Direct Healthcare International (DHI) GDPR Policy

The General Data Protection Regulation (GDPR) is the European Union's data protection law. It was adopted by the EU in 2016 and has applied in all member states since 25 May 2018.

Direct Healthcare International (DHI) is committed to protecting the privacy and security of the personal data it handles and to complying with the GDPR. Because much of the information we manage is private and personal medical data, it is our policy not to use cloud services for storing it. All personal and medical data is stored on servers located on our own premises, where DHI itself is responsible for their physical security, access control, patching and backups.

Data Processing Principles

Direct Healthcare International Limited (DHI) is committed to processing personal data in accordance with the following principles to ensure the highest standards of privacy and data protection:

Lawfulness: DHI processes personal healthcare data (personal details, medical history and lifestyle information) only where a lawful basis exists. Because health data is a special category of personal data under the GDPR, we obtain explicit consent from our patients before processing their medical information. Where processing is necessary for medical diagnosis, the provision of health or social care, or the management of healthcare services, we rely on the corresponding GDPR ground for health data and act within the professional duty of confidentiality that applies in medical practice.

Fairness: DHI obtains consent through a separate, clearly worded consent statement presented with our Terms and Conditions and Privacy Policy before a patient submits the Medical History Questionnaire. Consent is likewise obtained explicitly for data collected by email, telephone or letter. Data is processed without explicit consent only in emergencies or where the law requires it, always with the patient's welfare as the priority and with the care benefits of the processing communicated transparently.

Transparency: All patients are informed about the nature of the data collection, the specific purposes for which their data is processed, and their rights concerning their personal data. This information is provided in a clear, understandable manner.

Purpose Limitation: We collect personal medical data solely for the provision of healthcare services, pre-surgery assessments, and follow-up care. Data is not used for any purpose other than those explicitly stated at the time of collection or without the patient’s express consent.

Data Minimization: Only the minimal amount of data necessary for the specified purpose is collected. This includes only relevant aspects of medical history, physical statistics, and contact information required for effective healthcare delivery and emergency contact.

Accuracy: We are committed to maintaining the accuracy of patient data. Patients have the right to request corrections to their data, and we take proactive steps to ensure that information is kept up-to-date.

Storage Limitation: DHI keeps patient data only for as long as necessary for its medical and legal purposes. If a patient has had no activity for 8 years, their data is securely archived. On a patient's request we will confidentially dispose of their information in line with the GDPR, except where a legal or regulatory obligation requires us to retain it.

Integrity and Confidentiality: We protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage using appropriate technical and organizational measures. With an emphasis on confidentiality, we ensure that healthcare data is accessible only to authorized personnel bound by duties of professional secrecy and who require the information to fulfil their job responsibilities. Data is stored securely within our own facilities, and electronic data is encrypted to safeguard against data breaches.

Lawful Basis for Processing 

DHI processes personal data only where a lawful basis under the GDPR applies to each activity. The contexts and examples below set out the bases we rely on:

Consent: Prior to engaging in specific healthcare services or treatments, explicit consent is obtained from patients. An instance of this would be a patient consenting to the use of their medical data for customizing their treatment plan upon enrolment in a specific healthcare program.

Contractual Requirements: We process necessary patient data to meet our healthcare service obligations as stipulated in our patient agreements. Processing necessary health information for conducting pre-operative evaluations or ensuring post-surgery care exemplifies this basis.

Legal Compliance: Adhering to the healthcare regulations of the UK and EU, we undertake data processing activities required by law, such as mandatory disease reporting to appropriate public health entities.

Vital Interests: In emergency situations where patient consent cannot be obtained, we process necessary medical information to safeguard the patient's critical health interests, such as emergency medical interventions.

Public Task: Where DHI takes part in public health initiatives or acts under government health directives laid down in law, the processing is based on the performance of a task in the public interest. This includes our participation in studies or campaigns aimed at addressing public health issues.

Legitimate Interests: To improve our healthcare services and operational effectiveness, we process data on the basis of our legitimate business interests, provided those interests are not overridden by the rights of our clients. An example is producing aggregated, de-identified statistics to assess treatment efficacy. The de-identification step is itself processing of personal data and is carried out under this basis; data that has been fully anonymized so that it can no longer be linked to an individual falls outside the GDPR.

Our adherence to these principles underlines our commitment to processing our clients' data with the utmost integrity and confidentiality, carefully balancing our operational requirements against their privacy rights.

