Information on the Processing of Patients' Personal Data

pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

A. Personal Data Controller

The controller of personal data is DCS Clinic Dejvice s.r.o., ID No.: 17867762, with registered office at Libocká 703/21, Liboc, 162 00 Prague 6, a company registered in the Commercial Register kept by the Municipal Court in Prague under file No. C 378062.

Contact details of the data controller:

- E-mail: gdpr@dcsclinic.cz

- Telephone: +420 731 705 707

The controller is a provider of health services in accordance with Act No. 372/2011 Coll., on Health Services and Conditions of their Provision, as amended (hereinafter referred to as the "Health Services Act").

B. Purposes and legal bases for processing

We process your personal data for the following purposes:

(a) the provision of health services;

(b) reporting of covered health services;

(c) billing for non-covered health services;

(d) disclosure of health information to you and other authorised persons;

(e) the fulfilment of general legal obligations, in particular in the field of tax and accounting records (records of income and expenditure, payments received and management, as derived from the regulations governing taxation and accounting);

(f) the organisation of the provision of health services (ordering of patients, production of statistics and records); and

(g) protecting our company's legal claims.

We process your personal data for the above purposes on the basis of the following legal titles:

(a) compliance with our legal obligations (in particular the Health Services Act, Act No. 48/1997 Coll., on Public Health Insurance, Act No. 563/1991 Coll., on Accounting, Act No. 586/1992 Coll., on Income Taxes, Act No. 634/1992, on Consumer Protection);

(b) fulfilling the obligations under the health care contract under which we provide you with health care services (this contract does not have to be in writing);

(c) our legitimate legal interest in ensuring the proper protection and effective exercise of our rights and claims; and

(d) our legitimate legal interest in maintaining an internal overview of the activities taking place in our company, evaluating the company's performance, its employees and members of the company's governing bodies, planning and optimising capacity and evaluating other aspects of our company's operations.

The processing of your personal data for the purposes of providing health services is a legal requirement. Failure to provide your personal data may mean that we are unable to provide you with health services, which may result in damage to your health or a direct threat to your life (Section 41(1)(d) of the Health Services Act). The obligation to disclose the patient's personal data also applies to the patient's legal representative or guardian (Section 41(2) of the Health Services Act).

In the case of minor patients and patients who are not fully competent, the personal data of the patient's legal representative are also processed. We will also process the personal data of persons you report to us as authorised recipients of information about your health condition. We process the personal data of these persons only for the purposes of:

(a) the provision of health services;

(b) disclosure of health information to you and other authorised persons;

(c) the organisation of the provision of health services (ordering of patients, production of statistics and records); and

(d) protecting our company's legal claims,

on the basis of the following legal titles:

(a) compliance with our legal obligations (in particular the Health Services Act, Act No. 48/1997 Coll., on Public Health Insurance, Act No. 563/1991 Coll., on Accounting, Act No. 586/1992 Coll., on Income Taxes, Act No. 634/1992, on Consumer Protection);

(b) our legitimate legal interest in ensuring the proper protection and effective exercise of our rights and claims; and

(c) our legitimate legal interest in maintaining an internal overview of the activities taking place in our company, evaluating the performance of the company, its employees and members of the company's bodies, planning and optimising capacity and evaluating other aspects of our company's operation.

C. Personal data processed and retention period

In particular, we process the following categories of personal data for the above purposes:

(a) identification data (name, residence, birth number, health insurance company);

(b) contact details (name, e-mail, telephone number, contact address);

(c) data about your health and treatment - we process this data solely for the purpose of providing health services.

We process and store personal data:

(a) in the case of personal data contained in medical records - for the period specified by Decree No. 98/2012 Coll., on medical records;

(b) in the case of personal data whose retention is prescribed by law, for the period prescribed by law; and

(c) for other personal data, for as long as you are our patient and for one year after you cease to be our patient.

D. Who processes your personal data and to whom do we transfer it?

All of the above-mentioned personal data are processed by us as the controller. This means that we determine the above defined purposes for which we collect your personal data, determine the means of processing and are responsible for their proper execution.

We generally do not pass on your personal data to other controllers. Exceptions are cases where we transfer your personal data to the following entities in accordance with the provisions of the legislation: health insurance company, health service provider, public authorities and persons authorised to inspect medical records pursuant to § 31, § 32, § 33 and § 65 of the Health Services Act.

In addition to the controller, personal data may also be processed by processors for the purposes described above, solely on the basis of and within the limits of our instructions.

