Privacy Policy

1. Who are we?

We (“we”, “us”, “our”) are HIPA, with its Headquarters located at 131 Ethnikis Antistaseos, Kalamaria, Greece, Commercial Registry No. 58998304000.
HIPA Ltd is the owner of oncoEHR and the data controller (contact details below). This means it decides how your personal data is processed and for what purposes.
This privacy policy (“Privacy Policy”), together with any other documents referred to in it, sets out the basis on which we collect and process your personal data as a data controller when you use our services (“Services”) and/or our websites (oncoehr.oncorecords.com, www.oncorecords.com) (“Site”), and when you interact with us through other means such as customer service, discussing or contracting one of our professional services, or direct conversations and events.
We have produced this Privacy Policy to communicate and explain how we process personally identifiable information (personal data) that we collect about you when you use the Services or Site.
By using or accessing the Site or the Service and providing us with your personal data, you are accepting the practices described in this Privacy Policy, and you are consenting to our processing of your personal data as set forth in this Privacy Policy.
Please note:
This Privacy Policy does not apply to any personal data you provide to us when we process personal data on your behalf as your data processor i.e. where we process customer data within the service we provide to you, as a service provider. Such policies are described in our Data Processing Agreement. When, under the Terms of Service, your license is provided through a Facilitator, handling of customer data is governed by the provisions of the Data Processing Agreement that we have signed with your Facilitator.

2. How we collect your data

We use different methods to collect data from and about you including via:
Direct Interactions. You may give us your Identity, Contact and Financial Data when you fill in forms or correspond with us by post, phone, email or otherwise. This includes personal data you provide when you register to use our Site or to receive our newsletter, subscribe to use our Services, create an account to use our Site or Services, request marketing to be sent to you, search for a product or place an order on our Site, attend a conference or webinar, give us feedback or contact us and when you report a problem with our Site or Services.
Purchases: If you make purchases via our Site or within any Services, or register for an event or webinar, we may require you to provide your Identity, Contact, Financial and Transaction Data.
Automated Technologies or Interactions. As you interact with our Services, Sites or emails, we automatically collect Technical Information about your device, browsing actions, patterns, Location Data and Usage Data. We collect this personal data by using cookies, server logs and similar technologies about your device, and your use of our Site and Services. We may also receive Technical Data and Location Data about you if you visit other websites employing our cookies. Please see the Cookie section below for further details.
Google user data: Users with a Google account can explicitly grant oncoEHR access to their personal Google Calendar in order to sync oncoEHR appointments to a dedicated Google Calendar automatically created by us: 'oncoEhr cal'. At any time, the user can revoke this permission. No Google user data, other than appointments in this dedicated calendar, is queried, persisted or processed. Users with a Google account can also explicitly grant oncoEHR access to their Google Drive, in order for it to be used for storing and querying patient files. Only file/folder data is used by oncoEHR, and it is not stored anywhere other than Google Drive. oncoEHR does not share user Google Drive files with any third party organization, company or individual. At any time, users can revoke this permission. oncoEHR's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
If we don’t collect your personal data, we may be unable to provide you with all the Services, and some functions and features on our Site may not be available to you.

3. Uses made of personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
| Purpose/Activity | Type of data | Lawful basis for processing |
| --- | --- | --- |
| To register you as a new customer | (a) Identity (b) Contact | Performance of a contract with you |
| To process and deliver your order including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us | (a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us) |
| To manage our relationship with you which will include: (a) Notifying you about changes to our terms, this Privacy Policy, the Site or Services (b) Asking you to leave a review or take a survey | (a) Identity (b) Contact (c) Profile (d) Marketing and Communications | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To administer and protect our business and this Site (including troubleshooting, data analysis, testing, system maintenance, support, updates, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation |
| To use data analytics to improve our Site and Services, marketing, customer relationships and experiences | (a) Technical (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications | Necessary for our legitimate interests (to develop our Services and grow our business) |
| To transfer appointment related information from oncoEHR to your Google Calendar | Patient appointments | User explicitly grants access |
| To query Google Drive files related to a particular patient | Patient-related documents | User explicitly grants access |
We will not sell or rent your personal data to anyone.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

4. Personal data we share with third parties

We may share your personal data with the following third parties for the purposes set out in the table above.
  1. Any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries.
  2. Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you to provide services such as IT and system administration services, email communications, hosting services, backup services, credit card processing, research, development, customer support, including: OVH, Google, AWS, ElasticEmail, Mailchimp.
  3. Tax authorities, regulators and other authorities who require reporting of processing activities in certain circumstances.
  4. Analytics and search engine providers that assist us in the improvement and optimisation of our Site and Services.

