Privacy Policy for Patients
Affidea is a healthcare provider operating with high ethical standards. The terms “Affidea” (“we”, “us” or “our”) refer to “AFFIDEA – PRIVATE DIAGNOSTIC LABORATORIES AND MULTI-PHYSICIAN MEDICAL CENTRES – MEDICAL SINGLE-MEMBER S.A.”, with its registered address at 122 Vouliagmenis Avenue, Elliniko, as well as its subsidiary companies, which act as healthcare service providers. Our Data Protection Officer can be contacted via the details provided in section 9.
1. Legal basis for processing your personal data
We are legally committed to protecting and processing your personal data securely. Our healthcare professionals are subject to a professional duty of confidentiality.
1.1. It is necessary for us to process your personal and medical data in order to provide you with the required medical services.
The processing of your basic personal data (e.g., name and contact details) is required for scheduling your appointments and for the delivery of the medical services you need. The contract for the provision of medical services constitutes the legal basis for the processing of your basic personal data.
Your health data includes information relating to your health (e.g., information concerning a requested diagnosis/treatment and our own medical opinion/evaluation). The provision of a medical diagnosis and/or treatment forms the legal basis for our processing of your health data. Affidea is also subject to a legal obligation to process (in particular, to retain) your health data (see clause 3 and Annex 1 for further information).
If you are in an emergency situation or a life-threatening condition, we will use your medical data to protect your health and well-being, in line with the protection of your vital interests.
1.2. We continuously strive to improve our services.
At Affidea, we are always looking for better ways to deliver our services.
A) Patient surveys: We believe that feedback about your patient experience is essential to understanding how we can better serve you. Therefore, we invite you to participate in our patient satisfaction survey, and we thank you in advance for your contribution. Participation is optional and will not affect the services we provide to you. If you prefer, we will refrain from contacting you.
B) Statistical analysis of aggregated data: We may analyse some of your personal data in aggregated form in order to derive useful statistical insights for our sales and marketing teams, for example to understand which services are most in demand in specific areas. If you prefer, we will exclude your data from such analysis.
C) Quality assurance: We consider it vital to learn from any unintended incidents occurring at our clinics. We record and analyse near misses (events that are prevented) and incidents that may result in harm of any kind in order to ensure health and safety. This type of data processing is strictly limited to what is necessary, and we typically do not use directly identifiable personal data for this purpose.
We carry out the above on the basis of our legitimate interest in understanding how to improve our services and their quality. Please refer to section 7.6 regarding your right to object.
1.3. You may also voluntarily consent to the following Affidea processing activities, which are designed for your benefit.
By selecting the appropriate checkbox in the relevant section of your Data Privacy Statement, you may voluntarily consent to the following activities at no additional cost. If you choose not to provide consent, there will be no impact on the medical services provided to you.
2. The data we process
During the course of your relationship or cooperation with Affidea, we receive your personal data from three sources: (1) from you, (2) from others, and (3) through our medical activities.
(1) In order to provide you with healthcare services, we ask you to provide us with your basic personal data (in particular, identifying information), your payment and insurance details (necessary for billing purposes), and medical data (especially information relating to your state of health). If you choose to share previous medical images or diagnostic reports for our use, we will store and process them in our systems for the purposes of providing you with a medical diagnosis and/or treatment.
If you voluntarily provide contact details of family members or close contacts, we will use this information only when we are unable to contact you or in the event of an emergency.
(2) We collect personal data from others in the following cases:
a) If you are referred to our clinic by a healthcare provider (such as a private physician or hospital), we may inform that provider about your condition and/or treatment, provided you have given your consent or it is strictly necessary to deliver the medical service to you.
b) If your medical diagnosis and/or treatment is covered by a health insurance provider (public or private), we are required to verify your insurance coverage before delivering the service.
(3) When we provide a medical diagnosis and/or care, we generate health data about you. As a healthcare provider, Affidea is legally required to document the services provided to you and to maintain the corresponding medical record.
For more information about the data we process, please refer to this Annex or contact the reception staff at any of our diagnostic centres.
3. How long we retain your data
Affidea retains your personal data for a period that is necessary to provide medical services and to comply with applicable medical, tax, accounting or other legal requirements. Specifically:
– your personal and medical data are kept in our records for a period of ten (10) years from the date of your last visit to one of our diagnostic centres,
– your financial and insurance-related data are retained for twenty (20) years, as required under Greek tax legislation.
Once our legal obligation to retain your data has expired, we will delete or anonymise your data (as explained above). Affidea will not delete your data if an alternative lawful basis arises for retaining them — for example, Affidea’s legitimate interest in defending against legal claims. In such cases, we will contact you accordingly.
