Purposes and legal bases for the processing of personal data

The organisation collects and processes your personal data on the following legal bases:

– processing is necessary for compliance with a legal obligation to which the controller is subject;
– processing is necessary for the performance of a contract to which the data subject is a party or for the performance of measures at the request of such data subject prior to the conclusion of the contract;
– processing is necessary for the legitimate interests pursued by the controller or by a third party;
– the data subject has consented to the processing of his or her personal data for one or more specified purposes;
– processing is necessary to protect the vital interests of the data subject or of another natural person.

For the purpose of providing dental activities

For the purpose of of providing dental services, the organization processes patients’ personal data based on legislation. Based on these grounds, we process the following personal data of patients: name and surname, permanent residence address, telephone number, date of birth, postal code and place of residence, email address, and EMŠO (unique master citizen number).

The legal basis for data processing is the law

The data is retained for the period prescribed by law. Some data is retained only for a specified period, while other data must be retained permanently.

Appointment for dental services

In accordance with the legislation, patients must be able to order services electronically, by post, by telephone and in person at the surgery.
For the purpose of electronic ordering of a patient for a dental service, the organisation processes the following data: name and surname, e-mail address and contact telephone number.

The legal basis for the processing of the data is the law and the patient’s consent.
Personal data is stored for 5 years in accordance with the law.

For contract performance

In cases where an individual enters into a contract with the organization, this represents the legal basis for processing personal data. We may process personal data to conclude and perform a contract, such as the sale of goods and services, participation in various programs, etc.

If an individual does not provide personal data, the organization cannot conclude the contract, nor can the organization provide the service. On this basis, we process only and exclusively those personal data necessary for the conclusion and proper performance of contractual obligations. The legal basis for data processing is the contract, the completed and signed health questionnaire.

The retention period is until the purpose of the contract is fulfilled or up to 6 years after the termination of the contract, except in cases where there is a dispute between the individual and the organisation in relation to the contract.
In such a case, the organisation will keep the data for 10 years after the final decision of a court, arbitration or court settlement, or, if there has been no court dispute, for 5 years from the date of amicable settlement of the dispute.

For informing individuals by email

ThThe organization may, based on the performance of legitimate activities, inform customers and service users about its services, events, education, offers, and other content at their email addresses. An individual can request the cessation of such communication and data processing at any time and unsubscribe from receiving messages either via email or regular mail to the organization’s address.

The legal bases for data processing are legitimate interest and consent.

Data will be processed until the cancellation of receiving messages, or the withdrawal of consent, or until the fulfillment of the purpose of processing. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

For the purpose of preventing abuse

Based on legitimate interest, we process personal data when necessary to prevent abuse. Based on legitimate interest, we process personal data after the conclusion of the contractual relationship, during the period when legal claims can be asserted under the contract.

Video surveillance

Video surveillance is provided by the organisation. With the help of video surveillance (cameras are placed inside the organization and at the entrance to the organization), we monitor the entries and exits to and from the premises (based on Article 77 of the Personal Data Protection Act – ZVOP-2).

We also implement video surveillance to protect individuals (users, employees, and visitors) and the property of the organization (based on legitimate interest as defined in point (f) 1. paragraph 6. Article 76 of the General Regulation, in conjunction with Article 76. and following articles
ZVOP-2). Video surveillance is implemented in certain work areas where it is necessary for the safety of people or property, the protection of confidential data or trade secrets. ideo surveillance will help us in detecting, dealing with, or resolving incidents or extraordinary events, criminal acts, compensation claims, or other claims. The recordings are retained for 30 days. Video surveillance is not conducted in a manner that would have a particular impact on processing. Video surveillance does not enable unusual further processing, such as transfers to subjects in third countries, the possibility of audio intervention in case of live monitoring. Video surveillance allows live monitoring by an authorized person.

All information regarding the implementation of video surveillance can be obtained by calling or emailing the organization. The rights of individuals are described in this Privacy Policy. Additional questions can also be addressed to the authorized person for data protection.

Processing based on compliance or consents

If the organization does not have a legal basis established based on law, contractual obligation, legitimate interest, or the protection of the individual’s life, it may ask the individual for compliance or consent. Thus, it may also process certain personal data of the data subject for the following purposes, where the data subject has given his or her consent:
address of residence and e-mail address: for information and communication purposes:

– photographs, videos and other content relating to the individual (e.g. posting of images of individuals on the organisation’s website);
– for the purposes of documenting the activities and publicising the work and events of the organisation;
– for other purposes for which the individual has consented.

