Personal Data Processing Statement (GDPR)

PERSONAL DATA PROCESSING STATEMENT

I. Who is responsible for your personal data?

Motol University Hospital, state subsidized organization,
V Úvalu 84, 150 06 Prague 5, ID: 00064203
Email: podatelna@fnmotol.cz
phone: 224 431 111
Mailbox ID: nk8bxj3

as the largest medical facility in the Czech Republic, it provides basic, specialized and super-specialized health care and services in the medical fields, in the form of outpatient and inpatient care for children, adults and seniors (hereinafter referred to as "administrator")

In accordance with Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC Personal Data Protection Regulation) (hereinafter referred to as “GDPR”) informs about the processing of your personal data and about your rights.

II. Who is the Data Protection Officer?

M.Sc. Radek Knop, LL.M., MBA

University Hospital in Motola
V Úvalu 84, 150 06 Prague 5
Email: dpo@fnmotol.cz
phone: 224 437 151

III. Who is the competent supervisory authority for personal data protection?

Office for Personal Data Protection
Lt. Col. Sochora 27, 170 00 Prague 7
phone: 234 665 111
Email: posta@uoou.cz
http://www.uoou.cz

IV. Scope of personal data processing

Personal data are processed to the extent that the competent data subject has provided them to the controller, in connection with the conclusion of a contractual or other legal relationship with the controller, or otherwise collected by the controller and processed in accordance with applicable law to the extent necessary to comply the purpose for which the personal data are processed.

V. Sources of personal data

Personal data is obtained by the administrator in the following way:

  • from data subjects, especially in the context of registration, in connection with the provision of health services and the management of medical documentation (in the form of oral, written, emails, telephone, website, contact forms, business cards, etc.)
  • in another way, especially from publicly accessible registers, lists and records (eg commercial register, trade register, real estate cadastre, health registers, etc.)
  • from business relations, relations of cooperating subjects on the basis of contractual relations, etc.

VI. Categories of personal data that are subject to processing

The controller of the data subject shall in particular process the following personal data which are necessary for the performance of the controller's duties:

  • address and identification data used for unambiguous and unmistakable identification of the data subject (eg name, surname, title, or birth number, date of birth, permanent residence address, ID number, VAT number) and data enabling contact with the data subject (contact details eg contact address, telephone number, fax number, e-mail address and other similar information)
  • personal data processed as part of the provision of health services (data on health status, data needed to establish a diagnosis and treatment procedure, data transferred to the National Health Registers)
  • descriptive data (eg bank details)
  • other data necessary for the performance of the contract
  • data provided beyond the relevant laws processed within the framework of the consent granted by the data subject (processing of photographs, use of personal data for the purpose of personnel procedures, processing of data within scientific research projects, etc.). Personal data processed with consent are always specified in the specific consent to the processing of personal data, which may be granted
  • records of camera system (video records)
  • financial information (payment for paid services, co-payments for medicines, etc.)
  • recording of phone calls on selected phone numbers (audio recordings, information is communicated to the relevant number before the call starts)
  • data related to the conclusion of an employment relationship (processing statement for employees is available on the hospital's intranet website)

VII. PERSONAL DATA PROCESSED

The following are registered and processed about patients: 

