Personal Data Protection Policy
Director's Order No. AHT.LEG02/08 regarding Amendments to the LLC "American Hospital Network" (Registration No.: 402154342), March 12, 2024
The Personal Data Protection Policy is a set of rules and conditions applicable to LLC "American Hospital Network" (registration number: 402154342; hereinafter "AHT"), the purpose of which is to fulfill the obligations provided for by law and to ensure the protection of human rights and freedoms, including the protection of privacy, when processing personal data.
AHT:
Respects and recognizes fundamental human rights and freedoms in the processing of personal data, including the rights to privacy and to communication;
Commits to strictly comply with applicable legislation when processing personal data, to process data only on the basis of a relevant legal ground, and in accordance with established principles;
Recognizing the value and importance of personal data, strictly protects its confidentiality;
Ensures the appropriate protection and security of personal data;
Uses personal data only lawfully and in good faith;
Provides the data subject, at any time, with complete and exhaustive information regarding the processing of their personal data.
AHT respects Georgian legislation and international standards for the protection of human rights. The protection of patients' personal data and privacy is of special importance to us. Given the sensitivity of the special category personal data we process, we take all necessary measures to protect the confidentiality and security of the data.
AHT ensures that its internal rules and systems for confidentiality and the protection of personal data are fully implemented and comply with the mandatory regulations, which are in full accordance with the current legislation of Georgia. Accordingly, each party involved in this relationship is obligated to ensure that its actions fully comply with the requirements of the applicable legislation on personal data protection, to process personal data in accordance with the procedures defined by the legislation of Georgia and in compliance with its principles, and, where the law requires the data subject's consent for data processing, to obtain and record this consent (in physical or electronic written form). Consent must be informed, voluntary, explicit, specific, simple, and understandable.
Legal basis for the Personal Data Protection Policy document
We process personal data in accordance with the Georgian Law on Personal Data Protection. Your rights are protected by Georgian legislation and the EU General Data Protection Regulation (GDPR).
In the course of data processing, we are also guided by the legislation that regulates the healthcare sector (the Laws of Georgia "On the Rights of the Patient," "On Public Health," "On Medical Activity," and others) and by the sub-regulatory acts that govern our field of activity and the processing of personal data.
When processing personal data, we take into account international and local recommendations and protocols, including those of the World Health Organization (WHO), the European Centre for Disease Prevention and Control (ECDC), and the instructions of the Georgian Personal Data Protection Service.
For the purpose of conducting medical activities, AHT relies on the Constitution of Georgia; the Laws of Georgia "On Healthcare," "On Medical Activities," "On the Rights of the Patient," and "On the Protection of Personal Data"; Order No. 108/n of August 15, 2011, of the Minister of Occupied Territories, Labor, Health and Social Protection, "On the Approval of the Rules for the Maintenance of Ambulatory Medical Documentation"; the same Ministry's Order No. 108/n of January 3, 2019, "On the Establishment of the Rules for the Implementation and Maintenance of the Electronic Health Records System (EHR)," and Order No. 101/n of January 3, 2019, "On the Rules for the Implementation and Maintenance of the Electronic Health Record System (EHR)"; the charter of the medical institution; and other legislative and sub-legislative acts regulating medical activities. Special category data is processed on the basis of these acts.
Definitions of Terms
Principle of Legality and Fairness – We process personal data in accordance with the rules and grounds established by law. We comply with the rules for processing special category data in accordance with the recommendations/protocols of international and local regulatory bodies. We ensure the protection of patients' rights and process personal data in compliance with the principle of equality (non-discrimination). One of our primary goals is to protect patients from stigma and ensure their confidentiality;
Principle of Transparency – Data processing is transparent to the data subject. The patient is informed about the purpose and scope of data processing and about their rights before the processing begins. The data subject may contact us at any time to obtain information about the processing of their personal data, in accordance with and within the deadlines established by Georgian legislation. We notify the data subject of personal data incidents that may affect their rights;
Purpose limitation principle – we process personal data only for the specific purpose for which it was collected. For data collected with the patient's consent to be used for another purpose, we will re-obtain their consent.
Principle of data minimization – We process personal data only to the extent necessary to achieve the purposes specified in this document. When processing data, we consider the proportionality between the purpose and the scope of the data, and the impact of the data processing on human rights.
Principle of Data Accuracy – We ensure that the personal data stored with us, obtained by us, or provided by the patient is accurate and authentic. We immediately correct or delete inaccurate data, whether at the request of the data subject or upon discovering an error ourselves, and we also notify third parties to whom we have disclosed the data of the correction;
Limitation of retention principle – we only retain data for the period necessary to achieve the purpose (a specific retention period is defined for each data category). For the storage of personal data, we determine a specific period in advance or indicate the criteria for determining the period, unless the retention period is established by law;
Data security principle – In order to protect data security, we take such technical and organizational measures during data processing that adequately ensure data protection, including from unauthorized or unlawful processing, accidental loss, destruction, or damage. We adhere to the principle of confidentiality and, to ensure its protection, we define a circle of individuals who, by virtue of their functions, have access to personal data.
