NOTICE REGARDING THE PROCESSING OF PERSONAL DATA
DATA CONTROLLER
Name: “N.GEORGOGIANNIS Private Gynecological Practice Mon.I.K.E.”
Registered Office: Praxitelous 121 & Tsamadou 57
Tax ID: 801557778, Attica Tax Office
GEMI Number: 159100309000
Email: info@embryowish.com
Website: “www.embryowish.com”
INTRODUCTION
Our sole objective is to provide the best possible service to our users/visitors/clients. Aiming to create a simple and user-friendly environment, we strive to maintain our website and services at a level that meets your expectations. To achieve the desired outcome and deliver the high standards of personalized service we aim for, it is necessary to collect certain basic information from our users/clients. When users/clients utilize our services, they entrust us with some of their data directly related to the provision of those services. We recognize the magnitude of this responsibility and work diligently to protect this information.
Through this Personal Data Protection Statement, as well as the Terms and Conditions of Use of the website (see here ………), we respect the privacy of our clients/visitors/users.
We are obliged to briefly outline the personal information and data we collect, how we utilize them, and the actions that users/clients/visitors may take if, at any point in the future, they no longer wish for their information and data to be collected or further processed during their visit/use of the website, the provision of our services, and/or their visit to our clinic.
This specific Privacy Policy pertains exclusively to the personal information and data provided by users/visitors to this website, as well as the data collected/processed/stored in the context of visits/treatments at our clinic.
1. ON WHAT PRINCIPLES THE PROCESSING OF PERSONAL DATA BY THE COMPANY IS BASED
The Company processes your personal data in a lawful, transparent, and legitimate manner for clearly defined purposes outlined in this privacy policy. The personal data processed by the Company are limited to what is strictly necessary to achieve these purposes; they are accurate and up to date, retained only for as long as required by the respective processing purpose and applicable legislation, and protected by adequate technical and organizational security measures; and they are not transferred to countries that do not ensure an adequate level of protection and security.
2. WHERE ARE YOUR PERSONAL DATA AND INFORMATION COLLECTED FROM
Your personal data are collected in the following ways:
- Directly from you, when you complete an online form for expressing interest/contact/service or when you communicate via email to the provided email address, for the purpose of informing and/or serving you regarding matters related to healthcare services provided by the Company.
- Automatically, through the browser or mobile device you use to access our website.
- From a third party, provided you have given prior valid written consent/authorization.
3. WHAT TYPES OF PERSONAL DATA DO WE COLLECT
The data collected by the Company fall into the following categories:
- Identity and Contact Information: Name, surname, father’s name, date of birth, ID number, tax identification number (TIN), social security number (SSN), phone number, email address, postal address, profession.
- Other Data/Information: Data and information provided by the user/visitor/patient in the free text field of the online form for expressing interest/contact/service or via email.
- Special Categories of Personal Data / Health Data: Data related to your physical health, including information such as medical history, medical examinations, medical procedures, and information generated during the provision of medical services; any numbers, symbols, or identifiers assigned for the purpose of providing healthcare services, information derived from tests or analyses of a part or substance of your body, including genetic data and biological samples, image data from video recordings of laparoscopic procedures, and any information related to illness, disability, disease risk, medical history, clinical treatment, or your physiological or biomedical condition, regardless of its source, such as from a doctor or other healthcare professional, hospital, clinic, medical device, or in vitro diagnostic test, as well as genetic and biometric data, and data related to any hospitalization in a healthcare facility, etc.
4. DATA OF MINORS
The Company generally does not collect data from minors directly through its websites, unless parents/guardians voluntarily provide data of minors under their care or parental responsibility in the context of seeking information about the healthcare services provided by the Company.
5. PURPOSES OF PROCESSING YOUR PERSONAL DATA THROUGH THE WEBSITE
When using the Company’s website, registering in a contact/interest form, or generally interacting with the website for promotional or other activities, you may be asked to provide certain data related to you.
We collect information about your activity on our services, which we use for actions such as improving the format and structure of the services we provide. This identification may occur directly or indirectly.
Direct Identification: This can occur voluntarily when you provide information directly, such as your name, postal address, email address, and phone number, through the Company’s services. The purpose of collecting this information is to provide the highest level of communication services to users/visitors, enabling accurate and specific communication between users and the Company, personalized responses to inquiries, and optimal service delivery.
Indirect Identification: This may occur through information related to the above data, such as the unique device identifier (e.g., user’s IP address), the browser used, the device’s operating system, the date and time of each call to our servers, the referrer (where you came from to our site), and other similar data. While these data cannot precisely identify the user/visitor, they are necessary for monitoring the smooth operation of our servers, optimizing our services, and providing information to authorities in case of cyberattacks. Indirect identification also involves measuring website traffic, determining user needs and preferences, and generally optimizing transactions with the business.
The Company and its website are committed to implementing all technical measures to ensure the highest level of protection for your personal data during transmission, management, and storage. However, the nature of the internet means absolute protection cannot be guaranteed. We confirm that appropriate organizational and technical measures are in place to secure and protect your data from any accidental or unlawful processing. Only employees and partners authorized by the Company have access to your data, solely for the purposes mentioned above.
