Rules and Conditions for Processing Patient Personal Data

Last Update: 18/11/2025

This document informs you about the rules and conditions under which LLC "Medical Center Cito" (ID: 204888461, hereinafter referred to as “Cito”) processes patients’ personal data as part of providing medical/ambulatory services.


1. Purposes of Data Processing

"Cito" processes patient personal data for the following purposes:

  • Providing medical/ambulatory services;
  • Monitoring delivered services;
  • Fulfilling obligations under the service contract between the patient and "Cito";
  • Complying with legal obligations under Georgian law;
  • Providing various information to the patient;
  • Other actions necessary to provide the patient with appropriate services.

2. Legal Grounds for Data Processing

"Cito" processes the patient’s personal data on the basis of:

  • The service contract between the patient and "Cito";
  • The patient’s consent;
  • The requirements of Georgian law.

3. Data Retention Periods

"Cito" processes patient data for the duration necessary to achieve the purposes of processing, including:

  • The period for fulfilling obligations under the service contract with the patient;
  • The validity of the patient’s consent;
  • The time required to comply with legal obligations.

Processing durations for certain data may vary. For more information, please contact the representative listed at the end of these rules and conditions.

Retention periods for medical documentation:

Document Type | Retention Period
Medical records in physical form (medical card) | 5 years (from last visit)
Digital medical information records | 25 years

4. Location of Data Processing

"Cito" processes patient data within the territory of Georgia and the European Union; the "Cito" website and registration platform are hosted in Germany.

Germany is a jurisdiction included in the list of countries ensuring adequate guarantees for personal data protection (as determined by Order No. 23 of the Head of the Personal Data Protection Service).

If data is transferred outside Georgia to a jurisdiction not included in the so-called "White List" under Georgian law, “Cito” ensures adequate data protection guarantees.


5. Disclosure/Sharing of Data with Third Parties

Apart from “Cito” medical professionals (who manage the ambulatory service on the territory of “Cito” laboratories or remotely; for example, such communication takes place for the purpose of supervision after a consultation with a “Cito Baby” service recipient), patient data processed by “Cito” may be shared with or transferred to third parties, including but not limited to:

  • Administrative bodies of Georgia;
  • Courts and investigative bodies;
  • Insurance organizations;
  • Medical laboratories;
  • And/or other third parties selected by the Company for the purposes of the contractual relationship.

Data is provided only if this is required/allowed by law and/or is necessary to deliver proper services to the patient.


6. Uploading Data to the eHr Portal

During each visit, patients will specify whether they want their data uploaded to the Ministry of Health’s electronic portal (eHr) as visible or hidden.

This is a legal requirement and will be verbally confirmed with the patient.


7. Biological Material Brought by a Third Party

If a biological/genetic sample is delivered to "Cito" by a third party, "Cito" will not be responsible for the authenticity or suitability of the sample.


8. Sharing Results with Third Party/Parties

Sending Results Electronically to a Third Party

If a patient requests the transfer of test results or any other information outside of "Cito’s" infrastructure (e.g., to another medical professional), "Cito" will not be responsible for the security of such data.

Physical Collection of Results by a Third Party

For each service, the patient must decide whether to designate a third party to receive results or to change such designation. This must be done during each service request.


9. Data Security

"Cito" ensures data security through technical and organizational measures.


10. Patient Responsibility

The patient is responsible for the validity of the contact information they provide.


11. Data Deletion/Destruction

Once the purposes of data processing are achieved or the processing period expires, the data will be deleted or stored in a depersonalized form (except in cases specified by Georgian law).

In certain cases, even if the patient withdraws consent or the service contract ends, Georgian law may require "Cito" to continue processing the patient’s data.


12. Patient Rights

Patients have the right to:

  • Receive information about the personal data processed about them;

  • Request correction, updating, completion, blocking or deletion of their personal data;

  • Withdraw previously given consent (noting that "Cito" may still be legally required to process data despite consent withdrawal);

  • Lodge a formal complaint if they believe their data protection rights have been violated by "Cito". Complaints should be directed to "Cito’s" Data Protection Officer, Mari Jamagidze:

    • In writing: at the legal address – 40 Zakaria Paliashvili St., 0179 Tbilisi, Georgia
    • In writing: at any "Cito" branch
    • By e-mail: to the Data Protection Officer’s e-mail address – pdpo@cito.ge
    • By phone: at the officer’s contact number (+995) 551 173 939

Working hours: Monday - Friday, 09:00 - 18:00

Please include the following in your statement:

  • Full name;
  • Contact information (phone, e-mail);
  • Reason for the statement;
  • Clearly defined content of the request.