Privacy policy
Last updated on 29 December 2024
1. Introduction
This Privacy Policy provides an overview of the data processing related to the activity of AS Medita Baltics (hereinafter "Medita" or "We"), and its details.
More specifically, this Privacy Policy describes the following:
- Contact details of the controller
- Purposes of personal data processing
- Legal basis for personal data processing
- Origin of personal data
- Retention of personal data
- Transmission of personal data to third persons
- Security and references to external websites
- Data protection rights and exercise thereof
- Acting in case of questions and complaints
- Updating the Privacy Policy
Our Privacy Policy includes information that is primarily relevant to you when you visit our website (www.medita.ee), use our services, or apply for job vacancies at Medita clinics.
We value your privacy and your right to privacy, and therefore process your personal data in compliance with all requirements set out in the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR") and other legal acts.
By publishing our Privacy Policy, we also meet the notification obligation imposed on us by Articles 13 and 14 of the GDPR.
2. Contact details of the controller
- The controller of your personal data is AS Medita Baltics
- registry code: 12526983
- address: Teguri 37b, Tartu 50107, Republic of Estonia.
- If you have any questions about processing your personal data, send us an email to: andmekaitse@medita.ee
3. Purposes of personal data processing
We strictly limit the processing of personal data to the minimum required for achieving the purposes described in this chapter. We only process personal data if there is a specific and delimited purpose and legal basis for that, as described in more detail in the next chapter.
3.1. Planning and providing health services and related support activities
In order to plan and provide health services, and perform related supporting activities (e.g., managing reservations), Medita processes the following personal data of patients:
- first name and surname;
- contact details (address, telephone number, email);
- data of the contact person (for emergencies);
- personal identification code;
- health data (incl. medical history);
- data concerning health services provided;
- data concerning appointments (place, time);
- data on the identity document (for identification of a person);
- payment data.
3.2. Ensuring the quality of health services
In order to ensure the quality of health services, e.g., meet the customer service standards as required by law, assess patient satisfaction, prevent and resolve any complaints, Medita processes the following personal data of the patient:
- first name and surname;
- contact details (address, telephone number, email);
- health data (incl. medical history);
- data concerning the health services provided;
- data concerning a complaint (its content, time of submission);
- data concerning any correspondence or other type of communication between the patient and Medita;
- data concerning the phone calls received through the general phone line of Medita (time of the phone call, phone number of the caller) and the content thereof.
Ensuring the quality of health services and systematic management is a legal obligation imposed on Medita as the provider of health services under the Republic of Estonia Health Services Organisation Act.
3.3. Recruitment
Every now and then, Medita searches for new staff members to fill vacant posts. In order to ascertain the interest of a potential candidate, we may contact the candidate using contact details disclosed on social media platforms that focus on creating professional contacts.
To fill vacancies, we may also organise competitions and publish respective calls on our website and/or through job search channels (e.g., CV-online, CV-keskus).
If you decide to participate in the competition, we consider you as a potential candidate and process the following personal data about you:
- first name and surname;
- personal identification code and date of birth;
- place of residence, email, phone number;
- data concerning your education and qualifications;
- your employment records and previous work experience (workplaces and posts);
- data concerning punishments in force;
- data concerning language proficiency;
- data required to sign and perform the employment contract, i.e., work and rest period records, information on wages, data concerning specific employment (only for elected candidates);
- other information you have shared with us voluntarily during the application period.
To receive further information and assess the suitability of personal qualities, we may contact your previous employers.
3.4. Compliance with legal obligations
In certain cases, we are required to process personal data in order to meet obligations arising from national legislation (e.g., Health Services Organisation Act and Accounting Act) that cannot be listed in detail in our Privacy Policy. This includes, for example, responding to inquiries from supervisory agencies, and notifying supervisory agencies and persons of any violations and respective suspicions.
3.5. Managing the website and enhancing user experience
To inform patients and other persons interested in services and activities of Medita, we have designed our website where we publish general information about services provided by Medita. In addition, patients can make appointments and send other submissions to Medita through the website.
Information sent through the forms provided on the website is forwarded to our registration desk: medita@medita.ee. In doing so, we process the following data, which in combination or in some situations also separately may be regarded as personal data:
- time of submission;
- IP-address of the person submitting the inquiry;
- data provided in the submission (name, personal identification code, phone number, email);
- other information provided in the submission.
In order to provide better, faster and more secure user experience, our website also uses cookies. These are small text files that are stored on your computer, smart phone, tablet, or any other device you use to visit our website. Cookies give us information on how the website is used, and allow us to gather statistical information on website traffic, display marketing content that might interest you, ensure proper operation of the website’s functionalities, and provide the best user experience.
By the storage period, cookies are divided into persistent cookies and session cookies. Persistent cookies are retained on users’ devices until their expiration date arrives (or until you decide to delete them), i.e., also after you have closed your browser or switched off your device. Session cookies, though, are deleted as soon as you close your web browser.
