Scope of the Privacy Notice
"Health Units SA" (hereinafter the "Company") based in Acharnes – Olympic Village, 1 Georgiou Damaskou Str, P.C. 13677, 210 2420000 in its capacity as Controller, collects and further processes your personal data only if strictly necessary, for clear and legitimate purposes, under Regulation (EU) 2016/679, Law 4624/2019 and Law 3471/2006, as applicable during the operation of its websites https://www.aemy.gr and https://www.santorini-hospital.gr/ (hereinafter referred to as the 'Websites').
Useful Data Privacy Terms
For the purposes of this Notice, the following terms are defined:
- personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified in particular by reference to an identifier such as a name, an identification number, location data, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- personal data of special categories or sensitive personal data: personal information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and genetic data, biometric data which allow a natural person to be uniquely identified, health data and/or data regarding sexual orientation. We may collect such data only if you voluntarily provide them to us, or when we ask you to do so and you provide us with your explicit consent.
- minors’ data: personal data of persons under the age of 18. We do not seek or obtain personal data directly from minors; instead we endeavor to collect such data from their legal guardian and, when necessary, we obtain the relevant consent, as analyzed hereinafter. However, as it is impossible to always determine the age of persons who access and use our websites, we encourage parents or guardians to contact us if they notice any case of unauthorized data provision by minors, in order to exercise their rights accordingly, such as deletion of their data.
- processing: any operation performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
- processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her;
- personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- Regulatory Framework: The relevant national and EU data protection regulatory framework, namely the Regulation (EU) 2016/679 (hereinafter referred to as the 'GDPR'); Law 4624/2019, Law 3471/2006, the jurisprudence of the Court of Justice of the European Union (hereinafter referred to as the CJEU) as well as the Decisions, Directives and Opinions of the European Data Protection Board (hereinafter referred to as the 'EDPB') and the Hellenic Data Protection Authority (hereinafter referred to as the “DPA”).
Data collected by the Company through the website https://www.aemy.gr/
Data collected automatically
Data collected by the Company through the website https://www.santorini-hospital.gr/
· Full name
· Content of the user’s message
Direct and effective communication with the users of the website
Communication with the users of the website – Article 6 para. 1 (f) GDPR
Until the subject matter of the communication has been dealt with and after the expiry of legal limitation periods
Competent audit and judicial authorities
2. Patient Satisfaction Questionnaire
· Full name
· Date of visit
· Department of visit
· Personal impressions regarding the quality of the Hospital’s services
· Content of user’s message
Evaluation of the quality of services provided by the General Hospital of Thira
· Article 6 para. 1 (f) GDPR
Until the patient requests its deletion
· Competent audit and judicial authorities
Collection and further processing of Minors Personal Data
In principle, the Company does not collect or further process data of minors directly or indirectly (i.e. persons who have not reached the age of 18). However, since it is impossible to cross-check and verify the age of persons entering or using the Company's websites, it is recommended that parents and guardians of minors contact the Company immediately if they find any unauthorized disclosure of data on behalf of the minors for whom they are responsible, in order to exercise respectively the rights granted to them, such as the deletion of their data. In case Health Units SA realizes that it has collected personal data of a minor, the Company commits to delete them immediately and take every necessary measure for the protection of the minor’s data.
We do not perform automated decision-making processing, including profiling.
Health Units SA transmits the aforementioned personal data to third parties, to whom the Company has entrusted the processing of personal data on its behalf and to partner institutions/companies.
In any case, the third parties to which the personal data of the data subjects are transmitted, are contractually bound to the Company by a confidentiality clause and are subject to all obligations provided by the Existing Legislation to respect the rights of data subjects.
At the same time, the personal data of the data subjects may be transmitted to public authorities, independent authorities, etc. (Competent Ministries, competent public bodies, Public Prosecution and Judicial Authorities, Tax Authorities, Customs Authorities, the DPA, etc.) for the purposes of compliance with the legal obligations of the Company provided for in the Existing Legislation.
Transfer of Personal Data outside the EEA.
In principle, the Company does not transmit your personal data to third countries. In case of transfer of your personal data to a country outside the European Economic Area (EEA), the Company carries out this transfer under Chapter II of the Regulation in conjunction with:
- Adequacy Decision of the European Commission (Article 45 GDPR) or
- Appropriate safeguards in accordance with the GDPR for the transmission of such data (Article 46 GDPR).
- Finally, for occasional processing, the transfer is based on one of the exceptions provided for in Article 49 of the GDPR (e.g. the explicit consent of the user after being informed of the risks involved in the transfer, the transfer being necessary for the performance of a contract at the request of the subject, reasons of public interest, the need to support legal claims, the vital interests of the data subject, etc.).
The personal data of the data subjects are collected and retained for a predetermined and limited period, depending on the purpose of processing, after which the data are deleted from our records.
Where the processing is imposed as an obligation by provisions of the applicable legal framework or a specific retention period is foreseen, your personal data will be stored for as long as the relevant provisions require.
The personal data of data subjects collected and processed for the performance of a contract shall be kept for as long as necessary for the performance of the contract and for the establishment, exercise, and/or support of legal claims based on the contract.
The personal data of the subjects that are processed for marketing purposes with the consent of the subjects (e.g. data from the subscription to the Newsletter) are kept until the revocation of the consent, without this revocation affecting the lawfulness of the processing until then.
Breach of Personal Data
In the event of a breach incident, the Company applies a specific Privacy Breach Incident Management Policy. If you become aware or suspect that a personal data breach may/has occurred, please inform the Company without delay either at the e-mail address
Security of Personal Data
Taking into account the latest technological developments, the cost of implementation and the nature, scope, context and purposes of processing, as well as the varying intensity and extent of the risks of occurrence and severity for the rights and freedoms of the data subjects from the processing of their personal data, the Company takes the necessary technical and organizational measures to protect their rights. Although no method of transmission over the Internet or method of electronic storage is completely secure, the Company takes all necessary digital data security measures (e.g. antivirus) in compliance with its obligations under the Existing Legislation.
The Company ensures that it can respond directly to the requests of the subjects, for the exercise of their rights in accordance with the Regulatory Framework. More specifically, every data subject has the following rights:
If you exercise any of the above rights, the Company will respond immediately [in any case within thirty (30) days of the submission of the request], informing you in writing of the progress in fulfilling it.
For any complaint you may make regarding this information note or privacy issues, if we do not meet your request, you may contact the Hellenic Data Protection Authority via the following link: www.dpa.gr.
Data protection issues
For the exercise of all the above rights, as well as for any matter relating to the processing of your personal data by the Company, you can contact us by e-mail
Disclaimer for Third Party Sites
The Company does not control and is not responsible for any subsequent processing carried out on them by the Joint Controllers.
For more information about data processing policy and options for setting up these networks, you can visit the following web pages:
Updates to the Privacy Notice