The privacy policy (hereinafter: Policy) of the Special Hospital for Orthopedics and Rehabilitation "Martin Horvat" Rovinj-Rovigno (hereinafter: Hospital Rovinj) explains the way of processing personal data of respondents in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (hereinafter: General Data Protection Regulation).
This Policy determines the basic principles by which Hospital Rovinj processes personal data of patients, workers, suppliers, business associates and others, and establishes basic roles and responsibilities when processing personal data.
With this Policy, Rovinj Hospital creates a unique and high level of protection of the personal data it processes.
Defining and understanding key terms
For the purpose of a better understanding of terms that will be present in numerous provisions of the Policy, the following definitions are given below:
- Personal data - all data relating to an individual whose identity is determined or can be determined directly or indirectly, i.e. with the help of identifiers such as name, identification number, location data, network identifier or with the help of one or more factors characteristic of the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
- Processing and storage of personal data - any procedure or set of procedures performed on personal data or on sets of personal data, either by automated or non-automated means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, inspection, use, disclosure by transmission, by disseminating or otherwise making available, matching or combining, limiting, erasing or destroying personal data.
- Respondent (data subject) - a natural person whose personal data Rovinj Hospital collects, i.e. a person who has submitted said data to Rovinj Hospital or whose personal data has been submitted to Rovinj Hospital for reasons provided for by law (patients, workers, associates, etc.).
- Recipient of personal data – natural or legal person, public authority, agency or other body to which personal data is disclosed for certain reasons.
- Processing manager – Rovinj Hospital, which independently or together with another data controller, determines the purposes and means of personal data processing.
- Processor – natural or legal person, public authority, agency or other body that processes personal data on behalf of Rovinj Hospital.
Manager of personal data processing
The manager of personal data processing is responsible for the processing of personal data.
Data Protection Officer
Rovinj Hospital ensures that the data protection officer is appropriately and timely involved in all matters regarding the protection of personal data.
Data subjects may contact the data protection officer regarding all matters related to the processing of their personal data and the exercise of their rights under the General Data Protection Regulation.
The personal data protection officer of Rovinj Hospital is:
Luana Božac
Contact details of the Data Protection Officer
Name and surname: Luana Božac
Address and place of work: Luigi Monti 2, 52210 Rovinj
Phone number: 052 537 109
E-mail address: luana.bozac@bolnica-rovinj.hr
Repository of protection documents
Basic principles of personal data processing
In implementing the Policy, Hospital Rovinj follows the following basic principles of personal data processing:
- Lawful, fair and transparent processing – personal data in Rovinj Hospital is processed in a legal, fair and transparent manner in relation to the respondent.
- Limitation of purpose - personal data were collected in accordance with legal obligations and legitimate interests of Rovinj Hospital, and may not be processed in any way that is not in accordance with these purposes.
- Minimum amount of data – personal data are adequate and limited to what is necessary to fulfill the purpose of the processing. When defining the purpose of processing, Rovinj Hospital applies anonymization and pseudonymization of personal data where possible, in order to reduce the risk for the respondent.
- Accuracy - personal information is accurate and updated as necessary. If during the processing some incorrect data appears, Rovinj Hospital takes measures to delete or correct this data without delay.
- Storage time limitation – personal data must be kept only as long as necessary for the purposes for which they are processed.
- Inviolability and confidentiality - Rovinj Hospital has implemented appropriate technical and organizational measures in order to process personal data in a way that provides security of personal data and, among other things, protection against accidental or illegal destruction, loss, alteration, unauthorized disclosure or access.
- Reliability – Rovinj Hospital is always able to prove that personal data is processed in accordance with regulations.
Application of the Policy
The Policy applies to every collection and processing of personal data of natural persons, regardless of the stage, i.e. whether initial preparations are being made or the procedure is already underway.
Personal data exempted from the application of this Policy are:
- data on legal entities (e.g. trading companies, associations, public bodies),
- data on deceased persons, and
- data on the basis of which identification of a natural person is not possible, neither independently nor by bringing it into connection with some other data (e.g. anonymization, pseudonymization, etc.).
This Policy is the basic act of the Rovinj Hospital applicable to all personal data processing activities performed by the Rovinj Hospital, which in particular include:
- processing of personal data of patients that are necessary for their treatment,
- processing personal data of workers when concluding, executing and processing employment contracts and for contacting potential workers in selection procedures before making a decision on employment,
- processing of personal data of natural persons engaged by Rovinj Hospital on the basis of work contracts, copyright contracts and similar contracts,
- processing of personal data of students who perform professional practice at the Rovinj Hospital,
- processing of personal data of employees' family members in the part that is necessary for the implementation of legal obligations or the realization of a right according to the applicable regulations (e.g. the realization of the right to tax relief, paid leave, assistance for the birth of a child, the right to a special gift for a child, etc.),
- processing of personal data related to the conclusion, implementation and processing of another type of contract, the subject of which is the provision of some of the services that are part of the registered activities of Rovinj Hospital,
- all other personal data processing activities that Rovinj Hospital performs or may perform in the future either on an occasional or continuous basis.
Purpose of data collection and processing
Hospital Rovinj processes personal data for the following purposes:
- Execution of contracts or taking actions at the request of the respondent before concluding a contract, as well as for the purpose of fulfilling legal obligations in terms of providing health care - personal data is processed for the purpose of treating patients and regulating the rights and obligations of workers from employment and relations with suppliers and partners in accordance with valid positive legal regulations (e.g. Health Care Act, Labor Act, Occupational Safety Act, Obligatory Relations Act, Accounting Act, Patient Protection Act, Act on the Protection of Persons with Mental Disabilities, etc.) and internal acts of the Rovinj Hospital for the purpose of execution of a contract in which the respondent is a party and for the purpose of fulfilling the legitimate interests of the Rovinj Hospital and tasks that are carried out in the public interest.
