This Policy shall apply to natural persons applying for or using the services of the Identalia Group (hereinafter: the "Users") and/or natural persons interested in using the services of Identalia Group (hereinafter: the "Potential Users").
This Policy describes the method of data collection, processing, purposes of data collection and rights of the Users and Potential Users in respect of the data processed by the Identalia Group.
When used in this document, the name the Identalia Group shall mean a group of related legal persons composed of the Identalia Polyclinic, Identalia Consulting d.o.o., Identalia Travel d.o.o. and Identalia Group d.o.o.
All member companies of the Identalia Group together make a group of undertakings within the meaning of the General Data Protection Regulation. Within the said group of undertakings, Identalia Group d.o.o. shall act as the Controlling Undertaking.
Each member of the Identalia Group shall be deemed to be a Controller within the meaning of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: the "General Data Protection Regulation").
In accordance with this Policy, each member company of the Identalia Group shall be responsible for data processing.
All member companies of the Identalia Group may exchange the personal data processed by them for the purpose of meeting their internal administrative requirements.
The Identalia Group shall continue to be responsible for the User and/or Potential User personal data even in situations when it engages third party data processing service providers.
How do we collect personal data
The Identalia Group primarily collects the data directly from the Users and Potential Users.
What type of personal data do we collect?
The Identalia Group collects and processes the following User and Potential User data:
- Basic personal data: name and surname, address, personal identification number, date of birth, sex and contact details (e-mail address, telephone number)
- Communication between the Users and Potential Users and the Identalia Group, communication via social networks, records of conversation with the staff of our Patient Consulting and Support Department, etc.
The following data related to treatment of the Users and Potential Users shall be collected and processed solely by the Identalia Polyclinic, in particular: description of past and current health conditions, X-ray images, clinical photos and printouts, treatment and cost plans, consents to treatment.
Data about the treatment of the Users shall be carefully stored by the Identalia Polyclinic throughout the period of such treatment. It is its legal obligation to store such data with equal care for 10 years after completion of the treatment as well. Thereafter, the data shall be either permanently erased or anonymised.
The Potential User data shall be stored by the Identalia Group for a period of one year. Thereafter, such data shall be either permanently erased or anonymised. At a Potential User’s request, this may be done by the Identalia Group even earlier.
Methods and purposes of personal data processing
All types of the User and Potential User data shall be processed by the Identalia Group for the following purposes:
- Contract performance
- Compliance with legal obligations
The Identalia Group shall process personal data primarily for the purpose of conclusion and performance of contracts between the Identalia Group and the Users.
The data processing for the above listed purposes shall be an essential prerequisite for contract performance or undertaking any actions at request of the Potential User prior to entering into a contract. Should the User refuse to provide the data required for the contract conclusion and performance, the Identalia Group shall not be authorised to enter into the contract and/or to undertake any actions related to the contract performance.
Patient treatment data shall be processed by the Identalia Polyclinic for the purpose of complying with its legal obligation of keeping and storing dental documentation under the Dental Medicine Act.
The legal basis for data processing for these purposes is the compliance with relevant legal obligations.
How do we protect personal data
The Identalia Group shall protect personal data by applying different technical and organisational protection measures. Such measures shall include in particular:
- Establishment of appropriate safeguards for the User and/or Potential User data filing systems
- Regular control of data security and protection measures
- Ongoing staff training.
Where are the personal data processed
As a rule, the Identalia Group processes personal data in the Republic of Croatia.
By way of exception, such data may be processed by the Identalia Group in other countries as well, as a rule in the EU Member States.
Regardless of the location of personal data processing, appropriate personal data protection shall be ensured, applying at least the same level of protection as if such data were processed in the Republic of Croatia.
Personal data transmission
The Identalia Group shall never sell the User and Potential User data. It shall not forward or exchange such data with any other natural or legal persons except in the following cases:
- If relevant legal obligation or express legal authorisation exist;
- If it engages a third party contractor or data processor to carry out specific operations, (e.g. specialised medical interventions, dental laboratory activities, passenger transport, etc.). The data processors shall act exclusively upon instructions of the Identalia Group which shall undertake all data protection measures as if such operations were performed by the Identalia Group itself.
Who to contact
The User or Potential User may exercise their rights by submitting a relevant request to the User Support Service of the Identalia Group in writing or via electronic communication.
Addresses for communication:Identalia
Patient Consultation and Support Department
Should the User or the Potential User have any suspicion of a breach of their personal data, they shall report such suspicion to the Data Protection Officer in writing.
Addresses for communication:Identalia
Data Protection Officer