3. Personal Data Collection/Access to Information
Data is obtained from the data subject through various sources, including:
Communication with the data subject;
Existence of a contractual or pre-contractual relationship with AHT;
Use of AHT's products/services, including telephone communication, use of the website, and visits to a medical facility and/or home;
Submission of letters/statements by the data subject, including correspondence by mail or email;
Receiving data directly from the data subject, the patient, the patient's relative, the patient's legal representative, or based on a document issued by another medical institution;
Access to data through the Electronic Health Record (EHR) system;
Access to data through electronic systems owned by the implementers of state/local/universal/targeted programs;
Through letters/letters of reference issued by the implementers of state/local/general/targeted programs;
Through letters of guarantee/letters of commitment/policies issued by private insurance companies or other organizations and institutions;
As a result of a patient referral/transfer from another medical facility;
Through the accompanying documentation from the ambulance crew (if available) resulting from the patient's admission to the medical facility.
AHT may also collect and process the personal data of the data subject from publicly available sources (if any).
Electronic Health Record (EHR) System
An electronic health record system (hereinafter – EHR system) is a digital repository of data about a patient's health status.
The AHT physician is obligated to submit information on inpatient and outpatient cases to the EHR system within 14 calendar days of the patient's discharge or the completion of the outpatient visit (except for unidentified patients, for whom the information must be transmitted within 14 calendar days of identification). If data is transmitted to or entered into the EHR system after these deadlines, the case is assigned a "past due" status. Data cannot be entered more than 3 months after the case is closed.
b. Episode/visit data transmitted (entered) into the EHR system by an authorized physician, with the patient's informed consent, may be:
a) Visible (shared) – the data is visible to all physicians authorized in the system, and the data components of the corresponding life history for this episode/visit are also visible;
b) Masked – This status ensures that the data is masked from all users of the system (except for the patient themselves and the person who entered the episode/visit data into the EHR system). Data with this status is also not reflected in the patient's life history.
c) Partially Visible – This status provides partial coverage of the data, where a detailed description of the partially visible/shared data must be provided.
Internal software
c. For the purposes of planning, implementing, managing, administering, safeguarding, reporting on, and monitoring employment and tax legal relations, of conducting litigation and exercising rights of claim in relation to and arising from the employment contract, and of recording the services provided to the patient and ensuring transparency of the work process, AHT uses the software AccuracyMed, an electronic automated management system for a medical clinic, which it has acquired under a perpetual, non-exclusive license.
4. Purpose of data processing
In accordance with the scope of our activities, we process patients' personal data solely for the purposes of providing medical services, public health, and scientific research. The purposes of processing the information provided to AHT by the data subject (the patient) are:
Providing comprehensive outpatient and inpatient medical services to the data subject, establishing a medical diagnosis, and maintaining the corresponding (outpatient and inpatient) medical documentation.
Protection of the person's vital interests;
Archiving data in accordance with public health, as well as the effective functioning of the healthcare system and the procedures provided for by applicable legislation.
Monitoring and improving the quality of services provided;
Responding to complaints/claims/statements. Identifying the individual for the purpose of establishing the identity of the interested party, their representative, and/or the person submitting the statement;
Receiving reimbursement for the medical services provided from insurance companies, the respective funder(s), and/or the implementers of state and/or local government-funded programs and subprograms;
Providing relevant information to state regulatory authorities for the purpose of fulfilling their statutory obligations;
Promoting the prevention of money laundering and the financing of terrorism;
Accounts receivable management;
Litigation;
Fulfillment of an obligation provided for by other legislation.
AHT also processes the candidate's/employee's personal data for the following purposes:
The candidate's data is processed for the purposes of the competition, to determine the candidate's eligibility for the competition;
Upon successful completion of the competition, the data provided by the candidate during the competition stage is used to carry out the procedure for appointment to the relevant position, as provided for by legislation and the institution's internal regulatory acts, and, in connection with the relevant employment relationship, for the purpose of fulfilling the obligations imposed on the institution by law;
Entering into an employment relationship with the data subject; entering into an internship agreement; issuing a payroll card or extending payroll terms to an existing account; issuing a corporate phone number to the employee or connecting them to the corporate network;
The performance of other obligations appropriate to the employment and related relationship.
5. Principles of data processing
AHT processes personal data if one of the following grounds exists:
Consent of the data subject;
Processing is necessary to fulfill the obligations arising from a contract with the data subject or to enter into a contract at the request of the data subject;
Processing of data is provided for by law or by any type of legislative act issued for the purpose of enforcing a relevant law, a relevant state/local public health program/subprogram, etc.;
Processing is necessary for the person responsible for the processing to fulfill their legal obligations;
The data is publicly available;
Processing is necessary to protect the vital interests of the data subject or another person;
Processing of data is necessary to protect a significant public interest;
Processing is necessary to protect the significant legitimate interests of the controller or of a third party, except where there is an overriding interest in protecting the rights of the data subject, including a minor;
Processing is necessary to consider the data subject's request or to provide a service;
Another basis established by the Law of Georgia on Personal Data Protection exists.
6. Bases for processing special category data
In accordance with the above-mentioned principles and for specified purposes, AHT processes the special category data of the data subject if one of the following grounds exists:
Written consent of the data subject;
Processing is necessary to protect the vital interests of the data subject or another person, and the data subject is physically or legally incapable of giving consent to the processing of special category data;
The processing of data is directly and specifically regulated by the Law of Georgia or by any type of subordinate legislative act issued for the purpose of implementing the relevant law, a relevant state/local health protection program/subprogram, etc.;
The processing of data is necessary for preventive, prophylactic, diagnostic, therapeutic, rehabilitation, or palliative care purposes, for ensuring the quality and safety of services, medical devices, and products, or for the purposes of public health and healthcare system management, in accordance with Georgian legislation or a contract with a healthcare professional;
The processing of data is necessary in the field of social security and social protection, including for the management of the social security system and services, in order to perform a duty imposed on the person responsible for processing under Georgian legislation or to exercise specific rights of the data subject;
Processing is necessary for the performance of an employment relationship and its inherent obligations, including to make a decision about employment or to assess an employee's professional skills;
The data was made public by the data subject;
Data processing is necessary to ensure information security and cybersecurity;
The processing of data is necessary for the protection of a significant public interest;
Processing of special category data is necessary for archiving in the public interest, scientific or historical research, or statistical purposes in accordance with the law, if the law provides for appropriate and specific measures to protect the rights and freedoms of the data subject. This ground for processing special category data does not apply if processing of such data is explicitly provided for by a special law under additional and different conditions;
Another legal basis exists.