  • personal data needed to establish identity (dates of birth, birth numbers and names, health insurance data)
  • personal data needed for communication (residence, relatives or close persons, for children the names of parents, guardians, legal guardians, telephone, e-mail)
  • personal data obtained within the reservation system of FN Motol for the purpose of reserving health care (e.g. appointment for examination, appointment for vaccination)
  • anamnestic data needed to establish the diagnosis and treatment procedure, including a subjective description of the current medical condition
  • received personal data about patients from other healthcare facilities, from the transport service, from the rescue service
  • objectively determined data on health status, obtained by direct examination and diagnostic procedures (height, weight, heart rate, etc.)
  • objectively determined health data obtained by instrumental examinations of the patient's body (records of ECG, EEG, EMG curves, X-ray and ultrasound images, records from special examination devices, body surface images, etc.)
  • objectively determined data on health status, obtained by laboratory examinations of biological samples (values ​​from body fluids, swabs, tissue sampling, respiration, genetic results at the level of molecular genetics, etc.)
  • established main and secondary diagnosis, classification for the DRG system
  • medicines in the form of an electronic prescription
  • plans of medical activities (treatment plan, nursing care plan, etc.)
  • descriptions of medical activities (record of outpatient examination, surgical protocol, procedure, epicrisis, treatment plan, nursing care plan, etc.)
  • descriptions of the result of care (dismissal report, death certificate, autopsy report, etc.)
  • zdravotní pojišťovna - medical services for reimbursing the medical facility for their implementation
  • financial information (payment for paid services, co-payments for medicines, etc.)
  • records of camera system
  • registration of identification data of a person upon entering non-public objects
  • recording of phone calls on selected phone numbers
  • vehicle registration marks (on the premises)
  • information about the employer and profession (in case of incapacity for work)
  • a detailed breakdown of the categories of personal data that we are obliged to process on the basis of the Act on Health Services as part of the provision of health services is available <a href="https://cdn.shopify.com/s/files/1/1932/8043/files/200721_ODSTOUPENI_BEZ_UDANI_DUVODU__EN.pdf?v=1595428404" data-gt-href-en="https://en.notsofunnyany.com/">here</a> (closer to part six and the Annex to Act No. 372/2011 Coll.) and <a href="https://cdn.shopify.com/s/files/1/1932/8043/files/200721_ODSTOUPENI_BEZ_UDANI_DUVODU__EN.pdf?v=1595428404" data-gt-href-en="https://en.notsofunnyany.com/">here</a> (Decree No. 98/2012 Coll.)
  • if the conditions for transferring data to the National Health Registers, which are managed by the Institute of Health Information and Statistics of the Czech Republic (ÚZIS), are met, other categories of personal data are processed. Their scope varies depending on which national health register is involved (more <a href="https://cdn.shopify.com/s/files/1/1932/8043/files/200721_ODSTOUPENI_BEZ_UDANI_DUVODU__EN.pdf?v=1595428404" data-gt-href-en="https://en.notsofunnyany.com/">here</a>). The scope of the data is set out in Annex k Act No. 372/2011 Coll.  Among other things, this may include data on the country of origin, marital status, employment, education, birth defects in the family, age

The following are registered and processed about employees:

  • identification data, i.e. name including titles, social security number, ID number, passport, driver's license, bank account number, data box identifier
  • contact personal data - residence (permanent, temporary), family members, telephone numbers, e-mail addresses
  • education - certificates, diplomas, documents on professional courses and trainings, etc.
  • professional CV, including job reports
  • job classification - position held, workplace
  • work and work-related activities - performed services, inclusion in shifts and services
  • access to computer systems, setting access to specific processed personal data
  • access to protected areas
  • attendance and working time records
  • company catering - orders and payments
  • wage and salary data - salary classification, provision of remuneration, work reports, amount paid to the bank account, amounts paid by the cashier, holiday and its drawing, incapacity for work, absence from the workplace, amounts of wage deductions sent to the trade union with the consent of the trade union
  • data recorded and sent for pension purposes
  • data provided by employees for the purpose of verifying their income at the banking institution
  • data provided to executors, courts, police and other state or private organizations according to their needs by law
  • records of camera system
  • registration of identification data of a person upon entering non-public objects
  • recording of phone calls on selected phone numbers
  • vehicle registration number (entry card)
  • health data (eg medical examinations, vaccinations, test results)

For more information on the processing of personal data, see the statement on the processing of personal data of employees on the intranet under the GDPR tab.

