Hospital da Ordem Terceira Chiado

Privacy Policy

1. Use of «Personal Data» by the HOSPITAL DA ORDEM TERCEIRA (HOTC)

1.1 This Protection Policy is applied by HOTC in the use of this website or in any situation in which HOTC requests any individual to provide any personal data (hereinafter “Personal Data”), while ensuring that such collected Personal Data are lawfully processed.

1.2 This Personal Data Protection Policy applies to all personal information collected and stored by HOTC through paper forms, as well as the several forms in this site and respective specific areas.

1.3 The processed personal data may regard the User or any Third Party who somehow authorised its use by the User. The User is solely responsible for obtaining the consent of Third Party Data Holders, regarding the third party data he provides.

1.4 Data voluntarily provided by their Holder, and whose processing is HOTC’s contractual or legal obligation or has been unequivocally authorised by the former, are confidentially handled by HOTC, through its workers or representatives duly authorised for such purpose, and following HOTC’s specific instructions for that purpose.

1.5 HOTC shall only process your personal data whenever it is duly qualified to do so. In order for the data processing to be lawful, the GDPR demands that there be adequate lawful grounds for each specific processing action.

1.6 HOTC ensures the safeguard of the right to protection of all personal data, in accordance with the provisions in the General Data Protection Regulation (Regulation (EU) 2016/679 EP and EC, of April 27) (hereinafter GDPR), and in Portuguese Law n.º 67/98, of October 26 (Personal Data Protection Law), through the workers and representatives duly authorised for that effect.

1.7 HOTC applies adequate technical and organizational safety measures, consistent with the national and international information practices, to protect your personal information. Such measures include the organization of and access to the data on paper and in electronic format, which requires administrative, technical, physical, and organisational measures to protect the personal data from incorrect use, unauthorised access or dissemination, loss, change or destruction.

2. Collection and use of Personal Data and other personal information

HOTC collects and processes the necessary personal data to provide healthcare services integrated in the Portuguese NHS, including for hospital system and service management, auditing, and ongoing improvement.

Your data may be collected directly, particularly whenever you book a doctor’s appointment/test, whenever you attend a doctor’s appointment/perform a test, whenever you use the NHS’ Platforms, or whenever you contact us.

We may also receive your data indirectly through our service providers, who provide you services on our behalf or on behalf of our partners.

In this sense, your personal data may include personal data directly or indirectly related to your health.

COLLECTION SUBJECTS, PURPOSES AND/OR MOMENTS AND CATEGORIES OF THE PROCESSED DATA

A – USERS

Grounds (Article 6, paragraph 1, subparagraphs b), c), d) and f) of the GDPR):

  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the HOTC is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the purposes of the legitimate interests pursued by HOTC or by a third party.

Namely:

The data processing necessary to provide healthcare services to Users, as well as to communicate and manage HOTC’s relation with them, will always be grounded on the performance of the healthcare provision contract concluded with the Users, or on the taking of pre-contractual steps requested by the Users (for instance, whenever an appointment or medical act is concerned).

Furthermore, whenever such processing entails the processing of data regarding Users’ health or other special data categories (such as genetic data, or data regarding the Users’ sex life or their ethnic origin), it will be for the purposes of preventive medicine, medical diagnosis, healthcare treatments, or whenever such processing is conducted by HOTC workers who are not health professionals.

Regarding the processing of personal data performed by HOTC for the purposes of studies or clinical trials, whenever such studies or trials cannot be performed resorting to anonymised data or data under a pseudonym, the lawfulness grounding such processing shall be the consent of the data subjects, i.e. HOTC’s Users.

Regarding the processing of your data performed by HOTC to improve our services, and achieve our administrative and quality goals, the adequate lawfulness grounds is the pursuit of legitimate interests by the Data Processor. This implies that the data subjects may oppose the processing of their data for the above mentioned purposes, under the GDPR, should they submit valid reasons related to their particular situation. In such an event, the Data Processor may submit imperative and legitimate grounds justifying such processing, in which case it reserves the right to continue to process your data for such purposes, as in the cases in which such processing is necessary for the purposes of declaring, exercising, or defending a right in judicial proceedings.

Although data processing in such scopes tends to be based on anonymised information or information under a pseudonym, it is possible that, in certain cases, it involves certain data regarding the subjects’ health, such as their clinical file number, the identifiers of performed clinical acts, among others.

Further lawfulness grounds for data processing by HOTC include the need of the Data Processor to comply with legal obligations, such processing mostly consisting of communicating data to outside entities. Should such processing involve special personal data categories (for instance, information regarding the prescription of drugs to a certain HOTC User), processing will be based on HOTC’s system and service management.

