“SmartFeet RIX” Ltd PERSONAL DATA PRIVACY POLICY at the clinic
INFORMATION ABOUT THE CONTROLLER AND ITS CONTACT DETAILS
- [1] The controller of personal data processing is “SmartFeet RIX” Ltd and the medical institution “Podiatry Academy” (hereinafter – the Academy), unified registration No. 40203307684, legal address: Vasarnīcu iela 1b, apt.3, Saulkrasti, LV-2160, medical institution code: 001000023.
- [2] Contact information for questions related to personal data processing is:
- a. By correspondence: Skanstes iela 50, Riga, LV-1013
- b. By phone: 25747979
- c. By email communication: [email protected]
GENERAL INFORMATION
- [3] The purpose of the privacy policy is to provide the individual - the Data Subject - with information about the purpose, legal basis, scope, protection, and retention period of personal data processing at the time of data acquisition and processing of the Data Subject's personal data.
- [4] The privacy policy applies to ensuring privacy and personal data protection in relation to:
- a. natural persons – patients of the Academy (including potential, former, and current patients);
- b. visitors to the Academy, including those subject to video surveillance;
- c. visitors to the Academy's website.
- [5] The privacy policy applies to data processing regardless of the form or environment in which the Patient provides personal data (in person, on the Academy's website, in paper format, or by phone).
- [6] The Academy cares about the privacy and personal data protection of Patients, observes Patients' rights to the lawful processing of personal data in accordance with applicable laws and regulations - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter – the Regulation), the Personal Data Processing Law, the Patients' Rights Law, and other applicable regulatory acts in the field of privacy and data processing.
- [7] In its activities, the Academy:
- a. protects the Data Subject's personal data by implementing administrative, technical, and physical security measures to the extent reasonably proportionate to possible risks;
- b. informs and explains which personal data are necessary for receiving services and how they will be used;
- c. transfers data to third parties in accordance with the applicable regulatory framework;
- d. implements regular training and information measures for its employees on personal data protection issues to reduce the likelihood of possible incidents;
- e. implements internal control procedures to help reduce the likelihood and consequences of security incidents.
PURPOSES AND LEGAL BASIS OF PERSONAL DATA PROCESSING
- [8] The Academy processes personal data for the following purposes:
- a. Provision and administration of healthcare services:
- i. patient identification;
- ii. scheduling appointments with the Academy's specialists;
- iii. preparation of the patient's medical documentation in accordance with the requirements set by regulatory acts;
- iv. reminders to patients about scheduled visits to the Academy's specialists;
- v. conducting medical examinations;
- vi. conducting doctor consultations and medical procedures;
- vii. assessment of the health status of patients or other individuals;
- viii. administration of settlements;
- ix. debt collection from debtors;
- x. handling patient complaints and quality control;
- xi. promotion of patient loyalty, satisfaction measurements;
- xii. preparation and conclusion of contracts with patients;
- xiii. maintenance and improvement of websites;
- b. conducting scientific activities regarding clinical studies;
- c. providing information to state administrative institutions and operational entities in cases and to the extent specified in external regulatory acts;
- d. ensuring the safety and property protection of patients and Academy employees;
- e. inputting information into the National Unified Medical Information System (E-health).
- [9] The Academy processes patients' personal data based on the following legal grounds:
- a. for establishing medical diagnoses, for treatment purposes (Regulation Article 9(2)(h));
- b. with the data subject's (patient's) consent (Regulation Article 9(2)(a), Patients' Rights Law Article 10(2));
- c. for compliance with regulatory acts - to fulfill the Academy's obligations or the data subject's rights specified in external regulatory acts (Regulation Article 9(2)(b), Patients' Rights Law Article 10);
- d. in cases where processing is necessary to establish or defend the Academy's legal interests in court (Regulation Article 9(2)(f));
- e. in cases where processing is necessary to ensure the Academy's legitimate interests (organizing an efficient healthcare service delivery process, ensuring an effective patient appointment and cancellation process, receiving payment for provided healthcare services);
- f. in cases where processing is necessary for the performance of a contract with the data subject (patient) or to take steps at the data subject's request prior to entering into a contract (Regulation Article 6(1)(b));
- g. in cases where processing is necessary to protect the vital interests of the data subject (patient) or another natural person (Regulation Article 6(1)(d)).
