Privacy Policy


In accordance with Regulation (EU) 2016/679 of the European Parliament and the European Council of April 27, 2016 on the protection of individuals regarding processing of their personal data, which has been in full force and effect from May 25, 2018 in the Republic of Croatia and all member states of the European Union, as well as the Law on the Implementation of the General Data Protection Act (Official Gazette 42/18, hereinafter: the Law), in accordance with the legal framework for the protection of personal data in the Republic of Croatia and the European Union, as well as with the best European practice, St. Catherine Specialty Hospital, with headquarters in Zagreb, Kneza Branimira 71E, OIB: 41170172944, hereinafter referred to as the Processing Manager, has issued a Policy on the Protection of Personal Data of the services' users. The Personal Data Protection Policy is a unilaterally binding legal act based on the fundamental principles in the processing of personal data, which regulates which service users' data is collected, how such data is processed and for what purposes it is used. The Personal Data Protection Policy also informs service users of their rights regarding the collection and further processing of personal data, all for the purpose of protecting their privacy in the broader sense.

The Personal Data Protection Policy is based on the following principles of personal data processing: the principle of legality, transparency and best practice, the principle of limited processing and reduction of the data volume, the principle of accuracy and completeness of personal data, the principle of limited storage, the principle of integrity and confidentiality of data, the principle of trust and fair processing, the principle of opportunity (processing purposes), the principle of processing in unnamed (anonymised) form.

All services provided by the Processing Manager apply the Personal Data Protection Policy. The aim of the Policy is to familiarize users of services, in a clear and transparent manner, with the processing of their personal data and their rights. First of all, service users can at any time contact the Processing Manager with a request for modification or update of their data, as well as to request an explanation of the purposes for which they want or do not want their data to be processed.

The Personal Data Protection Policy applies to all services offered by the Processing Manager, whereby the goal of the Policy is to inform service users in a clear and transparent manner about the procedures for processing their personal data and their rights. First of all, service users can contact the Processing Manager at any time with a request for modification or supplementation and/or updating the data relating to them, as well as with a request for a statement on the purposes for which they want or do not want their data to be processed.


The services provided by the Processing Manager require the collection of personal data of service users, whereby basic data is collected in the following ways:

1.) Directly by the users of the service, in such a way that the service users themselves provide St. Catherine Specialty Hospital as the Processing Manager with their signed consent, which is defined in a certain scope of data essential to providing health services. For the purpose of providing healthcare services, the user of the service is obliged to submit the following data to the Processing Manager, which is necessary for performing a certain healthcare service within the registered activities:

a) name and surname;

b) address;

c) personal identification number (OIB) or identification number of the insured person (MBO);

d) date of birth;

e) gender;

f) telephone or mobile phone number;

g) e-mail address;

h) medical data;

i) bank account or credit card number for the purpose of regulating the payment obligations;

2.) Personal data related to their health: hospital chart, identification number of the insured person, insurance information (insurance category, HZZO regional office, country of insurance, supplementary insurance card number, EU health insurance card number, if applicable), current health status and treatment information, diagnosis (referral / final), and necessary parameters needed for performing particular health care services (height, weight, allergies, blood type, RH factor, etc.), physicians' data (referred specialist's code / referred health care institution code / code of the doctor who treated the patient), medical documentation, work-related injuries code (if applicable);

3.) From other sources, i.e. from our collaborative institutions

Patients’ personal data - insured persons of the HZZO using health care based on a referral (based on the Acts of the HZZO, regulations controlled by CEZIH and the mandatory legal relationship on the implementation of health care with HZZO) are being forwarded, depending on the functionality, through CEZIH (medical records on the performed health service) and certain personal information for the purpose of accounting to the HZZO;

Personal data of service users (medical documentation) – For the persons insured by voluntary health insurance companies and based on their signed consents, medical documentation could be passed on to insurance companies where they are insured for the purpose of performing contractual relations and issuing calculations for the performed health care services to the insurers;

Personal data could be forwarded to the cooperative health care institutions contracted by the Processing Manager for the purpose of performing a certain part of the service (e.g. certain laboratory tests, PHD analyses, etc.) so that the required health care service could be fully performed. The same cooperative institutions are also subjected to and obliged to keep personal data in accordance with the Personal Data Protection Regulation (GDPR);

Based on the current Article 23 of the Medical Practice Act, we are obliged to submit your personal data contained in the medical documentation to the Ministry of Health, State Administration Bodies in accordance with special regulations, to the Croatian Chamber of Physicians or the Judicial Authorities upon request.

