Medis Intago, d.o.o., with its affiliates, undertakes to use the collected personal data provided by you in accordance with this Policy, to not sell, lend or otherwise transfer your personal data to third parties, except in the cases defined in this Policy.
2. Data controller
The controller of your personal data is Medis Intago, d.o.o., Brnčičeva ulica 3, 1231 Ljubljana - Črnuče, gdpr(at)medis-health.com, 00386 1 589 69 00 (hereinafter referred to as the “employer”, “we” or “us”).
Your privacy is extremely important to us, which is why we have appointed a data protection officer whom you can contact should you have any questions regarding the processing of your personal data. The company serving as data protection officer is JK Group d.o.o., Stegne 27, SI-1000 Ljubljana. Matija Jamnik is the responsible person.
To contact the data protection officer, write an email to gdpr(at)medis-health.com or call the telephone number (003861) 589 69 00.
You can address any questions about the processing of your personal data or the exercise of your rights related to the processing of personal data to any of the contacts listed in this chapter (both the contacts of the employer and the contacts of our data protection officer). We will answer any questions or requests free of charge.
All the issues and materials that will be addressed by the data protection officer shall be subject to strict confidentiality.
This Privacy Statement applies to:
3. The purpose of data processing
All personal data you provide to us will be treated confidentially and will be used only for the purposes for which they were provided. If there is a need for further processing of your data for any other purpose, we will contact you in advance and ask for your consent.
The purposes for which we may use your personal data are as follows:
a) The purposes of the processing related to the employees:
The purposes pertaining to the employment contract and / or employees also apply mutatis mutandis to all who perform work as high school or university students.
b) The purposes of the processing related to the candidates:
The retention of potential candidates’ data is possible only with a prior consent of the potential candidate. Such retention shall last one year from the receipt of the personal data of each individual. After this time period, the data shall be permanently deleted.
4. Categories of personal data
Your personal data are processed solely on the basis of clearly defined and legitimate purposes as defined in this Policy. We are committed to the principle of “data minimisation”, which means that we collect, keep and process only the data we need to fulfil the purposes for which they are collected.
We obtain your personal data directly from you (for example, when you provide us with a CV or if you provide us with the information when concluding an employment contract).
Personal data are kept in records available to you in the HR department of the employer. Certain records are also accessible through internal applications. Such records are marked with *.
The employer keeps the following records of the processing activities:
5. Data users
At the employer, your personal data are processed only by people who are authorised to process personal data. The authorisation can be explicit (for example, given by the director or the head of the department) or general (such authorisation is evident from the description of the tasks of a particular position).
The data controller can forward your personal data to third parties. The access of third parties to data and the processing of data by these persons are limited to the purposes for which such data were collected. All third parties to whom we can forward your personal data are bound to comply with the applicable law as well as the provisions of this Privacy Statement.
We can forward your personal data:
Personal data that may be forwarded to affiliated companies defined in section 1 are provided in the framework of joint management and on the basis of the “Agreement on sharing of personal data” concluded between group companies. In accordance with this agreement, the data from the field of HR are processed both by us and by other relevant companies in the group. With regard to the processing of personal data carried out by Medis Intago, d.o.o., you can contact us or Medis, d.o.o. at gdpr(at)medis-health.com. You can also exercise your rights in relation to processing with all companies (the rights are defined in more detail in section 9 below). We would like to inform you that any requests for the erasure of personal data will be handled by all relevant companies. Personal data may only be processed for the purposes defined in this Policy.
When we share personal data with third parties referred to in section 2, we will ensure that access to third parties is made possible only for the purposes set out in this Policy. Furthermore, the access to your data will be limited to those employees of any of those third parties who need access to the personal data to perform their work. All employees who have access to personal data are obliged to protect the personal data they process.
When we forward the data to third parties referred to in section 3, they are provided in the scope and in the manner prescribed by the applicable law.
Your personal data may also be processed by the employer and the above-mentioned third parties outside the European Economic Area, including in some countries that may not provide the same level of personal data protection as applies within the European Economic Area.
In accordance with the relevant data protection and privacy regulations, we will take appropriate measures to ensure that your personal data remains secure and safe in every transfer. We will set out these measures by concluding appropriate contractual frameworks that will define the protection of personal data.
6. Legal bases for the use of personal data
The bases on which we use your personal data are as follows:
We will ask all candidates for the consent to fulfil certain parts of the Employment Form and the Questionnaire upon applying for a job, and we will ask our employees for their consent to publish their birthday in the Outlook business card, to publish photos in the presentation of new employees, to publish a slogan with personal data on the screens and HR ads in the group companies, to publish photos from events, and to process data of children for the purpose of giving them gifts and to publish photographs of children from events. We will also ask for the consent of non-selected candidates whose personal data we want to keep for future recruitment purposes. See the section “Your rights” for information about the rights that you have if we process your data on the basis of your consent.