The following is registered and processed about relatives, persons close to patients, guardians, legal representatives: 

  • identification data - name, surname (including the organization of legal representatives)
  • contact details - residence (organization address), telephone, e-mail, fax number
  • partial data on the state of health (in the patient's family history, if necessary)
  • if the conditions for transferring data to the National Health Registers, which are managed by the Institute of Health Information and Statistics of the Czech Republic (ÚZIS), are met, other categories of personal data are processed. Their scope varies depending on which national health register is involved (more <a href="https://cdn.shopify.com/s/files/1/1932/8043/files/200721_ODSTOUPENI_BEZ_UDANI_DUVODU__EN.pdf?v=1595428404" data-gt-href-en="https://en.notsofunnyany.com/">here</a>). The scope of the data is set out in Annex k Act No. 372/2011 Coll. These are mother's social security number, mother's citizenship, mother's education, mother's occupation, marital status, father's age, father's occupation, birth defect in the family
  • records of camera system
  • registration of identification data of a person upon entering non-public objects
  • recording of phone calls on selected phone numbers
  • vehicle registration plate

The following are registered about volunteers and medical clowns: 

  • identification data - name, surname, date of birth
  • contact details - residence, telephone, e-mail
  • identification of the sending organization
  • records of camera system
  • registration of identification data of a person upon entering non-public objects
  • recording of phone calls on selected phone numbers

The following are registered about the persons passing through the administrator's premises and the buildings monitored by the camera recording:

  • video recording of the figure and face. Data from the camera system are processed, consisting of the recording of the captured images, which will be used to identify individuals in connection with a particular action.
  • personal data from the camera system is managed only by the administrator. They can be provided in the case of a request to state authorities, resp. public authorities (ie courts, bodies active in criminal proceedings, bodies active in administrative proceedings), or other interested parties to fulfill the purpose of processing (eg commercial insurance companies)
  • the retention period of the camera recordings is 5 days, after which the data are deleted. In the event that camera recordings should serve as evidence, copies of the recordings may be kept longer
  • statement on the processing of personal data through camera system with a record

The following are registered about persons entering non-public parts of buildings:

  • recording the name of the person entering the building, date and time of entry, destination and purpose of entry

The following are registered about persons using accommodation services:

  • name, surname, residential address, telephone, email, date of birth, ID card number

The following is recorded about persons calling (or calling) on ​​monitored telephone lines:

  • calling (called) telephone number, contact details (as needed), health data - according to the reason for the call, other data influencing the service request, call content
  • the data is processed in the form of a telephone call record

About sponsors and financial donors:

  • contact details (name, residence, date of birth, telephone, e-mail, ID number and VAT number of self-employed persons)
  • bank details, account name

About people accessing the administrator's website:

  • technical and analytical cookies, in particular in order to ensure comfortable web browsing and site traffic analysis

For more information, see the privacy statement on the website.

VIII. Categories of data subjects

  • patient
  • client manager
  • employee manager, job seeker
  • service provider
  • another person who is in a contractual relationship with the administrator
  • persons authorized to access medical records

IX. Categories of recipients of personal data

  • health insurance companies to the extent necessary for the billing of health care
  • other health and social service providers (eg the patient's general practitioner, other hospital, laboratory), if necessary in the context of the healthcare provision process, in particular when translating the patient or requesting care
  • patients to whom the personal data relate
  • state and other bodies in the framework of fulfilling legal obligations imposed by relevant legal regulations (eg Institute of Health Information and Statistics of the Czech Republic, State Institute for Drug Control, State Institute for Nuclear Safety, Office for Personal Data Protection, National Office for Cyber ​​and Information Security, Police Czech Republic, courts, bodies active in criminal proceedings, social security bodies, Labor Office, municipal office, executor, social and legal protection body for children, etc.)
  • persons in a contractual relationship (eg processors of personal data)
  • legal representatives of minors
  • with the patient's consent or at his written instruction, personal data may be provided to other entities
  • other recipients (eg transfer of personal data abroad - EU countries, third countries according to the relevant legal regulations or the consent of the data subject)
  • persons authorized to inspect medical documentation pursuant to Act No. 372/2011 Coll., on health services
  • students of secondary and higher education, studying with the administrator, under the supervision of the teacher and only if the patient has given his prior consent and only to the extent necessary
  • Kooperativa insurance company due to accidents at work and occupational diseases of employees
  • forensic experts (in litigation)

X. Purpose of personal data processing

The administrator processes personal data mainly for the following reasons:

