1. General terms
1.2. The data subject in this Policy is the Patient, Candidate or any other physical entity, whose data is processed by the Controller.
1.3. A patient in this Policy is a person who signed a medical service contract with the Controller.
1.4. A candidate in this Policy is any person who participates or wishes to participate in staff selection done by the Controller.
1.5. The Controller follows these data processing principles:
1.5.1. Personal data of the Data subject shall be processed in a lawful, fair and transparent way (the principle of lawfulness, fairness and transparency).
1.5.2. Personal data shall be collected for set, clearly defined and lawful purposes, and processed only in ways suitable for that purpose; further data processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the primary purposes (principle of purpose limitation).
1.5.3. Personal data shall be adequate, appropriate, and limited to data suitable for the processing purpose (principle of data minimization).
1.5.4. Personal data shall be accurate and updated if necessary; all measures shall be used to ensure that inaccurate personal data be immediately deleted or corrected, according to the processing purpose (principle of accuracy).
1.5.5. Personal data shall be stored in a way that a subject's identity can be revealed only for as long as is necessary for the processing purpose; personal data may be stored for longer periods, if the personal data are stored for archival purposes, for public interest, for scientific or historical research, or for statistical purposes, adhering to appropriate technical and organizational measures, which are necessary for the protection of the Data subject’s rights and freedoms (principle of retention period).
1.5.6. Personal data shall be processed in a way that the safety of the personal data, including protection against unauthorized personal data processing, unlawful personal data processing and unintentional loss, destruction, or damage of the personal data, is ensured by employing technical and organizational measures (principle of confidentiality and integrity).
1.5.7. It is the Controller's responsibility to adhere to the aforementioned principles and to be able to prove the adherence to said principles (principle of accountability).
1.6. When using 3rd party services, e.g., visiting the Controller’s Facebook page, 3rd party terms may apply. E.g., Facebook's terms and conditions apply to all their users and site visitors. Therefore, it is recommended to read the terms and conditions of 3rd party services.
1.7. This Policy is created based on Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereafter - GDPR), and Personal data protection law of the Republic of Lithuania (“Lietuvos Respublikos asmens duomenų teisinės apsaugos įstatymas” in Lithuanian, hereafter - ADTAI), other laws of the European Union and the Republic of Lithuania. Terms used in the Policy are understood as they are defined in GDPR and ADTAI.
2. Collection, processing, and storage of personal data
2.1. By providing their personal data, the Data subject agrees and consents to the Processor processing and handling the data for the purposes, and using the measures and terms, described in this Policy and relevant regulations.
2.2. If the Data subject does not agree to this Policy and data processing described herein, they shall not visit the Website and/or use Processor's services.
2.3. By providing the personal data, the Data subject grants the Processor the right to gather, store, organize, use, and process all personal data provided directly or indirectly by visiting the Website and using the Processor’s services, for the purposes described in this Policy.
2.4. The Data subject is responsible for providing accurate, truthful, and thorough data. Deliberately providing incorrect data is considered a breach of this Policy. If the data provided change, the Data subject shall immediately correct them; should that not be possible, they shall inform the Processor. The Processor is in no way liable for damage arising for the Data subject and/or 3rd parties due to incorrect and/or incomplete personal data provided by the Data subject, or if the Data subject did not contact the Processor to complete and/or change the personal data.
3. Processing personal data for employee selection
3.1. The Processor processes the following Personal data of Candidates for purposes of employee selection:
3.1.1. Full name.
3.1.2. Date of birth.
3.1.3. Phone number.
3.1.4. E-mail address.
3.1.8. Continuous education courses.
3.1.9. Languages spoken.
3.1.10. Computer skills.
3.1.12. Other data voluntarily provided by the Candidate in their resume and/or other data in documents provided.
3.2. The lawful basis for processing personal data is GDPR Article 6, Part 1, points a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; and b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract.
3.3. Data are received directly from Candidates and are not disclosed to 3rd parties.
3.4. If the law of the Republic of Lithuania imposes additional restrictions on which types of Candidate information can be processed, the Processor ensures that only the permitted Candidate personal data are processed.
4. Processing personal data for purposes of providing medical services
4.1. The Processor automatically processes the following personal data from consenting Patients for purposes of providing medical services:
4.1.1. First name.
4.1.2. Last name.
4.1.3. Telephone number.
4.1.4. E-mail address.
4.1.5. Date of birth.
4.1.6. Health data.
4.2. In case the Patient is represented by another person, the Processor processes the following personal data of the Representative:
4.2.1. First name.
4.2.2. Last name.
4.2.3. Relation to Patient.
4.3. Data are received directly from Patients or their Representatives and are not disclosed to 3rd parties.
4.4. The lawful basis for processing personal data for purposes of providing medical services is GDPR Article 6, Part 1, points a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, and c) processing is necessary for compliance with a legal obligation to which the controller is subject.
