Privacy Policy

ELDRED’S PRIVACY POLICY AND NOTICE CONCERNING THE USE OF CAMERAS

In force as of 25 January 2023

Eldred’s Privacy Policy sets out the terms and conditions of the processing of personal data which are followed by all Service Providers belonging to Eldred and other Service Providers providing Services to Customers on behalf of Eldred.

Depending on the Service selected by the Customer, Eldred may determine specific terms and conditions for the processing of personal data.

Eldred has the right to unilaterally supplement and/or amend this Privacy Policy from time to time. In this case, Eldred notifies Customers of the implemented changes.

The terms used in this Policy have the following meanings:

Eldred Companies include Eldred Tervisekliinik 24 and all other persons acting under Eldred’s trademark and on behalf of Eldred.

Remote Service – A telemedicine service used online (webchat or video call) or by phone for the provision of Services.

Customer – A person to whom Eldred provides Services or who has expressed their wish to be provided Services by Eldred.

Advice Line – An advisory service provided via the phone number + 372 6 778 448

Privacy Policy – This Privacy Policy which regulates the processing of Customers’ personal data by Eldred.

Service – Healthcare Services or Health Services provided by Eldred to Customers irrespective of whether they are provided during a visit or as a Remote Service.

Health Service – A Service provided to the Customer that is not a Healthcare Service.

Healthcare Service – A Service provided by a registered healthcare professional and a person holding an activity license for the provision of the relevant Service, if the existence of such a registration or activity license is required for the provision of the relevant Service, following the rules of medical science. A Healthcare Service is the activity of a Healthcare Service Provider for the prevention, diagnosis and treatment of an illness with the aim of maintaining Customers’ good health and raising their quality of life (including medical examinations, analyses and the provision of medical certificates, etc.). The Healthcare Services provided by Eldred are listed on Eldred’s website: https://www.eldred.ee/ and the list may change over time.

Health Service Provider – A company belonging to Eldred, an employee or another representative of Eldred or a legal or natural person who is a cooperation partner of Eldred and who is not a Healthcare Service Provider (including the services of physiotherapists, speech therapists and psychologists).

Healthcare Service Provider – A company belonging to Eldred, an employee or another representative of Eldred or a legal or natural person who is a cooperation partner of Eldred and who has the right to provide Healthcare Services. 

Standard Terms and Conditions – Eldred’s Standard Terms and Conditions for Service provision.

Appointment – A meeting between Eldred’s representative and a Customer on Eldred’s premises or via a Remote Service for the purpose of providing Services.

GDPR – General Data Protection Regulation (EU) 2016/679.

 

1. ROLE OF ELDRED IN THE PROCESSING OF PERSONAL DATA

1.1. Eldred can be regarded as the controller of Customers’ personal data within the meaning of the GDPR. As the Service Provider, Eldred determines which personal data must be collected from the Customer in order to provide high-quality Services and, inter alia, determines the objectives and tools of the collection and processing of personal data.

1.2. In certain cases, Eldred may include other controllers in the processing of Customers’ personal data who may be regarded as independent controllers or processors authorised by Eldred. A more detailed overview of such third parties is provided in clause 5 of the Privacy Policy.

2. PERSONAL DATA COLLECTED

Eldred processes the following personal data of the Customer:

  • Identification data:

Given name and surname, personal identification code, residency, document number (ID card, passport, driver’s licence).

  • Contact details:

Telephone number, address, e-mail address.

  • Health insurance information:

Information concerning the existence of health insurance, referrals and general medical history.

  • Data concerning health.

Data on the Customer’s state of health, including information regarding the doctor the Customer has visited or wants to visit, the Services provided to the Customer and the data collected from them in the course of the provision of such Services, medicines taken by the Customer, X-ray images and/or other clinical images made for the provision of Services. If the provision of the Healthcare Service requires a referral letter, information on the referral letter.

In addition, the instructions and guidelines given to the Customer by Eldred. 

The composition and scope of health data which Eldred processes in a specific case depends largely on the Service selected by the Customer.

  • Payment information

Information on payment for the Service, including data of the person paying for the Service.

  • Complaints and suggestions

Data related to the complaints or suggestions submitted by the Customer or their parent or guardian, including the booking number and the Service in connection with which the suggestion or complaint has been submitted or the name of the employee in connection with whose activities the complaint has been filed.

  • Recording of Remote Service

Recording of the Customer contacting Eldred (recording of the call and video, messages in chat) via a Remote Service platform, including platforms provided by third parties where Eldred provides Services.

  • Call recording – The Customer’s call to Eldred, which may include data identifying the caller, such as their name and personal identification code, information required for providing Healthcare Services, including data concerning health, the caller’s contact details and other information provided by the Customer during the call.

  • Video recording – The Customer’s image, appearance and behavior in the field of vision of cameras at a specific time.
  • Other general data

Customer’s language of communication.