4.) Automatically by visiting our online (World Wide Web) pages and social media networks, where you can find data associated with network identifiers (Internet Protocol addresses and cookies identifiers, such as Google Analytics for tracking user and/or customer interactions).

Cookies allow St. Catherine Specialty Hospital to collect statistical data on the behavior of users on their website (e.g. on which parts of the Internet site the users are spending the longest or the shortest amount of time), which Internet browser (e.g. Internet Explorer, Opera, Safari, Google Chrome, Firefox) they use and so on.

Cookies are a small cluster of data sent from the server of the company's website to a user's computer, and they serve as an anonymous identifier. Cookies are also used for easier navigation through the Internet pages (e.g. you do not have to re-enter your registration data each time). Cookies are not used to access user data or to track user activity after leaving the company's website. St. Catherine Specialty Hospital reserves the right to use cookies on its website, but each user can prohibit the option of receiving cookies by editing/changing settings on their Internet browser.

The subject network identifiers may leave traces which, combined with other identifiers and information provided by Internet service providers, may be used to identify the user of the service. Also, for the stated purpose, we collect and process the following data:

a) IP address data;

b) information on the use of particular applications;

c) User habits data – collected data is used for profiling users and/or customers.

The Processing Manager takes care of collecting only the necessary scope of personal data that is required to achieve the legally established purpose for which the data is processed. Our IT systems are protected by technical and organizational measures against unauthorized access, modification or dissemination of your personal data, as well as against its loss or deletion.


The Processing Manager collects personal data solely for the purpose of meeting the requirements for performing a particular health care service. We use your personal data only for clearly identified, legitimate and expected purposes, and the data would not be passed or used for any unidentified or unexpected purposes. We do not collect the data that do not serve to perform the requested service. Such data is collected by the Processing Manager based on the Consent provided by the user of the service for one or more specific purposes, as well as in one of the following cases.

1.) For the purpose of providing health care services

We process personal data for the purpose of providing health care services in accordance with the current Health Care Act, as well as for collecting claims for the provided services.

Personal data is processed according to your inquiries, requests for copies of medical documentation (Article 23 of the Act on the Protection of the Patient Rights), complaints regarding the quality, content and type of health care service provided, requests in accordance with applicable regulations (directives related to the respondents' rights according to EU Regulation 2016/679 of the European Parliament and European Council - General Data Protection Regulation, etc.)

2.) Fulfillment of legal obligations

Personal data related to health may be processed for the purpose of public interest (e.g. the number of certain types of diseases) for statistical needs in accordance with applicable legal regulations (e.g. in accordance with the Annual Plan of Statistical Activities of the Republic of Croatia) or in accordance with the contractual conditions of the service provider. In this case, your data is processed in an aggregated and anonymized form and cannot be linked to a particular physical person.

3.) Direct advertising (marketing)

Contact information of services' users can be used for sending promotional offers regarding the services of St. Catherine Specialty Hospital if the user of the service has given the consent for such processing or if there is a legitimate interest of the Processing Manager for performing such action. The Processing Manager may also use contact information of services' users whose personal data it already owns, based on the legitimate interest in sending promotional offers regarding all information and services that St. Catherine is providing, by using all available advertising channels, unless the user of the service objects to such processing.

4.) Internal purposes

The Processing Manager uses certain data of services' users exclusively for the purposes of its own records, in order to protect the legitimate interests of the services' users and/or those of St. Catherine Specialty Hospital. For example, the aforementioned includes the use of personal data for purpose of creating offers that meet the needs and desires of services' users, market research and market analysis.

5.) Data on potential services' users

The Processing Manager is also authorized to collect information on potential users of its services. These data include basic information (name and surname, e-mail address), as well as the interests of potential services' users who contact the Processing Manager to be informed and/or offered a specific health care service. The legal basis for collecting data in the described case is the consent of the service user.


