As stated in Art. 3 paragraph 1 of the General Regulation on Data Protection (EU) 2016/679 and the director of the company Make over beautiful inside & out d.o.o., for health activities on October 1, 2020 adopted
DECISION ON THE RULEBOOK ON PROCESSING AND PROTECTION OF PERSONAL DATA
In the action of personal data processing and protection of individuals regarding the processing of personal data and rules related to the free movement of personal data Polyclinic Makeover Beautiful Inside & Out doo, for health activities (hereinafter: the Company) is obliged to apply the General Data Protection Regulation (EU) 2016/679.
The company is in accordance with Art. 4. of the General Regulation, the controller of personal data who alone or together with others determines the purpose and means of the processing of personal data in accordance with national legislation or EU law.
In accordance with the General Data Protection Regulation, certain terms in this Ordinance have the following meaning:
“Personal data” means all data relating to an individual whose identity has been or can be established (“respondent”); an identifiable individual is a person who can be identified directly or indirectly, in particular by means of identifiers such as name, identification number, location data, network identifier or by one or more factors specific to physical, physiological, genetic, mental , the economic, cultural or social identity of that individual;
“Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether automated or non-automated, such as the collection, recording, organization, structuring, storage, adaptation or modification, retrieval, inspection, use, detection by transfer, dissemination or otherwise making available, harmonization or combination, restriction, deletion or destruction;
“Storage system” means any structured set of personal data available according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
“Controller” means a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be provided for by Union law or the law of a Member State;
“Recipient” means a natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether or not he is a third party;
“Third party” means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or any person authorized to process personal data under the direct responsibility of the controller or processor;
“Consent” of the respondent means any voluntary, special, informed and unambiguous expression of the respondent’s wishes by which he or she gives consent to the processing of personal data relating to him or her by a statement or clear affirmative action;
“Personal data breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed;
“Pseudonymisation” means the processing of personal data in such a way that personal data can no longer be attributed to a particular respondent without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that personal data cannot be attributed to an individual whose identity has been established or can be established.
The company processes personal data in compliance with the following principles:
legality, fairness and transparency of processing: processing should be in accordance with a certain legal basis, and that the individual is informed about the processing procedure and its purposes, which the controller is obliged to provide:
- purpose limitation: data should be collected for specific, explicit and legitimate purposes and should not be further processed in a way that is inconsistent with those purposes; but further processing is possible for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes;
- reducing the amount of data: the data must be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accuracy: data must be accurate and up-to-date as necessary;
storage restriction: data must be kept in a form that allows the identification of respondents only for as long as is necessary for the purposes for which personal data are processed; longer retention periods are only possible if personal data will be processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes with the implementation of appropriate protection measures prescribed by the Regulation;
- Integrity and confidentiality: data must be processed in a way that ensures an adequate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage;
- reliability: the controller is responsible for complying with the principle and the burden of proof is on him.
DATA PROTECTION OFFICER
The company appoints a data protection officer. The Data Protection Officer is appointed from among the employees of the Company. The Company publishes the contact details of the Data Protection Officer on its website and informs the supervisory body about the person appointed as the Officer.
The Data Protection Officer provides information and advice to the Company’s responsible persons and employees who directly process personal data on their obligations under the General Regulation, monitors compliance with the Regulation and other Union or Member State provisions on protection, facilitates respondents’ rights and cooperates with the supervisory authority. The Data Protection Officer is obliged to keep confidential all information he / she learns in the performance of his / her duties.
III. PROCESSING OF PERSONAL DATA
The company processes personal data only to the extent that one of the following conditions is met:
that the respondent has given consent to the processing of his or her personal data for one or more special purposes
that processing is necessary for the performance of the contract to which the respondent is a party
that the processing is necessary to comply with the legal obligations of the Company
that processing is necessary to protect the key interests of the respondent or other natural person
that the processing is necessary for the performance of a task of public interest or in the exercise of public authority of the Company
that the processing is necessary for the purposes of the legitimate interests of the Company or a third party, unless those interests are stronger than the interests or fundamental rights and freedoms of the respondent requiring the protection of personal data, especially if the respondent is a child.
Consent by which the respondent gives consent to the Company for the processing of personal data relating to him must be voluntary, given in writing with easy to understand, clear and simple language, clearly indicated purpose for which it is given and without unfair conditions.
If the personal data of a child under the age of 16 are processed, the consent in the manner described in paragraph 1 of this Article shall be given by the holder of parental responsibility over the child (parent or legal guardian of the child).
In the process of personal data processing, the Company provides the respondent with all information related to the processing of his personal data, in particular (for the purpose of data processing, legal basis for data processing, legitimate interests of the Company, intention to hand over personal data to third parties). the period in which personal data will be stored, the existence of the respondent’s right to access personal data and to correct or delete personal data and limit processing, the right to object, etc.
The processing of personal data through video surveillance in the Company will be carried out for the purpose that is necessary and justified for the protection of persons and property, taking into account the interests of respondents. Video surveillance covers the area of entrances and exits in the Company.
In visible places, it is marked with stickers that the external surfaces of the building are recorded by video surveillance, which respects the principle of transparency of processing. The right to access personal data collected through video surveillance and the protection of collected data is the responsibility of the director of the Company. The period of storage of personal data collected through video surveillance is 15 days from the date of creation of the record. The track is stored in the computer’s memory.
The respondent has the right to inspect the personal data contained in the Company’s storage system relating to him. The respondent has the right to print personal data contained in the storage system relating to him. At the request of the respondent, the Company will, without delay, correct inaccurate data relating to it, or supplement it based on the respondent’s request.
The Company will, without delay, at the request of the respondent, delete personal data relating to him, provided that personal data are no longer necessary for the purposes for which they were collected or if the respondent withdraws consent on which the processing is based.
A respondent who considers that a right guaranteed by the General Data Protection Regulation has been violated has the right to submit a request for a violation of rights to the competent authority.
For the purpose of personal data protection, the Company, in all cases when it is possible, and especially during the public disclosure of information in accordance with the Law on the Right to Access Information, performs pseudonymization of data.
The company collects and processes the following types of personal data:
personal data of employees
personal data of service users
personal data on the health status of service users
personal data on the Company’s employees
personal data on candidates participating in published calls for employment
personal data of external associates.
For personal data specified in Article 11 of this Article, the Company keeps records of processing activities, which are attached to this Ordinance and are considered an integral part thereof.
The processing activity log shall contain at least the following information:
name and contact details of the Company, representatives of the Company and data protection officers;
purpose of processing
description of categories of respondents and categories of personal data;
categories of recipients to whom personal information has been disclosed or will be disclosed
deadlines for deleting different categories of data
general description of technical and organizational security measures for data protection.
The Director of the Company makes a decision on the persons in charge of processing and protection of personal data from Art. 11 of this Ordinance.
MEASURES FOR THE PROTECTION OF PERSONAL DATA
To avoid unauthorized access to personal data, the data is stored in writing in binders, in locked lockers, and the data in the computer is protected by assigning a username and password known to employees in charge of data processing, and stored for further security and confidentiality on removable memory.
Persons in charge of personal data processing are obliged to take technical, personnel and organizational measures for personal data protection necessary to protect personal data from accidental loss or destruction, from unauthorized access or unauthorized change, unauthorized disclosure and any other misuse,
This Ordinance was published on the Company’s notice board on October 1, 2020, and enters into force on October 1, 2020.