of the company group PROGRESS MEDICAL
Controller of personal data and data subject
The joint controllers of personal data within the meaning of Article 26 of the General Data Protection Regulation No 2016/679 are companies in the PROGRESS MEDICAL group of companies. Specifically, these are:
- PROGRESS MEDICAL a.s., ID No: 284 75 682, with its registered office at Praha 3, Pod Krejcárkem 975/2, postcode 13000, registered with the Commercial Register maintained by the Municipal court in Prague, section B, file 14761;
- OB klinika a.s., ID No: 288 92 950, with its registered office at Praha 3, Pod Krejcárkem 975/2, postcode 13000, registered with the Commercial Register maintained by the Municipal court in Prague, section B, file 15268; a
- OB CARE, s.r.o., ID No: 289 53 568, with its registered office at Praha 3, Pod Krejcárkem 975/2, postcode 13000, registered with the Commercial Register maintained by the Municipal court in Prague, section C, file 155493
(jointly referred to only as the controller).
The company PROGRESS MEDICAL a.s. is the operator of the MEDICZECH service (), which provides the supply of foreign patients for clinics in the PROGRESS MEDICAL group. PROGRESS MEDICAL a.s. transfers personal data obtained from data subjects who request medical services through MEDICZECH to OB klinika a.s. and OB CARE, s.r.o. in order to mediate the conclusion of a health care contract with the appropriate health clinic that provides the requested health services.
The company OB klinika a.s. () is an inpatient medical facility with two fully equipped operating rooms, specializing primarily in the surgical treatment of obesity and other metabolic diseases. The company OB klinika a.s. also provides a portfolio of treatments in other areas such as orthopedics and urogynecology.
The company OB CARE, s.r.o. () is a plastic surgery clinic providing a wide range of aesthetic surgery procedures.
The joint contact point is the e-mail address: , through which data subjects can send their requests, comments, complaints or objections. The controller can also be contacted in writing at Praha 3, Pod Krejcárkem 975/2, postcode 13000, to the attention of any of the above-mentioned companies forming the PROGRESS MEDICAL group.
Companies in the PROGRESS MEDICAL group have concluded a contract between joint controllers, according to which all companies in the group are jointly and severally liable in the processing cases described below for the fulfilment of their obligations under the General Data Protection Regulation No 2016/679, including the duty to provide information to the data subjects and the obligation to enable the exercise of data subjects' rights. The data subject may exercise his or her personal data protection rights in respect of and against each of the controllers.
The controller has appointed a Data Protection Officer, who is:
- Mrs Ivana Pešková, e-mail: .
The data subject is a natural person who provided the controller his / her personal data on the basis of a contract on the provision of health care services or on the basis of measures taken before its adoption at the request of that natural person (request of health services). The data subject may also be a natural person whose personal data controller obtained from other legal sources (especially health insurance companies, state authorities, public registers or other providers of health care services).
Scope of processing of personal data
The controller processes the personal data in scope in which they are provided to the controller by the data subject or in scope in which the controller obtains the data from other legal sources. The processed personal data are:
- name and surname,
- business name of a natural person,
- marital status,
- date of birth,
- birth number,
- ID No.,
- passport No.,
- place of residence,
- place of business,
- photo / video sent for the purposes of preliminary health assessment,
- health insurance information,
- personal data contained in medical records (detailed information on the health status of the data subject and his / her relatives, including photo documentation, medical records, height and weight, examination results, etc.),
- data on disability,
- billing and delivery address,
- business and tax ID No.,
- payment details (bank account No., information regarding a credit card),
- network identifiers,
- personal data obtained from cookies.
Purpose and legal basis of personal data processing
The controller processes the personal data of data subjects for the purposes of:
- taking steps at the request of the data subject prior to entering into a contract (demand for health services),
- performance of a contract concluded between the data subject and the controller (provision of agreed medical care),
- compliance with legal obligations (e.g. under the Health Services Act, Public Health Insurance Act, etc.),
- protection of the vital interests of the data subject or of another natural person (provision of medical treatment),
- protection of the legitimate interests of the controller (protection of the controller's assets, performance of rights under the contract in court proceedings, etc.), and
- direct marketing (i.e. offering products and services of the controller), including sending commercial communications within the meaning of the Act No. 480/2004 Coll., on Information Society Services.
