UAB „Goštauto klinika“ (Klinika GOK)
PERSONAL DATA PROTECTION POLICY
1. Definitions
- LPPDL – The Law on Legal Protection of Personal Data of the Republic of Lithuania.
- ECL – The Law on Electronic Communications of the Republic of Lithuania.
- GDPR – General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.
- Personal Data – Any information relating to an identified or identifiable natural person (Data Subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Personal Data Breach – A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- Data Controller / The Company – UAB „Goštauto klinika“ (operating as Klinika GOK), company code: 124894517, registered address: Žalgirio g. 94-1, Vilnius, email: info@gok.lt.
- Authorized Employee – An employee of the Company who, by virtue of their position and nature of work, has the right to perform specific functions related to data processing.
- Data Recipient – A natural or legal person, public authority, agency, or another body to which the personal data are disclosed, whether a third party or not.
- Data Subject – An employee, client, patient, or any other natural person whose personal data is processed by the Company.
- Data Processing – Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Data Processor – A natural or legal person who processes personal data on behalf of the Company.
Any other terms used in this Policy shall be interpreted in accordance with the definitions set forth in the GDPR and the LPPDL.
2. General Provisions
This Personal Data Protection Policy governs the processing of personal data carried out by UAB „Goštauto klinika“ (the Company) in the course of providing dental services and managing customer service via telephone and/or the official website www.gok.lt.
We take your privacy very seriously. All personal data is collected, stored, and processed in strict compliance with the GDPR, LPPDL, ECL, and other applicable legal acts regulating patient rights. We do not transfer your data to any third parties unless we are legally obligated to do so by law, if it is strictly necessary for the provision of our medical services, or if you have granted your explicit consent.
The Company always operates in accordance with best industry practices to ensure that your privacy is never compromised. This Policy supplementally complements the Dental and/or Oral Care Services Agreement signed with the patient. In the event of any discrepancies between the data protection provisions of the Agreement and this Policy, the provisions of the Agreement shall prevail.Data Protection Officer (DPO) Contact Details:
- Phone: +370 650 69 100
- Email: duomenuapsauga@gok.lt
3. Purposes, Categories, and Retention of Data Processing
A. Provision of Dental Services
- Legal Basis (GDPR): Article 6(1)(a), (b), and (c); Article 9(2)(a), (b), and (h) (processing of special categories of data for health care purposes).
- Data Subjects: Individuals who are currently receiving or have previously received services from the Company.
- Categories of Personal Data: Full name, date of birth, personal identification code (asmens kodas), contact details (phone number, email address), residential address. Special categories of data: medical history, provided services, laboratory test results, diagnoses, specialist visits, clinical photographs, treatment descriptions, and patient health status logs. Also includes the full name and relationship to the patient of any person authorized to receive information regarding the patient's treatment progress and results.
- Retention Period: Personal data is retained for the statutory periods prescribed by the laws of the Republic of Lithuania governing medical archives.
- Data Access and Security: Access is strictly restricted to authorized Company personnel, dentists, and dental assistants.
- Data Recipients: Data is only disclosed to entities legally entitled to receive it (e.g., lawyers, bailiffs, the State Tax Inspectorate (VMI), healthcare regulatory authorities). Data is not transferred to third countries or international organizations. Data may be transferred to specific third parties solely upon the explicit request or consent of the Data Subject.
B. Website Cookie Management
- Data Subjects: Individuals browsing the Company’s website.
- Categories of Personal Data: IP address, network details (browser type and device specifications), and approximate location data collected during website access.
- Data Access: Strictly restricted to the authorized technical staff of the website service provider.
- Data Recipients: Data is not shared with third parties, transferred to third countries, or disclosed to international organizations.
- Cookie Usage: Cookies are small text files placed on your computer or mobile device. The cookies used by the Company are technically necessary for the proper functioning of the website. Most are session cookies, which are automatically deleted when you close your browser.
- Managing Cookies: By continuing to use our platform after receiving the cookie notice, you acknowledge and accept our use of cookies. You can configure your browser to reject some or all cookies, or to ask for your permission before accepting them. For detailed information on altering your browser settings, please visit www.aboutcookies.org or www.allaboutcookies.org.
- Browser-Specific Cookie Management Guides:
• Microsoft Edge
• Google Chrome
• Mozilla Firefox
• Apple Safari
• Opera
• DuckDuckGo
C. Customer Service (via Website, Telephone, Meta, or Alphabet Tools)
- Legal Basis (GDPR): Article 6(1)(a), Article 9(2)(a).
- Data Subjects: Individuals who contact the Company with inquiries.
- Categories of Personal Data: Full name, contact details (phone number, email address), and any other personal information voluntarily provided by the individual during the communication.
- Retention Period: Data is deleted immediately after the inquiry or request has been fully resolved.
- Data Access and Recipients: Restricted exclusively to authorized staff handling customer service. Data is not shared with any third parties.
D. Personnel and HR Management
- Legal Basis (GDPR): Article 6(1)(a), (b), and (c); Article 9(2)(a), (b), and (h).
- Categories of Personal Data & Data Subjects:
• Job Applicants: Full name, photograph, contact details (phone number, email, address), education, professional history, and any other information provided in their CV or cover letter.
