Emmy Medical Privacy Policy (PART PZS)

This Privacy Policy (hereinafter referred to as the “Principles”) aims to inform in a transparent manner about the processing of personal data in connection with the operation of the healthcare provider part of the Emmy web application (hereinafter referred to as the “PZS”), which can be accessed at https://dr.emmy.sk/ (hereinafter referred to as the “Application”). The Principles form an integral part of the Public Terms and Conditions of the section of the Application designated for the PZS.

1. Emmy Roles and Subjects

1.1. Emmy Medical s.r.o., company ID: 06785247, with registered office in Levohradecké nam. 1066, 252 63 Solutions (hereinafter referred to as “Emmy”) may, in relation to the processing of personal data in connection with the Application, be the administrator or the processor. The role of Emmy always depends on the purpose of the processing.

1.2. The data subjects of the processing of personal data in accordance with this Policy are PZS, who is a natural person (hereinafter referred to as “PZS FO”), or a person representing PZS, which is a legal person (hereinafter referred to as “Representative”), and further all users of the PZS customer account in the Application (hereinafter referred to as “Customer Account”).


2. Emmy as administrator

No automated decision-making, including profiling, takes place in any of the processing referred to in this Article.

Emmy is an administrator for the following purposes:

2.1. Administration of the contractual relationship with PZS and management of the Customer Account

Emmy may process the personal data of PZS FO, or the Representative, for the purposes of administering the contract between Emmy and PZS (hereinafter referred to as the “Agreement”) and establishing and maintaining a Customer Account, which includes the inclusion of PZS FO's personal data in the patient section of the Application or notifications of the Application. Emmy is entitled to provide PZS FO data both under the Agreement and outside the Application as a reference. In addition, this purpose includes the provision of support services for the Customer Account.

In the case of PZS FO, the legal basis for the processing is a contract or its performance (Article 6 (1) (b) GDPR). In the case of the Representative, the legal basis is the legitimate interests of Emmy and PZS (Article 6 (1) (f) GDPR) for the implementation of the contractual relationship.

The categories of personal data concerned may be:
(e.g. first name, last name)(e.g. email, phone, address)(e.g. time data, IP address)(e.g. function, signature)(about support)
The data source is the data subject directly, or PZS. Without providing identification and contact details, it is not possible to conclude the Agreement.

For this purpose, the data will be processed for the duration of the Agreement, and subsequently some data may be further processed on the basis of Emmy's legitimate interests (Art. 6 (1) (f) GDPR) for the defense of rights and property, up to the statutory limitation periods.

2.2. Ensuring the operation of the Application and its improvement

Emmy may process personal data of users of the Customer Account of the Application to ensure the security, availability and performance of the Application, as well as for its further development. The legal basis for the processing in question is Emmy's legitimate interests in providing quality services (Article 6 (1) (f) GDPR).

The categories of personal data concerned may be:
(e.g. first name, last name)(e.g. e-mail)(e.g. number of visits, time data, IP address, location, device)
The source of the data is primarily their automatic collection (logging), for which we may also use third-party tools. When obtaining feedback, however, we may also use data provided directly by the subject.

The data will be processed for this purpose for the period necessary to fulfill said purpose, which in some cases is 6 months.

2.3. Sending business announcements

This purpose includes the sending of newsletters and other messages that do not fall under another processing purpose specified in this Policy, namely to PZS FO or a Representative. The legal basis for the processing in question is Emmy's legitimate interests in maintaining contact with the customer (Article 6 (1) (f) GDPR).

The categories of personal data concerned are:

identification data (e.g. first name, last name), contact details (e.g. e-mail, telephone).

The data source is the data subject directly, or PZS; these are the data entered during registration.

For this purpose, the data will be processed until the recipient refuses further notifications (by unsubscribing) or objects to this processing, but at the latest for the duration of the Agreement.

2.4. Fulfillment of legal obligations

This purpose includes the processing of Customer Account users' data to comply with Emmy's obligations under the law, for example responding to a data breach, responding to the exercise of rights, and the like. The legal basis for such processing is the fulfilment of Emmy's legal obligation (Article 6 (1) (c) GDPR).

The categories of data concerned may be:

identification data (e.g. first name, last name), contact details (e.g. e-mail, telephone), details of the contractual relationship, other data necessary to fulfil the relevant obligation.

The data source can be the data subject directly, or PZS, or it may be data collected automatically.

For this purpose, the data will be processed for the period necessary to comply with the relevant legal obligation or for the period directly established by law.


3. PZS as administrator and Emmy as processor

In relation to most of the personal data of the users of the Customer Account processed in the Application, Emmy acts as the processor. For the general purpose of the processing set out below, the controller is directly PZS.

PZS, as the administrator, is responsible for having a legal basis for the processing and for providing all information about the data processing carried out through the Application to the users of the Customer Account. The information referred to in this Article 3 is of a general and informative nature only, and its accuracy and completeness is not guaranteed.

PZS processes the data of users of the Customer Account for the following purpose:

3.1. Access to and use of the Customer Account

This includes managing the Users of the Customer Account and their permissions, as well as keeping records of the accesses and activity of the Users of the Customer Account, including the inclusion of personal data in the patient section of the Application.