Data provided directly through the Company’s electronic platforms (website, etc.) may be used to improve service delivery. This information may come from data entered by the user/visitor/client during registration, data provided when requesting information or services via phone or email, or data collected during browsing through third-party providers (e.g., iOS, Android apps, Facebook, Instagram, Google).
6. PERSONAL DATA (COLLECTION DURING CLINIC VISITS OR THROUGH OPTIONAL COMPLETION OF AN ELECTRONIC QUESTIONNAIRE)
Under Article 14 of Law 3418/2005 (Code of Medical Ethics), it is mandatory to maintain a medical record for our clients/patients during their visit to our clinic or for medical procedures. This record includes: full name, father’s name, gender, age, profession, patient’s address, visit dates, health complaints, reason for the visit, primary and secondary diagnosis or treatment followed, and results of clinical and paraclinical examinations. This record is legally retained for 10 years following the client/patient’s last visit.
Our clients/visitors/patients consent to the maintenance of a record of photographs and medical video recordings by the clinic’s doctors/partners/employees for the purpose of maintaining their medical file, supporting clinic activities, and conducting further studies or maintaining statistics. This information may be used in printed or electronic form by the clinic’s direct partners or third-party collaborators when deemed necessary, with the utmost protection of the clients’/patients’ personal data.
It is understood that certain data, photographs, or recordings may be permanently retained if published or kept in the clinic’s archive. For promotional/advertising purposes, explicit consent from the clients/patients whose personal data is to be used is required.
We confirm that appropriate organizational and technical measures are taken to ensure the security and protection of clients’/patients’ data from any accidental or unlawful processing. Only authorized clinic employees and partners have access to this data, solely for the purposes mentioned above. These measures are reviewed and updated as necessary, with updates reflected in this notice.
To provide the best possible treatment and support to users/clients/patients, we recommend completing a questionnaire in advance regarding the medical history of users/clients/patients. This enables us to analyze and design the appropriate approach for each case. The following is requested in order to complete the questionnaire:
Women’s Medical History
- Name
- Surname
- Date of birth
- Address
- Country
- Phone
- Profession
- Marital status
- Menstrual cycle (cycle frequency, duration)
- Results of recent hormonal profile (LH, FSH, E2, TSH, PRL)
- Results of recent Pap test
- Medication history
- Previous surgeries
- Hysterosalpingography
- Immunological or autoimmune issues
- Thrombophilia screening
- Testing for mycoplasma, ureaplasma, chlamydia, or other infections
- Karyotype testing
- Health issues (e.g., allergies, chronic conditions, surgeries)
- Other fertility-related findings
- Previous IVF attempts (results, etc.)
- Weight
- Height
Husband/Partner’s Medical History
- Name
- Surname
- Date of birth
- Phone
- Profession
- Recent semen analysis results
- Karyotype testing
- Previous surgeries
- Chronic conditions
- Medication history
- Weight
- Height
7. WHAT IS THE LEGAL BASIS FOR THE DATA CONTROLLER’S PROCESSING OF PERSONAL DATA
The Company processes personal data only when there is a lawful basis for such processing, specifically when:
(a) Processing is necessary for the performance of a contract and the provision of services you have requested from the Company, compliance with legal obligations, and the exercise of the Company’s legitimate rights as the data controller (Article 6 par.1(b), (c), and (f) of the GDPR).
(b) Processing is necessary for preventive or occupational medicine, medical diagnosis, provision of healthcare or treatment, or management of healthcare systems and services (Article 9 par.2(h) of the GDPR).
(c) Processing is necessary to safeguard and protect the legitimate interests of both you and the Company, such as managing medical or auxiliary services, collecting healthcare fees, or covering said fees through your insurance company or provider, and creating electronic health data records (Article 6 par.1(f) of the GDPR).
(d) Processing is necessary for establishing, exercising, and/or supporting legal claims and/or defending the Company’s rights before administrative or judicial authorities or in extrajudicial proceedings, for the purpose of exercising or defending the Company’s or third parties’ rights before any authority (Article 9 par.2(f) of the GDPR).
(e) Processing is necessary for the Company’s compliance with its legal obligations, as imposed by tax, social security, or other applicable legislation (Article 6 par.1(c) and Article 9 par.2(b) of the GDPR).
(f) Processing is necessary to protect your vital interests in cases of legal or physical inability to consent to the processing (Article 9 par.2(c) of the GDPR).
(g) Processing is necessary for reasons of public interest in the field of public health, such as conducting scientific research for the public interest in healthcare, protecting against serious cross-border health threats, or ensuring high standards of quality and safety in healthcare, medicines, or medical devices, based on national or EU law (Article 9 par.2(7) of the GDPR).
(h) Processing is based on your explicit consent, provided further processing of your personal data occurs only if you have given such consent (Article 6 par.1(a) and Article 9 par.2(a) of the GDPR).
(i) Processing is based on your explicit consent for the purpose of informing you about medical matters (Article 6 par.1(a) and Article 9 par.2(a) of the GDPR), specifically to allow the Company to inform you about its products, services, applications, and offers, to participate in surveys for evaluating and improving the Company’s services, and to use the Company’s websites and register for one or more of them, provided you have given such consent.
