Mercury Clinical Hospital (hereinafter referred to as the Hospital) and the Ruđer Bošković Institute (hereinafter referred to as the RBI) strive to comply with all relevant legal provisions and regulations relating to personal data in all countries in which they operate. This document sets out the basic principles according to which the Hospital and the RBI process personal data of patients, business associates, employees and others, and determines the roles and responsibilities of all departments of the organizations in the processing of personal data.
This policy applies to the Hospital and the RBI when operating in the European Economic Area (EEA) or processing personal data of entities inside or outside the EU.
The terms used in this document are defined in Art. 4 of the General Data Protection Regulation:
Personal data: all data relating to an individual whose identity has been established or can be established;
Sensitive personal data: personal data which by their nature are particularly sensitive in terms of fundamental rights and freedoms and deserve special protection because their processing could pose significant risks to fundamental rights and freedoms. These personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data when processed by special technical means enabling unique identification of an individual, health data, or data concerning the sex life or sexual orientation of the individual;
Processing manager (controller): a natural or legal person, public authority or other body which, alone or together with others, determines the purposes and means of personal data processing;
Processor: a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
Processing: any operation or set of operations performed on personal data or on sets of personal data, whether automated or non-automated, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Anonymization: personal data are irreversibly de-identified in such a way that a person cannot be identified using reasonable time, cost or technology, either by the controller or by any other person who could identify that individual. The principles of personal data processing do not apply to anonymised data;
Pseudonymization: the processing of personal data in such a way that personal data can no longer be attributed to a particular respondent without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that personal data cannot be attributed to an individual whose identity has been established or can be established. Pseudonymization reduces, but does not completely eliminate, the association of personal data with the respondent. As pseudonymised data still constitute personal data, the processing of pseudonymised data should be in accordance with the principles of personal data processing;
Cross-border processing of personal data: processing of personal data that takes place in the EU in the context of business activities in more than one Member State of the controller or processor, and the controller or processor is established in more than one Member State; or the processing of personal data which takes place in the EU in the context of the activities of the sole establishment of the controller or processor, but which significantly affects or is likely to significantly affect respondents in more than one Member State;
Supervisory body: an independent public authority established by a Member State in accordance with Art. 51 of the General Data Protection Regulation;
Leading supervisory authority: the supervisory authority primarily responsible for cross-border data processing, for example when the respondent objects to the processing of personal data; is also responsible for receiving notifications on personal data breaches, on risky actions in processing, and has full authority in the process of harmonization with the provisions of the General Regulation on Data Protection;
Local supervisory authority: will be competent in its territory and will monitor any local processing of data concerning respondents, or processing carried out by an EU or non-EU controller or processor when the respondents they target reside in its territory. Its tasks and powers include conducting investigations and enforcing administrative measures and penalties, promoting public awareness of risks, rules, safeguards and rights regarding the processing of personal data, and ensuring access to all premises of controllers or processors, including all equipment and facilities;
Main establishment of the processing manager: as regards a processing manager with establishments in more than one Member State, the place of its central administration in the EU, unless decisions on the purposes and means of personal data processing are taken in another establishment of the controller in the EU and the latter establishment is authorized to implement such decisions, in which case the establishment taking such decisions should be considered the main establishment;
Main establishment of the processor: in the case of a processor established in more than one Member State, the place of its central administration in the EU, or, if the processor does not have an EU central administration, the establishment of the processor where the main processing activities take place in the context of the activities of the establishment of the processor to the extent that the processor is subject to specific obligations under this Regulation;
The group of entrepreneurs includes the entrepreneur in a dominant position and his subordinate entrepreneurs.
Basic principles of personal data processing
Data protection principles define the main responsibilities within an organization that holds personal data. Art. 5 (2) of the General Data Protection Regulation stipulates that “the controller is responsible for compliance with paragraph 1 and must be able to prove the same (reliability).”
Lawful, fair and transparent processing.
Personal data in the Hospital and the RBI are processed in a lawful, fair and transparent manner in relation to the respondent.
Personal data is collected in accordance with the legal obligations and legitimate interests of the Hospital and the RBI, and may not be processed in any way that is not in accordance with these purposes.
Minimum amount of data
Personal data is appropriate and limited to what is necessary to fulfill the purpose of processing. When defining the purpose of processing, the Hospital and the RBI apply anonymization and pseudonymization of personal data if possible, in order to reduce the risk for the respondent.
Personal information is accurate and updated as necessary. If some inaccurate data appear during the processing, the Hospital and the RBI, as the Processing Managers, shall take measures to delete or correct this data without delay.
Storage time limit
Personal data must be kept only as long as necessary for the purposes for which they are processed. Deadlines and data retention procedures are defined in the Data Retention Policy of the Hospital and the RBI.
Inviolability and confidentiality
Taking into account technological advances and other available security measures, implementation costs and different probabilities of serious risk to data protection, the Hospital and the RBI have implemented appropriate technical and organizational measures to process personal data in a way that ensures personal data security and protection from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
The Hospital and the RBI are serious organizations and are able to demonstrate compliance with the principles outlined above at all times.
The General Regulation on Data Protection prescribes the methods of informing and communicating with the respondent about his personal data (Articles 12 and 13 and Articles 15-22) and notification of data breaches (Article 34).
Art. 12 requires in particular that information and communication with the respondent follow these rules:
it must be precise, transparent, unambiguous and easy to understand
communicated in clear and simple language
must be in writing (electronic or paper)
where requested by the respondent must be informed both orally and
must be free
Respondent’s choice and consent
Art. 4, paragraph 11 stipulates that the consent of the respondent must be freely given, specific, informed and unambiguous, and is the act by which he consents to the processing of personal data relating to him.
