Personal Data Protection Policy


Pursuant to Regulation (EU) 2016/679 of the European Parliament and the European Council from April 27, 2016 on the protection of individuals regarding processing of their personal data, which comes into full force and effect from May 25, 2018 in the Republic of Croatia and all the the European Union member states, as well as the Law on the Implementation of the General Data Protection Act (Official Gazette 42/18, hereinafter: the Law), in accordance with the legal framework for the protection of personal data in the Republic of Croatia and the European Union and according to the highest level of European practice, St. Catherine Specialty Hospital, located in Zagreb, Kneza Branimira 71E OIB: 41170172944, hereinafter referred to as the Processing Manager, has issued a Policy on the Protection of Personal Data of the users of their services. The Personal Data Protection Policy is a unilaterally binding legal act based on the basic principles of processing personal data, which regulates which service user's data is collected, how that information is processed and for which purposes. The Personal Data Protection Policy also introduces service users to their rights regarding collecting and processing personal data, for the purpose of protecting their privacy in the broader sense.

The Personal Data Protection Policy is based on the following principles of personal data processing: the principle of legality, transparency and highest level of practice, the principle of limited processing and the reduction of the data volume, the principle of accuracy and completeness of personal data, the principle of limited storage, the principle of integrity and confidentiality of data, the principle of trust and fair treatment, the principle of opportunity (processing purposes), the principle of processing in unnamed (anonymised) form.

All services provided by the Processing Manager apply the Personal Data Protection Policy. The aim of the Policy is to familiarize users of services, in a clear and transparent manner, with the processing of their personal data and their rights. First of all, service users can at any time contact the Processing Manager with a request for modification or update of their data, as well as to request for an explanation of the purposes for which they want or do not want their data to be processed.


The services provided by the Processing Manager require collecting service user’s personal data, and the basic data is collected in following ways:

1.) Directly from the users of the service in such way that the service users themselves provide St. Catherine Specialty Hospital as the Processing Manager with their signed request (consent), which is defined in a certain range of data essential to providing health services. For the purpose of providing health care services, the user is required to provide the Processing Manager with the following information which is necessary for performing certain health services within the registered activities:
a) name and surname;
b) address;
c) national registration identity card (NRIC) or passport number
d) date of birth;
e) gender;
f) telephone or mobile phone number;
g) e-mail;
h) bank account or credit card number for the purpose of regulating payment obligations;

2) Personal information related to their health: hospital chart, insurance card number, insurance data (insurance category, HZZO regional office, country of insurance, supplementary insurance card number, EU health insurance card number, if applicable), current health and treatment information, diagnosis (referred / final) and required parameters needed for performing particular health care services (height, weight, allergies, blood type, RH factor, etc.), physicians data (referred specialist's code / referred health care institution code / code of the doctor who was treating the patient), medical documentation, code for work injuries (if applicable);

3) From other sources or from our collaborative institutions.
Patients’ personal information - HZZO insured persons using healthcare based on referrals (based on the HZZO Act, regulations controlled by CEZIH and the lawfully binding health care relationship with HZZO) are transmitted, depending on their functionality, through CEZIH ( medical records on the performed health services) and individual personal information HZZO statements;
Personal Information of service users (medical documentation) – For the persons insured by health insurance companies and based on their signed requests, medical documentation could be passed on to insurance companies where they are insured for the purpose of performing contractual relations and issuing calculations for the performed health care services to the insurers;
Personal data could be forwarded to the cooperative health care facilities contracted by the Processing Manager for the purpose of performing a certain part of the service (eg, certain lab tests, PHD analyses, etc.) so that the required health care service could be fully completed. The same cooperative institutions are also subjected to and obliged to keep personal data in accordance with the Personal Data Protection Regulation (GDPR);
Your personal data contained in the medical documentation, on the basis of the current Article 23 of the Medical Practice Act, shall be submitted to the Ministry of Health, state administration bodies in accordance with special regulations, to the Croatian Chamber of Physicians or the judiciary upon request.

