PRIVACY POLICY
I. Purpose and Scope of the Privacy Policy
1. SIA TRT Baltic (hereinafter – TRT Baltic ) privacy policy (hereinafter – Policy) aims to protect the privacy of natural persons (hereinafter – Data Subject) in order to transparently ensure fair and legal processing of the Data Subject's personal data, to inform about the rights and obligations in relation to the Data processing of the subject's personal data, provide information to the Data Subject about the purpose of personal data processing, the legal basis, scope of processing, processing term and data processing performed by the manager of personal data processing (hereinafter – Data Manager).
2. In the Policy, the Data Manager has described measures to ensure that the interests and freedoms of Data Subjects are protected, while ensuring that their personal data is processed in good faith, lawfully and in a manner transparent to the Data Subject.
3. The Policy applies to the following Data Subjects:
-
TRT Baltic patients (including potential, former and current patients);
-
TRT Baltic visitors, regardless of the reason for visiting TRT Baltic;
-
TRT Baltic website visitors.
II. Information about the Data Manager
4. The Data Manager specified in the policy is SIA TRT Baltic (unified registration number 40203557988, address: Dundagas iela 74, Talsi, Talsu nov., Latvia, LV-3201, telephone: +371 22011911, email address: info@trtbaltic.com).
5. The information included in the policy is applicable to all structural units and locations of TRT Baltic, including in the digital environment where it carries out its economic activity, providing healthcare services.
III. Applicable law
6. The European Parliament and Council Regulation (EU) 2016/679 - Protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter – the Regulation).
7. The Law on the Processing of Personal Data.
8. Medical Treatment Law and the regulations of the Cabinet of Ministers issued in accordance with them.
9. Patients Rights Law.
10. Other applicable legal acts in the field of data processing and protection of natural persons, as well as in the provision of health care services.
IV. Purposes of personal data processing, scope of processing, term and recipients of data
In carrying out its commercial activity, the Data Manager has determined that it has the following purposes of processing personal data and the conditions specified below are applied to the relevant purposes:
11. Processing of personal data for the administration of health care services:
Personal data to be processed: In order to provide the Data Subject's health care services, the Data Manager needs to identify the Data Subject, therefore, when applying for the service, the Data Subject will be asked to provide information about his name, surname, personal code, contact information and the desired service he wishes to receive.
When registering for the service, the Data Subject may additionally be asked to submit a copy of an identity document. Identification may be requested at any time when receiving healthcare services.
In compliance with the aforementioned, the Manager will process the Data Subject's:
-
name and surname;
-
personal identification number (or other equivalent identification number);
-
actual place of residence;
-
telephone number and e-mail;
-
information about applied for and received health care services, their costs.
Data processing legal basis: Article 6, paragraph 1, subparagraph b) of the Regulation - execution of the contract at the request of the data subject and Article 9, paragraph 2, subparagraph h) of the Regulation - processing is necessary for the purposes of preventive or occupational medicine, for the evaluation of the employee's working capacity, medical diagnosis, health or social care or treatment or for the purposes of ensuring the management of health or social care systems and services, based on Union or Member State legislation or in accordance with a contract with a health professional and subject to the conditions and guarantees referred to in paragraph 3.
Patient Rights Act, Accounting Act.
Considering that the Data Manager has a legitimate right to save and process the obtained data in order to ensure the protection of its legal interests, the data mentioned in this paragraph may be used for the Data Manager to defend its legal interests, for example, if claims are received about the provided healthcare services. The legal basis for the processing of this personal data is Article 6, Clause 1, subparagraph f) and Article 9, Clause 2, subparagraph f) of the Regulation - the processing is necessary to raise, implement or defend legal claims, or whenever the courts fulfil their tasks.
Data processing deadline: Information about the services applied for and received, their administration, will be processed for at least 5 years, in compliance with the condition of the Accounting Law that information on the traceability of economic activity must be kept for at least 5 years.
Data recipients: Law enforcement authorities, the State Revenue Service, the Data Manager's cooperation partners – data processors, such as IT infrastructure and solution maintainers.
12. Processing of personal data for the provision of health care services:
Personal data to be processed: In order to ensure the provision of health services, in addition to the personal data specified in paragraph 11., information will be collected about the health condition of the Data Subject as a patient, historical illnesses and treatment episodes, as well as during the provision of health care services. The Data Subject may be sent for additional medical examinations, various measurements and tests and all this information will be collected in the Data Subject's medical documentation. Namely, the Data Manager's medical records will include information that ensures patient recognition, confirms the diagnosis, substantiates examinations and treatment methods, as well as accurately depicts the treatment results – any information recorded in electronic form about the patient, his state of health, the diagnosis and prognosis of the disease, the methods of prevention, diagnosis and treatment used, as well as the results of diagnosis and treatment.