If an individual gives consent for the processing of personal data and at some point no longer wishes it, they can request the cessation of personal data processing by emailing or sending a regular mail to the address. Withdrawal of consent shall not affect the lawfulness of the processing carried out on
on the basis of consent prior to its withdrawal. Upon receiving the withdrawal or request for deletion, the data will be deleted within 15 days at the latest. The organisation may also delete the data before revocation where the purpose of the processing of personal data has been achieved or where provided for by law.
Exceptionally, the organisation may refuse a request for deletion on the grounds set out in the GDPR: the exercise of the right to freedom of expression and information, compliance with a legal obligation to process, grounds of public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the exercise or defence of legal claims.

Processing is necessary to protect the vital interests of the individual

The organization may process personal data of the individual if necessary to protect their vital interests. In emergencies, the organization can seek personal data of the individual, check if this person exists in its database, review their medical history, prescribed medicines and products, or contact the individual or their relatives, for which the organization does not need the individual’s consent. This applies only in cases where it is necessary to protect the vital interests of the individual.

Users of personal data, data transfers and automated decision-making

Data users include contractual processors hired to perform certain personal data processing for us. We work primarily with accounting services, courier services, IT system maintenance, security companies, social media providers, online advertising providers (Facebook, Instagram), contractual associates for service provision, X-ray diagnostics providers, dental laboratory service providers. An individual has the right to request information about which (external) users have been provided with personal data about the individual. In the case of a minor child, this can be requested by the legal representative or one of the parents.

Information about transfers of personal data to a third country

We do not export personal data to third countries (countries outside the EU and Iceland, Norway and Liechtenstein) and international organisations, except in the case of social media use, where the data may be exported to the USA, in which case the relationship with the US contract processors is governed by standard contractual clauses adopted by the European Commission and/or binding corporate rules approved by the EU.
We do not use automated decision-making, including profiling.

Cookies

Our website operates using so-called cookies, which are important for providing online services, and are used to store data about the state of individual web pages, help in collecting user statistics and website visits, etc. This website uses essential cookies which are uploaded immediately, but for all other cookies we need your consent, which you can change at any time. Cookies stored by the browser can be deleted by the individual.

Our website uses the following cookies:

Cookie management

Data protection and data accuracy

The organization takes care of information security and infrastructure security (premises and application system software). Our IT systems are protected by antivirus and firewall protection and other. We have implemented appropriate measures to protect personal data from destruction, loss, and unauthorized access. In the case of specific types of personal data, we provide them in encrypted and password-protected form.
It is the individual’s responsibility to ensure that his or her personal data is provided securely and that the data provided is accurate and authentic.

Patients’ rights

The Patient Rights Act defines the rights that patients have as users of healthcare services with all healthcare providers, as well as the procedures for enforcing these rights when they are violated. The law also defines the duties associated with these rights that patients must fulfill.

The patient rights established by the Patient Rights Act in relation to data protection are: the right to access medical records; the right to privacy and data protection; the right to address violations of patient rights; the right to free assistance in exercising patient rights.

A patient who believes that their rights have been violated during medical treatment has the option to request appropriate action. If an individual wishes to exercise any of the aforementioned rights, they may send a request via email or regular mail to the organization’s address.

Individual Rights Regarding the Processing of Their Personal Data

An individual whose personal data is being processed has the right to request access to their personal data, as well as the right to correct or delete their personal data, or to restrict the processing of their data. They also have the right to object to the processing and the right to data portability. The individual’s request is processed in accordance with the provisions of the General Data Protection Regulation (GDPR).

All the mentioned rights and any inquiries can be asserted by the individual through a request sent to our address. We will respond to each request without undue delay, and no later than one month after reciving the request. This period may be extended by up to two additional months considering the complexity and number of requests. You will be informed of this, together with the reasons for the delay. Exercising these rights is free of charge for you. However, we may charge you a reasonable fee if the request is manifestly unfounded or excessive, especially if it is repetitive. In such a case, we may also reject the request. In this case, we will inform you of the reasons for refusal and your right to lodge a complaint with the supervisory authority. If there is doubt about your identity, we may request additional information from you that we need to confirm your identity.

You can exercise your right to lodge a complaint with the supervisory authority at: Informacijskemu pooblaščencu RS na naslovu: Dunajska 22, 1000 Ljubljana (e-naslov:[email protected], spletna stran: www.ip-rs.si).

The Privacy Policy is valid from 12.5.2023.