DHI ensures that its privacy and data protection measures comply not only with the General Data Protection Regulation (GDPR) but also with the national laws that supplement it in the countries where we operate: Ireland, the United Kingdom, Belgium, France, Switzerland, The Netherlands and Germany. In Ireland we comply with the Data Protection Acts 1988-2018 and follow the guidance of the Data Protection Commission. In the UK we follow the Data Protection Act 2018, which adapts and supplements the GDPR in the UK context. In Belgium and Germany we comply with the Belgian Data Protection Act and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) respectively. These national laws refine and specify GDPR requirements within each country's legal framework. By integrating them into our data protection practice, DHI safeguards personal data and privacy rights in every aspect of its healthcare services.

Data Subject Rights

DHI empowers data subjects with comprehensive rights under GDPR, ensuring they have full control and oversight over their personal data. To exercise these rights, individuals can contact our designated Data Protection Officer (DPO) at Beatrix.farkas@dhi-care.com. Our DPO is available to facilitate requests related to accessing, correcting, deleting, or transferring personal data, as well as restricting processing or objecting to it.

Exercising Your Rights

Right to Access: Individuals have the right to access their personal data and obtain copies of it. This right ensures transparency and allows individuals to verify the lawfulness of the processing.

Right to Correction and Deletion: Individuals have the right to correct inaccurate data and, under certain conditions, have their data deleted.

Right to Data Portability: Individuals can request the data they have provided to us in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted directly to another organization.

Right to Restrict Processing: Individuals can request a restriction on the processing of their personal data under certain conditions, such as if the accuracy of the data is contested or the processing is unlawful.

Right to Object: Data subjects have the right to object to the processing of their personal data based on DHI’s legitimate interests or the performance of a task in the public interest/exercise of official authority, including profiling. They can also object to processing for direct marketing purposes.

Lodging a Complaint

If individuals believe their data protection rights have been breached, they have the right to lodge a complaint with a supervisory authority. In Ireland, this authority is the Data Protection Commission (DPC). Contact details and procedures for lodging a complaint can be found on the DPC's website at www.dataprotection.ie.

DHI is committed to respecting and protecting the rights of all our data subjects, ensuring transparent and accessible processes for exercising these rights.

Consent

This section details how we obtain, record, and manage consent when it is the basis for processing personal data. Consent is a cornerstone of our data processing activities, ensuring that our patients have control over their personal information.

Obtaining Consent

Consent is freely given by our patients, clearly signifying their agreement to the processing of personal data relating to them for one or more specific purposes. When collecting consent, DHI ensures that it is presented in a manner that is easily accessible and understandable, avoiding any form of ambiguity. Our consent requests are designed to be separate from other terms and conditions, clearly stating the purpose of data processing in plain language. Patients have the option to give their consent in various forms, including but not limited to, written form, ticking a box when visiting our website, or choosing technical settings for information society services.

Recording Consent

DHI meticulously records the consent obtained from patients to demonstrate compliance with GDPR. This record includes information about when and how consent was given, as well as the specific purposes for which the personal data will be processed. Our digital systems securely store these records, ensuring the integrity and confidentiality of the information.

Managing Consent

We empower our patients with the ability to manage their consent easily. Patients can withdraw their consent at any time, and DHI has established straightforward procedures for consent withdrawal, which are as easy to use as the procedures for giving consent. Upon withdrawal of consent, DHI ceases the processing of the individual's personal data for the purposes for which the original consent was obtained, unless there is another legal ground for processing.

DHI is dedicated to upholding the highest standards of data privacy and protection, ensuring that our patients' rights are respected and protected. Our consent management practices are regularly reviewed and updated to align with regulatory requirements and best practices, reinforcing our commitment to a healthier future built on trust and transparency.

Data Breach Notification Procedures

DHI maintains Data Breach Notification Procedures that set out how data breaches are handled, including how affected individuals and regulatory bodies are notified.

In compliance with General Data Protection Regulation (GDPR) and under the oversight of Ireland's Data Protection Commission (DPC), DHI has established comprehensive procedures to address any data breaches swiftly and effectively, prioritizing security and privacy of our patients' information. Recognizing the importance of immediate action, our procedures are designed to assess, report, and mitigate the impacts of data breaches, ensuring transparency and accountability at every step.

