Personal Data Protection Policy of the private practice of George Kalarritis
Psychologist George Kalarritis must comply with the General Data Protection Regulation (the GDPR) which came into force on 25 May 2018 in relation to all personal data. GDPR has been designed to give individuals back control of their own personal data, to ensure greater accountability for those that handle personal data, and to simplify regulations across the EU.
The purpose of this Policy is to provide a framework within which every current client who receives counselling and/or psychotherapeutic services, every employee, collaborator, enrolled trainee, other client who uses our services, member of the public who uses our electronic pages, and supplier understands, agrees to and complies with the regulation, with the aim of ensuring the confidentiality of any personal data held by us, whatever the medium.
The GDPR outlines six data protection principles we must comply with when processing personal data. These principles relate to:
- Lawfulness, fairness and transparency – we must process personal data lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation – we must only collect personal data for a specific, explicit and legitimate purpose. We must clearly state what this purpose is, and only collect data for as long as necessary to complete that purpose.
- Data minimisation – we must ensure that the personal data we process is adequate, relevant and limited to what is necessary in relation to our processing purpose.
- Accuracy – we must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that we erase or rectify erroneous data that relates to them, and we must do so within a month.
- Storage limitation – we must delete personal data when we no longer need it. The timescales in most cases aren’t set; they will depend on the business’s circumstances and the reasons for collecting this data.
- Integrity and confidentiality – we must keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The policy and the GDPR apply to all personal data processed by us in hard copy or electronically regardless of where the data is held and who owns the device on which it is stored so long as its processing is carried out for our practice-related purposes.
We are committed to complying with the GDPR as an employer and a service provider.
We will ensure that we comply with both the law and good practice in all our dealings with the personal data that we hold on individuals. In particular, we will respect the rights of individuals and be open and honest with those whose data is held, provide appropriate training and support for staff and members who handle personal data, and follow the data protection principles of good information handling which are set out in the General Data Protection Regulation (GDPR).
In order to do so, we:
- Rely on appropriate lawful grounds for processing personal data or obtain consent when collecting it.
- Inform clients, employees, collaborators, trainees, service recipients and suppliers how their data is processed, on what grounds, for what purposes and for how long, as well as who it is shared with.
- Ensure that employees, trainees and collaborators are appropriately trained in managing personal data, and that records containing personal data are effectively managed.
- Keep personal data safe and secure.
- Observe the rights of individuals under the GDPR.
The GDPR can be found in Greek and in English here
The Hellenic Data Protection Authority’s website contains a wide range of policy and guidance around Data Protection. http://www.dpa.gr/
Personal data is any information relating to an individual who can be directly or indirectly identified by reference to their name, identification number, location data or online identifier. The GDPR applies both to automated personal data and to manual filing systems where personal data is accessible according to specific criteria; for example, chronologically ordered sets of manual records containing personal data.
Special category personal data are sets of sensitive personal data relating to the race or ethnic origin, political opinion, religious belief, trade union membership, genetics, biometrics (where used for identification purposes), health, sex life or sexual orientation of an individual. Processing of such personal data is generally prohibited except for the reasons clearly stated in the regulation (Article 9). After obtaining written consent, we collect and process such data only within the counselling and psychotherapeutic work of the private practice, and only insofar as the individuals who receive counselling from us disclose it during their counselling sessions. Such information is used strictly for counselling purposes and is kept safe to the highest standards.
Confidential data is information given in confidence or agreed to be kept confidential and therefore not in the public domain. Some confidential data may also be personal data and/or special category personal data and therefore fall within the scope of this policy. We also handle research data, which comprises materials collected or created for the purposes of analysis to generate original research results, some of which may contain personal data and/or special category personal data; the scope of this policy applies in all such cases.
Data subject is the individual whose personal data is being processed.
Data processing is widely defined and includes every possible form of action that may be undertaken in relation to data, including:
- Obtaining information,
- Recording information,
- Keeping information,
- Using information in any way,
- Sharing or disclosing information,
- Erasing and/or destroying information
The processing of the personal data of an individual shall be lawful where the individual is at least 18 years old. Where the individual is below the age of 18 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the individual.
A controller is any individual or organization that determines the purposes and means of processing personal data. Controllers are not relieved of their obligations where a processor is involved as the regulation places further obligations on them to ensure their contract with processors complies with the GDPR.
A processor is any individual or organization that processes personal data on behalf of the controller. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of the personal data you hold and your processing activities. You will have a legal liability if you are responsible for a breach.
Personal data of trainees
The Application Form for prospective trainees will include information on data protection so that, in signing up, the prospective trainee consents to the private practice holding and processing Personal Data including Sensitive Data.
Personal data of employees and collaborators
The private practice’s Contract of Employment for staff provides that staff give their consent to the employer holding and processing Personal Data including Sensitive Data.