5. Personal data we disclose to third parties

We may disclose your personal data to third parties:
In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
If we or a member of our group of companies or substantially all of their assets are acquired by a third party, in which case personal data held by them about their customers will be one of the transferred assets.
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions, terms of use and/or any other legal agreements; or to protect our rights, property, safety, our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

6. Links to other sites

If you are directed to a website or use an application of a third party via the Services or the Site, the conditions and privacy rules of that partner or third party apply. You are advised to read the privacy statement of this partner or third party. When accessing the Services through any third party services, your login data will be processed by us in accordance with this Privacy Policy.

7. Data Retention

We retain personal data for as long as reasonably necessary to fulfil the purposes for which it was provided or collected, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint, if we reasonably believe there is a prospect of litigation in respect to our relationship with you, to comply with law enforcement requests, maintain security, prevent fraud and abuse, resolve disputes, enforce our legal agreements, or fulfil your request to “unsubscribe” from further messages from us.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
This will be for as long as we provide access to the Site or Services to you, your account with us remains open or any period set out in any relevant contract you have with us. After you have closed your account or ceased using the Services for a period of at least 3 months, we usually delete personal data as set out in our data retention policies available on request.
We will retain some anonymised information after your account has been closed and we may use this for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

8. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. For example, all information you provide to us is stored on our secure servers.
Any Sensitive personal data are treated as highly confidential by default, and always transmitted and stored in a strongly encrypted/anonymised form. Good faith efforts are made to securely store all personal data. The relevant data is only accessible to limited staff members in so far as access is necessary to enable them to perform their duties and guarantee the correct working of the Site or Services.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Site or Services, you are responsible for keeping this password confidential. We ask you not to share any password with anyone. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Unfortunately, the transmission of information via the Internet is not completely secure. Although we will endeavour to protect your personal data, we cannot guarantee the security of your personal data transmitted to our Site or the Services. Any transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.

9. Your rights and your personal data

You have the following rights with respect to your personal data:
  1. The right to request a copy of your personal data which HIPA holds about you.
  2. The right to request that HIPA corrects any personal data if it is found to be inaccurate or out of date.
  3. The right to request your personal data is erased where it is no longer necessary for HIPA to retain such data.
  4. The right to withdraw your consent to the processing at any time.
  5. The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing.
  6. The right to object to the processing of personal data.
  7. The right to lodge a complaint with the Data Privacy Authority.

10. Further processing

If we wish to use your personal data for a new purpose, not covered by this Privacy Policy, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.

11. Cookies

A cookie is a small file, which asks permission to be placed on the hard drive of your computer. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. In no way does a cookie give us access to your computer or any information about you, other than the data you choose to share with us.
We may use Analytics cookies provided by Google Inc. (Google Analytics) to identify which pages are being used. This helps us analyze data about webpage traffic and improve our Products in order to tailor them to our users’ needs. We only use this information for statistical analysis purposes. Your IP address is recorded, but pseudonymized immediately (by deleting the last 8 bits). As a result, only a rough localization is possible. You can choose to accept or decline cookies. A relevant Google policy applies towards the use of Google Analytics.
When the Site deploys cookies, you will always have the possibility to de-activate them using the relevant settings of the web-browsing software.

12. Contact Details

To exercise all relevant rights, or for queries or complaints, please in the first instance contact the Data Privacy Officer at dpo@HIPA.gr or on +302314000305.
You can contact the Data Protection Authority at www.dpa.gr or on +30 210 6475600.