Privacy Policy

1. Introduction

For my dental practice, KOUTSOUKOS PETROS dental surgeon ORADENT (hereinafter "dental practice", "practice" or "controller"), the protection of your personal data is of primary importance, in whatever capacity you communicate or cooperate with me, for example as a prospective or active patient, website visitor, supplier, private individual, collaborating third party, etc.

Please read these terms and the related Security and Privacy Policy of the clinic carefully. By using our website and signing the relevant declaration of consent, you unconditionally accept the practices described herein, the terms of which shall henceforth govern the contractual relationship between us and are incorporated into the terms of use of each of our services.

2. What is your personal data

Your personal data includes any information, on paper or electronic media, that can lead, either directly or in combination with other information, to your unique identification or identification as a natural person. This category includes, as the case may be, information such as name, VAT number, physical or electronic addresses, your landline and mobile telephone numbers, calling and called telephone numbers, recipients of SMS/MMS messages, bank/debit/prepaid card details, your email addresses, identification details of your equipment or terminal devices (computer, smartphone, tablet), and the history of your online searches (log files, cookies etc.). It also includes special categories of data (sensitive personal data) such as social security number (AMKA), medical history, dental history, treatment planned, treatment carried out, x-rays, 3D x-rays (CBCT), patient casts and any other information that allows your unique identification under the provisions of the General Data Protection Regulation (GDPR 2016/679), Law 4624/2019, the currently applicable Greek legislation and the decisions of the Personal Data Protection Authority (PDPA).

3. The nature of the dental practice's operations and the data controller

I inform you that my office operates exclusively as a dental office. In order to carry out its work, it is required to keep a file of personal data, for the processing of which the controller is me, the dentist KOUTSOUKOS PETROS dental surgeon ORADENT • KAVKASOU 55B KORYDALLOS • PO Box: 18121 TEL: 2105616853 • [email protected] VAT number: 165901246 • SEE: NIKAIAS AMKA: 19059600759

4. The practice's "filing system" ("file")

A. The dental practice maintains a filing system ("file") of personal data of its patients. This information is subject to both automated (digital) and non-automated (paper) processing. To protect this file, the necessary measures have been taken so that it is inaccessible to unauthorized persons and the information remains confidential and secure.
B. With regard to suppliers and, possibly, other natural persons who deal or will deal with the dental office (e.g. companions of minor patients), the information collected is stored in a digitized but non-automated processing system, with all necessary measures taken for the protection and security of personal data.
5. Subjects whose data is processed

As a Data Controller I may process necessary information such as:

• Personal data of patients who choose the practice for dental work.
• Personal data of my suppliers.
• Personal data of dentists, doctors (usually maxillofacial surgeons) with whom I work in order to carry out dental work on patients, which requires a combination of specialties and knowledge.
• Personal data of the dental technicians I work with.
6. Personal data, processing purposes and legal bases of processing

