SPECIAL ADDICTIVE DISORDERS TREATMENT HOSPITAL “DR VOROBJEV” BELGRADE
Ul. Hemingvejeva br. 6
Dear service users,
When you request one of our services (via website and social networks *9, e-mail, Call center, direct mail, personal contact, by filling out medical documentation and records and including, but not limited to other types and forms of personal data sources) , regardless of your citizenship, residence or domicile, you are entitled to personal data protection. You will be asked to provide us with several types of data *1. These data are necessary so that we could consider your request or need as accurately as possible and send you an appropriate response and/or provide an appropriate service. Giving true, accurate and complete data about you to our institution, as well as making timely changes to the data to be true, accurate and complete is your legal and contractual obligation and providing data is a necessary condition for concluding a contract with us. Your possible refusal or misrepresentation of the requested data may lead to us not be able to provide you with services of satisfactory quality or not providing services at all.
Due to harmonization and in order for national provisions to be understandable to the persons to whom they apply, the Republic of Serbia has harmonized its national law – the Personal Data Protection Law with the provisions of Regulation (EU) 2016/679 of the European Parliament and Council dated 27 April 2016.
Risks of personal data processing
The Internet is creating a turnaround in traditional market structures, providing a common, global infrastructure for delivering a wide range of electronic communications services. Publicly available electronic communications services over the Internet open up new opportunities for users, but also new risks to their personal data and privacy *8.
There is public opinion that there are significant risks to the protection of individuals, especially in relation to online activities. You, as an individual, may, against our will or control and influence, be associated with network identifiers provided by your devices, applications, tools and protocols, such as Internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification. This can leave traces that, especially in combination with unique identifiers and other information received by servers, can be used to profile and identify individuals.
Risks/risk sources (personal data breach) are, including, but not limited to, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed, which may in particular cause physical, material or non-material damage such as loss of control over your personal data or restriction of your rights, discrimination, identity theft or fraud, financial losses, unauthorized reversal of pseudonymization, reputation damage, loss of confidentiality of personal data protected by trade secrets or other significant economic or social damage.
Special protection of children’s personal data
Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. According to the Law on Patients’ Rights of the Republic of Serbia, a child is considered a human being below the age of 18 years. In the process of obtaining health care, a child who is capable of reasoning, regardless of age, is entitled to confidential counseling even without parental consent, when it is in the best interest of the child. A child who has reached the age of 15 years and who is capable of reasoning can independently give consent to the proposed medical measure. If a child who has reached the age of 15 years and who is capable of reasoning refuses the proposed medical measure, the competent health professional is obliged to request the consent of the child’s legal representative. A child who has reached the age of 15 years and who is capable of reasoning is entitled to the confidentiality of the data contained in his/her medical documentation. The competent health professional, despite the child’s request not to disclose information about his/her health condition to his/her legal representative, is obliged to disclose information about his/her health condition to his/her legal representative in case of serious danger to the child’s life and health. If the patient is a child, the competent health professional is obliged to immediately notify his/her legal representative, i.e. the competent guardianship authority, of leaving the inpatient healthcare institution. If the patient is a child, and the decision to leave the inpatient healthcare care institution is made the legal representative contrary to the best interests of the patient, the competent health professional is obliged to immediately notify the competent guardianship authority of it.
Purpose of intended processing and legal basis for personal data processing
Purpose of processing. Personal data is collected for the purpose of scheduling a service (reservation), preventive medicine, medical diagnostics, providing health care, treatment or managing healthcare services/implementing a treatment plan. According to the regulations of the Republic of Serbia, the stated data are collected and processed by an expert in the field of healthcare who, according to the law and regulations, is obliged to keep the stated data confidential.
Legal basis. According to Article 2 of the Law on Health Documentation and Records in the Field of Healthcare (“RS Official Gazette”, No. 123/2014, 106/2015, 105/2017, 25/2019 (as amended)), we are obliged to keep health documentation and records in the manner and according to the procedure as well as within the deadlines stipulated by this Law. According to Article 50 of the law, keeping, collection and processing of data from health documentation and records is done in accordance with the law regulating personal data protection.
According to Article 54 of the Law on Health Care (“RS Official Gazette”, No. 25/2019), keeping health documentation, data entry and handling health documentation data is done solely by an authorized person, appointed by the Decision of the Director *11.
Data entry in the forms for keeping health documentation and records is done before/on the basis of provided healthcare services, i.e. when taking other measures in the field of healthcare in accordance with the law and on the basis of data contained in public and other documents. Exceptionally, if the data cannot be entered in the forms for keeping health documentation and records on the basis of data contained in public and other documents, it shall be entered on the basis of the statement of the person from whom the data entered in health documentation and records are taken *12. We keep health documentation and records in written and/or electronic form.
