INTRODUCTION
The processing of personal data subject to this Privacy and Data Protection Policy will be carried out in strict compliance with the legislation on the protection of personal data, and in accordance with the General Data Protection Regulation (RGPD) – Regulation (EU) 2016/ 679, approved by the European Parliament and the European Council on 27 April 2016.
For the purposes of this Privacy and Data Protection Policy, “personal data” is considered to be any and all information relating to an identified natural person, and “processing” is understood to mean all operations carried out on personal data, by automated or non-automated means. , such as collection, recording, organisation, structuring, conservation, adaptation or alteration, retrieval, collection, use, dissemination by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, erasure or destruction.
The entity responsible for the processing of personal data (which determine the purposes and means of treatment to which the collected personal data will be submitted) is the commercial company Ortoarriaga – Sociedade Médica, Lda. provided directly by the data subject, in person, by letter, by filling in a paper form, by filling in a computer form, by delivery of documents or a curriculum vitae or by email, and if the latter acknowledges and declares that you have become aware of and fully agree with the terms of this Privacy and Data Protection Policy; in turn, the aforementioned commercial company undertakes to comply with all its terms, as well as all the obligations imposed on it by the RGPD.
- RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
The entity responsible for collecting and processing personal data is the commercial company Ortoarriaga – Sociedade Médica, Lda., holder of the Tax Identification Number / Corporate Identification Number 511209487, headquartered at Avenida Arriaga, n.º 42-B, Arriaga Building – 5th floor, room 5 – 9000 064 Funchal.
- DATA PROTECTION CHARGE
The Data Protection Officer is Dr. Roberto Henriques, contactable through the telephone number 291 282 590 through the email address info@clinicarriaga.pt or at the address Av. Arriaga, 42B Ed. Arriaga, Room 5.5 (Ed. Loja do Cidadão, 9000-064 Funchal.
- DATA HOLDERS, TYPES AND PURPOSES OF THE PROCESSED DATA AND LEGAL JUSTIFICATION FOR THE PROCESSING OF PERSONAL DATA
The responsible entity processes personal data of its employees (with whom it grants employment contracts), its employees (with whom it grants contracts for the provision of services) and its customers.
WORKERS AND EMPLOYEES
Regarding its workers and collaborators, personal data are processed for the purpose of preparing and/or developing the employment relationship between them and the respective employer (namely for the purposes of drawing up contracts; processing wages; handling all matters related to Social Security, the Tax and Customs Authority, labor inspection, labor statistics departments, unions, banking and insurance institutions; identification of workers before the employer and third parties; and for other situations related to the exercise of their duties. functions that arise from time to time, such as enrollment in training courses, medical appointments, health and safety activities at work, or travel booking).
For this purpose, the responsible entity only processes the following personal and professional data: name, address, date of birth, place of birth, nationality, passport-type photographs or photographs in the context of work, educational and professional qualifications, professional experience, knowledge of foreign languages, telephone and/or mobile phone number, email, Citizen Card number or Residence Permit number, Tax Identification Number, Social Security Registration Number, Bank Identification Number, marital status and other information that may determine the attribution of salary supplements, working hours and place, internal identification number, date of admission, seniority, professional category, seniority in the category, salary level / scale, nature of the contract, basic salary, other certain or variable benefits, subsidies, attendance and absenteeism, leaves, number of dependents and tax identification of dependents, other elements relating to the attribution of supplementary remuneration, amount or rate in relation to mandatory or optional discounts, place of payment, bank account number and identification of the institution, whether they have a driving license and their own vehicle, and, where applicable, respective degree of incapacity and temporary incapacity resulting from an accident at work or occupational disease.
The provision of these personal data is mandatory, as they are necessary for the performance of the employment or service contract to which the data subject is a party, or for carrying out pre-contractual steps at the request and in the interest of the data subject. of the data; in addition, the data subjects give their express consent to the processing of their personal data for the aforementioned purpose, which ensures the lawfulness of the treatment, in accordance with the provisions of article 6, paragraph 1, points a) and b) of the GDPR, and provides a legal basis for its treatment.
In the event that it becomes necessary to process any additional personal data for this or any other purposes, the responsible entities will always be careful to communicate it to their workers or candidates for workers, requesting their consent when applicable, and providing them again with all the necessary information so that they can understand the reason and the conditions of the treatment.
