The purpose of this Policy is to inform you about the purposes for which your personal data will be collected and how it will be used, what your rights are in relation to the data we hold about you and how to exercise them.
We are committed to using the personal data collected in accordance with this Policy, to protecting the confidentiality of your personal data, to using the data collected only for the purposes for which you have provided it to us, and to not disclosing it to unauthorised third parties without your explicit permission. We will do everything in our power to protect your personal information from any breach and misuse.
2. Who is your data controller?
The controller of your personal data is GRIDTECH, Knafelčeva ulica 15, 2000 Maribor, email address: firstname.lastname@example.org, telephone number: +386 40 149 007.
All topics and content discussed in relation to the protection of your personal data are subject to strict confidentiality.
3. Which of your personal data can we collect and process?
Personal data is any information that identifies you as an identified or identifiable living individual. An individual is identifiable when they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by reference to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
Depending on the circumstances of each case, the controller may collect and process the following personal data about you:
patients’ contact details (name, address, email address, telephone and mobile number, workplace and employer, date, time and content of postal or electronic communication) and health information for the purposes of medical treatment;
data on users of the controller’s websites (IP address, dates, times and duration of visits to the websites, data on the location or entry point of access to the Internet, data on subpages visited, data on settings made, etc.);
data on entries in online forms;
other data that you voluntarily provide to us at any of the contact addresses on our website or that we process for the purpose of providing a healthcare service.
4. How, when and why do we collect and process your personal data?
The controller does not collect or process your personal data except where it is based on the law or where you consent to the processing and where the processing of your personal data is necessary for the fulfilment of our legal obligation or where we have a legitimate interest in processing your data (e.g. in the case of making an appointment for a treatment, in the case of providing you with information related to a medical treatment).
Any personal data you provide to us will be treated confidentially and will only be used for the purposes for which it was provided and collected. If there is a need to further process your data for another purpose, we will contact you in advance and ask for your prior written consent.
By providing the data, the data subject gives their consent to the processing of the data and confirms the truthfulness of all the personal data provided.
4.1 Processing on the basis of consent
If the controller does not have a legal basis based on the law, on the performance of a public task, a contractual obligation or a legitimate interest, it may request the individual’s consent. Thus, it may also process certain personal data of the individual for the following purposes, where the individual has given their consent to this:
name and email address for information and communication purposes,
photographs, videos and other content relating to the individual (e.g. photographs of events) for the purposes for which the individual has consented.
If the individual has given consent to the processing of personal data and no longer wishes to do so, they may, at any time, request the termination of the processing of their personal data by e-mail to email@example.com or by regular mail to the Controller’s address.
5. Website visit and cookies
Each time you visit our website, we may collect certain information about your visit, such as your IP address, the name of your Internet service provider, the date and time you access the website, the pages you visit on the website, the number of visits and the Internet address of the website from which you came to our website, and so on, by placing a so-called “cookie” on your computer’s browser. Using this information alone, it is not possible to uniquely identify the visitor at this time, given the state of technology. A more detailed definition of cookies is available on the website:
We will ask for your consent each time before installing more invasive cookies, while certain other information may already be collected on the basis of our legitimate interests.
6. Sending enquiries and other communication with the operator
When you send a healthcare enquiry or submit a referral to our contact details (address, email addresses, telephone numbers) published on our website, we process your personal data solely for the purposes of the healthcare treatment, to provide you with the necessary information and to provide you with healthcare services. For this purpose, we only collect personal data that you provide to us and that is necessary for the professional provision of the healthcare service.
We may also process the contact data provided on the basis of our legitimate interest for the purpose of basic personalised communication with you via email for the purpose of providing a healthcare service (e.g. notifying you of appointments, sending you medical reports, etc.). We do not use any (automated) profiling in this respect.
7. How and when do we share your personal data with others?
We undertake not to disclose your personal data to unauthorised third parties without your consent, unless otherwise required by applicable law. At the request of law enforcement authorities, in the event of any misuse or breach, personal data, email addresses and IP addresses of users may be passed to the police and other competent authorities for further action.
Please note that we may entrust certain tasks relating to your data to our business partners (so-called contractual processors). The contractual processors may process the entrusted data only on our behalf and within the limits of our authorisation (in a written contract or other legal act) and in accordance with the purposes set out in this Policy. The data provided shall be carefully protected by the said sub-processors and shall not be kept in stock or used for their own purposes. The sub-processors shall be entitled to use the data provided only for the performance of their work.
Within the scope of our legal powers, your personal data may be disclosed to the following data users:
IT service providers in the context of software servicing and maintenance;
the website administrator and webmaster;
an accounting service;
cloud computing service providers and email messaging service providers;
providers of file and media destruction services.
We undertake that neither we nor other users will transfer or transmit your personal data to a third country outside the European Union and/or the European Economic Area, or to an international organisation, without an adequate level of protection.
8. How long do we keep your personal data?
The controller will keep the personal data only for as long as necessary to fulfil the purpose for which the personal data were collected and processed. If the controller processes the data on the basis of a law, the controller will keep the data for the period prescribed by the law. In this respect, some data must be kept permanently.
Personal data processed by the controller on the basis of a contractual relationship with the individual shall be kept by the controller for the period necessary for the performance of the contract and for a period of 6 years after termination of the contract, except in cases where there is a dispute between the individual and the controller in relation to the contract. In such a case, the controller shall retain the data for 5 years after the final judgment, arbitration or court settlement or, in the absence of litigation, for 5 years from the date of amicable settlement of the dispute.