4.) By automatically visiting our online (World Wide Web) and social media websites, where you can find data associated with network identifiers (Internet Protocol addresses and cookie identifiers, such as Google Analytics for tracking user and / or customer interactions). Cookies allow St. Catharine Specialty Hospital to collect statistical information on the behavior of users on their website (eg on which parts of the Internet sites users are spending the longest or the shortest amount of time), which Internet browser do they use (eg Internet Explorer, Opera , Safari, Google Chrome, Firefox) and so on.

Cookies are a small cluster of data sent from the company's social network server to a user's computer, and it functions as an anonymous identifier. Cookies are also used to make it easier to navigate through the web pages (eg you do not have to re-enter your registration data each time). Cookies are not used to access user data or to track user activity after leaving the company's website.

St. Catherine Specialty Hospital reserves the right to use cookies on its website, but every user can block the option of receiving cookies by editing / changing settings on their Internet browser.

Network access identifiers may leave traces that, combined with other identifiers and information provided by Internet service providers, can serve to identify the user of the service. Also, for this purpose we collect and process the following data: 
a) IP address;
b) information on the use of particular applications;
c) User habits data – collected data is being used for profiling users and/or customers.

The Processing Manager takes care of collecting only the necessary scope of personal data needed to achieve the legally established purpose for which data is processed. Our IT systems are protected against unauthorized access, modification or dissemination of your personal data, as well as loss or deletion of them by technical and organizational measures.


The Processing Manager collects your personal data solely for the purpose of meeting the requirements for performing a particular health service. We use your personal data only for clearly identified, legitimate and expected purposes, and the date would not be forwarded or used for any unidentified or unexpected purposes. We do not collect the data that does not serve the requested service. This data is collected by the Processing Manager on the basis of the Request (Consent) provided by the Customer Service for one or more specific purposes, as well as in one of the following cases.

1.) For the purpose of providing health care services
We process personal data for the purpose of providing health care services in accordance with the applicable Health Care Act, as well as for collecting claims for the provided services. Personal data is processed according to your inquiries, requests for medical copies (Article 23 of the Act on the Protection of the Rights of the Patient), complaints concerning the quality, content and type of health care provided, in accordance with applicable regulations (rights related to the provisions of the respondents according to EU Regulation 2016/679 of the European Parliament and Council - General Data Protection Act, etc.)

2.) Performing legal obligations
Personal health data may be processed for the purpose of public interest (eg in number of certain types of illness) for statistical purposes in accordance with applicable legal regulations (eg in accordance with the Annual Plan of Statistical Activities of the Republic of Croatia) or in accordance with the contractual terms of the contracted authorites. In this case, your data is processed in an aggregated and anonymous form and can not be linked to a particular physical person.

3.) Direct advertising (marketing)
Contact information of service users can be used for sending promotional service offers by St. Catherine Specialty Hospital if the user of the service had given the consent for such processing or if there is a legitimate interest of the Processing Manager for performing such action. The Processing Manager may use contact information of service users whose personal information he/she already has, on the legitimate interest of sending promotional offers on all St. Catherine’s information and services provided by using all available advertising channels unless the user of the service objects to such processing.

4.) Internal purposes
The Processing Manager uses certain customer service data exclusively for the purposes of his / her own records, in order to protect the legitimate interests of the service users and / or those of St. Catherine Specialty Hospital. This includes, for example, the use of personal data to create offers that meet the needs and desires of service users, or are used for research and market analysis.

5.) Potential customer information
The Processing Manager is also authorized to collect information about potential users of its services. These data include basic information (first and last name, e-mail address), as well as the interests of potential service users who had contacted the Processing Manager with the wish to be informed and / or offered certain health care services. The legal basis for collecting data in the described case is the user's consent.


Depending on the purpose and the legal basis on which the personal data of the service users are collected, the Processing Manager is in certain cases obliged to safekeep personal data for a certain period of time according to relevant regulations prescribed for each purpose.

