PRIVACY PROTECTION/PERSONAL DATA POLICY

Last Modified: 13/3/2025

The Company THNM GROUP OE (TIN No. 801807760, G.E.MI No. 163720003000), based at 144 G’ Septemvriou Street, Athens, is the Administrator of the website https://myndfultalk.com/ and the corresponding mobile application named MyndfulTalk (hereinafter referred to as “the Company”), which has been established and operates in accordance with Greek law and is under its management. If you wish to access and use the website and services of MyndfulTalk, you must carefully read this Privacy Protection/Personal Data Policy to be informed about the ways in which we store and process your data. This policy complies with the General Data Protection Regulation (GDPR) of the European Union (Regulation (EU) 2016/679) and adheres to the relevant opinions and decisions issued by the Data Protection Authority, as well as the legislation in force in Greece for the protection of personal data, as provided by Law 4577/2018 for the implementation of the GDPR, Law 4624/2019, Law 3471/2006 and the other provisions of the applicable Greek legislation on the protection of personal data of any kind.

The Company recognizes as personal data any information concerning individuals who are either identified or identifiable, such as name, address, identification number, IP address, health information, insurance coverage, employment status, father’s or spouse’s name, Social Security Number (AMKA), Tax Identification Number (AFM), identity card or passport number, contact information, etc. Certain data, such as those relating to health, racial or ethnic origin, trade union activity, etc., are considered special category data and are particularly protected. These rules apply when the collection, processing, or storage of personal data is carried out either digitally or in physical form via an organized filing system. Additionally, the Company may process personal data for legal entities, such as companies or organizations, when required to fulfill legal or contractual obligations, manage client relationships, or engage in other business activities.

Visitors can browse the website to obtain information related to mental health and wellness advisory services. Furthermore, during your interaction with the company’s website, certain data is automatically collected from your device or the web browser you use (“cookies”). For more information on how we use cookies and your options, please see https://myndfultalk.com/en/cookie-policy/

Information regarding minors: Our website is not intended for use by minors, and in such cases, the company does not collect Personal Data of minors under the age of 15 without parental or guardian consent. In any case, the company deletes any personal data of minors under the age of 13. If you are a parent or guardian of a child under the age of 13 and concerned that your child may have provided us with their personal data, please contact us.

The Company is the data controller of your personal data, determining the purposes and methods of their processing. Furthermore, the Company wants to reassure that during the processing of personal data, no automated decision-making process is carried out, as defined in Article 22 of Regulation (EU) 2016/679. Therefore, no processing procedures are undertaken that involve legal consequences for individuals or legal entities through automated methods alone, such as information systems, online programs, or other software without human intervention.

Contact Information for Data Processing:

Company Name: THNM GROUP O.E
VAT: 801807760
Phone: +30 2103000174
E-mail: info@myndfultalk.com

Definitions

  1. User/Visitor is the individual who browses the website without registering or creating an account on the website.
  2. User/Recipient is a natural or legal person who uses the website to make bookings and receive mental health and wellness advisory services.
  3. Specialist/Partner is the professional who provides advisory services through the website.
  4. Employees/Potential Employees/Companies are the professionals or organizations employed by the Company or those it intends to employ in the future, either in the form of dependent or independent work, to serve customers, provide technical support, administrative support, marketing/sales promotion, or other business consulting services for the smooth operation of the Company’s processes.
  5. Personal Data: Information related to a natural person through which that person can be identified directly or indirectly, such as name, identification number, location data, or information about their physical, mental, or social condition.
  6. Processing: Any action performed on personal data, such as collection, storage, retrieval, use, dissemination, or deletion.
  7. Restriction of Processing: Marking data for limited future processing.
  8. Filing System: An organized collection of data accessible according to specific criteria.
  9. Data Controller: The person or entity that determines the purposes and means of processing personal data.
  10. Data Processor: The person or entity that processes personal data on behalf of the data controller, subject to terms.
  11. Recipient: A person or entity who receives personal data, other than the data subject, the data controller, or the data processor.
  12. Third Party: Any person or entity that is neither the data subject, the data controller, nor the data processor.
  13. Consent: A free and explicit approval by the data subject for the processing of their personal data.
  14. Personal Data Breach: Accidental or unlawful destruction, loss, alteration, or unauthorized access to personal data.
  15. Special Categories of Data: Data related to race, political opinions, religion, health, sexual life, sexual orientation, genetic and biometric data, as well as other data that result in the undeniable identification of a person, pursuant to Article 9(1) of the GDPR.

