For the company D. PAPAIOANNOU GENERAL CLINIC OF ELPIS (with VAT number 081231083, DOU Volos) which operates at its headquarters (at 118 Anth. Gazi Street in Volos) the General Clinic "ELPIS" the respect and protection of the personal data of its patients, customers and visitors, as well as of its employees and partners is a commitment. We understand and take seriously the fact that you are aware and concerned about your personal data.

Our company strives to conduct its business activities in accordance with privacy principles, as we believe they demonstrate our unwavering commitment to ethical and responsible practices. We recognise the constant changes in risks, expectations and privacy legislation and therefore we follow our privacy accountability standards and aim to adapt how we implement them in a timely manner in response to these changes.

For these reasons, we follow this Privacy Policy, which complies with the applicable legal framework on the protection of personal data as established by the General Data Protection Regulation (EU) 2016/679, which enters into force on 25 May 2018, as in force from time to time, as well as any national law in force and applicable (hereinafter "applicable legal framework").

This Policy sets out the terms and conditions observed by our company for the protection of the privacy of patients, companions, family members and any kind of co-sponsors, whose personal data are processed for the purpose of providing healthcare services. With this Policy we inform you about how we collect, maintain and process information about you, such as personal data provided by you or your insurance provider, choosing to receive health services from our company, or health data resulting from the provision of our services and from your (electronic) medical record.

This Policy also applies to all natural persons whose data we process, including, but not limited to, prospective, current and former employees and their dependents, partners, investors and shareholders, government officials and other stakeholders.

All Employees of the Company and its Management have important privacy responsibilities which they must respect.

We recognize that unintentional errors and poor judgment about data protection can cause risks to the privacy of individuals and risks to our reputation, processes, compliance and finances. Each company employee and other individuals who process data for our company are responsible for understanding and complying with their obligations to this Policy and existing laws.

YOUR PERSONAL DATA WE PROCESS - PURPOSE OF PROCESSING

In accordance with the applicable legal framework, our company collects and processes personal data of patients, companions, family members and any kind of co-sponsors or users of the websites or employees and any kind of collaborators for the purposes listed below and only to the extent strictly necessary for the effective service of these purposes. Such data shall in each case be relevant, relevant and no more than is necessary in view of the purposes set out below and shall be accurate.

First of all, we mention that the personal data we process depending on our relationship with you include, but are not limited to:

• Just personal data: any information relating to a specific natural person or a person whose identity can be verified (e.g. name, identification number, address, etc.).
• Special categories of personal data:

'genetic data' means personal data relating to the inherited or acquired genetic characteristics of a natural person, resulting from the analysis of a biological sample of that natural person, in particular DNA or RNA analysis, or from the analysis of any other element enabling equivalent information to be obtained.

"biometric data" means personal data which result from specific technical processing linked to physical, biological or behavioural characteristics of a natural person and which allow or confirm the unambiguous identification of that natural person, e.g. Facial images, fingerprints.

"health data" means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which disclose information about the health status of that person.

• Our company collects data and health information from its patients: We collect your personal and health data relating to medical or nursing services provided by the company (such as in-patient hospitalisation, medical or diagnostic procedures or paraclinical examinations) or health data for medical services and procedures not performed by us but reported to us either by you or by third parties (medical records).

• When you enter our clinic, information about you, your contact and identification information as well as your demographic data, your clinical symptoms, the medical treatments you have received, your personal medical history, the medication you are taking, your family medical history will be recorded, both in paper and electronic form, to help us provide you with excellent medical care and treatment and the full range of medical services deemed appropriate for your diagnosis, treatment and treatment in general. This information will henceforth form part of your health record and will be retained for twenty (20) years, as required by applicable law (as detailed later in this Policy) and for the continuity and sequencing of your medical follow-up in the event that we need to see you again or receive new health care within our clinic.

Your health record, or patient record, is the collection point for all the information that is recorded in every contact you have as a patient with any healthcare professional within our clinic. A record is created for each of our patients to support their assessment, diagnosis and treatment, continuity in the health care provided, clinical information sharing, safety and improvement of the health care provided and to meet the requirements set out by current legislation (in particular Law 3418/2005).

In addition to the patient, the patient's legal representative (parent, person exercising parental care or guardianship of the patient, legal guardian, temporary legal guardian) and a person specifically authorised by the patient have the right to access the patient's file and to receive a copy of the file during the patient's hospitalisation.

After the patient is discharged, our clinic will provide a copy of the patient's file, upon request and submission of any required documents, except for the patient, to anyone who has proven parental care or guardianship, to the patient's legal guardian, to a person specially authorized by the patient and to the patient's heirs.

• Contact details: We collect your simple personal data, such as your name, address and general contact details (including email address and telephone number), from you or your family or friends.
• Pricing information: We collect your data necessary for the payment, such as VAT number, bank card information, etc.
• State and other official identification numbers: We collect your social security number, identity card or passport number, tax registration number, driving licence number or other identification number issued by public authorities.
• Other sensitive information: Information on religious beliefs, ethnicity, sexual life and orientation and genetic or biometric information. Information voluntarily provided to us (for example, preferences expressed about medical treatment based on religious beliefs) and collected in accordance with what is set out in the applicable legal framework.
• Email address (email): We may collect the email address of our customers and contact persons of our customers when they express their interest in our services or when they subscribe to our newsletters or contact form or participate in our competitions and promotions.
• Online activity data: We may collect personal data when you use our digital services. This may include your social media account ID and profile picture, IP address and other online identifiers and other personal data and information you provide to us online. If you choose to link your social media account provided by another social media service provider to your account with any of the Company's Digital Services, your Personal Data from the other social media account may be shared, which may include Personal Information that is part of your social media account profile or the profiles of your friends and other connected individuals.

