Privacy Policy
European Union (EU) Privacy Notice (Effective 2018)
INTRODUCTION
Last update: [December 10, 2021]
This Privacy Notice may be updated at any time. Each Privacy Notice mentions the date of its last update.
DATA CONTROLLER INFORMATION
[This notice describes how UPMC Cancer Center Zabok d.o.o. with registered seat in Zagreb, Ulica grada Vukovara 269F, Croatia, e-mail: info@upmc.hr (hereinafter: “UPMC” or “controller” or “we”), an affiliated company of UPMC IRELAND LIMITED, collects and processes your Personal Data, including sensitive health data.]
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This EU Privacy Notice applies to Personal Data collected by UPMC from individuals who are in the European Union (EU) at the time the Personal Data is provided.
UPMC understands that your Personal Data, particularly health and employment information, is sensitive and confidential. UPMC makes every reasonable effort to protect your Personal Data.
UPMC will not collect Personal Data from you if the collection of such Personal Data is in violation of your fundamental rights as an individual and/or minor.
UPMC may create or maintain records containing Personal Data in conjunction with its patient care and employment-related activities at UPMC’s EU-based operations. UPMC may also receive and/or manage Personal Data for organizations within EU member countries that UPMC does business with. UPMC may transfer your Personal Data to the United States for processing. With respect to the handling and protection of your Personal Data, UPMC adheres to the EU General Data Protection Regulation 2016/679 (GDPR). All UPMC operations that have access to Personal Data from an EU member country shall follow this EU Privacy Notice and other Privacy rules required under US law (as applicable), or EU individual provider - based data protection agreements.
UPMC is comprised of a network of hospitals, doctors, rehabilitation services, skilled nursing services, home health services, pharmacy services, laboratory services and other health care related services. Our workforce includes our staff, physicians, students, residents, trainees, volunteers, and others providing services within or for these facilities, who may or may not be directly employed by UPMC.
UPMC may process your Personal Data for the business, treatment, payment, or health care operations purposes that this EU Privacy Notice describes. UPMC takes reasonable security measures to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. These measures include, but are not limited to, password protection for online information systems and restricted access to your Personal Data.
UPMC shall not use your Personal Data in a way that is incompatible with the purposes for which it has been collected unless authorized by you. UPMC will also take reasonable steps to ensure that Personal Data collected is relevant for its intended use, and is accurate, complete and current.
FOR OUR PATIENTS
UPMC may create and maintain records with Personal Data about your care. We may process your Personal Data for purposes such as:
| Purpose | Lawful basis for processing |
|---|---|
| | It is necessary for the performance of our contract with you, or to take steps for entering into our contract with you (Art.6.1.b). It is necessary for the provision of healthcare or treatment pursuant to a contract with a health professional (Art 9.2.h). It is necessary to protect your vital interests (Art. 6.2.d). |
| | It is necessary to ensure a high standard of quality and safety of healthcare in accordance with legislation (Art 6.1.c). |
| | In our legitimate interests to conduct our business in a responsible and prudent manner (Art 6.1.f). In our legitimate interests of improving the quality and safety of our healthcare services (Art 6.1.f). |
With respect to sensitive Personal Data (for example, political or religious beliefs, union membership, health matters etc.), UPMC will not share such information except as otherwise described in this Privacy Notice unless specifically authorized by you. UPMC may disclose sensitive Personal Data if required to comply with the legal process.
In the course of your treatment or utilizing any of the healthcare services of UPMC, your Personal Data (relating to you, your next of kin or legal representative for emergency contact) may be processed by the health and administrative staff of UPMC.
In addition, Data Processors and third parties who provide services to UPMC (such as, professionals, consultants, external laboratories, insurers, etc.), may also access your data. Such processing of Personal Data may include its collection, recording, retrieval, use, retention, and disposal/destruction.
Personal Data may include (but is not limited to):
- Name
- Birthdate
- Address (Phone, email, Contact information)
- Nationality
- Sex
- Medical information (i.e., Diagnosis, Medication, Medical history)
- Health insurance and payment details
- Religious affiliation (where relevant)
Also, any other information which is relevant for the purpose of your diagnoses, treatment, and/or availing of healthcare services in a UPMC facility.
Most of the personal data we process is obtained directly from you when you visit our hospitals and clinics, from our website or when you fill out the contact us section of our website. We may receive information from your family, next of kin, friends and carers.
Your electronic Personal/Sensitive data will be stored and processed securely on IT systems owned and managed by UPMC within our premises or in secure cloud-hosted data centres within the EU. If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (providing you with healthcare services), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our Employees). We will tell you when we ask for information which is a statutory or contractual requirement or needed to comply with our legal obligations.
As Data Controller, UPMC may use third-party data processors to assist in processing the data. They are subject to the same professional codes of conduct, national laws, and EU data protection legislation as well as binding contracts.