7. Processing of personal data of minors
AHT always adheres to the principle of protecting the best interests of the minor when processing their personal data.
The processing of special category data concerning a minor is permitted only with the written consent of their parent or other legal representative, except in cases directly provided for by law.
The consent of a minor, their parent, or another legal representative to the processing of data shall not be considered valid if the processing of data endangers or harms the minor's best interests.
A parent or legal guardian has the right to receive complete, objective, timely, and understandable information from the treating physician about a minor's health condition, unless the minor objects to the disclosure of information.
a) A minor patient who is considered legally incapable of consenting under the procedures established by Georgian legislation;
b) A minor patient between the ages of 14 and 18 who, in the opinion of the healthcare provider, has a proper understanding of their own health condition and who has consulted a physician for the treatment of a sexually transmitted disease or drug addiction, for consultation on non-surgical methods of contraception, or for the purpose of terminating a pregnancy;
c) A minor patient between the ages of 14 and 18 who, in the opinion of the healthcare provider, has a proper understanding of their own health condition and who has consulted a physician for an HIV infection/for the purpose of diagnosing AIDS, except when a positive test result for HIV infection/AIDS has already been obtained. In this case, the parent or legal representative of a minor patient between the ages of 14 and 18 shall be provided with the information referred to in paragraph 1 of this article only if there is the patient's informed consent to the disclosure of this information or/and the patient refuses the appropriate treatment and the patient is not considered legally competent under Georgian legislation.
The procedure for notification provided for in paragraph 'g' of this Article shall be determined by the Minister of Labor, Health, and Social Affairs of Georgia for Refugees from the Occupied Territories of Georgia.
A minor patient between the ages of 14 and 18 who, in the opinion of the healthcare provider, has a proper appreciation of their own health condition, has the right to give informed consent for the provision of medical services if they have approached AHT for the purpose provided for in subparagraph (b) or (c) of the preceding article.
A minor patient under the age of 16 shall receive medical services only with the consent of a parent or legal guardian, except in the cases provided for in subparagraphs "b" and "c" of the preceding paragraph of this article. Furthermore, the patient's participation in the decision to provide medical care is mandatory, taking into account their age and mental development.
A minor patient over the age of 16 who, in the opinion of the healthcare provider, is capable of properly assessing their own health condition, has the right to give informed consent or refuse medical treatment. The patient's relative or legal representative shall be informed of this decision.
A minor patient has the right to receive information about their health condition and treatment. The information provided must be appropriate for their age and level of mental development.
8. Storage and protection of the deceased person's personal data
In accordance with our operational objectives, we process the personal data of deceased individuals for public health purposes, to prevent the spread of acute infections, as well as for statistical and research purposes.
In accordance with Georgian legislation, we process the following data of a deceased person without obtaining consent from their heir: the deceased person's first name, last name, gender, date of birth, and date of death.
For the processing of any other data (including special category data), we obtain consent from the deceased person's parent, child, grandchild, or spouse, unless there is another legitimate basis for processing the data besides consent, or the data subject, before their death, prohibited in writing the processing of data about them after their death.
9. Processing of biometric data
The processing of biometric data may only be done if it is necessary:
to carry out the activity;
for security, the protection of proprietary information, and to prevent the disclosure of confidential information, and where these purposes cannot be achieved by other means or would involve disproportionate effort;
In other cases expressly provided for by law.
The processing of biometric data for other purposes and in an unnecessary volume is prohibited. The retention period for the data shall not exceed the period established by law, if any, and in the absence of such a period, 15 years. Upon the expiration of the applicable period, the data shall be destroyed (including deletion). The data subject has the corresponding rights established by law.
10. Pre-contractual relationship and exchange of information before/after the employment contract
AHT, as an employer, has the right to obtain information about a candidate, except for information that is not related to the performance of the job and is not necessary to assess the candidate's ability to perform a specific job and make a corresponding decision.
The candidate is obligated to inform the employer of any circumstances that may interfere with their ability to perform the job or pose a threat to the employer's interests.
The employer has the right to verify the accuracy of the information provided by the candidate.
Information about a candidate obtained by the employer and information submitted by the candidate may not be made available to any other person without the candidate's consent, except in cases provided for by Georgian legislation.
11. Categorization of personal data of the data subject
In accordance with the aforementioned purposes, we process the following categories of data:
Category of patients' personal data:
Patient's identifying information – first name, last name, gender, personal ID number, citizenship, address, date of birth, place of residence, education, profession, place of employment;
Contact information – address, phone number, email;
Medical history (special category data) – information about a patient's medical condition, treatment, medications, and past illnesses;
Diagnostic data (special category data) – test results, medical images, and other diagnostic information used to assess a patient's health condition;
Financial and insurance information – details related to the patient's insurance data, payment information, and records;
Special category data relating to family status and ethnic origin (marital status, number of children, nationality);
Genetic data;
Video monitoring data – recordings of video monitoring conducted by AHT;
Audio monitoring recordings – audio recordings made through the AHT hotline;
Any other data that is linked to the data subject and by which the data subject can be identified or characterized, or grouped with other patients by physical, physiological, psychological, economic, cultural, or social characteristics.