The controller shall only send a commercial communication if the data subject has subscribed to newsletter or if the controller has obtained the details of the data subject's electronic contact in connection with the sale of its products or services. The data subject has the possibility to unsubscribe from the newsletter by sending an email to or by using the link provided in each individual commercial communication.
There is no automated decision-making, including profiling, done by the controller referred to in Article 22 of the General Data Protection Regulation No 2016/679.
Evaluation of necessity of the processing
The controller pays attention to the privacy of the data subjects, and therefore, processes only personal data that is necessary for the intended processing purposes.
Duration of processing of personal data
In case the personal data are processed solely for the purpose of performance of the contract, the controller processes the personal data for the duration of the contractual relationship and for a further period of 3 years, taking into account the limitation period for damages. In case of processing of personal data for the purpose of fulfilment of a legal obligation of the controller the controller processes the personal data for the period stipulated by legal regulation (in particular the Decree No. 98/2012 Coll. on Medical Documentation).
Personal data processed for marketing purposes based on a legitimate interest (obtaining an electronic contact in connection with the sale of the controller's product or service pursuant to Act No. 480/2004 Coll.) or based on a consent with the processing of personal data (subscription to newsletter) are processed by the controller for the period of 3 years, unless an objection has been raised against such processing by the data subject or the consent with the processing of personal data has been withdrawn.
Withdrawal of consent with processing of personal data
If the data subject granted the controller a consent with processing of his/her personal data, the data subject has the right to withdraw its voluntarily given consent with processing of personal data at any time and free of charge by sending an e-mail message to the e-mail address: email@example.com. The withdrawal of consent does not affect the lawfulness of the processing based on the consent given before its withdrawal. The withdrawal of the consent also does not affect the processing of personal data which is being done by the controller on another legal basis than a consent (e.g. in particular if the processing is necessary for the performance of a contract, fulfilment of a legal obligation or due to other reasons stated in the valid legal regulation).
Access to personal data
The personal data can be accessed by the controller and in some cases also by third parties – the recipients who provide appropriate guarantees and whose processing complies with the requirements of applicable laws and which ensures the proper protection of the data subject’s rights. The recipients of the personal data are:
- providers of accounting/payroll/IT services and systems (Asseco Solutions, a.s., ID No.: 64949541; STAPRO s. r. o., ID No.: 13583531; NSG Morison Outsourcing a.s., ID No.: 27426572),
- IT system administrators (PELIT servis s.r.o., ID No.: 28909399),
- legal and tax advisors,
- clinical laboratory service providers (CITYLAB spol. s.r.o., ID No.: 28442156),
- marketing service providers and administration of websites (eBRÁNA s.r.o., ID No.: 25984764; New Logic Studio s.r.o., ID No.: 24202207);
- provider of the Mailchimp mailing service (The Rocket Science Group LLC, with its registered office at 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA);
- provider of the Google Analytics service for the purpose of monitoring website traffic (Google Ireland Limited, reg. No. 368047 andGoogle Inc., with its registered office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA);
- provider of the Hotjar service for the purpose of monitoring website traffic (Hotjar Limited, reg. No. C 65490, with its registered office at Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta);
- health insurance companies (VZP, ID No.: 41197518; Health Insurance Company of the Ministry of the Interior of the Czech Republic, ID No.: 47114304; Professional Health Insurance Company of employees of Banks, Insurance companies and Construction companies, ID No.: 47114321; Military Health Insurance Company of the Czech Republic, ID No.: 47114975; Czech Industrial Health Insurance Company, ID No.: 47672234; Employee Insurance Company Skoda, ID No.: 46354182);
- public authorities to whom the controller is obliged to provide personal data.
Personal data are transferred only within the Member States of the European Union, with the exception of Google Analytics (monitoring of website traffic), which may transfer the personal data to Google Inc. based in the United States, and the Mailchimp service, which is also based in the United States. The transfer to these recipients is based on a system of transfer of personal data between the EU and the US in commercial relations called Privacy Shield.
Proof of identity of data subjects
The controller is entitled to require a proof of identity of the data subjects in order to prevent unauthorized persons from accessing the personal data.
