iVF Riga SIA PERSONAL DATA PRIVACY POLICY

INFORMATION ABOUT THE CONTROLLER AND ITS CONTACT INFORMATION

1. The Personal Data Processing Controller is iVF Riga SIA (hereinafter referred to as the Clinic), unified registration No. 40103352569, registered address: 1 Zaļā Street, Riga, LV-1010
2. Contact information for matters related to the processing of personal data:
   • By post: 1 Zaļā Street, Riga, LV-1010
   • By phone: +371 61 111 17 
   • By e-mail: ivfriga@ivfriga.eu

Definitions:

• Data Controller

Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is processed.

• Data Processor

Data Processor means any natural or legal person who processes the data on behalf of the Data Controller.

• Data Subject

Data Subject means any living individual who is using the services of our Database.

• Database Services

Information available on this Website.

• Website

www.ivfrigadonors.eu

PRIVACY POLICY

GENERAL INFORMATION

1. The objective of this Privacy Policy is to provide the natural person (the Data Subject) with information about the purpose, legal basis, scope, protection, and duration of the processing of the personal data at the time of data acquisition and processing of the Data Subject’s personal data.
2. This Privacy Policy applies to the protection of privacy and personal data regarding:
   • natural persons – Clients (patients and donors) of the Clinic (including potential, past and present clients);
   • visitors to the Clinic, including those subject to video surveillance;
   • visitors to the Clinic’s Website.
3. The Privacy Policy shall apply to the processing of data irrespective of how or in which environment the Client has provided his/her personal data (in person, on the Clinic’s Website, on paper or by phone).
4. The Clinic shall protect the Patients’ privacy and their personal data, and shall respect the Clients’ right to legitimate processing of their personal data pursuant to the applicable law – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; the Personal Data Protection Law; the Law on the Rights of Patients; the Medical Treatment Law and other applicable privacy and data processing rules and regulations. 
5. Within its operation, the Clinic:
   • protects the Data Subject’s personal data by implementing administrative, technical and physical security measures as far as they are proportionate to the risks involved;
   • informs and explains what personal data is required for receiving the services and how it will be used;
   • transfers data to third parties in compliance with the applicable regulatory framework;
   • implements measures to provide regular training and information to its personnel on the protection of personal data in order to reduce the likelihood of incidents occurring;
   • implements internal control procedures that help minimize the likelihood and consequences of security incidents.

PURPOSES AND LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

1. The Clinic processes personal data for the following purposes:
   • Provision and administration of health care services:
     • identification of the patient;
     • processing the patient’s appointment with the Clinic’s specialists;
     • drawing up of the patient’s medical documentation in accordance with the requirements set out in laws and regulations;
     • reminding the patients of the planned appointments with the Clinic’s specialists;
     • carrying out medical examinations;
     • providing doctors’ advice and carrying out medical procedures;
     • assessing the state of health of patients or other natural persons;
     • administrating payments;
     • debt collection from debtors;
     • examining patients’ objections and ensuring quality control;
     • promoting patients’ loyalty and measuring satisfaction;
     • preparing and signing contracts with patients;
     • website maintenance and performance improvement;
   • conducting scientific activities related to clinical research;
   • providing information to public administration institutions and bodies performing operational activities in the cases and to the extent provided for in external regulations.
   • ensuring the safety and property protection of patients and the Clinic’s staff;
   • entering information into the National Unified Medical Information System (E-health).
2. The Clinic processes patients’ personal data on the following legal basis:
   • for the purposes of medical diagnosis and treatment (Article 9(2)(h) of the Regulation);
   • with the consent of the data subject (patient) (Article 9(2)(a) of the Regulation; Section 10(2) of the Law on the Rights of Patients);
   • for the purposes of complying with laws and regulations – in order to carry out the obligations set out in external laws and regulations binding on the Clinic or exercise the rights of the data subject set out in external laws and regulations (Article 9(2)(b) of the Regulation; Section 10 of the Law on the Rights of Patients);
   • in cases where processing is necessary for the exercise or defense of the Clinic’s legal interests in the court (Article 9(2)(f) of the Regulation);
   • in cases where processing is necessary for the exercise of the Clinic’s legal interests (to organize an efficient process for the provision of health care services, to ensure an efficient process for requesting and canceling patients’ appointments and to receive payments for the provided health care services);
   • in cases where processing is necessary for the performance of a contract to which the data subject (patient) is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the Regulation);
   • in cases where processing is necessary in order to protect the vital interests of the data subject (patient) or of another natural person (Article 6(1)(d) of the Regulation).