Personal data contained in the medical documentation must be kept 10 years after the treatment is completed in accordance with Art. 23. of The Medical Practice Act, or after the expiration date of all statutory obligations to storing personal data, except for the data we are required to keep permanently on the basis of the Act. The data will not be deleted if the procedure of enforced collection of unpaid claims is initiated and / or a court order is issued or other required procedure connected to the provided health care service up until the final completion of the procedure in accordance with the applicable regulations. By passing of the statutory deadline that commits the Process Manager to process personal data or by terminating the purpose of the process, the data is then deleted.


• The right to access personal information
St. Catherine Specialty Hospital as the Processing Manager is, according to the written request (consent) of the service users, which may be submitted in a form of an electronic mail, obliged to provide access to their personal data which is being processed, to inform them about the purpose of processing their personal data, the type of personal data processed, of the recipients or categories of recipients to which the personal data have been disclosed to or will be disclosed to, of the anticipated processing time frame or the criteria used to determine that period.

• The right to correct inaccurate data
St. Catherine Specialty Hospital as a Processing Manager will allow correction of incorrect personal data in every specific case when it is determined that service user’s personal information collected is incorrect or that the service user's data has changed.

• The right to delete personal data
St. Catherine Specialty Hospital will delete personal data of service users in the following cases:
(a) when the personal data of the service users are no longer necessary for the purpose of processing or if the termination of processing occurs;
b) when the user of the service withdraws the consent which is a legal basis for the processing of data, and there is no other legal basis for data processing;
c) when the user of the service complains about the processing of his/her data (more information under ‘The right to invoke complaints’ heading)
d) when personal data is processed unlawfully;
e) when the personal data is required to be deleted as legal obligations have been fullfilled in accordance with the laws of the European Union or the Republic of Croatia to which the Processing Managar has been binded to.

• The right to limit the processing of personal data
St. Catherine Specialty Hospital will restrict processing of personal data in cases where the service user disputes the accuracy of the data, when the processing is illegal and the service user is opposing to the deletion of the data and instead asks for a restriction on their usage when the Processing Manager no longer needs their personal data for processing purposes but the service user requires the data to be used in a legal case, as well as when the service user complains about the processing of personal data based on the legitimate interest of St. Catherine Specialty Hospital.

• The right to invoke complaints
The service users have the right to file a complaint on the processing of their personal data if the related data are processed for the legitimate interests of the Processing Manager. In that case, St. Catherine Specialty Hospital will, as the Processing Manager, cease processing personal data unless he or she demonstrates that there are convincing legitimate reasons for processing personal data related to the users’ and / or customers’ rights, or when data processing serves to establish, enforce or defend legal requirements.
If the personal data of the service user is used for direct marketing purposes, the user has the right at any time to file a complaint if his/her personal data processing is used for direct marketing purposes.


Service users’ personal data are processed by the Processing Manager in the Republic of Croatia.


The Processing Manager forwards service users’ personal data to the third parties (the competent authorities included) only in the following cases:
1.) for fullfilling the Processing Manager’s legal obligations;
2.) when such processing is necessary to protect service users’ key interests.


The active role of the service user in the protection of personal data is reflected in giving consent as a voluntary, specifically informed and unambiguous expression of the wishes of the respondents who, by declaration or by a clear acknowledgment of action, give consent for the processing of personal data. Managing these consents means that service users’ by their active and unambiguous action give consent to the Processing Manager to collect and process certain personal data for one or more purposes (respondent’s consent), or to withdraw the previously given consent for the purpose of collecting and processing personal data for one or more purposes.


If service users will have any questions or need further information regarding processing of personal data by the Processing Manager, they may contact the Personal Data Protection Officer by sending an e-mail to an e-mail address specified in this Personal Data Protection Policy or by writing to the following address:

Personal Data Processing Manager:
St. Catherine Specialty Hospital 
Kneza Branimira 71E, Zagreb

We will process your inquiries and requests without unnecessary delay and in compliance with statutory obligations and we will inform you of the measures we have taken.


The Processing Manager reserves the right to modify this Policy at any time, without giving any special notice to interested parties.

Last update: 01.03.2022.

Eu Logo
Hamag-Bicro Logo
europski strukturni i investicijski fondovi
Privacy policy | Cookie Declaration | Sitemap