  • for the purpose of providing health services (outpatient, inpatient and follow-up care, provision of medicines and other preparations, laboratory processing of biological material, provision of rehabilitation care, etc.)
  • for the purposes contained in the consent of the data subject. The specific purpose is specified according to the nature and scope of the relevant consent text with which the data subject is aware
  • within the framework of business relations and negotiations on the contractual relationship, performance of the contract. The purpose of personal data processing is adequate performance of the subject of the contract and cooperation with the contracting party, these are mainly email addresses, names and surnames of contact persons
  • in order to protect the rights of the administrator, the beneficiary or other persons concerned (eg litigation, CCTV recordings, continuity of information, prudence, needs, patient health, control mechanisms or other measures necessary to ensure the administrator's functioning)
  • for the purpose of keeping archiving on the basis of valid legal regulations and internal regulations of the administrator
  • for the purpose of managing the personnel agenda, for the purpose of selection procedures for vacancies
  • concluding an employment relationship, managing the payroll, filing a tax return
  • in proceedings before state administration bodies
  • in order to fulfill the legal obligations of the administrator
  • in order to protect the vital interests of the data subject
  • for the purpose of providing medical transport services
  • in order to implement a volunteer program, internships
  • for some scientific research purposes
  • providing a diet

Legislation authorizing the processing of personal data in the provision of healthcare, in particular:

  • Act No. 372/2011 Coll., on health services and conditions for their provision (Health Services Act)
  • Act No. 373/2011 Coll., on specific health services
  • Act No. 108/2006 Coll., on social services
  • Act No. 378/2007 Coll., on Medicinal Products
  • Act No. 592/1992 Coll. - on public health insurance premiums
  • Act No. 374/2011 Coll., on the ambulance service, as amended
  • Act No. 268/2014 Coll., on medical devices and amending Act No. 634/2004 Coll., on administrative fees
  • Act No. 258/2000 Coll., on the protection of public health and on the amendment of some related acts
  • Act No. 285/2002 Coll., on the donation, procurement and transplantation of tissues and organs and on the amendment of certain acts
  • Act No. 296/2008 Coll., on ensuring the quality and safety of human tissues and cells intended for human use and amending related acts
  • Act No. 89/2012 Coll., Civil Code, as amended
  • Act No. 48/1997 Coll., on Public Health Insurance and on Amendments to Certain Related Acts
  • Act No. 110/2019 Coll., on the processing of personal data
  • Act No. 111/2019 Coll., which amends certain acts in connection with the adoption of Act 110/2019 Coll.
  • Act No. 133/2000 Coll., on population registration
  • Decree No. 98/2012 Coll., on medical documentation
  • Decree No. 84/2008 Coll., on good pharmacy practice, more detailed conditions for handling medicines in pharmacies, medical facilities and other operators and facilities dispensing medicinal products
  • Decree No. 143/2008 Coll., on human blood
  • Decree No. 415/2017 Coll., on the implementation of certain provisions of the Act on Medicinal Products relating to electronic prescriptions
  • Decree 373/2016 Coll., on the transfer of data to the NZIS
  • Government Regulation 201/2010 Coll. - on the method of accident registration, reporting and sending of accident records
  • implementing legislation to the cited laws

Legislation authorizing the processing of personal data outside the provision of healthcare, in particular:

  • Act No. 262/2006 Coll., Labor Code
  • Act No. 563/1991 Coll., on Accounting
  • Act No. 582/1991 Coll., on the organization and implementation of social security
  • Act No. 589/1992 Coll., on social security premiums and contributions to the state employment policy
  • Act No. 592/1992 Coll., on public health insurance premiums
  • Act No. 48/1997 Coll., on Public Health Insurance and on Amendments to Certain Related Acts
  • Act No. 435/2004 Coll., on employment
  • Act No. 258 / 2000 Sb., on the protection of public health
  • Act No. 181/2014 Coll., on cyber security
  • Act No. 110/2019 Coll., on the processing of personal data
  • Act No. 111/2019 Coll., which amends certain acts in connection with the adoption of Act No. 110/2019 Coll.
  • Act No. 133/2000 Coll., on population registration
  • Act No. 187/2006 Coll., on health insurance
  • Act 586/1992 Coll., on income tax
  • Government Regulation No. 201/2010 Coll. - on the method of accident registration, reporting and sending of accident records
  • Act No. 120/2001 Coll., Execution Rules
  • Act No. 133/2000 Coll., on population registration
  • Act No. 89/2012 Coll., Civil Code
  • Decree No. 82/2018 Coll., on cyber security
  • Decree 317/2014 Coll., on important IS
  • implementing legislation to the cited laws