Eldred processes personal data received directly from the Customer and from third party sources. Such third party sources include the Customer’s legal representative, the Health Insurance Fund, the Patient Portal information system, the prescription center, the image bank or any other health-related IT environment.

3. PURPOSES OF AND LEGAL BASIS FOR PROCESSING PERSONAL DATA

3.1. Eldred processes the Customer’s personal data only pursuant to applicable law and for the stated purposes.

Data sets, purpose and legal basis:

Identification data: To book and provide Services to the Customer.

1. If the Customer contacts Eldred in order to be provided Healthcare Services, Eldred processes personal data in accordance with sections 41 (1), 41 (11) and 41 (12) of the Health Services Organization Act and Eldred’s Standard Terms and Conditions for Services.

2. If the Customer turns to Eldred in order to be provided Healthcare Services upon the referral of their employer, another person in relation to occupational health or to obtain a necessary medical certificate, Eldred processes data for the performance of the contract entered into between Eldred and the Customer’s employer and in accordance with sections 41 (1), 41 (11) and 41 (12) of the Health Services Organization Act and Eldred’s Standard Terms and Conditions for Services.

In this case:

Contact details are needed to book and provide Services to the Customer, to contact the Customer, including transmission of additional guidelines and instructions related to the Service before and after providing the Service.

For example, Eldred may send a reminder about their appointment to the Customer.

Data concerning health is needed to plan the provision of Services, including to prevent, diagnose and treat illnesses, injuries or poisoning in order to alleviate a person’s complaints, prevent deterioration of their health or aggravation of the disease and restore their health, and to document Services.

3. If the Customer turns to Eldred in order to be provided Services other than Healthcare Services (e.g. nutrition consultancy, physiotherapy), we process the Customer’s personal data on the basis of their consent.

Payment information: To settle the expenses of Services.

Contact details: To send newsletters and other content that may be of interest to the Customer. With Customer’s explicit consent.

Complaints: To ensure the quality of Services. Legal obligation.

Recording of Remote Service: To check the quality of Healthcare Services.

Call recording: To check the quality of Healthcare Services.

Video recording: To ensure the safety of property, including equipment and other property belonging to Eldred and property of the Customer. To identify offences and violations committed on the premises.

On the basis of Eldred’s legitimate interest. A large number of Customers visit Eldred’s business premises every day. Cameras help to ensure the safety of the property of Eldred and its Customers if Customers’ property is left unattended in the customer area on Eldred’s premises.

Other general data: To provide high-quality Services, among other things, to use the Net Promoter Score. On the basis of Eldred’s legitimate interest. The legitimate interest refers to ensuring the best possible quality of Services for Customers.

4. STORAGE OF PERSONAL DATA

4.1. Eldred does not store personal data longer than is necessary for the purposes of processing personal data or pursuant to applicable law.

4.2. Pursuant to the Health Services Organisation Act and the regulation of the Minister of Social Affairs “The conditions and procedure for documenting the provided health care services, and for the preservation of those documents” Eldred stores:

4.2.1. data proving provision of outpatient and inpatient medical care as a rule for 30 years starting from the date of confirming the data of the Healthcare Service provided to the Customer;

4.2.2. when ordering medical examinations, we store the results together with the Customer’s health card and the corresponding tissue samples for at least 7 years;

4.2.3. the information system logs of Eldred as a Healthcare Service Provider are stored for five years;

4.2.4. feedback collected in order to assess Customer satisfaction is stored for five years from the moment of receiving the feedback.

4.3. As a Healthcare Service Provider, Eldred stores health check records and medical examination results for 7 years starting from the moment the decision concerning the health check is made.

4.4. Pursuant to the Accounting Act, we store accounting documents for seven years.

4.5. As a general rule, Eldred stores the data collected for entry into a contract with the Customer, the longer retention period of which has not been prescribed by applicable law, as long as they are required for the purposes of the contract during the term of the contract or up to five years after expiry of the contract.

5. TRANSMISSION OF PERSONAL DATA

5.1. Eldred does not transmit Customers’ personal data to third parties unless Eldred has a right to do that pursuant to the law or the transmission of personal data to third parties is required for the provision of high-quality Services.

5.2. For the purposes of convenient and high-quality Service provision, Eldred has engaged various cooperation partners who have the right to process Customers’ personal data to a limited extent on the basis of Eldred’s authorization. Such cooperation partners are, above all, various cooperation partners providing healthcare services (e.g. providers of general or specialist medical services whom Eldred engages in the provision of Services to Customers), IT partners (various providers of server services, IT support services, communications services and other IT services), marketing partners, providers of security services, cooperation partners whom Eldred engages in the assessment of health indicators, providers of payment services and other service providers or cooperation partners.