UPMC will keep your data for as long as necessary for the purposes for which it was collected as described above or as prescribed by the applicable legal, regulatory and medical records law obligation. The criteria we use to determine data retention periods for personal data include the following:
- Retention in case of queries; we will retain it for a reasonable period after the relationship between us has ceased;
- Retention in case of claims; we will retain it for the period in which it may be enforced (this means we will retain it for 10 years in some instances); and
- Retention in accordance with legal and regulatory requirement under medical records laws; we will consider whether we need to retain it after the period described above because of a legal or regulatory requirement.
FOR OUR WORKFORCE
UPMC creates and maintains records with Personal Data about your employment or staff-related services. UPMC may collect, process, and store your Personal Data, and/or transfer this Personal Data to the U.S. for purposes such as:
| Purpose | Lawful basis for processing |
|---|---|
| | It is necessary for the performance of our contract with you, or to comply with legal obligations (Art 6.1.b & Art 6.1.c). |
| | It is necessary (i) for the performance of our contract with you (Art 6.1.b) or (ii) for us to comply with a legal obligation (Art 6.1.b) or (iii) to protect the vital interests of you or other individuals (Art 6.1.d). |
| | It is necessary to achieve our legitimate interests (Art 6.1.f) of |
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our Employees). We will tell you when we ask for information which is a statutory or contractual requirement or needed to comply with our legal obligations.
All Personal Data received and stored by UPMC will be maintained for no less than the minimum number of years as required by applicable laws.
SHARING OF PERSONAL DATA
UPMC may share your data where necessary with the following:
- Your family, next of kin and your appointed representatives;
- Medical professionals who are involved with your treatment e.g. consultants, anaesthetists, your family doctor, healthcare specialists whose opinion may aid us in effective medical diagnosis, and healthcare providers e.g. laboratory services;
- Statutory bodies;
- Auditors;
- Legal advisors.
DATA PROCESSORS
UPMC may transfer Personal Data to a third party acting as its agent/Data Processor (e.g., health care operations, medical consultants, tax advisors and preparers, accountants, auditors, lawyers, financial services and benefit administrators) without the necessity to provide additional notice to you, as long as UPMC has entered into an appropriate agreement under which such third party is obligated to adhere to requirements at least as restrictive as those set forth in this EU Privacy Notice. Personal Data that is transferred shall comply with the EU GDPR and any other applicable EU individual provider-based data protection agreements.
YOUR RIGHTS AS A DATA SUBJECT
Upon request, UPMC will provide you with reasonable access to Personal Data that it holds about you and will take reasonable steps to permit you to correct or amend any Personal Data which is inaccurate or incomplete. If you want access to your Personal Data, you should provide a written request to the Data Controller and/or Data Protection Officer of the facility where you provided your Personal Data. Please see Medical Healthcare Records section of the website for specific information related to your medical record. In addition to the right to access your Personal Data, you also have the following rights:
- Right to Access
- Right to Rectification
- Right to Erasure
- Right to Restriction of Processing
- Right to Portability
- Right to Object
- Right not to be subject to a decision based solely on automated processing
You have the right to withdraw your consent for the processing of your personal data at any time. To withdraw consent, you may use the withdrawal mechanisms provided within our platform or services, or you can contact our designated Data Protection Officer for assistance with the withdrawal process.
Furthermore, you have the right to object, at any time and on grounds relating to your specific circumstances, to the processing of personal data concerning you. UPMC shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
Questions or concerns regarding the use or disclosure of Personal Data should be directed to the Data Controller and/or Data Protection Officer of the facility where you provided your Personal Data.
DATA PROTECTION OFFICER CONTACT INFORMATION
Should you need to contact the Data Protection Officer for any of our locations, please email dpo@upmc.hr.
The postal address for Croatia is as follows:
UPMC Cancer Center Zabok d.o.o.
Ulica grada Vukovara 269F
HR-10 000 Zagreb
DISPUTE RESOLUTION PROCESS
If you have a question regarding UPMC’s use of your Personal Data, you may contact UPMC or the Country’s Data Privacy Supervisory Authority. UPMC will investigate and try to resolve your issue. If it cannot be resolved, UPMC will participate in dispute resolution process established by the EU Data Protection Authorities.
The Supervisory Authority in Croatia is the Croatian Personal Data Protection Agency (Agencija za zaštitu osobnih podataka). You can contact the Office of the Data Protection Commissioner at:
Telephone: +385 (0)1 4609-000
E-mail: szop@azop.hr
Postal Address: Agencija za zaštitu osobnih podataka, Selska cesta 136, HR – 10 000 Zagreb
For further information please visit the Croatian Personal Data Protection Agency’s website https://azop.hr/.