Proton Therapy Center Czech, s.r.o., hereinafter PTCC, processes all personal data in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the General Data Protection Regulation or GDPR), and Act No. 110/2019 Coll., on personal data processing.

Who is supposed to adhere to GDPR

First and foremost, the entity processing personal data shall adhere to the GDPR in terms of its responsibilities. Such an entity is called the personal data controller. The GDPR also governs the activities of the processor, which is an entity processing personal data for the controller. Furthermore, the GDPR shall be followed by supervisory authorities, e.g., the Office for Personal Data Protection, which is to exercise the powers vested therein for the performance of assigned tasks.

Personal data controller and contact details

Proton Therapy Center Czech, s.r.o., with its registered office at Budínova 2437/1a, Postal Code 180 00 Prague 8, Czech Republic. Business ID No.: 26466791. E-mail: info@ptc.cz, phone: +420 999 222 000.

Data Protection Officer

Mgr. Kateřina Krejbichová, DiS., e-mail: katerina.krejbichova@ptc.cz, phone: +420 222 999 058.

I. Purpose of personal data processing

The main activities of PTCC rest with the provision of healthcare services; therefore, we need to know a number of your personal data. The necessary personal data provided by you are collected and processed in both paper and electronic form.

II. What is a personal data processing

Zpracování osobních údajů je jakákoli operace nebo soubor operací, která je prováděna s osobními údaji nebo soubory osobních údajů pomocí či bez pomoci automatizovaných postupů, jako je shromáždění, zaznamenání, uspořádání, strukturování, uložení, přizpůsobení nebo pozměnění, vyhledání, nahlédnutí, použití, zpřístupnění přenosem, šíření nebo jakékoli jiné zpřístupnění, seřazení či zkombinování, omezení, výmaz nebo zničení.

Personal data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Nevertheless, processing as per the Regulation cannot be understood as any handling of personal data. Personal data processing must be considered as an activity carried out by the personal data controller for a specific purpose and in a systematic manner. Handling of personal data which is not processing is governed, e.g., by Act No. 89/2012 Coll., the Civil Code. Besides controllers, only entities processing personal data as per the definition of processing shall comply with the GDPR.

III. What are personal data?

Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

WHAT ARE SPECIAL CATEGORIES OF PERSONAL DATA?

Special categories of personal data are data indicative of the racial or ethnic origin, political opinion, religion or philosophical beliefs, trade union membership, health status or sexual life or sexual orientation of the natural person. Genetic and biometric data processed for the unique identification of natural persons are also considered as special categories of personal data.

IV. Legal basis for the processing of patients’ personal data

Patients’ personal data are processed at PTCC because it is necessary for PTCC to fulfil its obligations as your personal data controller (as per Article 9(2)(h) of the Regulation and/or Article 6(1)(c) of the Regulation).

LEGAL REGULATIONS AUTHORISING PERSONAL DATA PROCESSING IN HEALTH CARE

The statutory obligation is to render healthcare services in accordance with Act No. 372/2011 Coll., on health care services, Act No. 373/2011 Coll., on specific health care services, Act No. 48/1997 Coll., on public health insurance and change and amendment to certain related acts, Act No. 258/2000 Coll., on protection of public health, Act No. 378/2007 Coll., on pharmaceuticals and on amendments to certain related acts (Pharmaceuticals Act), as amended.

V. Personal data sources

Personal data are collected at PTCC namely in the following manner:

• From data subjects, i.e., you, during registration and in relation to the provision of healthcare services and maintenance of medical documentation (orally, in writing, by e-mail, by phone, web forms, etc.).
• Otherwise, in particular, from publicly available registers, lists and records (e.g., registers of health insurance companies) on the basis of contractual relations, etc.

VI. Categories of processed personal data

PTCC processes about you as the data subject, specifically the following data necessary for the performance of the Controller’s duties:

• Identification data serving for clear and unambiguous identification such as first name, surname, title, personal ID, date of birth, address of permanent residence, ID card type and number, Business ID number, Tax ID number, etc.
• Contact details such as mailing address, telephone number, fax number, e-mail address, and other similar information.
• Data concerning health – data collected and processed in relation to the provision of healthcare services.
• Data provided beyond the scope of the applicable legal regulations are processed upon consent granted by you.

VII. Personal data processing and protection method

Personal data are processed by PTCC. Processing is carried out by individual authorised and trained staff members. Personal data are processed in paper and/or electronic form. Personal data are processed only for the necessary period of time which is individual for each purpose of processing and is stipulated by the PTCC Filing and Shredding Rules. After that period of time, personal data are disposed of or further retained for the period stipulated by the applicable legal regulations. PTCC is authorised by law to provide your personal data to selected recipients of personal data such as health insurance companies, other providers of healthcare or social services, state authorities, mandatory registers, etc.

PERSONAL DATA ARE PROCESSED IN RELATION TO THE FOLLOWING PURPOSES

• Providing specialised outpatient care
• Providing consultations
• Presentation within MDT
• Processing mandatory agendas (health insurance companies, health registers, etc.)
• Operating a security camera system
• Monitoring selected telephone lines

VIII. Rights of data subjects

Data subjects have the right to be informed of their personal data processing. In relation to the processing of your personal data at PTCC, you have the right to have access to your personal data, to have your personal data rectified or erased and/or to limit processing if it is not in contradiction with the legal requirements imposed on PTCC. Furthermore, you have the right to raise an objection or complaint about the method of personal data processing and/or you can exercise the right to data portability in the case of a contractual relationship.

Right of access to personal data

You have the right to acquire confirmation of whether the personal data concerning you are processed or not and if so, you have the right of access to such personal data. You will receive information on the processing of your personal data. However, PTCC is authorised to require for any other copy a reasonable fee corresponding to administrative costs incurred by PTCC.

Right to erasure of personal data

The right to erasure (right to be forgotten) establishes the controller’s obligation to erase personal data where one of the following grounds applies:

• The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• The data subject withdraws consent and where there is no other legal ground for the processing;
• The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
• The personal data have been unlawfully processed;
• The personal data have to be erased for compliance with a legal obligation;
• The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

Nevertheless, we would like to point out that it is not possible to require erasure of personal data contained in the medical documentation. Handling of medical documentation is governed by Sections 53–69 of Act No. 372/2011 Coll., on healthcare services, and Decree No. 98/2012 Sb., on medical documentation.

You can exercise your rights and requirements with the data protection officer. Your requirements shall be duly assessed and settled in compliance with the relevant provisions of the Regulation.