Personal data of prospective and current counselling and psychotherapy services recipients
Consent to the psychologist’s private practice holding and processing Personal Data including Sensitive Data will be obtained from prospective counselling/psychotherapy services recipients, by means of a declaration on the information forms which they are required to complete.
Rights for individuals
The GDPR provides the following rights for individuals:
The right to be informed
- Individuals must be provided with clear information about the purpose(s) for which their personal data is processed, the retention periods, with whom the data will be shared and their rights.
- This information must be provided at the point of data collection.
- If personal data is obtained from other sources, we must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
- The information provided to people must be concise, transparent, intelligible, easily accessible, and it must be in plain language.
The right of access
- Data subjects have the right to access their personal data and supplementary information, so that they are aware of, and can verify, the lawfulness of the processing.
- Subject Access Requests must be in writing and be forwarded to the Data Protection Officer to coordinate the gathering of information.
- Upon receipt of a Subject Access Request, the psychologist will provide one copy of the specified information free of charge within one month of receipt of the request; additional copies may be provided at an additional cost.
- Information will only be provided using reasonable (and secure) means after verifying the identity of the person making the request.
The right to rectification
- Data subjects have the right to have personal data rectified if it is inaccurate or incomplete.
- All requests for rectification must be dealt with within one month of receipt of the request.
- Where personal data has been shared with others, the psychologist will contact each recipient to inform them of the rectification, unless this proves impossible or involves disproportionate effort.
The right to erasure
The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. Requests to be forgotten must be dealt with where:
- The personal data is no longer necessary for the purposes for which it was originally collected.
- The individual objects to the processing and the psychologist has no overriding legitimate interest to continue the processing.
- The personal data was unlawfully processed.
- All requests “to be forgotten” must be forwarded to the Data Protection Officer.
- The psychologist can refuse to comply with a request for erasure if the personal data is processed to comply with a legal obligation in the public interest, or to exercise or defend legal claims.
- Where personal data has been shared with others, the psychologist will contact each recipient to inform them of the erasure; unless this proves impossible or involves disproportionate effort.
The right to restrict processing
- Individuals have the right to request the restriction of processing or suppression of their personal data.
- This is not an absolute right and only applies in certain circumstances.
- When processing is restricted, the psychologist is permitted to store the personal data, but not to use it.
- An individual can make a request for restriction in writing to the Data Protection Officer, who is obliged to process the request within a calendar month.
- The psychologist can refuse to comply with a request for restriction of processing if the personal data is processed to comply with a legal obligation in the public interest, or to exercise or defend legal claims. The psychologist can also refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature; in that case the psychologist may charge a “reasonable fee” to deal with the request, or refuse to deal with it.
The right to object
- The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
- Individuals have an absolute right to stop their data being used for direct marketing.
- In other cases where the right to object applies, the psychologist may be able to continue processing if it can show that it has a compelling reason for doing so.
- The psychologist must tell individuals about their right to object.
- An individual can make an objection in writing to the Data Protection Officer and the psychologist is obliged to process the request within a calendar month.
Purposes and principles of data collection and processing
The psychologist needs to collect and store certain personal data about its counselling/psychotherapy recipients, employees, collaborators and trainees to allow it to maintain its core operations. Personal data will include staff and trainee records, service recipient records, research data, counselling records and details of financial transactions. Other information about its staff and trainees enables the psychologist to monitor its performance and achievements, and its compliance with health and safety and other legislation. To comply with the GDPR, data must be collected and used fairly, stored safely, and not disclosed to any third party unlawfully. The six Data Protection Principles of Good Practice are the cornerstone of our Data Protection Policy.
For the psychologist to process data fairly, we will:
- Ensure we have a legitimate reason to obtain and process the data.
- Make data subjects aware that their data is being used and obtain their consent; they must have a clear understanding of the reasons for which the psychologist processes their data and must never be deceived or misled.
- Ensure that personal data is only obtained from a data subject who is legally authorized to provide it.
The following activities are strictly prohibited:
- Using data obtained for one purpose for a supplemental purpose e.g. using contact details provided for HR-related purposes for marketing purposes.
- Disclosing personal data to a third person outside of the psychologist’s private practice without the consent of the data subject.
Managing Data in Compliance with the GDPR
Whenever data is gathered or collected for the private practice’s purposes, including data obtained for academic research, we must comply with the GDPR.
- We only collect the personal data we need.
- We tell our data subjects in clear terms and preferably in writing what information is being collected, on what bases, for what purposes and with whom it may be shared.
- We keep the data we have collected secure in accordance with the guidelines found within this policy.
Keeping and maintaining data
- We keep records up to date and regularly check them for accuracy; we record any changes and delete any obsolete information.
- We only keep relevant and necessary records; we carry out regular administration of files and records to remove duplicates and irrelevant information.
- Individuals have the right to see their personal data, including any comments about them.
- We restrict access to those employees or individuals who require access for legitimate business, operational, training, counselling, psychotherapeutic, supervision, research reasons.