You are obliged to provide us with personal data that we collect and process on the basis of the law. The submission of personal data for the entry into (and execution) of a contract is voluntary. Nevertheless, we warn you that if you do not provide personal data that we absolutely need to provide a service, we cannot provide you with such services (for example, the submission of data on a personal car that an employee wants to use as a company vehicle is necessary for entering into a contract on the use of a company vehicle).
When processing your personal data on the basis of a consent, the provision of personal data is always voluntary and without any negative consequences for you. Nevertheless, we warn you that we will not be able to provide you with certain services without your consent or after the withdrawal of your consent (for example, keeping your personal data in order to contact you when a relevant job vacancy opens for you).
7. Retention period
We store all personal data that we process in accordance with the law and only for the time period required to achieve the purposes for which the data were collected.
When the time period for the retention of personal data is prescribed by the law, the data are kept in accordance with the provisions of such act.
With regard to the collection and processing of personal data on the basis of a contract, the time period for the retention of data is the entire period of the validity of the contract, including warranty or any other time periods arising from the concluded contract.
With regard to the collection and processing of personal data on the basis of your explicit consent, we will keep your personal data permanently or until the withdrawal of the consent. If the purpose for which we have processed the data is fulfilled, we will delete your data even if you do not withdraw the consent. For example, if we decide not to post photos of new employees, we will delete all of the already published photos even without a withdrawal of the consent.
8. The manner of protecting your data
The employer undertakes to protect any personal data you provide to us. The employer undertakes to do everything to protect personal data against any violations and abuses.
The personal data are kept in a written form (in personal folders, in locked cabinets) and in computerized form. Our computer systems are protected by technical and organisational measures that prevent accidental or deliberate destruction, loss, damage, alteration and unauthorised disclosure or access to your personal data.
Among other things, technical and organisational measures that we use to protect your personal data include:
Technical and organisational measures for the protection of personal data referred to in this policy are defined in more detail in the Rules on the protection of personal data in force at the employer.
After the expiry of the retention period or the withdrawal of the given consent, the data (including any copies thereof) shall be immediately irretrievably and permanently deleted. Any carriers of personal data where these data are located shall also be destroyed/permanently deleted.
In the event of a personal data breach, we will immediately inform the competent supervisory authority of the violation. In Slovenia, the competent authority for personal data protection is the Information Commissioner. You can find out more about the function of the competent authority on their website: https://www.ip-rs.si/. If, in the event of a personal data breach, a suspicion could arise that a criminal offence was committed, we will immediately notify the police or the competent prosecutor's office.
In the event of a personal data breach where there is a high risk for the rights and freedoms of individuals whose personal data are processed, we will inform you of such a breach without undue delay.
9. Your rights
The employer enables you to exercise all of your rights related to the processing of your personal data.
The data subject can, at any time, request the employer to:
Every data subject has the right to file a complaint against us with the Information Commissioner.
You can exercise your rights by contacting us by e-mail at: gdpr(at)medis-health.com, including “personal data protection” in the subject line, or by calling the telephone number (003861) 589 69 00.
The employer undertakes to respond to the requests of the data subject without undue delay, and at the latest within the statutory deadlines.
The responsible person with the employer and/or the data protection officer will respond to any questions about the confidentiality of your data, the manner of collecting and processing data, or your requests for exercising the rights related to your data. To contact the data protection officer, write an email to gdpr(at)medis-health.com or call the telephone number (003861) 589 69 00.
This section defines the terms used in this Policy.
Personal data is any information relating to an identified or identifiable individual, in particular: name, identification number, web identifiers as well as factors specific to the individual's physical, physiological, genetic, mental, economic, cultural or social identity.
Processing is any operation or set of operations which is performed on personal data and includes, in particular, the collection, editing, storage, alteration, consultation, retrieval and erasure of such data.
Controller is a natural or legal person who, alone or together with others, determines the purposes and means of the processing. For the purposes of this Policy, Medis Intago, d.o.o. is the controller of personal data.
Processor is a natural or legal person, as well as a public authority, agency or another body which processes personal data on behalf of the controller.
Employee is a natural person who performs work at the employer on the basis of an employment contract or as part of student work or compulsory practice of high school or university students or scholarship holders.
Candidate is a natural person who submits their personal data to the employer as a response to a published job vacancy through the Employment Form, or unrelated to the usual recruitment procedures by e-mail or to the employer's registered office.
Potential candidate is a natural person who provided the employer with personal data for the purpose of finding employment at the employer (irrespective of the manner of data submission) but was not selected for employment, however, the employer keeps his/her personal data for the purpose of future employment.
The current version of this policy will be available on our website and in the Human Resources Department.
In force as of: 27/07/2018