Privacy Policy

Introduction

Since 25 May 2018, the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — has been in force across the European Union. You may access the text of the Regulation at the following URL:

https://eur-lex.europa.eu/legal-content/EL/TXT/?uri=CELEX:32016R0679

This Privacy Policy (hereinafter the “Data Policy” or “Privacy Policy”) concerns the Web Portal of the National Electronic Health Record (hereinafter “the Portal”) of the Ministry of Health (hereinafter “the Ministry”), operating under the domain name: https://ehealthrecord.gov.gr

The Ministry places particular emphasis on the protection of the personal data of citizens and all individuals who visit this website. For this reason, it has drafted this Privacy Policy to inform such individuals about the manner in which their personal data is collected, used, and disclosed.

Definitions of Personal Data

(Note: Definitions follow Article 4 of the GDPR)

“Personal Data”: any information relating to an identified or identifiable natural person (“Data Subject”).

“Controller”: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor”: the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.

“Data Subject”: natural persons whose personal data is collected and processed by the Controller (in this Privacy Policy, the Data Subjects are the users of the abovementioned website, whether authenticated or not, for the purpose of using a service).

“Recipient”: any natural or legal person, public authority, agency, or other body to whom personal data is disclosed, whether a third party or not.

Collection of Personal Data

When a visitor/user accesses the National Electronic Health Record Web Portal and:

⦁    interacts with it, or

⦁    makes use of the provided services,

certain information may be collected, such as:

A. For Identifying the Users of Electronic Services

Identification of service “users” is provided via the Interoperability Center of the General Secretariat for Information Systems of Public Administration (GSIS) of the Ministry of Digital Governance, using the credentials assigned to the “user” through the TaxisNet system, in accordance with Ministerial Decision No. 3981ΕΞ2020 “Provision of OAuth2.0 User Authentication Services to Information Systems of Third Entities” (Government Gazette B’ 762/10.3.2020).

Exclusively for the purpose of authenticating users of the service, the Ministry receives — via the above authentication (OAuth 2.0) — and processes, as Controller, the following personal data:

⦁    First name

⦁    Surname

⦁    TaxisNet username

⦁    Father’s name

⦁    Mother’s name

⦁    Year of birth

⦁    Tax Identification Number (AFM)

B. For the Provision of Electronic Services

For use of the service and for its effective and lawful operation, the Ministry processes — as Controller — the following personal data:

⦁    IP address of the device through which the user connects to the service

⦁    Browsing data within the website through the installation of data-collection “cookies”

⦁    Timestamp of service usage

⦁    Device information (operating system, browser software)

⦁    All information contained in the document (application, declaration, authorization) submitted electronically by the user

C. Special Categories of Personal Data

The Ministry does not collect or process special categories of data (racial or ethnic origin, religion, health data, etc.) for the purposes of identification or service provision.

However, such data may be processed if they are entered by the user themselves in “free-text” fields of the electronic services.

Purpose of Processing Personal Data

The Ministry processes personal data to fulfil its statutory responsibilities, to comply with its legal obligations under national and EU law, to perform tasks carried out in the public interest, and in the exercise of public authority vested in it.

Legal Basis for Processing

Processing of users’ personal data is necessary for the operation of the service and is based on Law 4635/2019 (Government Gazette A’ 167) and the Legislative Act of 20.03.2020.

Purposes of Processing

Personal data collected through the Portal serve the following purposes:

a) the operation of the Portal and provision of its services to citizens,

b) provision of information about the Portal’s services and their operation,

c) generation of statistical reports regarding the use of the website.

Personal Data stored in the database or in the Greek Government Cloud (Hcloud) are used for:

⦁    User authentication (e.g., for electronic applications, declarations, authorizations)

⦁    User identification via GSIS using TaxisNet credentials

⦁    Provision of electronic services

⦁    Smooth operation of the website and service

⦁    Technical support for service administrators

⦁    User-friendly and easy website operation

⦁    Improvement of user experience

⦁    Creation of statistical reports and charts monitoring service performance (based on anonymized data only)

The Ministry collects and processes personal data exclusively for the above purposes and only to the extent necessary. The data collected are relevant, adequate, not excessive, accurate, and updated where required.