CUSTOMERS
The responsible entity processes the personal data of its customers in order to record their medical and clinical history, the complementary and diagnostic tests they have carried out, the medical or nursing services they have been provided, and the therapies and recommendations they have provided. have been transmitted to them; to bill the services provided; for processing and sending information to customers; to carry out advertising and promotional campaigns with its customers; They also collect customer opinion and satisfaction data for the purpose of evaluating and improving their services.
For the purposes indicated, the responsible entity only collects the name, the Tax Identification Number, the Social Security registration number and/or a health subsystem; records the medical, complementary and diagnostic exams that have been carried out, as well as data referring to all consultations, therapies, medical or nursing interventions that have been provided to the client; and collects the contacts of its customers, namely the address, telephone and/or mobile number and e-mail address, as well as their opinions and their degree of satisfaction with the services provided.
These data are provided voluntarily and directly by the data subjects, who give their express consent to the processing of their personal data for the aforementioned purposes, which ensures the lawfulness of the treatment, in accordance with the provisions of article 6, paragraph 1. , point a) of the GDPR, and provides a legal basis for its treatment.
In the event that it becomes necessary to process any additional personal data for these or any other purposes, the responsible entity will always be careful to communicate it to its customers, requesting their consent when applicable, and providing them again with all the necessary information to who can understand the reason and conditions of treatment.
PERSONAL DATA STORAGE PERIOD
- WORKERS AND EMPLOYEES
The personal data collected will be kept for a maximum period of ten years after the termination of the employment or performance relationship between the responsible entity and its workers or collaborators, and which justified the processing of the data, since its conservation after the end of the employment contract is legally imposed, and this period is adequate for the fulfillment of these obligations. On the other hand, this data will continue to be part of the candidate pool of the company responsible for the same period of time, so that the workers or collaborators may be hired again by the same or another commercial company with the same title that will be constituted.
- CUSTOMERS
Customers’ personal data will be kept for a maximum period of ten years after the termination of the commercial relationship between the parties, this being considered the date of the last invoice issued in the name of the respective data subject.
RIGHTS OF DATA HOLDERS
All holders of personal data made available under this Privacy and Data Protection Policy enjoy the following rights with regard to the processing of their personal data:
a) Right to information: data subjects have the right to know the identity and contact details of the entities responsible for the processing of personal data, the purpose and legal basis of their treatment, the period of storage of the data and their recipients, this information contained in this Privacy and Data Protection Policy.
b) Right of access: whenever requested, the data subject can obtain confirmation as to whether their personal data are processed by any of the commercial companies that make up the so-called SERLIMA GROUP, as well as the terms in force for such treatment. You also have the right to receive a free copy of your personal data being processed; however, if you request more than one copy, you may be charged administrative fees from the second request.
c) Right of rectification: whenever he considers that his personal data is incomplete or inaccurate, the data subject may request its rectification, update or that they be completed, committing the responsible entities to carry out this rectification or update within the deadline. maximum of fifteen days.
d) Right of opposition and right to erasure: the data subject can oppose that his data continue to be used by the responsible entities, or he can request that his data be erased from the respective databases, provided that they are not essential to the development of the employment or commercial relationship, as the case may be; since some data are mandatory by law for the continuation of the employment relationship, for tax purposes or for the relationship with Social Security, the data subject can only oppose its use or demand its erasure after the termination of the employment relationship. or the commercial relationship, as the case may be, and after the legal deadlines for maintaining the data or documents in question have elapsed, that is, when the personal data are no longer necessary for the purpose for which they were collected and processed.
e) Right to limitation of treatment: the holder of personal data may request the limitation of their treatment if they contest the accuracy of their personal data for a period of time that allows the responsible entity to verify its accuracy, if it considers that the treatment is illegal, if consider that the responsible entities no longer need your personal data, or if you have objected to the processing.
f) Right of portability: the data subject may ask the entities responsible for the treatment to hand over, to himself, the personal data provided by him, in a structured format of current use and automatic reading, and/or may request that his data be transmitted to a third party, provided that this is technically possible.
g) Right to be notified in the event of a breach of your personal data: in the event of any breach of your personal data that may pose a high risk to the rights and freedoms of the data subject, the responsible entities undertake to notify the data subject of that occurrence as soon as possible.
h) Right to file complaints with the supervisory authority: if you wish to file a complaint regarding matters related to the processing of your personal data, the data subject may do so with the National Data Protection Commission, the competent supervisory authority in Portugal. , accessible at www.cnpd.pt.