Categories, Purpose/Legal Basis, Processing of Personal Data, and Data Retention Period

User/Visitor

The Company collects personal data from users/visitors of its website when they interact with it. This data includes the user’s/visitor’s email address if they provide it on the website to receive updates via email. The processing of personal data is carried out based on your consent, in accordance with Article 6(1)(a) of the GDPR. Specifically, with your consent, your data may be used for sending newsletters and promotional messages. The processing lasts up to three years or until you revoke your consent by unsubscribing. Additionally, the website uses cookies for analytical, statistical, and advertising purposes, as well as for improving the provided services. Further details are available in the Cookie Policy.

User/Recipient

The Company processes the personal data of Users/Recipients for specific purposes, in accordance with the applicable legal framework:

  • Contract Formation and Execution (GDPR Article 6(1)(b)) – Data is used for providing services and collaboration with the company. Data is retained for the duration of the contract and includes:
    1. Identification data (name, surname, username).
    2. Contact details (email, phone number).
    3. Password.
    4. Demographic data (gender, birth year or age, country of residence, employment status, marital status, education level).
    5. First evaluation data (questions about sleep, nutrition, mood, and description of the request).
    6. Ratings & comments about sessions and therapists.
    7. Financial data (invoices and payments).
    8. Booking system data (session dates, cancellations, communication with therapists outside of therapy sessions).
    9. Employer information (such as business name, VAT number, tax office, company address, phone/email of business contact – if the service is provided to the user/recipient while the employer covers the cost of these services).
  • Legal Compliance (GDPR Article 6(1)(c)) – Compliance with legal and tax obligations, with data retained for the legally required period. The following data is processed:
    1. Financial data (payments, invoices).
    2. Other relevant data for legal compliance (such as name, surname, VAT number, home or business address (for legal entities), contact details (phone, email), transaction details (payment date and amount, detailed invoice information), bank account information (for payment and tax reporting purposes), labor law-related information (e.g., employee insurance data if employer-provided benefits exist)).
  • Legitimate Interest (GDPR Article 6(1)(f)) – Processing for exercising or defending legal claims within the statute of limitations. This includes:
    1. Contact details.
    2. Booking system data.
    3. Financial data.
  • Service Improvement – Data is retained as long as the account is active. The following data is processed:
    1. Contact details.
    2. First evaluation data (questions about sleep, nutrition, mood, and description of the request).
    3. Ratings & comments.
  • Direct Marketing – Informational emails are sent for 3 years after the last session or until unsubscribed. The following data is processed:
    1. Contact details (email address, postal address, landline, and mobile phone numbers).

If you no longer wish to receive our newsletters, you have the right to unsubscribe at any time by sending a request via email to info@myndfultalk.com or using the unsubscribe link included in every newsletter. Your email address will be immediately deleted from our database.

It is important to note that if your personal data is stored in other databases (e.g., as a user of our platform), we may continue processing it for other legitimate purposes, such as fulfilling legal obligations or managing the services we provide. The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Specialist/Partner

The Company processes the personal data of Specialists/Partners for specific purposes, in accordance with the applicable legal framework:

  • Contract Formation and Execution (GDPR Article 6(1)) – Data is used for providing services and collaboration with the company. Data is retained for the duration of the contract and includes:
    • Contact details (name, surname, phone number, email).
    • Billing information and banking data (invoice details such as VAT number, tax office, business address, payments, payment method).
    • Booking system data (session dates, cancellations, communication with clients, excluding session content).
    • Other contract-related and communication information. In this case, you are not obliged to provide us with your data, however, if you do not do so, we may not be able to process your request.
  • Legal Compliance (GDPR Article 6(1)) – Compliance with tax and accounting obligations, with data retained for the legally required period (e.g., 5 or 10 years for tax records). The following data is processed:
    • Contact details.
    • Billing information and banking data.
    • Other relevant data for legal compliance.
  • Legitimate/legal Interest (GDPR Article 6(1)) – Processing for exercising or defending legal claims within the statute of limitations. This includes:
    • Contact details.
    • Billing information and banking data.
    • Booking system data.
  • Direct Marketing – The Company may send informational newsletters for up to 3 years after the last session, or until the partner/specialist expresses objection. For the purpose of direct marketing, the Company may collect additional information to create a profile of the Specialist/Partner, which may include:
    • Contact and identification details.
    • Degrees, postgraduate studies, licenses, specializations.
    • A photo of the partner/specialist for identification or promotional purposes.