Category of employees' personal data:
Employee's identifying information – first name, last name, gender, personal number, citizenship, address, date of birth, place of residence, education, profession, place of work;
Employee's contact information – address, phone number, email;
Documents confirming the employee's qualifications to ensure their suitability for the specific position;
Financial and insurance information – details related to an employee's insurance and the payment of their salary;
Video monitoring data – recordings of video monitoring conducted by AHT;
Audio monitoring recordings – audio recordings made through the AHT hotline;
Special category data – where required by law for certain positions, such as periodic medical examinations and other checks, as well as information regarding a conviction for a specific position.
Agreements with third parties:
Identifying information of the parties to the transaction – first and last name, personal identification number (if necessary), contact information, job titles;
Contact information – address, phone number, email;
Financial and insurance information – details related to financial settlement.
12. Information to the data subject when data is collected directly from them
When collecting data directly from the data subject, AHT provides the data subject with at least the following information before or at the start of the collection:
a) AHT's brand name and contact information;
b) the purposes and legal basis for the processing of data;
c) whether there is an obligation to provide the data and, if the provision of data is mandatory, the legal consequences of refusing to provide it, as well as whether the collection/processing of data is provided for by Georgian legislation or is a necessary condition for entering into a contract (if such information exists);
d) the significant legitimate interests of the controller or of a third party, if the personal data are processed pursuant to Article 6(1)(f) of the Personal Data Protection Law;
e) the identity and contact information of the Data Protection Officer (if any);
f) the identity of the data recipient or the categories of data recipients (if any);
g) the existence of appropriate safeguards for the planned transfer and for the protection of the data, including an authorization for the transfer (if any), if such a transfer is planned;
h) the retention period for the data or, if it is not possible to specify a specific period, the criteria for determining the retention period;
i) the rights of the data subject.
In order for the clinic to provide medical services to the patient, and in accordance with Order No. 01-41/n of the Minister of Labor, Health and Social Affairs of Georgia of August 15, 2011, "On the Approval of the Rules for the Maintenance of Ambulatory Medical Documentation"; Order No. 108/n of the Minister of Labor, Health and Social Affairs of Georgia of March 19, 2009, "On the Approval of the Rules for the Maintenance of Inpatient Medical Documentation in a Medical Institution"; and the Resolution of the Government of Georgia of February 21, 2013, "On Certain Measures to Be Taken for the Transition to Universal Healthcare," it is necessary to process the patient's identifying and contact information. Also, in accordance with these and other legal acts regulating the healthcare sector, the patient's medical history is maintained, which involves the processing of the patient's special category data.
If the data is not collected directly from the data subject, AHT provides the data subject with the information required by this article. It also informs the data subject which of their data are being processed and the source of the data, including whether the data were obtained from a publicly available source.
The obligation to provide information does not apply to AHT if:
The collection or disclosure of data is established by law or is necessary to fulfill an obligation imposed by Georgian legislation;
The data subject already possesses the specified information;
Providing the information is impossible or would require a disproportionate effort, or fulfilling the obligation under this article would seriously harm or make impossible the achievement of the legitimate purpose(s) of the data processing.
13. Rights of the Data Subject in the Processing of Personal Data
We protect the rights of personal data subjects guaranteed by the Georgian Law on Personal Data Protection and the European Union's General Data Protection Regulation (GDPR). We protect the privacy and inviolability of personal life, guaranteed by the Law of Georgia on the Rights of the Patient.
Given the nature of our activities, it is important to protect the following rights of the data subject:
Right to receive information about data processing
The data subject has the right to request, and we will provide within 10 business days, the following information: what data we process about them (identifying data, medical history, diagnostic data, financial information, data about family status, and other special category data); the basis and purpose of the data processing; the source from which the data is collected/obtained; and the data retention period or, if it is not possible to specify a specific period, the criteria by which the period will be determined. We also provide the data subject with information on the legal basis, purpose, and safeguards for the transfer of their data to third parties.
We will inform the data subject, without undue delay and at the first opportunity, and also upon their request, of an incident (a data security breach that results in the unlawful or accidental destruction, loss, alteration, or unauthorized disclosure of, access to, collection/extraction of, or other unauthorized processing of data) if the incident is likely to result in significant damage or a significant risk to the fundamental rights and freedoms of a data subject. In the event of an incident, the data subject is informed of the incident and its circumstances, the likely or actual damage caused by the incident, the measures taken or planned to mitigate or eliminate it, and the contact details of the Data Protection Officer.
Right to access and copy data
The data subject may request copies of their personal data that we process free of charge. We may charge a reasonable fee if the data subject requests the data in a format other than the form in which it is stored, and this requires us to expend additional resources. In this case, the fee charged will not exceed the cost of the resources expended.
We do not disclose data containing a patient's personal information (including analysis/testing data) to other parties unless the patient has given written consent.
Right to correct, update and complete data
The data subject has the right to request the correction, update, or/and completion of inaccurate, incorrect, or incomplete data concerning them. We will correct the error, both upon the data subject's request and if we discover the error ourselves, and will notify the data subject of this, unless the error is of a technical nature. If an error in the personal data has caused or is likely to cause a significant legal, financial, or other consequence for the patient, we will also notify the patient.