A. As a Data Controller I may process simple personal data of my patients such as:
• Patient's first name, patronymic, date of birth, home address, telephone number (mobile, landline), occupation, email, details of insurance provider, type of insurance, patient photos.
Furthermore, I may process data of special categories of patients ("sensitive data") such as:
• Medical history, dental history, treatment planned, treatment performed, x-rays, 3D x-rays (CBCT), patient casts, AMKA.
The purposes of processing the above patient data are the following:
• The processing of dental work.
• Keeping electronic prescriptions.
• Informing the patient's insurance company.
• The payment of dental work by the patient and issuance of a receipt or invoice for this purpose.
• Maintaining and Archiving the patient's file.
I process the above data with the express consent of the subject, the patient (Article 6 para. 1 GDPR); if the patient is a minor over 16 years old, on the basis of Article 8 para. 1 a GDPR; and if the patient is a minor under the age of 16, on the basis of Article 8 para. 1 b GDPR. The processing may also be based on compliance with my legal obligation as a controller (Article 6 para. 1 c GDPR), since as an orthodontist I am obliged to offer my services to my patients. The processing of special categories of data (sensitive data) is carried out under Article 9 para. 2 a GDPR for adult patients and under Article 9 para. 2 c GDPR where it concerns the protection of the vital interests of the data subject and the data subject is physically or legally unable to consent. Moreover, with regard to the processing of "sensitive data" (special categories), the lawfulness of the processing can also be established on the basis that it is necessary for the purposes of medical diagnosis, the provision of health or social care or treatment, or the management of health and social care systems and services pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in Article 9 para. 3 GDPR (Article 9 para. 2 GDPR).
B. As a Data Controller, I may process personal data of the suppliers of my practice including the cooperating dental technicians such as:
• The supplier's full name, patronymic, full address, telephone number (mobile, landline), VAT number, DOU (tax office), e-mail address, etc.
The purpose of processing the above personal data of the clinic's suppliers is:
• The purchase and supply of logistical infrastructure, consumable products, but also any necessary medical and non-medical product to carry out the work of my practice.
• The accounting arrangement of suppliers' files.
• The payment and repayment of the price of the above products that I procure to serve the needs of the clinic.
• Maintaining and archiving the supplier file.
I process the above personal data of the suppliers with their express consent (Article 6 para. 1 a GDPR), on the legal basis of the performance of a contract (Article 6 para. 1 b GDPR), or on the legal basis of compliance with a legal obligation of the data controller (Article 6 para. 1 c GDPR).
C. As a controller, I may process personal data of collaborating doctors and dentists such as:
• Doctor's name, address, phone number, email.
The purpose of processing the above personal data of the cooperating doctors and dentists is our cooperation in the overall treatment of patients' dental cases, which is not possible without the services of other medical and dental specialties.
I process the above personal data of the collaborating doctors and dentists on the legal basis of their express consent (Article 6 para. 1 a GDPR) or the performance of a contract (Article 6 para. 1 b GDPR).
7. Recipients of personal data

A. Recipients of the personal data of patients (clients) may be:
• Collaborating doctors (usually maxillofacial surgeons, etc.) – dentists for the overall treatment of certain cases that require a combination of medical and dental specialties.
• Dental technicians collaborating with the clinic.
B. To process the personal data of the suppliers, the clinic, on a case-by-case basis, may communicate personal data to recipients, such as:
• The external partner of the practice, the accountant.
• The competent D.O.Y. (tax office).
• Possibly some other public service as prescribed by law.
C. For the processing of the personal data of the cooperating doctors and dentists, the practice, on a case-by-case basis, may communicate personal data to recipients, such as:
• Collaborating doctors or dentists to find the best solution regarding the patient's medical problem.
D. For the processing of the personal data of dental technicians, the practice, on a case-by-case basis, may communicate personal data to recipients, such as:
• The external partner of the practice, the accountant.
• The competent D.O.Y. (tax office).
• Possibly another competent public agency as prescribed by law.
8. Period of storage and deletion of personal data

The data must be kept for a specific period of time, determined by the intended purpose of each processing operation. The time after which the personal data of natural persons is deleted varies according to the legislative regime that applies to each category of data in the file (health, tax, financial, labor etc.).
The practice stores and processes data for predetermined periods of time. The data is then deleted either through an automated deletion process or through destruction.
The practice deletes or destroys personal data as follows:
• Patients: 10 years from the patient's last visit (article 14 par. 4 of Law 3418/2005, Code of Medical Ethics).
• Suppliers:
The suppliers' personal data is kept for 5 years from each transaction with the practice. In any case, the period of time corresponds to the limitation period of each claim. Data is kept beyond that period only in the event of a legal dispute, and then until the contested case becomes final.
Since the above data may also constitute tax data (accounting records, tax electronic mechanisms, tax memories and records created by tax mechanisms), it is kept a) for at least 5 years from the end of the tax year in which the obligation to submit a declaration exists, or b) until the right of the tax administration to issue a tax assessment expires, or c) until the claim of the tax administration becomes final following a tax audit or until the claim is fully settled through payment (POL. 1026/12-2-2018, article 13 par. 2 of Law 4174/2013 (KFD), article 7 of Law 4308/2014 (ELP)).
• Cooperating doctors: 5 years from the end of cooperation with the practice.
II. THE PERSONAL DATA PROTECTION POLICY APPLIED BY THE DENTAL OFFICE