• (Article 9, paragraph 2 (h) of the GDPR) Purposes of preventive or occupational medicine, medical diagnosis, provision of healthcare or social care, or treatment, or management of healthcare and social systems and services, in case such services are provided by a company partner/specialist.

• (Article 9, paragraph 2 (i) of the GDPR) Public interest in the field of public health, such as the protection against serious cross-border health threats or ensuring high standards of quality and safety in healthcare and medicines or medical devices, in the event that such an issue arises and medical services are provided by specialized partners of the company.

• (Article 9, paragraph 2 (f) of the GDPR) Establishment, exercise, or defense of legal claims.

Purposes of Use and Collection of Personal Data

The Company collects personal data from users only when voluntarily provided, for the purpose of using the platform and its services. Specifically, the personal data collected includes:

  • Username for facilitating communication.
  • E-mail address for creating and maintaining a personal user account.
  • Password for accessing the user account.
  • In case of login via third-party providers (e.g., Facebook, Google, Apple), the declared username, user image, and email address are collected.
  • IP address, device type, and location, if explicit consent is given.
  • For customers, name, surname, and address are collected for the issuance of receipts (service invoices).
  • Remarketing techniques may be used through Google Ads and Facebook Ads, for which location data is collected.
  • For psychologists, contact details, TIN number, a copy of the professional license, CV, and other related data are collected for communication and collaboration with the Company.

The Company collects, stores, and processes only the minimum and absolutely necessary personal data, for the purpose of fulfilling the following objectives:

  • Registration on the platform and provision of services.
  • Billing for the provided services.
  • Customer support (e.g., telephone or online support).
  • Ensuring the security of services.
  • Statistical analysis.
  • Improvement of the provided services and the platform through your activities, interests, and needs.
  • Promotion of services (e.g., sending informational emails/SMS).
  • Informing users on mental health issues.
  • Defending the legal interests of the Company and complying with national or/and European legislation.
  • For the purposes of delivery of medical tests or information from your medical record to third parties in the case of providing medical services or for medical research purposes by partners of the company.
  • For communication purposes during the pre-contractual process or during the execution of the contract.
  • For the potential judicial pursuit of our claims.
  • For informing other bodies about disease monitoring by a medical partner, where required based on medical data and to the extent that it is absolutely necessary.
  • For fulfilling our obligations according to applicable legislation towards public authorities and bodies (supervisory, independent, police, judicial).
  • For the proper provision of healthcare services where required and to the absolutely necessary extent for you and/or a third party.
  • For the development and improvement of the services we provide and our platform, based on your activities, interests, and needs.
  • For managing your complaints.
  • For the protection and security of IT systems.

The Company does not store payment data. All payment-related data is stored and processed by Stripe, in accordance with its data protection policy (https://www.stripe.com/en-gr/privacy).

Providing personal data is necessary for the proper provision of services, and failure to provide such data may prevent the provision of those

Management and Transfer of Personal Data

The Specialist/Partner responsible for assisting the user gains access to their personal data and is responsible for processing the data communicated during sessions. The Specialist/Partner is solely required to maintain a record of each session using the software provided by the Company and must be the authorized user with access to such information. The storage, management, and processing of the data should be done with care and with the purpose of maintaining the user’s/service user’s history.

The recipients of the personal data are the Company and the Specialists/Partners with whom the user is connected. In the case of visitors or Specialists/Partners, the recipient of the data is only the Company.

The Company does not transfer users’ personal data to third parties, except to its employees and partners who are responsible for providing their services, provided that the processing of the data is carried out in accordance with the provisions of the personal data protection legislation, ensuring that no illegal processing occurs. All third-party providers, such as payment service providers, telecommunication service providers, and infrastructure providers, are committed to using the data only for the purpose for which it was provided and ensuring its lawful processing in accordance with the applicable Greek and European legislation. All processors acting on behalf of the company are contractually bound by the corresponding guarantees in order to ensure the security, integrity, and confidentiality of your personal data. Your data may also be transferred to any competent supervisory, public, or judicial authority, if required by the applicable legal framework or a court decision.