Data processing legal basis: Article 6, paragraph 1, subparagraph b) of the Regulation - execution of the contract at the request of the data subject and Article 9, paragraph 2, subparagraph h) of the Regulation - processing is necessary for the purposes of preventive or occupational medicine, for the evaluation of the employee's working capacity, medical diagnosis, health or social care or treatment or for the purpose of ensuring the management of health or social care systems and services, based on the laws of the Union or a Member State or in accordance with a contract with a health professional and in compliance with the conditions and guarantees referred to in paragraph 3, the Law on Medical Treatment, the Law on Patients' Rights.
Considering that the Data Manager has a legitimate right to save and process the obtained data in order to ensure the protection of its legal interests, then the data mentioned in this paragraph may be used for the Data Manager to defend its legal interests, for example, if claims are received about the provided healthcare services. The legal basis for the processing of this personal data is Article 6, Clause 1, subparagraph f) and Article 9, Clause 2, subparagraph f) of the Regulation - the processing is necessary to raise, implement or defend legal claims, or whenever the courts fulfil their tasks.
Data processing deadline: When determining the term of storage of medical documentation, the Data Manager is guided by the criteria provided for in the Minister's Cabinet Regulations No. 256 "Medical document record keeping procedure", which stipulates that the longest personal data storage period is 40 years after the last record or 15 years after the patient's death. Depending on which health care service you have received (one-time consultation or long-term treatment), the duration of storage of the relevant information may change, not exceeding the above-mentioned 40-year period.
Data recipients: Institutions and organisations specified in Article 10, Clause 5 of the Patient Rights Act. The Data Manager's cooperation partners – data processors, for example IT infrastructure and solution maintainers.
13. Processing of personal data for the quality control and claims handling:
Personal data to be processed: When communicating with the Manager or submitting a complaint or suggestion using the contact information provided by the Manager (e.g. phone, e-mail), information related to the specific document and the information reflected in it, as well as the content of the communication, time and information about the communication tool used (including audio recordings that reflect communication content). The Data Subject will be warned about making audio recordings with separate notifications, for example at the beginning of a telephone call.
In the event that the Data Subject makes a claim about the health care service provided, the Data Manager will need to identify the complainant or the person to whom the response must be prepared. In this case, in order to achieve the goal, the Data Manager may process the volume of personal data, which includes the name and surname of the Data Subject, ID number, contact information, information about for the services received, information that is at the Data Manager's disposal and fully reflects the scope of the service provided and information based on which decisions have been made on the scope of health care service provision.
Such information is recorded in the documentation and stored in the Data Manager's data processing systems. The Data Manager has the obligation and the right to process the Data Subject's identifying information and information confirming the identity of the person and the right of representation (if the person represents another person) in contractual relations.
Data processing legal basis: Clause f) of Article 6 of the Regulation – legitimate interests of the manager to provide quality service and defend his legal interests in case of receiving claims.
Data processing deadline: The Data Manager ensures the implementation of the principle of data minimisation in such a way that he has determined a differentiated duration of data processing, taking into account its essentiality for the achievement of the goal, for example, the storage period of audio recordings does not exceed 15 days, while the storage period of e-mail correspondence does not exceed 30 days, on the other hand, taking into account that the limitation period according to the Patient Rights Act is two years from the date of receipt of the service, then in the case of certain disputes, the Manager can retrieve and keep the processed information at its disposal, setting a storage period that does not exceed 2 years from the circumstances of the event.
Data recipients: Employees authorised by the Data Manager, law enforcement authorities, health care supervisory institutions.
14. Processing of personal data for the provision of high quality and safe health care services:
Personal data to be processed: TRT Baltic, as the Data Manager, must regularly conduct a patient survey about the provided healthcare services in order to improve the current processes of providing healthcare services, ensuring not only high-quality, but also safe provision of healthcare services. In this regard, the Data Manager may ask the Data Subject to fill out questionnaires about the Data Subject's experience, as well as the Data Subject may submit a voluntary review of the services received. In order to achieve this goal, information on the period of time when the Data Subject received healthcare services, information on which healthcare services the Data Subject received, to which specialist the Data Subject has consulted, will be processed. In the event that the Data Manager uses technological solutions to conduct surveys, in some cases the Data Subject's e-mail or phone number may be used, where the Data Subject will be sent an invitation to participate in the survey.
