Privacy regulations for patients (GDPR)

Version 1.0.0
Last revision: January 01, 2021

Data Protection / Responsibilities

Vittorakis Polyclinic is committed to protecting your privacy when you use our services. This privacy policy explains how we use information about you and how we protect your privacy.

The purpose of this privacy policy is to comply with the European General Data Protection Regulation (GDPR) (EU) 2016/679, which is part of Greek law.

Vittorakis Polyclinic Board members, collectively known as the ‘data controller’, permit the organisation’s staff to use computers and relevant filing systems (manual records) in connection with their duties. Vittorakis Polyclinic Board members have legal responsibility for the notification process and for compliance with the GDPR.

Vittorakis Polyclinic Board members, whilst retaining their legal responsibilities, have designated a Data Protection Officer for the purpose of monitoring compliance with the GDPR requirements.

Data Protection Officer’s (DPO) responsibilities

The Data Protection Officer’s responsibilities include:

  • ensuring that the policy is produced and kept up to date;
  • ensuring that the appropriate practice and procedures are adopted and followed by the Vittorakis Polyclinic;
  • providing advice and support to the Board on data protection issues within the organisation;
  • working collaboratively with Board members to help set the standard of data protection training for staff;
  • ensuring compliance with individual rights, including subject access requests;
  • acting as a central point of contact on data protection issues within the organisation; and
  • implementing an effective framework for the management of data protection.

Vittorakis Board’s responsibilities

All senior managers across the organisation are directly responsible for:

  • ensuring their staff are made aware of this policy and any notices.
  • ensuring their staff are aware of their data protection responsibilities.
  • ensuring their staff receive suitable data protection training.

Personal information can be anything that identifies and relates to a living person.

The GDPR requires Vittorakis Polyclinic to comply with the eight Data Protection Principles and to notify the Vittorakis Board for Personal Data Protection about the data that we hold and why we hold it. This is a formal notification and is renewed annually.

All Vittorakis Polyclinic employees have a legal duty to keep all information provided to the organisation and themselves strictly confidential. This legal obligation is further enforced through the codes of practice of the staff’s respective professions and by virtue of their contract of employment with the Vittorakis Polyclinic.

Use of the WeSeeDo live chat

The WeSeeDo live chat collects consent-based personally identifiable data, specifically visitor name and email address, when you start a live chat with one of our employees. This data is used solely for support purposes: to advise our patients about medical issues and/or to assist with emergency-related issues.

What personal information about you does the Vittorakis Polyclinic handle?

To provide you with a high standard of medical care and attention, we need to hold your personal information which includes details of your:

  • Past and current medical condition;
  • Personal details such as name, surname, date of birth, age, address, telephone number, email address, name of the hotel and number of the room and attending physician;
  • Radiographs, clinical photographs and study models;
  • Information about the treatment and services that we have provided or propose and the cost of such services and treatment;
  • Notes of conversations and interactions between you and our staff of which a record needs to be kept;
  • Records of consent to treatment; and
  • Any correspondence relating to the above and to other health care professionals or organizations that relate to you.

We may also need to use some information about you to:

  • enable us to provide healthcare services for patients;
  • manage those services we provide to you;
  • help investigate any worries or complaints you have about your services;
  • check the quality of services;
  • carry out data matching under the national fraud initiative;
  • help with research and planning of new services;
  • support, train and manage our employees who deliver those services; and
  • keep track of spending on services.

Where the personal data originates from

The personal data held by Vittorakis Polyclinic may have been provided by:

  • you;
  • your parents, relatives or carers;
  • GPs;
  • other hospitals;
  • ambulance personnel;
  • local authorities;
  • other private healthcare providers; and
  • other third parties (including education providers and previous employers).

How the law allows us to use your personal information

There are a number of legal reasons why we need to collect and use your personal information.