Our health institution, as well as every employed health worker, i.e. health associate and other authorized persons, keep medical documentation and records in accordance with the Law on Patients’ Rights and the law governing health documentation and records in the field of health, as well as regulations adopted to implement this law, and are obliged to protect medical records and patient records from unauthorized access, insight, copying and misuse, regardless of the form in which the data from medical records are stored (paper, microfilm, optical and laser disks, magnetic media, electronic records etc.).
Our health institution has established and maintains a security system that includes measures to ensure the security of data we have in accordance with the law. We apply security procedures, technical and physical restrictions on access to and use of personal data. Only authorized employees/administrators can access personal data to perform tasks related to the services we provide. We store the obtained data indefinitely, i.e. in accordance with deadlines prescribed by law.
We occasionally use third parties – attorneys who perform certain tasks and functions for us and on our behalf, but they are subject to the confidentiality obligation due to which they cannot use, provide or disclose your data for any other purpose.
Our health institution does not sell or concede the collected personal data.
We may restrict the exercise of your rights and we may disclose your personal data and information about you in the following cases:
- if it is provided by law;
- to protect the rights of our health institution;
- in the case of crime prevention or national security;
- in the case of personal or public security protection;
- if this information is necessary to prevent and resolve various disputes;
- other important general public interests;
- rights and freedoms of other persons;
- realization of claims in civil matters.
Our health institution will process your personal data for the purpose of informing about our services through the established printed or electronic directory/Newsletter.
Our health institution has installed video surveillance that ensures protection of vital interests of persons, especially life, health and physical integrity, control of entry and exit, protection of trade secrets, as well as protection of property, which is at the same time the purpose of data processing. Video surveillance has been introduced only in parts of the workspace where these interests must be protected, namely:
Special Addictive Disorders Treatment Hospital “DR VOROBJEV” – 2e Sremskih boraca St.
- Ground floor hallway
- First floor hallway floor
- Dining room
- First floor procedure room
- Ground floor procedure room
- Pharmacy hallway
- Part behind the building
- Ground floor hallway
- Meeting room
- Admission office
- Dining room
- Kitchen hall
- Second floor balcony
- Billiard room
- Part behind the building
- Laundry room
As for the data collection method, we collect data through a video surveillance system consisting of 44 cameras, which record only image without sound.
At the recorded places there are visible signs that the area is under video surveillance, with a graphic symbol of video surveillance, the name of the operator and the phone number on which additional information can be obtained. The data retention period is 30 days.
By entering the premises of our health institution under video surveillance, you have given your consent to the processing of your data by action implied by conduct.
Processing under the controller or processor authorization
The processor and any person who acts upon the authorization of the controller or processor, and has access to personal data, processes these data only on the order of the controller.
The controller *3 of personal data processing is: Special Addictive Disorders Treatment Hospital “DR VOROBJEV”, based in Belgrade, 2s Sremskih boraca St., contact phone: 011/316-6289, e-mail: email@example.com, representative/authorized person: Dr. Aleksey Elistratov.
The joint controller *4 of personal data processing is: Special Addictive Disorders Treatment Hospital “DR VOROBJEV”, based in Belgrade, 2s Sremskih boraca St., contact phone: 011/316-6289, e-mail: firstname.lastname@example.org, representative/authorized person: Dr. Aleksey Elistratov.
The personal data protection officer is: Živka Rangelov. Contact phone: 011/316-6289, e-mail: email@example.com, address: 2s Sremskih boraca St. Belgrade.