AMOUNT OF INFORMATION ACCUMULATED

1. In its core activities, the Clinic primarily obtains basic information from the Data Subject that is needed to unambiguously identify the individual concerned for the provision of medical services and communication:
   • Given name
   • Surname
   • ID number (identification number) 
   • Address 
   • Phone number and/or e-mail address 
2. As part of the provision of the Services, the Clinic may obtain additional information from the Data Subject and other third parties, which includes, but is not limited to, referral information, information about previous medical treatment cases and information obtained in the context of a specific treatment episode.
3. The specific amount of information depends on the nature of the service to be provided and the applicable laws and regulations governing the provision of the service.
4. The Clinic is aware that in the course of providing its services, it processes health data which is considered to be special categories of personal data in the context of the Regulation.

PROCESSING AND PROTECTION OF PERSONAL DATA 

1. The Clinic processes the Patient’s data by means of advanced technologies, taking into account the current risks to privacy, as well as organizational, financial and technical resources available to it the Clinic.
2. The Clinic is constantly developing and supplementing the technical solutions at its disposal, taking into account the current industry trends and opportunities, based on the identified risks.

CONDITIONS OF USE AND RELEASE OF DATA

1. Personal data available to the Clinic and obtained during the provision of services are used:
   • to ensure the operation of the Clinic and to the extent necessary for the provision of the highest quality services possible;
   • to build cooperation with other third parties and to implement the patient’s treatment process.
2. The Clinic, in cooperation with third parties, carries out its activities only in accordance with the laws and regulations governing the Clinic’s capabilities for the exchange of personal data in relation to the collection and transfer of necessary data.
3. In its daily work, the Clinic takes measures to minimize the amount of personal data processing for its staff by ensuring that the staff has access only to the data of patients they need in order to perform their job duties.
4. The Clinic ensures that personal data available to it are transferred only to the Data Subject himself or herself. The data are transferred to third parties, including persons related to the Data Subject, only in cases where the Data Subject’s written consent has been received or the case where such transfer of data is permitted is prescribed in laws and regulations.
5. The Clinic does not transfer data if it cannot verify the Data Subject’s identity or suspects that the Data Subject’s presented identity does not match his or her true identity.
6. In cases where the transfer of data is implemented via the means of e-mail communication, the Clinic ensures that such an operation is carried out only after receipt of the consent of the Data Subject.
7. When transferring data via the means of e-mail communication or other online data exchange solutions, including self-service information system platforms, the Clinic implements measures to protect the relevant data by applying data access protection or encryption methods.
8. The Clinic transfers personal data to third parties, ensuring that such third parties maintain the confidentiality of personal data and provide appropriate protection.
9. The Clinic has the right to transfer personal data to the Clinic’s service providers that assist the Clinic in the performance of its functions. In this case, the principle of minimizing the data to be transferred is respected.
10. In the case referred to in Paragraph 22, the Clinic’s service providers receiving and processing personal data are regarded as personal data controllers within the meaning of the Regulation, and a written contract is concluded with them stating that the Clinic requests the data recipients to commit to use the information received only for the purposes for which they have been transferred and in accordance with the applicable laws and regulations in the field of data processing and data protection.
11. The Clinic transfers data to third countries (countries outside the European Union and the European Economic Area) only in cases where the Data Subject’s written consent has been received.