The legal basis may be the performance of a contract, generally employment, between PZS and the User of the Customer Account (Article 6 (1) (b) GDPR), or the fulfilment of a legal obligation of the PZS (Article 6 (1) (c) GDPR) or the legitimate interests of the PZS (Article 6 (1) (f) GDPR).

The categories of personal data concerned are:

identification data (e.g. first name, last name) (e.g. email, phone, address) (function, place of work) (e.g. time data, changes)

The data source is the data subject directly, or PZS, or it may be data collected in the performance of work tasks by the subject.

The recipients of the data are employees of PZS, patients (users of the patient part of the Application) and Emmy as a processor.

For this purpose, the data will be processed by PZS in the Application for the period necessary to fulfill the purpose of the processing. Data will be deleted from the Application in the event of termination of the contractual relationship between Emmy and PZS.

4. Recipients and data transmission

4.1. Personal data processed by Emmy as administrator may, to the extent strictly necessary, be disclosed to the persons involved in their processing. These persons are Emmy's employees and carefully selected processors, in particular those involved in the maintenance and support of the Application and IT service providers, whose current list can be found at the end of this document.

4.2. The data of PZS FO and the Representative, processed by Emmy as administrator, may be provided to users of the Customer Account. Recipients of PZS FO data can also be patients (users of the patient part of the Application) or the public. Alternatively, the data processed by Emmy may also be disclosed to Emmy's advisers bound by confidentiality obligations (e.g. lawyers) to the extent required by law, and then to public authorities.

4.3. Personal data processed by Emmy will not be disclosed to third parties other than as set out in this Policy.

4.4. The processed personal data is stored on servers in the data center of the authorized processor Amazon Web Services EMEA SARL, located in the EU. The transfer of processed personal data to third countries (usually the USA) can only take place to a very limited extent (e.g. in connection with the use of Google Analytics), in which case appropriate guarantees are always provided through so-called standard contractual clauses, a copy of which you can request.


5. Security

5.1. We really care about the security of your data, which is why we emphasize strict security measures when processing them, whether in the role of administrator or processor.

5.2. All data exchanged between you and PZS is encrypted during transmission. Our trained employees will only access your data when necessary and in accordance with this Policy. Only a minimum number of designated employees are entitled to access, and they are additionally bound by a duty of confidentiality.

5.3. AWS, which Emmy uses as an IT infrastructure provider, holds ISO 27001, ISO 27017, and ISO 27018 security certifications. We use Amazon Cognito services to secure all access to Emmy. AWS services are used by banking, financial, and healthcare providers around the world. Learn more about AWS datacenter security (in English) here.

6. Cookies


6.1. The Application uses cookies as described in the cookie policy, which is available here.


7. Business premises

7.1. If PZS FO or the Representative does not refuse to do so at the conclusion of the contract, Emmy is authorized to use registered contacts (e-mail, telephone) to send messages that are in the nature of commercial communications. The processing of personal data in this case is described in Article 2.3. The sending of notifications can subsequently be refused in the manner indicated in each individual notification, for example by means of an unsubscribe link.


8. Rights of data subjects

In connection with the processing of their personal data, whenever the conditions established by law are met, the subjects have the rights listed below. These rights may be exercised against Emmy as administrator via the contact details in Article 8. With regard to processing where the controller is the PZS (see Article 3), the rights must be exercised directly with the PZS.

The data subject shall have the following rights:

8.1. The right to access personal data, i.e. the right to request confirmation as to whether your data is being processed and, if so, to obtain information about the processing in question or a copy of the processed data;

8.2. The right to request the correction of inaccurate or incomplete data;

8.3. The right to request the immediate erasure of the processed data, if one of the reasons provided for by law is given;

8.4. The right to request a temporary restriction of the processing of personal data, if one of the reasons provided for by law is given;

8.5. The right to object to the processing of data on the legal basis of legitimate interests or for direct marketing purposes;

8.6. The right to withdraw consent to the processing of personal data at any time;

8.7. The right to the portability of personal data, i.e. the right to request the processed data in a structured, machine-readable format, provided that the conditions laid down by the legislation are met.


9. Contact

9.1. If you have any questions regarding the exercise of your rights or any questions regarding the processing of personal data, you can contact our Data Protection Officer by e-mail at poverenec@sestraemmy.sk, or contact us in writing at the address of the registered office of the company. If the subject has a complaint regarding the processing of personal data, they have the right to contact the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic. More information can be found at www.dataprotection.gov.sk.


List of personal data processors



- Amazon Web Services EMEA SARL, Czech Branch, company ID: 09049266, with registered office Sokolovská 689/115, 186 00 Prague
- Solitea, a.s. (operator of the IdoKlad service), company ID: 01572377, with registered office Drobný 555/49, Ponava, 60200 Brno
- SENDINBLUE, 7 rue de Madrid, 75008 Paris, France
- Vocalls Inc s.r.o., company ID: 06413421, with registered office Rostovská 314/14, Vršovice, 101 00 Praha 10


Version 1.1

Effective from: 1. 1. 2023