We do not disclose your personal data to third parties outside the European Union in countries where there is no adequate data protection regime. However, if such a data transfer is necessary, we will take all possible measures to ensure that your data is processed securely.

Users’ data may be transferred to advertising platforms (e.g., Google, Facebook) for statistical analysis.

The Company does not share, transfer, or disclose personal data to third parties without the explicit consent of the users, except in cases provided by law or in the event of legal obligations, such as search warrants or court subpoenas, prosecutorial orders, orders from independent or other authorities, etc.

Transfer/Disclosure of Data to Third Parties

The processing of personal data by the Company extends to collaborations with third-party providers who offer supporting services in various fields, such as IT, cloud storage, website hosting, and communication management. Each partnership involves the transfer and processing of personal data, provided that these partners comply with the rules of the General Data Protection Regulation (GDPR). Below are the specific entities and their services:

  1. Accountant: The Company’s accountant manages personal data related to tax obligations and legal procedures, ensuring compliance with tax and accounting requirements.
  2. Public Authorities: Data transfer to public authorities for tax compliance or legal proceedings occurs in accordance with the country’s regulations and legal framework.
  3. Video Conferencing and Collaboration Platforms:
    • Microsoft Teams and Zoom: These platforms are used for conducting meetings and communications. These platforms may process personal data (e.g., participant details, dates, and times of meetings), although the Company ensures that data is used only for the purposes of collaboration.
  4. Payment Platforms:
    • Stripe, Inc.: Stripe processes users’ payment data to handle payments. However, the Company does not have access to payment information such as credit/debit card numbers. Only information regarding the status of payments (e.g., whether the payment was completed or rejected) is transferred.
  5. Data Processing Tools via Cookies and Social Network Logins (Google & Meta):
    • Google Ireland Ltd: Google provides the ability to log in to the website through a Google account. Google also processes cookies from the website and personal data related to their use. The Company works with Google to process this data to improve user experience and website functionality.
    • Meta Platforms Inc. (Facebook): Meta processes data for user logins via the Facebook social network and cookie processing. The Company uses Meta to manage personal data related to Facebook login and analyze website usage.
  6. Marketing and Newsletter Tools:
    • Mailchimp and SendPulse Inc.: These services are used to send newsletters and other communications, processing personal data related to email dispatch.
  7. Cloud Services and Website Hosting:
    • Siteground Inc.: Provides website hosting and cloud storage services, managing the data of users visiting the website or using the Company’s services.

In cases where a user utilizes the Company’s services via their employer, the personal data is not transferred to the employer. Only aggregate data regarding the total number of sessions and their nominal value is shared. Personal data is transferred or disclosed to third parties only when required by legal obligations or necessary to fulfill the provided services, with compliance to the relevant guarantees of the applicable legislative framework.

Measures for the Protection and Security of Personal Data

MyndfulTalk is committed to protecting users’ personal data and ensuring its secure processing in compliance with the applicable national and European data protection laws (GDPR). This protection is achieved through a series of organizational and technical measures:

  1. Restricted – authorised Access: Access to personal data is limited to authorized personnel within the Company, who gain access through secure passwords and personal identities (IDs). Access is strictly defined based on each user’s role and responsibilities. For example, customer support staff have access only to the information necessary to handle user requests, without access to other data.
  2. Secure Connections and Encryption: All communications involving personal data are protected through encrypted connections (SSL/TLS protocol), ensuring the prevention of data interception during transmission. Additionally, the data stored on servers is encrypted to ensure its protection, even in the event of a security breach.
  3. Monitoring and Detection of Illegal Activities: Access monitoring systems are used, which log every action of accessing or modifying data. This monitoring helps in the immediate detection and alerting of any attempts at unauthorized access. Specifically, intrusion detection systems (IDS) are used to record and monitor any suspicious activities.
  4. Breach Incident Handling: Procedures have been established for the timely detection and resolution of any personal data security breaches. In the event of a breach, a security team is activated to assess the situation, isolate systems, and notify the relevant authorities in accordance with GDPR requirements. If a breach is confirmed, affected individuals are informed within 72 hours of detecting the incident.
  5. Staff Training and Awareness: Company personnel, regardless of the type of collaboration with the company (e.g., dependent or independent form of service provision according to the provisions of Greek Labor law) are regularly trained on personal data protection and the recognition of potential security risks. Training is also provided on the implementation of internal security procedures and understanding the importance of data protection.