For more information about the data we process, please refer to this Annex or contact the reception staff at any of our diagnostic centres.
4. Who we share your data with
During your relationship with Affidea, we may share your personal data with three categories of recipients: (1) service providers acting on our behalf, (2) independent third parties, and (3) others upon your explicit request.
(1) Affidea uses service providers (so-called data processors) to assist with the processing of the personal information we receive and generate (e.g. providers of medical or accounting software and equipment, affiliated physicians). Data processors act on behalf of Affidea under our written instructions. We share only the minimum necessary data.
(2) We share your personal data with third parties (i.e. recipients independent from us) in the following cases:
a. When required by law.
b. When necessary to fulfill our obligations in cooperation with a healthcare professional or insurer with whom you have a contractual relationship.
c. When required to protect your vital interests, such as in emergency situations, where we may share your health data with other medical professionals or your relatives.
Again, we share only the data that is strictly necessary.
(3) You may request that we send your medical data to your referring physician or family doctor. If you ask us to share your data with a third party, we recommend that you first consider how and why this person will process your personal data. Please note that we are not responsible for the data processing activities of independent third-party recipients. If you wish us to share your medical data with another doctor, please consult the reception staff for the available methods of data transmission.
For more information on the recipients of your personal data, please refer to this Annex or contact the reception at any of our diagnostic centres.
5. International data transfers
We may need to share your personal data with recipients located outside the European Economic Area ("EEA"). Some countries are recognised by the European Commission as offering an adequate level of data protection and are therefore treated as equivalent to EEA countries.
Before transferring your data outside the EEA (or outside an adequate country), your data will either be anonymised or safeguarded, typically by using Standard Contractual Clauses approved by the European Commission. This Annex contains more details about the actual data transfers and the safeguards in place if any identifiable data is transferred.
You can learn more about the Standard Contractual Clauses here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
And more about adequate countries here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
6. Keeping your data secure
Keeping your data secure is our top priority. Your personal data is stored securely either by us or by carefully selected service providers. When our service providers process medical data on our behalf, we require them—via written agreement—to meet a high standard of data protection.
We ensure that strict security measures are in place to protect your personal data against loss, misuse, and unauthorised access or disclosure.
7. Your rights
Under data protection law, you have the following rights:
1. Right of access: You have the right to know whether your data is being processed and to access the personal data we hold about you, along with information about what Affidea does with it.
2. Right to rectification: You have the right to correct or complete your personal data if it is inaccurate or incomplete.
3. Right to erasure: You have the right to request the deletion of your personal data in certain circumstances, when there is no legal basis for its continued processing.
4. Right to restrict processing: You can request the restriction (i.e. blocking) of the processing of your personal data. If valid, we may store your data but not process it further.
5. Right to data portability: You have the right to access and reuse the personal data you have provided to us for your own purposes across different services. You may receive a digital copy of your data or request us to transfer it directly to another data controller.
6. Right to object: You have the right to object, on grounds relating to your particular situation, to the processing of your personal data based on our legitimate interest (see section 1.2). You may also object to the use of your data for direct marketing purposes.
If you wish to exercise any of these rights or learn more about them, please contact the reception at one of our diagnostic centres or our Data Protection Officer at: dpo.gr@affidea.com
8. Automated decision-making and profiling
Affidea does not use your personal data for automated decision-making.
We conduct profiling (i.e. automated processing of personal data used to evaluate certain aspects of an individual) only in two cases:
(i) If you have explicitly authorised us to send you personalised marketing messages (see section 1.3/B). The only consequence of this consent is that you will receive personalised information, offers, or reminders about medical examinations. Affidea does not use this marketing profiling to make any decisions regarding you or your medical condition.
(ii) If diagnostic image interpretation by a radiologist is supported by an algorithm (e.g., in cases involving post-processing of MRI images). Your medical diagnosis is always performed with the involvement of a radiologist—no diagnosis is ever made solely by automated processing.
9. If you have further questions
If you have any questions or would like more information about how your data is processed, you may contact Affidea’s Data Protection Officer:
Email: dpo.gr@affidea.com
Postal address: 122 Vouliagmenis Avenue, Elliniko, 16777, Athens, Greece
Telephone: +30 210 6148780
If you are not satisfied with the response you receive or if your request is not met, you may contact the Hellenic Data Protection Authority:
Email: contact@dpa.gr
Address: 1-3 Kifisias Avenue, 115 23 Athens, Greece
Telephone: +30 210 6475600
Annex to the Privacy Policy
Below you will find further information regarding the entities with whom we share your data. We share your data with other recipients only when it is absolutely necessary.
