1. General

MED-ONA Centre for Gynaecology and Women’s Health d.o.o. Motnica 5, 1236 Trzin, registration number: 8506434000, tax number: SI 93452071 (hereinafter referred to as MED-ONA, the company or the controller) is the controller of the personal data processed in the framework of this privacy policy.

The purpose of this Privacy Policy is to inform patients, customers and other visitors to the website (hereinafter referred to as users) of the purposes, legal bases, security measures and rights of individuals with regard to the processing of personal data carried out by the Company.

The Company collects and processes personal data in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “General Regulation”) and the provisions of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 163/22, hereinafter referred to as the “PDPA-2”).

2. Information about the controller of the personal data

MED-ONA d.o.o.

Motnica 5

1236 Trzin

E-mail: info@medona.si

3. Data Protection Officer

In accordance with Article 37 of the General Regulation, we have not appointed a Data Protection Officer (DPO).

If you have any questions about the processing of your personal data, please contact us at: info@medona.si.

4. What personal data is collected and processed?

The personal data collected and processed through the website are the personal data of users who submit a request for an appointment via the online form. This personal data includes name and surname, email address and telephone number (optional).

5.   Why is personal data collected and processed?

The Company processes users’ personal data for various purposes:

(1) Processing of personal data of guests on the website for the purpose of tracking orders received and obtaining analytical data for marketing purposes.

Processing of the following personal data of the user: name and surname, email address, telephone number. The provision of this personal data by the user is voluntary, but constitutes a condition for the use of the above services. Failure to provide personal data will result in the Company being unable to provide the user with access to the services.

(2) Processing of personal data for the purpose of booking a consultation

For the purpose of using the “Contact us” service, the following personal data of the user are processed: name and surname, telephone number, e-mail address and message. The provision of this personal data by the user is voluntary, but constitutes a condition for the use of the above services.

Failure to provide personal data will result in the Company being unable to provide access to the services to the User via the Website.

(3) Processing of personal data for compliance with legal obligations

The Company may process the personal data of the User in order to comply with legal obligations imposed by public authorities. This includes, in particular, (a) the processing of information about payments for services in order to comply with tax and accounting obligations and (b) the disclosure of information required by public authorities, including courts, on the basis of and to the extent of generally applicable provisions.

(4) Processing of personal data for the purposes of legitimate interests pursued by the company or a third party, provided that such legitimate interest does not override the interests or fundamental rights and freedoms of the user

The Company may process the personal data of the User for the purposes of asserting, exercising or defending legal claims, to protect the rights and interests of other Users or third parties, to exercise and enforce rights and obligations under the Contract.

6. To whom do we provide personal data?

The Company may disclose personal data of the user:

• to service providers who provide services to the Company and enable the Company to provide the service to Users. Examples of services that may be requested are: provision of infrastructure and IT services, postal and shipping service providers, provision of customer service, enhancement of services provided by the Company, optimization of the website, processing of debit/credit card payments or any other payments made by the user, accounting service. Unless absolutely necessary or required by law, service providers are not authorized to disclose or use the user’s personal information for their own purposes, but act on behalf of and at the direction of the Company;
• service providers who provide services to the Company to enable the Company to carry out marketing activities, including direct marketing of its own services and products, processing market research and carrying out statistical analysis and remarketing through social networks such as Facebook, Instagram and Google. Unless strictly necessary or required by law, service providers are not authorised to disclose or use the user’s personal data for their own purposes, but act on behalf of and under the instructions of;
• to public authorities, including courts, regulators and other public authorities to the extent necessary to:

1. compliance with the legal obligations imposed on the company;
2. protect and pursue the Company’s rights, the rights of another user or third parties, including intellectual property rights;
3. protect the safety, security or safety of another user or third party;
4. the performance and enforcement of rights and contractual obligations;
   – to parties to transactions, advisors and consultants for purposes of reorganization, including the sale, merger or other disposition of the Company’s business, in whole or in part, and provided that such third parties will be bound by a privacy policy that provides an adequate level of protection for the User’s personal information that is at least equivalent to this Privacy Policy.

The Company does not transfer personal data to third countries.

7. User rights in relation to personal data

The User may request the Company to exercise the following User Rights:

• the right to access, rectify, transmit and delete his/her personal data;
• the right to restrict the processing of his personal data for marketing purposes;
• the right to object to the processing of his personal data;
• the right to erasure of his personal data, in the event that:

1. the personal data are no longer necessary for the purposes set out in point 3 above;
2. the user withdraws the consent on which the processing is based and there is no other legal basis for the processing;
3. the user objects to the processing and there is no overriding legitimate reason for the processing;
4. the personal data have been processed without a legal basis;
5. the personal data must be erased in order to comply with a legal obligation imposed by law;

Medical data and data on outpatient visits of users who have used any of the Company’s healthcare services remain stored in the health information system in the individual’s written record kept by the Company, even in the event of cancellation. These data are stored in accordance with the Act on databases in the field of health care (Official Journal of the Republic of Slovenia, No 65/00 et seq.).

• the right to obtain a restriction of processing, in the event that:

1. the user contests the accuracy of the personal data, i.e. for a period allowing the Company to verify the accuracy of the personal data;
2. the processing is unlawful, but the user objects to the erasure of the personal data and instead requests the restriction of its use;
3. the Company no longer needs the user’s personal data for the purposes set out in point 3 above, but the user requests the data for the establishment, exercise or defence of legal claims.

Any of the above requests and/or notifications may be sent by ordinary mail or by email to the Controller’s addresses.

