1. PERSONAL DATA PROCESSED AND THE PRINCIPLES OF PROCESSING
1.1. The Clinic processes the following personal data of patients:
general identification data (including name, personal identification code, contact details);
health data necessary for the provision of health services, including answers to the patient screening questionnaire and health data disclosed orally or otherwise to the health care professional. The exact composition of health data depends on the health service provided to you;
data on the services we provide to you, including the content, time, price, regularity, etc. of the service;
your communication with the Clinic, including your emails and other communications, including personal data disclosed by you in the course of such communication;
information about whether you would like to receive offers of HAPPY AGING Tallinn clinic products and services.
1.2. The Clinic is guided by the following principles when processing personal data:
the principle of legality, fairness and transparency – processing is legal, fair and transparent to the data subject;
the principle of purpose limitation – personal data is collected for precisely and clearly defined legitimate purposes and it is not subsequently processed contrary to these purposes;
the principle of collecting as little data as possible – personal data is relevant, important and limited to what is necessary for the purpose of their processing;
the principle of correctness – personal details are correct and, if necessary, updated, and all reasonable measures are taken to delete or correct any personal data that is incorrect from the point of view of the purpose of the processing without delay;
the principle of storage limitation – personal data is stored in a form that allows data subjects to be identified only as long as necessary to fulfil the purpose for which the personal data is processed;
the principle of reliability and confidentiality – personal data is processed in a way that ensures appropriate security of personal data, including protection against unauthorised or illegal processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
2. THE PURPOSE AND LEGAL BASIS OF PROCESSING PERSONAL DATA
2.1. The Clinic processes personal data for the following purposes and on the following legal bases:
to provide a specific health service to the patient. The legal basis for processing personal data for this purpose is the performance of a contract with the patient for the provision of health services (Art. 6 (1) b) and Art. 9 (2) h) of the GDPR, subsection 41 (1) of the Health Services Organisation Act);
to manage the contractual relationship with the patient and to organise the service (e.g. to confirm appointments and for billing purposes). The legal basis for processing personal data for this purpose is the performance of a contract with the patient for the provision of health services or the taking of pre-contractual measures in accordance with the request of the data subject (Art. 6 (1) b) and Art. 9 (2) h) of the GDPR, subsection 41 (1) of the Health Services Organisation Act);
to meet the requirements arising from legislation. The legal basis for processing personal data for this purpose is Art. 6 (1) c) and Art. 9 (2) h) of the GDPR and the relevant provisions of national legislation that oblige us to process personal data;
to check and assure the quality of the health or other services we provide and to improve your patient experience. The legal basis for processing personal data for this purpose is our legitimate interest and assurance of the quality of health services (Art. 6 (1) f) and Art. 9 (2) h) of the GDPR, subsection 41 (1) 2) of the Health Services Organisation Act);
to send the patient offers for the services of the HAPPY AGING Tallinn clinic. We process the patient’s personal data for this purpose if the patient has given their consent or if we use the patient’s personal data to offer similar services that the patient has already used in the HAPPY AGING Tallinn clinic, and the patient has not refused such use of their contact details (subsection 103 (1) of the Electronic Communications Act).
3. STORAGE OF PERSONAL DATA
3.1. The Clinic processes the patient’s personal data during the provision of health or other services, and then stores the personal data for as long as it is necessary to fulfil the purpose for which we collected the data, including to comply with the legal obligations applicable to us.
3.2. Personal data related to the provision of health and other services may be part of our accounting and business documentation and will be stored for seven years from the end of the year of their recording.
3.3. Unless the applicable law prescribes a longer retention period, we store the collected personal data for as long as it is needed in connection with the provision of health services or for up to three years after the provision of the service.
3.4. Once the retention period has ended, we will delete or anonymise the personal data.
4. TRANSMISSION OF PERSONAL DATA
4.1. The Clinic may transmit your personal data to third parties for the purposes specified in Article 2, if this is permitted under the applicable law. We transmit your personal data (including health data) in the following cases and in the following ways:
4.2. to the e-health patient portal information system, which is located on the website https://www.digilugu.ee/ and the controller of which is the Ministry of Social Affairs and the processor is the Health and Welfare Information Systems Centre. If you have any questions regarding the patient portal, you can contact the Health and Welfare Information Systems Centre;
4.3. to the Prescription Centre, the controller of which is the Estonian Health Insurance Fund, if this is necessary to provide you with health services. If you have any questions regarding the Prescription Centre, you can contact the Estonian Health Insurance Fund;
4.4. to our cooperation partners, whom we use to better organise our activities (such as IT service providers) or to improve and control the quality of our health and other services. In such cases, we ensure that all persons to whom we transmit your personal data for processing in the capacity of a processor, process such personal data strictly in accordance with our instructions, within the scope limited by the legal basis for processing, purposefully, to the minimum necessary extent and otherwise in accordance with the applicable data protection law;
4.5. to public bodies, if the transmission of personal data is necessary to comply with our legal obligations or to prevent or investigate offences;
4.6. to other third parties, if this is necessary to protect our property and rights or defend ourselves against legal claims.
4.7. Your personal data will not be transmitted outside the European Economic Area.
5. RIGHTS OF THE DATA SUBJECT
5.1. Data subjects have the following rights under the applicable data protection legislation, taking into account the limitations arising from such legislation on the exercise of these rights:
the right to receive information about the personal data processed about the data subject;
the right to correct any incorrect personal data;
the right to request the deletion of personal data, except in cases where the data controller can legally refuse it;
the right to request a restriction on the processing of personal data;
the right to object to the processing of their personal data;
the right to personal data portability;
the right to withdraw their consent at any time.
5.2. To exercise your rights or for any questions, please contact us at firstname.lastname@example.org. Please contact us also if you find that we have processed your personal data contrary to the applicable law.
If you find that your data protection rights have been violated, you also have the right to file a complaint with the Data Protection Inspectorate or a court.