1. Security of personal data

The practice applies appropriate technical and organizational measures aimed at the secure processing of personal data and the prevention of accidental loss or destruction and of unauthorized and/or unlawful access, use, modification or disclosure. To ensure a level of security appropriate to the risks and to select appropriate technical and organizational measures, the practice takes into account the state of the art and other developments, the cost of implementation, the nature, context and purposes of the processing, and, on the one hand, the likelihood and risk of incidents of accidental loss or destruction and of unauthorized and/or unlawful access, use, modification or disclosure of personal data, and, on the other hand, the severity of the consequences for the rights and freedoms of natural persons.
To deal with possible cases of data breach, the practice has adopted and implements a policy for dealing with and managing personal data breaches.
In the event of a personal data breach, the practice shall notify the Personal Data Protection Authority of the breach without undue delay and, where possible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of customers. In addition, in the event of a data breach, the practice immediately informs the Data Protection Officer, who, in consultation with the practice, takes every necessary measure and action to contain the breach, prevent it from spreading and remedy it. The Data Protection Officer records the data breaches that occur, assesses their causes and documents each breach, stating the facts related to it, its consequences and the remedial measures taken.
When the breach of personal data may put the rights and freedoms of the subjects at high risk, the practice immediately informs them of the breach of personal data, as specifically defined in the GDPR.
The clinic does not transmit the personal data it processes to third parties outside the European Union and/or international organizations.
The practice undertakes to maintain the confidentiality of your data and to use them exclusively in accordance with the requirements of the GDPR General Regulation 679/2016 and Law 4624/2019. Every member of staff working for the practice undertakes the same obligations of confidentiality.
The clinic undertakes not to transmit your data to any third party without your free and express consent and without informing you in advance. Exceptional cases, e.g. life-threatening situations, constitute an exception to the above obligation to inform you. The same applies in cases where the transfer is mandatory under current Greek legislation. In any case, the clinic will transmit your data only in compliance with current legislation, its data protection policy and the requirements of the APDPH.
2. Legislative and regulatory framework
The practice applies this Policy as part of its compliance with the provisions of the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR"), Directive (EU) 2016/680 as incorporated into Greek legislation through Law 4624/2019, Law 3471/2006, Law 2472/1997 to the extent still applicable, and the current regulatory framework, including decisions issued by the Personal Data Protection Authority (PDPA), circulars, opinions and acts in general.
3. Definitions
For the purposes of this document, the following terms shall be understood as follows:
Personal Data: Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Processing: Any operation or series of operations carried out with or without the use of automated means on personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, deletion or destruction.
Pseudonymization: The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that said additional information is kept separately and is subject to technical and organizational measures ensuring that it cannot be attributed to an identified or identifiable natural person.
Filing system: any structured set of personal data that is accessible according to specific criteria, whether that set is centralized or decentralized or distributed on a functional or geographical basis.
Controller: The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by Union law or Member State law, the controller or the specific criteria for its nomination may be provided for by Union law or Member State law.
Processor: The natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller.
Recipient: The natural or legal person, public authority, agency or other body to which the personal data is disclosed, whether a third party or not. However, public authorities that may receive personal data in the context of a specific investigation in accordance with Union or Member State law are not regarded as recipients; the processing of such data by those public authorities is carried out in accordance with the applicable data protection rules according to the purposes of the processing.
Consent of the data subject: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Special categories of personal data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
Encryption: The technical transformation of data into a form that cannot be read without knowledge of a "key", i.e. the correct sequence of bits, which is used in conjunction with a suitable hash function algorithm.
Personal Data Breach: A breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
4. Personal data processing principles
The Personal Data Protection Policy, and the processing of personal data that the practice carries out under it, is based on the following principles:
• Principle of lawfulness, fairness and transparency. According to this principle, data should be processed lawfully and fairly and in a transparent manner in relation to the data subject. Transparency requires that information provided to the subject be concise, easily accessible, comprehensible, and expressed in clear and simple wording.
• The principle of purpose limitation, according to which data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
• The principle of proportionality ("data minimization"), according to which the data should be adequate, relevant and limited to what is necessary for the intended purposes of processing.
• The principle of data accuracy, according to which data should be accurate and kept up to date, and appropriate measures should be taken to correct or delete without delay data that is inaccurate in relation to the intended purposes of processing.
• The principle of "integrity and confidentiality", according to which data must be processed in a way that guarantees their security and protection against illegal processing, loss, destruction or damage.
• The principle of storage limitation (limiting the duration of processing), according to which the data must be kept in a form that permits identification of the data subjects for no longer than is necessary to achieve the purposes of the processing.
• The principle of controller accountability, according to which the controller bears responsibility and should be able to demonstrate compliance with the Regulation before supervisory authorities and courts.
5. Rights of the subjects of personal data