In the event of an error, we will also notify all recipients of the data, the person responsible for all other processing of this data, and any authorized party to whom we have disclosed the data.
The right to restrict processing and to erase or destroy data
The data subject has the right to request that we stop processing their personal data and/or delete or destroy the data we have processed. The request must be fulfilled within 10 business days.
The data subject may be refused the deletion and destruction of data only in the exceptional cases provided for by Georgian legislation, namely:
There is another legal basis for processing the data (a requirement established by law, public health, etc.);
The data is processed for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes, and the cessation of data processing or the exercise of the right to erasure or destruction would make it impossible or significantly harm the achievement of the processing purposes.
If restricting the processing or erasing or destroying the data may lead to significant legal or financial consequences for the data subject (for example, a patient will no longer receive state assistance or be able to participate in a state program), we inform the patient of this before the processing is stopped and/or the data is destroyed.
Right to data blocking
The data subject has the right to request the restriction of processing if one of the following conditions provided for by law is met:
- the data subject contests the accuracy of the data;
- the processing is unlawful, but the data subject objects to the erasure of the data and requests that it be restricted instead;
- the data are no longer necessary for the purposes for which they were processed, but the data subject needs them to pursue a legal claim;
- the data subject has requested the restriction, erasure, or destruction of the data, and this request is under consideration;
- there is a need to retain the data for use as evidence.
A data subject may be denied the restriction of data processing only in the cases provided for by the legislation of Georgia.
Obtaining consent and the right to withdraw consent
Before processing personal data, we will provide the data subject with full information about our data processing procedures and security guarantees.
The data subject is provided with the consent document for personal data processing in hard copy and signs the document after reviewing it. The privacy policy document is also available on our website.
The data subject has the right to withdraw their consent at any time, without any explanation or justification. If no basis for processing exists other than the data subject's consent, then upon withdrawal of consent the processing must be stopped and/or the processed data must be deleted or destroyed within 10 business days of the request. The data subject has the right to withdraw consent in the same form in which the consent was given (in writing).
We will provide information about the possible consequences of withdrawing consent before the data subject does so (material, legal, and other significant consequences).
Right to appeal
If AHT has not performed the action requested by the data subject, specifically, if the processing of the subject's data was not discontinued and/or the data was not deleted or destroyed despite the subject's request, the data subject must be informed of the reason for the refusal and the procedure for appealing the refusal must be explained to them.
If AHT does not carry out the correction, updating, and/or completion of personal data, the data subject shall be informed of the reason for the refusal of the request and the procedure for appealing the refusal shall be explained to them.
The data subject has the right, in case of a violation of their rights and established procedures provided for in the Georgian Law on the Protection of Personal Data, to appeal in the manner prescribed by law to the Personal Data Protection Service and/or the court.
Right to data portability
The data subject has the right to request AHT to receive their personally identifiable data processed automatically in a structured, commonly used, and machine-readable format. Furthermore, the data subject may request that AHT transmit this data to another controller that processes the data.
14. Commission for the Protection of Data Subject Rights
To effectively implement the rights of data subjects as provided for in the policy, a Data Subject Rights Protection Commission is established within AHT, the composition of which is determined by an order of the AHT Director. The Data Subject Rights Protection Commission consists of 3 members, including a chairperson.
The data subject is entitled to submit a request regarding the exercise of the rights provided for in this policy by sending a notification to the Commission for the Protection of Data Subjects' Rights by mail or email; the Commission will review it in accordance with the procedure established by the Law of Georgia on Personal Data Protection and this Policy.
The data subject's statement/notification is sent to the Personal Data Protection Officer and the Commission for the Protection of Data Subject Rights. The Personal Data Protection Officer sends a corresponding recommendation regarding the statement/suggestion to the Data Subject Rights Protection Commission.
At the discretion of the Chairperson of the Commission for the Protection of Data Subject Rights, a person employed by AHT may participate in the Commission's activities without voting rights, taking into account the specific nature of the matter under consideration.
A member of the Commission for the Protection of Data Subject Rights is obligated to declare, before reviewing a data subject's request, all circumstances that could prevent them from making an impartial decision regarding it. In the presence of such circumstances, the member is obligated to recuse themselves. If a member fails to disclose the existence of such circumstances, and the Commission becomes aware of this during the review of the statement, that member's assessment of the application will not be taken into account when making the final decision.
The Commission for the Protection of Data Subject Rights is authorized to make a decision if more than half of its members are present at the meeting.
The Commission for the Protection of Data Subject Rights makes decisions by vote; a decision is considered adopted if it is supported by more than half of the members present at the meeting. In the event of a tie, the chairperson's vote is the deciding one.
The Commission for the Protection of Data Subject Rights makes decisions in accordance with the Law of Georgia on Personal Data Protection and other legislative and regulatory acts, in the manner established by this policy.
The consideration of issues by the Commission for the Protection of Data Subjects' Rights must be objective, fair, and impartial.
The Commission for the Protection of Data Subject Rights is authorized to consider a data subject's statement/notification by electronic communication.
The Commission's well-reasoned decision on the protection of data subjects' rights is recorded in the minutes of the meeting, which are signed by the chairperson and the members present. A member of the Data Subject Rights Protection Commission may attach their dissenting opinion to the minutes, and a corresponding note is made in the minutes.
In case of a violation of the rights and established rules provided for in the Law of Georgia on the Protection of Personal Data, the data subject has the right to appeal to the Commission for the Protection of Data Subjects' Rights.