- Data collected for one purpose cannot be used for another without the individual’s knowledge and consent.
- Information and documents containing personal data to be referred to or used for the private practice’s purposes are kept centralised in a single location. In order to avoid duplication or fragmentation of information, no private files are held.
- When employment/training/service ceases, the relevant file is closed and is kept in the archives for different lengths of time depending on the kind of record/file. Confidentiality must be maintained at all times when personal data is disposed of, in accordance with the guidelines found within this policy.
- Individuals have the right to see all information held about them.
- Personal data should only be disclosed to third parties within or outside the psychologist’s private practice, including members of staff, collaborators and trainees, if they have a legitimate reason to access the information, and only with the consent of the data subject.
Any information that employees, collaborators and trainees access when conducting relevant business that pertains to individuals is covered by the GDPR.
Staff and students can avoid the most common causes of data loss and breaches by adhering to the following:
- Always keep personal data secure
- Keep paper files in locked cabinets/drawers or locked offices when not in use, and store them securely at the end of business – never leave paper files on desks.
- Lock your office when left unattended during meetings or breaks.
- Log off or lock your computer screen when away from it.
- Use password protection or encryption for electronic files/documents containing special category data.
- Take special care when transferring personal data onto a memory stick, laptop or any other mobile device – use password protection and encryption where appropriate.
- When including personal data in an email, use password protection or encryption where appropriate.
- Change your password frequently.
- Don’t copy personal data unless absolutely necessary.
- Deal with any payment information in a timely manner and dispose of the information securely once work is completed.
- When taking payment information over the telephone, ask the caller to repeat the information if something is unclear – do not repeat any of the information in front of others with no legitimate right to access it.
- Never discuss personal information about individual(s) who are service recipients, members of staff / training programs in front of others with no legitimate right to access such information.
Restrict access to personal data
- Access to personal data should only be granted to the psychologist’s private practice staff who have legitimate reasons to access it.
- Personal data must not be disclosed to third parties without express written consent from the data subject.
- Unauthorized third parties must not be able to view digital screens displaying personal data.
Store personal data securely
- Whenever possible, store personal data on a computer server.
- Never store personal data on a mobile device or home computer unless necessary and the device has been encrypted where appropriate.
- Don’t store or transfer personal data where there is a risk that it will be lost or exposed e.g. on unencrypted USB drives, mobile devices or laptops.
Dispose of personal data carefully
- Shred paper files or dispose of them securely.
- If you store personal data on your own device, you must securely erase it before disposing of it.
Report data breaches
- The psychologist has an obligation under GDPR to maintain a record of all data breaches and to report certain breaches to the Hellenic Data Protection Authority, if possible, within 72 hours of their occurrence.
- All data breaches must be reported immediately to the Data Protection Officer as soon as someone becomes aware of them, including lost or stolen laptops, memory sticks or other mobile devices as well as accidental disclosures of information e.g. sending an email containing personal data to the wrong recipient.
Responsibilities of Employees, Collaborators, Trainees, and other Services Recipients
Compliance with the GDPR is the responsibility of all members of the psychologist’s private practice. Employees, collaborators, trainees and service recipients must ensure that they are familiar with the GDPR and this Data Protection Policy and related documents, which they are expected to abide by.
Any breach of the GDPR and this Data Protection Policy, whether deliberate or through negligence, may lead to disciplinary action being taken, or access to the private practice facilities being withdrawn, or even a criminal prosecution.
All employees are responsible for:
- Checking that any information they provide in connection with their employment is accurate and up-to-date.
- Informing the psychologist of any errors or changes.
Staff whose work involves the management of trainees’ personal data must ensure they observe the six data protection principles of the GDPR and comply with this Data Protection Policy and any amendments or supplementary guidance issued from time to time.
Trainees are responsible for:
- Ensuring that all personal data provided to the psychologist is accurate and up to date.
- Informing the psychologist of any errors or changes.
- Trainees who, in the course of their program of study, process personal data must do so in accordance with the provisions of the GDPR, this Data Protection Policy and any amendments or supplementary guidance issued from time to time.
- Trainees who are undertaking placements and/or research projects using personal data must ensure that:
  - The client/research subject is informed of the nature of the research and consents to their personal information being used.
  - Their Supervisor is informed of the proposed research before it begins, and ensures that there is a licence to undertake this kind of research.
  - All personal data are kept securely.
Personal names and other professional data may be published on the psychologist’s external website, unless the individual concerned informs the Data Protection Officer, in writing, that they do not wish this information to be disseminated in this way.
Staff responsible for producing pages for the external website must ensure that any individual named on those pages has not refused permission to publish their details, by checking either with the individual or with the Data Protection Officer.
Data Protection Officer
George Kalarritis has been designated as Data Protection Officer.
Data Protection Officer
81, Kyprion Agoniston Street, 15126 Marousi-Athens, Greece
Reproduction of the above is strictly forbidden in any form.