Personal data protection policy

The National Institute of Public Health (hereinafter: NIJZ) is aware of the responsibility of handling personal data, therefore all personal data is processed, used, managed, maintained, stored and controlled lawfully, carefully, securely and transparently and in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), the Personal Data Protection Act (ZVOP-2), the Healthcare Databases Act (Official Gazette of the Republic of Slovenia, No. 65/00, 47/18, 31/18, as amended; hereinafter referred to as the ZZPPZ) and other relevant legislation that gives NIJZ the legal basis for processing personal data.

The purpose of the personal data protection policy is to inform individuals, employees and other persons (hereinafter: “data subjects”) who cooperate with NIJZ of the purposes, legal basis, security measures and rights of data subjects regarding the processing of personal data carried out by NIJZ.

DEFINITIONS

“CONTROLLER” means a natural or legal person, public authority or other entity which, alone or jointly with others, determines the purposes and means of processing, or a person designated by law who also determines the purposes and means of processing.

“PROCESSOR” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“DATA SUBJECT” means any identified or identifiable natural person whose personal data are processed by the controller responsible for the processing.

“PERSONAL DATA” means: any information relating to an identified or identifiable natural person (hereinafter referred to as: data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“CONSENT/AGREEMENT” means any freely given, specific, informed and unambiguous declaration of the data subject’s intent by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to him or her.

“SPECIAL CATEGORIES OF PERSONAL DATA” means data revealing racial, national or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or data concerning a natural person’s sex life, biometric data and genetic data, and data relating to the entry in or deletion from the criminal or misdemeanour records.

“PROCESSING” means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as well as the application of logical, mathematical or other operations on such data.

“PERSONAL DATA BREACH” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

“FILING SYSTEM” means any structured set of personal data accessible in accordance with specific criteria, which may be centralised, decentralised or dispersed on a functional or geographical basis;

“RECIPIENT” means a natural or legal person or another body in the public or private sector to which the personal data are given or disclosed, whether a third party or not. Public authorities which receive personal data in the framework of a particular inquiry in accordance with Union Member State law shall not be considered as recipients; the processing of such data by such public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

“THIRD PARTY” means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who are authorised to process personal data under the direct authority of the controller or the processor.

PURPOSE OF DATA PROCESSING

The National Institute of Public Health collects and processes personal data for the purposes of performing legally defined tasks in the field of public health:

• studying the health and health status of the population,
• monitoring and evaluating healthcare and studying accessibility from the perspective of meeting the needs of the population and preparing expert bases for planning healthcare capacities,
• managing and administering databases in the field of health and healthcare in accordance with special regulations,
• planning, coordinating the development and monitoring the operation of information systems that support the collection and exchange of health data and public health indicators,
• providing statistical and other publicly available data in the field of healthcare for reuse in accordance with regulations,
• monitoring and studying factors that affect health and preparing proposals for measures for early detection and mitigation of their impact,
• producing comprehensive health risk assessments,
• monitoring infectious diseases, including healthcare-associated infections, and early detection and response to events that pose a threat to public health,
• planning programs, including the vaccination program and protection with medicines, and measures to control infectious and other diseases associated with specific exposures in the natural environment,
• planning, monitoring, evaluation and implementation of health promotion and disease prevention programs,
• planning, monitoring, evaluation, management and implementation of preventive and screening programs in health care,
• providing expert support to the ministry and the inspectorate responsible for health,
• expert support in environmental health impact assessment procedures in accordance with special regulations,
• preparing expert bases for the formulation of public policies and programs in the field of public health and health care,
• participating in the preparation of expert bases for the introduction of new work methods in health care and the assessment of health technologies,
• cooperating with the National Laboratory of Health, Environment and Food and other scientific research institutions in the field of public health,
• participating in working bodies of official institutions at the national, European Union and international levels,
• informing the professional and general public about the state of affairs, research and findings in the field of public health,
• informing and raising awareness of the general public to raise health literacy,
• pedagogical, scientific research and educational work in the field of public health, in accordance with special regulations.

LEGAL BASIS FOR DATA PROCESSING

** Fulfilment of legal obligations – (Article 6(1)(c) GDPR), when the collection and processing of data is necessary for compliance with a legal obligation

The National Institute of Public Health performs tasks that are based on the laws of the Republic of Slovenia, therefore, in accordance with the legal bases, it collects and processes the personal data of data subjects that are necessary to fulfil legal obligations. The basic law that determines the basis for the processing of personal data is the Healthcare Databases Act (Official Gazette of the Republic of Slovenia, No. 65 / 00, 47/18, 31/18, as amended; hereinafter referred to as the ZZPPZ). Among other laws that are the basis for the processing of personal data, we highlight the Health Services Act (ZZDej), the Patients’ Rights Act (ZPacP), the Medical Practitioners Act (ZZdrS), the Infectious Diseases Act (ZNB). This includes keeping registers, filing systems, reporting on diseases, statistical data.

