This policy describes how “WeCare Medical Centre” a modern, and stylish outpatient Medical Centre with time-sensitive services, careful medical treatment, up-to-date attitude towards patients, and advanced approach to healthcare, owned and operated by 2Work Services Ltd. (12 Dimokratias Avenue, P.O. Box 60443, Paphos, 8028, Cyprus) is committed to protecting and respecting your privacy.

 

1. “WeCare” about your health as well as we care about your personal data

 

• The lawful and correct treatment of your personal data is paramount to the success of WeCare Medical Centre and to maintaining the confidence of its service users and employees. This policy will help WeCare Medical Centre ensure that all person-identifiable information is handled and processed lawfully and correctly.

 

• All person-identifiable information either manual or electronic must be processed (held, obtained, recorded, used and shared) properly to ensure compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council (known as the “General Data Protection Regulation” or “GDPR”).

 

• The aim of this policy is to outline and explain to you how WeCare Medical Centre meets its legal obligations in safeguarding confidentiality and adheres to information security standards. The obligations within this policy are principally based upon the requirements of the GDPR, as the key legislative and regulatory provisions governing the security of person-identifiable information. Personal data is defined as “information which relates to a living individual and from which they can be identified, either directly or indirectly”. Personal data processing includes collection, verification, storage, use, protection, update, deletion and other actions related to the personal data.

 

• The GDPR gives numerous rights to data subjects to access their own personal information, to have it corrected if wrong, in certain permitted circumstances to ask to control its use, and to seek damages where we are using it improperly.

 

• The GDPR requires WeCare Medical Centre to comply with the eight data protection principles and to notify the Office of the Commissioner for Personal Data Protection about the data that we hold and why we hold it. This is a formal notification and is renewed annually.

 

• WeCare Medical Centre collects and uses person-identifiable information about individuals in order to carry out its functions and fulfil its objectives.

 

• Beyond the GDPR WeCare Medical Centre has a legal obligation to comply also with all relevant legislation in respect of data protection and information / IT security. The organisation also has a duty to comply with guidance issued by the Department of Health, as well as other relevant guidance issued by advisory groups and professional bodies.

 

• All legislation relevant to an individual’s right to the confidentiality of their information and the ways in which that can be achieved and maintained are paramount to WeCare Medical Centre. Significant penalties can be imposed against the organisation or its employees for non-compliance.

 

• We, at WeCare Medical Centre strictly adhere to the rules of legitimate data processing and therefore you can trust us that we will

• always keep your personal data safe and private,
• never sell your personal data,
• not keep or process your data for longer as prescribed or allowed by the applicable laws,
• allow you to manage, review and exert all your rights with respect to your personal data kept by us in accordance with the GDPR and
• respect the highest standards of equality and diversity, and therefore we will refrain from action of discrimination, either directly or indirectly, on the grounds of gender, race, colour, ethnic or national origin, sexual orientation, marital status, religion or belief, age, occupation, union membership, disability, offending background or any other personal characteristic.

 

 

2. Scope of this policy

 

• Individuals can be identified by various types of personal data. Anonymised or aggregated data is not regulated by the provisions, providing the anonymisation or aggregation of the data is irreversible.

 

• All personal data processed in WeCare Medical Centre may include, among others, patients’ records (present and past), employees’ data (present, past and prospective), associated doctors’ data, contractors’ data and third parties’ data. Data processing in WeCare Medical Centre can involve both personal data as well as special categories data, such as data concerning health conditions.

 

• The personal data protection applies to all person-identifiable information obtained and processed by WeCare Medical Centre regardless the source or form of processing. It sets out among others:

• the types and kinds of personal data, the eventual legal basis and purpose of data processing,
• the rights of data-subjects,
• establishes the responsibilities (and best practice) for data protection,
• the key principles and objectives of data protection

 

• All WeCare Medical Centre staff members have a legal duty to keep all information provided to the organisation strictly confidential. This legal obligation is further enforced through the codes of practice of all staff respective professions and by virtue of their contractual relationship with WeCare Medical Centre.

 

• Staff contracts of employment and cooperation agreements are produced and monitored by the Human Resources specialist. All contracts of employment include an information governance/data protection and confidentiality clause. Students are subject to the same rules.