- Debt collection - if the respondent does not fulfill the obligation, Rovinj Hospital can forward the appropriate personal data and use the services of debt collection agents.
- Technical and other protection of the Rovinj Hospital - on the basis of legitimate interests, personal data is processed for the purpose of court cases, ensuring IT security, video surveillance for the protection of respondents and implementing measures to protect the business premises of the Rovinj Hospital.
- Establishing contact and communication with the respondent - the personal data of the respondent is collected for the purpose of establishing contacts in order to achieve contractual relations or health care.
Access to personal data
Within the Rovinj Hospital, only persons authorized to process personal data of respondents have access to personal data according to positive regulations.
Outside the Rovinj Hospital, the personal data of the respondents is shared only in cases where the Rovinj Hospital is obliged to share personal data according to positive regulations. Examples of such sharing are cases when the Rovinj Hospital submits personal data to public bodies and institutions, e.g. the Ministry of Health, the Ministry of Finance, the Tax Administration, the State Attorney's Office of the Republic of Croatia, the courts, the Financial Agency, etc.
Protective measures
The Rovinj Hospital implements appropriate technical and organizational measures for the purpose of protecting personal data, such as IT measures that include the use of user names and passwords for accessing computers and programs, physical archiving of data, application of the principle of reducing the amount of data, physically preventing access to personal data (e.g. storage of personal data in locked rooms to which only authorized employees of Rovinj Hospital have access), etc.
Employees of the Rovinj Hospital who process personal data are regularly educated on the protection of personal data and apply all technical and organizational measures necessary for the protection of personal data.
All employees of Rovinj Hospital sign a statement on confidentiality of personal data.
Period of storage of personal data
Personal data is stored in accordance with the terms prescribed in the Special list of materials with storage terms. After the expiration of the terms from the Special list of materials with storage terms, personal data is deleted in a technically acceptable manner that prevents further data recovery.
Rights of respondents
Rights of Respondents, method of exercising rights, period of storage of submitted requests or objections
- The right to access your personal data: The respondent has the right to receive confirmation as to whether personal data relating to him/her are being processed and, if such personal data are being processed, access to personal data and the following information: on the purpose of processing, type/category of processed personal data, including insight into his/her own data, on recipients or recipient categories and the expected storage period.
- Right to rectification: The respondent has the right to request the correction or addition of his personal data if the data is not accurate, complete and up-to-date.
- Right to erasure (right to be forgotten): The respondent has the right to request the deletion of his personal data if one of the following conditions is met:
  - the Respondent's personal data are no longer necessary in relation to the purpose for which they were collected or processed;
  - the Respondent has withdrawn the consent on which the processing is based and there is no other legal basis for the processing;
  - the Respondent has objected to the processing of his personal data, and the data controller has no stronger legitimate reasons for the processing;
  - the Respondent's personal data was illegally processed;
  - the Respondent's personal data must be deleted in order to comply with the legal obligation under the law of the Union or the law of the country to which the controller is subject;
  - the Respondent's personal data was collected in connection with the offer of information society services.

  The Respondent's personal data will not be deleted where the processing is necessary:
  - in order to exercise the right to freedom of expression and information;
  - in order to comply with a legal obligation requiring processing under Union law or the law of a Member State to which the controller is subject, or for the performance of a task in the public interest or in the exercise of the controller's official authority;
  - due to public interest in the field of public health in accordance with Art. 9, paragraph 2, points (h) and (i) of the Regulation as well as Art. 9, paragraph 3 of the Regulation;
  - for the purposes of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes in accordance with Article 89 paragraph 1 of the Regulation to the extent that it is likely that the right from paragraph 1 may prevent or seriously threaten the achievement of the goals of that processing;
  - in order to establish, realize or defend legal claims.
- Right to restriction of processing: The respondent has the right to obtain a limitation of processing if he disputes the accuracy of the data, if the processing is illegal and he opposes the deletion of the data, if the data must be kept in order to fulfill or defend his legal claims, or if he has filed an objection to the processing of his personal data.
- Right to data portability: The respondent has the right to receive his personal data, which he previously provided to the data controller, in a structured, commonly used and machine-readable format, and has the right to transfer this data to another data controller without interference from the data controller to whom the personal data was provided, if the processing is carried out in an automated way and is based on consent or contract.
- Right to object: The respondent has the right to object to the processing of personal data relating to him at any time based on his particular situation:
  - when the legality of the processing is based on the execution of tasks of public interest or in the exercise of the official authority of the data controller, that is, when the processing is based on the legitimate interest of the data controller or a third party, including the creation of a profile based on the stated legalities of processing. The data controller may no longer process personal data unless the data controller proves that there are compelling legitimate reasons for the processing that go beyond the interests, rights and freedoms of the Data Subject or to establish, exercise or defend legal claims.
  - when the Respondent's personal data is processed for the purposes of direct marketing, which includes the creation of a profile to the extent related to such direct marketing. In this case, personal data may no longer be processed for such purposes.
- Automated decisions: The respondent has the right to oppose the making of automated individual decisions, including the creation of a profile, i.e. the Respondent has the right not to be subject to a decision based solely on automated processing, including the creation of a profile without any human intervention.