Pursuant to Art. 3, paragraph 1 of the General Data Protection Regulation (EU) 2016/679, the director of the company Make over beautiful inside & out doo, for health activities, on October 1, 2020 passed the following
DECISION ON THE REGULATION ON THE PROCESSING AND PROTECTION OF PERSONAL DATA
In processing personal data, and with regard to the protection of individuals in connection with such processing and the rules on the free movement of personal data, Polyclinic Makeover Beautiful Inside & Out doo, for health activities (hereinafter: the Company) is obliged to apply the General Data Protection Regulation (EU) 2016/679.
Within the meaning of Art. 4 of the General Regulation, the Company is a controller of personal data, i.e. the body which alone or jointly with others determines the purposes and means of the processing of personal data, in accordance with national legislation or Union law.
In accordance with the General Data Protection Regulation, the terms used in this Rulebook have the following meaning:
“personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“recipient” means the natural or legal person, public authority, agency or other body to which the personal data is disclosed, regardless of whether it is a third party;
“third party” means a natural or legal person, public authority, agency or other body that is not the data subject, the data controller, the data processor or the persons authorized to process personal data under the direct authority of the data controller or data processor;
“consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
“pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
The Company processes personal data in accordance with the following principles:
• lawfulness, fairness and transparency: processing must rest on a specific legal basis, and the data subject must be informed about the processing and its purposes, which the controller is obliged to ensure;
• purpose limitation: data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is permitted;
• data minimization: data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• accuracy: data must be accurate and, where necessary, kept up to date;
• storage limitation: data must be kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the personal data are processed; longer storage periods are permitted only if the personal data will be processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the appropriate safeguards prescribed by the Regulation;
• integrity and confidentiality: data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage;
• accountability: the controller is responsible for compliance with these principles and bears the burden of proving it.
DATA PROTECTION OFFICER
The Company appoints a data protection officer from among its employees. The Company publishes the contact details of the data protection officer on its website and notifies the supervisory authority of the person appointed.
The data protection officer informs and advises the Company's responsible persons and the employees who directly process personal data of their obligations under the General Regulation, monitors compliance with the Regulation and with other Union or Member State data protection provisions, facilitates the exercise of data subjects' rights and cooperates with the supervisory authority. The data protection officer is bound to secrecy regarding all information learned in the performance of these duties.
III. PERSONAL DATA PROCESSING
The Company processes personal data only if, and to the extent that, at least one of the following conditions is met:
• the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
• the processing is necessary for the performance of a contract to which the data subject is a party;
• the processing is necessary for compliance with a legal obligation of the Company;
• the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
• the processing is necessary for the purposes of the legitimate interests of the Company or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Consent by which the data subject authorizes the Company to process personal data relating to him or her must be freely given, in writing, in easily understandable, clear and plain language, with a clearly stated purpose for which it is given and without unfair conditions.
Where the processing concerns the personal data of a child under the age of 16, consent in the manner described in paragraph 1 of this article is given by the holder of parental responsibility over the child (the child's parent or legal guardian).
When processing personal data, the Company provides the data subject, in an appropriate manner (in writing or orally in person), with all information relating to the processing of his or her personal data, in particular the purpose of the processing, the legal basis for the processing, the legitimate interests pursued by the Company, any intention to transfer personal data to third parties, the period for which the personal data will be stored, and the existence of the data subject's right of access to personal data, to rectification or erasure of personal data, to restriction of processing and to object, etc.
The Company processes personal data by means of video surveillance only for a purpose that is necessary and justified for the protection of persons and property, taking into account the interests of the data subjects. The Company's entrance and exit area is covered by video surveillance.
Stickers placed in visible locations indicate that the exterior of the premises is under video surveillance, in keeping with the principle of transparent processing. The Company's director is responsible for handling requests for access to personal data collected through video surveillance and for the protection of the collected data. Personal data collected through video surveillance are retained for 15 days from the day the recording was made. Recordings are stored on computer storage.
RIGHTS OF DATA SUBJECTS
The data subject has the right of access to the personal data relating to him or her contained in the Company's filing system, and the right to obtain a printout of those data. At the data subject's request, the Company will without delay rectify inaccurate data relating to him or her or complete incomplete data.
At the data subject's request, the Company will without delay erase the personal data relating to him or her, provided that the personal data are no longer necessary in relation to the purposes for which they were collected or that the data subject has withdrawn the consent on which the processing is based.
A data subject who considers that a right guaranteed by the General Data Protection Regulation has been infringed has the right to submit a request for the determination of a violation of rights to the competent supervisory authority.
In order to protect personal data, the Company applies pseudonymization wherever possible, and in particular when publishing information in accordance with the Act on the Right of Access to Information.
The Company collects and processes the following categories of personal data:
• personal data of employees,
• personal data of service users,
• personal data on the health status of service users,
• personal data on Company employees,
• personal data of candidates responding to published job vacancies,
• personal data of external associates.
For the personal data referred to in Article 11 of this Rulebook, the Company keeps a record of processing activities, which is attached to this Rulebook and forms an integral part of it.
The record of processing activities contains at least the following information:
• the name and contact details of the Company's representative and of the data protection officer;
• the purposes of the processing;
• a description of the categories of data subjects and of the categories of personal data;
• the categories of recipients to whom the personal data have been or will be disclosed;
• the envisaged time limits for erasure of the different categories of data;
• a general description of the technical and organizational security measures for the protection of data.
The Director of the Company issues a decision designating the persons responsible for the processing and protection of the personal data referred to in Art. 11 of this Rulebook.
PERSONAL DATA PROTECTION MEASURES
To prevent unauthorized access to personal data, data kept in paper form are stored in registers in locked cabinets; data kept on computers are protected by a username and password known to the employees in charge of data processing, and, for additional security and confidentiality, are also stored on portable storage media.
The persons in charge of processing personal data are required to take the technical, personnel and organizational measures necessary to protect personal data from accidental loss or destruction, unauthorized access, unauthorized alteration, unauthorized disclosure and any other misuse.
This Rulebook was published on the Company’s bulletin board on October 1, 2020, and will enter into force on October 1, 2020.