Data processing legal basis: Clause e) of Article 6 of the Regulation requires the processing to fulfil a task carried out in the public interest or in the exercise of the official powers legally granted to the manager.
Data processing deadline: The results of the surveys are collected within the next 30 days after the survey has taken place and are further used only in a summarised form.
Data recipients: Employees authorised by the Data Manager, health care supervisory institutions.
15. Processing of personal data in order to promote the recognition of the Data Manager's brand and the services provided:
Personal data to be processed: Information materials, events, news, photos of people, video and audio recordings of the Data Manager, events organised by the Data Manager and information about the Data Manager's participation in events organised by cooperation partners may be posted in various mass media, on the Data Manager's website trtbaltic.com, on the Data Manager's social network platforms (for example facebook.com, youtube.com), as well as saved in the Data Manager's archive with the aim of promoting the visibility of the Data Manager's brand. In certain cases, these materials may also contain personal data of visitors to events organised by the Manager - photos, video materials, audio materials, event descriptions, information provided during the interview and other data.
Data processing legal basis: The processing of personal data is carried out on the basis of Article 6, Clause 1, subparagraph f) of the Regulation - processing is necessary to respect the legitimate interests of the Data Manager or a third party, except if the interests or fundamental rights and fundamental freedoms of the data subject, which require the protection of personal data, are more important than such interests. This means that the Data Manager has a legitimate interest in reporting events organised by it, to provide information about its services, in the mass media and on the Data Manager's website and social networking platforms (for example, facebook.com, youtube.com), therefore when choosing to publish any information in the mass media, on the Data Manager's website and on social network platforms, the Data Manager always tries to ensure that the rights and freedoms of the Data Subject are not violated. The Data Manager respects the individual's right to privacy. The Data Manager is aware that he does not know all the facts and circumstances about the possible impact of the mentioned activities, therefore, in order to ensure fair data processing, any person has the opportunity to contact the Data Manager and the right to object to the display of his personal data on the Data Manager's website or on the aforementioned social network platforms. In such a case, the Manager must be informed about it at the e-mail address specified in this Policy. Observing the principle of good faith, in certain cases when video recording or photo recording is intended in places where the Data Subject expects increased privacy (for example, during a consultation), the Data Subject may be asked to give consent or permission to the relevant Data Subject's involvement in video recording or photography. We draw attention to the fact that if the Data Subject refuses to participate in photo or video recording, the Data Subject will not be limited or changed in any way in the expected health care service that he intends to receive. On the other hand, if the Data subject gives permission or consent to participate in the preparation of video material or photo material, then the legal basis for the processing of the personal data of the Data subject is his consent, or Article 6, paragraph 1, subparagraph a) and Article 9, paragraph 2, subparagraph a) of the Regulation and their data the Data Subject can withdraw at any time by contacting the Data Manager.
Data processing deadline: Personal data is stored until the goal is achieved, that is, as long as the information made public for the purpose of promoting the Data Manager's recognition is current, except for information that is permanently stored in the Data Manager's archive. The administrator conducts a periodic review of the published information to ensure that information that does not meet the purpose of personal data processing is regularly deleted, except for data processing for archival purposes.
Data recipients: The Data Manager's authorised employees and any third party after making the video or photo material public. Transfer of data to a third country – when posting photos and videos on social network platforms, personal data will be transferred to a cooperation partner in the United States (META group companies, Google group companies).
V. Rights of the Data Subject
16. The Data Subject has the right to request access to his/her personal data from the Data Manager and to receive detailed information about what personal data about him/her is at the disposal of the Data Manager, for what purposes the Data Manager processes this personal data, categories of recipients of personal data (persons to whom personal data has been disclosed or to whom it is intended to disclose, if the regulatory acts in a specific case allow the Data Manager to provide such information), information about the period for which personal data will be stored, or the criteria used to determine the said period.
17. If the Data Subject believes that the information held by the Data Manager is outdated, inaccurate or incorrect, the Data Subject has the right to request correction of his/her personal data.
18. The Data Subject has the right to request the deletion of his personal data, or to object to the data processing, if the person believes that the personal data have been processed unlawfully, or are no longer necessary in relation to the purposes for which they were collected and/or processed (implementing the principle of the right "to be forgotten").
