Call Now for more information 24/7:

+357 25 200 000

AAText Size:

General information

This Privacy Notice aims to inform you regarding the processing of information which directly or indirectly identifies you (“personal data”) carried out by Mediterranean Hospital of Cyprus ("Hospital”, “we”). The Hospital treats your Personal Data with great responsibility is determined to always safeguard your privacy rights.

Your personal data are processed in line with our obligations and your privacy rights under Data Protection Law, including the European General Data Protection Regulation 2016/679 (“GDPR”) and the Cypriot Data Protection Law 125 (I) 2018.

Personal data we process

The Hospital processes the following categories of your personal data where necessary for specific purposes:

  • Identity, photograph and contact details such as, name, address, email, phone number, date of birth.
  • Medical history concerning you or (if necessary and relevant) your family, whether provided by you, by referrals or by other authorised third parties.
  • Information about your nationality and the right to receive medical care in Cyprus regarding the provision of cross-border healthcare to insured patients.
  • Information relevant to provided therapies including medical and nursing, surgery, blood tests, radiology or other examinations.
  • Financial data / payment details related to your hospital care.
  • Information about any surveys, complaints or other enquiries.
  • Information about your marital status, relatives, or emergency contacts.
  • Information on the physical and / or your psychological state, including disabilities, allergies, dietary, for which the hospital must make reasonable adjustments.

Why we process your personal data

In order to be able to process your personal data, we ensure that the processing is based on at least one of the following legal grounds:

  1. You have clearly given your consent to the processing. For example, when a patient is asked if he/she wishes to receive informative and promotional messages from the hospital, or to receive the results of examinations via a mobile application.
  2. The processing is necessary for the purposes of performing an agreement between the Hospital and you or when it is necessary to take steps, as per your instructions, prior to entering into the contract. For example, processing for the purpose of providing the services of the hospital or making a payment by you for these services.
  3. The processing is necessary for the purposes of complying with any legal or regulatory requirements to which the hospital is subject. For example, compliance with the Private Hospitals Law, the National Health System Law or Tax Law.
  4. The processing is necessary in order to safeguard your vital interest when emergency incidents occur.
  5. Processing is necessary for the purpose of pursuing the legitimate interests of the hospital or a third party, provided that your interests and rights do not prevail over the interests of the hospital. For example, processing your personal data for the purpose of proper governance, management of our activities, your ensuring your safety and the security of our facilities and systems or informing patients with the necessary information related to their care.

Processing of special categories of data

Due to the nature of our services and activities as a private hospital, special categories of personal data are also processed. This will normally be processing of your health-related data for the purposes of preventive or occupational medicine, medical diagnosis, the provision of healthcare or treatment or the management of healthcare systems and services on the basis of EU or Cypriot law or pursuant to contract with a health professional. Also we may process such data if necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or Cypriot law which provides for suitable and specific measures to safeguard your rights and, in particular professional secrecy.

Sharing / disclosure of personal data

The hospital may disclose your personal data to various categories of recipients, as shown for example in the list below, when necessary to comply with specific legislation or regulations, in order to perform obligations in accordance with the terms and conditions of the hospital, or when it is reasonable and proportionate to do so when pursuing our legitimate interests.

  • Ministry of Health (e.g. Ambulance Services)
  • State Health Services Organisation (SHSO (ΟΚΥΠΙ))
  • Tax Authorities
  • Cyprus Medical Association
  • Insurance companies
  • External medical practitioners
  • External medical centres and / or laboratories, e.g. radiology centres and chemistry labs.

The Hospital may also disclose or allow access to or other processing of your personal data, to consultants, subcontractors or other hospital service providers, for example legal advisors, information security / information technology consultants, auditors, on the basis of pursuing our legitimate interests or complying with our legal obligations .

Data transfers

There are cases where personal data may be transferred to countries outside the European Economic Area ("EEA") provided that we have taken all appropriate technical and organisational measures during the transfer and that the transfer is made on the basis of the appropriate safeguards provided by the GDPR, and the relevant provisions of the Cypriot Legislation 125(I)2018. Such cases may include transfers made to external medical practitioners or medical centres, or where it may be necessary for the hospital to share data (and/or give access to data) to subcontractors / suppliers of services such as suppliers of medical devices or other tools on the basis of existing legislation. In most cases, and where possible, the hospital ensures that the data are transferred anonymously.


The hospital is committed to always adopting and applying the highest data security standards to ensure the confidentiality, integrity and availability of data it processes. This is achieved by carrying out appropriate risk assessments and implement response measures to the risks of accidental or unlawful destruction, loss, alteration, disclosure, access to personal data without authorization, which is likely to compromise the security of your data. The Hospital adopts all necessary resources and mechanisms and always seeks to proactively identify, detect, investigate and address any breaches of security incidents, and to minimize the consequences always with a view to protect the privacy rights of patients.

Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community. Members of staff may be given access to the hospital’s systems holding patient information on a need-to-know basis and provided that they are authorised to do so. In any case, personnel are limited to the type of information they can access.



Data retention

The hospital will retain your personal data for as long as the processing is necessary to fulfil the purposes as described in this Privacy Notice. Also, the retention period will largely depend on the legal obligations or guidance issued by the Office of the Commissioner for Personal Data Protection which normally require the retention of data for specific or minimum period.


Your rights

  • Right to be informed about how we process your data and right to access to your data.
  • Right to correct or rectify inaccurate or incomplete data.
  • Right to erase your data, especially when we have no reason to continue processing your data, when there is no legal basis for the processing or when the processing is unlawful.
  • Right to restrict the processing, e.g. for the purposes of verifying the accuracy of your data.
  • Right to object to the processing, especially when we rely on our legitimate interests.
  • Right to receive your personal data (data portability) in a structured or commonly used and readable format and the right to transfer your data to another data controller. (e.g. another medical centre or hospital)
  • The right not to be subject to automated decision-making, including profiling.
  • Right to withdraw your consent in cases where the processing is based on consent.
  • Right to lodge a complaint with the Office of the Commissioner for the Protection of Personal Data ( This email address is being protected from spambots. You need JavaScript enabled to view it. ).

Please note that these rights are not absolute, they are subject to exceptions and apply only under certain circumstances depending on the legal basis on which we rely in each case.

We will try to respond to all valid requests as soon as possible and within thirty (30) days or two additional months if the request is complicated or disproportionate.


Contact details

You can contact the hospital’s data protection officer (DPO) for any further information or any questions regarding this Privacy Notice, either via

email ( This email address is being protected from spambots. You need JavaScript enabled to view it. ) or telephone (+357 25 200 052)