The Protection of Personal Data
Ensuring the protection of your personal data is very important to us. Therefore, when processing personal data, we strictly comply with valid legal regulations, in particular, the principles and requirements arising from Regulation (EU) No. 2016/679 of the European Parliament and of the Council, the so-called GDPR, and relevant provisions of The Slovak Council Act no. 18/2018 Coll. on the Personal Data Protection as amended (hereinafter referred to as the “Personal Data Protection Act”).
1. Information about the operator
The operator of the personal data processing is the company BIONT, a.s., company registration number: 35 917 571, with its registered office at Karloveská 63, 842 29 in Bratislava, registered in the Commercial Register of the District Court Bratislava I, Section: Sa, Insert number: 3505/B, contact : biont@biont.sk, phone number: 02/206 70 749 (hereinafter referred to as “BIONT”).
2. How to contact us
In case of any questions related to the processing of your personal data, please contact our DPO (Data Protection Officer), who is entrusted with the supervision of the processing of personal data in our company. You can contact the DPO via e-mail at gdpr@biont.sk or in writing at the address: DPO, BIONT, a.s., Karloveská 63, 842 29 Bratislava.
3. Why we process personal data
The processing of personal data is necessary on our part mainly so that we can:
- provide health care,
- process information about legal representatives,
- report adverse effects and adverse events,
- keep accounting records,
- communicate with you,
- provide rent and lease,
- sell and distribute radiopharmaceuticals,
- conclude other contractual relationships.
4. For what purposes, for what period of time and based on what legal bases we process personal data
Records of outpatients
Purpose: The principal purpose is to provide outpatient health care to patients. This is mainly about diagnosis, treatment and dispensary care for patients, that cannot be provided to patients without processing and recording of personal data on the patient, records of hospitalization, medical records, schedules of provided health care and estimated costs.
Legal basis according to GDPR: Fulfillment of the legal obligation of the operator in accordance with Article 6(1)(c) of Slovak Council Directive no. 460/1992 Coll., Slovak Council Act no. 576/2004 Coll. on Health Care, on Services related to the provision of Health Care and on the amendment of certain laws as amended, Act no. 577/2004 Coll. on the scope of health care covered on the basis of public health insurance and on the reimbursement of health care services, as amended, Act No. 578/2004 Coll. on health care providers, health professionals, state organizations in the health sector as amended, Act no. 580/2004 Coll. on health insurance, as amended, Act no. 581/2004 Coll. on health insurance companies, health care supervision as amended, Act no. 362/2011 Coll. on medicinal products and medical devices as amended, professional guidance of the Ministry of Health of the Slovak Republic no. 42 – 48 of 15 October 2009 on the management of health documentation published in the Bulletin of the Ministry of Health of the Slovak Republic, No. 307/2014 Coll. on certain measures related to the reporting of anti-social activity as amended, Act No. 374/2014 Coll. on receivables of the State as amended.
Deadlines for deleting personal data: 30 years after the last provision of health care.
Electronic referrals
Purpose: The purpose of personal data processing is the processing of personal data of applicants – attending physicians and their patients – necessary for sending an online referral for examination via an online form on the operator’s website.
Legal basis according to GDPR: Fulfillment of the legal obligation of the operator in accordance with Article 6(1)(c) of Slovak Council Directive no. 460/1992 Coll., Slovak Council Act no. 576/2004 Coll. on Health Care, on Services related to the provision of Health Care as amended, Act no. 577/2004 Coll. on the scope of health care covered on the basis of public health insurance and on the reimbursement of health care services, as amended, Act No. 578/2004 Coll. on health care providers, health professionals, state organizations in the health sector as amended, Act no. 580/2004 Coll. on health insurance, as amended, Act no. 581/2004 Coll. on health insurance companies, health care supervision as amended, Act no. 362/2011 Coll. on medicinal products and medical devices as amended, professional guidance of the Ministry of Health of the Slovak Republic no. 42 – 48 of 15 October 2009 on the management of health documentation published in the Bulletin of the Ministry of Health of the Slovak Republic, No. 307/2014 Coll. on certain measures related to the reporting of anti-social activity as amended, Act no. 374/2014 Coll. on receivables of the State as amended.
Deadlines for deleting personal data: 30 years after the last provision of health care.
Patients’ reports
Purpose: The purpose of processing personal data of natural persons – patients – is to report adverse effects of medicinal products within the framework of pharmacovigilance according to Act no. 362/2011 on medicinal products and medical devices as amended.
Legal basis according to GDPR: Fulfillment of the legal obligation of the operator in accordance with Article 6 (1)(c) Act no. 362/2011 Coll. on Medicines and Medical Devices.
Deadlines for deleting personal data: 10 years after the end of the processing purpose.
Provision of data from medical records to third parties
Purpose: The purpose of processing personal data within the agenda in question is to fulfill the operator’s legal obligations to provide data from the patient’s medical records to third parties who request it and the law allows them to provide this data, while determining the conditions of provision (scope, method, etc.).
