Information on the processing of personal data in the MediCloud information system
Prepared pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as "GDPR").
This document explains how personal data is processed in the MediCloud Information System ("MediCloud IS").
The controller and provider of the MediCloud IS is the trading company MediCloud Ltd, which provides it to customers as a communication channel between customers as employers on the one hand and customers as providers of occupational health services and/or medical examinations on the other hand. Through the MediCloud IS, customers who are employers fulfil their legal obligations towards their employees arising from the applicable legislation, in particular legislation regulating the occupational health service and regular medical examinations of employees.
Customers and their designated users use the MediCloud IS mainly for:
- keeping records of medical examinations of employees,
- scheduling appointments for regular medical examinations of employees in accordance with applicable legislation,
- confirming appointments for medical examinations of employees,
- keeping a record of employees' medical examinations,
- keeping records of medical examinations provided to employees,
- collecting, organising and archiving data related to the process of carrying out regular medical examinations of employees and occupational health service activities,
- sending information/notices to ensure communication between the parties concerned.
The use of the MediCloud IS requires access to users' personal data (e.g. to create a profile). By this document, MediCloud s.r.o. provides the data subjects (i.e. users) with information on the processing of their personal data. Users' personal data are processed in the MediCloud IS by MediCloud s.r.o. in its capacity as an intermediary, and hence this information on the processing of users' personal data is provided by MediCloud s.r.o. to the users in the capacity of a controller on behalf of its customers, who are in the capacity of controllers.
1 Identification and contact details of joint controllers
The personal data processed in the MediCloud IS are processed by the joint controllers, which are the MediCloud IS user's employer and the occupational health service/medical examination provider, on the basis of an agreement concluded pursuant to Article 26 of the GDPR.
Pursuant to the joint controllers' agreement, the processor has been appointed as the contact point of the joint controllers for:
- Correspondence address: Nálepkova 1333/47, 053 11 Smižany,
- email contact: support@medicloud.digital
2 Identification and contact details of the intermediary
MediCloud s.r.o., with registered office at Nálepkova 1333/47, 053 11 Smižany, ID No.: 55 764 878, registered in the Commercial Register of the Municipal Court of Košice, Section: Sro, Insert No.: 57770/V, as the provider and operator of the MediCloud IS, processes the personal data of users (data subjects) on behalf of the joint controllers.
3 Purposes and legal bases for processing personal data
The provision of personal data by the user is voluntary, as the use of the MediCloud IS itself is voluntary. However, without the provision of some personal data by the user, it is not possible to use all the functionality of the MediCloud IS.
Within the MediCloud IS, personal data is processed for the following purposes:
(a) recording the user's medical examinations (as an employee),
(b) making appointments for regular medical check-ups,
(c) confirming appointments for medical check-ups,
(d) recording the completion of medical examinations,
(e) keeping a record of medical examinations given,
(f) collecting, organising and archiving data relating to the process of carrying out periodic medical examinations and occupational health service activities,
(g) sending information/notices to ensure communication between the parties concerned.
The legal basis for the processing of personal data for the purposes:
- under (a), (d), (e) and (f) is the fulfilment of the legal obligation of the joint controllers (the employer and the occupational health service/medical examination provider) pursuant to Article 6(1)(c) of the GDPR; and
- under (b), (c) and (g) is the legitimate interest under Article 6(1)(f) of the GDPR, which is the addressing and scheduling of regular medical check-ups as well as the communication between the data subjects.
4 Scope of personal data
The following personal data are processed in the MediCloud IS:
- User login and authentication data,
- User identification data (first name, last name, date of birth, permanent residence, contact details - email address, mobile phone number),
- Information about the profession and its (i) risk factors at work and working environment and (ii) selected activities,
- Number of medical examinations attended (including dates),
- Details of the extent of medical examination passed and the medical fitness of the user (employee) to practise the occupation.
5 Source of personal data
The personal data processed in the MediCloud IS are obtained through authorised employees of the joint controllers from the user (employee).
6 Retention period of personal data
The processing of personal data in the MediCloud IS only occurs during the period of use of the MediCloud IS by the user.
7 Recipients of personal data
Authorised employees of the joint controllers and the processor have access to the processing of personal data.
8 Cross-border transfer of personal data
There is no cross-border transfer of personal data to third countries or to an international organisation.
9 Absence of automated decision-making and user profiling
There is no automated decision-making or profiling of users within the MediCloud IS.
10 Rights of the data subject in the processing of personal data
The user as data subject has the right to request from the joint controllers, directly or through an intermediary:
- access to their personal data pursuant to Article 15 GDPR,
- rectification and completion of personal data pursuant to Article 16 GDPR, if the personal data are processed incorrectly or incompletely,
- erasure of personal data pursuant to Article 17 of the GDPR if one of the grounds set out in this Article is met and none of the exceptions applies,
- restriction of the processing of personal data pursuant to Article 18 of the GDPR if one of the grounds set out in this Article is met,
- objection to the processing of personal data pursuant to Article 21 GDPR. In the event of exercising this right, the joint controllers will demonstrate to the user the manner in which they have assessed their legitimate interests as overriding the rights and freedoms of data subjects.
As a data subject, the user also has the right to:
- file a complaint with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic or a proposal to initiate proceedings pursuant to Section 100 of Act No. 18/2018 Coll., on the Protection of Personal Data and on Amendments and Additions to Certain Acts; the Office can be contacted in writing at Hraničná 12, 820 07 Bratislava 27, Slovak Republic, by e-mail at statny.dozor@pdp.gov.sk, by fax at +421 2 3231 3234, or by telephone at +421 2 3231 3214.
11 Changes and effectiveness
This document is effective as of 01.06.2024. The joint controllers/MediCloud reserve the right to unilaterally change this information by giving appropriate notice of material changes to users as affected persons.