Legitimate interest of the controller
The legitimate interest of the controller is:
- Consent of you as a data subject *2;
- Written or oral contract concluded with you as a data subject or for taking action, at your request, before concluding the implied contract;
- Respect for the legal obligations of the controller;
- Protection of vital interests of you or another natural person;
- Performing activities in the public interest or exercising the powers of the controller prescribed by law;
- Personal data processing that is necessary for the purpose of fraud prevention;
- Processing of personal data for the needs of direct marketing;
- The pursuit of other legitimate interests of the controller or a third party for purposes specifically determined on the basis of – including but without limitation to:
- Law on Healthcare
- Law on Health Documentation and Records in the Field of Health
- Law on Patients’ Rights
- Law on Social Insurance
- Law on Protection of the Population from Infectious Diseases
- Law on Sanitary Supervision
- Law on Prevention of Domestic Violence
- Law on Transfusion Medicine
- Law on the Procedure of Abortion in a Health Institution
- Law on Protection of Trade Secrets
- Law on Information Security
- Law on Private Security
- Personal Data Protection Strategy
- Law on Biomedically Assisted Insemination
- Law on Labor
- Law on Chambers for Health Workers
- Law on Human Cells and Tissues
- Law on Psychoactive Controlled Substances
- Law on Prevention of Money Laundering and Terrorist Financing
- Law on Foreigners
- Law on Cultural Property
- Criminal Code of the Republic of Serbia
- Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Consolidated text as amended)
- Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and cross-border data flow
- Directive 2002/58/EC of the European Parliament and of the Council dated 12 July 2002, Directive of the European Parliament and Council on the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications)
- Directive 2006/24 / EC of the European Parliament and of the Council dated 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or public communications networks and amending Directive 2002/58 / EC
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)
Records of processing operations and filing systems
Records of processing operations and filing systems * 4: The controller and his representative and the processor *6 and his representative, keep records of processing operations *5 for which he is responsible, and which contain the information about:
- name and contact details of the controller, joint controller, the representative of the controller and the personal data protection officer;
- purpose of processing;
- type of data subjects and type of personal data;
- type of recipients to whom personal data have been or will be disclosed, including recipients in other states or international organizations;
- transfer of personal data to other states or international organizations, including the name of the other state or international organization;
- proof of the performed assessment and application of protection measures if data are transferred to other states or international organizations if such transfer of personal data takes place;
- Notification to the Commissioner of the transfer of data made in accordance with Article 69, paragraph 2 in connection with paragraph 3;
- Notification to the data subject of the transfer of personal data to other states or international organizations and of the legitimate interest of the controller in such transfer;
- the deadline after which certain types of personal data are deleted, if such a deadline has been determined;
- general description of protection measures.
Recording of processing operations: When using a processing/automatic processing system, the following processing operations are recorded in this system: entry, modification, insight, disclosure, including transmission, comparison and deletion. Recording the insight and disclosure of personal data allows determination of the reasons for processing, the date and time of processing and, if possible, the identity of the person who reviewed or disclosed personal data, as well as the identity of the recipient of this data. Recording may be used exclusively for the purpose of assessing the legality of processing, internal supervision, ensuring the integrity and security of data, as well as initiating and conducting criminal proceedings.
The entry of personal data in the records and other activities related to the records is carried out by the authorized person of the personal data controller.
The records of personal data filing systems contain information about: ordinal number; the date of filing system creation; the date of records amendments; type of personal data on which records are kept and name of the filing system; type of processing operation; processing purpose; the legal basis for processing, i.e. creating a filing system; category of data subject; type and degree of personal data confidentiality; the manner of collecting and storing personal data; period of storage and use of personal data; the name, registered office and address of the personal data user; designations for entering or exporting personal data from the Republic of Serbia with the name of the state, i.e. international organization and foreign user; the legal basis and purpose of entering or exporting personal data; data protection measures taken; and note.
Type of personal data and name of filing system. The information about the type of personal data contains a list of all types of personal data contained in the processing records. The name of filing system is determined by the controller by a special decision determining the manner and purpose of personal data processing.
Method of data collection and storage. Through the website, social networks *9, e-mail, Call center, direct mail, personal contact, by filling out medical documentation and records and including but without limitation to other types and forms of personal data sources).
Processing in the field of labor and employment
The provisions of the law governing labor and employment and occupational safety and health are applied to processing in the field of labor and employment, with the application of the provisions of the Personal Data Protection Law. Processing is necessary to fulfill the duties and exercise special rights of the controller or you as data subject in the field of employment rights, execution of employment contracts, planning and organization of work, equality and diversity in the workplace, protection of employer’s or client’s/patient’s property and social security and social protection rights, and the processing of personal data relating to criminal and misdemeanor convictions is done with related protective measures.
Personal data security – Processing security
In accordance with the level of technological achievements, nature, scope, circumstances and purpose of processing, as well as the probability of risk and the level of risk to the rights and freedoms of individuals, the controller and processor implement appropriate technical, organizational and personnel measures to achieve the appropriate level of security relative to the risk concerned. Measures include, in particular:
- encryption of personal data;
- ensuring the re-availability and access to personal data in the event of physical or technical incidents as soon as possible;
- the procedure of regular testing, evaluation and assessment of the effectiveness of technical, organizational and personnel measures of processing security.
In assessing the appropriate level of security, particular account is taken of the risks of processing, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed. The controller and the processor take measures to ensure that any individual authorized to access personal data by the controller or processor processes this data only on the order of the controller or if required by law.
Recipients *7 of personal data are: Public Health Institute, insurance companies, banks.
Personal data users or categories of users: bookkeeping, IT, Management, Technical Service and insurance companies.
Data subject categories: persons applying for a job, all employed persons, persons whose employment has been terminated, patients, patient companions.
