GDPR

The entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), represents an important step forward in the field of personal data protection. The Polyclinic MEDICAL BODY BALANCE (hereinafter referred to as "the Polyclinic"), as the Controller of the personal data collection, informs you that your personal data is being collected and will be processed.

You are free to contact us via the contact form and request the removal of your personal data from our database. We are obliged to do so within 15 days of receiving the request: remove all your personal data from our database and notify you when the process is completed. Please note that any personal information you leave or send on the pages of the Polyclinic is provided solely voluntarily by you as an individual who has accessed these pages, without any form of coercion.

The Polyclinic Medical Body Balance must protect its intellectual property, including patents, registered trademarks and copyrights. Accordingly, visitors to this website do not acquire a licence to use the intellectual property of the Polyclinic Medical Body Balance, or that of third parties presented on it.

What data do we collect and process?

As part of your medical record:

  • first and last name
  • gender
  • date of birth
  • phone/mobile number
  • e-mail address
  • medical diagnoses
  • personal and family history
  • copy of medical records from other institutions
  • copy of diagnostic images from other institutions

Contacting:

(1) By e-mail: During the therapeutic process, your e-mail will receive booking confirmations as well as a reminder for the appointment 24 hours before the agreed date.

(2) Telephone: The staff of the Polyclinic may call you regarding checking or changing appointments, checking the condition after and during therapy, as well as other issues related to the therapeutic process.

We will keep your processed data permanently in our archives as part of your medical record. You can object to the processing of personal data for these purposes at any time and revoke the given consent. The Polyclinic will handle your personal data in accordance with the Personal Data Protection Act, i.e. the General Data Protection Regulation (GDPR) applying appropriate physical and technical security measures to protect personal data against unauthorised access, misuse, disclosure, loss or destruction.

The Polyclinic respects and protects the privacy of its patients, keeps the confidentiality of your personal data and prevents access to and communication of your personal data to any third party, except to Processors for the implementation of basic activities related to the activities of the Polyclinic. Your personal data may not be disclosed to third parties without your prior explicit consent, except:

(1) The Polyclinic will forward user data to state institutions when there is a legal obligation to do so.

(2) Other legal persons with whom the Polyclinic cooperates and who perform certain services for the Polyclinic, with whom part of the user's data will be shared if necessary for the purpose of fulfilling contractual obligations.

At any time, you can obtain insight into your personal data that is being processed and request correction, modification or supplementation of the data by contacting the employees at the Centre's desk or by e-mail: gdpr@bodybalance.hr. At any time, you have the right to file a complaint or revoke your consent to the Management Board of the Polyclinic at the address Ulica Frana Kesterčaneka 2B, 10 000 Zagreb or by e-mail to: gdpr@bodybalance.co.uk.

You can withdraw/revoke your consent given for the processing of your personal data at any time, in whole or in part, free of charge and without explanation, or withdraw from it and request the termination of the activities of processing your personal data and marketing activities directed towards you.

I. GLOSSARY

Personal data – data relating to an identified or identifiable natural person (‘data subject’);

Data subject (‘respondent’) – means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing of personal data – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Controller – means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data;

Processor – means a natural or legal person who processes personal data on behalf of the controller;

Information system – the totality of the technological infrastructure, organisation, people and processes for collecting, processing, generating, storing, transmitting, displaying and distributing information. An information system can also be defined as an interaction between information technology, data and data processing procedures, and the people who collect and use this data;

Supervisory authority – an independent public authority established by the Republic of Croatia for the purpose of controlling and ensuring the implementation of the Regulation;

Confidentiality – the property of the information (data) that is not available or disclosed to unauthorised entities;

Integrity – the property of the information (data) and process that it has not been altered in an unauthorised or unanticipated manner;

Consent – any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Pseudonymisation – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Personal data breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Third parties – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

II. FURTHER PROVISIONS

The Polyclinic Medical Body Balance (hereinafter: the Polyclinic) pays special attention to the protection of personal data and privacy of its users, employees, business partners or other persons with whom it achieves business cooperation (hereinafter: respondents). This Policy defines the basic principles and rules of personal data protection in accordance with the business and security requirements of the Polyclinic, as well as legal regulations, best practices and internationally accepted standards.

With the Personal Data Protection Policy, we want to provide our users with clear information about the processing and protection of personal data, the purposes for which it is collected and processed, and the management of personal data within the Polyclinic.

III. SCOPE

The Personal Data Protection Policy is a basic act of the Polyclinic that has the purpose of establishing a framework for the protection of personal data in accordance with the General Data Protection Regulation.

The Polyclinic operates with legal entities that are distributors of products and services of the Polyclinic and that have also adopted this Policy.

The Policy sets out all the rules relating to the processing of personal data of the users of the products and services of the Polyclinic that the Polyclinic uses or otherwise processes, directly or through its partners.

The Policy applies to all personal data processing within the Polyclinic, except in cases where anonymised data is processed or the processing is of such a nature that it is a statistical analysis from which it is not possible to identify an individual; such data are not considered personal data.