** Performance of a task in the public interest or in the exercise of official authority (Article 6(1)(e) GDPR)

The NIJZ processes personal data of data subjects for the performance of public health tasks, the basic assumption of which is the public interest.

** Processing based on the data subject’s consent (Article 6(1)(a) and Article 9(2)(a) GDPR)

Processing is lawful if the data subject gives clear, explicit and informed consent for a specific purpose.

The NIJZ may, based on the prior consent (agreement) of data subjects, collect and process personal data, namely:

• for specific purposes of informing and communicating about events organized by the NIJZ;
• to enter a message (opinion or question) via the contact form https://www.nijz.si/ – to be able to receive a response from NIJZ, a data subject must provide their name and surname and email address;
• collecting data for research that is not part of the tasks specified by law;
• in surveys and questionnaires where participation is not mandatory and data is collected that is not provided for by law
• in the publication of special stories, photos, videos and other content that refers to the data subject and the data subject voluntarily consents to publication;
• for the implementation of and entering into contracts and
• other purposes.

** Processing is necessary to protect the vital interests of the data subject

The NIJZ may process the personal data of a data subject if this is necessary to protect their vital interests only in exceptional cases (e.g. during direct medical treatment, when it would be necessary to take action in the interest of the data subject’s health and life, without their consent and if no other legal basis is available).

Special categories of personal data (e.g. health data) may be processed on the basis of Article 9(2) of the GDPR, in particular under the following points:

• (h) for healthcare and public health purposes – for monitoring, disease prevention, ensuring the quality and safety of healthcare.
• for public interest in the field of public health – including protection against cross-border threats to health, e.g. epidemics, pandemics.

The legal basis for individual personal data filing systems is stated in the record of processing activities, which can be viewed here.

PROCESSING OF PERSONAL DATA FOR SCIENTIFIC AND RESEARCH PURPOSES

NIJZ also processes personal data for the needs of scientific and research projects, in accordance with:

• Article 6(1)(e) of the GDPR: processing is necessary for the performance of tasks carried out in the public interest, including research activities.
• Article 9(2)(j) of the GDPR: the processing of special categories of data is permitted when necessary for scientific research, subject to appropriate safeguards (e.g. pseudonymisation, anonymisation) and specific laws (e.g. ZZPPZ) that determine databases, access and conditions for research use.

The NIJZ ensures that appropriate technical and organisational measures are taken for research purposes to protect the rights of data subjects, such as:

• minimising data,
• anonymisation or pseudonymisation,
• restriction of access to data to authorised researchers,
• compliance with the principles of data minimisation and proportionality.

RIGHTS OF THE DATA SUBJECT WITH REGARD TO DATA PROCESSING

Data subjects have the following rights in accordance with the General Data Protection Regulation:

1. Right of access: the data subject has the right to obtain confirmation as to whether or not personal data concerning them are being processed and, if so, access to these data and information about the processing.
2. Right to rectification: the data subject has the right to request rectification or completion of incomplete or inaccurate data. In this case, if NIJZ is not the original source of data (e.g. data from health institutions), the correction can only be made by the healthcare provider who entered the data.
3. Right to restriction of processing: the data subject may request restriction of processing of personal data in certain circumstances, if the data is disputed or the processing is unlawful.
4. Right to object: when processing is based on a legal basis of public interest, the data subject has the right to object to such processing for reasons related to their particular situation. In the event that the NIJZ does not demonstrate compelling legitimate grounds for further processing which override the interests of the data subject, the processing must cease.
5. Right to erasure (“right to be forgotten”): the data subject has the right to request the erasure of their data in certain cases:

• if the data are not necessary for the purpose for which they were collected,
• if the data subject withdraws consent and there is no other legal ground for the processing,
• if the data subject objects to the processing based on public interest and there are no compelling legitimate grounds for further processing which override the interests of the data subject,
• if the processing was unlawful (e.g. provisions of the data retention legislation that expire);

The right to erasure does not apply when processing is necessary:

• For compliance with a legal obligation,
• For the performance of a task carried out in the public interest or in the exercise of official authority
• For public health (e.g. monitoring of infectious diseases),
• For scientific or statistical research, if erasure would seriously impair the objectives of the research,

1. Right to data portability: the data subject has the right to receive personal data provided by the NIJZ in a structured, commonly used and machine-readable format and to transmit them to another controller, only in certain cases, namely when the processing is based on consent or a contract (e.g. data provided for research purposes).
2. Withdrawal of consent: when data processing is based on consent, the data subject may withdraw this consent at any time. When the NIJZ receives notification from the data subject about the withdrawal of consent to the processing of their personal data, it immediately stops processing the data for the purposes originally given, unless there is another legal basis for the processing that does not allow deletion at the request of the data subject.
3. Right to file a complaint with the Information Commissioner of the Republic of Slovenia: the data subject has the right to file a complaint with the supervisory authority (Information Commissioner) if they believe that the processing of their personal data violates data protection regulations. Link to: Report security violations to Information Commissioner.

