A. EVANGELOU BIODIAGNOSTICS LTD
A. EVANGELOU CLINICAL LABORATORY
Personal Data Protection Policy

TABLE OF CONTENTS
–Introduction
– Terms
– General Principles of Personal Data Processing
– Aim
– Personal Data Protection Policy
– Rights

1.  INTRODUCTION
The security and confidentiality of information and data are highly prioritised at “A. EVANGELOU BIODIAGNOSTICS LTD”- A. EVANGEOU CLINICAL LABORATORY (hereinafter “Company”).
To achieve the above, the Company executes all modern and appropriate regulations for the purposes of processing technical and organisational measures, the compliance of which is monitored at regular intervals. The PERSONAL DATA PROTECTION POLICY provides information regarding the personal data collected and processed by the Company during its professional activity in both printed and electronic form.
The present Policy describes the type of personal data or personal information which the Company collects, the way in which the data and information are used, the way in which the information collected is processed and protected, period of data storage, to whom the Company shares the information, to whom it transmits them and the rights that data subjects can exercise with regards to the use of personal data. 

Personal Data Processor
Personal Data Processor is the Company, namely "A. EVANGELOU BIODIAGNOSTICS LTD" - A. EVANGELOU CLINICAL LABORAOTRY based in Larnaca, 20-22 Giannou Kranidioti Avenue, Megaro Orfanidis 1st & 5th floor. Contact telephone 00357 24818183.

2.  TERMS

PERSONAL DATA:  Any information related to an identified or identifiable person (DATA SUBJECT), i.e., the person whose identity can be directly or indirectly verified. The crucial element is the connection of the information with the person and not the quality of the information, as e.g., the name, the ID number, the National Insurance Number etc.
SPECIAL CATEGORY OF PERSONAL DATA (or sensitive personal data):
Any information which reveals the racial or ethnic origin, political views, religious or philosophical beliefs, membership in a trade union, genetic data, biometric data, health data, data on sexual life or sexual orientation.
DATA REGARDING HEALTH:  Personal data associated with previous, current or future physical or mental heath of an individual, are including the provision of health care services and from which information about his health is obtained.
PROCESSING:  The collection, registration, organisation, structure, storage, adaptation, alteration, search retrieval, use, transmission, dissemination, deletion or destruction.
PROCESSING OFFICER (P.O.):   Any natural or legal personal in the public or private sector, the personnel that keeps and processes personal data. The P.O. determines the purpose and method of processing.
EXECUTIVE OF PROCESSING (E.U.):  Any natural or legal personal in the public or private sector, the personnel that processes personal data on behalf of the Processing Officer.
ADDRESSER:  The natural or legal person, public authority or other person to which the data is disclosed.
SUPERVISORY AUTHORITY:  An independent public authority set up by the Member State. In Cyprus is the PRINCIPLE OF PERSONAL DATA PROTECTION.
CONSENT:  Collected from the personal data subject. Any indication of will, free, specific, explicit, and fully informed by which the data subject agrees with the statement or with a clear positive action to process the personal data that are related to the data subject.
VIOLATION OF PERSONAL DATA:   The breach of security resulting in destruction, loss, alteration and unauthorized disclosure and access to data.
HEALTH DATA:   Data on a person’s physical or mental health that reveals information about the person.

3.     GENERAL PRINCIPLES OF PERSONAL DATA PROCESSING
According to the Regulation, every company must:
-    Collect the personal data in a lawful manner,
-    Keep only the required data, for explicit and specified purposes,
-    Keep the data safe,
-    Keep the data only for the period of time required for the completion of purposes of the collection and processing,
-    Inform the data subjects about the compliance which will take place accurately and up to date,
-    Take appropriate organisation and technical measures for the security of the data and their protection from any potential accidental or unlawful destruction, loss, deterioration, or access; and,
-    Be able at any time to prove all the above.

4.    AIM
The purpose of this Policy is to provide information and guidance to suppliers, costumes, patients and associates of the Company regarding the maintenance of the personal data, i.e., what personal information the Company retains, for how long and for what purpose.
Regarding the employees of the Company (candidates, supervisors and previous employees) the Privacy Policy of Employee Personal Data of the Company is applied.  

5.    PERSONAL DATA PROTECTION POLICY
A)    Legal Basis of Processing
-    The consent of the data subject.
-    The Company’s compliance with its obligations under law (such as the Code of Medical Ethics).
-    The fulfilment of the contractual obligations of the Company.
-    Ensuring the smooth operation of the Company in the context of its activities.
-    The satisfaction of information and communication of the data subjects.
-    Securing the Company’s staff, facilities and equipment.
-    The fulfilment of the Company’s contractual obligations towards third parties, such as product manufacturers.
-    The protection of the data subject.

B)    Type of personal data and method of processing
The Company, on a case-by-case basis is expected to keep the following personal data:

Visitors of the Company’s website

• Browser details and internet protocol (IP) address of the visitor’s device while browsing the Company’s website. Regarding the use of the online service of our Company, http://weblis.aevangeloulab.com/, please go to this website and to the PRIVACY POLICY that has been posted by our Company.
• In case that through our website there are links that lead to websites of third parties, our Company does not control nor is responsible for the content of these websites and the processing method of your personal data.

