects, maintains and accesses a closed circuit television system (CCTV) on the 2nd and 3rd floor, in public spaces and the outside of the Clinic’s building, such as at the entrance to the building and in the parking area, where the degree of supervision which we may have is limited and/or occasional.
This activity is done on the basis of the legitimate interest of the Clinic or of third parties which is identical to the purposes of the activity and as a means of compliance with the General Data Protection Regulation.
The purpose of the activity is to maintain the safety and security of the building and visitors, to prevent occupier’s liability against the Clinic as the owner of the building and to prevent crime and gather evidence in the event of criminal activity. Monitoring of staff or visitors to the building for any other reason is prohibited.
The Personal data being processed is the visual recording of the users ‘and visitors’ images who move in places where the cameras are located.
The Personal data may be received by and/or disclosed to our security service provider and/or governmental authorities such as the police.
Such Personal data are deleted after 2 weeks.
This Personal data are kept in electronic form and the monitor from where they are accessible is available only to the management and / or under the supervision and / or permission of the management.
There are also signs that inform visitors about the existence of the CCTV, the cameras do not point towards members of staff and any disclosure made to our security service provider is subject to a confidentiality agreement.
I. Recording of Telephone communications and access to the recording
The Management records the telephone communications of the Clinic.
The legal basis of this activity are the existence of a contract with patients and/or their legal guardians and / or the legitimate interest associated with the purpose of the activity.
The purpose of the activity is to provide better services, to train members of staff and to improve the service of the patients and the persons communicating with the Clinic.
The Personal data processed are any personal data that may be recorded in the course of a telephone conversation, including name, telephone number, doctor’s name, treatment and scheduled appointments.
The Personal data may be received by the telephone service provider but only following the permission from the Management for the provider to access the clinic’s server
Such Personal data are held for a period of 1 year from the telephone communication recorded
This Personal data are in electronic form and are protected accordingly (see below) and there is a confidentiality agreement between the service provider and the clinic.
J. Miscellaneous
We may also process any other type of information which you may choose to provide to us or we may obtain about you through third parties with whom we do business during the execution of the purposes explained above.
If you submit any Personal data relating to other people to us, especially Personal data of minors, in connection with the services, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy which is provided at the reception desks of our Clinic and/or in our website.
The legal basis for such processing might be your consent and/or your legitimate interest in carrying out your request.
Ways Personal Information is collected
We and/or agents and/or affiliates may collect Personal data either:
- directly from you (i.e. face-to-face contact or e-mail or fax or courier sent from you);
- indirectly from you (i.e. a person/body acting on your behalf);
- through or with the assistance of a third party who have first obtained your permission to share this information with us (e.g. a person/body providing information in the course of services provided to you or in the course of their legal obligations, your employer, our and/or your associates, introducers and other third parties);
- a publicly available source (e.g. a directory); and/or
- Another source whether these are provided in writing or verbally and in providing any part of our services.
The methods used for the collection of your Personal data are the following:
- requests and/or messages sent through our website;
- when you communicate with us and/or with any member of our staff over the phone or via online chat-texting services or a social media service which may include Viber, WhatsApp, Linked in, WeChat, Messenger, Facebook, or other online social media services when you sign up;
- when you visit our Clinic and/or when you have an appointment with a doctor or any member of our staff whether in our Clinic or in another location; and/or
- from publicly available databases and websites.
In the event that we receive information from third parties, as opposed to directly from you, provided that they are lawfully entitled to share your Personal data with us, we will use and/or disclose and/or share this information in accordance with the purposes described above. Also in the event that your Personal data are collected in this way, then we will bring to your attention the information included in this Policy along with the source from which the Personal data originate, and if applicable, whether it came from publicly accessible sources. This information shall be provided to you within a reasonable period after obtaining the Personal data, but at the latest within 1 month, except where the Personal data are to be used for communication with you, in which case we will provide you with the above information the latest at the time of the first communication with you. However, if the above information is envisaged to be disclosed to another recipient then the above information shall be disclosed the latest when the Personal data are first disclosed to the new recipient, despite the fact that none of the previous deadlines has passed. Of course, no such information would need to be provided:
- where you already have this information;
- where the provision of this information, for some reason, proves impossible or would involve disproportionate effort to obtain;
- obtaining or disclosure is expressly laid down by Union or Member State to which we are subject, and which provide measures to protect your legitimate interest; and/or
- in the event where the Personal Information must remain confidential subject to an obligation of professional secrecy.
Disclosure, Sharing and Transfer of Personal data
KOKKINOU will not, in any way and in any event, directly or indirectly, sell any of your Personal data to any third party. Any information supplied will be confidential and will be handled in accordance with the applicable laws and regulations.
Your Personal Information may be shared with the below entities and/or people, which may involve cross-border transfer of information to third parties in countries outside the European Economic Area:
- our authorised personnel who have been instructed in relation to the processing of personal data which are expected to carry out;
- our information technology specialists and/or suppliers and/or service providers;
- our programmers;
- accountants and/or auditors;
- our office at Nicosia;
- doctors of the Clinic;
- associate doctors and/or dentists who assist as in the provision of our services;
h) associate firms and labs which provide as with necessary dental mechanisms which is used for the treatment of patients;i) our legal consultants and/or advocates and/or solicitors and/or barristers and/or lawyers;j) the Commissioner of Taxation in Cyprus, the Employment office of the Republic of Cyprus, Social Insurance Service and any other regulators or supervisory authorities;k) banks;l) providers of professional indemnity insurance and medical insurance in relation to our employees;m) in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings), we may share your Personal Information to a third party for the purposes of the aforementioned event;n) with professional and regulatory organisations such Ministry of health, the Cyprus Dental Association, the Council of European Dentists and any other organisation;
Where your Personal Information is transferred by our Clinic to a country outside the European Economic Area (EEA), KOKKINOU shall ensure that the country to which the Personal Information is transmitted and where the recipient of the Personal data keeps satisfactory level of data protection measures.
Where there is no confirmation from the European Commission that a particular country, which is outside the EEA, keeps satisfactory level of protection, then the standard contractual clauses which have been approved by the European Commission will be used for the purpose of data. If this is not possible then the other means of lawful transfer which are provided by the Regulation will be used.