Date drafted: 04.05.2020
General terms and conditions of personal data processing of OÜ Antegenes
OÜ Antegenes, registry code 14489312, hereinafter ‘Antegenes’, provides various healthcare and other services. To provide these services, Antegenes processes personal data. This document describes how Antegenes processes your personal data if you contact us to receive services. Please read these terms and conditions and if you have any questions regarding how we process your personal data or if you wish to send us a request to exercise your personal data processing rights, please contact us using the contact information provided below.
Antegenes may change these terms and conditions of personal data processing. Updated terms and conditions of personal data processing will be available on the Antegenes’ website.
‘GDPR’ – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
‘Personal data’ – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For example, personal data includes your name, identification number, email, health data, and genetic data.
‘Valid legislation’ – all valid legislation of the European Union and of the Republic of Estonia, including but not limited to, the Personal Data Protection Act or other GDPR implementing acts in force in Estonia and acts regulating healthcare service provision.
‘Patient’ or ‘data subject’ – a natural person who contacts or has contacted Antegenes to receive services.
‘Antegenes’ or ‘controller’ – OÜ Antegenes, registry code 14489312.
‘Processing’ – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘Controller’ – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of these terms and conditions of personal data processing, the controller of the customer’s personal data is Antegenes.
‘Processor’ – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
2. General provisions
2.1. The terms and conditions of personal data processing will apply if you contact Antegenes to receive services.
2.2. The terms and conditions of personal data processing describe the general principles of personal data processing of Antegenes.
2.3. Antegenes ensures that the patients’ personal data is processed in accordance with valid legislation.
The main legal acts Antegenes adheres to when processing the patient’s personal data, are the Health Services Organisation Act, Health Insurance Act, Medicinal Products Act, Personal Data Protection Act, and the GDPR.
3. When and for what purposes Antegenes processes personal data
3.1. Antegenes processes patients’ personal data only for specified purposes and in accordance with valid legislation.
3.2. If you contact Antegenes to receive a healthcare service, we will process your personal data for the purposes of providing you with the specific healthcare service. In that case, we process your personal data in accordance with the Health Services Organisation Act and the contract concluded with you for the purposes of providing you with the healthcare service you requested. To provide you with the healthcare service, we process your data that enables personal identification, such as your name and identification number, and data necessary for providing you with the healthcare service, including health data. The particular health data that we process will depend on the specific healthcare service that will be provided. To provide you with a healthcare service, we may also process you contact data and bank account data for the purposes of billing you for the healthcare service and sending you organisational information before or after you visit; for example, we may send you a notification about the time of the visit. Antegenes will not transmit your personal data or health data to third parties, except to the extent permitted by valid legislation.
3.3. If you contact Antegenes to receive a non-healthcare service, we will process your personal data for the purposes of providing you with the requested service. To provide you with the service, we process your data that enables personal identification, such as your name and identification number, and data necessary for providing you with the service, including your health data, if processing health data is necessary for providing the service. We may also process you contact data and bank account data for the purposes of billing you for the service and sending you organisational information before or after you visit; for example, we may send you a notification about the time of the visit. Antegenes will not transmit your personal data or health data to third parties, except to the extent permitted by valid legislation.
3.4. For the purposes of analysing and assessing patient satisfaction, Antegenes will have the right to ask you for feedback about the provided service. If the patient is underage, their parent or legal guardian may be asked to provide feedback.
3.5. If you have consented to your personal data being processed by us, your consent is the legal basis for processing your personal data. In that case, we process your personal data in accordance with the purposes described in the consent document and to the extent described therein. If you have consented to your personal data being processed by us, you have the right to withdraw your consent at any time.
4. Transmission of personal data and use by processors
4.1. Antegenes will not transmit your personal data to third parties, except when legally permitted by valid legislation.
4.2. In accordance with valid legislation, Antegenes has the right to use processors for processing personal data. Antegenes’ processors may process patients’ personal data in limited circumstances. Antegenes only uses such business partners as processors who have agreed to processing personal data in accordance with these terms and conditions of personal data processing and with valid legislation. The processors of Antegenes are not limited to the entities mentioned in this chapter, and Antegenes has the right to use entities not mentioned in this chapter as processors. As processors, Antegenes mostly uses various healthcare service provision business partners (business partners providing general or specialist medical services used by Antegenes for providing services to the patient); IT partners (various providers of server services, IT support services, communication services, and other information technology service providers), marketing partners, payment service providers (e.g. Maksekeskus AS) and other service providers and business partners.