DURATION OF STORAGE OF PERSONAL DATA

1. The Clinic stores and processes the Clients’ personal data as long as at least one of the following criteria exists:
   • as long as the obligations arising from the contract signed between the Clinic and the Client are being fulfilled or the Client is being provided with health care services;
   • as long as the Clinic has a statutory obligation to store the relevant data;
   • as long as the Client’s request/application is being fully examined and/or fulfilled;
   • as long as the Client’s consent to the relevant processing of personal data is valid, unless there is another legitimate basis for the data processing;
   • personal data (video recordings) obtained through video surveillance are stored for a maximum of 30 days from the date of the recording.
2. Upon the occurrence of conditions which provide that further storage of the Client’s data is not necessary, the Client’s personal data shall be deleted.

ACCESS TO PERSONAL DATA AND OTHER CLIENTS’ RIGHTS

1. The Clinic provides the patient with the right to receive statutory information regarding the processing of his/her data.
2. In accordance with laws and regulations, the Client also has the right to request the Clinic to provide him/her with access to his/her personal data, as well as to request their completion, rectification or erasure from the Clinic, or restriction of processing concerning the Client or the right to object to processing, as well as the right to data portability. These rights shall be exercised insofar as the data processing does not result from the obligations imposed on the Clinic by the applicable laws and regulations.
3. The Client may submit a request for the exercise of his/her rights:
   • in person at the Clinic in writing, presenting an identification document;
   • by e-mail, signing the letter with a secure electronic signature and sending it to the following e-mail address: ivfriga@ivfriga.eu;
   • by sending a letter to the Clinic by post.
4. Upon receipt of the Client’s request for the exercise of his/her rights, the Clinic verifies the Client’s identity, assesses the request and fulfils it in accordance with laws and regulations.
5. The Clinic sends a reply to the Client as soon as possible, taking into account the method of receipt of the response indicated by the Client.
6. If the reply is sent by post, it is addressed to the Data Subject (the person whose personal data is requested) by a registered letter. If the reply is provided electronically, it is signed with a secure electronic signature (if the application has been submitted with a secure electronic signature).
7. The Clinic ensures fulfilment of data processing and protection requirements in accordance with laws and regulations and in case of the Client’s objections takes action to resolve the objection.
8. The Client has the right to receive one copy free of charge containing his/her personal data processed by the Clinic.
9. The receipt and/or use of the information referred to in Paragraph 34 of this document may be limited in order to prevent adverse effects on the rights and freedoms of other persons (including the Clinic’s staff).
10. The Clinic undertakes to ensure the accuracy of the personal data and relies on its Clients, suppliers and other third parties providing the personal data to ensure that the transferred personal data are complete and correct.

CLIENTS’ CONSENT TO DATA PROCESSING AND RIGHT TO WITHDRAW IT

1. The Client may consent to the processing of personal data, the legal basis of which is the consent, in person at the Clinic, by sending it in paper format by post or by sending it by e-mail signed with a secure electronic signature.
2. The Client has the right at any time to withdraw the consent given to the data processing in the same way as it was given, in which case further processing of the data based on the previously given consent for the specific purpose will not be carried out anymore.
3. Withdrawal of the consent will not affect the data processing carried out at a time when the Client’s consent was in force.
4. Processing of data carried out on the basis of other legal grounds (for example, in accordance with external laws and regulations or a contract between the Clinic and the Client) may not be terminated by withdrawing the consent.

VISITING OF WEBSITES AND PROCESSING OF COOKIES

1. The website of the Clinic may use cookies.
2. Cookies are files that websites place on users’ computers in order to recognise the user and facilitate his/her use of the website. Internet browsers can be configured to alert the visitor to the use of cookies and allow him/her to choose whether or not he/she agrees to accept them. Not accepting cookies will not prohibit the visitor from using the Clinic’s website, but may limit the visitor’s ability to use the website.
3. The website of the Clinic may include links to third party websites that have their own terms of use and personal data protection for which the Clinic is not responsible.
4. The websites of the Clinic may include links to third-party internet websites, which have their own usage and personal data protection rules, and which are not the responsibility of the Clinic.

CHANGES TO PRIVACY POLICY

1. The Clinic reserves the right to make changes to its Privacy Policy if certain circumstances change that affect the regulation of the processing of personal data. The clinic recommends that you visit this section regularly for current information.
2. The Clinic keeps the previous versions of the Privacy Policy which are available on the Clinic’s website.