The processors who process your personal data for our company and according to our instructions are mainly:

- Infinity Energy, s.r.o., ID: 273 37 871 - provider of software for dental practices and dental hygiene;

- TECHart systems s.r.o., ID: 261 72 615 - supplier of security system;

- HDT s.r.o., ID No.: 280 65 425 - supplier of dental medical equipment;

- HENRY SCHEIN s.r.o., ID No.: 053 24 271 - supplier of dental medical equipment;

- Renovace IHNAT, s.r.o., ID: 067 85 000 - IT system administration, web;

- Critical works, s.r.o., ID: 289 87 373 - supplier of web pages.

All such processors are bound by a processing agreement to comply with the requirements of data protection legislation, in particular to protect your personal data.

We do not transfer your personal data to countries outside the European Union and the European Economic Area.

E. What rights do you have when processing personal data?

Just as we have rights and obligations when processing your personal data, you also have certain rights when processing your personal data. These rights include:

Right of access

Simply put, you have the right to know what data we process about you, for what purpose, for how long, where we obtain your personal data, to whom we transfer it, who processes it outside of us and what other rights you have in relation to the processing of your personal data. You have learned all of this in this Information on the Processing of Patients' Personal Data. However, if you are unsure which personal data we process about you, you can ask us to confirm whether or not the personal data relating to you are processed by us and, if so, you have the right to access that personal data. As part of your right of access, you can ask us for a copy of the processed personal data, whereby we will provide you with the first copy free of charge and additional copies for a reasonable fee.

Right to rectification

If you find that the personal data we process about you is inaccurate or incomplete, you have the right to have it corrected or completed without undue delay.

Right to erasure

In some cases, you have the right to have us delete your personal data. We will delete your personal data without undue delay if one of the following reasons is met:

(a) we no longer need your personal data for the purposes for which we processed it;

(b) you exercise your right to object to processing (see "Right to object to processing" below) in respect of personal data that we process on the basis of our legitimate interests and we find that we no longer have such legitimate interests to justify such processing; and/or

(c) it turns out that the processing of personal data by us is no longer in accordance with generally binding regulations.

The right to erasure does not apply in relation to personal data that we process for the purpose of providing health services. We may not erase data that we hold about you for the purpose of providing health services (e.g. in medical records).

The right will also not apply if the processing of your personal data is still necessary for:

(a) fulfilling our legal obligation;

(b) archival, scientific or historical research or statistical purposes; and/or

(c) the establishment, exercise or defence of our legal claims.

Right to restriction of processing

In some cases, in addition to the right to erasure, you can exercise the right to restrict the processing of personal data. This right allows you in certain cases to request that your personal data be marked and not subject to any further processing operations - in this case, however, not forever (as in the case of the right to erasure), but for a limited period of time. We must restrict the processing of personal data when:

(a) you dispute the accuracy of the personal data before we agree what data are correct;

(b) we process your personal data without a sufficient legal basis (e.g. beyond what we need to process) but you would prefer to restrict such data before deleting them (e.g. if you expect to provide us with such data in the future anyway);

(c) we no longer need your personal data for the above processing purposes but you require them for the establishment, exercise or defence of your legal claims; and/or

(d) you object to the processing. The right to object is described in more detail in the section "Right to object to processing" below. We are obliged to restrict the processing of your personal data for the period of time that we are investigating whether your objection is justified.

Right to portability

You have the right to obtain from us all your personal data that you yourself have provided to us and that we process on the basis of the performance of the contract. We will provide you with your personal data in a structured, commonly used and machine-readable format. In order to be able to easily transfer the data at your request, it can only be data that we process automatically in our electronic databases. Therefore, we cannot always and under all circumstances transfer to you in this form all data that we keep in paper form.

We may only disclose data we hold about you for the purpose of providing health services (e.g. in medical records) to you and, under lawful conditions, to another health service provider or public authority.

Right to object to processing

You have the right to object to the processing of your personal data based on our legitimate interest. We will not continue to process your personal data unless we have compelling legitimate grounds for continuing to do so.

Right to lodge a complaint

Exercising your rights in the above manner does not affect your right to lodge a complaint with the Office for Personal Data Protection in the manner set out in the following section. You can exercise this right in particular if you believe that we are processing your personal data unlawfully or in violation of generally binding legal regulations.

F. How can I exercise individual rights?

You can contact us on all matters related to the processing of your personal data, whether it is an enquiry, exercising a right, lodging a complaint or anything else, using the following contacts:

- E-mail: gdpr@dcsclinic.cz

- Delivery address: DCS Clinic Dejvice s.r.o., ID No.: 17867762, with registered office at Libocká 703/21, Liboc, 162 00 Prague 6

We will process your request without undue delay, but within one month at most. In exceptional cases, in particular due to the complexity of your request, we are entitled to extend this period by a further two months. We will, of course, inform you of any such extension and the reasons for it.

Lodging a complaint with the Data Protection Authority

You can file a complaint against our processing of personal data with the Office for Personal Data Protection which is located at Pplk. Sochora 27, 170 00 Prague 7.