Deadline for personal data retention and criteria for determining it
The length of time personal data can be stored is determined by the positive regulations of the Republic of Serbia (listed in more detail in the section: Legitimate interest of the controller) and our autonomous documents. To ensure that personal data are not kept longer than necessary, the controller reviews the legal basis for deleting and/or archiving data and documentation once a year at the beginning of the calendar year. Data on the period of storage and use of personal data contain the date of creation of filing system and the deadlines for retention and use of personal data determined by law or other regulations. If the time of use of personal data is not determined by law or other regulation, the deadline necessary for achieving the processing purpose for which the personal data were collected is entered in the records. The records also contain a mark on the deletion of personal data after the expiration of the data use and retention period.
The right to request access, correction and the right to restrict processing of personal data
You, as the data subject, have the right to have your incorrect personal data corrected without undue delay. Depending on the purpose of the processing, you have the right to supplement your incomplete personal data, which includes giving an additional statement. To exercise these rights, you must contact us with a written request. It is our responsibility to notify all recipients to whom your personal data have been disclosed of any correction or deletion of personal data or restriction of their processing, unless this is impossible or requires excessive time and resources. At your request, we will provide you with information about all possible recipients of your personal data. To exercise these rights, you must contact us with a written request.
The right to have personal data erased
You have the right to request in writing that your personal data be erased by the controller in the following cases:
- if they are no longer necessary to achieve the purpose for which they were collected or otherwise processed;
- revoke the consent on the basis of which the processing was done, but if there is no other legal basis for processing;
- a submitted objection to processing, and there is no other legal basis for processing that overrides your legitimate interest, right or freedom or is related to the submission, realization or defense of any of our legal claims;
- a submitted objection to the processing of personal data processed for the purposes of direct advertising, including profiling, to the extent in which it is related to direct advertising. Upon the objection to the processing for the purposes of direct advertising, your personal data will not be further processed for such purposes;
- if your personal data have been processed unlawfully;
- in order to fulfill the controller’s legal obligations.
Information on the source of personal data, if personal data have not been collected from the data subject
We can also obtain your personal data by collecting data from members of your family and/or extended family who have been or are still users of our services through “Family history (anamnesis familliae, lat.)” by collecting data on diseases in the immediate and extended family, asking questions about inherited diseases (tuberculosis, cancer, diabetes, hypotension, hypertension, heart disease, mental illness, possible suicides in the family, etc.). We keep the data obtained in this way in accordance with the obligation to keep professional secrets prescribed by law.
The right to revoke consent
You can revoke your consent to data processing at any time in writing, provided that the revocation of consent does not affect the admissibility of processing on the basis of consent before revocation: if the processing is based on the processing necessary for the execution of the contract concluded with you as data subject or to take an action, at your request, before the conclusion of the contract or by your “action implied by conduct”; if the processing is necessary to comply with the legal obligations of the controller; if the processing is necessary to protect the vital interests of data subject or another individual; if the processing is necessary for performing activities in the public interest or exercising the legally prescribed powers of the controller;
The intention to further process personal data for purposes other than those for which the data were initially collected
We intend to further process your personal data for the purpose of: direct advertising.
Delivery of a copy of the data being processed
The controller is obliged to submit a copy of the data it processes at your written request. The controller may request reimbursement of the necessary costs to make the additional copies you request. If the request for a copy is submitted electronically, the information shall be provided in the commonly used electronic form, unless you request otherwise.
The right to data portability
You have the right to receive your personal data previously provided/given to the controller in a structured, commonly used and electronically legible form and you have the right to transfer this data to another controller or to have your personal data transferred directly to another controller by the controller to whom data were submitted previously/our institution, if technically feasible. This right of yours cannot be exercised if the processing is necessary for performing tasks of public interest or for the exercise of official powers of the controller.
It is our responsibility to notify all recipients to whom your personal data have been disclosed of any correction or erasure of personal data or restriction thereof, unless this is impossible or requires excessive time and resources. At your request, we will provide you with information about all possible recipients of your personal data. To exercise these rights, you must contact us with a written request.
Presentation or transfer of personal data to other state or international organization
The transfer of personal data to another state, to a part of its territory, or to one or more sectors of certain activities in that state or international organization, may be effected with the approval of the Commissioner or without prior approval if that other state or part of its territory or one or more sectors of certain activities in that state or that international organization are found to have ensured an adequate level of personal data protection. An adequate level of protection is considered to be ensured in states and international organizations that are members of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, i.e. in states, parts of their territories or in one or more sectors of certain activities in those states or international organizations that have been determined by the European Union to provide an adequate level of protection. The Government of the Republic of Serbia may determine that a state, part of its territory, area of activity i.e. legal regulation or international organization does not provide an adequate level of protection, unless it is a member of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing. An appropriate level of protection is also considered to have been provided if an international agreement on the transfer of personal data has been concluded with another state or international organization. The controller shall notify all recipients to whom personal data have been disclosed of any correction or erasure of personal data or restriction to their processing, unless this is impossible or requires excessive time and resources. The controller shall notify you as the data subject, at your request, of all recipients in the event of a transfer, as well as of the manner in which you can become acquainted with these measures.