Generally, we collect and use personal information where:

  • it is necessary to perform our statutory duties;
  • it is necessary to protect someone in an emergency;
  • it is required by law;
  • it is necessary for employment purposes;
  • it is necessary to deliver health or social care services;
  • you have made your information publicly available;
  • it is necessary for legal cases;
  • it is to the benefit of society as a whole;
  • it is necessary to protect public health;
  • it is necessary for archiving, research or statistical purposes;
  • you or your local representative, have given consent; and
  • you have entered into a contract with us

Who the information may be shared with

Vittorakis Polyclinic may need to share the personal information we process with you and also with other individuals and organizations. Where this is necessary we are required to comply with all aspects of the GDPR.

Where necessary or required we share information with:

  • patients;
  • family, associates and representatives of the person whose personal data we are processing;
  • staff;
  • current, past or potential employers;
  • healthcare, social and welfare organizations;
  • suppliers to support systems, service providers, legal representatives;
  • auditors and audit bodies;
  • educators and examining bodies;
  • survey and research organisations;
  • professional advisers and consultants;
  • police forces;
  • security organisations; and
  • central and local government (in case of a Covid-19 outbreak).

Why do we hold information about you?

We need to keep extensive and accurate personal data about our patients to provide you with safe and appropriate medical care. We will ask you to regularly update your medical history and contact details at your earliest convenience.

Disclosure of information

To provide proper and safe medical care we may need to disclose personal information about you to:

  • Your general medical practitioner;
  • Other hospitals, clinics or medical care services who have or will provide treatment to you;
  • Other health professionals caring for you;
  • Greek Social Security Authority;
  • Any medical insurance or schemes of which you are a member; and
  • Agents and third parties as required by law.

Disclosure will occur on a “need-to-know” basis. Only those individuals/organizations who need to know in order to provide care for you and for the proper administration by Government authorities and personnel (whose personnel are covered by strict confidentiality rules) will be given the information.

In very limited circumstances or when required by law or court order, personal data may have to be disclosed to a third party not connected with your health care. In all other situations, disclosure that is not covered by this Code of Practice will only occur when we have your specific consent. Where possible you will be informed of these requests for disclosure.

Access to your records

You have the right to access the data that we hold about you and to receive a copy. Parents may access their child’s records if this is in the child’s best interests and not contrary to a competent child’s wishes. Formal applications for access must be in writing to the Vittorakis offices’ Data Protection Officer.

If you do not agree

If you do not wish personal data that we hold about you to be disclosed or used in the way that is described in this Privacy Policy, please discuss the matter with us. You have the right to object; however, this may affect our ability to provide you with medical care.

You have a right to withdraw your consent at any time; however, this will not be retrospective.

How do your records help you?

Your records are used to guide and administer the care you receive. They help us to ensure that:

  • We have accurate, up to date information about your health;
  • You receive the best quality of care;
  • Information is easily accessible by The Vittorakis Polyclinic to assist us to make decisions about your healthcare needs; and
  • Any concerns you may have about your health are properly investigated.


It may sometimes be necessary to transfer personal information overseas. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the GDPR.

Your rights under GDPR

Under the GDPR you have the following rights:

  • the right to be informed;
  • the right of access to, and copies of, the personal data we hold about you;
  • the right to accuracy and to making changes (rectification);
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • the right not to be subject to automated decision-making.

Ask for access to the information we hold on you

You should let us know if you disagree with something written on your file. We may not always be able to change or remove that information but we’ll correct factual inaccuracies and may include your comments in the record to show that you disagree with it.

Ask to delete information

In some circumstances you can ask for your personal information to be deleted, for example:

  • Where your personal information is no longer needed for the reason why it was collected in the first place.
  • Where you have removed your consent for us to use your information (where there is no other legal reason for us to use it).
  • Where there is no legal reason for the use of your information.
  • Where deleting the information is a legal requirement.

Where your personal information has been shared with others, we’ll do what we can to make sure those using your personal information comply with your request for erasure.

Please note that we can’t delete your information where:

  • we’re required to have it by law;
  • it is used for freedom of expression;
  • it is used for public health purposes;
  • it is for scientific or historical research, or statistical purposes where it would make information unusable; or
  • it is necessary for legal claims.

Ask to limit what we use your personal data for

You have the right to ask us to restrict what we use your personal information for where:

  • you have identified inaccurate information, and have told us of it; and
  • where we have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether.