The Hospital and the RBI collect the least possible amounts of personal data. If personal data is collected from a third party, the Director of the Hospital and the Director of the RBI must ensure that the collection is lawful in the preparation and definition of the purpose of the processing.
Use, storage and disposal
The purpose, methods, storage limitation and retention period of personal data must be consistent with the information contained in the Privacy Statement. The Hospital and the RBI are able to preserve the accuracy, integrity, confidentiality and relevance of personal data based on the purposes of the processing they have in their business processes. Appropriate security mechanisms aimed at protecting personal data are used to prevent theft, infringement or misuse of personal data.
Disclosure to third parties
When the Hospital and the RBI engage a third party supplier or business partner to process personal data, the Hospital and the RBI are obliged to ensure that the Processor takes security measures to protect personal data appropriate to the possible risks that may arise during processing. For this purpose, the Questionnaire on compliance with the General Data Protection Office is used.
The Hospital and the RBI contractually define and require that the supplier or business partner ensure the same level of data protection that is applied in their own business processes. The supplier or business partner may process personal data only when fulfilling its contractual obligations to the Hospital and the RBI or by order of the Hospital and the RBI. When the Hospital and the RBI process personal data together with an independent third party, they will explicitly specify their own responsibilities as well as those of the third party, through an appropriate contract or any other legally binding document.
Respondents’ rights to access data
When in the role of Processing Manager, the Hospital and the RBI are required to provide respondents with an acceptable mechanism for accessing their personal data. Respondents are also able to update, correct, delete or transfer their personal data if this is applicable or prescribed by law.
Respondents have the right, upon request, to receive a copy of their data processed by the Hospital and the RBI, in a structured format, and to transfer this data free of charge to another controller. The Director of the Hospital and the Director of the RBI are responsible for ensuring that such requests are processed within 30 (thirty) days, that they are not excessive and that they do not affect the personal data protection rights of other individuals.
The right to be forgotten
Upon request, respondents have the right to ask the Hospital to delete their personal information. When the Hospital and the RBI are also the Processing Manager, the directors must take the necessary actions (including technical measures) to inform third parties who use or process this data, of the need to comply with the request.
Guidelines for fair data processing
Personal data may only be processed if it is explicitly approved by the Director of the Hospital and the RBI. When defining the processing, the Hospital and the RBI must decide whether to apply the Data Protection Impact Assessment for each data processing activity in accordance with the Data Protection Impact Assessment Guidelines.
Notifications to respondents
During or before the collection of personal data for any type of processing, including products for sale, services or marketing activities, the Director of the Hospital and the Director of the RBI are responsible for properly informing the respondents about the following: type of personal data collected, purpose of processing, processing methods, rights of respondents in the context of personal data, retention period, possible international data transfer, possible sharing with third parties and security measures of the Hospital and the RBI on personal data protection.
Depending on the processing activity and the categories of collected personal data, the Hospital and the RBI create various notifications that differ according to the processes within the processing (e.g. for sending letters or for sending goods).
When personal data is shared with a third party, the directors of the Hospital and the RBI must ensure that respondents are notified through a Privacy Statement.
When personal data is transferred to a third country in accordance with the Cross-Border Data Transfer Policy, the Hospital and the RBI clearly state in the Privacy Statement where and to which institution the personal data is transferred.
When collecting sensitive personal data, the Data Protection Officer shall ensure that the Privacy Statement explicitly states for whom the sensitive personal data in question is collected.
When the processing of personal data is based on the consent of the respondents or on some other legal basis, the directors of the Hospital and the RBI are obliged to ensure adequate keeping of records of the consents in question. The directors of the Hospital and the RBI are required to provide the respondent with the option to give consent and to inform him or her, and ensure, that the consent (whenever used as a legal basis for processing) can be withdrawn at any time.
When the collection of personal data relates to a child under the age of 16, the Hospital and the RBI will obtain parental consent prior to the start of the collection using the Parental Consent Form.
In the case of a request for correction, supplementation or destruction of personal data records, the Hospital and the RBI must ensure that such requests are dealt with within a reasonable time. The Hospital and the RBI must also ensure that any such requests are recorded.
Personal data at the Hospital and the RBI are processed only for the purposes for which they were originally collected. In the event that the Hospital and the RBI wish to process the collected personal data for another purpose, they always seek the permission of their respondents in a clear and unambiguous written manner. Each such request shall include the original purpose for which the data were collected, as well as a new or additional purpose (or purposes). The request also includes the reason for the change of purpose. The Data Protection Officer is responsible for complying with the rules in this chapter.
The Hospital and the RBI have ensured that collection methods are in accordance with relevant law, good business practices and applicable safety standards.
Organization and responsibilities
The responsibility for ensuring appropriate data processing lies with everyone who works for or with the Hospital, or for or with the RBI, and has access to personal data processed by the Hospital and / or the RBI.
The main areas of responsibility for the processing of personal data lie with the following organizational roles:
The Directorate makes decisions or approves the general strategies of the Hospital and the RBI for personal data protection.
The Data Protection Officer is responsible for the management of data protection programs, and for the development and promotion of personal data protection policy from its first to the last element as defined in the Job Description of the Data Protection Officer.
The Data Protection Officer monitors and analyzes personal data laws, changes in regulations, creates compliance requirements, and assists business departments in achieving personal data goals.
Procedure in case of personal data breach
When the Hospital and the RBI suspect or learn that a personal data breach has occurred, the Director of the Hospital and the RBI must undertake an internal investigation and initiate corrective action to repair the damage. If it is determined that there are any risks to the rights and freedoms of the respondents, the Hospital and the RBI must notify the AZOP supervisory body without delay, and within a maximum of 72 hours from the time the risk or incident is detected.