Privacy policy

General Provisions

The Data Controller of your personal data is UAB “Drops Clinic” Family Clinic, legal entity code 306047981, registered address: V. Putvinskio g. 50A, LT-44211 Kaunas, tel. +370 614 69309, email: [email protected] (hereinafter referred to as Drops, the Clinic, or Drops Clinic Family Clinic).

For all inquiries related to personal data protection, you may contact our Data Protection Officer via email: [email protected].

We understand and respect the right to privacy and data protection of our patients and other individuals whose personal data we process (hereinafter – Data Subjects). Therefore, we make every effort to ensure the highest possible level of protection for the personal data processed in our Clinic.

This Privacy Notice explains how Drops Clinic Family Clinic processes the personal data of Data Subjects — including information about the sources and categories of personal data we collect, the purposes and legal bases for processing, data sharing, security measures implemented, and the rights of Data Subjects regarding their personal data.

This Privacy Notice is prepared in accordance with the following legal acts:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter – GDPR or the Regulation);
The Law on Legal Protection of Personal Data of the Republic of Lithuania (2018-06-30, No. XIII-1426);
The Law on Electronic Communications of the Republic of Lithuania (2004-04-15, No. IX-2135);
Guidelines and recommendations of the State Data Protection Inspectorate and the European Data Protection Board (EDPB).

Sources of Personal Data

The Clinic processes personal data obtained from the following sources:

Directly from Data Subjects: when you register for visits by phone, online, or in person; use our family doctor or specialist services; undergo tests; or submit various requests.
Important: Without processing your personal data (except where data are processed based on your consent), the Clinic cannot provide qualified healthcare services, identify you, maintain communication, or perform other essential actions required for service delivery.
From third parties: such as the National Health Insurance Fund under the Ministry of Health, Territorial Health Insurance Funds, the Ministry of Health, other healthcare institutions, laboratories, insurance companies, and other institutions.
Automatically generated by information systems: e.g., when you browse our website, call our service center, etc.

Personal Data Retention Periods

Personal data are stored in accordance with the retention periods established by the Order No. 515 of the Minister of Health of the Republic of Lithuania (29 November 1999) and other applicable legal acts.

Where no retention period is defined by law, data are retained only as long as necessary to achieve the legitimate purposes of the Clinic or the Data Subjects.

Purposes, Categories, and Legal Bases for Processing Personal Data

The Clinic processes personal data of Data Subjects for the following purposes:

Registering patients and visitors;
Providing healthcare services;
Ensuring service quality (including phone service, surveys, and research);
Ensuring the safety of patients, staff, and property;
Managing patient payments and debts;
Sending personalized offers and updates about the Clinic’s services and news;
Administering the Clinic’s website and social media accounts;
Conducting recruitment for open job positions;
Ensuring smooth cooperation with suppliers and proper Clinic operations.

Legal bases for data processing:

For general personal data – Article 6(1)(a), (b), (c), (d), (f) of the GDPR;
For special category (sensitive) data – Article 9(2)(a), (b), (c), (e), (f), (h), (i) of the GDPR.

Personal data categories processed by the Clinic include:

Identification and service provision data: electronic health record ID, contact details, declared residence address, name, surname, marital status, date of birth, gender, personal ID code, actual residence address, payment details, call recordings and metadata, and other necessary data.
Special category (health) data: medical test results, images, videos, diagnosis list, visit descriptions and conclusions, prescribed medications and medical devices, referrals for consultations or tests, anamnesis, health record entries, certificates, and other medical data.
Marketing data: email address, phone number, address, city, gender, age.
Candidate data for recruitment: name, surname, date of birth, address, phone number, email, education, work experience, skills, driver’s license, IT literacy, expectations (location, position, salary), CV, and other relevant information.
Supplier data: name, surname, contact details, VAT code, business certificate or self-employment number and validity, personal ID, activity type, bank account, authorizations.
Website visitor data: cookies, unique identifiers, tracking data (e.g., email engagement, IP address, country, device information), social media interactions (comments, complaints, feedback, suggestions, etc.).
Client relationship data: name, surname, position, contact information, payment records, account data, debt information.
Call center data: name, surname, contact details, feedback, opinions, orders, call recordings, metadata.

