Information for persons using medical care

CRISTAL PALACE a.s., reg. no.: 45359172, registered address: Hlavní třída 61/66, 353 01 Mariánské Lázně, registered in the Register of Companies administered by the Regional Court in Plzeň under file no. B 202 (hereinafter referred to as “Controller”), is, among other things, a provider of medical services and the controller of the data processed during the provision of such services. GDPR – the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Which rights related to personal data protection do I have?

I have the right to ask the controller for confirmation as to whether or not personal data concerning me are being processed, and, where that is the case, access to the personal data.

Pursuant to Article 15 of the GDPR I have the right to obtain from the Controller, confirmation as to whether or not personal data concerning me are being processed, and, where that is the case, access to the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisation, including safeguards related to the transfer; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from me, any available information as to their source; h) the existence of automated decision-making, including profiling. Upon request, the Data Controller shall provide a copy of the personal data undergoing processing. For any further copies requested the Data Controller may charge a reasonable fee based on administrative costs. Where the request is made by electronic means, and unless otherwise requested, the information shall be provided in a commonly used electronic form.

I have the right to have any inaccurate personal data concerning me corrected by the data controller without undue delay.

Pursuant to Article 16 of the GDPR I have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning me. Taking into account the purposes of the processing, I have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

I have the right to have personal data concerning me erased by the controller without undue delay.

Pursuant to Article 17 of the GDPR I have the right to obtain from the Controller, the erasure of personal data concerning me without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) I have withdrawn consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; c) I have objected to the processing pursuant to Article 21(1) of the GDPR (see below) and there are no overriding legitimate grounds for the processing, or the I have objected to the processing pursuant to Article 21(2) of the GDPR; d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in the EU or Czech law; f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR. In relation to the aforementioned, where the Data Controller has made the personal data public and is obliged to erase them, the Data Controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that I have requested the erasure by such controllers of any links to, or copy or replication of those personal data. The aforementioned right according to Article 17 of the GDPR shall not apply to the extent that processing is necessary: a) for exercising the right of freedom of expression and information; b) for compliance with a legal obligation which requires processing by Union or Czech law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; e) for the establishment, exercise or defence of legal claims.

I have the right to have the processing of personal data concerning me restricted by the Data Controller.

Pursuant to Article 18 of the GDPR I have the right to obtain from the Controller restriction of processing where one of the following applies: a) the accuracy of the personal data is contested by me, for a period enabling the controller to verify the accuracy of the personal data; b) the processing is unlawful and I oppose the erasure of the personal data and request the restriction of their use instead; c) the controller no longer needs the personal data for the purposes of the processing, but I require the data for the establishment, exercise or defence of legal claims d) I have objected to processing pursuant to Article 21(1) of the GDPR (see below) pending the verification whether the legitimate grounds of the controller override mine. If I have obtained such restriction of processing, I have the right to be informed by the Controller before the restriction of processing is lifted. Where processing has been restricted, such personal data may, with the exception of storage, only be processed with the Participant’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. I am aware of the fact that the controller will communicate any changes, as stated above, to each recipient to whom the personal data have been disclosed.

The Data Controller shall communicate any rectification or erasure of personal data or restriction of processing carried, as stated above, to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller will inform me about it if I request it.

I have the right to receive the personal data concerning me in a structured (electronic or printed) format and I have the right to transmit those data to another controller.

Pursuant to Article 20 of the GDPR, I have the right to receive the personal data concerning me which I have provided to the Data Controller, in a structured, commonly used and machine-readable format and I have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, i.e. the Data Controller, where: a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1) of the GDPR, and b) the processing is carried out by automated means. I am aware of the fact that the exercise of this right must not adversely affect the rights and freedoms of others. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Organiser.

I have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning me or similarly significantly affects me (i.e. silence does not imply consent).

I have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning me or similarly significantly affects me. This right shall not apply if the decision: a) is necessary for entering into, or performance of, a contract between me and a data controller; b) is authorised by Union or Czech law , or c) is based on my explicit consent. In the cases referred to in points (a) and (c), the Data Controller shall implement suitable measures to safeguard my rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

I have the right to refuse to give consent to the processing of personal data. I have the right to withdraw my consent at any time.

I have the right to refuse to give this consent to the processing of personal data. Pursuant to Article 7 of the GDPR, I have the right to withdraw my consent to the processing of personal data at any time.

If I refuse to give consent to the processing of personal data marked by the word “consent” in the “reason for processing” column, these personal data will not be processed, but it will not be made impossible to perform the intended legal acts lawfully; above, all, it is possible to accomplish the intended performance.

The aforementioned shall similarly apply to the withdrawal of a previous consent to the processing of personal data.

Data pertaining to my health status are specifically protected against unauthorised processing.

Personal data belonging to a special category under Article 9 of the GDPR are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under EU or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies. For processing special category data, the Controller uses specialised software providing security guarantees.

There is always a reason for providing personal data

Personal data are processed for a specific purpose and for specific reasons. The Controller does not require an excessive amount of personal data. During the provision of medical services, there may be situations in which it is suitable to assess the patient’s health with regard to the health of the patient’s family members or with regard to other facts that might be indirectly related to the patient’s health.

The right to object

I have the right to object to the processing of personal data concerning me.

I have the right to object, on grounds relating to my particular situation, at any time to processing of personal data concerning me which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling. The Data Controller shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override my interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, I have the right to object at any time to processing of personal data concerning me for such marketing, which includes profiling to the extent that it is related to such direct marketing. I am aware of the fact that if I object to processing for direct marketing purposes, the personal data will no longer be processed for such purposes. I may exercise my right to object by automated means using technical specifications.

The right to lodge a complaint with the Office for Personal Data Protection

I have the right to lodge a complaint with the Office for Personal Data Protection.

Pursuant to Article 77 of the GDPR, without prejudice to any other administrative or judicial remedy, I have the right to lodge a complaint with a supervisory authority, in particular in the Member State of my habitual residence (in the Czech Republic this authority is the Office for Personal Data Protection), place of work or place of the alleged infringement if I consider that the processing of personal data relating to me infringes the GDPR.

Right to a judicial remedy

I have the right to a judicial remedy

Pursuant to Article 79 of the GDPR, without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority as stated above, I have the right to an effective judicial remedy if I assume that my rights under the GDPR or any other legal regulations have been infringed as a result of the processing of my personal data in non-compliance with such legal regulations.