Data recipients acting on behalf of (and under the instructions of) Affidea
Sector | Activity Area | Subcategory | Type of Activity | Recipient Identity / Location |
Medical | Healthcare Professionals | Physicians | Provision of medical services | In Greece |
Medical | Healthcare Professionals | Other healthcare professionals | Provision of medical services | In Greece |
Medical | Healthcare Professionals | Radiologist | Provision of second opinion, if necessary | In Greece or within Affidea Group, if needed |
Service Providers | Administration | Call Center | Appointment scheduling via telephone | In Greece |
Service Providers | Medical Equipment Handling | Maintenance | Maintenance of medical equipment | In Greece |
Marketing | Promotion | Informational emails | Sending newsletters, if marketing consent is given | In Greece |
Marketing | Customer Database Management | Data Storage | Storage of customer contact information (if marketing consent is given) | In Greece or within Affidea Group, if needed |
Information Technology | Electronic Communication | Emails | Email system operation and hosting | Microsoft |
Information Technology | Management Software | Call Center Software | Storage of call recordings | In Greece |
Information Technology | Management Software | Patient Portal Hosting | Online appointment booking | In Greece |
Information Technology | Medical Software | Radiology Information System | Patient registration, scheduling, examination and diagnosis records, billing, report distribution | Biotronics |
Information Technology | Medical Software | Picture Archiving and Communication System (PACS) | Storage of diagnostic images | Biotronics |
Information Technology | Accounting Software | Accounting | Billing for healthcare services | In Greece |
Information Technology | IT Operations | IT infrastructure operations | Ensuring data access | In Greece |
Information Technology | Support | User support | Access control to systems | Microsoft |
Information Technology | Support | Software maintenance | System support | Microsoft |
Information Technology | Data Storage | Backup system | Ensuring data access | Infomed |
Third-party recipients (acting independently of Affidea)
Sector | Activity Area | Subcategory | Type of Activity |
Health Insurance | Private health insurance | Financing | Verification of insurance coverage |
Health Insurance | Public health insurance | Financing | Verification of insurance coverage |
Health Insurance | Public health insurance | Public Health Database Operation | Storage of state-funded medical records |
Financial Institutions | Bank | Payment | Payment via debit or credit card |
Financial Institutions | Private health fund | Payment | Reimbursement of healthcare expenses |
Medical | Public Health Management | Public Health Authority | Management of national resources for publicly funded healthcare services |
Medical | Ambulance Services | – | Patient transport to or from our medical centre |
Medical | Referring Doctor/Health Org. | – | Patient referral |
Medical | Clinical Research Organization | Clinical research | Requests and use of clinical research results, if you participate |
Public Authority | Medical authority, police, etc. | – | Exercise of investigative powers |
Insurance | Insurance Service | – | If you file a claim related to our medical services |
Audit | External Audit Body | – | Quality standards audit |
Audit | Certified Public Accountant | – | Audit of accounting records |
Communication | Postal Service | – | Mailing correspondence |
Communication | Telephone Service | – | Operation and maintenance of telephone system |
Below you can also find further information regarding the types of data we process for various purposes (as outlined in sections 1.1 – 1.3 above) and the duration for which we retain your data for these purposes.
Personal Data Processing Overview
Purpose of Data Processing | Type of Personal Data | Examples of Personal Data | Reason for Processing | Retention Period |
Medical Services | Basic personal data | Name, Social Security Number (AMKA), phone number, address, email | Appointment scheduling, registration, patient identification, maintaining communication with the patient | 10 years after your last visit |
Medical Services | Medical data | Prescriptions, medical history records, diagnosis | Patient safety, verification of proper medical procedures, diagnosis and treatment planning | 10 years after your last visit |
Medical Services | Financial and insurance details | Proof of insurance coverage, credit card information | Funding and payment | 10 years after your last visit |
Medical Services | Other personal data | Referring or family doctor’s identity | Communication with another healthcare provider to obtain additional data for optimal care | 10 years after your last visit |
Extended medical record retention | As specifically described above | – | Based on your explicit consent | As detailed above |
Anonymisation for service improvement | Anonymous medical data | Diagnosis | Research and development | Data retained in non-identifiable form |
General informational communication | Basic personal data | Name, phone number, address, email | Sending general information to you | Until the end of the retention period as described above |
Personalised informational communication | Basic personal data | Name, phone number, address, email | Sending personalised information to you | Until the end of the retention period as described above |
Personalised informational communication | Medical data | Type and date of your diagnosis and/or medical treatment at Affidea | – | – |