By the purpose of use, cookies are generally classified into four types:
- Strictly necessary cookies - type of cookies essential for the basic functioning of a website; they allow the users to navigate the website and use many of its functionalities (e.g., fill in forms, access different sub-domains of the website).
- Functional cookies - are used to ensure smooth user experience, incl. to remember user preferences (e.g., language of interaction).
- Analytical cookies - are used to collect non-personalised information on the ways the website is used. For example, analytical cookies allow us to analyse which pages/tabs are used most often.
- Marketing cookies - allow us to display personalised ads that might interest the user, measure the efficiency of ads (by the number of clicks on the ad, for example), and control their repetition with regard to the same user.
We use the following cookies on our website:
Name | Purpose | Expiration date
_ga | Analytical use (detection of the number of unique visitors to the website) | 1 year 1 month
__ewsa | Statistics (website traffic) | 1 year 1 month
_gat | Analytical use (statistical data on visits to the website and its pages) | Visit session
_gid | Analytical use (statistical data on visits to the website and its pages) | 1 day
__ewsb | Analytical use (optimising user experience) | 30 minutes
site_lang | Functionality (language preference on the website) | 1 year 1 month
Cookies used on the website may change over time. By visiting our website, you agree to the use of cookies strictly necessary for the proper functioning of the website, and no cookie consent is asked then for using respective cookies. For the use of other cookies, your consent is asked on the website.
You may reject cookies at any time by changing the settings of the device you use and deleting the cookies stored.
4. Legal basis for personal data processing
Based on the purpose of data processing, Medita acts under the following legal grounds:
Planning and providing health services and related supporting activities
The legal basis for data processing is Medita’s need to perform the contract for the provision of health service to the patient, or to take steps at the request of the data subject that are related to the preparation of the respective contract (GDPR, Article 6(1)(b)). In exceptional cases, providing health services and processing respective data may be necessary for protecting the vital interests of the patient (GDPR, Article 6(1)(d)).
As health data are a special category of personal data, Medita is exempted from the prohibition for processing, as set out in Article 9(2)(h) of the GDPR. At national level, the service provider’s right to process data for the purpose described in this clause derives from § 41 of the Health Services Organisation Act.
Quality assurance of health services
The legal basis for data processing is Medita’s legal obligation (GDPR, Article 6(1)(c)), which at national level has been defined in § 41 (1) clause 3 and § 32 (9) of the Health Services Organisation Act, and the regulation of the Minister of Health Requirements for Ensuring the Quality of Health Services and Patient Safety.
Since the quality assurance of health services inherently requires the processing of health data (when resolving complaints, for example), also the derogation excluding the prohibition to process data provided for in Article 9(2)(h) of the GDPR applies to Medita.
Recruitment
The legal basis for data processing is the need to take steps at the request of the applicant for a job as the data subject prior to entering into a contract (GDPR, Article 6(1)(b)).
In certain cases, for example, when we contact a person on our own initiative to ask whether they might be interested in working for Medita, the legal basis for processing data (contacting someone using contact details published by themselves) may also be the legitimate interest pursued by Medita (GDPR, Article 6(1)(f)).
Compliance with legal obligations
Data processing necessary for compliance with legal obligations, including any obligation not specifically noted in the Privacy Policy, is carried out under Article 6(1)(c) of the GDPR. Respective legal obligation may be defined either in the EU law or national legislation of Estonia. For example, according to § 12(1) of the Republic of Estonia Accounting Act, we are required to preserve all accounting source documents for seven years.
Managing the website and enhancing user experience
When we use optional cookies, the legal basis for processing data is the consent given by the user (GDPR, Article 6(1)(a)), and in the case of strictly necessary cookies and technological solutions required for the proper functioning of the webpage, the legal basis is our legitimate interest (GDPR, Article 6(1)(f)).
5. Origin of personal data
The data we process may come from:
- the data subject, and in some cases from their family members/relatives and representatives;
- other providers of health services;
- the Health Portal;
- national and local agencies and databases of the state information system;
- former employers (in the case of recruitment);
- public sources (in the case of recruitment).
6. Retention of personal data
We preserve personal data for no longer than is necessary for the purposes for which the data are processed, as specified in chapter 3 of this Privacy Policy.
Planning and providing health services and related supporting activities
Personal data are preserved in accordance with the regulation Conditions and Procedure for Maintaining Records of the Provision of Health Services, and the terms of preservation specified in § 42 of the Health Services Organisation Act (generally, for 30 years after the approval of data concerning the service provided to a patient).
Quality assurance of health services
Personal data are preserved in accordance with the regulation Conditions and Procedure for Maintaining Records of the Provision of Health Services, and the terms of preservation specified in § 42 of the Health Services Organisation Act (generally, for 30 years after the approval of data concerning the service provided for the patient). Records of the phone calls to the general phone line of Medita are preserved for 30 days or until the relevant complaint has been resolved.