8. DATA TRANSFERS OUTSIDE THE EU/EEA
The Company does not transfer the data of website visitors/users outside the European Union (EU/EEA) unless authorized to do so by the data subject, required by a legal provision, or requested by a prosecutorial, judicial, or other competent authority acting within the scope of its assigned public authority. In such cases, the Company will provide the necessary notifications to the data subject, as required by law.
9. RETENTION PERIOD OF PERSONAL DATA
Personal data provided to the Company through the use of the website are retained for a period of two (2) years, after which they are deleted from the Company’s records, unless a different retention period is required or permitted by applicable legislation.
In particular, according to Article 14 of Greek Law 3418/2005 (Code of Medical Ethics), it is mandatory to maintain a medical record for our clients/patients during their visits to our clinic or for medical procedures. This record includes full name, father’s name, gender, age, profession, patient’s address, visit dates, health complaints, reason for the visit, primary and secondary diagnosis or treatment followed, and results of clinical and paraclinical examinations. This record is legally retained for a period of 10 years following the client/patient’s last visit.
10. SECURITY OF PERSONAL DATA
Information provided by users through the website or any other means, and used for the Company’s operations and activities, is retained and protected by the Company through the implementation of all modern technological data protection measures. Users’ data and information are safeguarded against any process that deviates from the Company’s standard operations, including unauthorized access, interference, malicious modification, loss, theft, alteration, or destruction. The Company is permitted to process the provided information in accordance with the General Data Protection Regulation (GDPR) (EU Regulation 679/2016). Access to users’/visitors’ data and information is granted only to authorized personnel and direct partners who are required and permitted to have such access for the purposes of the Company’s operations. These measures are reviewed and updated as necessary. In all cases, the Company’s actions comply and will continue to comply with Greek, European, and international legislation as applicable.
11. DATA SUBJECTS’ RIGHTS AND COMMUNICATION
(As per Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals against the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC).
The rights of users/visitors of the website, as well as patients/visitors/clients, under Regulation (EU) 2016/679 regarding the protection of personal data, are as follows:
- Right to Withdraw Consent: Users/visitors may withdraw their consent at any time.
- Right to Rectification: Users/visitors/patients/clients’ data are stored as provided by them. They have the right to request correction of any inaccurate personal data concerning them.
- Right to Restriction of Processing: Users/visitors/patients/clients may request restriction of the processing of their data if: they believe the processing is unlawful; they request restriction instead of deletion; they need their data for legal purposes after we no longer need them; or they object to the processing conducted by us or our partners.
- Right to Access: If we process a user’s/visitor’s/patient’s/client’s data, they may request information about the processing. They can ask us to inform them about the personal data we hold or control, how it was collected, and to receive a copy of their personal data. In such cases, we reserve the right to charge a fee for providing the copy.
- Right to Data Portability: Users/visitors/patients/clients may request their provided data in a readable format or ask us to transfer it to another data controller, as indicated by them, to the extent technically feasible.
- Right to Erasure: Users/visitors/patients/clients may request the deletion of their data if it is no longer necessary for the processing purposes outlined above.
- Right to Object: Users/visitors/patients/clients may object to the processing of their data and withdraw their consent for future use, provided this does not conflict with a compelling legal necessity to defend our broader interests or support legal claims. They may subsequently request the cessation of processing and partial deletion of their data. We are obliged to cease processing unless other legitimate grounds override their right.
- Right to Lodge a Complaint: If a user/visitor/patient/client believes that the use of their personal data by the clinic violates applicable legislation, they may lodge a complaint with the supervisory data protection authority in the country where they reside or where the alleged violation occurred.
- Processing Time: Upon a user’s request, the clinic requires at least 30 days to process and fulfill the request. This period may be extended depending on the nature of the request.
- Access Restrictions: If a user/visitor/patient/client requests access to certain data and the clinic cannot provide it due to legal provisions, the reason for refusal must be communicated. If we are unable to identify the user/visitor/patient/client in our system, we cannot treat them as a data subject to exercise the above legal rights unless they provide additional identifying information. If a user requests that we refrain from future communication, we retain the data provided to ensure compliance with this request.
For any of the above cases or further information regarding the legal rights of users/visitors/patients/clients, they may contact us at any time to object to the use of their email or other data, or to receive updates about new products and/or services, by sending a message to the email address info@embryowish.com.
If they believe the protection of their personal data is negatively affected in any way, they may contact the Data Protection Authority using the following details:
- Website: www.dpa.gr
- Address: Kifisias Avenue 1-3, 115 23, Athens
- Telephone: +30 210 6475600
- Fax: +30 210 6475628
- Email: contact@dpa.gr
Before contacting the Data Protection Authority, we kindly request that you reach out to us by sending an email to info@embryowish.com or calling +30 210 4190301.
This privacy policy applies to all Company promotional channels (website, etc.), particularly the website. In cases where users of the Company’s website are redirected to third-party websites via specific links (links, hyperlinks, banners), the Company is not responsible for the terms of personal data management and protection followed by those third parties.