XI. Method of processing and protection of personal data

The processing of personal data is performed by the administrator. Processing is performed by individual authorized and trained employees of the administrator. The processing takes place through computer technology, or also manually for personal data in paper form in compliance with all security principles for the management and processing of personal data. To this end, the controller has taken technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to, modification, destruction or loss of personal data, unauthorized transfers, unauthorized processing and other misuse of personal data.

XII. Time of personal data processing

In accordance with the deadlines specified in the relevant legal regulations, relevant contracts, in the file and shredding rules of the administrator. This is the time strictly necessary to ensure the rights and obligations arising from both the obligation relationship and the relevant legal regulations, as well as the period of granting consent to the processing of personal data.

XIII. Lessons learned

The controller processes the data with the consent of the data subject, except in cases stipulated by law where the processing of personal data does not require the consent of the data subject.

In accordance with Article 6 (1) of the GDPR, processing is lawful if:

  • the data subject has given his or her consent for one or more specific purposes
  • processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures taken before the conclusion of the contract at the request of the data subject
  • processing is necessary to fulfill the legal obligation applicable to the controller
  • processing is necessary to protect the vital interests of the data subject or another natural person
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • processing is necessary for the legitimate interests of the controller concerned or of a third party, except where those interests take precedence over the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data

XIV. Rights of data subjects

In accordance with Article 12 of the GDPR, we inform that each data subject has:

1) the right of access to personal data and the following information:

  1. purpose of processing
  2. category of personal data concerned
  3. recipients or categories of recipients to whom personal data have been or will be disclosed
  4. the planned period for which the personal data will be stored
  5. all available information about the source of personal data
  6. whether there is automated decision-making, including profiling

2) the right to repair

  • if you believe that the personal information we process about you is inaccurate or otherwise inconsistent

3) the right of cancellation

  • such requests can generally only be granted if the personal data in question:
  1. we are not obliged to process due to the fulfillment of obligations arising from valid legal regulations or contracts,
  2. we no longer need the data to determine, enforce or defend our legal claims,
  3. after an objection to the processing was raised and we found that our legitimate interest in the processing of this personal data had lapsed,
  4. personal data were processed on the basis of the provided consent, which was revoked.

4) the right to processing restrictions, which may be applied in particular in the following cases:

  1. you deny the accuracy of the processing of personal data,
  2. the processing is illegal, you refuse to delete the personal data and ask instead to restrict their use,
  3. we no longer need personal data for processing purposes, but you require it to determine, enforce and defend legal claims,
  4. you have objected to the processing and it has not yet been verified whether our legitimate interests outweigh your interests or the fundamental rights and freedoms of the data subject.

5) the right to data portability

  • the subject of this right is only those personal data that we process on the basis of your consent and / or performance of the contract,
  • we will provide this data in an electronically structured form upon request.

6) the right to object

  • this right may be exercised in cases where personal data are processed on the basis of our legitimate interest or on the basis of the public interest

XV. Where you can go for more information, where you can exercise your rights in relation to the processing of personal data

Requests for the exercise of rights in relation to the processing of personal data are accepted:

  1. in writing with an officially verified signature and delivery by post or in person to the administrator's registry,
  2. in electronic form with a qualified electronic signature sent to the address
    podatelna@fnmotol.cz,
  3. via the public data network from the applicant's data box to the administrator's data box, data box id - nk8bxj3,
  4. orally in a written report to the trustee.

You can exercise the right to correct personal data directly with our medical staff, who provide you with medical services.

In cases without verified identification, the applicant will be asked for its additional verification.

If you find or believe that the processing of personal data by us or other entities performing processing has violated your rights or violated the obligations stipulated by law, you can seek redress using all means provided by applicable law. In the event that you cannot obtain the rights in any other way, you can also contact or lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection.

This statement is publicly available on the administrator's website at www.fnmotol.cz.

In Prague on June 27, 06

Skip to content