• Former Employees: Full name, personal identification code, contact details, and statutory employment records.
• Current Employees: Full name, personal identification code, contact details, photograph, educational qualifications, payroll details, and other mandatory employment data.
- Retention Period: Retained in accordance with statutory timelines defined by labor and archival laws. Candidate data not selected for the role is securely destroyed immediately upon the conclusion of the recruitment process.
- Data Recipients: State authorities and regulatory bodies (e.g., State Tax Inspectorate (VMI), SODRA). No data transfers are made to third countries or international organizations.
E. Financial and Bookkeeping Accounting
- Legal Basis (GDPR): Article 6(1)(a), (b), and (c); Article 9(2)(a), (b), and (h).
- Categories of Personal Data: Settlement details, payment history, billing addresses, bank account numbers, and any transaction details included in payment orders.
- Data Subjects: Individuals executing payments to the Company or individuals receiving payments from the Company.
- Retention Period: Stored for statutory periods required for financial reporting and archiving under Lithuanian accounting laws.
- Data Access and Recipients: Accessible only to authorized accounting personnel and external auditors. Data is disclosed to legal recipients (e.g., banks, lawyers, bailiffs, VMI) when required by law.
4. Data Processors
In accordance with the provisions of the GDPR, the Company has the right to engage external Data Processors (e.g., for outsourced bookkeeping or IT infrastructure management).
- All data processing relationships are strictly bound by a written Data Processing Agreement (DPA) that complies with the security requirements of the GDPR.
- Data Processors are prohibited from engaging sub-processors without the prior written consent of the Company.
- External service providers only process data on behalf of and under the direct instructions of the Company. They are carefully vetted and contractually obligated to maintain data security levels equivalent to those maintained by the Company. All data remains under the ultimate control of the Company.
5. Data Subject Rights and Implementation
The Company is committed to facilitating your data rights without undue delay and, in any event, within one month of receiving a valid request. This period may be extended by two additional months if necessary, taking into account the complexity and number of the requests. The Company will inform you of any such extension within one month of receiving your request, stating the reasons for the delay.Upon proper verification of your identity, you hold the following rights under the GDPR:
- Right to Be Informed: The right to receive clear information regarding data processing, storage periods, data recipients, and criteria used to determine retention, as outlined in this Policy.
- Right of Access: The right to obtain confirmation as to whether your personal data is being processed, and to receive a free electronic copy of the data along with processing details (purposes, categories, sources).
- Right to Rectification: The right to demand that the Company correct inaccurate or incomplete personal data concerning you without undue delay.
- Right to Erasure ("Right to Be Forgotten"): The right to request the deletion of your personal data if the data is no longer necessary for its original purpose, or if you withdraw your consent (where processing is based on consent). Note: This does not apply to data we are legally mandated to retain for medical archives or administrative/security compliance.
- Right to Restriction of Processing: The right to restrict processing if you contest data accuracy, if the processing is unlawful, or if you require the data for legal claims while the Company no longer needs it.
- Right to Data Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format to transmit it to another data controller, where technically feasible.
- Right to Object: The right to object at any time to data processing based on the Company’s legitimate interests. If you object to processing for direct marketing purposes, the Company will cease processing your data for such purposes immediately.
Please note: The Company does not currently utilize any automated decision-making or profiling systems.
To exercise any of these rights, please contact the Company using the DPO contact details listed in Section 2. You also reserve the right to lodge an official complaint with a supervisory authority at any time.
6. Personal Data Breaches
The Company will notify the State Data Protection Inspectorate of any personal data breach without undue delay (and within 72 hours where feasible), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.If a data breach is likely to result in a high risk to your rights and freedoms, the Company will notify you directly via email, SMS, or mail in clear and plain language. The notification will include:
- A clear description of the nature of the breach;
- The contact details of our Data Protection Officer;
- The likely consequences of the breach;
- The mitigation measures implemented by the Company to resolve the incident.
Direct notification to the Data Subject may be waived if the Company had implemented appropriate technical protection (such as encryption) prior to the breach, if subsequent actions have neutralized the high risk, or if direct communication would involve disproportionate effort (in which case, a prominent public notice on our website will be issued instead).
7. Data Security
The Company implements robust administrative, physical, and technical security measures to safeguard your personal data against loss, unauthorized access, or disclosure. These measures include:
- Active and reactive risk management protocols;
- Periodic software and security patching;
- The deployment of advanced firewalls and antivirus tools;
- Strict role-based access control systems and monitored user privileges;
- Regular data protection training for all medical and administrative personnel;
- Thorough security vetting of all third-party Data Processors.
Physical paper documents containing patient data are stored securely in restricted-access facilities equipped with physical lock-and-key protections. All staff members processing personal data are bound by strict statutory and internal confidentiality agreements.
8. Final Provisions
This Personal Data Protection Policy also serves as the official Record of Processing Activities for the Company. As we continually improve our operational procedures, the Company reserves the right to amend this Policy at any time in accordance with updated legislative requirements. All changes will be published immediately on our website. This Policy is reviewed periodically, but at least once every two years.For any inquiries regarding your data or your privacy rights, please contact us:
- Phone: +370 650 69 100
- Email: duomenuapsauga@gok.lt