Personal Data Protection Policy
Introduction:
The National eHealth Authority of Cyprus (hereinafter referred to as the 'Authority') is committed, under the General Data Protection Regulation of the European Union (Regulation 2016/679 - GDPR) and the ‘Protection of Natural Persons Against the Processing of Personal Data and the Free Movement of Such Data Law of 2018 (L. 125(I)/2018)’, to ensuring and safeguarding your right to protection against unlawful processing of personal data by protecting the personal data it holds concerning you.
The National eHealth Authority of Cyprus has developed cross-border healthcare electronic services to provide secure access to patient information when cross-border healthcare is needed, contributing to the delivery of high-quality cross-border healthcare for all European Union citizens (NCPeH Cy).
The eHealth Digital Service Infrastructure (eHDSI) ensures that European citizens can continue their care while traveling to another EU country. It enables EU countries to exchange health data in a secure, efficient, and interoperable manner. Electronic medical data support the mobility of European citizens within the European Union (EU).
Personal data is any information relating to an identified or identifiable natural person, directly or indirectly, particularly by reference to an identifier such as a name, ID number, or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural, or social identity of that person. The term personal data also includes, among other things, some sensitive data (or special categories of data) such as health data, criminal convictions, and data revealing race or ethnicity. At the same time, the National eHealth Authority understands that maintaining the security and confidentiality of your personal data is a significant responsibility that we take very seriously. For this reason, we have developed, among other measures, this Policy, which aims to inform you about the data we collect and process, the reasons for its collection, and its use.
Our Role According to the Regulation
According to the provisions of the Regulation, the National eHealth Authority of Cyprus, within the framework of the NCPeH Cy Project, is the Data Controller for all personal data it collects and processes for its own activities and procedures. As the Data Controller, it collects, maintains, and processes the personal data of patients, visitors, clients, and collaborators.
How We Collect Personal Data
This Policy applies to the collection of data by the National eHealth Authority of Cyprus for the provision of cross-border healthcare services through the electronic application it has created (eHDSI). The services from which we collect personal data are as follows:
- Creation of the Patient Summary (Patient Summary – PS A) by the patient's chosen doctor at the national level and registration in the National Contact Point (NCP) system.
- Providing each Cypriot citizen the ability to obtain the Patient Summary (Patient Summary – PS A) from a doctor of their choice.
- Updating the Patient Summary (Patient Summary – PS A) by the patient’s chosen doctor when requested by the patient.
- Retrieval of the Patient Summary (Patient Summary – PS B) by the treating physician in another Member State (MS) the patient visits.
- Sending the Patient Summary (Patient Summary – PS B) to the country the patient is visiting.
- Creation of Original Clinical Document A for the patient/Cypriot citizen (OrCD A).
- Retrieval of Original Clinical Document A for the patient/Cypriot citizen located in a European Union country.
- Retrieval of Original Clinical Document B for the patient/EU citizen.
- Creation of the Cross-Border Electronic Prescription (ePrescription – eP) at the national level for execution of the prescription in another MS (eDispensing – eD).
- Execution of the Cross-Border Electronic Prescription for a European citizen visiting Cyprus (eDispensing – eD).
- Updating the execution status of the Cross-Border Electronic Prescription executed in another MS.
It is noted that we collect personal data:
- Directly from you,
- From parents, guardians, or those with parental responsibility or authorized representatives,
- Through our collaborators.
What is the Legal Basis for Processing Your Personal Data?
The provided services (eHDSI) are available to you only with your explicit consent (Article 9.2(a), GDPR).
What Types of Personal Data Do We Collect?
We collect and use various types of data, including data that leads to the identification of individuals (otherwise known as 'data subjects who can be directly/indirectly identified'). The personal data we collect and process may relate to:
- Health:
  - Identification details (name, date of birth, gender, ID/ARC, patient identification number).
  - Patient contact information (address, email, phone number).
  - Health Data: Clinical patient data, allergies, medical history (chronic and non-chronic conditions), history of medical procedures, dates of recent surgeries (last six months), medical implants and their identification, medication (description of drugs, dosage and duration of treatment), blood type, pregnancy history, blood pressure index, medical analyses, radiological reports and discharge data, laboratory results.
  - Other Patient Data: Dietary habits, smoking, details of parent/guardian/authorized representative (for vulnerable groups).
  - Doctor's Details: Name, unique identifiers for doctors as collected by the Cyprus Medical Association (PIS), workplace address, mobile phone number, specialty, specialty registration number.
- Contracted Doctors / Pharmacists:
  - Details from the PIS Registry: Name, date of birth, ID/ARC, Specialty, Doctor's Registration Number, Mobile Phone Number, Work Phone Number (landline), Email, Full Postal Address.
  - Details from the Pharmacy Council Registry: Name, ID/ARC, Mobile Phone Number, Email, Pharmacist Registration Number with the Cyprus Pharmaceutical Association.
- Personnel or Collaborators:
  - Name and email address.
Sharing of Your Personal Data
In cases where it is deemed necessary to transfer your personal data, such as to doctors or pharmacists, strict controls, measures, and data processing agreements are applied, outlining the extent and manner in which the data can be used.