Transfer or disclosure of personal data based on a decision of an authority of another state
Decisions of a court or administrative body of another state, which require the controller or processor to transfer or disclose personal data, may be recognized or enforced in the Republic of Serbia only if they are based on an international agreement, such as an agreement on international legal assistance concluded between Serbia and that other state. The transfer documentation shall contain information on the date and time of the transfer, data recipient, the reasons for the transfer and the personal data transferred.
Data transfer in specific situations
Your data may be transferred to another state or international organization only in one of the following cases:
- You as the data subject have explicitly agreed to the proposed transfer after being informed about possible risks related to that transfer due to the lack of a decision on the adequate level of protection and appropriate protection measure;
- the transfer is necessary to execute the contract between the data subject and the controller or to apply pre-contractual measures taken at the request of the data subject;
- the transfer is necessary to conclude or execute a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary to exercise an important public interest prescribed by the law of the Republic of Serbia, provided that the transfer of certain types of personal data is not restricted by this law;
- the transfer is necessary to submit, realize or defend a legal claim;
- the transfer is necessary to protect the vital interests of the data subject or another individual, if the data subject is physically or legally unable to give consent;
- certain personal data contained in the public register are transferred, which are available to the public or to any person who can prove having a justified interest, but only to the extent that the legally prescribed conditions for insight in that special case are met.
If the transfer cannot be made in accordance with the above points 1) to 7), personal data may be transferred to another state or international organization only if the following conditions are cumulatively met:
- data transfer is not repeated;
- data of a limited number of individuals are transmitted;
- the transfer is necessary to exercise the legitimate interest of the controller that overrides the interests i.e. rights or freedoms of the data subject;
- the controller has ensured the application of appropriate measures for personal data protection on the basis of a preliminary assessment of all circumstances related to the transfer of these data. The controller shall also provide information about this transfer of data, including information on the legitimate interest of the controller in such transfer.
The transfer documentation shall contain information on the date and time of the transfer, data recipient, the reasons for the transfer and the personal data transferred.
The right to object
If you consider this to be justified in relation to a specific situation in which you find yourself, you have the right to object to the processing of your personal data to the controller at any time. The controller is obliged to stop processing the data of the person who objected, except for legal reasons for processing that override the interests, rights or freedoms of you as data subject or in connection with the submission, exercise or defense of the controller’s legal claim.
The right to object to the processing of data for the purposes of direct advertising
You have the right at any time to object to the processing of your personal data that is processed for the purposes of direct advertising, including profiling, to the extent in which it is related to direct advertising. If you object to the processing for direct advertising purposes, the personal data may not be further processed for such purposes.
The right to object to the processing of data for the purposes of clinical trials, scientific or historical research or for statistical purposes
If personal data are processed for the purposes of clinical trials, scientific or historical research or for statistical purposes, you have the right to object to the processing of your personal data based on your specific situation, unless processing is necessary to perform activities in the public interest. Statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregated data and that this result or data is not used as support for measures or decisions related to a specific individual.
Notifying persons of personal data breaches
If a personal data breach may pose a high risk to your rights and freedoms, the controller is obliged to inform you as data subject about the breach without undue delay so that you can take the necessary precautions. In the notification, the controller shall describe the nature of data breach and give the name and contact details of the personal data protection officer or information about other ways in which data on the breach may be obtained; a description of the possible consequences of the breach; and a description of the measures taken or proposed by the controller in relation to the breach, including measures taken to mitigate the adverse effects; and recommendations so that the individual could mitigate potential adverse effects.
Notifying the Commissioner of personal data breaches
The controller is obliged to inform the Commissioner about personal data breach that may pose a risk to the rights and freedoms of individuals without undue delay, or, if possible, within 72 hours of learning of the breach.
No obligation to notify of personal data breaches
The controller is not obliged to inform you about the violation of personal data if: he has taken appropriate technical, organizational and personnel protection measures in relation to the personal data whose security has been violated, and especially if he has prevented the incomprehensibility of data to all unauthorized persons. to access this data; has subsequently taken measures to ensure that the breach of data on a person at high risk to the rights and freedoms of the data subject can no longer produce consequences for that person; informing the data subject would be a disproportionate waste of time and money. In that case, the controller shall, through public notice or in any other effective way, ensure that the data subject is informed.