The company may process personal data (simple and/or those falling under the special categories according to the applicable legal framework) if the processing is necessary for at least one of the following legal bases, namely:

• for the performance of the contract between us or to take action at your request prior to the conclusion of the contract,
• in order to comply with a legal obligation,
• for the purposes of its legitimate interests and/or legal claims,
• when you have given your explicit consent,
• to safeguard your vital interests or those of another natural person,
• for the performance of a task carried out in the public interest,
• for the purposes of preventive or occupational medicine, assessment of a worker's fitness for work, medical diagnosis, provision of health or social care or treatment or management of health and social systems and services, or under a contract with a health professional,
• for reasons of public interest in the field of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare, medicines or medical devices
• for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes proportionate to the objective pursued
• for the performance of obligations and the exercise of specific rights in the field of labour law and social security and social protection law

In particular, we mention the following:

1. The company retains and processes the simple personal data or special category health data that you or another person on your behalf provide to it, for the purpose of executing the health service contract that you have signed or that another natural or legal person has signed on your behalf, as well as the resulting medical data. The above data may be transmitted to private or public insurance providers (e.g. EOPYY) within and outside the European Union in accordance with your legal relationship with them, to physicians providing independent services to the company, to partners acting on behalf of the company, in accordance with the contracts between us, for the purpose of providing health services. The above processing may also arise to safeguard a vital interest, such as the protection of your life and integrity, which we as a company are required to safeguard.
2. The company, in accordance with the applicable legal framework, has a legal obligation and, where applicable, a duty in the public interest to transmit any kind of personal data concerning you to the competent police, judicial, administrative and tax authorities within and outside the European Union, upon their valid request, without prior notification. It also has a legal obligation to carry out any necessary internal control on personal data concerning you when required or prescribed by law.
3. The company, in accordance with the applicable legal framework, may transmit personal data for the execution of the contracts between us and to safeguard its legitimate interests in the collection and repayment of debts that have arisen and any other legal right, to financial institutions, debtors' information companies, law firms.
4. The company may, with your explicit consent, in accordance with the applicable legal framework, process the personal data concerning you for other purposes, such as, for example, the development, improvement and promotion of its services, as well as the provision of privileges.
5. The company undertakes that it will not process personal data of natural persons under the age of eighteen (18) years old, without having previously obtained the consent of the person exercising parental authority over the child (parent or guardian).

LENGTH OF RETENTION OF YOUR PERSONAL DATA

When we provide you with health services, we keep your personal data (simple and special categories - sensitive) for as long as the relevant legislation requires. Specifically, as defined by the Code of Medical Ethics (Law 3418/2005, Government Gazette A 287/28.11.2005) "Article 14 PAR.4 : The obligation to keep medical records applies: a) in private practices and other primary health care units of the private sector, for one decade from the last visit of the patient and b) in any other case, for twenty years from the last visit of the patient."

When we have to comply with a legal or regulatory obligation (e.g. under tax and/or labour, social security legislation), we keep your personal data (simple and special categories - sensitive) at least as long as necessary to comply with that obligation.

We retain the personal data (both simple and sensitive) of individuals who have registered through contact forms, newsletters, and/or our promotional activities for up to five (5) years unless you inform us that you no longer wish to receive newsletters and/or promotional material from us.

GUARANTEES - SAFETY MEASURES

Our company takes all appropriate physical, technical, and organizational measures to protect your personal data in accordance with the applicable legal framework. We limit access to your personal data to only those employees who need to know this data in order to provide benefits or services to you. Additionally, we train employees on the importance of confidentiality and maintaining the privacy and security of your personal data.

YOUR RIGHTS

You have the right to request access to your personal data that we process. Additionally, you have the following rights:

• The right to rectify your personal data by submitting a relevant statement to the company with your precise personal data.
• The right to erasure (in certain cases) of your personal data.
• The right to restrict processing or object to the processing of your personal data.
• The right (under certain conditions) to receive your personal data in order to use them elsewhere (right to data portability).
• In cases where we process your personal data based on your consent, you also have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

These rights may be restricted due to obligations under another law, such as, for example, in the case where you request data erasure while we are obligated to retain it under the law.

Additionally, you have the right to lodge a complaint with the Hellenic Data Protection Authority (1-3 Kifisias Avenue, Postal Code 115 23, Athens, Greece). http://www.dpa.gr/but also the right to appeal to the competent judicial authorities for the protection of your personal data.

For any questions regarding the above or to exercise your rights, you can contact the Data Protection Officer of our company as follows:

• By mail to: Data Protection Officer, Anth. Gazi 118, Postal Code 38221, Volos, Greece.
• By email at: dataprotectionofficer@elpishospital.gr.

Our company will respond to your request free of charge in accordance with the provisions of the applicable legislation, unless it is manifestly unfounded or excessive, especially due to its repetitive nature, in which case it may impose a reasonable fee, taking into account administrative costs for its satisfaction, or refuse to proceed with your request.

VALIDITY - REVISIONS OF THE PERSONAL DATA PROTECTION POLICY

The present Policy is effective from 25-05-2018.

The Company reserves the right to modify and readjust the present Policy whenever it deems necessary, while any changes come into effect upon their posting on the website www.elpishospital.gr.