Privacy Policy

General provisions

Your Data Controller is UAB „Drops Clinic“ šeimos klinika, legal entity code 306047981, registered office address: V. Putvinskio g. 50A, LT-44211 Kaunas, phone number: +370 614 69309, e-mail: info@dropsclinic.lt. (hereinafter – Drops, Klinika, „Drops Clinic“ šeimos klinika). You can contact our data protection officer for all questions related to personal data protection by e-mail: info@dropsclinic.lt. We understand and respect the right to privacy and data protection of our patients and other natural persons whose personal data we process (hereinafter – Data Subjects), therefore we make every effort to ensure the highest possible level of personal data protection for personal data processed in our clinics.

In this privacy notice, we provide information about how „Drops Clinic“ šeimos klinika processes the personal data of Data Subjects, including information about where and what personal data we receive and to whom we transfer it, for what purposes and on what legal grounds we process it, what security measures we have implemented, what rights we have Data subjects and where they can apply for their implementation or other issues related to personal data processing.

The privacy notice is prepared based on the following legal acts:

• of the European Parliament and the Council in 2016 April 27 regulation (EU) 2016/679 on the protection of natural persons in the processing of personal data and on the free movement of such data and which repeals Directive 95/46/EC (hereinafter – GDPR or the Regulation);
• in 2018 June 30 Law of the Republic of Lithuania on Legal Protection of Personal Data no. XIII-1426 (hereinafter – ADTAĮ);
• in 2004 April 15 Electronic Communications Law of the Republic of Lithuania No. IX-2135;
• Guidelines and recommendations prepared by the State Data Protection Inspectorate and the European Data Protection Board.

Sources of personal data

The clinic processes personal data:

• Received directly from the Data Subjects: when you register for visits by phone, online or live, use the services provided by our Clinic’s family doctor or secondary level specialists, conduct research, submit various types of requests.

Important! Without processing your personal data (except for cases where the data is processed based on your consent), the Clinic will not be able to provide qualified health care services, identify you, maintain contact with you and perform other necessary procedures for providing you services.

• Received from Third Parties – State Sick Fund under the Ministry of Health, territorial sick fund, Ministry of Health, other health care institutions, research laboratories, insurance companies and other institutions.
• Generated by information systems – for example, when browsing our web pages, calling the call service center, etc.

Personal data processing terms

Personal data is stored in accordance with the 1999 Act of the Minister of Health of the Republic of Lithuania. November 29 by order no. 515 and in terms approved by other legal acts. In the absence of data storage terms set in legal acts, the data is stored as long as it is necessary to process the data in order to fulfill the legal goals of the Clinic or the Data Subjects.

Purposes of processing personal data, categories of personal data and legal bases

In the clinic, personal data of Data Subjects is processed for the following purposes:

• Perform visitor registration;
• Provide healthcare services;
• Ensure the quality of service provided by telephone, conducting customer surveys and research;
• Ensure the protection of customers, employees and property;
• Administer arrears of clinic visitors;
• Send personalized offers and notifications about services and news provided by Clinics;
• Administer the Clinic’s websites and social network accounts;
• Carry out selections for vacancies;
• Ensure the smooth supply of Clinics, the necessary means, cooperation with suppliers.

Conditions of legality of data processing:

• General categories of personal data – Article 6, paragraph 1 of GDPR: points a, b, c, d, f;
• Special categories of personal data – GDPR Article 9, Part 2: points a, b, c, e, f, h, i.

Clinics, in order to achieve the above-mentioned goals, process the following personal data:

• Personal data required for patient identification and service provision: electronic personal health history identification number, contact data, declared residential address, first name, surname, marital status, date of birth, gender, personal identification number, actual residential address, billing data, call recordings, as well as call metadata and other data.
• Personal data of special categories: studies, photos, videos, list of diagnoses; descriptions and conclusions of visits to health care specialists, prescription of medicinal products and medical aids, referrals for consultation, tests, anamnesis, other entries in the personal health history, certificates and other data.
• To send personalized direct marketing messages: email postal address and/or telephone number and/or residential address, city, gender, age.
• Selection data of candidates for vacant job positions, such as name and surname, date of birth, place of residence, phone number, e-mail email address, education, work experience information, skill information, driver’s license information, computer literacy, city, position and salary expectations, CV and more
• Data for maintaining relations with suppliers, such as name, surname, contact data (e-mail address, telephone, address), VAT payer code, number of business license or individual activity certificate or farmer’s certificate, its validity date, personal identification number, activity according to business license or individual activity certificate or farmer’s certificate, bank account number, authorizations.
• Website visitor data (“web beacons”), unique identifiers and other tracking tools that collect information about newsletter subscription, (non)receipt, opening, clicking on links, opting out, which application/program is used to read the letter, IP address and according to it assigned country, as well as information provided by visitors on social networks – recommendations, complaints, opinions, suggestions, etc. information;
• Data for maintaining commercial relations with customers, such as name, surname, position, information about indebtedness, contact details, account information.
• Call center data, such as the caller’s name, contact data (e-mail address, telephone, address), opinion on the quality of the service, feedback, orders, audio recordings of conversations, call metadata.

To find out or check what specific personal data of yours the Clinic processes, please apply for the exercise of the rights of data subjects in the manner given below.

How do we protect your data?