The Polyclinic is, as a rule, a processor in relation to the data of users of its services.

IV. DATA PROCESSING PRINCIPLES

The principles of data processing are the basic rules that the Polyclinic adheres to when processing the personal data of data subjects, and the processing carried out in accordance with the principles listed below is considered lawful.

The management of the Polyclinic is obliged to ensure that all persons authorised to process personal data have committed themselves to confidentiality.

The Polyclinic processes personal data in accordance with the following processing principles:

  1. Lawfully and fairly – with regard to the data subjects and their rights, the Polyclinic will process the personal data of the data subjects in accordance with the applicable laws.
  2. Transparently – the Polyclinic will ensure transparency in the processing of personal data and, in accordance with the Regulation, will provide data subjects with all the necessary information and, upon request, provide data subjects with access to their data, explanations of processing, grounds and lawfulness of processing, etc. Through this Policy, but also through other channels that will be available to data subjects, the Polyclinic will provide information to data subjects on how personal data relating to them are collected, used, disclosed or otherwise processed, as well as to what extent these personal data are processed or will be processed. The data subject shall be informed of all relevant information in a timely manner, i.e. before the data are collected.
  3. With purpose limitation – personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
  4. With storage limitation – the Polyclinic shall ensure that the personal data of the data subject are kept in a form which permits identification of the data subject only for as long as is necessary for the purposes for which the personal data are processed. The Polyclinic may store personal data for longer periods, but it must have a clear purpose in terms of a legal obligation (e.g. the Accounting Act) or a legitimate interest (e.g. in the event of a legal dispute).
  5. Using only the necessary data (data minimisation) – the Polyclinic collects and processes personal data in such a way that they are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The processes in the Polyclinic are designed so that no data is collected for which there is no justified need, and all employees ensure that this principle is adequately applied.
  6. Accuracy – the Polyclinic ensures that the data are accurate and, if necessary, up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. The Polyclinic ensures the application of this principle by establishing regular controls, but also a transparent communication process with data subjects through which data correction can be requested in case the data subject notices that some of his or her personal data is not correctly recorded.
  7. Integrity and confidentiality (ensuring security, supervision and control of data and data processing) – the Polyclinic collects and processes data in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

In accordance with the above principles, the data of the respondents will be accessed by the employees of the Polyclinic depending on their authorizations and workplaces, in order to successfully fulfill the tasks defined for their workplace. Also, part of the services for the Polyclinic are performed by other legal entities with which the data subject's data will be shared only if they are necessary for the purpose of fulfilling the obligations under joint Agreements. An example of this are accounting services, postal delivery services, distributors and the like.

V. LEGALITY OF PROCESSING

The Polyclinic considers the personal data of data subjects as their property and treats them accordingly. However, in order for the Polyclinic to be able to provide a service to the data subject, and in accordance with the laws listed below, it is necessary to process a minimum set of data necessary for the quality provision of a particular service. Otherwise, i.e. if the data subject refuses to provide the requested set of data, the Polyclinic will not be able to provide him or her with the service.

Accordingly, the personal data of the data subject are processed when one of the following conditions is met:

  • processing is necessary for the implementation of a therapy to which the data subject, i.e. the patient, is a party;
  • processing is necessary to comply with the legal obligations of the Polyclinic (applicable legal regulations according to which the Polyclinic is obliged to act);
  • processing is necessary for the purposes of the legitimate interests pursued by the Polyclinic, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The legitimate interest of the Polyclinic means processing the data of its users in order to improve its processes and services, develop new products and services and expand its business to additional regions;
  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes; consent must be demonstrable and voluntary, written in easily understandable language, and the data subject has the right to withdraw his or her consent at any time (withdrawal of consent must be as easy as giving consent);
  • processing is necessary to protect the vital interests of the data subject or another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

VI. RIGHTS OF DATA SUBJECTS

At the time of collecting the information from the data subject, the Polyclinic will provide the following information: the identity and contact details of the controller, the contact details of the data protection officer, the purposes of the processing for which the personal data are used as well as the legal basis for the processing, legitimate interests, recipients or categories of recipients of the personal data, the intention to transfer personal data to third countries (if any), the data storage period or the criteria defining that period, the rights related to consents, the potential existence of automated decision-making including profiling (meaningful information about the logic involved and the potential consequences and importance of the processing itself for the data subject) and the existence of the rights listed below. In the event that the data are not collected directly from the data subject, the source of the personal data shall be indicated in addition to the said data.

The Polyclinic processes personal data in accordance with the rights of data subjects defined within the Regulation, which are listed below:

Right to erasure (‘right to be forgotten’) - the data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay, and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based and there is no other legal basis for the processing;
  • the data subject objects to the processing, and the legitimate reasons for the exercise of the right to erasure outweigh the legitimate interest of the Polyclinic to process and/or store personal data;
  • the personal data have been unlawfully processed;
  • the personal data must be erased in order to comply with a legal obligation.