SCOPE OF INFORMATION COLLECTED
- [10] In its core activities, the Academy primarily obtains from the Data Subject basic information necessary for the unambiguous identification of the individual for the provision of medical services and communication:
- a. First name
- b. Last name
- c. Personal code (identification number)
- d. Address
- e. Phone number and/or email address
- [11] In the course of providing services, the Academy may obtain additional information from the Data Subject and from other third parties, which primarily includes, but is not limited to, referral information, information about previous medical cases, and information obtained during a specific medical episode.
- [12] The specific amount of information depends on the specifics of the service to be provided and the applicable regulatory acts governing the conditions for providing the service.
- [13] The Academy recognizes that by providing its services, it processes health data, which are considered a special category of personal data in the context of the Regulation.
PERSONAL DATA PROCESSING AND PROTECTION
- [14] The Academy processes Patient data using modern technological capabilities, taking into account existing privacy risks and the organizational, financial, and technical resources available to the Clinic.
- [15] The Academy continuously improves and supplements its available technical solutions, considering current industry trends and offered opportunities, based on identified risks.
CONDITIONS FOR DATA USE AND DISCLOSURE
- [16] Personal data held by the Academy and obtained during the provision of services are used for:
- a. ensuring the operation of the Academy and to the extent necessary for providing the highest possible quality of service;
- b. establishing cooperation with other third parties for the implementation of the patient's treatment process.
- [17] When cooperating with third parties regarding the acquisition and transfer of necessary data, the Academy acts only in accordance with regulatory acts governing the Academy's possibilities regarding the implementation of personal data exchange measures.
- [18] In its daily activities, the Academy implements measures to minimize the scope of personal data processing for its employees, ensuring that employees have access only to the data of those patients necessary for the performance of their job duties.
- [19] The Academy ensures that personal data in its possession are issued only to the Data Subject. Data disclosure to third parties, including persons related to the Data Subject, is carried out only in cases where written consent from the Data Subject has been received or there is a case specified in regulatory acts that allows such data transfer.
- [20] The Academy does not transfer data in cases where it cannot verify the identity of the Data Subject or there is suspicion that the identity presented by the Data Subject does not match the true identity.
- [21] In cases where data transfer is carried out using email communication, the Academy ensures that such action is performed only after receiving the Data Subject's consent.
- [22] When transferring data using email communication or other online data exchange solutions, including information system self-service platforms, the Academy implements measures to protect the relevant data by applying data access protection or encryption methods.
- [23] The Academy transfers Personal Data to third parties, ensuring that the respective third parties maintain the confidentiality of Personal Data and provide appropriate protection.
- [24] The Academy is entitled to transfer Personal Data to the Academy's service providers who help the Academy fulfill its functions. In such cases, the principle of data minimization applies to the data being transferred.
- [25] In the case mentioned in point [24], the Academy's service providers who receive and process personal data are considered data processors under the Regulation, and a written contract is concluded with them, stipulating that the Academy requires data recipients to undertake to use the received information only for the purposes for which the data were provided and in accordance with the requirements of applicable regulatory acts in the field of data processing and data protection.
- [26] The Academy transfers data to third countries (countries outside the European Union and European Economic Area) only in cases where written consent from the Data Subject has been received.
DURATION OF PERSONAL DATA RETENTION
- [27] The Academy stores and processes Patient personal data as long as at least one of the following criteria applies:
- a. while obligations arising from the contract concluded between the Academy and the Patient are being fulfilled or the Patient is receiving healthcare services;
- b. while the Academy has a statutory obligation to retain the relevant data;
- c. while the request/application submitted by the Patient is being fully considered and/or fulfilled;
- d. while the Academy has consent for the relevant personal data processing, if there is no other legal basis for data processing;
- e. Personal data obtained through video surveillance (video recordings) are stored for no longer than 30 days from the date of recording.