5. Personal data retention
5.1. Antegenes only retains personal data for as long as it is necessary for the purposes of personal data processing or required by valid legislation.
5.2. Antegenes retains documents containing personal data in accordance with time limits specified in legislation.
5.3. Patient DNA and genotype data is stored pseudonymised and processed at the University of Tartu Institute of Genomics (Riga 23b, 51010 Tartu, Estonia). If you have any questions, you can contact the Institute of Genomics by phone +372 737 40 23 or by e-mail email@example.com. At the Institute of Genomics, patient data is stored following the deadlines provided by legislation. The patient has all the rights arising from arising from the Personal Data Protection Act concerning the data stored at the Tartu Institute of Genomics.
6. Your rights as a data subject
6.1. In terms of personal data processing, you have all the data subject rights arising from valid legislation.
6.2. Inter alia, you have the following personal data processing rights:
6.2.1. Access right: you have the right to ask at any time whether Antegenes has any of your personal data or not and receive information about which of your personal data Antegenes processes;
6.2.2. Right to rectify your personal data: you have the right to request that Antegenes clarifies or rectifies your personal data if the data is insufficient, defective, or incorrect;
6.2.3. Right to object: you have the right to object to Antegenes processing your personal data;
6.2.4. Right to demand personal data erasure: you have the right to demand that your personal data be erased; for example, when you have given your consent to personal data processing and have withdrawn your consent;
6.2.5. Right to restrict processing: you have the right to demand that Antegenes restricts the processing of your personal data in accordance with valid legislation; for example, when Antegenes no longer needs your personal data for the purposes of processing or if you have objected to personal data processing;
6.2.6. Right to withdraw your consent to personal data processing: if your personal data is processed on the basis of your consent, you have the right to withdraw your consent at any time;
6.2.7. Right to data portability: the customer has the right to receive from Antegenes the personal data that the customer has given to Antegenes and that is processed on the basis of the customer’s consent or for the purposes of the contract concluded with customer; the customer will receive the personal data in writing or in a common electronic format and, if technically possible, the customer has the right to request that Antegenes transmits this data to a third party service provider;
6.2.8. Right to submit a complaint: if you think that your personal data processing rights have been violated, you have the right to turn to the Data Protection Inspectorate or a court of law to submit a claim or a complaint.
6.3. Your data processing rights listed in this chapter are not absolute rights. In certain circumstances, the rights of other data subjects or the legal obligations of Antegenes may limit the rights of the data subject.
6.4. To exercise your data processing rights or submit your data processing requests, please contact us using the contact information listed below in the section “Contacts”.
7.2. We use the Matomo web analytics tool on our Website that gathers general information about how a visitor uses our Website. For example, Matomo collects data on visitor geography, computer browser and version of the operating system, time and duration of visits and the number of visits to webpages and traffic between them. We only see the data we collect in an un-personalized form. We use the information we receive to make our Website more visitor friendly. For more information, please go to Matomo’s webpage.
7.3. We use pixel tags on our Website to track visitors (e.g. Facebook Pixel). They collect data that helps us optimize Facebook ads, build targeted audiences and display relevant ads to people who have visited our website. It does not store directly personal information, but uniquely identifies your browser and device. For more information, please go to webpages about Facebook Ads or Facebook Pixel.
7.4. You may opt out of the cookies on the Website at any time by changing the web browser settings of the device you are using. If you block all cookies in your web browser settings, you may not be able to access some or all of our Website.
8. Security of personal data
8.1. Antegenes ensures the security of personal data processing in order to protect personal data from accidental or unauthorised processing, disclosure, or destruction.
8.2. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Antegenes implements appropriate technical and organisational measures to ensure the security of personal data.
9.1. If you have any questions or wish to submit requests related to personal data processing, please contact Antegenes or Antegenes’ data protection specialist via phone, email or mail.
Antegenes’ contact information:
Company name: OÜ Antegenes
Address: Raatuse 77, Tartu 50603
Phone number: +372 5377 8141
Antegenes’ data protection specialist:
Berit Kolk; email: firstname.lastname@example.org; phone number: +372 5377 8141