Information on the Processing of Personal Data

The protection of our customers' personal data is of paramount importance to us. For this reason, we take appropriate technical and organizational measures to protect the personal data we process and to ensure that the processing of personal data is always carried out in accordance with the obligations imposed by the legal framework, both by the company itself and by third parties who process personal data on behalf of the company.

The company named "iDNA Laboratories P.C." (hereinafter: "iDNA Laboratories" or "Company") based in Kifissia at 7 Taki Kavalieratou Street, with phone number +30 2111021881 and e-mail address: info@idnalaboratories.com is the Data Controller of the processing of personal data processed through its website https://idnalaboratories.com/.

What is GDPR?

The General Data Protection Regulation (GDPR) 2016/679 is the new regulatory framework of the European Union (EU) in the field of personal data. The purpose of the law is to establish the conditions for the processing of personal data to protect the rights and freedoms of natural persons and, in particular, the right to protection of personal data.

Principles we rely on

We are committed to complying with the following principles for processing personal data:

• Lawfulness, objectivity and transparency - Personal data are processed lawfully and fairly in a transparent manner in relation to the data subject.
• Purpose limitation - We collect personal data for specified, explicit and legitimate purposes and do not further process it in a manner inconsistent with those purposes.
• Data minimisation - Personal data is limited to what is necessary in relation to the purposes for which we process it.
• Accuracy / data quality - We ensure that personal data is accurate and, where necessary, we update it promptly.
• Retention - Storage period limitation - We retain personal data for the period of time necessary or required by law.
• Personal data processed for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes are stored for longer periods. In such cases we apply the appropriate technical and organisational measures required to safeguard the rights and freedoms of the data subject.
• Integrity and confidentiality - We are committed to processing personal data securely, protecting them in particular against unauthorised or unlawful processing, accidental destruction or deterioration and using appropriate technical or organisational measures.
• We are committed to and comply with the Accountability Principle, demonstrating compliance with the above principles.

What data will be used by the company?

The data that the Company collects, stores and processes, on a case-by-case basis, are:

  • Full name for the issue of a retail sales receipt
  • Address for the issue of the retail sales receipt
  • Contact telephone number
  • E-mail for sending the results
  • Financial data (payment information, bank card/account information, VAT, tax office)
  • Occupation
  • Entry credentials
  • Biometric characteristics (e.g. height, weight)
  • Date of birth and gender ONLY if the individual accepts the anonymous use of their results for research purposes
  • Insurance details if required
  • Personal data of special categories such as: health data, genetic data, blood tests.

How we collect Personal Data

We collect information about you in the following circumstances, among others:

The collection of personal data is carried out by both physical and electronic means on a case-by-case basis, including but not limited to:

  • Through this website, when you register on the myEMR platform, when you contact us directly, at our reception and service centres, or through our call centre to request information about the services we offer.

  • When you provide information for the purpose of concluding a contract and during its execution (health service contract), either verbally or by filling in the relevant forms or online fields.
  • If your personal data is transferred to us by partners or other third parties.
  • At the pre-service stage, in order to keep in touch with you and plan the best possible service for you.
  • When you participate in clinical research carried out as part of a research project, having given your consent.
  • We also collect data occasionally, from third parties who may lawfully pass on information about you or whose records we may lawfully access, such as our external partners, banks etc.

We process personal data for the purposes as detailed below.

Please help us to keep your information up to date by informing us of any changes to your personal data.

What is the Purpose and the Legal Basis for the Processing of Personal Data

  • To create a customer account on the Company's website, based on the imminent execution of a contract between the customer and the Company.
  • For the provision of services to the customer, based on the execution of the contract between the customer and the Company.
  • For the analysis and characterization of the sample submitted to the laboratory and/or the set of information sent, as well as the conduct and interpretation of the results of genetic analyses, and the sending of the results of these genetic analyses. The processing of simple personal data for this purpose is based on the legal basis of the performance of a contract, whereas the processing of special categories of personal data is based on explicit consent.
  • For the anonymized or pseudonymized (in coded form) use of test results for the extraction of statistics. The processing of simple personal data for this purpose is based on the legal basis of the Company's legitimate interest (production of anonymized statistics), while the processing of hematological data, genetic data and phenotypic correlations referred to in the results of the analyses is based on the legal basis of processing for statistical purposes.
  • For the anonymized or pseudonymized (in coded form) use of the results of the tests for research purposes. The processing of simple personal data for this purpose is based on the legal basis of the Company's legitimate interest (conducting scientific research), while the processing of hematological data, genetic data and phenotypic correlations referred to in the results of the analyses is based on the legal basis of processing for the needs of scientific research.

