Privacy Policy
Effective since September 2018
- Who we are and what we do
OSTEOCELL (hereinafter referred to as the “Company” or “we” or “our”), a company with its registered seat in Athens, at 4 Themistokleous Str., with email address info@osteocell.gr, telephone +30 210 3823007, fax +30 210 3303133 and website www.osteocell.gr, is mainly engaged in importing, storing and distributing human tissue skeletal implants under the applicable national and European legislation.
For the purposes of providing its professional services, the Company may proceed to the collection and processing of natural persons’ personal data in accordance with Greek legislation in force, as well as with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter “GDPR”) and thus it may act as a “data controller”. At the same time, due to its main activity and frequent transactions with Public and Private Nursing Institutions, the Company may process personal data on behalf of those institutions, therefore it may also act as a data processor for those specific processing activities, always on documented instructions of the relevant data controller.
This Privacy Policy aims to clarify our personal data processing practices, by explaining what type of personal data or other personally identifiable information we may gather during the use of our website and our services by you, how and why we gather such information, what we use your personal information for, when and to whom we might share and disclose information about you, as well as how you can manage information about you and exercise your rights, as envisaged under the GDPR.
By providing your personal data to us (whether via our website, by email, in person or over the phone), you agree to the processing as per this Privacy Policy.
- What personal information do we collect and how do we collect it?
We may collect and further process different types of personal data in the course of operating our business and providing our services. These data may include:
- Basic personal data and contact information, such as your name, job title, postal address, business address, telephone number, mobile phone number, fax number and email address;
- Financial and tax-related data, such as payment related information necessary for processing payments as well as for fraud prevention, such as bank account details, credit/debit card numbers, security code numbers and other related billing information, TIN etc.;
- Identification and other background verification data, such as copy of passports or IDs, dates of birth, utility bills etc.;
- Special categories of personal data, such as health data (sensitive data);
- Records of your communication and visits to our premises;
- Recruitment related data such as your Curriculum Vitae, your education and employment history, details of professional memberships and other information relevant to potential recruitment to the Company;
- Website usage data, such as details of your visits to our website or information collected through cookies;
- Any other personal data related to you that you may provide.
We may collect your personal data through a variety of means and in different ways. In particular:
- You may provide the personal information to us directly, for example through the completion and submission of a form on our website, by corresponding to us via email, letter or telephone or in person during a visit to our premises or your participation in the events that we organize;
- We may collect the information from third party sources, such as when we receive information about you from collaborators and external consultants with whom you may already have a business relationship, for the purposes of further cooperation with our Company;
- We may collect the information from publicly available sources.
- How do we use your personal data and for what purposes?
We collect and further process your personal data for specified, explicit and legitimate purposes, as described in this Privacy Policy, that are justified under European and national data protection laws, and do not process your personal data further in a manner that is incompatible with those purposes and those data protection laws.
In particular, we use the personal data:
- To provide products and services you may have requested;
- To manage our business operations and administer our clients’ business relationship with us, including processing payments, accounting, auditing, billing, supporting services;
- To analyse and improve our services to and communications with you;
- To protect the security of and manage access to our premises, IT systems, communication systems and our website and prevent and detect security threats, fraud or other criminal or malicious activities;
- For investigating purposes and to prevent unauthorized access to the services and other illegal activities;
- To identify persons authorised to trade on behalf of our clients, customers, suppliers and/or service providers;
- To comply with our legal and regulatory obligations, including reporting to and/or being audited by national and international regulatory bodies;
- To ensure the traceability of human tissue data (tissue and bone grafts) as well as data concerning medical devices (implantable orthopedic material), as required by national legislation;
- To comply with court orders and/or defend our legal rights;
- To communicate with you on the latest legal developments, announcements, and other information about us, via newsletters, briefs etc., upon your explicit consent;
- For the assessment of qualifications and the probability of recruitment in our Company;
- To facilitate your presence at the events we organize and offer you the appropriate service; and
- For any other purpose related and/or ancillary to any of the above or any other purpose for which your personal data was provided to us.
Any potential marketing-related communication will only be carried out after you have opted in and we will provide you the opportunity to opt out anytime, if you do not wish to continue receiving marketing-related communication from us. We will not use your personal data for taking any automated decisions affecting you or creating profiles other than as described above.
- What is the lawful basis for processing your personal data?
We process any personal data that we collect as above, based on the following lawful bases:
- The personal information we hold and process is necessary for the performance of our services contract or other agreement, to which our clients are a party, or to supply the products and perform the services that our clients have otherwise requested.
- The personal information we collect and process may also be necessary for our legitimate business interests, in terms of offering the best possible solutions to our clients, in managing our everyday business needs, in providing our clients or prospective clients with information about the products and the services we offer, and about which they have expressed an interest or that we believe will be of benefit to them.
- In some cases, our ground for collecting and processing the information is based on your explicit consent to our collection and processing of your personal information, such as, for example, when we communicate with you in terms of providing relevant marketing information, when you submit your CV in order for it to be assessed, or for your participation in scientific conferences and similar events that we are organizing.