To find out what specific personal data the Clinic processes about you, please refer to the section “Your Rights and How to Exercise Them” below.

How We Protect Your Data

To ensure an appropriate level of data security, Drops Clinic Family Clinic has implemented suitable technical and organizational measures.
In selecting and applying such measures, the Clinic follows:

ENISA Guidelines: https://www.enisa.europa.eu/publications/guidelines-for-smes-on-the-security-of-personal-data-processing
Best practices in information security;
VDAI (State Data Protection Inspectorate) Guidelines: https://vdai.lrv.lt/uploads/vdai/documents/files/VDAI_saugumo_priemoniu_gaires-2020-06-18.pdf

Data Sharing

Drops Clinic Family Clinic engages only those data processors who comply with GDPR and ensure a level of personal data security equivalent to the Clinic’s internal Data Protection Policy.

Categories of data recipients:

Authorized third parties under law, including the National Health Insurance Fund, Territorial Health Insurance Funds, the Ministry of Health, the State Pathology Center, other healthcare institutions, insurance companies, and any other entities to which data must be disclosed under legal requirements or with the patient’s consent.
State authorities, including the State Tax Inspectorate, the State Social Insurance Fund Board (Sodra), Employment Service, and others.
Companies providing data center, hosting, cloud, website administration, IT development and maintenance, and communication services.
Advertising and marketing service providers.
Accounting, archiving, physical/electronic security, asset management, and other business service providers.
Bailiffs, law firms, and debt recovery agencies.
Law enforcement authorities upon request, and other third parties if criminal activity is suspected.

Your Rights and How to Exercise Them

In accordance with the GDPR, Data Subjects have the following rights:

Right of access – to request confirmation whether your data are being processed and, if so, to obtain a copy of such data.
Right to rectification – to request correction of inaccurate or incomplete personal data.
Right to erasure (“right to be forgotten”) – to request deletion of your personal data if they are processed unlawfully or no longer necessary.
Right to restriction of processing – to request suspension of processing (except for storage) in specific cases, such as while verifying data accuracy.
Right to data portability – to receive personal data in a structured, commonly used, machine-readable format and transmit them to another controller.
Right to object – to object to data processing carried out on the basis of legitimate or public interest.
Right not to be subject to automated decision-making, including profiling, that produces legal effects or similarly significant consequences.
Right to withdraw consent – to withdraw your consent at any time for processing activities based on consent (e.g., direct marketing).

You can exercise your rights or report a data breach by:

Sending a signed and scanned request via email: [email protected] (include a notarized copy of your identity document).
Sending a signed request by registered mail to: Krėvės pr. 53, Kaunas, LT-50358, with a notarized copy of your identity document.
Submitting a request in person at the Clinic with your identity document.

Requests must be legible, signed, and contain your name, surname, address, and preferred contact method, specifying which right(s) you wish to exercise.

Response time: We will respond within 30 calendar days of receiving your request. In exceptional cases requiring more time, we may extend the period by up to 60 additional days, notifying you in advance.

Data Provision Obligations

Data Subjects must ensure that the personal data they provide are accurate and up to date. If the data change, Data Subjects must promptly update them. Otherwise, the Clinic may not be able to provide quality services and reserves the right to refuse service if accurate data are not supplied.

Contact Information

If you have any questions regarding this Privacy Notice or the processing of your personal data, please contact our Data Protection Officer:

Email: [email protected]
Address: V. Krėvės pr. 53, Kaunas, LT-50358

If you are unable to resolve a matter with us directly, you have the right to contact the State Data Protection Inspectorate at:
Address: L. Sapiegos g. 17, Vilnius
Email: [email protected]

Final Provisions

We reserve the right to amend this Privacy Policy in part or in full. Any updates will be published on our website and/or sent to you via the email address you have provided.

This Privacy Policy is governed by the laws of the Republic of Lithuania. Any disputes shall be resolved by mutual agreement or, if not possible, through the courts of the Republic of Lithuania.