How and why do we use your personal data?

1. Create an Account

Personal data is collected when you create an account on www.idnagenomics.com, which is managed by iDNA Genomics. When creating an account, you may be asked for more data; however, the minimum required for the conclusion and performance of the contract will be marked as a mandatory field.

The following personal data are required, as mandatory, to create an account: Name/Surname, Postal address, postal code, county, city, region, country, fixed telephone number and your e-mail address. You must then set your personal password, confirming it twice. To complete your registration, you must, after reading the terms of use and privacy policy, check the checkbox in the "I agree" option and fill in the text to verify your registration.

Your registration is complete. Your username is now your email address, and your password is your personal password.

The user should not disclose his/her personal password to third parties, nor should he/she keep it in electronic or paper form, to prevent any unauthorized use. In case of disclosure of the personal password to third parties, the user is obliged to inform iDNA Genomics immediately via its website www.idnagenomics.com. In the event of data leakage, iDNA Genomics shall not be liable, if not previously informed, for the unauthorized use of such data.

Also, by creating an account in the iDNA Genomics e-shop, you can edit data, add or remove data. This data will be used to make the order completion process easier each time you visit the iDNA Genomics e-shop and choose to be logged in.

2. Order Execution

Personal data is also collected when you place an order in our e-shop, https://myemr.idnagenomics.com/. In order to complete your order and create an account, you may be asked for more data, but it will be the minimum required for the conclusion and execution of the contract. These data are marked as mandatory fields. The data in this account will be used to complete the order and you will have to fill in some additional data, such as information on the payment method, a different shipping address for products (optional), and data for invoicing (VAT, Tax, Profession, Name), where necessary.

In the context of completing the order, some of these data are transmitted:

a) to transport companies, for the transport and delivery of your goods. The transport companies may contact you to ask for clarifications and to inform you about the delivery of your goods.

b) when making payment, to payment providers. For our part, we use high security systems to prevent your details from being leaked by malicious systems. Also, this data is accessible to e-shop support and marketing companies, where iDNA Genomics ensures its protection.

3. Sample analysis

The Company shall analyze and characterize the sample submitted to the laboratory, as well as conduct and interpret the results of the genetic analyses. It is emphasized that any further analysis of the sample submitted to the laboratory for scientific research (or statistical purposes) will only take place with your explicit consent and after anonymization of your personal data.

4. For communication with you in the context of the services provided

It is possible to contact the Company for any query, as well as for sending the results of genetic analyses.

Who may be the recipients of your personal data?

The processing of personal data is confidential and iDNA takes all reasonably necessary technical and organisational means to ensure its confidentiality and protection. Personal data is processed by authorized employees of iDNA, qualified staff, Scientific Partners (Doctors, Biologists, Geneticists, Nutritionists, etc.), doctors/companies involved in any way in the provision of these services, regardless of their legal form, health professionals and collaborating laboratories. All are committed to confidentiality, protection and professional secrecy.

The processing of personal data may also be carried out by the patient's referring doctor, and/or by affiliated companies, genetic laboratories within the European Union, computer, software and medical equipment operators, in vitro diagnostic medical device companies and diagnostic centres, as well as by their staff, under their responsibility. These companies and associates have been informed and contractually committed in advance to the confidentiality of personal data, are aware of and follow the Company's instructions regarding the processing of personal data and take all appropriate measures to protect them.

For the completion of the order, some of the above-mentioned data are transmitted:

a) to transport companies, for the transport and delivery of your goods. The transport companies may contact you to ask for clarifications and to inform you about the delivery of your goods.

b) when making payment, to payment providers. For our part, we use high security systems to prevent your details from being leaked by malicious systems. Also, this data is accessible to e-shop support and marketing companies, where iDNA Genomics ensures its protection.

How long will your personal data be available to the company?