User Rights According to Regulation (EU) 2016/679

According to Regulation (EU) 2016/679, users have the following rights regarding their personal data:

  1. Right of Access: The right to be informed about the personal data processed by the Company, the purpose of the processing, and the recipients.
  2. Right to Rectification: The right to request the correction of inaccurate or incomplete data.
  3. Right to Erasure: The right to request the deletion of their data under specific conditions.
  4. Right to Restriction of Processing: The right to request the restriction of the processing of their data.
  5. Right to Data Portability to you or third parties: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, as well as to transmit it, under legal conditions, to another data controller, provided that this does not adversely affect the rights and freedoms of others (only for automated processing of information you provided to us with your consent or for the performance of our mutual contract).
  6. Right to Object: The right to object to the processing of their data. The company may, in exceptional cases, refuse to fulfill this right of yours, provided it demonstrates compelling and lawful reasons for processing that outweigh your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
  7. Right to Withdraw Consent: The right to withdraw their consent for the use of their data at any time, without affecting the lawfulness of the processing until the withdrawal.
  8. Right to Lodge a Complaint: The right to file a complaint with the Data Protection Authority (www.dpa.gr – postal address: Kifisias 1-3, P.C. 115 23, Athens, phone: 2106475600, email address: contact@dpa.gr) if they believe that the processing of their data violates data protection laws.

To exercise the above rights, users can contact the Company, which will make every effort to respond within 30 days of receiving the request. If the request is not satisfied, the Company will inform the user of the reasons for the rejection, or when the request requires more processing time due to its complexity.

The Company reserves the right to process data where there is a legal basis for the processing or where the withdrawal of consent is limited for specific processing activities, as provided by the law.

Data Protection of Personal Information

The Company applies appropriate technical and organizational measures to ensure compliance with the General Data Protection Regulation (GDPR), taking into account the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of data subjects. The security policy in place aims to protect personal data from accidental or unlawful destruction, loss, alteration, or unauthorized access.

The Company has adopted policies for the protection of information systems and the effective management of personal data breach incidents to ensure the integrity and confidentiality of data. The data you provide to us is protected with appropriate information security techniques to ensure both secure transmission over the internet and secure storage in Information Systems. We require all third parties that may process your personal data to have the appropriate technical and operational security measures in place to protect your personal data, in accordance with the laws of Greece and the EU for data protection.

Protection of personal data also requires the training and awareness of human resources regarding data protection issues. Therefore, training programs are implemented according to the Fair Information Practices (FIP) to ensure a proper understanding of the key concepts of personal data protection.

The Company ensures confidentiality of sessions and data security through the following measures:

  1. High Standards for Partners: Professionalism and the safeguarding of users’ personal data are established in collaboration agreements with partners.
  2. System Security: Organizational and technical measures are implemented for the security of booking systems and video conferencing, such as identity verification, anonymization, limited and authorized access, and server security.
  3. Data Minimization: Personal data processed is limited to the minimum necessary, and access to this data is granted only to authorized individuals.
  4. Confidentiality: The confidentiality of data is ensured by all individuals who have access to the Company’s systems.

The Company is committed to implementing all necessary measures to protect personal data and enhance user trust, adhering to legal and regulatory requirements for the security of personal data.

Exercise of Personal Data Protection Rights

The Company is available to resolve any complaints or requests regarding your personal data as quickly as possible.

To exercise your rights or submit requests or complaints, you can contact the Company via the email address info@myndfultalk.com or through the website’s live chat at https://myndfultalk.com/.

Information on Data Processing on Social Media Platforms

MyndfulTalk has accounts on the following social media platforms:

MyndfulTalk processes personal data through these platforms for purposes of updating and communicating with users.

The pages https://www.facebook.com/MyndfulTalkGR/ and https://www.instagram.com/myndfultalk/ are created by MyndfulTalk, which acts as the data controller. If you have any questions regarding the processing of your data, you can contact us at info@myndfultalk.com.

MyndfulTalk processes personal data via social networks (Facebook, Instagram) for purposes of updating users on the company’s activities and services, as well as for communication with users.

When you perform actions such as “like” or “follow,” you agree to the processing of your name and possibly your photo. You can withdraw your consent by performing the opposite actions (unlike, unfollow).