The controller will retain those personal data processed on the basis of the individual’s personal consent or legitimate interest until the consent is withdrawn or until the erasure of the data is requested. Upon receipt of a cancellation or a request for erasure, the data shall be erased within 15 days at the latest. The controller may also delete the data before cancellation where the purpose of the processing of the personal data has been achieved or where required by law.
As an exception, the controller may refuse a request for erasure on the grounds set out in the General Regulation, such as the following: the exercise of the right to freedom of expression and information, compliance with a legal obligation to process, grounds of public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the exercise or defence of legal claims.
After the retention period has expired, the controller shall erase or anonymise the personal data in an effective and permanent manner so that they can no longer be associated with a specific individual.
9. How do we ensure the security of your data?
We carefully protect the information you provide to us through our websites, telecommunications channels or any other means against loss, misuse, unauthorised access or disclosure, alteration or destruction. Personal data is stored on secure computer devices and servers, encrypted where possible.
We review our information security procedures and processes at regular intervals to ensure that our IT systems are safe and secure. When the need to keep data ceases, i.e. when the purpose for which the data was collected has been fulfilled, the data is immediately and irretrievably deleted.
In the event that our website contains links to other websites which have no connection with us, we do not accept any responsibility for the protection of your data on those websites. Nor can we guarantee the security or privacy of information transmitted by email or on the Internet and cannot be held responsible in this respect.
10. What is your responsibility?
You control the information you provide to us. If your personal information changes (e.g. postal code, email address, address, telephone number, etc.), please also notify us of the changes by email to: firstname.lastname@example.org.
11. What are your rights?
The Controller shall ensure that you can exercise all your rights under applicable law in relation to the processing of your personal data. Which rights you are entitled to depends on the circumstances of the specific processing of your data, and you may not necessarily be entitled to all of the rights set out below in a particular case.
Rights: What do they mean?
Right to withdraw consent:
If you, as an individual, have consented to the processing of your personal data (for one or more specific purposes), you have the right to withdraw your consent. Withdrawal of consent does not affect the lawfulness of the data processing that was carried out until the withdrawal of consent.
You may withdraw your consent to the newsletter at any time, free of charge, by sending a written statement to the controller at the following email address: email@example.com. Withdrawal of consent to the processing of your personal data does not have any negative consequences or sanctions.
Right of access to personal data:
As an individual, you have the right to obtain confirmation from the controller as to whether or not data relating to you are being processed. If this is the case, you have the right to be given access to your personal data (i.e. to inspect and copy or reproduce it) and to be provided with information relating to the processing of your personal data (e.g. the purpose of the processing, the type of personal data, the users to whom the personal data have been or will be disclosed, the envisaged period of retention of the data, technical and organisational measures for data protection, the existence of automated decision-making, including profiling, etc.).
Right to rectification:
As an individual, you have the right to obtain the rectification of inaccurate personal data concerning you and to have incomplete personal data completed. To this end, you have the right to provide us with a supplementary declaration containing up-to-date personal data.
The right to erasure of personal data (the so-called “right to be forgotten”):
You have the right to have personal data relating to you erased by the controller without undue delay if one of the grounds set out in Article 17 of the GDPR applies (e.g. if the data are no longer necessary for the purposes for which they were collected or otherwise processed, if you withdraw your consent and there is no other legal basis for the processing, if you object to the processing and there are no overriding legitimate interests, if the personal data have been unlawfully processed, etc.).
Right to restriction of processing:
You have the right to have the controller restrict the processing of your data where one of the following applies:
(i) if you contest the accuracy of the data, for a period which allows the controller to verify the accuracy of the data;
(ii) if the processing is unlawful and you request the restriction of processing instead of erasure;
(iii) where the controller no longer needs the data but you need them to assert, exercise or defend legal claims; or
(iv) where you have lodged an objection to processing, pending verification that the legitimate grounds of the controller outweigh your grounds.
Right to data portability:
As an individual, you have the right to receive your personal data in a commonly used and machine-readable format and to have that data transmitted directly to another controller. This right applies only if the processing of your personal data is based on consent or a contractual relationship and the processing is carried out by automated means.
Right to object:
If the processing is based on our legitimate interests, you have the right to object to the processing of your personal data at any time on grounds relating to your particular situation. In such a case, we will only continue to process your personal data if we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
You may object to the processing of your personal data for direct marketing purposes, including profiling, at any time and free of charge, without giving any reason, by sending us an email to firstname.lastname@example.org. If you object to the processing of your data for direct marketing purposes, we will immediately stop processing your data for these purposes.
If you suspect that the processing of your data is in breach of personal data protection legislation, you have the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia, at Zaloška 59, 1000 Ljubljana, Slovenia, telephone number: 00 386 (0)1 230 97 30, email address: email@example.com.
12. How to contact us?
If you have any questions about the confidentiality of your data, how your data is collected and processed, or if you wish to exercise your rights in relation to your data, the Data Controller’s Data Protection Manager will be happy to answer your questions by telephone on +386 40 149 007 or by email at firstname.lastname@example.org.
We are committed to responding to your requests without undue delay and at the latest within the statutory time limits.
We may request additional information from you for the purpose of reliable identification in the event that you exercise your rights in relation to personal data. If we are still unable to identify you reliably, we regret that we will have to refuse your request.
13. Policy change
We reserve the right to adapt this Policy from time to time, as necessary, to the actual situation and legislation in the field of personal data protection. For this reason, we ask you to check the current version before you provide any personal data to ensure that you are aware of any changes and updates.
We will also notify you in advance of any changes that significantly affect the processing of your personal data in an appropriate manner (e.g. by a notice on our website, by email).