1. Introduction
This document sets out the principles of personal data processing by FLOW Rehab Care s.r.o., Company ID No.: 17843642, with its registered office at Opletalova 600/6, Brno-město, 602 00 Brno (hereinafter the “Company”), which provides healthcare services in the fields of physiotherapy, rehabilitation, and physical medicine.
2. Data Controller
The data controller is the Company. Contact details:
E-mail: info@flowrehabcare.cz
Phone: +420 776 317 510
3. Purposes of Personal Data Processing
The Company processes personal data for the following purposes:
- provision of healthcare services,
- maintenance of medical records,
- appointment booking,
- compliance with legal obligations (in particular pursuant to Act No. 372/2011 Coll., on Health Services),
- communication with patients,
- operation and analytics of the website.
4. Legal Basis for Processing
Personal data is processed on the basis of:
- compliance with a legal obligation (e.g., retention of medical records),
- performance of a contract (e.g., booking a service through the reservation system),
- legitimate interest of the controller (e.g., website traffic analysis),
- consent of the data subject (e.g., sending marketing communications, where applicable).
5. Scope of Processed Data
The Company may process the following data:
- first and last name,
- date of birth,
- personal identification number (where required by law),
- residential address,
- telephone number, e-mail address,
- medical documentation and medical history,
- IP address and technical device data (when visiting the website),
- appointment bookings.
6. Recipients of Personal Data
Personal data may be made available to the following processors or recipients:
| Recipient | Purpose of Processing |
|---|---|
| Websupport s.r.o. | Web hosting and website operation |
| WEDOS a.s. | E-mail services |
| Reservanto s.r.o. | Appointment booking and reservation system |
| MSC Advisors s.r.o. | Healthcare information system (electronic documentation) |
| Drábek.digital s.r.o. | Website management and maintenance |
| Vojtěch Vais | Website traffic analytics |
| STORMWARE s.r.o. | Accounting and invoicing |
All processors are bound by a data processing agreement and act in accordance with the GDPR.
7. Transfer of Data Outside the EU
The Company does not transfer personal data to third countries outside the EU.
8. Data Retention Period
Personal data is retained:
- for the duration of the provision of healthcare services,
- in accordance with Decree No. 98/2012 Coll. (on medical documentation) – typically 10 years from the last entry,
- reservation and communication data for 3 years,
- analytical data for a maximum of 26 months or according to the settings of the analytics tool.
9. Rights of Data Subjects
Data subjects (patients) have the following rights:
- the right of access to personal data,
- the right to rectification or completion,
- the right to erasure (where permitted by law),
- the right to restriction of processing,
- the right to data portability,
- the right to object,
- the right to lodge a complaint with the Office for Personal Data Protection (www.uoou.cz).
10. Personal Data Security
The Company has implemented technical and organizational measures to protect personal data, including:
- access passwords and encryption,
- two-factor authentication,
- restricted access to data based on user roles,
- contractual safeguards with external processors,
- regular data backups.