Rights of data subjects in relation to the personal data
In relation to the personal data, the data subject has in particular the following rights:
a) right to withdraw his/her consent anytime;
b) right to correct or amend his/her personal data;
c) right to request restriction of processing of the personal data;
d) right to object to or file a complaint against the processing in certain cases;
e) right to data portability;
f) right of access to the personal data;
g) right to be informed about the breach of security of the personal data in certain cases;
h) right to erasure (“right to be forgotten”) in certain cases; and
i) further rights stipulated in the Act on Personal Data Protection, the Act on Processing of Personal Data and in the General Data Protection Regulation No. 2016/679.
What does it mean that the data subject has the right to object to processing?
According to the Article 21 of the General Data Protection Regulation No. 2016/679 the data subject has, among others, the right to object to the processing of the personal data if the controller processes the personal data on the basis of a legitimate interest, including the processing for the purposes of direct marketing. The objection shall be filed with the controller in writing or via the e-mail address:firstname.lastname@example.org. In the event that the data subject objects to the processing, the controller shall not further process personal data unless it demonstrates serious legitimate reasons for the processing that outweighs the interests or rights and freedoms of the data subject or for the determination, exercise or defense of legal claims. In case that the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed by the controller in this scope.
More information about this right can be found particularly in the Article 21 of the General Data Protection Regulation No. 2016/679.
Obligation to provide personal data
The personal data is provided by the data subject voluntarily. The data subject has no obligation to provide it. There are no sanctions pending to the data subject for not providing the personal data. However, if the data subject does not provide his/her personal data to the controller, it will not be possible to conclude and duly perform a contract between the controller and the data subject. Nevertheless, it is solely up to the data subject whether he/she wishes to enter into a contractual relationship with the controller or not.
Security of personal data
All personal data are secured by standard procedures and technologies. Personal data processed electronically are stored within the internal system and are accessible only to authorized users working with the personal data through devices secured by login and password. The controller uses a professional antivirus protection and firewall, which are regularly updated. The controller periodically checks the system for vulnerabilities and attacks, and uses security measures that can reasonably be required of the controller to prevent unauthorized access to the personal data provided and that provide sufficient security with respect to the state of the art. Personal data, which are processed in writing, are stored in the secure premises of the controller, to which only authorized persons have access. All security measures taken are regularly updated.
Even though, the controller secures the personal data by appropriate technological and organizational measures, it is not objectively possible to fully guarantee the security of the personal data. Therefore, it is also not possible to absolutely ensure that no third party may gain access to the personal data, that it cannot be copied, published, changed or destroyed by a breach of security measures of the controller. However, the controller ensures that it does everything possible to keep personal data secure and regularly checks for security breaches.
To ensure the functionality of the following websites:
- ; and
the controller uses the so-called cookies that are stored on the data subject's device. These cookies serve especially for the purpose of maintaining functionality of the website and the analysis of visitors to the website via the Goole Analytics application (cookie files: _ga, _gid and _gat) and Hotjar application (_hjid a _hjIncludedInSample).
The controller uses so-called temporary cookies and persistent cookies on his websites. Temporary cookies are only stored on data subject’s device until the Internet browser is closed. Temporary cookies allow storing information while browsing from one website to another and eliminate the need to re-enter some information. Persistent cookies help to identify the data subjects' devices when they visit the website again.
Publisher/ Cookie Name
Necessary for the website’s functionality
Provides better page functionality (remembers selected settings, etc.)
cookieconsent_status a webfont
Necessary for the website’s functionality
Provides better page functionality (remembers selected settings, etc.)
(11 months after storing/refreshing)
It is used to distinguish individual users for traffic analysis. The cookie is refreshed each time data is sent to Hotjar (a third party based in Malta).
(2 years after storing/refreshing)
It is used to distinguish individual users for traffic analysis. The cookie is refreshed each time data is sent to Google Analytics (a third party based in Ireland and USA).
The data subject has the right to file a complaint concerning the processing of personal data by the controller with the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, website: www.uoou.cz. Alternatively, he/she may apply for judicial protection before the competent court.
This privacy notice becomes effective 2nd October 2019.