• Name and Surname
• Company registration number
• Address
• Phone number
• Taxpayer identification number/ ID number
• Fax number
• Email address
• Contact persona and relevant contact details.

• Identity and demographic information (such as name, surname, date of birth or age, gender, ID number, home address, phone number, taxpayer identification number).
• Contact details (home address, phone number, email address).
• Information about third parties (i.e., relatives) for the collection of results (name, phone number, email address).
• Health data regarding the services provided by the Company (examination results, doctors’ referrals. Internal trafficking cards, medication, medical and family history, medical reports and medical findings, any disabilities, details of surgery). These data, the Company processes only when necessary for the conduction of a medical test, for which the data are collected from the data subject.
• Biological material and genetic data for medical tests.

It is clarified that during sample processing collected from other doctors or microbiological laboratories (Associates), the samples reach the Company fully pseudonymised i.e., in such a way that when the samples are received by the Company the can not be retuned to the specific subject without using additional information, which is kept, known and is responsible exclusively by the Associate (Doctor or microbiological laboratory), excluding the cases in which is it required by law or by the nature of the examination or the subject has given his explicit consent.

C) Purpose of Processing
-    Execution of order or contract.
-    Fulfilment of legal obligations of the Company towards the insurance company, Clinic or Public Hospital.
-    Collection from the ΟΑΥ or the insurance department or the representatives of the services.
-    Compliance of the Company with the Legislation (e.g., Code of Medical Ethics).
-    Compliance with the manufacture’s requirements.
-    Fulfilment of obligations of the Company.
-    Execution of the legal business purposes of the Company.
-    Respond to requests of Suppliers, Costumers (including the patients) and Associates of the Company.
-    Provide health services within the facilities of the Company. When providing health services within the Company’s facilities, the Company may process the data of the subjects and for the planning of the sampling visit, for the sending/ delivery of the results of the medical examinations and the identification of the data subject.
-    Information, promotion and commercial communication of the Company’s products and services.

In all cases, the personal data submitted to the Company voluntarily from the data subjects themselves or through their representatives. Cases in which these are notified to the Company by public services in order to take actions that fall under its responsibilities, are exceptions.

D) Duration of Personal Data Storage
These data will be kept by the Company only for as long as t is strictly necessary for the fulfilment of the respective collection purpose in combination with the relevant legislation and then they will be destroyed.

E) Processing Method
The company only collects the necessary personal data on a case-by-case basis. Furthermore, the processing in which the case-by-case personal data takes place on both printed and electronic means and is are registered in the Company’s system according to the current legislation- including the provisions on data security and confidentiality and in accordance with the principles of fair and lawful processing.

F) Disclosure of Personal Data
These data are processes by authorised personnel of the Company. Furthermore, these data may be disclosed and made available, on a case-by-case basis and for the purpose of processing, by legal or natural persons, with whom from time to time the Company maintains cooperation, such as Associate Physicians, Private Hospitals and Clinics, Collaborating laboratories, Pasteur Institute etc., by public services and information systems, Ministry of Health and State Statistical Services, by Banks, insurance companies, auditors involved in the Company’s compliance both external and internal regulations or where required by law.

However, in this case, the legal or natural persons will process the said data on the purpose of providing the respective services to the Company and not for their own benefit, acting as performers of the processing having committed with a Declaration of Confidentiality.  
Exceptionally, personal data may be disclosed to third parties, including the competent police and prosecuting authorities, only if there is a legal obligation to do so or by way of a court decision or court order or warrant.

G) Transmission of Personal Data
These data are not to be transmitted to a Third country or international organisation. In case of transmission of data outside the European Economy Area, the Company needs to undertake the necessary measures in ordered the transmitted data to third parties are the minimum necessary and that the conditions for legal and fair processing are always met.

H) Data Evaluation
When one processing may pose a high risk towards the rights and freedom of natural persons, the Company will assess the possible implications for the processing of personal data to assist in risk management and assist in dealing with the issue.

6. RIGHTS
Every personal data subject has in principle the right to know and have access to his personal data held by the Company, according to this Policy, to check the accuracy of the personal data provided to the Company as well as inform and update his personal data.
The personal data subject, any time, can come in contact with the Company, namely the Data Protection Officer (Contact phone number: 00357-24818186 & email: christinalys@live.com) and exercise his rights such as access to his personal data ( in order to find out which data and for what reason are processed by the Company, as well as their recipients), the verification of the content of his data, their origin, accuracy, obtaining a copy of the data kept by the Company, to apply for completion, information, alteration of data, in the cases provided by law to request for restriction of data processing, to request deletion of the data etc. These rights are in principle exercised free of charge for the subject.
In addition, if the personal data subject has consented to a Declaration of Consent, he may at any time withdraw his consent by simply declaring revocation of consent ( email: christinalys@live.com, contact phone number: 00357-24818186 & address: 20-22 Giannou Kranidioti Avenue, Orphanides Palace), without, however affecting the legality of the processing based on the consent of the subject prior to the revocation or compliance with the statutory obligations of the Company.

The current policy can be reviewed when here is a significant change or in the context of upgrading our services. This review will be available on our website.