The data subject has the right to appeal AHT's decision to the Personal Data Protection Service and/or the court.
15. Third parties to whom we disclose data
The purpose of disclosing information to third parties is disease control and prevention, the collection of statistical data, and the facilitation of the implementation of the state health protection program.
Medical data (patient-identifying data, prescription, diagnosis, treating physician) is uploaded to the website of the Georgian Ministry of Internally Displaced Persons from the Tskhinvali Region, Labor, Health and Social Affairs, and Social Protection at www.moh.gov.ge.
In accordance with the obligation established by Georgian legislation and in the prescribed manner, we send/upload the data by electronic and material means:
In accordance with the established procedure for implementing service financing under state health protection programs, we, as the provider, submit the reimbursement documentation to the Ministry of Health and Social Protection. The reimbursement documentation is submitted in printed and electronic form. The list of reimbursement documentation includes the name, surname, personal number, and date of birth of the beneficiary of the State Health Protection Program, or a copy of the birth certificate (in the absence of a personal number);
In accordance with a statutory obligation and in the prescribed manner, we provide information containing personal data to the Social Services Agency, the Insurance Supervision Service, and the Monitoring Service;
Hard-copy documents are, after the expiration of the retention period, transferred by contract for destruction to a company that destroys the personal data without the possibility of recovery.
16. Video Monitoring
AHT's external perimeter is under video surveillance in accordance with Resolution No. 101 of the Government of Georgia of March 2, 2022, "On the Approval of the Technical Specifications and Operating Rules for Automatic Photo and Video Equipment, as well as the List of Buildings and Structures Whose External Perimeter Requires the Mandatory Installation of Automatic Photo and/or Video Equipment", and for the purposes of public safety, the safety of patients and employees, crime prevention, and the protection of property.
For the purposes of crime prevention, the detection/investigation of crime, public safety, the protection of the safety of persons and property, the protection of confidential information, and the performance of other important tasks within the Center's legitimate interests (including incident management and the protection of patient rights, process monitoring, risk management, etc.), and in compliance with the requirements established by the Law of Georgia on the Protection of Personal Data, video surveillance of the exterior and interior perimeters of the building(s), including service areas and work area(s) (specifically, the cashier's office/reception and medication storage rooms), is conducted at AHT via a video surveillance system on a 24/7 basis (hereinafter – Monitoring).
Where video monitoring is conducted, a corresponding warning sign is posted in a conspicuous place, and employees are additionally notified in writing of the specific purpose(s) of the video monitoring. The warning sign must include an appropriate inscription, an easily understandable symbol indicating that video monitoring is in progress, and the name and contact details of the person responsible for the processing.
Video surveillance is not permitted in changing rooms and hygiene areas, or in spaces where the subject has a reasonable expectation of privacy and/or where video monitoring would be contrary to generally accepted moral standards.
When using a video monitoring system in the workplace, all individuals employed at AHT must be informed in writing about the video surveillance and their rights.
The video monitoring system and video recordings are protected from unauthorized interference and use, with access restricted to authorized personnel only. Real-time monitoring can only be performed by duly authorized personnel (security service employees), and the on-screen image is not accessible to any other individuals. Every instance of accessing video recordings is logged, including the time of access and the username, which allows for the identification of the person who accessed it.
Recordings are retained at AHT in accordance with established procedures, for a period appropriate to the legitimate purpose.
17. Audio Monitoring
AHT conducts audio monitoring based on legitimate interest to ensure quality of service control and/or with the subject's consent.
Audio monitoring/recording of telephone communications with AHT is conducted in compliance with the requirements established by the Georgian Law on the Protection of Personal Data.
During telephone communication with AHT, the data subject is informed about the recording of telephone calls in a form that complies with the requirements of Georgian law.
Audio monitoring of the AHT hotline () is conducted on calls initiated by the data subject, based on a prior warning and notification of the recording by a tone signal to the data subject before the audio monitoring begins.
By using the AHT hotline (telephone communication), the data subject consents to the processing of their personal data. If the data subject does not agree with the purposes of the recording and/or does not wish for their data to be processed under audio-monitoring conditions, they must immediately discontinue using the hotline service.
Audio monitoring is conducted for the entire duration of the telephone communication, except in the presence of extenuating circumstances.
When using an audio monitoring system in the workplace, all individuals employed at AHT must be informed in writing of the monitoring and their rights.
AHT is authorized to use the audio recording as evidence for appropriate purposes.
If necessary, the AHT is also authorized to conduct audio monitoring in other cases directly provided for by Georgian legislation and to inform the data subject accordingly.
18. Processing for direct marketing purposes
For its marketing purposes, AHT needs your data and will use it to provide information about services, promotions, products, and offers. Additionally, your data will be analyzed to understand your wants, needs, and requirements, which will result in a decision regarding a service/offer suitable for you.
AHT processes data for direct marketing purposes only with your consent, as well as from sources you provide when using our services.
In addition to your first name, last name, address, phone number, and email address, your written consent is required for the processing of any other data for direct marketing purposes.
AHT will cease processing your data for direct marketing purposes no later than 7 (seven) business days from your request.
You may request that the processing of data for direct marketing purposes be stopped in the same form in which the direct marketing is carried out, or by another available and adequate means specified for requesting the cessation of data processing (for example, an SMS STOP service and/or other methods).
You have the right to withdraw your consent at any time, without any fee or restriction.
AHT records the time and fact of you providing and withdrawing consent for the processing of your data, and data processed for direct marketing purposes is retained until the end of the direct marketing period.