The retention time of the above data is the time allowed or required by the applicable legislation, according to the legal framework, depending on the nature of the service. The envisaged retention period, according to the provisions of the applicable legislation, is (20) twenty years.

How long does your genetic material last?

The minimum retention period of genetic material for the purpose of conducting pharmacogenetic and genetic analysis has been set at (3) three months after the results are issued. This is because there is little chance that an analysis will not give complete results. Upon confirmation by quality control that the results are complete, the sample is destroyed. Retention of anonymized or pseudonymized data of your results for research and statistical purposes depends on the research cycle in question and in any case does not exceed (2) two years.

How is the confidentiality and protection of your personal data ensured?

The processing of personal data is confidential, and the Company takes all necessary technical and organizational means to ensure their confidentiality and protection, in compliance with the legal requirements.

The Company protects your data through technical and organizational measures to ensure their security and to protect them from any form of accidental or unlawful processing. The Company uses Transport Layer Security ("TLS") software to encrypt the data you provide to us. When using it, the transmission of your personal data to us on the Internet will be encrypted. You can verify that your personal information is transmitted using TLS encryption by confirming that there is a "lock" symbol in the address bar of your browser. You can also verify that your personal information will be encrypted using TLS encryption by ensuring that the prefix for the website address has been changed from "http" to "https".

In addition, all payments made by card are processed through Alpha Bank's "Alpha e-Commerce" electronic payment platform, which uses TLS 1.2 encryption with a 128-bit encryption protocol (Secure Sockets Layer - SSL). Encryption is a way of encoding information until it reaches the intended recipient, who will be able to decode it using the appropriate key.

We ensure that personal data is processed by adhering to policies and procedures that are consistent with the purposes of processing. For example, the following security measures are used to protect personal data against unauthorised use or any other form of unauthorised processing:

  • Access to personal data is limited to a certain number of authorised persons for specific purposes.
  • The staff of the competent departments are bound by confidentiality clauses, having classified and limited access only to the data necessary for the completion of the service.
  • Sensitive data are stored on computers with authorised access. Also, in paper form they are locked in cabinets where only authorised persons have access.
  • We choose reliable partners, who are bound in writing in accordance with Article 28 §4 of the GDPR with the same obligations regarding the protection of personal data. We also reserve the right to audit them under Article 28 §3 (h).
  • The computer systems used for the processing of data are technically isolated from other systems to prevent unauthorised access, for example through hacking.
  • In addition, access to these IT systems is permanently monitored to detect and prevent unauthorised use at an early stage.

These measures shall be reviewed and amended when necessary.

The Company's Information Security Management System is certified to ISO 27001:2013.

Where the processing takes place

The personal data we collect and process is processed within the European Union.

If the need arises to transfer personal data to third countries (outside the European Union) or to international organizations, the Company undertakes to do so after ensuring compliance, where applicable, with the provisions of Articles 44-50 of the GDPR.

What are your data protection rights?

You can submit a request to iDNA Genomics if you want to access, correct, delete, request portability of your personal data or restrict the processing of your data or be provided with other relevant information. You have the right to object to processing, to object to data processing and transfer, and the right to withdraw your consent.

The above rights can be exercised by contacting us by email: dpo@idna.gr

The Company's response to your request will take place within (1) one month of receipt and will not involve any cost to you. The above deadline may be extended for a period of two (2) additional months, due to the complexity or number of requests, in which case you will be informed of the extension and the reasons for it as soon as possible and at the latest within one month of receipt of the request.

If: a) you consider that your request has not been adequately and lawfully satisfied or b) you consider that your right to the protection of your personal data is violated by any processing carried out by us, you have the right to lodge a complaint with the Personal Data Protection Authority (postal address 1-3 Kifissias Street, 115 23, Athens, tel. 210 6475600, e-mail address: contact@dpa.gr).

Links to Other Sites

Our website may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's website. We recommend that you check the privacy policy for each website you visit. We have no control over, and assume no responsibility for, the content, privacy policies or practices of any third-party sites or services.

Privacy Policy Update

This policy is reviewed when there is a significant change. This revision will be available on this website.

Whom can you contact for more information?

For any information, you can contact iDNA Laboratories at tel: 211-1021881 or via e-mail at: info@idnalaboratories.com