MyndfulTalk is not responsible for the collection and processing of your personal data by social networks, nor for any additional actions that these platforms may take. We recommend referring to the Privacy Policies of these platforms for more information.

MyndfulTalk processes personal data through social media for the following purposes:

  • Informing users about the company’s activities.
  • Providing additional communication channels with the public.

The content we post on these pages mainly concerns our activities, photos, and videos. When posts contain personal data, we ensure that these are processed lawfully. If you believe that the content posted violates your rights or the rights of third parties, please contact us directly to address the issue.

The processing of data on this page is based on your consent. Specifically, when interacting with our page, e.g., by clicking “like” or “follow,” you consent to the processing of your name and possibly your profile photo, if you have chosen to make these public on your profile. This consent remains valid for as long as you follow or interact with the page. If you wish to withdraw your consent, you can do so by clicking “unfollow” or “unlike.”

If you simply browse our page without interacting, we do not process your data. However, it is important to note that Meta Platforms, Inc. may process your data as mentioned below.

When interacting with our page, we may collect personal data such as your name, profile photo, and comments or messages you post. Additionally, our page collects anonymous statistical data to monitor traffic.

Meta Platforms, Inc. may process other data about you (e.g., IP address, visit history), which we cannot control or influence. For more information, please refer to the Terms of Use and Privacy Policy of Meta Platforms, Inc.

The collection and processing of data occurs when you interact with our page, such as by liking or following. Additionally, Meta Platforms, Inc. may collect other data through cookies and other tracking technologies, which we cannot control. To learn more, please consult the Terms of Use and Privacy Policy of Meta Platforms, Inc.

Your data is stored in accordance with the Terms of Use and Privacy Policy of Meta Platforms, Inc. We retain your data for as long as necessary for the purposes of processing. Every 3 years, we review the data we have processed and delete it when necessary.

You have the right to comment on our posts. However, please avoid publishing third-party data. If we notice a violation of the rules, such as illegal or unethical content, we will delete the comment without warning.

You have the right to access, correct, withdraw your consent, delete, restrict processing, or request portability of your data. If you believe that the processing of your data violates data protection laws, you have the right to file a complaint with the Data Protection Authority.

The personnel managing our page are committed to adhering to the necessary security and confidentiality practices during data processing. However, we cannot guarantee how Meta Platforms, Inc. processes and safeguards the data on its platform. For further information, please refer to Meta Platforms, Inc.’s Terms of Use and Privacy Policy.

The data collected through our page may be transferred to countries outside the EU, such as the U.S., and other countries. After the cancellation of the “Privacy Shield” by the EU Court, Meta Platforms, Inc. uses standard contractual clauses for data transfers, which are approved by the European Commission. For more information, refer to Meta Platforms, Inc.’s Privacy Policy and the European Commission’s website.

Before taking any action on our page, we recommend you carefully review the Terms of Use and Privacy Policy of the social network you are using. If you upload personal data or photos of third parties, you bear full responsibility for the processing of that data. We encourage you to consider the potential risks involved in disclosing personal data through social networks.

Telemedicine Applications and Services

The company’s telemedicine applications are equipped with the necessary functionalities for remote monitoring and support of patients, ensuring the security, protection, integrity, and confidentiality of the data, as well as any other matters that concern their smooth operation. The telemedicine applications are compatible with European security protocols and standards and comply with the requirements of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and the relevant national legislation, as applicable, as well as the network and information systems protection measures.

The processing of personal data by the medical partners of the company through the telemedicine applications, as the data controllers, is based on point (b) of paragraph 1 of Article 6 of the GDPR (“(b) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract”).

The processing of personal data of patients by the company and any doctor providing telemedicine services, under the meaning of this policy, as separate data controllers, is based on point (b) of paragraph 1 of Article 6 of the GDPR (“(b) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract”), while at the same time, for each doctor providing telemedicine services under this policy, point (h) of paragraph 2 of Article 9 of the GDPR applies for the exceptional legitimate processing of health data (“(h) processing is necessary for purposes of preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, provision of health or social care or treatment or the management of health and social systems and services based on Union law or the law of a Member State or pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in paragraph 3”).