• Right to information
You have the right to be informed about the processing of your personal data. Accordingly, the Processor must provide you with all the information referred to in Articles 13, 14, 15 to 22 and 34 GDPR.
• Access right:
You have the right to be aware of and verify the lawfulness of the processing. Therefore, you have the right to access the data and receive additional information about its processing.
• Right to rectification:
You have the right to study, correct, update or modify your personal data by contacting the Data Controller at the above contact details.
• Right to erasure:
You have the right to request the erasure of your personal data when we process it based on your consent or in order to protect our legitimate interests. In all other cases (such as indicatively when there is a contract, an obligation to process personal data imposed by law, public interest), the right in question is subject to specific limitations or does not exist as the case may be.
• Right to restrict processing:
You have the right to request restriction of the processing of your personal data in the following cases: (a) when the accuracy of the personal data is disputed, until its accuracy is verified; (b) when you object to the deletion of the personal data and request restriction of its use instead of deletion; (c) when the personal data is no longer needed for the purposes of processing but is nevertheless necessary for the establishment, exercise or defence of legal claims; and (d) when you object to the processing, until it is verified whether there are legitimate grounds on our side that override the grounds for your objection.
• Right to object to processing:
You have the right to object at any time to the processing of your personal data in cases where, as described above, it is necessary for the purposes of legitimate interests pursued by the controller, as well as to processing for the purposes of direct marketing and consumer profiling.
• Right to portability:
You have the right to receive your personal data free of charge in a format that allows you to access, use and process it with commonly used processing methods. You also have the right to ask us, where technically feasible, to transfer the data directly to another data controller. This right applies to the data you have provided to us whose processing is carried out by automated means on the basis of your consent or for the performance of a relevant contract.
To exercise any of the above rights, you can contact the email ……………………………………………………………………………………………………… ……………………………………………
• Right of complaint to APDPH
You have the right to submit a complaint to the Personal Data Protection Authority (www.dpa.gr): Telephone Center: +30 210 6475600, Fax: +30 210 6475628, Email: [email protected].
6. Special categories of personal data

The practice may collect and process data belonging to special categories of personal data ("sensitive data"), such as health-related data, in order to meet its legal obligations. Where said processing requires consent, the practice has taken care to obtain the subject's freely given consent. Where the processing concerns a minor, the clinic has taken care to obtain the consent of his or her guardian or guardians.
7. Data of minors

In many cases, the clinic processes personal data of minor patients. This processing is necessary for carrying out the work of the clinic, obtaining the benefits legally due from insurance organizations, lawfully prescribing the required preparations and medicines for each patient, etc.
8. Internet technologies

The clinic may collect only the information necessary to fulfil the processing purposes and to handle general traffic on its website, such as the visitor's internet protocol address (IP address) and browser type, as well as cookies, invisible pixels and web beacons used to obtain information about visitors' browsing. Further relevant information is set out in the company's Cookies Policy.
The clinic does not currently use cookies, but may use them in the future. For any processing of data through the use of cookies, it will inform you in due time with updated policies.
9. Disclaimer for Third Party Sites

The clinic's website may now or in the future provide links that redirect the user to third-party websites. The practice does not control such third-party websites and is not responsible for the content posted on them or for further links appearing on them. The practice is not responsible for the privacy practices of third parties or the content of third-party websites.
10. Data transmission / access