Data are retained only for the period necessary to fulfil these purposes and are deleted thereafter, in accordance with the general terms of use.

Confidentiality

The Ministry does not disclose or transmit personal data of visitors/users to third parties without their consent, except to the aforementioned recipients necessary for Portal operation, or where required by law.

Personal data may be communicated to judicial, police, or other administrative authorities following lawful requests in accordance with applicable legislation.

In cases of legally binding orders (e.g., from prosecutors or other authorities), or during judicial investigations, the Ministry is obliged to grant access to relevant data.

The Ministry does not transfer users’ personal data to third countries or international organizations.

Transfer and Storage of Personal Data

All transfers of personal data are carried out via electronic systems, and data are transmitted in encrypted form.

Data are stored on servers or cloud services (Hcloud) of the Greek Government located within the European Union.

Authorized Ministry employees may access users’ data strictly within the scope of their duties.

IDIKA S.A. (Electronic Governance for Social Security) acts as Processor and provides support services for the operation of the National Electronic Health Record Portal.

Upon the user’s choice, the Ministry may transmit certain personal data to third parties to whom the user chooses to send electronic applications, declarations, or authorizations through the Portal.

Rights of Data Subjects

In compliance with the GDPR, the Ministry ensures and facilitates the exercise of the following rights of Data Subjects, where technically feasible within the operation of the Portal:

⦁    Right of access – to know which of your data are processed, for what purpose, and who the recipients are

⦁    Right to rectification – to correct inaccuracies or incomplete data

⦁    Right to erasure – to request deletion of your data under GDPR conditions

⦁    Right to restriction of processing – e.g., when accuracy is disputed or you have objected to processing

⦁    Right to data portability – to receive your data in electronic form and transmit them to another party

⦁    Right to object – to processing of your data, including withdrawing previously given consent (without affecting prior lawful processing)

Exercise of Rights – Safeguards – Retention Period

The Ministry ensures that:

⦁    Procedures enabling easy exercise of rights are in place

⦁    Requests will be answered without undue delay and no later than 30 days

⦁    If a request cannot be fulfilled, the Ministry will provide full justification

⦁    Unless a request is manifestly unfounded or excessive, all actions relating to Data Subject rights are performed free of charge

⦁    Data are stored in secure systems and processed by trained, authorized personnel

⦁    Personal Data are retained only for as long as necessary to fulfil the service’s purposes or as required by law

Cookie Policy

1. General

The National Electronic Health Record Web Portal uses cookies in compliance with applicable law.

Cookies are small text files stored on the user’s device (computer, smartphone, tablet). They neither cause damage nor access documents stored on the device.

They help:

⦁    measure website performance

⦁    improve and upgrade website content

⦁    tailor the website to users’ needs

⦁    measure effectiveness of presentation and promotion on third-party websites

Cookie data may include browser type, device type, operating system, internet service provider, and information about visited pages and external links.

2. Types of Cookies Used

The Portal uses the following categories:

A) Necessary Cookies

Enable essential website functions such as navigation and access to secure areas. The website cannot function properly without them.

B) Preference Cookies

Allow the website to remember user preferences such as preferred language or region.

C) Statistical Cookies

Help website owners understand how visitors interact with the site by collecting anonymized data.

Users may manage or delete cookies via their browser settings. Instructions are usually found in the browser’s Help, Tools, or Edit menu.

More detailed guidance is available at: www.youronlinechoices.com/gr

If cookies are rejected or disabled, some website functionality may be partially lost.

Contact

You may contact the Ministry’s Data Protection Officer by email at: XXX or by post at: XXX, for any question regarding the processing of your personal data.

Upon exercising any of the above rights, the Ministry will take all possible measures to fulfil your request within thirty (30) days and notify you in writing. If necessary due to complexity or number of requests, this period may be extended by two additional months after informing you.

If you are not satisfied with the Ministry’s response or believe that your personal data are being processed unlawfully, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):

Address: 1-3 Kifisias Ave., 115 23 Athens
Tel.: +30 210 6475600
Email: contact@dpa.gr