 

• As part of the induction process, both corporate and departmental, all employees of the WeCare Medical Centre will be made aware of their responsibilities in connection with the GDPR and commitments mentioned in this policy. This will be provided through their Statement of Terms and Conditions and targeted training sessions carried out by application managers and/or other trainers/specialists.

 

• WeCare Medical Centre applies transparent rules and timeframes relating to retention and disposal of personal data which have been set according to data protection principles of the GDPR.

 

• We do not intend to transfer your personal data abroad.

 

 

3. Types and different sources of personal data collected and processed in WeCare Medical Centre

 

• We collect and process different types of personal data from you and others, namely:

• information you give us when you fill in any forms, sign contracts or corresponds with us, when you register to use our app, assign for membership or health plans, take part in promotions or surveys, speak with or consult with any of our medical or support personnel,
• information from your device whenever you use our website or app (for details kindly read WeCare Medical Centre Cookies Policy) including your location for provision of medical urgent support,
• information from third parties for example the Health Insurance Organization which has the sole responsibility for the implementation, monitoring and management of the General Health System in Cyprus.

 

• We will collect the following information: your name, address, date and place of birth, nationality, ID number and special healthcare identification number (if you were assigned such identification), gender, number of children, login details, credit card or banking payment details, contact details like residential address, email address, phone number of yours and yours next of kin, information about your health condition, physical and mental status, medical case history (anamnesis), list of fought off illnesses, treatment, medication and vaccination record, health insurance and the information if you are a beneficiary of GeSY in Cyprus or not.

 

• We inform you that the above information and data are obtained, stored and processed in WeCare medical Centre manually in hard copy, scanned soft copy or other electronic (computer) form (for example RTG, CT, ultrasound images etc.).

 

• As long as minor´s personal data are concerned additional protection is granted to this type of personal data since children are less aware of the risks and consequences of sharing data and of their rights. For our services to be provided to a minor the consent of the parent or guardianwill be required in order to process a child’s personal data on the grounds of consent.

 

 

4. Legal basis for processing of personal data

 

• We must have a legal basis (a valid legal reason) for processing of your personal data. We use your personal data so we can provide the best service, tell you about products and services you may be interested in, and meet our legal obligations towards you and the public interest.

 

• Our legal basis will be one of the following:

• keeping to our professional commitments and agreements concluded with you, including your identification, setup and execution of the requested service, treatment, medical examination, prescription of medication etc.,
• legal and regulatory obligations (for example the annual notification of information commissioner),
• legitimate interests of WeCare Medical Centre (we sometimes collect and use your personal data, or share it with other organisations, because we have a legitimate reason to use it and this is reasonable when balanced against your right to privacy),
• your consent (where you’ve agreed to us collecting your personal data, for example when you have ticked a box to indicate you are happy for us to use your personal data in a certain way),
• substantial public interest (where we process your personal data to adhere to government regulations or guidance).

 

• We obtain and process person-identifiable information for a variety of different purposes, including but not limited to:

• provision of medical services including maintaining of up-to-date medical records of its patients,
• protection of public order and public interest (prevention of spread of foreign diseases or pandemic),
• staff records and administrative services (membership programs and medical plans),
• matters relating to the prevention, detection and investigation of fraud and corruption,
• protection of our lawful legal interests, staff and property,
• ensure third party services for the needs of our lawful operation (legal services, accounting and bookkeeping, audit, marketing and promotion etc.),
• inspections of security threats, complaints processing and requests for information,
• other purposes addressed with your prior consent.

 

• We will generally keep your personal data for such period as may be required by applicable laws.

 

 

5. Objectives of data protection at WeCare Medical Centre

 

• The objectives of overall data protection efforts conducted by us are – in accordance with relevant legislation – the following:

• to ensure regulatory cooperation with the respective authorities, including timely and proper notification (annually notify the Information Commissioner about the WeCare Medical Centre use of person-identifiable information),
• ensure that person-identifiable information is processed, handled, transferred, disclosed and disposed of lawfully,
• to ensure professionalism (all information is obtained, held and processed in a professional manner in accordance with the provisions of the GDPR),
• to preserve security person-identifiable information should be obtained, held, handled, disclosed and disposed in the most secure manner by authorised staff only, on a need-to-know basis,
• to ensure awareness (provision of appropriate training and promote awareness to inform all employees of their responsibilities (eLearning training),
• data subject´s access with provision of choice to patients (patients have different needs and values – this must be reflected in the individual way that they are treated, both in terms of their medical condition and the handling of their personal information.