Collection purposes/moments, and specific data categories

  • Essential billing information (collected whenever necessary)
    • Name, date of birth, telephone/mobile phone number, tax identification number.
    • The provision of these personal data is mandatory (Users are duly informed of the obligation to make these data available in order to continue with proceedings).
  • Whenever creating a User file in HOTC’s administrative services.
    • Information on your scheduling, appointments, or tests (including the date and hour of the appointment, doctor’s specialty, performed test/test to be performed, data contained in the medical prescription, among others needed to provide the services);
  • Whenever you make an appointment/request information through one of the multiple channels (e-mail, telephone, and direct contact)
    • Remaining identification data, such as: clinical file number, NHS user number, country, district, and county of birth, address (city, postal code, country, district, county, parish), profession, employment status, health centre, family doctor, marital status, spouse’s name, father’s name, mother’s name (should the User be a minor), data related to your insurance or health subsystem (whenever they cover the services provided by HOTC, namely in case of an accident).
  • When you go to HOTC for the first time, and we create your file in the administrative services.
    • Information on your health; including: reason for the appointment /act, personal history (childhood illnesses, immunisations, habits, gynaecological history, allergies, medication, active diseases, inactive diseases), family history (most frequent situations – diabetes, HT, TP, cancer, alive/deceased, cause of death), clinical tests, diagnosis, supplemental tests, referral, alerts (diabetes, hypertension, etc.), blood group; prescribed drugs, prescriber’s identification, prescription location code, prescription data, and special co-payment system; act and code of performed episode, episode start and end date, episode status, healthcare professional who performed the episode, episode number, episode type, indication of the episode’s results/lack of results, and result identifier.
    • Genetic data, racial or ethnic origin data, and data regarding the subject’s sex life and sex orientation
  • In the course of integrated healthcare service provision, including for the purposes of HOTC system and service management, their continuous auditing and improvement.
  • To communicate, and manage our relation with you
    • We may contact you by traditional mail, email or text message, for administrative or operational reasons, for instance, in order to confirm your appointments and payments, to inform you of any changes or unexpected events regarding your appointments.
    • We will also use your personal data to respond to your requests, suggestions, or contacts, to improve our services and your experience as HOTC User.
  • To perform studies and clinical trials
    • Whenever the studies or clinical trials conducted at HOTC (within which HOTC will, as a rule, act as a Subcontractor, the Data Processors being the promoters of the study/trial) cannot be performed using anonymised data or data under a pseudonym, HOTC will collect your consent to process your personal data in this context.
    • That consent may be requested in a more comprehensive manner, in order to cover several research areas, or to be given exclusively for specific research domains or projects. In any case, HOTC will fully respect the decision of its Users to withdraw from a study or trial, in which case it will stop processing their data for that purpose.
  • To improve our services and meet our administrative and service level goals
    • The service level goals for which we use your data, include accounting, billing, and auditing, namely to protect the vital interests of Users, or for the purposes of certifying, evaluating, and measuring HOTC’s service levels, fraud detection and analysis, safety, legal and procedural purposes, statistical studies, as well as for system development and maintenance.
  • To fulfil our legal obligations
    • Namely, the obligation to provide your personal data to the Central Administration of the Health System (“ACSS”), the Contracting Public Entity, and other healthcare public entities, as well as to the Courts, Solicitors, and criminal police agencies, in exercise of their powers and attributions.

 

B – Staff and Workers

Grounds (Article 6, paragraph 1, subparagraphs b), c), d) and f) of the GDPR):

  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which HOTC is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the purposes of the legitimate interests pursued by HOTC or by a third party.

 

Purposes:

  • To recruit, select, and hire permanent and temporary members of staff;
  • To keep biographical and professional registers on employees, workers, and agents, namely:
    • Attendance sheets;
    • Seniority sheets, and training plans;
    • Drafting of vacation sheets and plans;
  • To process the payroll (wages, holiday and Christmas allowances) and/or other payments, such as supplements, namely with information related to bank accounts;
  • To handle requirements, benefits, and legal obligations, namely regarding:
    • Social security duties;
    • Tax duties;
    • Duties regarding compulsory insurance (Insurance companies);
    • Trade Union duties;
    • Reporting duties (issuing the balance sheet, etc.);
  • To handle disciplinary proceedings, and the application of sanctions, and to terminate the legal bond between members of staff/temporary workers and HOTC.