„Drops Clinic“ šeimos klinika has implemented appropriate technical and organizational measures in order to ensure security of a risk-appropriate level when processing data. „Drops Clinic“ šeimos klinika, while selecting and implementing appropriate technical and organizational measures to ensure the security of data processing, is guided by:

• ENISA guidelines: https://www.enisa.europa.eu/publications/guidelines-for-smes-on-the-security-of-personal-data-processing
• Good information security practices;
• VDAI guidelines: https://vdai.lrv.lt/uploads/vdai/documents/files/VDAI_saugumo_priemoniu_gaires-2020-06-18.pdf.

Who do we share your data with?

For data processing, „Drops Clinic“ šeimos klinika uses only those data processors who ensure compliance with the GDPR and the same level of personal data security as established in the approved „Drops Clinic“ šeimos klinika personal data protection policy.

Here is a list of categories of data recipients:

• in the cases and procedures established by legal acts, including personal data of special categories, are provided to third parties: the State Sick Fund under the Ministry of Health, territorial sick funds, the Ministry of Health, the State Pathology Center, other health care institutions, insurance companies and other persons , to whom the Clinic is required by law to provide this data , as well as to persons to whom you have expressed consent to provide data;
• according to the procedure provided by law, state institutions: State Tax Inspectorate, Sodra, Labor Exchange, etc.
• companies providing data centers, hosting, cloud, website administration and related services, creating, providing, supporting and developing software, companies providing information technology infrastructure services, companies providing communication services;
• companies providing advertising and marketing services;
• companies providing accounting, archiving, physical and/or electronic security, asset management and/or other business services;
• bailiffs, entities providing legal and/or debt collection services;
• law enforcement authorities at their request, other third parties, or at our initiative if a criminal offense is suspected.

What rights do you have and how can you exercise them?

Pursuant to GDPR provisions, Data Subjects may exercise the following rights:

1. The right to access personal data. I.e. submit a request for information on whether your personal data is being processed, and if personal data is being processed, you have the right to access your personal data being processed.
2. The right to correct personal data. I.e. submit a request to correct your personal data if you determine that the personal data we process is incorrect, incomplete or inaccurate.
3. Right to erasure (right to be forgotten). I.e. submit a request to delete your personal data if you believe that your data is being processed illegally or unfairly.
4. The right to restrict data processing. I.e. Submit a request to limit (stop) the processing of your personal data, except for storage – in the event that, for example, you request the correction of your personal data (while the accuracy of the personal data is checked and/or they are corrected), it is determined that the personal data is being processed illegally and you do not agree to the data being deleted, you have expressed your objection to the processing of your personal data, etc.
5. Right to data portability. I.e. submit a request to transfer your personal data that is processed by automated means to you and/or another data controller in a structured, commonly used and computer-readable format.
6. The right to object to data processing. I.e. to express objection to the processing of personal data, when the data is processed on the legal basis of legitimate interest or public interest.
7. The right to request that you are not subject to a decision based solely on automated data processing , including profiling, which has legal consequences for you or which similarly significantly affects you; 
8. The right to withdraw consent given to us at any time , regarding the processing of personal data, e.g. for direct marketing.

You can exercise your rights or report a data breach:

1. By sending us a request in the form approved by the Clinic by e-mail. to the email address info@dropsclinic.lt. The application must be signed and scanned, as well as a notarized copy of the personal document, so that we can verify your identity.
2. By sending a request by registered mail to the address V. Putvinskio g. 50A, LT-44211 Kaunas, the application must be signed. The application must be accompanied by a notarized copy of your identity document.
3. After coming to the Clinic and filling out the application form. You must have your identity document with you.
4. A data security breach can be reported in a free form.

The request must be legible, signed, it must contain the data subject’s name, surname, place of residence and other data to maintain the desired form of communication, information about which of the data subject’s rights and to what extent the data subject wishes to exercise them.

We will provide an answer to your request no later than within 30 (thirty) calendar days from the date of receipt of the request. In exceptional cases requiring additional time, we will have the right to extend the deadline for submitting the requested data or examining other requirements specified in your request for an additional 60 (sixty) calendar days after notifying you.

Data provision conditions

Data subjects ensure that the personal data they provide is correct and up-to-date, that is, if personal data changes, data subjects must update it by providing new, correct data. Data subjects understand that otherwise the Clinic may not ensure the provision of quality services, and will have the right to refuse to provide Services to the data subject.

Where can you go for questions related to personal data?

If you have any questions regarding the information provided in this privacy notice or the protection of your personal data and the exercise of your rights at the Clinic, please contact „Drops Clinic“ šeimos klinika data protection officer in any way convenient for you:

• el. paštu: info@dropsclinic.lt
• raštu adresu V. Putvinskio g. 50A, LT-44211 Kaunas

If it is not possible to find a solution suitable for both parties, you have the right to contact the State Data Protection Inspectorate at the address:  L. Sapiegos g. 17, Vilnius, e-mail: ada@ada.lt.

Final Provisions

We have the right to partially or fully change the provisions of this privacy notice by notifying you about it on the website and/or at the e-mail address provided by you.

These Terms are governed by the law of the Republic of Lithuania. All disputed issues are resolved by mutual agreement. If an agreement is not reached – the procedure provided for by the laws of the Republic of Lithuania in the court of the Republic of Lithuania