Your data is accessible only to recognized and authorized healthcare professionals involved in your treatment, under professional confidentiality, in the country of treatment and/or your visit.
Your personal data may also be disclosed to third parties, including government authorities, courts/enforcement authorities, or other public services, as required:
- In response to a subpoena or similar investigatory request, court order, or other judicial or administrative mandate, or a request for cooperation from law enforcement or other government agency, for the establishment or exercise of our legal rights, to defend against legal claims, to comply with applicable laws, or for cooperation with law enforcement, or for enforcing the terms and conditions as presented on our website or in other agreements and policies implemented by the National eHealth Authority (NEHA), or as otherwise required by law (including responding to any government or regulatory request). In such cases, we may assert or claim any objection or right available to us, at our sole discretion.
- To the extent necessary for disclosure related to efforts to investigate, prevent, report, or take other actions regarding illegal activity, suspected fraud, or other offenses, for the protection and defense of our rights, property, or safety, as well as for maintaining and protecting the security and integrity of our infrastructure.
Retention Period for Personal Data
The retention period for your personal data, which is necessary for compliance and law enforcement purposes, varies and depends on the nature of our legal obligations and claims in each case. For more information regarding specific retention periods, you can contact us at: +357 22436000 or via email at: info@neha.org.cy.
To the extent that we have collected your personal data for the purposes of providing services, customer management, and content customization as described above, we retain your personal data for as long as there is an active relationship, as required for the provision of our services and in accordance with relevant Cypriot laws.
Any personal data collected based on the legal basis of consent, such as contact details for communication purposes, will be deleted when you withdraw your consent. You may also withdraw your consent at any time.
Security of Your Personal Data
We take appropriate technical and organizational measures (including physical, electronic, and procedural measures) to protect your personal data from unauthorized access, illegal use, interference, alteration, or disclosure in accordance with the requirements of the Regulation.
Automated Decisions, Including Profiling
None of our processes are based on automated decision-making and/or profiling.
Your Rights
Under the provisions of the GDPR, you have the following rights regarding your personal data (please note that these rights are not absolute and, in some cases, are subject to conditions as defined by law):
- Right to Access:
  - You have the right to access the data we hold about you at any time and to:
- Right to Rectification:
  - You have the right to correct any inaccurate or incomplete data about you.
- Right to Erasure:
  - You have the right to request the erasure of personal data if one of the following reasons applies:
    - Your personal data is no longer necessary for the purposes for which it was collected or for which it was otherwise processed.
    - You wish to withdraw the consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a) of the GDPR, and there is no other legal basis for the processing.
    - You object to the processing according to Article 21(1) of the GDPR, and there are no overriding legitimate grounds for the processing, or you object to the processing according to Article 21(2) of the GDPR.
    - Your personal data has been processed unlawfully.
    - Erasure of your personal data is necessary to comply with a legal obligation under European Union law or the law of the Republic of Cyprus to which our organization is subject.
    - Your personal data has been collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.
- Right to Object:
  - You have the right to object to the processing of your personal data at any time for reasons related to your particular situation, unless there are compelling legitimate grounds for the processing that override your interests, rights, and freedoms.
- Right to Restriction:
  - You have the right to request the restriction of the processing of your personal data, for example when the accuracy of the data is contested, or when the data is no longer necessary but you require its retention for the establishment, exercise, or defense of legal claims.
- Right to Data Portability:
  - You have the right to data portability, which means the right to transfer your personal data to another organization in a structured, commonly used, and machine-readable format.
- Right to Withdraw Consent:
  - You have the right to withdraw your consent for the processing of your personal data at any time, without affecting the lawfulness of processing based on your consent before its withdrawal. Please be aware that withdrawing your consent may result in the termination of related services.
- Right to Lodge a Complaint:
  - You have the right to submit a complaint regarding the processing of your personal data to the Data Protection Commissioner.
If you have any questions regarding the personal data we hold about you or if you wish to exercise any of your rights, please send a written request to the email address: info@neha.org.cy or contact us by phone at: +357 22436038.
Changes to the Personal Data Processing Policy
We may modify or revise our Policy regarding the Processing of Personal Data from time to time. You can find the updated version on our website, https://www.neha.org.cy/, to stay informed about any changes, as they are binding.
Contact Information:
If you have any questions regarding the Personal Data Processing Policy or the methods we use to manage your personal data, please contact us at: info@neha.org.cy or by phone at: +357 22436038. You can also reach us at the following address:
National eHealth Authority
67A Limassol Avenue, 2121 Aglandjia, Nicosia, Cyprus
Phone: +357 22436038
Email: info@neha.org.cy
Filing a Complaint
If you feel that you have been unfairly treated or if you have doubts about the outcome of your request, you may submit a written complaint to the Commissioner for the Protection of Personal Data at the following address:
Office of the Commissioner for the Protection of Personal Data
Kypranoros 15, 1061, Nicosia, P.O. Box 23378, 1682 Nicosia, Cyprus
Phone: +357 22 818456
Fax: +357 22 304565
Email: commissioner@dataprotection.gov.cy