C – Workers and Third Parties whose data is provided by HOTC suppliers

Grounds (Article 6, paragraph 1, subparagraphs b), c), and f) of the GDPR):

  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which HOTC is subject;
  • processing is necessary for the purposes of the legitimate interests pursued by HOTC or by a third party.

 

Purposes:

  • To manage supplier contracts.

D – Data Subjects approaching HOTC facilities

Grounds (Article 6, paragraph 1, subparagraph f) of the GDPR):

  • processing is necessary for the purposes of the legitimate interests pursued by HOTC or by a third party.

 

Purposes:

  • To ensure the safety of HOTC facilities and materials, as well as of the people (and personal data) under HOTC’s care.

E – Any non-Users contacting HOTC by any means, and for any legitimate or illegitimate purposes

Grounds (Article 6, paragraph 1, subparagraphs a), c), and f) of the GDPR):

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for compliance with a legal obligation to which HOTC is subject;
  • processing is necessary for the purposes of the legitimate interests pursued by HOTC or by a third party.

 

Purposes:

  • To register requests to HOTC, and allow for their processing and reply;
  • To register the contact to defend HOTC’s legitimate interests.

 

3. Subject’s consent

3.1. Whenever Consent is expressly requested (i.e., whenever the lawfulness of the processing at issue requires the data subject’s consent) the User and data Subject authorises HOTC to:

  a) Provide his data to entities fulfilling the obligations established by the GDPR, without prejudice of their confidentiality, ensuring that their use is both in accordance with such entities’ corporate purposes, and compatible with the purposes of collection;
  b) Collect additional personal data from public bodies, specialised companies, and other private entities, to confirm or complete the collected elements needed to manage the established relation;
  c) To magnetically register telephone calls made within the scope of the proposed relation, being previously informed of such a procedure, both during the contract formation stage and during the latter’s validity, thus using it for any lawful purposes, namely the performance of contract services, in order to improve and control them, and as a means of proof.

3.2 The data transmitted to HOTC are incorporated and processed into files under its care, its sole purpose being the management of the requested service, in order to fulfil the applicable legal requirements.

3.3 The data provided by the User (either regarding himself or third parties) meant to make contracts effective will also be processed confidentially and in accordance with the legislation in force, and may be given to other entities according to contract aims and objects.

3.4 The User authorises said data to be processed and accessed by HOTC Workers performing any of the activities necessary to provide and promote the services.

3.5 The User is free to provide or refuse to provide the requested information (without any legal obligations), and to authorise or refuse to authorise its processing, whenever submitting a duly filled out form.

3.6 The User accepts that should he fail to provide all the requested information, he may not be able to obtain the correct operation of some of the website’s current and/or future functionalities, nor the effectiveness of a subsequent sending, computer processing, query, or contact.

3.7 The data User/Subject has the right to withdraw his consent at any time, without jeopardising the lawfulness of the processing already carried out on the basis of the previously given consent.

3.8 Knowing that HOTC declares that it will collect and process (possibly sensitive) Personal Data for which the User’s express consent is requested, the User acknowledges that by ticking the check-box “I agree to the use of the data provided under the terms and for the purposes herein set forth” he ensures that the provided information is correct and true, that he wishes to submit the requested data, and that he therefore expressly authorizes the use of his Personal Data by HOTC exclusively for the purposes of the form he filled out, considering:

  a) That the User authorises the processing of and access to said data by HOTC Workers performing any of the activities necessary to provide the services, by electronically accepting this privacy policy, including the Data Subject’s authorization to collect and process his Personal Data;
  b) The information will only be used to evaluate his request, and in the context of possible procedures relating to the corresponding form.
  c) The application software of the information database, which stores the provided data, also protects your personal data under applicable law.
  d) It may be necessary to retain provided information before you revoke your consent, for the sole purposes herein established, regarding the procedure of this form.

4. Communication of Personal Data

4.1 Data may be provided to judicial or administrative authorities, should the fulfilment of HOTC’s legal obligations demand it.

4.2 Personal data may be communicated to public and private bodies related to HOTC’s activity, for statistical and fraud prevention purposes, as well as for public record purposes.

4.3 HOTC shall not market its user database with third parties.

4.4. Depending on the purpose for which they were collected, data may be provided to the following recipient categories:

  • Public entities;
  • Other healthcare service providers;
  • Banking entities;
  • Insurance companies;
  • Healthcare and/or occupational safety and health service providing companies which were subcontracted by HOTC;
  • Trade Unions;
  • Service providers subcontracted by HOTC; or
  • Other entities subcontracted by HOTC, whose corporate purpose is essential to pursue the aim for which the data was collected.