19. The Data Manager informs that the personal data of the Data Subject cannot be deleted if the processing of personal data is necessary:
-
for the Data Manager to protect the vital interests of the Data Subject or other natural person, including life and health;
-
for the Data Manager or a third party to raise, implement or defend legal interests;
-
data processing is required in accordance with the regulatory enactments binding on the Data Manager.
20. The Data Subject has the right to request that the Data Manager restricts the processing of the Data Subject's personal data if one of the following circumstances exists:
-
the Data Subject disputes the accuracy of the personal data - for the period during which the Data Manager can verify the accuracy of the personal data;
-
the processing is illegal and the Data Subject objects to the deletion of the personal data and instead requests the restriction of the use of the data;
-
the Data Manager no longer needs the personal data for processing, but it is needed by the Data Subject to bring, exercise or defend legal claims;
-
the Data Subject has objected to the processing until it has been verified whether the legitimate reasons of the Data Manager are not more important than the legitimate reasons of the Data Subject.
21. If the processing of personal data of the Data Subject is limited in accordance with Data Subject's request, the following personal data, except for storage, is processed only with the Data Subject's consent or for the purpose of raising, implementing or defending legal claims, or to protect the rights of other natural or legal persons, or important public interests.
22. Before canceling the limitation of personal data processing of the Data Subject, the Data Manager informs the Data Subject.
23. The Data Subject has the right to submit a complaint to the Data State Inspectorate if he believes that the Data Manager has processed his personal data illegally, at the same time, the Data Manager invites you to first contact the Data Manager to find a solution promptly if your right to personal data protection has been violated.
24. The Data Subject can submit a request for the exercise of their rights by sending an electronically completed application to the Data Manager's email address info@trtbaltic.com. In this case, it is assumed that the Data Subject has identified himself, by submitting a request sent from the Data Subject's previously specified email. At the same time, the Data Manager reserves the right to request additional information from the Data Subject in case of doubt, if it deems it necessary.
25. The data subject is obliged to specify the date, time and other circumstances in his request, as far as possible, which would help to fulfil his request.
26. After receiving a written request from the Data Subject to exercise his rights, the Data Manager:
-
verifies the identity of the person;
-
evaluates the request and acts as follows:
-
if the request can be provided, it is fulfilled as soon as possible and the Data Subject as the requester can receive the information or a copy of the data mentioned in the request;
-
if additional information is needed to identify the Data Subject requesting information or to fulfil the request, then the Data Manager may ask the Data Subject to provide additional information in order to be able to correctly fulfil the request and select information (for example, a specific date, time or place where the Data Subject is identifiable);
-
if the information has been deleted or the person requesting the information is not the Data Subject, cannot be identified, or if the Data Subject has refused to cooperate with the Data Manager and the Data Manager is thus, for example, unable to select relevant information, then the Data Manager may reject the request and refuse to issue the information, based on any of the above considerations. Refusal to provide information will always be made in writing, in accordance with this Policy and/or regulatory enactments;
-
in the event that the Data Manager has received a request, but the Data Subject has not left his contact information, so that the Data Manager can communicate during the review of the request and inform about the result of the Review of the Request, then the Data Manager undertakes to prepare a written response within a month, which will be available in the Data Manager's administration. The relevant reply letter will be kept in the Data Manager's administration for no longer than two months, counting from the date of submission of the request.
-
VI. Protection of personal data
27. The Data Manager provides, constantly reviews and improves personal data protection measures to protect the personal data of natural persons from unauthorised access, accidental loss, disclosure or destruction. To ensure this, the Data Manager uses appropriate technical and organisational requirements.
28. The Data Manager carefully checks all service providers that process personal data of natural persons on behalf of the Data Manager, as well as evaluates whether cooperation partners (personal data processors) apply appropriate security measures so that the processing of personal data of natural persons takes place in accordance with the Data Manager's delegation and the requirements of regulatory acts.
29. In the event of a personal data security incident, if it will create a possible risk to the rights and freedoms of the Data Subject, the Data Manager will notify the respective Data Subject, if possible, or the information will be published on the Data Manager's website trtbaltic.com.
VII. Closing questions
30. TRT Baltic reserves the right to make changes to its Privacy Policy.
31. In the event that the Policy will be amended, all changes, as well as historical versions of the Policy, can be obtained by contacting the Data Manager.
32. The current version of the Policy, to ensure transparent and fair data processing, is published on the website trtbaltic.com in the Privacy Policy section.
33. This version of the Privacy Policy enters into force on August 30, 2024.