Method of data collection and types of data collected
The services provided by the Data Controller require the collection of personal data of service users, whereby basic data is collected in the following ways:
- Directly from the users of the services, who provide the data themselves with a signed consent to the Aksis Special Hospital as the Processing Manager, within a defined scope of data that is essential for the provision of health services. For the purpose of providing health services, the user of the service is obliged to submit the following data to the Data Controller, which is necessary for the provision of individual health services from registered activities.
- Name and surname
- Personal identification number (OIB) or registration number of the insured person (MBO)
- Date of birth
- Phone number
- E-mail address
- Medical records
- Relevant bank account or credit card numbers for the purpose of regulating payment obligations.
- Personal data related to health: hospital record, identity number of the insured person, insurance information (category of insurance, the HZZO regional office, country of insurance, supplementary insurance card number, EU health insurance card number, if applicable), data on health status and treatment, diagnosis (referral/final) and necessary parameters for the execution of individual health services (height, weight, allergies, blood type, RH factor, etc.), data on doctors (code of referring doctor/code of referring healthcare institution/code of the doctor who treated the patient), medical documentation, work injury number (if applicable).
- From other sources, that is, from our cooperating institutions:
Personal data of patients-insured persons of the HZZO who use health care based on a referral (based on the acts of the HZZO, regulations regulating CEZIH and the mandatory legal relationship on the implementation of health care with HZZO) are forwarded, depending on the functionality, through CEZIH (medical documentation on the performed health service) and certain personal data for the purpose of accounting to the HZZO;
Based on your consent, we may pass on the personal data of users (medical documentation) – insured persons of voluntary health insurance of insurance companies to insurance companies of which you are the insured for the purpose of executing the contractual relationship and accounting for the performed health services to insurers;
Personal data may be forwarded to cooperating healthcare institutions with which the Data Controller has a contractual relationship for the purposes of performing a part of the service (for example, individual laboratory tests, PHD analysis, etc.), and in order to fully perform the requested healthcare service. The same cooperating institutions are themselves subject to and obliged to keep personal data according to the Personal Data Protection Regulation (GDPR);
Based on the current Article 23 of the Act on Medicine, we are obliged to present your personal data contained in the medical documentation to the ministry responsible for health, state administration bodies in accordance with special regulations, the Croatian Medical Chamber or judicial authorities upon request.
- Automatically by visiting the website www.aksis.hr and our social networks, which is data associated with network identifiers (Internet protocol addresses and cookie identifiers, such as Google Analytics for tracking user and/or customer interaction).
Cookies enable Aksis Special Hospital to collect statistical data on user behavior on aksis.hr (e.g. on which parts of the web page users stay the longest and where the shortest), which internet browser the user uses (e.g. Microsoft Edge, Opera, Safari, Google Chrome, Firefox), etc.
The network identifiers in question may leave traces that, in combination with other identifiers and information provided by Internet service servers, may be used to identify the user of the service. Also, for the stated purpose, we collect and process the following data:
- IP address data
- data on the use of individual applications
- data on the habits of service users – we create the aforementioned data for the purpose of profiling users and/or customers.
The Data Controller takes care of collecting only the necessary scope of personal data that is required to achieve the legally established purpose for which the data is processed. Our IT systems are protected by technical and organizational measures against unauthorized access, modification, or dissemination of your data, as well as against loss or deletion.
Purposes for which personal data are collected
The Data Controller collects personal data exclusively for the purpose of fulfilling the request for the performance of a specific health service. We use the data only for established, clear, legitimate, and expected purposes, and we do not pass it on or use it for unforeseen or unexpected purposes. We do not collect data that does not serve to perform the requested service. Such data is collected by the Data Controller based on the consent given by the service user for one or more specific purposes, as well as in one of the following cases:
1. For the purpose of providing health services
We process personal data for the purpose of providing health care services in accordance with the current Health Care Act, as well as for the purpose of collecting claims for the same services.
We process personal data in response to your inquiries, requests for copies of medical documentation (Article 23 of the Act on the Protection of Patient Rights), complaints regarding the quality, content, and type of health care provided, requests in accordance with applicable regulations (provisions relating to the rights of respondents according to EU Regulation 2016/679 of the European Parliament and Council – General Data Protection Regulation, etc.).
2. Fulfillment of legal obligations
Personal data related to health may be processed for the purpose of public interest (e.g. the number of certain types of diseases) for statistical purposes in accordance with applicable legal regulations (e.g. in accordance with the Annual Plan of Statistical Activities of the Republic of Croatia) or in accordance with the contractual conditions of the service provider. In this case, your data is processed in an aggregated and anonymized form and cannot be linked to a specific natural person.