Recruitment
In compliance with the Employment Contracts Act, employment contracts entered into with successful candidates and information received prior to entering into contracts are retained for 10 years after the expiry of the employment contract.
Data related to applications are preserved for one year after the end of the respective competition (in view of the limitation period of a claim provided for in § 25 of the Equal Treatment Act), unless the candidate has given consent for further preservation.
Data processing necessary for compliance with legal requirements
In order to comply with legal obligations, and in other exceptional cases, we may preserve personal data for longer periods than specified above, including for:
(a) meeting our legal obligations;
(b) reasons related to accounting;
(c) reasons related to exercising possible rights of claim.
For example, to be able to bring claims or respond to possible claims brought against us, we may preserve personal data for a maximum of 10 years, subject to respective limitation periods of claims, and in the case of ongoing disputes until their final settlement.
7. Transmission of personal data to third persons
We may transmit your personal data to third persons only when we have an appropriate legal basis to do so.
Please note that while providing some specific services, the transmission of personal data to third persons (e.g., other providers of health or laboratory services) is necessary because of the nature of the health service. To perform such or other tasks, we may also use the processors of personal data. In these cases, however, we have entered into a contract pursuant to Article 28 (3) of the GDPR with a relevant controller, which ensures a high level of the protection of personal data and compliance with all legal requirements and best practices.
Medita does not transmit your health data (and in general, any categories of personal data) to recipients located outside the European Economic Area. When data processing is absolutely necessary for the provision of services, for example, by virtue of the nature of cookies and technological tools used to ensure the functioning of the website, your personal data are only transmitted to the recipients outside the European Economic Area whose host state ensures a sufficient level of protection of personal data and/or the relevant level of protection is achieved by the application of appropriate safeguards (e.g., standard data protection clauses).
8. Security and references to external websites
In order to maintain security, we use different IT tools and have implemented organisational and physical security measures. Access to any personal data depends strictly on the needs or job.
When needed, personal data may be accessed by our employees who perform their duties pursuant to the employment contract or job description. In certain cases, restricted access to personal data may be granted to our partners and service providers who offer us specific services (e.g., accounting).
Our website may include references and links to other websites controlled by third parties. Please note that if you voluntarily click on a link or navigate any other web page referred to on our website, you are redirected to a web page managed by a third party and data processing through this web page is not under our control. Therefore, we recommend reviewing the privacy policies of the relevant third parties and information on cookies they use.
9. Data protection rights and exercise thereof
Under the GDPR, you have the following data protection rights:
Right to request access to your personal data
You have the right to request information on whether and which personal data we process, and on which legal grounds and how we process your personal data. You may also request a copy of your personal data undergoing processing.
Right to request the rectification and erasure
You have the right to request that we rectify inaccurate personal data concerning you (e.g., when your personal data change). You may also request the erasure of your personal data that we process.
Please note that we may or must refuse the erasure of specific personal data, for example in cases where ongoing processing is necessary for safeguarding any rights of claim or performing our legal obligations.
Right to restrict processing
You have the right to request that we restrict the processing of your personal data. In this case, we may still process your personal data to a certain extent, e.g., for safeguarding any rights of claim or performing our legal obligations.
Right to object
If the legal basis for processing data is our legitimate interest, you have the right to object to the respective processing of your personal data. In addition, you have the right to object to any automated decisions taken by us, and to processing your personal data if it is related to direct marketing.
Right to data portability
When we process your personal data on the basis of your consent or any contractual obligation, you have the right to receive from us your personal data in a structured, commonly used and machine-readable format. Where technically feasible, you also have the right to have your personal data transmitted by us to another controller you have chosen.
Right to withdraw consent at any time
If your personal data are processed on the basis of your consent, you have the right to withdraw your consent at any time. Please note that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
To exercise the above-described rights, please send an email to: andmekaitse@medita.ee.
Please also note that data protection rights are not absolute and for each request we have to decide whether and to what extent the legislation on data protection permits us to grant your request. We respond to your request within a month after its receipt. If we are unable to respond to your request within one month, we may extend the term for responding by two months, informing you of the extension and the reasons for delay within a month after the receipt of your request.
10. Acting in case of questions and complaints
When you have any questions or complaints related to the processing of your personal data, send an email to: andmekaitse@medita.ee. We respond to you within a month after the receipt of the question or complaint.
If you disagree with our response, you may file a complaint with the Data Protection Inspectorate (Tatari 39, Tallinn 10134; email: info@aki.ee; telephone: +372 627 4135).
11. Updating the Privacy Policy
We make every effort to process data and document everything related to it in a simple, clear and transparent manner, and in compliance with all legal requirements and best data protection practices.
For this purpose, we continuously update, specify and improve our Privacy Policy. The updated version can always be found on our website (www.medita.ee/for-the-patient/privacy-policy).