19. Processing of data by an authorized person
Your personal data may be disclosed only to those individuals authorized by the clinic to process personal data, including contractor companies that provide the relevant services.
The transfer of personal data to a person authorized to process personal data is carried out on the basis of a contract that defines the grounds and purposes of the processing, the categories of data to be processed, the retention period, and the rights and obligations of the data controller and the data subject and/or on the basis of law.
A person authorized to process personal data is obligated to comply with personal data protection legislation and to ensure the confidentiality of the information available to them.
A person authorized to process personal data is obligated to process the data within the scope of their competence and for a lawful purpose, which is necessary in accordance with applicable law and arising from an existing contractual relationship to provide the relevant services, for the management and functioning of health care systems, for the rights of employees and their exercise, for the management of employee information, for the fulfillment of obligations imposed by law, and for other necessary purposes.
A person authorized to process personal data is obligated not to disclose or transfer personal data to a third party.
A person authorized to process data is obligated to protect personal data, including special category and health-related personal data (if any), to process them fairly, lawfully, and transparently, without infringing upon data subjects' rights.
A person authorized to process data who, in the course of a contractual relationship, processes personal data is responsible for the disclosure, unlawful use, or loss of personal data, illegal acquisition, alteration, illegal destruction, and other unlawful acts.
All authorized persons are obligated to process data for the purpose specified by the clinic and to protect the confidentiality of the information received. Furthermore, the authorized person is obligated to have implemented organizational and technical security measures. The authorized person is fully liable for any damage or loss caused to the clinic and/or any third party for a breach of these obligations.
The person authorized to process personal data, in the event of the termination of the contractual relationship, shall immediately ensure the return of personal data to the person responsible for processing personal data, the cessation of processing and the deletion of personal data from its own database.
Persons authorized to process personal data may be:
Laboratory service providers;
Healthcare providers;
Information Technology (IT) service providers;
Operators of the Electronic Medical Record (EMR/EHR) system;
Health insurance companies (for administering insurance claims);
Telephone and communication service providers (for example, for patient registration or providing information).
The data subject has the right to contact the AHT Patient Administration and Registration Service and/or the Personal Data Protection Officer at any time to obtain detailed information about the persons authorized to process the data.
20. Data Security
AHT ensures the secure protection of personal data and takes all necessary technical and organizational measures to do so.
AHT protects personal data from unauthorized or unlawful access, accidental loss, damage, disclosure, or destruction.
After the purpose of processing personal data has been fulfilled, we regularly delete and destroy personal data that is beyond the specified retention periods, without the possibility of recovery, or we retain it in a depersonalized form for analytical and statistical purposes.
Our employees are bound by confidentiality obligations, both by their employment agreements and by the Center's internal regulations. This obligation to maintain confidentiality continues even after their employment contract has ended.
When processing personal data, for data security, AHT ensures the consistent implementation of the following relevant software, electronic, and digital measures:
- Data protection: A multi-layered approach is used, combining physical, technological, and administrative measures.
- Security of digital and physical assets: Security protocols are enabled on electronic devices, digital files, and physical storage media to protect systems from unauthorized access and to ensure data integrity.
- Access and Control Mechanisms: Security control systems, access restrictions, and surveillance systems are implemented to protect against unauthorized access, misuse, or theft.
- Strict Compliance and Training: Staff are trained and required to adhere to the data protection policy, which complies with both legal and internal regulations.
- Monitoring/Logging: All data modifications in electronic systems are recorded in an electronic journal, which allows for the monitoring of all data processing activities.
- Confidentiality: At AHT, the confidentiality of personal data is strictly protected. Only employees who need the data to perform their assigned duties have access to it. Hard copy documents are stored in a dedicated room, the security of which is ensured by the technical and organizational security measures AHT has implemented, while the electronic database is protected and can be accessed only by an authorized person using a username and password. All employees who have access to the information have signed a confidentiality agreement, which remains in effect even after their employment is terminated.
- Waiting area and queue management system: A space is designated for individuals waiting for a doctor's appointment in a way that minimizes the risk of accidental disclosure of patient data. A queue number system is implemented (each patient is called by their corresponding queue number, not by their identifying information), and appropriate intervals are maintained when scheduling doctor's appointments.
- Confidentiality during the consultation process: Medical personnel are obligated to maintain the confidentiality of information received from the patient, including during the consultation itself. During the provision of medical services, medical personnel will not permit the presence of other individuals. An exception is a patient's request for another person to be present. However, even in such cases, the medical staff must ensure that the patient's consent to have a third party present during a consultation or other medical procedure is voluntary. The medical staff speaks with the patient in a private space to prevent accidental or intentional intrusion by third parties and/or the disclosure of details from the patient interview to outside individuals.
Control of data processing
Compliance with this Personal Data Protection Policy and the applicable legislation in the field of personal data protection is regularly reviewed and monitored. The checks and controls are carried out by employees of AHT's structural units who are duly authorized and/or the Personal Data Protection Officer.
AHT is obligated to provide periodic training for employees to ensure strict compliance with the requirements of this policy and the legislation on personal data protection.
All relevant departments of AHT are obligated to ensure the recording of all actions performed on data in electronic form. When processing data in non-electronic form, AHT must ensure the recording of all actions related to the disclosure and/or modification of the data.
AHT and any of its employees who participate in data processing are obligated not to exceed the scope of their granted authority. Additionally, they are obligated to maintain the confidentiality of the data, including after their termination of employment.