The request and/or notification must include the User’s first and last name, date of birth and email address details in order to verify that such request and/or notification is in fact from the User.

If the User sends the request by email and does not indicate any other means of communication, the Company will comply with the User’s request and will communicate with the User using email.

Notwithstanding the foregoing, any patient who provides a healthcare service to the Company shall also be entitled to all rights under the Patients’ Rights Act (Official Gazette of the Republic of Slovenia, No. 15/08 et seq.).

8. Duration of data processing

The user’s personal data will be processed for the duration of the contract. After the termination of the contract, the personal data may be processed as follows:

(1) for the purpose of asserting, exercising or defending legal claims against the Company – without prejudice to point (4) below;

(2) for direct marketing purposes – until the user withdraws consent to such processing or objects to the processing of personal data for direct marketing purposes;

(3) for compliance, in order to comply with legal obligations;

(4) for any legal, regulatory or administrative process, including compliance with decisions or orders of relevant courts or administrative or governmental authorities to the extent permitted by law.

The Company shall retain personal data only for as long as is necessary to fulfill the purpose for which the personal data was collected and processed. If we are required by law to retain your personal data, we will retain it for the period prescribed by law. In this case, some personal data is kept only for the period of care, while some data must be kept permanently. In the case of processing based on the individual’s personal consent or legitimate interest, we will keep the personal data until the consent is withdrawn or until we receive a request to delete the personal data. Upon receipt of revocation or request, the data shall be deleted without undue delay. After the expiry of the period set out above, the user’s personal data will be deleted.

9. Functions of social media and third-party payment service providers

Our website may use features of social media and payment service providers operated by third parties such as Facebook, Instagram, Google, etc. These features may (i) collect information (name, email address, telephone number, postal address, date of birth, payment details – credit/debit card number, expiry date, CVV/CVC number and cardholder name, your IP address, the pages you visit on our website) and (ii) may set cookies or use similar technologies to enable the relevant features to function properly. If you are logged into your user account with a third party, the third party will be able to link information about your visit to our website to your user account with that third party. Similarly, a third party may also record your interactions with these features when you visit the Company’s Facebook, Instagram or Google page. Your interactions with these features are governed by the privacy policy of the third party providing that feature. To learn more about the third party’s practices regarding the collection and processing of personal information, please see the third party’s privacy policy.

10. Children’s privacy

Our website is not intended for children under the age of 15. You must be at least 15 years of age to use the Website and/or the Services. We do not knowingly collect personal information from children under the age of 15. If you are under the age of 15, please do not use the Services or provide us with your personal information. If you have a child under the age of 15 and you are aware that your child has provided us with his or her personal information, you may contact us at info@medona.si to exercise your rights of access, rectification, erasure and/or objection.

11. Links to other websites

Our website may contain links to external websites. The Company encourages you to review the privacy and security policies of such linked external websites, whose privacy practices may differ from ours. The Company assumes no responsibility for the collection, processing or disclosure of information on external websites that a visitor may access online. We remind you to check the privacy policies of these external websites before providing them with your personal information.

12. Cookies

The Company uses cookies on the website to enable the user to access certain functions and to obtain information about the visit to the website. A cookie is a file that stores the settings of web pages. Websites store cookies on users’ devices used to access the Internet in order to identify the individual devices and settings used by users to access the Internet. Cookies allow websites to recognise if a user has visited that website before and, in the case of advanced applications, they can be used to adjust individual settings accordingly. Their storage is under the full control of the browser used by the user – which can restrict or disable the storage of cookies if desired.

13. Data security

Maintaining data security means ensuring the confidentiality, integrity and availability (for authorised purposes) of personal data. Confidentiality means that only people authorised to use the data can access it. Integrity means that personal data must be accurate and adequate for the purpose for which it is processed. Accessibility means that authorised users are given access to the data if they need it for authorised purposes. Accordingly, the Company will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data and against accidental loss or damage to personal data. These principles will be enforced through the implementation of appropriate security measures in hardware and software (including physical entry and system access controls, locks, alarms, firewalls, etc.). The Company has procedures and technologies in place to maintain the security of all personal data, from the point of collection to the point of destruction.

14. Rights and remedies

If you have any questions about this Privacy Policy, our use of cookies, or our policies regarding the collection, use, processing, retention and/or disclosure of personal information, you may contact us:

• by post to MED-ONA d.o.o.

Motnica 5

1236 Trzin

• by e-mail to: info@medona.si

In the event of a violation of your rights related to the processing of personal data, you may lodge a complaint with the Information Commissioner at the address Dunajska 22, 1000 Ljubljana, e-mail: gp.ip@ip-rs.si telephone: 01/230-97-30 or on the website: www.ip-rs.si.

In order to resolve data protection issues more quickly and favourably, it is advisable to address complaints or questions to the Company first, before contacting the authorities.

15. Changes to the Privacy Policy

We reserve the right, at our sole discretion and if necessary, to amend this Privacy Policy at any time and to adapt it to the actual situation and to the legislation in the field of personal data protection, which will be published on our website. For this reason, we ask you to check the current version before each submission of personal data to ensure that you are aware of any changes and amendments. Your continued use of the website and services constitutes your acceptance of the revised Privacy Policy. We recommend that you review our Privacy Policy regularly to ensure that you are aware of any changes.

The MED-ONA Ltd. privacy policy has been adopted by the responsible person of MED-ONA Ltd. and is effective as of 1 September 2024.

MED-ONA Centre for Gynaecology and Women’s Health.