I. INFORMATION ABOUT THE CONTROLLER
The controller of personal data processing is JSC “Veselības centru apvienība,” registration number 40103464662 (hereinafter – the Clinic), legal address: Andreja Saharova Street 16, Riga, LV1021. Contact email: info@VisitAiwa.Clinic
Data Protection Officer: For any concerns, suggestions, or questions related to the processing of your personal data by the Clinic, please contact our Data Protection Officer at info@VisitAiwa.Clinic
II. GENERAL INFORMATION
The purpose of this Privacy Policy is to provide individuals – Data Subjects – with information about the purpose, legal basis, scope, protection, and retention period of personal data processing at the time of data collection and during processing.
This Privacy Policy ensures privacy and personal data protection for:
Individuals – patients of the Clinic (including potential, former, and current patients);
Visitors to the Clinic, including those monitored by video surveillance;
Visitors to the Clinic’s website.
The Privacy Policy applies to the processing of data regardless of the format or environment in which the Data Subject provides personal data (e.g., in person, via the Clinic’s website, in paper form, or by phone).
The Clinic ensures the privacy and protection of the Data Subject’s personal data, observing patients' rights to lawful data processing under applicable legal acts, including:
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);
The Personal Data Processing Law;
The Patient Rights Law; and
Other applicable laws and regulations on privacy and data processing.
In its operations, the Clinic:
Protects the personal data of the Data Subject through administrative, technical, and physical security measures proportional to the risks;
Provides information about the personal data required for service provision and their intended use;
Transfers data to third parties only in compliance with applicable regulations;
Implements regular training and awareness programs for employees regarding personal data protection;
Conducts internal control procedures to reduce the likelihood and impact of security incidents.
III. PURPOSES AND LEGAL BASES OF PERSONAL DATA PROCESSING
Purpose: Provision and administration of healthcare services.
Legal Basis: GDPR Article 6(1)(c) and Article 9(2)(b) – processing is necessary to comply with legal obligations applicable to the Clinic.
Recipients: Authorized employees and medical staff of the Clinic, public authorities, and external service providers (operators).
Purpose: Enabling appointment bookings electronically through the “Book a Visit” platform available on the Clinic’s website visitaiwa.clinic.
Legal Basis: GDPR Article 6(1)(a) and Article 9(2)(a) – the Data Subject has given consent for their personal data processing.
Recipients: Authorized employees and medical staff of the Clinic.
Purpose: Communication with current/potential clients, providing information about the Clinic, its services, and their availability through:
The “Feedback Form” available on the website visitaiwa.clinic;
Social media platforms (Facebook, Instagram) managed by the Clinic.
Legal Basis: GDPR Article 6(1)(a) and Article 9(2)(a) – the Data Subject has given consent for their personal data processing.
Recipients: Authorized employees and medical staff of the Clinic, social media platform owners, and other platform users.
IV. DATA RETENTION PERIOD
The Clinic retains and processes personal data for as long as at least one of the following criteria is met:
Obligations arising from a contract between the Clinic and the Data Subject (Patient) or the provision of healthcare services are fulfilled;
The Clinic has a legal obligation to retain the data under applicable regulations;
The Data Subject’s request/inquiry has been fully reviewed and/or executed;
The Data Subject’s consent for data processing is valid unless there is another legal basis for processing.
Video surveillance data (video recordings) are retained for no more than 14 days from the date of recording.
Once the necessity for data retention ceases, the Data Subject’s personal data is deleted.
V. ACCESS TO PERSONAL DATA AND OTHER RIGHTS OF THE DATA SUBJECT
The Data Subject has the right to:
Access their personal data;
Request the deletion, rectification, or restriction of personal data processing;
Request data portability;
Submit complaints regarding the use of personal data to the supervisory authority if they believe that their personal data processing violates legal requirements.
VI. CONSENT AND WITHDRAWAL OF CONSENT FOR DATA PROCESSING
Consent for data processing, where the legal basis is consent, can be provided in writing at the Clinic, by mail, or via email with a secure electronic signature.
The Data Subject has the right to withdraw their consent at any time in the same manner as it was given. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
VII. WEBSITE VISITS AND COOKIE PROCESSING
The Clinic’s website may use cookies to recognize users and facilitate website usage. Web browsers can be configured to notify visitors of cookies and allow them to decide whether to accept them. Rejecting cookies will not prevent visitors from using the Clinic’s website but may limit its functionality.
VIII. CHANGES TO THE PRIVACY POLICY
The Clinic reserves the right to amend this Privacy Policy in response to changes in circumstances affecting personal data processing regulations. Regularly visiting this section is recommended to stay updated.