This Privacy Notice aims to inform you regarding the processing of information which directly or indirectly identifies you (“personal data”) carried out by Mediterranean Hospital of Cyprus (“Hospital”, “we”). The Hospital treats your Personal Data with great responsibility and is determined to always safeguard your privacy rights.
Your personal data are processed in line with our obligations and your privacy rights under Data Protection Law, including the European General Data Protection Regulation 2016/679 (“GDPR”) and the Cypriot Data Protection Law 125 (I) 2018.
Personal data we process
The Hospital processes the following categories of your personal data where necessary for specific purposes:
Why we process your personal data
In order to be able to process your personal data, we ensure that the processing is based on at least one of the following legal grounds:
Processing of special categories of data
Due to the nature of our services and activities as a private hospital, special categories of personal data are also processed. This will normally be processing of your health-related data for the purposes of preventive or occupational medicine, medical diagnosis, the provision of healthcare or treatment or the management of healthcare systems and services on the basis of EU or Cypriot law or pursuant to contract with a health professional. We may also process such data if necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or Cypriot law which provides for suitable and specific measures to safeguard your rights and, in particular, professional secrecy.
Sharing / disclosure of personal data
The hospital may disclose your personal data to various categories of recipients, as shown for example in the list below, when necessary to comply with specific legislation or regulations, in order to perform obligations in accordance with the terms and conditions of the hospital, or when it is reasonable and proportionate to do so when pursuing our legitimate interests.
The Hospital may also disclose, or allow access to or other processing of, your personal data to consultants, subcontractors or other hospital service providers, for example legal advisors, information security / information technology consultants and auditors, on the basis of pursuing our legitimate interests or complying with our legal obligations.
There are cases where personal data may be transferred to countries outside the European Economic Area ("EEA") provided that we have taken all appropriate technical and organisational measures during the transfer and that the transfer is made on the basis of the appropriate safeguards provided by the GDPR, and the relevant provisions of the Cypriot Legislation 125(I)2018. Such cases may include transfers made to external medical practitioners or medical centres, or where it may be necessary for the hospital to share data (and/or give access to data) to subcontractors / suppliers of services such as suppliers of medical devices or other tools on the basis of existing legislation. In most cases, and where possible, the hospital ensures that the data are transferred anonymously.
The hospital is committed to always adopting and applying the highest data security standards to ensure the confidentiality, integrity and availability of data it processes. This is achieved by carrying out appropriate risk assessments and implementing response measures to the risks of accidental or unlawful destruction, loss, alteration, disclosure, or access to personal data without authorization, which are likely to compromise the security of your data. The Hospital adopts all necessary resources and mechanisms and always seeks to proactively identify, detect, investigate and address any security breaches or incidents, and to minimize the consequences, always with a view to protecting the privacy rights of patients.
Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community. Members of staff may be given access to the hospital’s systems holding patient information on a need-to-know basis and provided that they are authorised to do so. In any case, personnel are limited to the type of information they can access.
The hospital will retain your personal data for as long as the processing is necessary to fulfil the purposes as described in this Privacy Notice. Also, the retention period will largely depend on the legal obligations or guidance issued by the Office of the Commissioner for Personal Data Protection, which normally require the retention of data for a specific or minimum period.
Please note that these rights are not absolute; they are subject to exceptions and apply only under certain circumstances depending on the legal basis on which we rely in each case.
We will try to respond to all valid requests as soon as possible and within thirty (30) days or two additional months if the request is complicated or disproportionate.
You can contact the hospital’s data protection officer (DPO) for any further information or any questions regarding this Privacy Notice, either via