21. AHT Staff Obligations
Each employee of AHT is obligated:
- to adhere to AHT's data protection policy document;
An employee of AHT who, in the course of an employment relationship, for official purposes and within the scope of their competence, has access to personal data, processes it and maintains the relevant documentation, whether electronically or in hard copy, is obligated to adhere to proper documentation procedures, maintain the confidentiality of the records contained in the documentation, and store said documentation in a secure, dedicated location at AHT where it will be protected from damage/destruction and from access by third parties.
An employee of AHT who, in the course of an employment relationship and for a lawful purpose, maintains relevant documentation and processes a person's personal data within the scope of their competence is responsible for the protection of that documentation and is liable for the disclosure, unauthorized use, loss, unauthorized acquisition, alteration, or unlawful destruction of the personal data contained therein.
AHT personnel are obligated to comply with Georgian legislation on personal data protection and to ensure the confidentiality of any patient information in their possession.
- AHT personnel who, in the course of an employment relationship, in the performance of their official duties, for a lawful purpose, within the scope of their competence and in the course of providing medical services to a patient, have access to and process the patient's personal data are responsible for the disclosure, unlawful use, loss, unlawful acquisition, alteration, or unlawful destruction of that data.
- An employee of AHT who, in the course of an employment relationship, in the performance of official duties, for a lawful purpose and within their competence, stores the relevant documentation, including processing a person's special category personal data, is obligated to be guided by and comply with the Georgian Law on Personal Data Protection, the relevant regulations, medical guidelines, other legal acts, and the relevant instructions/bylaws/policies of AHT.
In the context of an employment relationship, authorized medical personnel must process patients' personal data within the scope of their competence and for a legitimate purpose, in accordance with applicable legislation and/or as arising from the provision of medical services, where this is necessary to ensure the proper delivery of services to the patient, for the management and functioning of health care systems, for AHT's appropriate reporting, for fulfilling statutory obligations, and for other needs.
- When an issue involves the transfer of a data subject's personal data to third parties/competent authorities, the legality of such a request must first be verified with AHT's Legal Department and/or the Data Protection Officer, who are to be provided with the necessary information/documentation; only after receiving their consultation and confirmation may the information be disclosed on behalf of AHT;
Employees of AHT are prohibited from leaving documents and files containing personal data unattended.
An employee of AHT is obligated not to disclose or transfer another person's personal data to a third party. The obligation to protect personal data remains in effect even after the individual is no longer in an employment relationship with AHT. In the event of a violation of these requirements, AHT is entitled to compensation, and the employee is obligated to reimburse any resulting damages.
- not to disclose his/her user ID and password for accessing his/her work computer and/or AHT software to any third party, including another employee;
- to take all necessary measures to adequately ensure the protection of data against accidental or unlawful destruction, alteration, disclosure, acquisition, any other form of unlawful use, and accidental or unlawful loss.
Violation of the approved rules and existing regulations on the processing of personal data constitutes grounds for imposing disciplinary liability on an AHT employee.
22. Disciplinary Responsibility
In the event of a violation of the requirements of applicable Georgian legislation and policy, AHT is authorized to impose the following disciplinary measures on the respective employee:
i. Warning;
ii. Reprimand;
iii. Withholding from payments;
iv. Termination of employment;
v. Compensation for damages.
Disciplinary sanctions are imposed in accordance with the AHT Disciplinary Sanctions Regulations, which determine the level of disciplinary accountability for each individual case based on an assessment of the factual circumstances and the severity of the violation.
23. Data Storage and Deadlines
AHT stores personal data in a secure environment.
AHT determines the retention periods for each data category individually, based on the law, its own legitimate interest, and purpose.
AHT is guided by the following criteria regarding data retention periods:
Statutory deadlines;
Deadlines specified in the contract;
Deadlines based on expiration/archiving rules (except for corrections);
Inspection deadlines by the supervisory authority;
The existence of a legitimate purpose and/or interest;
Specifics/scale of service delivery;
Compliance with the law and, in unregulated cases, adherence to internal regulations.
24. Data Protection Officer
In compliance with the requirements and deadlines established by personal data protection legislation, a Personal Data Protection Officer has been appointed at AHT.
The Data Protection Officer is an independent entity that advises AHT and its data processors, provides expert advice on compliance with data protection requirements and performs other data protection-related functions.
AHT's Personal Data Protection Officer is Mariam Gokhidze (P/N 61004059390).
The data subject has the right to contact the Personal Data Protection Officer (pdpo@ahtbilisi.com), in which case the officer is obligated to provide information about the processing of the data subject's data and the data subject's rights.
Final Provisions
If any provision may be construed ambiguously or a conflict arises in its application, the Company is obligated to prioritize the highest value of personal data protection and to align its actions with the applicable legislation of Georgia, for the benefit of personal data protection.
Matters fully regulated by these provisions may be approved by additional orders, as well as by amending these provisions and/or by supplementing them with the provisions specified in the current legislation of Georgia.
The issues addressed in these provisions do not imply or confirm that the company processes data; these provisions define the rules that must be followed in the event of data processing.
Policy changes
AHT reserves the right to update this policy at any time, which will be made available to the data subject through all possible means.
Exercise of rights
The customer/patient has the right at any time to contact AHT for information regarding this policy at the following address: Tbilisi; email: — ; or to contact AHT's Personal Data Protection Officer, Mariam Gokhidze (P/N 61004059390), at pdpo@ahtbilisi.com, and/or AHT's "Data Subject Rights Protection Commission" at the following email address: chancellery@ahtbilisi.com.
Director
Joseph Shalev