The responsible entities undertake to ensure and respect all the aforementioned rights of the holders of personal data.
To exercise any of these rights, the data subject may contact the Data Protection Officer, using the contacts mentioned in point 3.
- AUTOMATED DECISIONS
The responsible entity will never use the personal data processed for the adoption of automated decisions or for the definition of profiles.
DATA SHARING AND COMMUNICATION
- WORKERS
The responsible entity will only share / communicate the personal data of its workers and collaborators for the purposes of calculating and paying salaries, ancillary benefits, other allowances and gratuities, calculation, withholding at source and operations related to mandatory or optional discounts on remuneration, arising from of legal provision, carrying out non-nominative statistical operations related to the processing of wages within the scope of the processing entity, or to fulfill any obligation and / or legal imposition, with the following entities: ISSM – Instituto de Segurança Social da Madeira, IP- RAM and Social Security management institutes; ATA – Tax and Customs Authority; Banking and Insurance Institutions; DREM – Regional Directorate of Statistics of Madeira; DRTAI – Regional Directorate of Labor and Inspection Action; unions; entity responsible for the performance of functions related to Safety, Hygiene and Medicine at Work; any other entity to which payroll and/or other personnel management-related functions have been assigned.
In specific cases that may occur, the responsible entity may, eventually, communicate the personal data of some data subject(s) to external entities that provide legal, accounting or auditing services.
- CUSTOMERS
The responsible entity will not share the personal data of its customers with any external entity, without prejudice to, in specific cases that may occur, they need to communicate the personal data of some holder(s) to the external entities that provide them. legal, accounting or auditing services.
TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION
The personal data collected, processed and used by the responsible entity are not made available to third parties established outside the European Union.
AUTOMATIC / AUTOMATED DATA TRANSFER
The personal data collected, processed and used by the responsible entity are not made available without human intervention to anyone.
SAFETY COMMITMENT – TECHNICAL, ORGANIZATIONAL AND SAFETY MEASURES IMPLEMENTED
The entities responsible for the collection and processing of personal data of Ortoarriaga – Serviços Médicos, Lda. undertake to guarantee the protection, security and confidentiality of the personal data made available to them, having approved and implemented strict rules on this matter, of a technical and organizational nature, in order to protect the personal data made available to them against their dissemination, loss, misuse, alteration, treatment or unauthorized access, as well as against any other form of unlawful treatment.
In addition, they undertake to comply with all legal and regulatory provisions that govern, or will govern, privacy and the protection of personal data, committing to keep all their rules, practices and IT equipment up to date, in order to to safeguard the integrity and confidentiality of the personal data they process, and to adopt all necessary and appropriate technical and organizational measures to protect the personal data collected and to comply with legal requirements, having already adopted, in particular, the following measures: carrying out audits regular meetings with a view to assessing the effectiveness of the technical and organizational measures implemented; awareness and training of personnel involved in data processing operations to fully comply with the rules defined in this Privacy and Data Protection Policy and legal regulations; elaboration and adoption of an internal regulation that defines and imposes good practices to guarantee the security and confidentiality of all personal data collected and processed; pseudonymisation and encryption of personal data, whenever justified; adoption of technical and technological measures capable of ensuring the confidentiality, security and permanent resistance of information systems; and the adoption of mechanisms that ensure the restoration of information systems and access to personal data in a timely manner in the event of a physical or technical incident.
Whenever there are changes in the treatment of your personal data, or if it is necessary to change this Privacy and Data Protection Policy, the responsible entities will inform all data subjects, and will collect new consents.
- APPLICABLE LAW AND JURISDICTION
This Privacy and Data Protection Policy, as well as, in a generic way, the collection, processing or transmission of personal data, are governed by the provisions of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016 and by the legislation and regulations applicable in Portugal. Any disputes arising from the validity, interpretation or execution of this Privacy and Data Protection Policy, or that are related to the collection, processing or transmission of personal data, must be submitted to Portuguese jurisdiction, more specifically to the Judicial Court of the District of Madeira, without prejudice to the mandatory legal rules applicable.