5.3. For the provision of Remote Services, Eldred may also use third party cooperation partners who provide an online platform required for the provision of telemedicine services. Such a telemedicine platform may be branded as an Eldred platform or a third party platform. Despite the fact that the platform may be branded as a third party platform, Eldred remains the controller of the Customer’s personal data. 

5.4. In addition, the Eldred company providing the Service may transmit the Customer’s personal data to other companies belonging to the Eldred Companies if it is required for providing Services to the Customer.

5.5. When providing Services to Customers, Eldred transmits health information and other data collected when providing Services (including health-related data generated at an appointment with a clinical psychologist, physiotherapist, chiropractor or speech therapist) to the e-health Patient Portal information system located at https://digilugu.ee/ under the current law, the data controller of which is the Health and Welfare Information Systems Centre (registry code 70009770, address Pärnu mnt 132, 11317 Tallinn). For questions related to the Patient Portal, Customers can contact the customer service of the Health and Welfare Information Systems Centre at +372 794 3943 or by e-mail at abi@tehik.ee.

5.6. In order to provide Customers with Services, Eldred may, as appropriate, under the current law, transmit and/or receive Customers’ health data through a prescription center, the controller of which is the Health and Welfare Information Systems Centre (registry code 70009770, address Pärnu mnt 132, 11317 Tallinn), if it is necessary for providing Customers with Services.

For questions related to the prescription center, you can contact the user support of the Health and Welfare Information Systems Centre by calling +372 794 3943 or e-mailing abi@tehik.ee.

5.7. In order to provide Customers with Services, Eldred may, as appropriate, under the current law, transmit and/or receive Customers’ health data through an image bank, the controller of which is the Image Bank Foundation (registry code 90007945, address Puusepa 8, 51014 Tartu, Estonia), if it is necessary for providing Customers with Services. For questions related to the image bank, you can contact the customer service of the Health and Welfare Information Systems Centre at +372 5331 8888 or by e-mail at abi@pildipank.ee.

5.8. When providing Services related to the issue of a motor vehicle driver’s medical certificate to Customers, we may transmit their health data (medical certificate) to the Transport Administration digital environment, the controller of which is the Transport Administration (registry code 70001490, address Teelise 4, 10916 Tallinn). For questions related to data processing by the Transport Administration, please contact the Transport Administration at +372 620 1200 or by e-mail at info@mnt.ee.

5.9. We may transmit Customers’ medical data to the Estonian Health Insurance Fund (registry code 74000091, address Lastekodu 48, 10144, Tallinn) when providing them with Services, the treatment invoice of which shall be paid wholly or partly by the Estonian Health Insurance Fund from the health care funds. For questions related to the Health Insurance Fund, you can contact the Estonian Health Insurance Fund at +372 669 6630 or by e-mail at info@haigekassa.ee.

5.10. Pursuant to current law, Eldred may be obliged to disclose personal data to courts or law enforcement authorities on the basis of a regulation issued by the respective body in accordance with current legislation, or when transmitting of personal data is mandatory on the basis of the Insurance Activities Act in relation to an enquiry submitted by the insurer. In all such cases, Eldred transmits personal data only if it is mandatory pursuant to current legislation and following all principles applicable to the processing of personal data, including the principle of minimalism.

6. SECURITY OF PERSONAL DATA

6.1. Eldred has taken necessary organizational, physical and IT-related security measures to protect Customers’ personal data from any misuse, unauthorized access, disclosure, modification or destruction, even if the data is transmitted to a foreign country. If Customers wish to obtain a copy of the security measures taken with regard to the transmission of personal data to foreign countries, they must submit a relevant request to Eldred.

6.2. Only authorized persons have access to Customers’ personal data. Persons with access to personal data are obligated to comply with the confidentiality obligation.

7. NOTICE CONCERNING THE USE OF CAMERAS

7.1. General. Eldred has installed video cameras that allow for video recording on its business premises. When installing the cameras, Eldred has strictly adhered to the purpose of their installation and prevented the undue infringement of the rights of the persons in the field of view of cameras. An image of the Customer may be recorded by cameras when they visit Eldred. Eldred confirms that none of the cameras are installed in such a manner that their field of vision includes an area where Customers have a heightened expectation of privacy (toilets, doctor’s offices). Areas within the field of vision of cameras are marked using relevant stickers.

7.2. Area of use. Cameras are installed in such a manner that their field of vision includes:

7.2.1. the reception desk and the customer waiting areas on Eldred’s premises;

7.3. Objectives. Eldred has installed cameras for the following purposes:

7.3.1. to ensure the safety of property, including equipment and other property belonging to Eldred and property of the Customer;

7.3.2. to identify offences and violations committed on the premises in order to investigate cases where Eldred, Customers or their property have suffered damage.

7.4. Eldred uses the information collected by means of camera recordings only for purposes explicitly stated in this Privacy Policy. 