- We may also process your personal data in order to comply with a legal obligation to which the Company is subject and for the fulfillment of regulatory and statutory obligations or court or other orders (e.g. compliance with tax procedures, Anti-Money Laundering procedures, fraud detection, ensuring of traceability etc.).
- We may process personal data, including specific categories of data (sensitive data), which are necessary to protect the vital interests of the data subjects (e.g. patients).
- Who do we share your personal data with?
We do not sell or rent, or exchange or transfer your personal data or personally identifiable information that has been collected by us, as part of a customer list or similar transaction, to any third party.
We may only share your personal data with the following indicative categories of recipients:
- Banking Institutions, Insurance Institutions, Lawyers or other legal specialists (including mediators), consultants or experts or other professional advisors as the case may be (e.g. financial, business or other advisors), auditors, chartered accountants, scientific officers engaged in the course of the services we provide to our clients or prospective clients;
- Third party service providers to whom we outsource certain functions such as technology and IT services, accounting services, translation services, postal and transport services. In such cases, we require all such third party service providers to act in compliance with this Privacy Policy, our instructions and the applicable data protection laws. We commit to use appropriate safeguards as required by applicable law to ensure the confidentiality, integrity and security of your personal data when engaging such service providers;
- We may share your personal data with courts, government, regulatory or other public authorities.
- For how long do we retain your personal data?
In general, we will retain your personal data for as long as is necessary for the fulfillment of the purposes for which this data was collected and any other permitted linked purpose.
When the processing of personal data is related to the establishment, exercise or defence of legal claims, we will retain your personal data until the time limit for claims has expired or the claims have been settled, or in order to comply with legal requirements regarding the retention of such data.
Our retention periods are also based on our business needs and good practice.
It is noted that our Company, as a licensed tissue and cell foundation, is required to keep all data necessary to ensure traceability at all stages, possibly including personal and sensitive personal data, for a period of at least thirty (30) years after their clinical use.
- Security of Personal Data
We store your personal data securely on our servers, which are managed internally as well as with third party storage providers.
We maintain the appropriate technical and organizational security measures so as to protect the personal data that we hold on our networks and systems, from unauthorized access, disclosure, alteration, misuse, loss and destruction. The security measures indicatively include physical, technical, administrative, electronic and procedural safeguards, firewalls, physical access controls to our data centres and information access authorisation controls. Our security procedures also mean that we may occasionally request proof of identity, in order to verify your identity before communicating with you or disclosing any personal information to you.
While we try our best to safeguard your Personal Data, once we receive it, especially as regards the data received through our website, no transmission of data over the Internet or any other public network can be guaranteed to be 100% secure.
- What rights do you have with respect to personal data?
Right of Access:
You have the right to access the personal data that is being processed by us and, if necessary, to receive a copy of that data and/or supplementary information with respect to their processing.
Right to Rectification:
If the personal information that we hold about you is inaccurate or incomplete, you have the right to rectify, update or amend it, by contacting us at the abovementioned contact details. Alternatively, you may send us a relevant request at the following email address: dpo@osteocell.gr
Right to erasure:
You have the right to ask us to delete or remove your personal information in some circumstances, such as where we no longer need it or if you withdraw your consent (where applicable).
Right to restrict processing:
You have the right to request the restriction of the processing of your personal data in certain circumstances, such as where you contest the accuracy of your personal data or when the processing is unlawful and you object to the erasure of your personal data and you request the restriction of its use instead of its erasure, when your personal data is not required for the purposes of processing, however it is required for the establishment, exercise or defence of legal claims, and when you object to processing and pending the verification whether our legitimate grounds override your rights.
Right to object to processing:
You have the right to object at any time to processing of your personal data in cases where this is required for the purposes of legitimate interests we pursue as data controllers.
Right to data portability:
You have the right, in certain circumstances, to obtain personal information that you have provided to us in a structured, commonly used and machine-readable format, and to transfer it to another data controller in order to reuse it or ask us to transfer this to a third party.
Right to withdraw the consent:
If we rely on your consent as our lawful basis for processing your personal data, you have the right to withdraw that consent at any time. However, please note that withdrawal of your consent does not affect the legality of consent-based processing during the period before such consent was revoked.
Right to lodge a complaint with the Hellenic Data Protection Authority:
To exercise any of your aforementioned rights you have the right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr), Phone Number: +30 210 6475600, Fax: +30 210 6475628, Email Address: contact@dpa.gr
- Updates to this Privacy Policy
We reserve the right to update and change this Privacy Policy from time to time in order to reflect any changes as regards the way in which we process your personal data or changes to legal requirements. In case of any such changes, we will post the updated Privacy Policy on our website or publish it otherwise. The changes will take effect as soon as they are posted on this website or are being published otherwise. We therefore encourage you to review the Policy when you visit the website to stay informed of how we are using personal data.