Personal Data Protection Policy
Data protection
At the National Institute of Public Health (hereinafter referred to as the NIJZ), we are aware of our responsibility to handle personal data, and we process, use, manage, maintain, store and control all personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR) and the Personal Data Protection Act (ZVOP-2), as well as other relevant legislation that provides the NIJZ with a legal basis for processing personal data.
The purpose of the Personal Data Protection Policy is to inform individuals how and which personal data the NIJZ, as the controller, processes based on the legal grounds described below.
The NIJZ undertakes to process the personal data collected in accordance with the Personal Data Protection Policy and not to disclose such data to third parties, except in cases where it has a legal or other appropriate legal basis for such disclosure.
NATIONAL INSTITUTE OF PUBLIC HEALTH
Trubarjeva cesta 2, 1000 LJUBLJANA
Telephone number: +386 1 2441 400
Website: www.nijz.si
E-mail: info@nijz.si
Data Protection Officer
For any further clarifications regarding the protection of personal data, please contact the Data Protection Officer at the following email address: vop@nijz.si.
»CONTROLLER« means the natural or legal person, public authority, or other body which, alone or jointly with others, determines the purposes and means of the processing, or the person designated by law who also determines the purposes and means of the processing.
»PROCESSOR« means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
»INDIVIDUAL« (the data subject) means any identified or identifiable natural person whose personal data are processed by the controller responsible for the processing.
»PERSONAL DATA« means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
»SPECIAL TYPE OF PERSONAL DATA« means data concerning racial, national or ethnic origin, political, religious or philosophical beliefs, trade union membership, health, sex life, biometric and genetic characteristics, and data concerning entry in or removal from a criminal or offence record.
»PROCESSING« means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction as well as the application of logical, mathematical and other operations to this data.
»PERSONAL DATA BREACH« means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
»COLLECTION« means any structured set of personal data that is accessible according to specific criteria, which may be centralised, decentralised or dispersed on a functional or geographical basis.
»PERSONAL DATA USER« means a natural or legal person or other person in the public or private sector to whom personal data are held or disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
»THIRD PARTY« means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
The NIJZ carries out tasks that are based on the laws of the Republic of Slovenia, and therefore, in accordance with the legal basis, collects and processes personal data of individuals that are necessary for the fulfilment of legal obligations. The fundamental law that determines the basis for processing personal data is the Healthcare Databases Act (ZZPPZ, Official Gazette of the Republic of Slovenia, No. 65/00, 47/18, 31/18, 152/2020-ZZUOOP). Other laws that are the basis for the processing of personal data include the Health Services Act, Patients’ Rights Act, Medical Services Act and other legislation.
In exceptional cases, the NIJZ also processes personal data of individuals based on public interest.
Where a specific contract is concluded with the NIJZ, this constitutes the legal basis for the processing of personal data. The NIJZ processes personal data for the conclusion and the implementation of the contract. If the individual does not provide personal data, the NIJZ cannot conclude the contract, nor can it provide the service in accordance with the contract, as it does not have the necessary data for the implementation.
Exceptionally, the NIJZ collects and processes personal data based on prior consent of data subjects as follows:
Collections created on this basis must be separate from collections created in the exercise of legal functions or public sector competences.
The legal basis for each personal data collection is set out in the record of processing activities, which can be viewed at the following link.
In accordance with the General Data Protection Regulation, the data subject has the following data protection rights, which are described below:
Withdrawal of consent: the data subject has the right to withdraw the consent or the assent given to the collection, processing and transfer of personal data for a specific purpose in writing at any time. Upon receipt of a notification from the data subject withdrawing consent to the processing of their personal data, we will immediately stop processing the data for the purposes for which it was originally provided, unless there is already another legal basis for the processing, which does not allow for erasure at the request of the data subject.
The data subject shall be informed that any of the aforementioned requests relating to the exercise of the rights concerning personal data may be made in writing, i.e. based on the following forms:
The data subject is aware that the NIJZ may request additional data from him/her for the purposes of reliable identification in the event of exercising rights in relation to personal data, and may refuse to carry out the procedure for exercising the rights only if it proves that the data subject cannot be reliably identified.
Access to your personal data and the exercise of your rights are free of charge. However, we may charge a reasonable fee if the data subject’s request is manifestly unfounded or excessive, in particular if it is repetitive. In such a case, we may also refuse the request.
The NIJZ must respond to a request from a data subject exercising rights in relation to personal data without undue delay and, as a general rule, no later than one month after receipt of the request.
The data subject has the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia (Informacijskem pooblaščencu RS) if they consider that the processing of their personal data infringes the provisions on the protection of personal data, in writing using the following form.
The NIJZ will keep the data subject’s personal data only for as long as is necessary to fulfil the purpose for which the personal data were collected and processed. If the NIJZ processes data based on a law, it will keep the data for the period prescribed by the law.
Personal data processed by the NIJZ based on a contractual relationship with a data subject shall be kept by the NIJZ for the period necessary for the performance of the contract and for a period of 5 years after its termination, except in cases where there is a dispute between the data subject and the NIJZ in connection with the contract. In such a case, the data shall be retained for 5 years after the final judgment, arbitration or court settlement, or, if there has been no court settlement, for 5 years from the date of amicable settlement of the dispute.
Personal data processed by the NIJZ on the basis of the data subject’s personal consent will be retained by the NIJZ until the consent is withdrawn or until the data are erased. Upon receipt of a revocation or a request for erasure, the data shall be erased within 15 days at the latest. The NIJZ may also erase the data prior to revocation where the purpose of the processing of personal data has been achieved or where required by law.
Exceptionally, the NIJZ may refuse a request for erasure on the grounds set out in the General Data Protection Regulation, such as: the exercise of the right to freedom of expression and information, the fulfilment of a legal obligation to process, grounds of public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
After the storage period has expired, the controller shall erase or anonymise the personal data in an effective and permanent manner so that they can no longer be associated with a specific individual.
The NIJZ reserves the right to amend and supplement the Personal Data Protection Policy. The NIJZ will publish any changes to the personal data protection policy on its website.
The Personal Data Protection Policy was adopted by Milan Krek, MD, Specialist, in January 2021.