7.5. Personal data collected. Using cameras installed on its premises, Eldred collects and processes only the image of persons within the field of vision of cameras, recording their appearance and behavior. Eldred confirms that none of the cameras installed on its business premises records sounds.

7.6. Legal basis. Eldred processes the personal data collected by means of cameras on the basis of its legitimate interest (Article 6 (1)(f) of the GDPR).

7.7. Nature of cameras. Eldred uses cameras that are installed permanently and with the possibility of magnification. The cameras allow for monitoring in real time or at a later time. As has been mentioned above, the cameras do not record sounds. Eldred carries out monitoring by means of cameras 24/7.

7.8. Storage of recordings. Eldred stores and processes video recordings for one (1) month with the purpose of clarifying and proving circumstances for which video recordings are made (e.g. to provide proof concerning a security incident that occurred within the field of vision of a camera to the body that initiated proceedings). The video recordings will be automatically deleted after the expiry of the term. On reasonable grounds (e.g. upon the occurrence of a security incident or in the investigation of a work-related accident), Eldred has the right to store video recordings longer than a month, i.e. until such grounds cease to exist.

7.9. Access to recordings. Eldred stores the recordings of video cameras in a non-personal form on a server disk with limited access which can be accessed only by certain employees (above all by the administrative specialist). These persons may provide other employees of Eldred with access to such video recordings to the extent required for fulfilling the objectives stated in this notice. 

7.10. Secure storage of recordings. Eldred has taken necessary organizational, physical and IT-related security measures to protect video recordings and the personal data processed using them from any misuse, unauthorized access, disclosure, modification or destruction. Eldred has notified all the persons authorized to view video recordings that such recordings may be viewed only for the purposes and to the extent provided for in this notice concerning the use of cameras.

7.11. Transfer of recordings. Eldred has the right to transfer recordings to the following persons:

7.11.1. public authorities to whom Eldred must provide video recordings and/or personal data collected using them according to relevant legislation;

7.11.2. legal advisors who provide legal services to Eldred in connection with violations identified using video recordings;

7.11.3. camera maintenance service providers, i.e. IT service providers to the extent necessary to identify whether the camera is functioning and to eliminate any errors;

7.11.4. the Labour Inspectorate and/or court, where necessary. 

7.12. Rights of the Customer. In connection with video recordings, the Customer has all the rights listed in clause 8 of this Privacy Policy. However, these rights are not absolute and the use of such rights may be limited in the cases stated in clause 8 of the Privacy Policy.

8. RIGHTS OF THE CUSTOMER

8.1. Upon processing personal data, the Customer has all the rights of a data subject pursuant to applicable law, including the following rights:

8.1.1. Right of access. The Customer has the right to ask whether Eldred has any of their personal data and to obtain information about the Customer’s personal data processed by Eldred at any time.

8.1.2. Right to rectification of personal data. The Customer has the right to request that Eldred specify or rectify their personal data if they are inadequate, incomplete or incorrect.

8.1.3. Right to object. The Customer has the right to submit objections to the processing of their personal data by Eldred if the use of personal data is based on the legitimate interest of Eldred.

8.1.4. Right to request erasure of personal data. The Customer has the right to request the erasure of personal data if their personal data is processed with their consent and they have withdrawn their consent.

8.1.5. Right to restriction of processing. The Customer has the right to request that Eldred restrict the processing of their personal data based on current legislation, e.g. if Eldred no longer needs the Customer’s personal data for the purposes of processing or if the Customer has objected to personal data processing.

8.1.6. Right to withdraw consent given for processing of personal data. If the processing of personal data is based on the Customer’s consent, the Customer may withdraw their consent to Eldred at any time.

8.1.7. Right to data portability. The Customer has the right to obtain personal data from Eldred which they have submitted to Eldred and which is processed on the basis of their consent or in order to perform the contract entered into with them, in writing or in a commonly used electronic format, and, if it is technically possible, to request that Eldred transmit the data to a third party service provider.

8.1.8. Right to file a complaint. The Customer has the right to file a complaint with the Data Protection Inspectorate or a court in the case of a violation of their rights.

8.2. The Customer’s rights related to the processing of personal data listed in this chapter do not include all of their rights. In certain cases, the rights of other data subjects or the legal obligations of Eldred may limit the rights of the Customer.

8.3. In order to exercise the rights associated with the processing of personal data or to submit applications, the Customer must contact Eldred (contact information is available in the ‘Contact details’ section).

CONTACT DETAILS

For questions or requests related to the processing of personal data, please contact Eldred or the Data Protection Officer of Eldred by telephone, e-mail or post.

Contact information of Eldred:

Business name: Eldred OÜ

Address: Ahtri 8, Tallinn 10151, Estonia

Telephone: +372 58 200 202

E-mail: eldred@eldred.ee