When information is restricted it can’t be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it’s for important public interests of Greece.

Where restriction of use has been granted, we’ll inform you before we carry on using your personal information. Where possible we’ll seek to comply with your request, but we may need to hold or use information because we are required to by law.

Ask to have your information moved to another provider (data portability)

You have the right to ask for your personal information to be given back to you or another service provider in a commonly used format. However, this only applies if we’re using your personal information with consent (not if we’re required to by law) and if decisions were made by a computer and not a human being. It’s likely that data portability won’t apply to most of the services you receive from The Vittorakis Polyclinic.


The Vittorakis Polyclinic is committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.

Retaining information

We will retain your medical records while you are a patient of The Vittorakis Polyclinic and after you cease to be a patient, for at least eleven years, or for children until age 25, whichever is the longer.

Vittorakis Polyclinic

73014 Platanias Chania
Crete, Greece

Privacy statement website visitors

Version 1.0.0
Last revision: January 01, 2021

Personal data that may be stored

The Vittorakis Polyclinic can process your personal data because you use the services of The Vittorakis Polyclinic and/or because you provide these to The Vittorakis Polyclinic yourself when completing a form on the website. The Vittorakis Polyclinic can process the following personal data:
– Your first and last name
– Your address details
– Your phone number
– Your email address
– Your IP address
– Information about your location, device, browser settings and surfing behaviour

Why The Vittorakis Polyclinic needs data

  • Contact us after a contact request
    The Vittorakis Polyclinic processes your personal data in order to be able to contact you by telephone if you request this and/or to be able to contact you in writing (by e-mail and/or by post) if you cannot be reached by telephone.

  • Optimizing, improving and securing the functioning of the website
    General visitor data is kept on the website of The Vittorakis Polyclinic, including the IP address of your computer, the time of retrieval and data that your browser sends. This data is used to analyze visitor and click behaviour on the website, to secure our website and to ensure the correct operation of our website and associated plugins or web applications. The Vittorakis Polyclinic uses this information to optimize, improve and secure the functioning of the website. The Vittorakis Polyclinic can share this data with third parties or third-party applications such as Google Analytics.

  • Cookies
    A cookie is a simple text file that is stored on your computer or mobile device by a website’s server and only that server will be able to retrieve or read the contents of that cookie. Each cookie is unique to your web browser. It will contain some anonymous information such as a unique identifier and the site name and some digits and numbers. It allows a website to remember things such as your preferences or to remember your details when filling out a form. They are controlled by your computer. If you visit the “Tools” section in your browser menu, you will find details of your cookie settings. You can set your browser to warn you before accepting cookies, or you can set it to automatically reject them.
    The Vittorakis Polyclinic does not make direct use of any cookies other than those required to maintain the security of your information.

How long the Vittorakis Polyclinic keeps data

The Vittorakis Polyclinic does not store your personal data longer than is strictly necessary to achieve the purposes for which your data is collected. Your data will not be kept longer than 26 months if no agreement is concluded with you, or after it is dissolved. Cookies can be deleted at any time by you in the browser settings.

Links to other websites

The Vittorakis Polyclinic website may contain links to other websites of interest. However, once you have used these links to leave the Vittorakis Polyclinic website, we do not have any control over that other website. We cannot be responsible for the protection and privacy of any information, which you provide while visiting such websites, and such websites are not governed by this privacy statement.


The Vittorakis Polyclinic takes the protection of your data seriously and takes appropriate measures to prevent misuse, loss, unauthorized access, unwanted disclosure and unauthorized changes. The website of The Vittorakis Polyclinic uses a reliable SSL Certificate to protect your personal data.
If you have the impression that your data is not properly secured, there are indications of misuse, or if you would like more information about the security of personal data collected by The Vittorakis Polyclinic, please contact The Vittorakis Polyclinic using the information below:

Future changes

The Vittorakis Polyclinic reserves the right to change this Privacy Policy at any time and notify you by posting an updated version of the statement on our website. Any updated Privacy Policy will apply between us whether or not we have given you specific notice of any change.

Vittorakis Polyclinic

73014 Platanias Chania
Crete, Greece