Information about handling requests
The controller is obliged, with prior verification of the requestor identity, to provide the data subject with information on the procedure based on the request without delay, and no later than within 30 days from the day of receipt of the request. That period may be extended by another 60 days if necessary, taking into account the complexity and number of requests. The controller is obliged to notify the data subject of the extension of the deadline and the reasons for the extension within 30 days from the day of receipt of the request. If the data subject has submitted the request electronically, the information must be provided electronically if possible, unless that person has requested that the information be provided in another way. If the controller fails to act upon the request of the data subject, he is obliged to notify that person of the reasons for non-action without delay, and no later than within 30 days from the day of receipt of the request, as well as of the right to file a complaint to the Commissioner. The controller shall provide information regarding the exercise of rights free of charge. If the request of the data subject is obviously unfounded or excessive, and especially if the same request is frequently repeated, the controller may charge the necessary administrative costs of providing information, or acting upon the request; or refuses to act upon the request.
The right to file a complaint with the Commissioner
You, as the data subject, have the right to file a complaint to the Commissioner if you consider that the processing of your personal data has been done contrary to the provisions of the positive regulations of the Republic of Serbia. The Commissioner is obliged to notify you of the course of the proceedings, the results of the proceedings, as well as the right to initiate court proceedings. The Commissioner prescribes the complaint form and enables its submission electronically, without excluding other means of communication.
The right to judicial protection
You have the right to judicial protection if you consider that, contrary to the positive regulations of the Republic of Serbia, the controller or processor violated the right prescribed by the positive regulations of the Republic of Serbia by processing your personal data.
Processing of the unique personal identification number of citizens
The provisions of the law governing the unique personal identification number of citizens, as amended, shall apply to the processing of the unique personal identification number of citizens, with the application of the provisions of the Personal Data Protection Law relating to the protection of rights and freedoms of data subjects.
Obligation of a foreign citizen
Restrictions in exercising data subject rights
These rights and obligations may be restricted to the protection of:
- national security;
- public safety;
- prevention, investigation and detection of criminal offenses, prosecution of perpetrators of criminal offenses, or execution of criminal sanctions, including prevention and protection from threats to public security;
- other important general public interests, and especially important state or financial interests of the Republic of Serbia, including monetary policy, budget, tax system, public health and social protection;
- independence of the judiciary and court proceedings;
- prevention, research, detection and prosecution of professional ethics violation;
- data subjects or the rights and freedoms of other persons;
- realization of claims in civil matters.
Jurisdiction in case of dispute and applicable law
In case of a dispute on any issue from the initial contact with our institution and/or the institution’s website and further/later, having in mind the published rules/conditions/prerogative agreement – “Jurisdiction in case of dispute”, the parties to the dispute shall first strive to resolve the dispute amicably, within 90 days from the registration of the dispute in the institution.
In the event that the dispute is not resolved within the specified period, taking into account the “Jurisdiction in case of dispute” (regardless of state, country, province, region, place, etc.) – on any existing and future established range of jurisdiction, conditional clauses and/or due to the use of the Internet/website – place of use and/or place from which our website can be accessed and/or determined by “in rem” logic – place of finding the register, or authorized register Internet domain name), competent court in Belgrade, legal means, standards, procedures and regulations of the Republic of Serbia and adopted rules/autonomous documents of our institution in the Serbian language shall be exclusively and only – actually, locally and personally (general and special personal jurisdiction) responsible for resolving the dispute.
If you have questions regarding data protection, please contact Živka Rangelov, a psychologist at the Special Addictive Disorders Treatment Hospital “DR VOROBJEV” Belgrade, orally or in writing, on phone 011/316-6289 or e-mail firstname.lastname@example.org.
By signing a written statement “Consent to the processing of personal data” or by clicking/ticking the box “I accept” you make a clear affirmative action by which you express voluntary, concrete, informed and unambiguous consent as a data subject to the processing of your personal data, which can be used as your written statement or electronic statement or oral statement, or action implied by conduct.
Dr. Aleksey Elistratov, Director
* 1 “personal data” means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
* 2 “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
* 3 “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
* 4 “joint controllers” where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall determine their respective responsibilities for compliance with the legal obligations, in particular regarding the exercising of the rights of the data subject and their respective duties to provide the information to data subject. Responsibility is governed by an agreement of the joint operators, unless this responsibility is prescribed by the law applicable to the controllers. The agreement must designate a contact person for the data subject and regulate the relationship of each of the joint controllers with the data subject. The essence of the arrangement shall be made available to the data subject. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.
