Personal Data Processing Statement

Psyon s.r.o., with its registered office at Čistovická 249/11, Prague 17, 163 00, Czech Republic, Company Reg. No.: 08291080, incorporated in the business registry of the Municipal Court in Prague under file no. C 316419/MSPH, (hereinafter referred to as “Psyon”) has issued this Personal Data Processing Statement (hereinafter referred to as the “Statement”) in accordance with the Regulation 2016/679/EU of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation; hereinafter referred to as the “GDPR”), which became effective as of 25 May 2018.

This Statement has been issued by Psyon primarily in order to provide its clients (patients) and contractual partners (including employees and providers of healthcare services), as data subjects, with information about how their personal data is processed, for what purpose and to what extent. Furthermore, the Statement provides the data subjects with information on what rights they have in relation to the processing of their personal data.

I. What will you learn in this document?

  • Explanation of key terms (Article II)
  • Method of processing (Article III)
  • Categories of personal data processed (Article IV)
  • Processing based on consent (Article V)
  • Contact information of Psyon as the data controller (Article VI)
  • Recipients of personal data (Article VII)
  • Data processing method and data retention period (Article VIII)
  • Data subject rights in relation to personal data protection (Article IX)
  • Consequences of failure to provide personal data (Article X)

II. Explanation of key terms

First, we would like to explain the key terms used in this Statement. These terms are adopted from the GDPR, where you can find their precise legal definitions.

For the purposes of this Statement and its clarity, we have taken the liberty of simplifying and clarifying certain legal definitions.

As used in this Statement, the below terms shall have the following meanings:

“personal data” = all information about the data subject;

“data subject” = a natural person (individual) who can be identified, directly or indirectly, on the basis of certain unique information;

“processing” = any operation concerning the personal data, in particular the collection, registration, organisation, structuring, storage, adaptation, modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, sorting, combination, restriction, erasure or destruction of such data;

“data controller” = a natural or legal person or an official authority which determines the purposes and means of the processing of the personal data;

“data processor” = a natural or legal person or an official authority which processes the personal data on behalf of the data controller.

III. Method of processing

In relation to the personal data it processes, Psyon acts as the data controller. The data controller is a subject which determines the purposes and methods of the processing of the personal data and is primarily responsible for its processing. The data controller processes the personal data for purposes arising out of its activities (e.g. on the basis of legal obligations or in order to ensure due performance of contractual obligations); however, it can also process the data for its own purposes (e.g. for the purposes of its legitimate interests, provided these interests do not override the interest in the protection of the fundamental rights and freedoms of the data subject).

The processing of personal data is carried out mainly on Psyon’s premises by duly trained staff. Alternatively, in specified cases, the processing may be performed by third party data processors commissioned by Psyon for this purpose. The processing is carried out using computer technology or, where appropriate, also manually, in relation to personal data contained in paper form, in compliance with the security measures adopted in order to ensure the proper handling of personal data, including the maintenance of the data and security integrity of the relevant systems. For this purpose, Psyon has adopted technical and structural security measures, particularly measures to prevent unauthorized or accidental access to personal data, the modification, destruction, loss, unauthorized transfer or unauthorized processing of such data, and any other misuse of such data. In accordance with the GDPR, Psyon can transfer personal data to other EU countries, particularly when using information systems, in which the data storage servers of the individual cloud services may be located in other EU countries.

IV. Categories of personal data processed

Psyon processes personal data primarily for the purpose of providing healthcare services and related activities (in particular for the maintenance of medical records), primarily to comply with its legal obligations. In general, this includes the following categories of personal data:

  • Identification information – name, surname, residence address / registered office, personal ID number / insurance number, health insurance company, signature.
  • Contact information – delivery address, contact address, phone number, email address and other similar information.
  • Health information (a specific category of personal data) – medical history, diagnosis, laboratory test results, medical records, genetic information and similar sensitive information regarding the patient’s health.

