Confidentiality and Personal Data Security Policies

(in accordance with Regulation EU 2016/679)

  1. Patient’s Personal Data (PD) collected by KARYO Ltd

KARYO Ltd processes personal data to ensure the validity of test results as well as the traceability between samples and patients.

KARYO Ltd collects data in order to function efficiently and offer the best medical services. Data is collected for specific, explicit and legal purposes and is not further processed in any way that is incompatible with these purposes.

Data are kept in a form which allows the identification of the data, and only for the period of time required by the purpose of processing personal data.

The provision of accurate and complete information is very important for the security, quality and efficiency of the results that are provided. If the information you provide us with is not precise and complete, this could affect our ability to deliver safe and efficient services.

  2. Collected Data

The data we collect are the following:

Full name and contact details. We record your name and surname, e-mail, postal address, contact telephone numbers and other similar contact details.

Data of your medical history and test results.

Demographic data. We collect data regarding your age and your sex.

Financial data. Tax Registration Number, medical insurance (including your Social Security Number), any private health insurance, referrals for testing (National Organization for Health Care Services – EOPYY).

  3. How will my data be processed by KARYO Ltd

After the patient has submitted their data to KARYO Ltd, the authorized personnel will proceed, for the reasons mentioned above, to perform all acts or series of acts of processing of the patient’s data with the use of automated or semi-automated means, such as collection, registration, organization, correction, saving, adjustment, change, recovery and search of data. Through these automated/semi-automated processes, KARYO Ltd can make decisions faster, more accurately, more transparently and more consistently.

  4. How long will KARYO Ltd keep the patient’s data on file

The period that data is kept is ten years in both paper and electronic form. KARYO Ltd lawfully keeps medical data in accordance with the applicable Greek legislation.

  5. What are the rights of the patient regarding the processing of their data?

The patient may exercise, on a “case by case” basis, the following rights: the right to access (so as to find out what data is processed, for what purpose and the recipients to whom the data will be disclosed), to rectify (to rectify possible incomplete or inaccurate data of the submitted information), to erasure (right to be forgotten) (erasure from KARYO Ltd files when the processing of said data is no longer necessary), to restriction of processing (in case the accuracy of the data is contested etc.), to data portability (patient will receive data in a structured and commonly used format).

These rights are exercised without incurring any costs on the patient by sending an e-mail to the Data Protection Officer.

Should the patient exercise any of the above rights, KARYO Ltd will take all possible measures in order to address the patient’s request within thirty (30) days upon receipt of said request, once KARYO Ltd has been informed of the request being addressed or the objective reasons barring it from being addressed.

Furthermore, the patient may at any given time object to the processing of his/her personal data for the purposes of the contract of services, by withdrawing his/her consent. However, this will result in the termination of the contract of services with the patient and the non-provision of services by KARYO Ltd because (in accordance with the above) no service can operate without the processing of the personal data of the patient (data subject).

  6. How is the safety of the patient’s data ensured?

Data security is KARYO Ltd’s absolute commitment. In order to ensure said security, all contemporary technical and organizational measures appropriate for the purposes of the processing are employed, and their effectiveness is assessed by KARYO Ltd on a regular basis. As such, a series of security technologies and processes help us protect your personal data from unauthorized access, use or disclosure. Your data is collected on paper, converted into a safe digital copy and the documents are then safely stored or destroyed.

  7. Where is the data transmitted to

The patient’s data is transmitted to the departments of KARYO Ltd authorized to complete the provided service and to ensure its correct and smooth function. All the personal data is processed by personnel authorized to handle personal data. In every transmission, KARYO Ltd takes every measure so that the transmitted data are the minimum required and that the legal and legitimate requirements for their processing apply.

  8. Personal data to third parties

The patient should know that, in accordance with Greek legislation, personal data is provided to public social security institutions (EOPYY) and other private social security institutions where the patient is insured (e.g. private insurance companies).

  9. Patient’s right to deny the provision of data

The patient has the right to deny the provision of his/her personal data as prescribed by the legislation in force. However, he/she should be informed that in such a case where he/she does not provide some or all of his/her personal data that are deemed necessary for the performance or the results of the examination, there is a possibility of a false result. KARYO Ltd reserves the right to cease the provision of services to the patient. The only exception is when the sample is classed as urgent for processing. In that case, the sample is processed and subsequently the client’s/patient’s personal data is requested.

  10. Complaints

For any issue regarding the processing of your data you may contact the Data Protection Officer (DPO) of KARYO Ltd via telephone: 2310235233 and e-mail: dpo@karyo.gr

Furthermore, the patient reserves the right to contact the competent authorities and submit the relevant complaints. For Greece that is: Hellenic Data Protection Authority (Kifissias street 1-3, P.C. 115 23, Athens), or digitally at www.dpa.gr