Immediate Response and Assessment

Upon discovery of a data breach, our dedicated response team is mobilized to quickly assess the scope and impact of the breach. This assessment determines the nature of the data involved, the potential harm to affected individuals, and any steps that can be taken to secure data and prevent further unauthorized access. Our primary goal is to contain the breach and secure our systems.

Notification Procedures

Following the assessment:

  1. Regulatory Notification: Unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, DHI notifies the Data Protection Commission (DPC) without undue delay and, where feasible, not later than 72 hours after becoming aware of it. Where notification is made after 72 hours, it is accompanied by the reasons for the delay. Our notification describes the nature of the personal data breach, the categories and approximate number of individuals and records concerned, the likely consequences, the measures taken or proposed to address the breach, and the contact details of our DPO. If it is not possible to provide all the information at once, it is provided in phases without undue further delay. Every personal data breach, including those not notified to the DPC, is recorded in DHI's internal breach register together with its facts, its effects and the remedial action taken.
  2. Individual Notification: When the data breach is likely to result in a high risk to the rights and freedoms of individuals, DHI communicates the breach directly to the affected individuals without undue delay. This communication is in clear and plain language and explains the nature of the data breach, the likely consequences, and the measures taken or proposed to address the breach, including any measures to mitigate its possible adverse effects. Notification to individuals is not required if DHI has applied appropriate technical and organizational protection measures that render the data unintelligible to any person not authorized to access it, such as encryption, or if DHI has taken subsequent steps to ensure that the high risk to the affected individuals is no longer likely to materialize.

DHI's Data Breach Notification Procedures are designed to comply with Irish law and GDPR requirements, reflecting our commitment to data protection and the privacy of our patients. We continuously review and update our procedures to adapt to new threats and changes in regulatory requirements, ensuring that our practices are at the forefront of data protection.

Data Retention Policy

In alignment with Irish laws and the principles of the General Data Protection Regulation (GDPR), DHI is committed to retaining personal data only as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Our Data Retention Policy is designed to ensure that we meet our legal obligations and safeguard the privacy of our patients.

Criteria for Determining Retention Periods

DHI's approach to determining the retention periods for personal data is guided by the following criteria:

  1. Purpose of Processing: We assess the purpose for which data is collected and retain it for as long as necessary to fulfil that specific purpose.
  2. Legal Obligation: We retain records for the periods required by law or regulation, such as tax and health care regulations, which dictate specific retention periods for certain types of data.
  3. Statute of Limitations: The duration for which personal data is kept considers the statute of limitations under Irish law, allowing us to manage any potential legal claims.
  4. Operational Necessity: Data necessary for the management of patient records, billing, and customer service is retained according to the operational needs of DHI.

Data Retention Periods

Below is a table outlining key categories of personal data processed by DHI and the corresponding retention periods, designed to comply with Irish law and GDPR principles:

| Category of Personal Data | Retention Period              | Basis for Determination                                    |
|---------------------------|-------------------------------|------------------------------------------------------------|
| Patient Health Records    | 8 years                       | Health care regulations and operational necessity          |
| Financial Transactions    | 6 years                       | Legal obligation under tax laws                            |
| Employee Records          | 7 years after employment ends | Employment law requirements                                |
| Website User Data         | 2 years                       | User consent and operational necessity for marketing       |

Upon expiration of the retention period, personal data is securely deleted or anonymized, so it can no longer be associated with an individual. DHI regularly reviews its Data Retention Policy to ensure it remains compliant with Irish laws and reflects best practices in data management and protection.

This policy highlights DHI's commitment to responsible data management, ensuring personal data is not kept longer than necessary and is processed in accordance with legal requirements and the principles of data protection. 

International Data Reception

DHI is dedicated to providing world-class healthcare services to a global patient base. While our operations are rooted within the EU, we acknowledge the necessity of receiving patient information from outside the EU, including the UK, USA, and other countries worldwide. Our approach to managing the reception of international patient data is grounded in strict adherence to the General Data Protection Regulation (GDPR) principles, ensuring that all data received is protected with the highest standard of privacy and security measures.

