Privacy Statement and Data Security
CROMEDIC AMBULANCE, a healthcare institution from Zagreb, Sisačka cesta IV odvojak 14a, OIB: 53306211023, and CROMEDIC ASSISTANCE d.o.o. from Zagreb, Sisačka cesta IV odvojak 14A, OIB: 95919289371, jointly process your personal data and protect all information provided by users when using the website www.cromedic.com and our other services, especially regarding the processing of personal data in the provision of our services.
Personal data is any information relating to an identified or identifiable natural person. Specifically, personal data includes all data that identifies the user (e.g., name, email address, residential address, etc.).
Processing of personal data includes any action or set of actions performed on personal data, whether by automated means or not, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and the execution of logical, mathematical and other operations with such data.
Collection and Purpose of Personal Data
We collect your personal data, among other cases, in the following situations:
- If you directly contact us through the website cromedic.com to request information or a quote for our services via our contact form.
- If our partners provide us with your data in an authorized manner.
- If you apply for job vacancies through the website.
If you are under 16 years of age, please do not provide us with any data without parental or guardian consent.
We use your personal data solely to respond to your inquiries, provide our services, and comply with our legal obligations, e.g., when responding to your inquiry, scheduling healthcare services and/or appointments, providing healthcare services, issuing invoices, and potentially processing requests for copies of medical documentation or complaints related to the provision of healthcare services.
Depending on the service requested, we may ask for the following types of data: personal data (e.g., name, surname, date of birth, gender, OIB, residential address, etc.), contact data (mobile or phone number, email address), and health-related data (e.g., health status data, diagnosis, treatment, etc.) necessary to provide appropriate, quality healthcare services.
Use of Your Data
The use of personal data in accordance with data protection regulations must be justified by one of the legal bases, which we define here as grounds for using personal data collected via the website.
Legal bases for data processing include, among others, legitimate interests, contractual obligation, legal basis, and consent. We use processing based on legitimate interest for promoting and providing information about our services, to maintain the highest service standards from our offer. The fundamental rights and freedoms of existing and potential users are balanced against our interest in processing data for these purposes.
Personal data may be transferred to third parties provided there is a legal basis for the transfer, such as service fulfillment or transportation, to healthcare institutions with which we have a contractual relationship, whose services are integral to our healthcare services (e.g., laboratory tests), or those providing essential services to us (e.g., entities maintaining our IT system), to third parties to whom we are obliged to provide certain data under applicable regulations (e.g., Ministry of Health, state administration bodies in accordance with special regulations, Croatian Medical Chamber, or judicial authorities).
Consent for direct marketing, which we might request from you for its use, can be withdrawn at any time. We comply with the laws of the Republic of Croatia, as well as supranational regulations, and are obligated to adhere to them, including providing your data to law enforcement bodies, regulatory and judicial authorities, and third-party litigants in proceedings or investigations anywhere in the world where required. Where permitted, we will directly notify you of such a request or inform you before responding, unless this could impact crime prevention or detection.
Providing personal data to comply with mandatory requirements for your data is a legal obligation dependent on the specific request.
Security Measures
We employ various security measures, including encryption and authentication, to protect and maintain the security, integrity, and availability of your data.
These measures include:
- Strict limitation of personal access to your data based on the principle of “need to know.”
- Secure transfer of collected data.
- Setting up firewalls on IT systems to prohibit unauthorized access.
- Continuous monitoring of access to IT systems to detect and prevent misuse of personal data.
All your data is stored on our secure servers and the secure servers of our partners, accessed and used in accordance with our security policies and standards. The privacy protection of your data is ongoing, and we take all necessary measures to protect it. Personal data is processed securely, including protection against unauthorized or unlawful processing, and against loss.
By registering or filling out any contact form on the website www.cromedic.com, we will request your consent to process your personal data provided in the contact form for specific purpose(s). The purposes specified in contact forms require separate consent for each.
We commit to preserving the privacy of your personal data and handling it in accordance with the General Data Protection Regulation (EU) 679/2016, the Law on the Implementation of the General Data Protection Regulation (NN 42/2018), other applicable laws, and the relevant laws that form the basis for providing healthcare services (e.g., Medical Act, Data and Information in Healthcare Act, Healthcare Act, Patient Rights Protection Act, etc.). User and visitor data collected on the website must not be unlawfully used or made available to third parties, except when a special law allows it, if it is our legal obligation, or if it is necessary to fulfill contractual obligations.
We undertake not to misuse personal data from contact forms or collected through cookies without your permission or to transfer them to third parties, except as expressly provided by law or when necessary for the performance of obligations. Personal data includes all data that identifies the User (e.g., name and surname, email address, residential address, etc.), used to respond to User inquiries, statistical purposes, and possibly sending special offers and newsletters, based on separately obtained consent.