Furthermore, Psyon processes personal data with the purpose of fulfilling its rights and obligations under contracts related to or in connection with the company’s activities which Psyon has concluded with its contractual partners (primarily healthcare providers, self-pay patients, purchasers, suppliers and employees), doing so on the basis of and within the extent stipulated in these contracts. This includes the following categories of personal data:

  • Identification information – name, surname, personal ID number, date of birth, residence address / registered office, health insurance company, insurance number, company registration number, tax ID, site/facility ID number, signature.
  • Contact information – contact address, phone number, email address, fax and other similar information.
  • Education/qualifications information – professional competence, continuing education, certificates of formal qualification and its enhancement and other similar information.
  • Payment information – bank account number, payment history.

The above-described processing of personal data is necessary for the performance of Psyon’s legal obligations as a provider of healthcare services and for the performance of its contracts. For this reason, Psyon does not need the explicit consent of the data subject to process its personal data in the above cases. Additionally, Psyon processes certain personal data of its clients, contractual partners and third parties where this is necessary to protect its assets and other legitimate interests. In all such cases, however, Psyon shall strictly ensure that such interests are not overridden by the interests or fundamental rights and freedoms of the data subjects whose personal data is to be processed. In order to protect its own assets, Psyon operates a video surveillance system on some of its premises. The operation of the video surveillance system is subject to strict regulations and is performed only to the extent necessary so as not to excessively interfere with personal privacy. This processing of personal data is necessary for the purposes of Psyon’s legitimate interests, and, therefore, the company does not need the consent of the data subjects to process this personal data in this case either.

V. Processing based on consent

For the purposes of sending business communications, Psyon also processes certain personal data on the basis of the data subject’s consent.

For the processing of data that does not fall under any of the above categories, we need your explicit consent to process your personal data. In this narrow category of personal data, we process, for example, the data about visits to Psyon’s website (particularly data processed via cookies, the visitor’s IP address and similar data) and marketing data, provided you have given your consent to the provision of such data to Psyon. You are not obligated to provide this information and such information may only be processed with your consent. You can withdraw your consent to the processing of the above data at any time at info@psyon.cz. However, your withdrawal of consent shall not affect the lawfulness of the processing of data prior to such withdrawal.

VI. Contact information of Psyon as the data controller

Company: Psyon s.r.o.

Company registration no.: 08291080

Registered office: Čistovická 249/11, Prague 17, 163 00, Czech Republic

Incorporated in the business registry administered by the Municipal Court in Prague, section C, file 316419

Email: info@psyon.cz

With respect to any issue relating to personal data, you can contact Psyon electronically at the email address info@psyon.cz or in writing at the above company address.

VII. Recipients of personal data

In addition to the data controller and its employees, third parties also take part in the processing of personal data to the extent necessary. The data is transferred primarily to data processors, who work with Psyon so as to provide server, web, cloud, IT and other services necessary for the operation of the company. In order to protect personal data, Psyon has set up internal processes in such a way as to ensure that such personal data is only disclosed to specified third parties and only in justified cases and to the extent necessary. In order for Psyon to be able to meet its legal and/or contractual obligations, the company discloses the information about its clients (patients), contractual partners and employees to certain third parties, including but not limited to health insurance companies, other healthcare providers, the tax administrator, and the data processors authorized by Psyon to process personal data for the purposes of meeting Psyon’s legal and/or contractual obligations (data archiving operator, auditors, external lawyers, IT systems operators, entities responsible for the billing of the provided healthcare services, call centre, etc.).

VIII. Data processing method and data retention period

The way in which Psyon processes your personal data includes manual and automated processing in information systems as well as in physical (hard copy) form. However, in no case is your personal data processed by means of automated decision-making and profiling.

Psyon handles your personal data in accordance with the applicable law and protects it by using all technical and structural measures to prevent the misuse, damage or destruction of your personal data.