* 5 “filing system” shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis
* 6 “processing of personal data” shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
* 7 “processor” is a natural or legal person, ie a government body that processes personal data on behalf of the controller;
* 8 “recipient” shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not, unless it is a public authority that in accordance with the law receives personal data within the investigation of a particular case and processes this data in accordance with the personal data protection rules relating to the purpose of processing;
- Location data can refer to the latitude, longitude or altitude of the terminal equipment, the direction of travel of the user, the level of accuracy of location information, the identification of the network cell in which the terminal equipment is located at a certain point in time and the time the location information was recorded.
- A communication may include any name, numerical, or address information provided by the sender of a communication or the user of a communication connection. Traffic data may include any translation of this information by the network, through which the communication is transferred for the purpose of transmission. Traffic data may, inter alia, consist of data relating to the routing, duration, time or scope of a communication, the protocol used, the location of the sender’s or receiver’s terminal equipment, the network from which the communication originates or at which it ends, the beginning, end, or duration of a connection. They can also consist of a format in which the network transmits communication.
- Cases when an individual subscriber or user receiving information can be identified, for example in video-on-demand services, the information transmitted is included in the meaning of a communication.
- Consent may be given by any appropriate method that allows a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting a website.
- Application of certain requirements relating to presentation and restriction of calling and identifying a connected line and the automatic forwarding of calls to subscriber lines connected to analog switchboards
- Service providers offering publicly available electronic communications services over the Internet should inform users and subscribers of measures they can take to protect the security of their communications, for example by using specific types of software or encryption technologies. The request to inform the subscriber about special security risks does not release a service provider from the obligation to take, at its own expense, appropriate and immediate measures to repair any new, unforeseen security risks and to restore the normal level of service security.
- Measures should be taken to prevent unauthorized access to communications, to protect the confidentiality of communications, including the content and any data relating to such communications, through public communications networks and publicly available electronic communications services.
- Prohibition of storage of communications and related traffic data by persons outside the user or without their consent, is not intended to prohibit any automatic, indirect and short-term storage of this information, insofar as it occurs for the sole purpose of transmission in the electronic communications network and provided that such information is not stored for any period longer than is necessary for transmission and traffic management purposes and that confidentiality remains guaranteed during the storage period.
- Confidentiality of communications should also be ensured during legal business practices. Where necessary and legally permitted, communications may be recorded for the purpose of providing evidence of a business transaction/communication. The parties to the communications should be informed before making a record, its purpose and the duration of its storage. The recorded communication should be deleted as soon as possible and in any case no later than the end of the period during which the transaction/communication can be legally challenged.
- Terminal equipment of users of electronic communications networks and any information stored on such equipment is part of the private sphere of users, which requires protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. The so-called spyware, web-bugs, hidden identifiers and other similar devices can enter the user’s terminal without their knowledge to gain access to information, store hidden information, or monitor the activities of users and may seriously compromise the privacy of those users. The use of such devices should only be permitted for lawful purposes, but the users concerned should be aware of this.
- However, such inventions, e.g. the so-called ‘cookies’, can be a legitimate and useful tool in, for example, analyzing the effectiveness of website design and advertising and in verifying the identity of users engaged in online transactions. Where such inventions, e.g. ‘cookies’, are intended for a legitimate purpose, such as facilitating the provision of information society services, their use should be allowed provided that users are provided with clear and precise information on the purpose of ‘cookies’ or similar inventions, so as to ensure that users are aware of the information placed on the terminal equipment they use. Users should be able to refuse to store ‘cookies’ or a similar invention on their terminal equipment. This is particularly important where users other than the original user have access to terminal equipment and thus any data containing privacy-sensitive information stored on such equipment. The information and the right to refuse may be offered once, for the use of different devices to be installed on the user terminal equipment during the same connection and also including any further use of those devices that may be performed during subsequent connections. Methods for providing information that offer the right to refuse or require consent should be made as user-friendly as possible. Access to the specific content of a website may still be made conditioned by a well-informed acceptance of a cookie or similar invention, if used for a legitimate purpose.
- Data relating to subscribers are processed within electronic communications networks for the purpose of establishing connections and for the transmission of information containing information on the private life of natural persons concerning the right to respect their correspondence, or concerning the legitimate interests of legal persons. Such data may only be stored to the extent necessary to provide the service for billing purposes and for interconnection payments and for a limited time. Any further processing of such data the provider of publicly available electronic communications services may wish to perform, for the marketing of electronic communications services or for the provision of value-added services, may be permitted only if the subscriber has agreed, based on accurate and complete information provided by the provider of publicly available electronic communications services, on the types of intended further processing, and the subscriber’s right not to give or withhold his/her consent to such processing. Traffic data used for marketing communications services, or for the provision of value-added services, should also be deleted or made anonymous after the service has been provided. Service providers should always keep subscribers informed of the types of data they process and the purpose and duration thereof.