Safeguards for Receiving International Patient Data

Because DHI receives, rather than exports, patient data from outside the EU, the GDPR applies in full to that data from the moment DHI processes it. The GDPR's international transfer rules (Chapter V) govern movements of personal data out of the EU/EEA, so DHI holds the following safeguards in place for the intake of international data and for any onward movement that might ever be required:

  1. Adequacy Decisions: Where personal data would need to move from DHI to a country outside the EU/EEA, we rely first on the European Commission's adequacy decisions, which recognise countries that provide a level of data protection essentially equivalent to that of the EU.
  2. Standard Contractual Clauses (SCCs): For countries not covered by an adequacy decision, DHI includes the European Commission's Standard Contractual Clauses in its agreements with international partners, so that any recipient of personal data is bound to the same level of protection expected within the EU.
  3. Data Protection Impact Assessments (DPIAs): DHI conducts Data Protection Impact Assessments for the intake of patient data from outside the EU, since processing health data at scale is high-risk processing. These assessments identify and mitigate risks to patient privacy and data security and ensure that international data is managed in line with the GDPR.

DHI's protocols for the reception of international patient data are meticulously designed to maintain and reinforce our commitment to data privacy and security. By implementing these safeguards, we ensure that the process of receiving patient information from outside the EU is conducted with the utmost care and responsibility, aligning with our mission to provide exceptional healthcare services while safeguarding patient data. This commitment underscores our dedication to fostering trust and confidentiality in our global healthcare services, illustrating our adherence to the highest standards of data protection and patient care.

DHI does not itself transfer personal data outside the European Union. Should such a transfer ever become necessary, it would take place only under one of the mechanisms described above, in compliance with GDPR requirements.

Third-Party Data Sharing

In the course of delivering comprehensive healthcare services, DHI collaborates with partner hospitals in Belgium and Germany, which requires sharing patients' personal details in specific circumstances to facilitate treatment and care coordination. Because these hospitals are located within the EU, this sharing is not an international transfer under the GDPR, but it remains subject to all of the GDPR's other requirements.

This sharing of data is governed by strict adherence to the General Data Protection Regulation (GDPR) to ensure the protection of patient information throughout the process. 

All third-party partners, including hospitals in Belgium and Germany, have robust data protection policies and practices that are compliant with GDPR. 

Additionally, patients are fully informed about the specifics of the data sharing, including the identity of the receiving hospitals and the nature of the data shared, and their explicit consent is obtained before any data is shared.

This process is in line with GDPR’s principles of transparency, purpose limitation, and data minimization, ensuring that only the necessary information for the specific treatment or service is shared.

By adhering to these stringent protocols and leveraging GDPR-compliant safeguards, DHI ensures that patient data is handled with the highest level of care and security, reflecting our commitment to privacy, trust, and excellence in patient care across borders.

Data Protection Officer (DPO)

DHI prioritizes your data privacy and protection. For any inquiries or concerns regarding your personal data, please contact our Data Protection Officer:

Beatrix Farkas, Data Protection Officer: Beatrix.farkas@dhi-care.com

Feel free to reach out to Beatrix with questions, to exercise your data rights, or to discuss our data handling practices. Your privacy and data security are our top commitments.

Reviews and Updates to the Policy

To ensure ongoing compliance with the GDPR, DHI has established review processes that verify our data protection practices against current requirements.

We conduct regular reviews of our data protection practices and privacy policy, led by our Data Protection Officer (DPO), to ensure alignment with current data protection laws and regulations.

These reviews ensure that DHI not only maintains compliance with GDPR requirements but also adapts to legislative changes and to developments in data protection best practice, reaffirming our commitment to upholding the highest standards of data privacy for our clients.

DHI regularly reviews and updates its privacy policy to remain in compliance with the GDPR and applicable national law, in particular to reflect any changes in our data processing methods or practices. To keep our patients duly informed about their data protection, we define "significant updates" as any changes that materially affect the way we collect, use or share personal data. This includes, but is not limited to, new data collection practices, changes in data sharing agreements, or changes affecting data subject rights.

Upon identifying a significant update, DHI commits to notifying data subjects through a clear notice on our website and via direct email communication, no later than 30 days from the implementation of such updates. 

This approach gives our patients the opportunity to review the changes and understand their implications, maintaining an open and transparent dialogue regarding their privacy and data protection rights under the GDPR and Irish law.

Policy Accessibility

DHI’s Privacy Policy is accessible on our website, designed for ease of use and clarity. For those who prefer or require it, we can also send the policy directly via email. We strive to make our privacy practices transparent and accessible to all, and welcome feedback on how we can improve accessibility.