We process personal data only for as long as necessary for the purposes of the processing, i.e. particularly for the exercise and performance of all rights and obligations under contracts and legal regulations, or for the period during which claims arising out of the contractual relationship in question may be asserted, but for no longer than 10 years, save as otherwise provided by applicable law. The duration of data processing and retention at Psyon is determined primarily by the statutory time limits as set out in Czech Government Decree No. 98/2012, on medical records, as amended, in Czech Act No. 582/1991, on the organization and implementation of social security, as amended, Czech Act No. 97/2019, on organ and tissue donation, retrieval and transplantation, (here the time limit is 10 years) and in Czech Act No. 563/1991, on accounting, as amended (e.g. for medical records, in certain cases, the time limit is up to 100 years).

Should it be determined that the personal data is no longer needed for any of the purposes for which it is processed, we will delete the data.

Your personal data that Psyon is not entitled to process on any other grounds set out in the GDPR except for your consent will only be processed by Psyon with your consent and for the duration of that consent.

IX. Data subject rights in relation to personal data protection

With respect to the processing of your personal data, you have the following rights, which can be exercised by email: info@psyon.cz.

  • Right to access to personal data relating to you – you have a right to request confirmation of whether or not your personal data is being processed and, where applicable, to request a copy of your personal data that Psyon processes;
  • Right to rectification of personal data in the case of inaccurate data, or the right to completion in the case of incomplete personal data;
  • Right to erasure of personal data relating to you (“right to be forgotten”) – Psyon will erase your personal data and no longer retain it if (a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, (b) you withdraw your consent and there is no further legal basis for the processing, (c) you object to the processing and there are no overriding legitimate grounds for processing, (d) the personal data has been processed unlawfully, (e) the personal data must be erased to comply with a legal obligation of Psyon, unless the GDPR allows further processing;
  • The right to restrict the processing of personal data relating to you if one of the grounds set out in the legal regulations applies (e.g. because of the unlawfulness of the processing or the inaccuracy of the personal data processed);
  • Right to lodge a complaint with the supervisory authority, which is the Czech Office for Personal Data Protection (residing at Pplk. Sochora 27, 170 00, Prague 7, Czech Republic), should you believe that the processing of your personal data violates the GDPR or another legal regulation;
  • Right to portability of the data you have provided to Psyon which is processed by automated means on the basis of a contract or your consent.

You also have the following rights in relation to the processing of your personal data:

  • The right to object to the processing of personal data relating to you insofar as it concerns the processing of personal data by Psyon for the performance of a task carried out in the public interest or in the exercise of official authority (however, Psyon does not carry out such processing), on the basis of legitimate interests or for direct marketing purposes. Unless Psyon can demonstrate compelling legitimate grounds for the processing which override your interests or rights and freedoms or for the establishment, exercise or defence of legal claims, the personal data will not be further processed. Should you object to the processing of your personal data for direct marketing purposes (including profiling), your personal data will no longer be processed by Psyon for these purposes, regardless of whether there are compelling legitimate grounds for such processing.
  • The right to withdraw consent to the processing of your personal data where your consent is the legal basis for the relevant processing of your personal data.

X. Consequences of failure to provide personal data

The provision of personal data of Psyon’s clients or contractual partners which the Company needs for the purposes of the maintenance of medical records to the extent required by applicable law and for the performance of its legal obligations as a healthcare provider is a legal requirement, and, from Psyon’s perspective, it is necessary for the performance of the relevant contract. Without the provision of such personal data, Psyon would not be able to duly perform its legal and contractual obligations; therefore, any failure to provide personal data may result in Psyon not being able to enter into the relevant contract or not being able to provide its services.

With respect to personal data that is processed on the basis of your consent, the provision of such consent is entirely voluntary. In such a case, any failure to provide consent or the withdrawal of consent will not have any consequences for you. However, even if the consent is withdrawn, the processing of personal data prior to the withdrawal of consent will remain lawful.