Both the company, as the holder of the telemedicine applications, and each doctor providing telemedicine services under this policy, as distinct data controllers, comply with the provisions of EU and national legislation on personal data protection, particularly those of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), and carry out the necessary data protection impact assessment as required by Article 35 of the GDPR.

Users/patients/clients, as data subjects, have the rights granted to them by the GDPR and any other regulations for the protection of personal data concerning their personal data that has been collected and processed by the telemedicine application holder as the data controller.

Users/patients/clients, as data subjects, also have the rights granted to them by the GDPR and any other regulations for the protection of personal data that are maintained in medical records and processed by any doctor providing telemedicine services under this policy as the data controller.

Recipients of the personal data collected and processed by the telemedicine application holder as the data controller are the data subjects themselves, the relevant services of the Ministry of Health, and supervised bodies of the Ministry of Health for the exercise of their statutory duties, as well as collaborating doctors for the purpose of providing telemedicine services to patients under this policy. The services of the Ministry of Health and supervised bodies of the Ministry of Health, or possibly other public bodies or international organizations within their jurisdiction, may receive pseudonymized or anonymized information from the telemedicine application holders, as data controllers, where no direct or indirect identification of the concerned data subjects can be derived, for purposes that make such processing (transfer) necessary for substantial public interest reasons. Information from the archive systems maintained by the telemedicine application holders, as data controllers, may be provided for archival purposes for the public interest or for scientific or historical research or statistical purposes under the terms and conditions of paragraph 1 of Article 89 of the GDPR and relevant national regulations, particularly ensuring anonymization or pseudonymization.

Recipients of the personal data collected and processed by any doctor providing telemedicine services under this policy, as a data controller, include the data subjects themselves, the relevant services of the Ministry of Health, and supervised bodies of the Ministry of Health for the exercise of their statutory duties. The services of the Ministry of Health and supervised bodies of the Ministry of Health, or possibly other public bodies or international organizations, according to their jurisdiction, may receive pseudonymized or anonymized information from the telemedicine application holders as data controllers, where no direct or indirect identification of the concerned data subjects can be derived, for purposes that make such processing (transfer) necessary for substantial public interest reasons. Information from medical records maintained by doctors providing telemedicine services under this policy, as data controllers, may be provided for archival purposes for the public interest or for scientific or historical research or statistical purposes under the terms and conditions of paragraph 1 of Article 89 of the GDPR and relevant national regulations, particularly ensuring anonymization or pseudonymization.

Public authorities that may request information from either the telemedicine application holders or doctors providing telemedicine services under this policy as data controllers, as part of a specific investigation for the fulfillment of their primary mission according to Union law or national regulations, are not considered recipients. The processing of such data by these public authorities is carried out in accordance with the applicable data protection provisions, depending on the purposes of the processing.

Special Categories of Data

The company, in the event that a medical service is provided by one of its partners, may retain and process special categories of data, such as medical history, medical tests, medical procedures presented by the patient or another natural or legal person acting as the patient’s legal representative, based on the provision of preventive or occupational medicine services, medical diagnosis, and the protection of your vital interests.

The company’s personnel collect, record, and process your personal data and data related to your health condition, as derived from obtaining your medical history, during your collaboration with the company’s medical partners, from your requests, the performance of medical procedures, as well as from the results of diagnostic and clinical examinations presented within the scope of your treatment as a patient (if you are utilizing medical services through the company’s partners). This is done to provide medical, psychiatric, or psychological services to you, while taking all appropriate and necessary measures to ensure the confidentiality of this information.

The health data you provide to us (or your legal representatives, who must also be aware of this policy) and which are processed by the company’s medical partners are also covered by the confidentiality provisions of the Code of Medical Ethics and the Nursing Code, where applicable, as well as the legislative framework for the provision of medical services in general.

Changes to the Personal Data Protection Policy

MyndfulTalk reserves the right to modify, update, amend, or enhance this Personal Data Protection Policy, in whole or in part, at its sole discretion, at any time. Any modification to this policy will come into effect upon the publication of the new version across all of MyndfulTalk’s platforms and applications.

In the event of any changes, MyndfulTalk will notify users through at least one means, such as sending an informational email, a mobile app notification, a website alert, or any other method deemed appropriate.

Continued use of MyndfulTalk’s services by the user after such updates will be considered as acceptance of the modifications to the Policy.

For any questions or clarifications, please contact us at info@myndfultalk.com.
