INFORMATION ON PROCESSING OF PERSONAL DATA OF PATIENTS
let us inform you in accordance with Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the instruction of data subjects (hereinafter referred to as “General Regulation”) how our company CTshipper, s.r.o., ID 281 24 162, based in Kostelní 292/9, Holešovice, 170 00 Praha 7, registered in the commercial register kept at the Municipal Court in Prague, cection C, insert 69070, as a data controller (hereinafter referred to as “controller”) processes your personal data and on the rights and obligations associated with it.
Personal information is considered to be all information about an identified or identifiable natural person (also referred to as „data subject“); an identifiable natural person is a natural person that can be identified directly or indirectly, in particular by reference to a particular identifier such as name, identification number, location data, network identifier or one or several specific physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
1. Scope and purpose of processing personal data
The controller processes personal data to the extent in which the data was provided to him by the data subject in connection with the order for the transport and delivery of human tissues and cells (hereinafter referred to as „distribution“) in accordance with Act No. 296/2008 Coll., On Human Tissues and Cells and its implementing regulations. The controller also processes personal data that was not provided by the data subject but which he receives during the process of distribution. The controller processes personal data in accordance with the valid and generally binding legal regulations of the Czech Republic for the purpose of fulfillment of legal obligations.
Your personal data is processed for the following purposes:
- fulfillment of statutory obligations by the controller;
- process of distribution (conclusion and performance of the contract);
- determination, exercise or defense of legal claims (legitimate interest of the controller);
- provision to the strictly necessary extent for legal, economic and tax advisors as well as auditors for the purpose of providing advisory services to the controller (legitimate interest of the controller);
2. Sources of personal data
The controller processes personal data obtained directly from the data subject or health service provider or other person from whom tissues and cells are taken over in connection with the distribution according to Act No. 296/2008 Coll., On Human Tissues and Cells or in connection with handling complaints or requests.
3. Categories of personal data and category of data subject
The following categories of personal data are subject to processing:
- address and identification data used for clear and unambiguous identification of the data subjects, such as name, surname, date of birth, address of permanent residence and others;
- contact details such as contact address, phone number, e-mail address and others;
- other details, such as bank account;
- other data that is necessary for the distribution.
Data subjects whose data is processed by the data controller and to whom this information is addressed are:
- client / patient;
- potential client / patient;
4. Method of processing and protection of personal data
Personal data is mainly processed in distribution-related documentation and in full compliance with applicable law. Its security and protection is ensured in accordance with these regulations and in accordance with the General Regulation.
The processing is carried out manually in paper form and electronic form or is automatized by computer technology. It is subject to all security policies for administration and processing of personal data. To this end, technical and organizational measures were taken by the controller, in particular measures to ensure that unauthorized or accidental access to personal data, its alteration, destruction or loss, unauthorized transmission, unauthorized processing and other misuse of such personal data is impossible. All entities to whom personal data may be made available respect the rights to privacy of the data subjects and are required to comply with applicable data protection law.
5. Processing time of personal data
The controller shall process the personal data for the time necessary for the given purpose and in accordance with the time limits specified in the relevant generally binding legal regulations of the Czech Republic for shredding and archiving of documents, as long as it is necessary to determine, exercise or defend the legal claims.
6. Categories of recipients of personal data
Recipients of personal data of data subjects are:
- health care providers receiving tissues and cells;
- other distributors of tissues and cells participating in the distribution;
- processors on the basis of a contract with the controller within the scope of the data needed for the purpose of the processing, e.g. companies managing the information systems of the controller, employees in charge of data storage and archiving and others;
- persons providing legal or other advice;
- state authorities in the course of fulfilling legal obligations laid down under relevant legislation.
7. Instructions on the rights of data subjects
You are entitled to the following from our company as the data controller:
- require access to personal data processed by the controller, which means the right to obtain a confirmation from the controller that the personal data concerning you is processed or not, and if so, you have the right to access this personal data and other information referred to in Article 15 of the General Regulation,
- require the correction of your personal data that is processed if it is inaccurate. Taking into account the purposes of processing, you may in some cases also require the addition of incomplete personal data,
- require the deletion of personal data in cases covered by Article 17 of the General Regulation,
- require restrictions on the processing of data in cases covered by Article 18 of the General Regulation,
- obtain personal data relating to you that we process automatically for the performance of a contract concluded with you in a structured, commonly used and machine-readable form. In addition, you have the right to request that the controller forwards that information to another controller; under the conditions and restrictions listed in Article 20 of the General Regulation and
- you have the right to object to processing within the meaning of Article 21 of the General Regulation on grounds relating to your particular situation.
If we receive your request, we will inform you of the measures taken without undue delay and in any case within one month of receipt of the request. This deadline can be extended by another two months if necessary and in view of the complexity and number of applications. In certain cases specified in the General Regulation, our company is not required to comply with the request in whole or in part. This will be the case in particular if the application is clearly unreasonable or inappropriate, especially because it is repeated. In such cases, we may (i) impose a reasonable fee that takes into account the administrative costs associated with the provision of the required information or communication or the performance of the requested action; or (ii) refuse to comply with the request.
If we receive the above request, but we will have reasonable doubt as to the identity of the applicant, we may ask them to provide additional information necessary to confirm their identity.
In addition, you have the right to contact the Office for Personal Data Protection directly if you believe that personal data is not processed in accordance with legal regulations, either in the place of your habitual residence, place of employment, or the place where the alleged violation took place. If you suffered damage other than damage to property as a result of the processing of your personal data, you shall make a claim under a special law.
We also inform you that our company has appointed a data protection officer. Contact details of the data protection officer: Martina Masopustová, e-mail: firstname.lastname@example.org.
Provision of patients´ personal data is a statutory requirement and the patient has an obligation to provide the data just as a healthcare professional has the right to require the data from the patient. A failure to provide personal data may result in a situation that the controller is unable to provide the patient with medical services.