Procedure for exercising rights

If a data subject wishes to exercise any of the above rights, they must submit a request by completing the form below and sending it by e-mail to vop@nijz.si or by regular mail to the NIJZ.

The NIJZ will respond to a request relating to the rights of a data subject without undue delay and in any case within one month of receiving the request. In the event that this deadline is extended (by a maximum of two additional months), taking into account the complexity and number of requests, the data subject will be informed thereof.

Access to the data subject’s personal data and the rights exercised is free of charge for the data subject, however the NIJZ may charge a reasonable fee if the request of the data subject is manifestly unfounded or excessive, particularly if it is repeated. In such cases, the NIJZ may also reject the request.

In the event of exercising rights, the NIJZ may request an additional identification document from the data subject (identity card, passport, driver’s license or other public document) from which it will be clear that the data subject is actually the person exercising any of the above-mentioned rights. In the event that the applicant is an authorized representative submitting a request on behalf of another person, in addition to their own identification document, they must also submit an identification document and authorization of the person for whom the individual request is being submitted. After reviewing the document or identifying the person, the NIJZ shall immediately physically destroy the identification documents.

• “Request for information about personal data”,
• “Request for completion, correction, deletion and restriction of processing of personal data”

TRANSMITTING PERSONAL DATA

NIJZ may forward personal data to:

• other public authorities (e.g.: Ministry of Health, Health Insurance Institute of Slovenia, Inspectorate, etc.) on the basis of the law,
• contractual processors (infrastructure maintainers, information system maintainers, e-mail service providers and software providers) who process them on the basis of contracts,
• research institutions for scientific and research purposes, taking into account protective measures.

STORAGE AND DELETION OF PERSONAL DATA

NIJZ will store the personal data of a data subject only for as long as it is necessary to achieve the purpose for which the personal data were collected and processed.

If NIJZ processes data on the basis of the law, it will store them for the period prescribed by the law.

Personal data processed by the NIJZ on the basis of a contractual relationship with a data subject shall be stored for the period necessary for the performance of the contract and for 5 years after its termination, except in cases where a dispute arises between the individual and the NIJZ in relation to the contract. In such a case, the data shall be stored for 5 years after the finality of a court decision, arbitration or court settlement, or if there was no court dispute, for 5 years from the date of a peaceful resolution of the dispute.

Personal data processed by the NIJZ on the basis of the data subject’s personal consent shall be stored by the NIJZ until the consent is revoked or until the deadline specified in the consent. After receipt of the revocation, the data shall be deleted no later than within 15 days. The NIJZ may also delete this data before revocation, when the purpose of processing personal data has been achieved or if provided by the law.

After the retention period, the controller shall effectively and permanently delete or anonymize the personal data so that it can no longer be associated with a specific individual.

VIDEO SURVEILLANCE

The areas of NIJZ are subject to video surveillance. Video surveillance monitors entry and exit to and from the NIJZ premises and protects individuals (employees, contract workers, visitors and individuals in the parking lot) and the property of the NIJZ (based on point e) of the first paragraph of Article 6 of the General Data Protection Regulation in conjunction with Articles 76 and 77 of the ZVOP-2). Video surveillance cameras are installed at external locations, where they primarily record entrances to the NIJZ premises and the parking lot.

A notice on the implementation of video surveillance is placed before entering the video surveillance area. This enables individuals to become familiar with the implementation of video surveillance and to refuse entry to the controlled area. All employees are informed about the implementation of video surveillance and the contents of the notice on the implementation of video surveillance. For more information on the implementation of video surveillance, please visit the link below.

Notice to individuals pursuant to Article 13 of the General Data Protection Regulation (GDPR) regarding the processing of personal data – Implementation of video surveillance

Information ai sensi dell’articolo 13 del Regolamento generale sulla protezione dei dati (GDPR) riguardante il trattamento dei dati personali – Attuazione della video sorveglianza

ANNOUNCEMENT OF CHANGES

NIJZ reserves the right to change and supplement the personal data protection policy. Any change to the personal data protection policy will be published on the NIJZ website: https://nijz.si/. By using the website, the data subject confirms that they accept and agree with the entire content of this personal data protection policy.

The personal data protection policy was adopted by Assoc. Prof. Dr. Branko Gabrovec, June 2025