- The exact moment of completion of the transmission of a communication, after which the traffic data should be deleted, except for billing purposes, may depend on the type of electronic communications service provided. For example, for a voice telephony call, the transmission will be completed as soon as any of the users disconnects. For e-mail, the transmission is completed as soon as the recipient receives the message, typically from the server of his/her service provider.
- The obligation to delete traffic data or to make such data anonymous when they are no longer needed for the purpose of transmitting a communication is not in conflict with procedures on the Internet such as caching (storing in main memory) in the IP address domain name system or caching IP address to connect physical addresses, or use of log-in information to control rights to access networks or services.
- The service provider may process traffic data relating to subscribers and users where necessary in individual cases, to detect technical malfunction or transmission errors. Traffic data for billing purposes may also be processed by the provider, in order to a fraud consisting of unpaid use of electronic communications services was discovered and stopped.
- Where a provider of an electronic communications service or a value-added service subcontracts the processing of personal data necessary to provide those services to another entity, such subcontracting and subsequent data processing should be in full compliance with the requirements regarding controller and personal data processing device. Where the provision of a value-added service requires that traffic or location data be transmitted from an electronic communications service provider to a value-added service provider, the subscribers or users data subjects should also be fully informed of this transmission, before giving their consent for data processing.
- The introduction of itemized bills has improved the ability for subscribers to verify the accuracy of fees charged by the service provider, but at the same time, this may jeopardize the privacy of users of electronic communications services.
- It is necessary, as far as call line identification is concerned, to protect the calling party’s right to retain the calling line identification presentation and the called party’s right to reject calls from unidentified lines. There is an explanation for overriding elimination of a calling line identification presentation in specific cases. Certain subscribers, especially helplines and similar organizations, are interested in guaranteeing the anonymity of callers. It is necessary, as far as the identification of the connected line is concerned, to protect the right and legitimate interest of the called party to keep the identification of the line to which the calling party is actually connected, especially in the case of forwarded calls. Providers of publicly available electronic communications services should inform their subscribers of the existence of the call and the connected line identification in the network and of all services offered on the basis of the call and the connected line identification as well as available privacy options. This will allow subscribers to make informed choices about the privacy benefits they may want to use.
- In digital mobile networks, location data that provide the geographical location of mobile user terminal equipment is processed to enable the transmission of communications. However, in addition, digital mobile networks may have the capacity to process local data that is more accurate than necessary for transmission communication and used to provide value-added services, such as services that provide individualized traffic information and guidance to drivers. The processing of such data for value-added services should only be possible where subscribers have given their consent. Even in cases where subscribers have given their consent, they should have simple means of temporarily refusing location data processing free of charge.
- States may restrict the rights of users and subscribers to privacy, in relation to calling line identification, where necessary to monitor harassing calls and in relation to call line identification and location data where necessary to enable emergency services to perform their tasks as efficiently as possible. To this end, states may adopt specific provisions, entitle electronic communications service providers to provide access to calling line identification and location data without the prior consent of the user or subscriber concerned.
- Subscribers should be provided with measures to protect against inconveniences that may be caused by the automatic forwarding of calls by others. Moreover, in such cases, it must be possible for subscribers to stop calls forwarding to their terminals, by simply requesting from a provider of publicly available electronic communications services.
- Protection measures should be provided for subscribers against intrusion into their privacy through unsolicited communications, for the purposes of direct marketing, in particular through automated telephone calls, faxes and e-mails, including SMS messages. These forms of commercial communications that are not solicited may on the one hand be relatively simple and cheap to send, and on the other hand may impose some burden and/or cost on the recipient. Moreover, in some cases their scope can also cause difficulties in electronic communications networks and terminal equipment. For such forms of unsolicited communication for direct marketing, it is justified to require the express consent of recipients before such communications are sent to them.
* 10 List of domains:
“Identifier in electronic communication” including, but without limitation to, other forms of identification of persons based on their devices, applications, tools and protocols, such as Internet protocol addresses, cookie identifiers, or other identifiers such as radio frequency identifications, biometric data obtained from “Smart Cameras”, etc.
* 11 Data on the purpose of processing contain a description of the purpose for which personal data are collected in a particular filing system, indicating whether the purpose of processing is determined by law or determined by the controller with the consent of the data subject or other authorized person.
* 12 Decision on appointing a person for record keeping, data entry and data handling
* 13 Statement of the person from whom the data entered in the health documentation are taken
“Jurisdiction in case of dispute”