Right of access to data – the data subject has the right to obtain from the Polyclinic confirmation as to whether his or her personal data are being processed and, if such personal data are being processed, access to personal data and the purpose of processing, categories of data, potential recipients to whom the personal data will be disclosed, etc.

Right to rectification - the data subject has the right to obtain from the Polyclinic without undue delay the rectification of inaccurate personal data relating to him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. In addition, data subjects are required by the Installation/Change Request to update personal data in their business relationship with the Group.

Right to data portability - the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. It should be taken into account that the right of transfer relates exclusively to the personal data of the data subject.

Right to object – the data subject has the right to object at any time to the processing of personal data concerning him or her;

Right to restriction of processing - the data subject shall have the right to request from the Controller restriction of processing in the event that the accuracy of the personal data is contested by the data subject, the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead, and in the event that the data subject objects to the processing and expects confirmation as to whether the legitimate grounds of the controller override those of the data subject;

The data subject shall have the right to request the exercise of any of the above rights at any time. Upon request, the Polyclinic provides the data subject with information on the actions taken in relation to these rights, at the latest within 1 month of receiving the request (depending on the amount and complexity of the request).

In addition, the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision:

  • is necessary for the conclusion or performance of a contract between the data subject and the Polyclinic;
  • is permitted by law;
  • is based on the explicit consent of the data subject.

VII. OBLIGATIONS TO COMPLY WITH THE REGULATION

The Polyclinic continuously implements appropriate technical and organisational protection measures taking into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of data subjects.

These measures include the implementation of appropriate data protection policies.

VIII. PROCESSING SPECIFIC CATEGORIES OF PERSONAL DATA

The Polyclinic processes data on the health and health history of the data subject. Processing is necessary for the implementation of therapy.

IX. AUTOMATIC DATA PROCESSING

Polyclinic does not use automatic processing of personal data.

X. TRANSFER OF PERSONAL DATA

When transferring data of data subjects to external partners, the Polyclinic strictly respects the principle of processing limitation with the transfer of the minimum amount of data necessary to realize the requested service. In addition, the Polyclinic has established control mechanisms that require partners to have at least the same level of personal data protection.

XI. DATA PROTECTION OFFICER (DPO)

The Polyclinic has appointed a Data Protection Officer who acts in the interest of protecting the rights of data subjects and their personal data. He or she is responsible for applying the Personal Data Protection Policy within the Polyclinic, as well as the other policies and procedures that define the rules of conduct when collecting and processing the personal data of data subjects. He or she shall be involved in an appropriate and timely manner in all matters concerning the protection of personal data, and participates in the Polyclinic's change and project management processes, which gives him or her timely access to information.

The Data Protection Officer shall not receive any instructions regarding the performance of the above tasks, which shall in addition ensure his or her independence.

The Data Protection Officer is also the primary point of contact for data subjects who wish to exercise their rights (issues related to the processing of their personal data and the exercise of their rights under the Regulation), send an inquiry related to the protection of personal data, request additional information, express concern about the processing of their personal data, or file a complaint regarding the protection of personal data and the exercise of their rights under the General Data Protection Regulation. Data subjects may contact the Data Protection Officer via the e-mail address info@bodybalance.hr.

The Polyclinic has the right to charge a reasonable fee based on administrative costs or refuse to act on a request if the requests of the data subject are manifestly unfounded or excessive, in particular because of their frequent repetition.

Contact details of the Data Protection Officer are also available on the website www.bodybalance.hr.

XII. IMPACT ASSESSMENT

Where a type of processing is likely to result in a high risk to the rights and freedoms of data subjects, the Polyclinic shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, if it is in the role of the controller. One assessment may relate to a number of similar processing operations presenting similar high risks.

XIII. PERSONAL DATA PROCESSING REGISTER

The Polyclinic keeps a record of processing activities for which it is responsible, i.e. in cases where it is in the role of a controller or a joint controller. Those records shall be in electronic form and shall contain at least the following information:

  • the name and contact details of the controller and the Data Protection Officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  • transfers of personal data to a third country or an international organisation, including the name of the third country or the name of the international organisation;
  • the envisaged deadlines for deleting different categories of data, where possible;
  • a general description of the technical and organisational security measures.

The Data Protection Officer is responsible for maintaining the processing register, and all organisational units within the group are responsible for providing accurate and timely information so that the processing register can be adequately completed.

XIV. RIGHT TO COMPLAINT

In the event that the data subject considers that his or her rights regarding the protection of personal data have been violated and that the problem has not been resolved with the Data Protection Officer, the data subject has the right to lodge a complaint with the supervisory authority (the Personal Data Protection Agency), either in the event of an incident concerning his or her personal data or if he or she considers that the Polyclinic violates his or her rights under the General Data Protection Regulation.

XV. FINAL PROVISIONS

This Policy shall enter into force on the date of its adoption and shall apply from 24 May 2018.