4.5 International Transfers

HOTC shall implement the necessary and adequate measures under the applicable law, to ensure the protection of personal data subject to such a transfer, strictly complying with the legal provisions regarding the requirements applicable to such transfers, namely by informing the Users in this regard.

4.6 In some cases, we may transfer your personal data to third parties (service providers subcontracted by HOTC). In such cases, HOTC shall establish clear contractual rules for personal data processing with its subcontractors, demanding them to adopt the appropriate technical and organisational measures to protect your personal data.

5. Personal Data Retention

All Personal Data are kept by HOTC while the relation between the latter and the respective Subjects subsists, or for the legal retention term, or as long as the purpose for their collection exists, in such a way as to allow for the identification of the Subjects until such relations or obligations have definitely ceased. Collected data shall be destroyed by the end of their legal retention term, and they are followed by HOTC

The length of time during which the data are stored and kept varies according to the purpose for which the information is used. However, there are legal requirements for data retention for a certain period of time. To that extent, data regarding your health are kept in the terms of the legislation applicable to the hospital records.

 

6. Safety Measures Adopted by HOTC

HOTC is committed to ensuring the confidentiality, protection, and safety of its Users’ personal data, through the establishment of the appropriate technical and organisational measures to protect their data against any type of undue or illegitimate processing, and against any accidental loss or destruction of such data. For that effect, we have systems and teams meant to ensure the safety of the processed personal data, by creating and updating procedures which prevent unauthorised access, accidental losses, and/or personal data destruction, and committing to respect the legislation regarding User personal data protection, and to process such data solely for the purposes they were collected, as well as to ensure that such data are processed with the appropriate levels of safety and confidentiality.

Because we acknowledge the sensitiveness of such information, we shall draft an Information Safety policy and disseminate it among all our workers. Such policy will establish personal data protection principles, in order to ensure the workers’ knowledge regarding their obligations in this context.

We shall also develop training actions for our workers, to ensure their permanent awareness. They will commit to the non-disclosure to third parties and the refusal to unlawfully use any personal information regarding HOTC Users which has come to their knowledge in performing their duties.

Within the scope of processing your personal data, HOTC permanently complies with the principles of data protection, from privacy by design to privacy by default. Among other aspects, this commitment entails that your personal data will be accessed only by people who need to know them in performing their duties, strictly insofar as it is necessary to pursue the above listed processing purposes.

Therefore, in compliance with the applicable law, the access to data regarding your health, and other special data categories, will be reserved for doctors and other healthcare professionals assigned to the provision of your healthcare.

In some cases, administrative workers have access to your health data and other special data categories, to process data for the purposes of billing the provided healthcare services, appointment and clinical act booking, or information request and complaint management.

7. Data Subjects’ Rights

7.1 Any data subject may request the amendment, updating, processing limitation, portability, and deletion of their data, through the following contacts:

Processing Officer

Hospital da Ordem Terceira Chiado

Address: Rua Serpa Pinto, número 7, 1249-203 Lisboa

Tel./Fax: 213230300

Email: [email protected]

Data Protection Officer

Lara Silva

Address: Rua Serpa Pinto, número 7, 1249-203 Lisboa

Tel.: 213230300

Email: [email protected]

7.2 Should it be necessary to fulfil HOTC’s legal obligations, HOTC may reply to the Subject by the same means or by the means indicated in the Subject’s communication, with a request for a document proving the identity or accuracy of the data for which amendment/update is requested.

7.3 Whenever the User must provide Third Party data, he is bound to inform such Party of the contents in the above paragraph, and to obtain their consent, before transferring the data to HOTC.

8. Obligations of the entities involved in data processing

8.1 Each of the entities involved in processing your data is bound to comply with the applicable data protection legislation, particularly regarding processing safety and confidentiality.

8.2 Those responsible for Personal Data processing, as well as those who have knowledge of such data in performing their duties, are bound by professional secrecy under the law.

9. Contacts

You may contact HOTC’s Processing Officer and the Data Protection Officer (DPO) for more information on the processing of your personal data, as well as for any questions regarding the exercise of the rights assigned to you by the applicable legislation, particularly those mentioned in this Privacy Policy, through the following contacts:

 

Processing Officer

Hospital da Ordem Terceira Chiado

Address: Rua Serpa Pinto, número 7, 1249-203 Lisboa

Tel./Fax: 213230300

Email: [email protected]

Data Protection Officer

Lara Silva

Address: Rua Serpa Pinto, número 7, 1249-203 Lisboa

Tel.: 213230300

Email: [email protected]

10. HOTC reserves the right to change or update this Privacy Policy at any time. Such changes are duly updated in our Platforms.