3. Direct promotion (marketing)
The user’s contact information can be used to send promotional information about Aksis Special Hospital services if the service user has given consent for such processing or if there is a legitimate interest of the Data Controller for such actions. The data controller may also use the contact data of service users whose personal data it already owns, based on a legitimate interest in sending promotional notices about all the information and services it provides, using all available channels for promotion, unless the service user objects to such processing.
4. Internal purposes
The Data Controller uses certain data of service users exclusively for the needs of its own records, for the purpose of protecting the legitimate interests of service users and/or Aksis Special Hospital. For example, the aforementioned includes the use of personal data for the purpose of creating offers that meet the needs and wishes of service users, market research, and analysis.
5. Data on potential service users
The Data Controller is also authorized to collect data on potential users of its services. This data includes basic data (name and surname, e-mail address) as well as the interests of potential service users who contact the Data Controller with the desire to be informed and/or offered a specific health service. The legal basis for collection in the described case is the consent of the service user.
Duration and storage of personal data
Depending on the purpose and legal basis on which the personal data of service users is collected, the Data Controller is in some cases obliged to keep personal data for the time period prescribed by the relevant regulations for a specific purpose. We are obliged to keep personal data contained in medical documentation for 10 years after the completion of treatment in accordance with Art. 23 of the Law on Medicine, i.e. after the expiration of all legal storage obligations, with the exception of personal data that we are obliged to keep permanently on the basis of the Law. We do not delete data in the event that the procedure for forced collection of unpaid claims has been initiated and/or there is a judicial or other appropriate procedure in connection with the provided health service, until the final completion of the procedure in accordance with the applicable regulations. After the legal deadline that obliges the Data Controller to keep certain personal data or when the purpose ceases, they are deleted.
Service users’ rights
- Right of access to personal data
As the Data Controller, Aksis Special Hospital undertakes, on the basis of the submitted written request of the service user, which can also be in the form of an electronic mail, to grant access to the personal data it processes about them, to inform them about the purpose of processing the personal data for which they are processed, about the type of personal data that are processed, about recipients or categories of recipients to whom personal data has been disclosed or will be disclosed, about the estimated time period of processing or about the criteria used to determine this period.
- Right to rectify personal data
As the Data Controller, Aksis Special Hospital will allow the rectification of incorrect personal data in each case when it is determined that the personal data collected on the service user are not accurate or that the user data has changed.
- Right to erasure of personal data
Aksis Special Hospital will carry out the erasure of the service user’s personal data in the following cases:
- when the user data is no longer necessary for the fulfillment of the purpose of the processing, i.e. upon termination of the processing purpose
- when the user of the service withdraws the consent which is a legal basis for the processing of data, and there is no other legal basis for data processing
- when the service user files an objection to data processing
- when personal data is illegally processed
- when personal data must be erased in order to fulfill legal obligations under EU or Croatian law to which the Data Controller is subject.
- Right to restriction of processing
Aksis Special Hospital shall ensure restriction of processing in cases where the accuracy of the personal data is contested by the user, where the processing is unlawful and the user opposes the erasure of the personal data and requests the restriction of their use instead, where the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the user and/or customer for the exercise of legal claims, as well as where the user and/or customer has objected to the processing of the personal data based on the Data Controller’s legitimate interest.
- Right to object to processing
The service users have the right to object to the processing of their personal data if the related data are processed for the legitimate interests of the Data Controller. Aksis Special Hospital will no longer process personal data in the event of an objection, unless we can prove compelling reasons worthy of protection for the processing, which outweigh the interests, rights and freedoms of the person concerned, or the processing serves to assert, exercise or defend legal claims.
Where personal data of the service user are processed for direct marketing purposes, the user shall be entitled to object at any time to processing for direct marketing purposes.
Where your personal data are processed
The Data Controller shall process the personal data of service users in the Republic of Croatia.
Links to third-party websites
The personal data of service users shall be forwarded by the Data Controller to third parties (including competent authorities) only in the following cases:
- in order to fulfill the legal obligations of the Data Controller
- when such processing is necessary to protect the key interests of service users.
The active role of the service user in the protection of personal data is reflected in giving consent as a voluntary, specifically informed, and unambiguous expression of the wishes of the respondents who, by declaration or by a clear acknowledgment of action, give consent for the processing of personal data. Consent Management implies the possibility that the user, by active and unambiguous action, authorizes the Data Controller to collect and process particular personal data for one or more purposes (consenting to the respondents), or to withdraw in an equal manner the prior consent for the collection and processing of personal data, for one or more purposes.
Aksis Special Hospital
Petrovaradinska ulica, 10000 Zagreb
tel: +385 (0)1 3877 413
Your inquiries and requests will be processed without undue delay and in accordance with legal obligations, and we will inform you of the measures we have taken.
The Data Controller reserves the right to modify this Policy at any time, without giving any special notice to interested parties.
Last update: 23 February 2023