Depending on the purpose and the legal basis on which the personal data of the services' users are collected, the Processing Manager is in certain cases obliged to keep personal data for a certain period of time prescribed by the relevant regulations for each specific purpose. We are obliged to keep personal data contained in the medical documentation for 10 years after the treatment is completed in accordance with Art. 23 of the Medical Practice Act, i.e. after the expiration of all statutory obligations to store personal data, with the exception of personal data which we are required to keep permanently under the Law. The data will not be deleted if the procedure of enforced collection of unpaid claims has been initiated and/or a court order is issued or other required procedure connected to the provided health care service, up until the final completion of the procedure in accordance with the applicable regulations. Upon expiry of the statutory deadline that obliges the Processing Manager to keep certain personal data, or when the purpose of the processing ceases, the data is then deleted.


• The right of access to personal data

St. Catherine Specialty Hospital as the Processing Manager is, according to the written request (consent) of the service users, which can also be submitted in a form of an e-mail, obliged to provide access to their personal data which are being processed, to inform them about the purpose of processing their personal data, about the type of personal data that is processed, about the recipients or categories of recipients to whom personal data have been disclosed or will be disclosed to them, about the anticipated processing time frame or about the criteria used to determine that period.

• The right to rectification of incorrect data

St. Catherine Specialty Hospital as a Processing Manager will enable the correction of incorrect personal data in each specific case when it is determined that collected personal data of the service user is incorrect or when the data of the service user has been changed.

• The right to erasure of personal data

St. Catherine Specialty Hospital will delete the personal data of service users in the following cases:

a) when the personal data of the service user are no longer necessary for the purpose of processing, i.e. when the purpose of processing ceases;

b) when the service user withdraws the consent which is the legal basis for the data processing, and there is no other legal basis for data processing;

c) when the service user lodges a complaint to data processing (see more information under the heading 'The right to lodge a complaint');

d) when personal data are processed unlawfully;

e) when the personal data must be deleted in order to fulfill legal obligations in accordance with the laws of the European Union or the Republic of Croatia to which the Processing Manager is subject.

• The right to restrict processing of personal data

St. Catherine Specialty Hospital will restrict processing of personal data in cases where the services' user disputes the accuracy of the data, when the processing is illegal and the service user opposes the deletion of the data and instead asks for a restriction on their usage, when the Processing Manager no longer needs personal data for processing purposes but the service user requires the data for the fulfillment of legal requirements, as well as in the case when the service user lodges a complaint to the processing of personal data based on the legitimate interest of St. Catherine Specialty Hospital.

• The right to lodge a complaint

The service user has the right to lodge a complaint to the processing of the personal data relating to him if the related data are processed for the purposes of the legitimate interests of the Processing Manager. In that case, St. Catherine Specialty Hospital as the Processing Manager will cease processing personal data, unless it proves that there are convincing legitimate reasons for processing personal data in relation to the rights of the users and/or customers, i.e. in the case where the data processing serves to establish, realize or defend legal claims.

If the personal data of the service user are processed for direct marketing purposes, the user has the right to lodge a complaint to the processing of the data used for direct marketing purposes at any time.


Personal data of the services' users are processed by the Processing Manager in the Republic of Croatia.


Personal data of service users are forwarded by the Processing Manager to third parties (the competent authorities included) only in the following cases:

1.) to fulfill the legal obligations of the Processing Manager;

2.) when such processing is necessary to protect the key interests of service users.


The active role of the services' users in the protection of personal data is reflected in giving consent as a voluntary, specifically informed and unambiguous expression of the wishes of the respondent who, by statement or by a clear affirmative action, gives consent to the processing of personal data. Consent management implies the possibility for the service user to actively and unambiguously authorize the Processing Manager to collect and process certain personal data for one or more purposes (respondent's consent), i.e. to withdraw the previously given consent for the collection and processing of personal data for one or more purposes.


In case of any questions about the protection of personal data by the Processing Manager, services' users can contact the Personal Data Protection Officer via the e-mail address specified in this Personal Data Protection Policy or by writing to the following address:

Personal Data Processing Manager:

St. Catherine Specialty Hospital

Ulica Kneza Branimira 71E, Zagreb


We will process your inquiries and requests without unnecessary delay and in accordance with statutory obligations. Then we will inform you about the measures we have taken.


The Processing Manager reserves the right to modify and supplement this Policy at any time, without giving any special notice to interested parties.

Last update: 27.02.2024.