All user data is strictly stored and only accessible to employees who require such data to perform their duties. All employees and business partners are responsible for respecting privacy principles. We commit to protecting your personal data by collecting only essential data necessary to fulfill the purpose of the given consent, legitimate interest, contractual, or legal basis. Data automatically recorded by accessing the website (IP address, domain name, browser type, number of visits, time spent on pages, etc.) will be used solely for evaluating website visits, improving its content and functionality, and for statistical purposes, without individual identification of website visitors or creating individual profiles based on collected information.
We inform data subjects about the use of collected data and use it for marketing campaigns exclusively with separately obtained consent.
Under current national and supranational legislation, to protect the confidentiality of personal data, we specifically undertake to handle your data in accordance with the law and good faith, collect data only for precisely defined and lawful purposes, not transmit data to any third party without your prior consent, not transfer personal data to countries outside the EU unless that country provides an adequate level of data protection; ensure adequate, secure storage of personal data, ensuring that it does not exceed the purpose for which data was collected and processed; ensure the accuracy of personal data; ensure processing of personal data only for the time and purpose necessary; take all necessary and appropriate technical and organizational measures to prevent destruction, damage, or loss of personal data of the User.
Your Rights Are as Follows:
- Right of Access to Data – You have the right to request information about whether we process your personal data, and what data we process, and to request access (inspection) to the personal data that we process. If a large amount of data is involved, we may ask you to specify more precisely which data sets you want delivered.
- Right to Rectification – If you notice that we are processing incorrect or incomplete information about you or if you wish to amend it, you have the right to request correction or completion of incomplete personal data. To ensure that we always process only accurate personal data, please promptly inform us of any changes.
- Right to Erasure (Right to be Forgotten) – The deletion of personal data may be requested, for example, if you have withdrawn your consent for the processing of certain data, if your data are processed unlawfully, or if they are no longer necessary for the purposes for which they were collected or otherwise processed. However, please consider that we may not be able to delete data if they are necessary to fulfill legal obligations, contractual obligations, or other legal grounds under the General Data Protection Regulation. In all cases where possible, we will permanently delete all your data from our systems and retain only general statistical data that cannot be linked to your identity.
- Right to Restriction of Processing – You have the right to obtain restriction of processing of your data, which can be requested, for example, if you have objected to the processing of data, if you doubt the accuracy of personal data being processed, or the legality of their processing, but do not want them deleted, or if they are still needed for the establishment, exercise, or defense of legal claims.
- Right to Data Portability – If the processing is based on your consent or is carried out to fulfill a contract concluded with you, and is performed by automated means, you have the right to receive the personal data that you provided to us. Upon request, we will transfer your data directly to another data controller, if technically feasible.
- Right to Object – At any time, based on your specific situation, you have the right to object to the processing of personal data concerning you, which will restrict their processing. Also, we will delete and stop processing the mentioned data unless we demonstrate compelling legitimate grounds for their processing. Moreover, at any time, you have the right to object to the processing of your data for direct marketing purposes. After filing an objection, your data will cease to be processed for that purpose.
- Right to Withdraw Consent – If the processing of your personal data is based on your consent, you have the right to withdraw it at any time without any negative consequences.
If you no longer wish for us to process your data in any way, or request deletion, correction, or transfer of your data, please inform us via email to the Data Protection Officer at gdpr@cromedic.com. The Officer may contact you to verify the authenticity of the request.
At any time, you can request from us:
- Access to the Privacy Policy;
- Confirmation of whether data concerning you are being processed and the possibility of reviewing personal data contained in the personal data storage system;
- Transmission of your data contained in the data storage system;
- Provision of a list of third parties to whom personal data have been transferred, when and on what basis, and for what purpose;
- Information on the sources on which the records containing personal data in the data storage system are based and the processing methods;
- Information on the purpose of processing and the types of personal data being processed, as well as any necessary explanations in that regard;
- Explanation of the technical or logical-technical procedures for decision-making if automated decision-making is performed on individual personal data.
The retention period for data submitted through contact forms is 5 (five) years, or until a deletion request is received from the individual to whom the personal data relate, after which personal data are deleted, while other data collected through cookies are stored in accordance with the Cookie Policy, as stated for each separate purpose. We retain personal data beyond the specified period only if required by applicable laws in the Republic of Croatia or supranational legislation. We specifically note that patient data must be kept for 10 years after completion of treatment by legal obligation.
We keep data for statistical purposes indefinitely. Personal data that are no longer needed are either irreversibly anonymized or securely destroyed.
If you have objections to the processing of your data, you may lodge a complaint with the competent state body, namely the Croatian Personal Data Protection Agency, Zagreb, Selska cesta 136, in accordance with the General Data Protection Regulation and the Croatian Data Protection Act.