Legal basis according to GDPR: Fulfillment of the legal obligation of the operator in accordance with Article 6 (1)(c) of the Regulation. Paragraph 23-25 of Slovak Council Act no. 576/2004 Coll. on health vare and services related to the provision of health care as amended.
Deadlines for deleting personal data: 30 years.
Clinical studies, research
Purpose: Keeping records on patients who are enrolled in a clinical study or participated in a clinical study and research organized by the operator and records on the course of the clinical study and research itself.
Legal basis according to GDPR: Fulfillment of the legal obligation of the operator in accordance with Article 6(1)(c) of Slovak Council Directive no. 460/1992 Coll., Slovak Council Act no. 576/2004 Coll. on the provision of health care as amended, Act no. 362/2011 Coll. on medicinal products and medical devices as amended. Directive 96/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Deadlines for deleting personal data: 20 years.
Records of entries into the controlled zone
Purpose: The purpose of personal data processing within the agenda in question is to record entries into premises where radioactive materials are worked with.
Legal basis according to GDPR: Fulfillment of the legal obligation of the operator in accordance with Article 6 paragraph 1 letter c) Article 6(1)(c) of Slovak Council Directive no. 87/2018 Coll. on radiation protection as amended, Decree of the Ministry of Health of the Slovak Republic no. 99/2018 on the provision of radiation protection, Decree of the Ministry of Health of the Slovak Republic no. 101/2018, which establishes details on the provision of radiation protection in the course of medical exposure.
Deadlines for deleting personal data: Radiation protection records are archived for 30 years in accordance with the registry regulations.
The documentation is kept until the person has reached or would have reached 75 years of age, but in any case at least 30 years after the termination of the employment.
Camera system
Purpose: The purpose of personal data processing within the subject agenda is the monitoring of premises by a camera system for the reason of:
A) protection of the operator’s property against theft, break-in, robbery, or other vandalism as well as ensuring the safety of the operator and affected persons;
B) protection of life and health of affected persons – patients undergoing radioactive treatment.
Legal basis according to the GDPR: Legitimate interest in the sense of Article 6 (1)(f) of Directive. The main legitimate interest is:
A) protection of the operator’s property against theft, burglary, robbery, or other vandalism as well as ensuring the safety of the operator and affected persons;
B) protection of life and health of affected persons – patients undergoing radioactive treatment.
Deadlines for deleting personal data:
A) 14 days from the day following the day on which the record was made;
B) live streaming without recording.
Public procurement
Purpose: The purpose of processing personal data within the subject agenda is to keep records of natural persons (especially managers of legal entities) who, by law, have participated in public procurement for the provision and procurement of goods, pieces of work and services.
Legal basis according to GDPR: Fulfillment of the legal obligation of the operator in accordance with Article 6(1)(c) of Directive. The processing of personal data is permitted by Slovak Council Act no. 343/2015 Coll. on public procurement and on the amendment of certain laws, as amended.
Deadlines for deleting personal data: within the meaning of the Regulations of the Registry.
Contractual relations
Purpose: The purpose of personal data processing is the processing of personal data of natural persons as part of the preparation of contractual relationships, property transfers, lease agreements, purchase agreements, cooperation agreements, mandate agreements, etc. Furthermore, it is participation in the drafting of contracts within supplier/customer relations, exercising the right to fulfill obligations from contracts and property sanctions, rights to compensation for damages, etc.
Legal basis according to the GDPR: Fulfillment of the contract in accordance with Article 6 (1)(b) and (c) of the Regulation. Act no. 40/1964 Coll. of the Civil Code as amended, Act no. 513/1991 Coll. of the Commercial Code, as amended, Act no. 250/2007 Coll., contracts concluded in accordance with the aforementioned legal regulations.
Deadlines for deleting personal data: 10 years after the end of the contractual relationship.
Records of accommodated guests, records of foreigners
Purpose: The purpose of personal data processing is:
Records of accommodated guests as well as sending a report on the stay of foreigners, mutual communication between the applicant for accommodation, the accommodated guest and the accommodation provider due to the reservation or change of conditions for the provision of accommodation.
Legal basis according to GDPR:
A) Fulfillment of the legal obligation of the operator in accordance with Article 6 (1)(c) of the Regulation. Slovak Council Act no. 253/1998 Coll. on reporting the residence of citizens of the Slovak Republic and on the register of residents of the Slovak Republic, Slovak Council Act no. 404/2011 on the residence of foreigners as amended.
B) Legitimate interest within the meaning of Article 6(1)(f) of the Regulations. The main legitimate interest is mutual communication between the applicant for accommodation, the accommodated guest and the accommodation provider due to the reservation or change of conditions for the provision of accommodation.