- [28] When the conditions requiring further storage of Patient data no longer exist, the Patient's personal data are deleted.
ACCESS TO PERSONAL DATA AND OTHER PATIENT RIGHTS
- [29] The Academy ensures the patient's right to receive information specified in regulatory acts regarding the processing of their data.
- [30] The Patient, in accordance with regulatory acts, also has the right to request access to their personal data from the Clinic, as well as to request the Academy to supplement, correct, or delete them, or to restrict processing in relation to the Patient, or the right to object to processing, as well as the right to data portability. These rights are exercised to the extent that data processing does not arise from the Academy's obligations imposed by applicable regulatory acts.
- [31] The Patient may submit a request to exercise their rights:
- a. in writing in person at the Academy, presenting an identity document;
- b. by email, signing the letter with a secure electronic signature and sending it to the email address: [email protected]
- c. by sending the Academy a letter by post.
- [32] Upon receiving the Patient's request to exercise their rights, the Academy verifies the Patient's identity, reviews the request, and fulfills it in accordance with regulatory acts.
- [33] The Academy provides a response to the Patient as soon as possible, taking into account the response method indicated by the Patient.
- [34] If the response is sent by post, it is addressed to the data subject (the person whose personal data are requested) in a registered letter. If the response is provided electronically, it is signed with a secure electronic signature (if the application was submitted with a secure electronic signature).
- [35] The Academy ensures compliance with data processing and protection requirements in accordance with regulatory acts and, in the event of a Patient's objection, takes appropriate actions to resolve the objection. However, if this is not successful, the Patient has the right to contact the supervisory authority - the Data State Inspectorate.
- [36] The Patient has the right to receive one copy free of charge of their personal data processed by the Academy.
- [37] The receipt and/or use of the information mentioned in point [36] of this document may be restricted in order to prevent adverse effects on the rights and freedoms of other persons (including the Academy's employees).
- [38] The Academy undertakes to ensure the accuracy of Personal Data and relies on its Patients, suppliers, and other third parties who provide Personal Data to ensure that the provided Personal Data are complete and accurate.
PATIENT CONSENT TO DATA PROCESSING AND THE RIGHT TO WITHDRAW IT
- [39] The Patient gives consent for personal data processing, where the legal basis is consent, in writing in person at the Academy, by sending in paper format using postal services, or by sending by email signed with a secure electronic signature.
- [40] The Patient has the right to withdraw consent for data processing at any time in the same way as it was given, and in such case, further data processing based on the previously given consent for the specific purpose will no longer be carried out.
- [41] Withdrawal of consent does not affect data processing carried out during the time when the Patient's consent was valid.
- [42] Withdrawal of consent cannot terminate data processing carried out on other legal grounds (for example, in accordance with external regulatory acts or the contract concluded between the Academy and the Patient).
WEBSITE VISITS AND COOKIE PROCESSING
- [43] The Academy's website(s) may use cookies.
- [44] Cookies are files that websites place on users' computers to recognize the user and facilitate their use of the site. Internet browsers can be configured to warn visitors about the use of cookies and allow the visitor to choose whether to accept them. Not accepting cookies will not prevent the visitor from using the Academy's website, but it may limit the visitor's ability to use the website.
- [45] The Academy's websites may contain links to third-party websites, which have their own terms of use and personal data protection rules, for which the Academy is not responsible.
CHANGES TO THE PRIVACY POLICY
- [46] The Academy reserves the right to make changes to its Privacy Policy if certain circumstances change that affect the regulation of personal data processing. The Academy recommends visiting this section regularly to learn the latest information.
- [47] The Academy retains previous versions of the Privacy Policy, and they are available on the Academy's website.