GDPR

POLICY FOR THE GENERAL DATA PROTECTION REGULATION

ALEXANDRA DALLA & CO. E.E. treats the personal data that you provide to us as natural persons with particular sensitivity and care. This Policy defines the terms and conditions maintained by our company for the general protection of the privacy of customers, suppliers, nursing and medical staff, nursing institutions of all kinds and our employees whose personal data may be processed.

 

WHAT PERSONAL DATA WE COLLECT

  • "simple identification and communication data" i.e. name, phone number, marital status, email address, postal address, VAT number, ID number, AMKA, AMA, age, paternal name, maternal name, place of birth
  • "simple payment data" i.e. bank account, debit/credit and other bank card numbers

 

WHAT IS THE PURPOSE OF THE PROCESSING

Our company maintains and processes the simple personal data you provide to us for the purpose of selling consumables or granting the use of medical equipment to you, and/or to safeguard your vital interest, and/or to fulfill a legal obligation or interest of our company (e.g. for the method of payment of your financial obligations to us, for hiring personnel, for issuing payroll), and/or for sending ordered items to our customers, and/or for informing you regarding the promotion of medical technology products and consumables, and/or for your training regarding the correct use of medical technology products and consumables in accordance with the instructions for use of the respective manufacturer, based on your consent to communicate with you. Our company may transmit this data within or outside the European Union to private and/or public insurance bodies, collaborators/executors of the processing, and/or competent courts, asty legal or tax authorities in accordance with the applicable legal framework.

Our company maintains and processes a special category of data, i.e. your medical condition, for the purpose of safeguarding your vital interests, based on your express consent, and/or for the performance of obligations and the exercise of our rights or your rights in the field of labor law and social security and social protection law. The above data may be forwarded by our company, for the above purposes, to private or public insurance bodies in accordance with your own legal relationship with them, and to partners acting on behalf of our company, in accordance with the contracts between us, in order to serve the above purpose.

We may receive from third parties a) IT services/systems used to transmit or store personal data, b) services for keeping our company's tax books and details. Only the personal data that is necessary for the fulfillment of the assigned services is transmitted to these persons, and they are bound to our company in terms of confidentiality and secure processing of personal data. We will not use your personal data for other purposes unless a) we clearly inform you about the further use of your data and its purpose, and b) we receive your express consent for each further purpose separately.

 

WHAT ARE YOUR RIGHTS UNDER THE GDPR LEGAL FRAMEWORK (GENERAL DATA PROTECTION REGULATION):

  • Right of access - Right to receive information about whether data is being processed and right to access it.
  • Right to information about this processing (who, for what purpose, recipients, retention period, etc.)
  • Right to rectification - Right to correct inaccurate personal data and complete incomplete information.
  • Right to erasure (Right to be forgotten) - Right to request the erasure of any data concerning you under certain conditions (data that is no longer necessary, withdrawal of consent, data that has been unlawfully processed).
  • Right to Restriction of Processing in the event that the accuracy of the data is disputed, the processing is unlawful, the data is no longer needed by the controller, or you have objected to possible automated processing.
  • Right to data portability - Right to request the transfer of personal data, in a structured, widely used and machine-readable form, to another Processor (for example another doctor) where this is technically possible, provided that the processing of your personal data has taken place after your consent or was necessary for the execution of the contract between us, and that it is carried out by automated means.
  • Right to be informed during automated processing of personal data and to object when the decision is based solely on automated processing, including profiling, and that decision produces legal effects or significantly affects you. We do not process your data automatically. In the event that this changes, we must inform you in writing.

If you wish to exercise any of the above rights, please contact us via e-mail at contact@therasys.gr.

 

DATA CONTROLLER

The Data Controller, i.e. the legal entity that determines the purpose and manner of processing your data, is the company ALEXANDRA DALLA & SIA E.E., Thalias 5, Kantza Pallinis, 15351. To exercise any of your rights, you can contact us either by phone at +30 2109700660 or by email at contact@therasys.gr.

In the case of a personal data breach, the data controller shall notify the competent supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to cause a risk. Where notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay. The notification shall at a minimum: a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records affected, b) state the name and contact details of the data protection officer or other contact point from which more information can be obtained, c) describe the possible consequences of the personal data breach, d) describe the measures taken or proposed to be taken by the data controller to deal with the personal data breach, as well as, where appropriate, measures to mitigate its potential adverse consequences. In the event that it is not possible to provide the information at once, it may be provided gradually without undue delay. The company, as data controller, documents every personal data breach, including the facts concerning the breach, its consequences and the corrective measures taken.

 

DURATION OF RETENTION OF THE FILE WITH YOUR PERSONAL DATA

Your data is kept in a form that allows identification for no longer than is necessary to serve the specific purpose at the time or as required by the applicable legislative and regulatory framework, and in any case for a period of ten (10) years from the last date of transaction with our Company. After the end of the decade, the records concerning you are destroyed. In case of litigation, your personal data will be kept until the end of the pending litigation.

 

WHAT TECHNICAL SECURITY MEASURES DO WE APPLY

  • We use a strong password to access the systems and applications and change it on a regular basis.
  • We use modern computer operating systems and continuously update them.
  • We use anti-malware software (antivirus).
  • We have a firewall on our computers.
  • Our corporate Wi-Fi is password protected.
  • We avoid the use of free software (free download).
  • We take backups at regular intervals.
  • We avoid using free e-mail services to send and receive sensitive data, e.g. a document that refers to the patient's medical condition.
  • The records that are kept in hard copy are accessible only to people authorized by us and are kept in a secure location.