4.5. Patient's health data are processed based on GDPR Article 9, Part 2, points a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, and h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
5. Processing personal data for purposes of reminding Patients about follow-up visits
5.1. In order to achieve the legitimate interest to provide Patients with continuing medical services and to motivate Patients to visit the dentist regularly and consequently ensure their dental and oral health, the Processor processes Patients’ personal data for purposes of reminding Patients about follow-up visits. The following Patient data are processed for this purpose:
5.1.1. First name.
5.1.2. Last name.
5.1.3. E-mail address.
5.1.4. Telephone number.
5.2. Data that are processed with the purpose of reminding Patients about follow-up visits are acquired by the Processor directly from patients and are not disclosed to 3rd parties.
5.3. The lawful basis for processing personal data is GDPR Article 6, Part 1, point f) (legitimate interest of the Processor, outlined in paragraph 5.1 of the Policy).
6. Processing personal data for marketing purposes
6.1. The Processor automatically processes the following personal data from consenting Patients for purposes of providing medical services:
6.1.1. First name.
6.1.2. Last name.
6.1.3. E-mail address.
6.2. Data are received directly from Patients and are not disclosed to 3rd parties.
6.3. The lawful basis for processing personal data is GDPR Article 6, Part 1, point a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
7. Procedure and time limits of personal data storage
7.1. When processing and storing Data subjects’ personal data, the Processor implements organizational and technical measures, which ensure protection of personal data against unintentional or unlawful destruction, modification, disclosure, and any other unlawful processing.
7.2. The Processor employs different time limits of personal data storage according to the purpose of processing specific personal data.
7.3. The Processor applies the following Personal data storage time limits:
Purpose of personal data processing: Storage time limit
Internal administration: Up to 50 years after termination of employment contract according to General document storage term index (“Bendrųjų dokumentų saugojimo terminų rodyklė” in Lithuanian)
Selection of Candidates for employment: Until the end of the selection process
Providing medical services: 15 years after the last visit to the clinic
Reminding patients about follow-up visits: 2 years after the last visit to the clinic
Direct marketing: 3 years after the last visit to the clinic
7.4. Exemptions to the time limits detailed above may be defined as long as they do not violate the Data subjects’ rights, conform to the requirements of laws and regulations, and are properly documented.
7.5. Data necessary to make claims, adhere to legal requirements, and for legal defense are stored if they are required for these purposes according to judicial, administrative, or extrajudicial procedures.
8. Data subjects’ rights
8.1. Data subjects have the right at any time to submit a request to review personal data processed by the Processor and to learn how they are processed, to request correction of incorrect, incomplete, or inaccurate personal data, and to request a halt to the processing of their personal data, except storage, when the data processing does not follow the regulations or the terms of this Policy.
8.2. Where the processing of personal data is subject to consent, the Data subject has the right to revoke the consent at any time, without affecting the lawfulness of processing based on consent before its revocation.
8.3. The Data subject can exercise their rights by submitting a written request to firstname.lastname@example.org or by mail to M. K. Čiurlionio g. 19, Vilnius, or by physically visiting the office of the Processor.
8.4. If the Data subject is unsatisfied with the Processor's response or if they suspect that their personal data are processed without following the legal requirements, the Data subject can submit a complaint to the State Data Protection Inspectorate of the Republic of Lithuania.
9. Cookies policy
9.2. Cookies are small text files that are stored in a person’s browser or device (personal computer, smartphone, or tablet).
9.3. The person browsing the Website can delete or block cookies by selecting the appropriate browser settings, which allow all or some of the cookies to be declined. Note that when browser settings are used to block cookies (including necessary cookies), a person may encounter issues using all or some functions of the Website.
10. Final provisions
10.1. The legal relationships related to this Policy are subject to the law of the Republic of Lithuania.
10.2. The Processor is not liable for damage, including damage related to disruptions of the use of the Website, loss or damage of data caused by the action or inaction of the Data subject or third parties with the knowledge of the Data subject, including providing incorrect data, other errors, voluntary malice, and other inappropriate use of the Website. The Processor is also not liable for disruptions of logging onto and/or use of the Website, and/or damage caused by the disruptions due to action or inaction of third parties unrelated to the Processor or the Data subject, including blackouts, internet service disruptions, etc.
10.3. The Processor has the right to change the Policy in part or in whole.
10.4. Additions or changes to the Policy take effect on the day of publishing on the Website.
10.5. If the Data subject continues using the Website and/or services provided by the Processor after additions or changes to the Policy, it is considered that the Data subject does not object to said additions and/or changes.