The practice may transmit data to third parties (legal or natural persons) and/or allow them access to it where they act as processors and/or sub-processors in order to support its operation (e.g. specialized technical assistance and PC support, etc.) and to serve its purposes.
The practice may also transmit the above data to third parties and/or allow third-party access to it where this is provided for by existing legislation, in accordance with the safeguards it provides. In these cases, the practice must adequately inform the data subjects before proceeding with said transmission, at least to the extent of the minimum information required by law, i.e. the identity of the data controller, the purpose of data collection, the identity of the recipient and the rights of the subject.
The practice does not transmit data outside the European Union (EU) or the European Economic Area (EEA).
11. Data Protection Officer (DPO)

The practice is obliged to appoint a Data Protection Officer (hereinafter DPO) because it processes sensitive personal data of its patients. For this purpose, it has appointed the experienced dentist KOUTSOUKOS PETROS as Data Protection Officer (DPO).
Communication for personal data issues will be done directly with the clinic, using the contact information listed at the beginning of this document.
The practice has also assigned to an external partner, a legal advisor, the task of assisting with compliance and providing instructions on the implementation of the Regulation. The practice has ensured that this partner has proven experience and knowledge in matters of personal data protection, in particular with regard to the applicable law, organizational and technical issues, and good practices for the protection of such data.
12. Data Protection Impact Assessment (DPIA)

When a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the practice carries out, before the processing, an assessment of the impact of the planned processing operations on the protection of personal data ("impact assessment"). An impact assessment is a process designed to describe the processing, assess its necessity and proportionality, and assist in managing risk by evaluating it and defining countermeasures. It is not required for every form of processing, but only where a form of processing is considered high risk.
The practice may decide to carry out an impact assessment for a given treatment. It is not obliged to draw up a separate impact assessment for each form of processing, but may address in a single impact assessment a set of similar processing operations that present similar high risks.
13. Technical and organizational data protection measures
A. The data of natural persons being processed is protected within the premises of the practice. To this end, all security measures prescribed under the GDPR and related laws have been taken. Provision has also been made for natural disasters such as fire: in the event of a fire, the workplace is protected with the corresponding fire-fighting means, such as fire extinguishers. The dentist KOUTSOUKOS PETROS has been designated as safety technician. A physical break-in by malicious intruders (thieves, etc.) is considered extremely difficult, since in order to enter the clinic they would have to breach two front security doors and the alarm system.
B. The clinic's digital file is adequately protected from cyber-attacks with antivirus software, intrusion detection systems, etc. Furthermore, the internal communication systems are protected from the internet by a firewall. Data is also encrypted with a strong security key for further protection. This system is protected by security codes and authorizations.
Each computer user in the enterprise has their own User-ID (a permanent identifier for an individual user) with authentication credentials (login code); logins are recorded with date and time so that the administrator can trace activity at any time.
The clinic reserves the right to modify the security measures taken at its discretion, with the aim of always ensuring the maximum possible security in data processing.
14. Contact for questions or comments
If you have questions or comments about this Privacy, Security and Personal Data Protection Policy, or if you believe that we have not followed the principles set out in it, please email us at [email protected] and [email protected].
15. Update of the Privacy Policy, Protection and Security of personal data
The practice may modify this Privacy, Protection and Security of Personal Data Policy from time to time in order to comply with regulatory changes or to respond to the needs of its operation and its legal obligations. Updated versions of this Personal Data Protection Policy will be posted on the practice's website, www.aestheticdentist.gr, with a date indication, so that the most recently updated version is clearly identifiable.
16. Other policies on file with the dental practice
In addition to this policy, the file (digital and paper) of the dental office contains other necessary policies and documents required by law, which will be brought to the attention of the Authorities if deemed necessary.
17. Applicability of Security and Privacy Policy
This Policy, having been announced on the official website of the clinic www, constitutes, without further notice, the information (Articles 12, 13 and 15 to 22 GDPR), in accordance with the principle of transparency (Article 5 par. 1 a GDPR), of all natural persons whose personal data is processed, as described above, by my practice.
This policy was announced on 5-10-2021 and is subject to periodic improvement and revision.