 

 

6. Your rights under GDPR

 

• Under the GDPR you have the following rights:

• to obtain access to, and copies of, the personal data that we hold about you,
• to require us to restrict data processing with respect to your data, that we cease processing your personal data,
• to require that we erase your personal data,
• to require us to correct the personal data we hold about you if it is incorrect.
• to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller,
• to file complaint against the data processing in WeCare Medical Centre,
• to require us to seek your consent prior to using your information in ways that do not directly contribute or support the delivery of their medical care or healthcare service,
• to change your mind and recall any formerly granted consent with respect to data processing,
• to require that we do not to send you marketing communications and promotion materials,
• to be respected in terms of your decisions to restrict the disclosure or use of your data,
• for effective and explanatory communication in order to ensure your comprehension with respect to implications of your choices to agree or restrict the disclosure or use of your personal information.

 

• Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply subject to the provisions of GDPR.

 

 

7. Data protection management and responsibilities in WeCare medical Centre

 

• WeCare Medical Centre executive personnel, collectively known as the “data controller” permit the organisation’s staff to use computers and relevant filing systems (manual records) in connection with their duties. WeCare Medical Centre Board members have legal responsibility for the notification process and compliance of the GDPR.

 

• WeCare Medical Centre executive personnel whilst retaining their legal responsibilities, they have designated for the purpose of monitoring compliance with the GDPR requirements, the Data Protection Officer (“DPO”).

 

• All senior managers across the organisation are directly responsible for ensuring their direct subordinated staff is made aware of this policy and any notices thereof, the staff is aware of their data protection responsibilities and that the staff receives suitable data protection training.

 

• All WeCare Medical Centre employees, including temporary and contract staff are subject to compliance with this policy. Under the GDPR individuals can be held personally liable for data protection breaches.

 

• All WeCare Medical Centre employees have a responsibility to inform their Department Head and the Data Protection Officer of any new use of personal data, as soon as reasonably practicable after it has been identified.

 

• All WeCare Medical Centre employees will, on receipt of a request from an individual for information held, known as a data subject´s access request or concerns about the processing of personal information, immediately notify the Data Protection Officer.

 

 

• The Data Protection Officer’s responsibilities include:

• ensuring that this policy is produced, applied, enforced where needed and kept up-to-date,
• ensuring that the appropriate practice and procedures are adopted and followed in WeCare Medical Centre,
• provide advice and support to the personnel on data protection issues within the organisation,
• work collaboratively within the Human Resources specialists to help set the standards of data protection training for staff,
• ensure data protection notification with the Information Commissioner’s Office is reviewed, maintained and renewed annually for all use of person-identifiable information,
• ensure compliance with individual rights, including data subject access requests,
• permanent monitoring of compliance with GDPR and this policy within the organisation,
• act as a central point of contact on data protection issues within the organisation, including complaints management and exclusive handler of all data protection issues, losses, breaches, threats etc. within the organisation,
• implement and update an effective framework for management of data protection within the organisation.

 

• Breaches of this policy will be considered as a serious disciplinary offence and will be dealt with accordingly. Examples of offences which may be gross misconduct (the list is not exhaustive) are:

• unlawful disclosure of personal data,
• inappropriate or unauthorized (if applicable) use of personal data,
• misuse of the personal data,
• loss of personal data,
• acting in conflict with the data controller´s interests with respect to its endeavours in the field of data protection.

 

• WeCare Medical Centre’s Data Protection Office may be contacted directly with regards to all matters concerning this policy and the processing of your personal data including the enforcement of all applicable and available rights. Official requests may be made electronically at: dataprotection@wecare.com.cy.

 

• For any complaints you may have you may contact the Data Commissioner of the Republic of Cyprus at http://www.dataprotection
• If we change the way we use and process your personal data, we will update this policy and, as appropriate, let you know by email, through our app or through our website. You always can find the latest version of this policy on our website.