Deadlines for deleting personal data:
A) Recording of accommodated guests – 5 years from the registration
B) Contact information for mutual communication – 3 months from the provision of accommodation services.
Professional experience
Purpose: The purpose of processing personal data within the subject agenda is to keep records of natural persons – students – who will participate in professional practice (practical training) at the information system operator lasting for a predefined time.
Legal basis according to GDPR: Performance of the operator’s legal obligation within the meaning of Article 6 (1)(c) of the Regulation. Slovak Council Act no. 245/2008 Coll. on education and training (School Act) as amended.
Deadlines for deleting personal data: 10 years.
5. Are your personal data transferred to third countries?
In case of registration of job applicants via Profesia.sk portal, personal data is transferred to the USA (California). Profesia.sk has concluded Standard contractual clauses on the transfer of personal data to a third country.
In other cases, cross-border transfer does not take place.
6. What rights do you have as a person concerned?
The persons concerned, whose personal data are processed in our information systems for specifically set out purposes may invoke the following rights in writing or electronically:
- The right to access personal data – this is the right to obtain confirmation of whether your personal data is being processed, as well as the right to obtain access to this data, within the scope of the purposes and duration of processing, the category of personal data concerned, the range of recipients, the procedure in any automated processing, or about the consequences of such processing. As an operator, we have the right to use all reasonable measures to verify the identity of the data subject requesting access to the data, in particular in relation to online services and identifiers (Article 15, Recital 63, 64 of the Regulation).
- The right to correct incorrect personal data and to completion of incomplete personal data (Article 16, Recital 65 of the Regulation).
- The right to erasure – “forgetting” of those personal data that are no longer needed for the purposes for which they were processed; in the case of withdrawal of consent, in the case of illegal processing; if personal data were obtained in connection with an offer from information company (in children), subject to the fulfillment of the conditions specified in Article 17, Recital 65, 66 of the Regulation.
- The right to restrict processing can be exercised if you, as a data subject, challenge the correctness of personal data and other details in accordance with Article 18, Recital 67 of the Regulation, in the form of temporary transfer of selected personal data to another processing system, prevention of user access to selected personal data or temporary removal of processing.
- The right to portability of personal data is the right to transfer the personal data provided by you to our information systems based on your consent or fulfillment of the contract to another operator in a structured, commonly used and machine-readable format, as long as it is technically possible and in compliance with the conditions of Article 20, Recital 68 of the Regulation, in case the processing is carried out by automated means. The exercise of this right is without prejudice to Article 17 of the Regulation. The right to data portability does not apply to processing necessary to fulfill a task carried out in the public interest or in the exercise of public authority entrusted to us as the operator.
- Right to complain – without prejudice to any other administrative or judicial means of redress, you as the affected person have the right to file a complaint in accordance with Article 77 of the Regulation with the supervisory authority, which is the Personal Data Protection Office of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27; phone number: +421 2 3231 3214, e-mail: statny.dozor@pdp.gov.sk; website: https://dataprotection.gov.sk, if you believe that the processing of personal data concerning you is contrary to the Regulation or the Act on the Protection of Personal Data.
As a data subject, you also have the right to object at any time for reasons related to a specific situation to the processing of your personal data, which are necessary to fulfill a task carried out in the public interest or in the exercise of public authority entrusted to us as the operator, and also if the processing is necessary for the purposes of legitimate interests, which we monitor as an operator or a third party (except for processing carried out by public authorities in the performance of their tasks), except in cases where such interests are overridden by your interests or fundamental rights and freedoms as a data subject that require the protection of personal data (especially if the person concerned is a child).The company BIONT, a.s., Karloveská 63, 842 29 Bratislava, as the operator of the information system, has adopted all appropriate personnel, organizational and technical measures for the purpose of maximum protection of your personal data in order to reduce the risk of their misuse, leakage and the like as much as possible. In accordance with our obligation arising from Article 34 of the Regulation, we inform you as the affected persons that if a situation arises that we, as the operator, violate the protection of your personal data in a way that is likely to lead to a high risk of violation of the rights and freedoms of natural persons, we will notify you of this fact without undue delay .
NOTICE: Due to the principle of minimization, all personal data provided by you is only a necessary legal or contractual requirement to fulfill the purpose of their processing. Failure to provide the mandatory data necessary to conclude the contract may result in the failure to conclude the contractual relationship.
If your personal data is processed on the basis of consent according to article 6 par. 1 letter a) Regulations and the Act on the Protection of Personal Data, as a data subject, you also have the right to revoke your consent to the processing of personal data at any time, even before the expiration of the period for which this consent was granted, in the following ways:
- by an e-mail request sent to the address gdpr@biont.sk or
- by sending a written request to the address of the operator’s registered office with the text “GDPR – withdrawal of consent” on the envelope.
7. Validity
The Operator is entitled to change or update this Privacy Policy as necessary at any point of time by publishing its updated version on their website.
Valid from 1 April 2024.