Α. Processing Manager

The Medical Company under the name ASTREA IΔIΩTIKO IΔIΩTIKO POLYIATIRIO IATPIKI E.E. (and with the distinctive title ASTREA), which has its registered office in Athens (54, Vasilissis Sofias Street, P.C. 115 28, tel. 2168080149 e-mail: info@astrea.health), (hereinafter referred to as the “Medical Company“), hereby informs you, in its capacity as controller, in accordance with Regulation (EU) 2016/679 (hereinafter referred to as the “GDPR”) and the relevant provisions of the Greek legislation on the protection of personal data, as applicable, of the type of personal data it collects, the source of their collection, the reason for their collection and processing, any recipients, the time of their retention, any transfer outside of Greece, the purpose of their collection and processing, any recipients, the time of their retention, any transfer outside of Greece, and any transfer outside of Greece.O.C. as well as your rights in relation to your data as a client of the Medical Company and how you can exercise them.

Β. Information about the processing of your data

B1: Creating a Customer Folder

Data categories	Purpose	Legal Base	Recipients	Compliance times
Identifying information (e.g. full name, date of birth, AMKA)	Creating a client folder	Article 6 par. 1(b) of the GDPR	Processors: accounting service providersIT systems support service providers hosting and cloud providers (cloud providers)Financial institutions, to the extent necessary for the execution of the transactionInsurance companies, for coverage of the insurance caseSocial security institutions and tax authorities, in accordance with the applicable insurance and tax legislation respectivelyLawyers, if this is necessary for the exercise of the rights of the Medical Society and the defence of its legal interestsBailiffs, notaries,	10 years since the patient’s last visit
Payment details, (e.g. credit cards, repayments/debts)
Contact details [e.g. postal and e-mail address, telephone number (fixed, mobile)
Invoicing details (e.g. VAT and tax office)		Article 6 par. 1(c) of the GDPR in conjunction with the tax legislation

B2: Provision of specialized services of the Medical Society

Data categories	Purpose	Legal Base	Recipients	Compliance times
Health data (e.g. medical history, dates of visit, type of service provided, treatment, insurance eligibility, details of any private insurance, genetic/biometric data, etc.)	Provision of medical services by the Company	Article 6 par. 1(b) & Article 9 par. 2(h) GDPR	Collaborating laboratories:CardeaMedical,Eurogenetics,Medicover,Iatropolis,DnaBioLab	10 years since the patient’s last visit
			Associated physicians and health professionals such as dieticians, physiotherapists, psychologists who cooperate with the company and have signed a contract regarding data processing and compliance with the law.
		Article 9 par. 2(a) of the GDPR	Other doctors and health professionals to whom your data and results/ conclusion/ opinion should be communicated
			Third parties you have authorised to collect the tests on your behalf
	Conducting clinical studies	Article 9 par. 2(j) GDPR & Article 89 GDPR (we proceed to the collection of your data and pseudonymisation.	Partner organisations

C3: Sending a newsletter

Data categories	Purpose	Legal Base	Recipients	Compliance times
Contact details[SK1]  e.g. e-mail address)		Article 6 par. 1(a) of the GDPR & Article 11(1)(a) of the GDPR. 1 ν.3471/2006	Processors: accounting service providersIT systems support service providers hosting and cloud providers (cloud providers)Bulk email platform	Until your consent is withdrawn
	Send Newsletter
		Article 11 par. 3 of Law 3471/2006 in conjunction with Article 6 par. 1(f) of the GDPR

The above personal data are provided to the Medical Company directly by our clients (you), as data subjects, and in case they are minors or under legal representation, by their legal representatives having custody.

Γ. Transfer of data outside the EEA

The Medical Company does not transmit your personal data to third countries outside the EU.

If clinical studies are conducted with companies outside the E.U.C., the criteria of Chapter V of the GPDR are met.

D. What rights you have in relation to your data and how you can exercise them

As customers of the Medical Company, you have a number of rights, according to the provisions of articles 15-22 of the GDPR, regarding your personal data, which are processed by the Medical Company.

If you wish to exercise any of your rights, please fill in the corresponding form and send it to info@astrea.health or in writing to Vasilissis Sofias 54, 11528 Athens. Please note that in case of reasonable doubt about the identity of the data subject, we may request additional information to confirm the identity.

Please note that the Medical Company has in any case the right to refuse, in part or in full, to comply with your request for restriction of processing or deletion of your data, if the processing or keeping of your personal data is necessary for the establishment, exercise or support of its legal rights or the fulfilment of its legal obligations.

The Medical Company must respond to your request within one month of receiving it. This deadline may be extended by two more months, if required at the Medical Company’s discretion taking into account the complexity of the request and the number of requests, in which case the Medical Company will inform you within one month of receipt of the request for such an extension and the reasons for the delay.

If the Medical Company fails to act on your request in the exercise of the above rights or after its response you consider that your above mentioned rights are violated, you may file a complaint with the Personal Data Protection Authority, 1-3 Kifissia Street, 115 23, Athens, https://www.dpa.gr/, tel. 2106475600.

For any matter concerning the protection of your personal data, you can contact the Data Protection Officer of our company, at the following e-mail address: g.goumenopoulos@gagdpr.com

---