top of page

Privacy Policy

This Privacy Policy governs the types of personal data, the manner of use, and the processing of users’ personal data collected by the website controller through visits to the Website or through the use of our services. This Privacy Policy also defines the purposes and legal bases for the processing of personal data by the controller, as well as the rights of individuals in this area.

 

The controller of the Website and your personal data is:

 

Center Preventive Medicine d.o.o.
Hrastovec 18, 1236 Trzin
URL: www.cpm.si
Phone: 070 620 899
Email: info@cpm.si

 

The controller devotes great care to the protection of personal data. Personal data is processed exclusively in accordance with applicable data protection regulations, in particular the General Data Protection Regulation – Regulation (EU) 2016/679 (hereinafter: “GDPR”), the applicable Personal Data Protection Act, and other relevant Slovenian legislation governing personal data protection. Personal data is treated confidentially and used solely for the purposes for which it is collected.

 

In connection with the use of the Website, users are also encouraged to familiarise themselves with the General Terms of Use of the Website and the Cookie Policy.

 

This Privacy Policy covers the following information:

  • contact details of the controller,

  • purposes, legal bases, and types of processing of different categories of personal data,

  • retention periods for individual categories of personal data,

  • rights of individuals in relation to personal data processing,

  • the right to lodge a complaint regarding personal data processing,

  • validity of the Privacy Policy.

1. Definitions

The terms used in this Privacy Policy have the following meanings:

“We”, “us”, “CPM” means Center Preventive Medicine d.o.o.

“Personal data” means any information relating to an identified or identifiable individual.

“Controller” generally means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing. The controller is Center Preventive Medicine d.o.o.

 

“Website” means www.cpm.si and any subpages placed on this website by the controller.

 

“Processing of personal data” means any operation or set of operations performed on personal data, whether or not by automated means, including collection, acquisition, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, anonymisation, erasure, or destruction. Processing may be manual or automated. The type, legal basis, and method of processing your personal data depend primarily on the purpose for which the data is processed.

 

 

2. Purpose of processing and legal bases for processing personal data

CPM uses users’ personal data only to the extent necessary to achieve the purposes described in this Privacy Policy and only where we determine that such processing does not harm you or unjustifiably interfere with your privacy in a manner contrary to our legitimate interests.

Processing of personal data based on a contract

For the purpose of fulfilling contractual obligations, the controller may process the following personal data for the following purposes: identification of the individual, appointment booking, management of website registration, notifications regarding appointments and any changes, provision of services, delivery of additional details and/or instructions regarding services, handling of complaints related to services, invoicing, and other purposes necessary for the performance of contractual obligations.

Processing of personal data based on law

Legitimate interest may include the establishment, exercise, or defence of legal claims, or our legitimate interest in handling your request or complaint or responding to legal claims (Article 6(1)(f) GDPR or Article 9(2)(f) GDPR).

 

To a certain extent, in accordance with general regulations, the legal basis for processing may also arise from the controller’s legal obligations or the need to respond to requests from competent authorities or courts (Articles 6(1)(c) and 6(1)(e) GDPR).

 

Processing of personal data based on consent

 

A valid legal basis for processing personal data is also the individual’s valid consent pursuant to Article 6(1)(a) GDPR. This applies in particular to subscriptions to electronic newsletters. Consent may be withdrawn at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

 

 

3. Visiting the Website

Automatic data storage

 

Each time the Website is visited, server log files are automatically stored on the server. This includes, in particular, but not limited to, the following data (hereinafter referred to as “log file data”):

 

  •  information about browser type and version,

  •  information about the user’s operating system,

  •  information about the internet service provider,

  •  IP address of the user,

  •  date and time of access.

CPM also collects data about the user’s use of the Website, time spent on individual subpages, total duration of visits, and navigation patterns. These data are important to us as they enable us to ensure the expected quality and performance of the Website, comply with our legal obligations, and continuously improve the services we provide.

Purpose of processing: Log file data is analysed in anonymised form for the purposes of continuous improvement and adaptation of the Website to users, rapid and efficient error resolution, access to, operation, administration, and improvement of the Website and business operations, analysis of usability and quality to improve the Website, and compliance with legal obligations and the establishment, exercise, and defence of legal claims.

These data are stored using cookies, the use of which you confirm upon each visit to the Website. More information about cookies is available in the Cookie Policy.

Retention period: Data is stored for up to 30 days from the date of the Website visit. Further details are provided in the Cookie Policy.

 

 

4. Use of the online booking form or appointment scheduling

 

If a user actively provides personal data, for example by completing an online booking form, registering, booking an appointment, or in any other way, such data will be collected by the controller.

By providing personal data for the purpose of booking an appointment, the person providing the data guarantees that: (i) they are authorised to provide such information; (ii) the individual concerned has been informed of the contents of this notice; and (iii) they will ensure the accuracy and updating of the personal data after submission.

CPM collects the following data: first name, last name, email address, telephone number, date of birth, health insurance card number, residential address, and gender, solely on the basis of your consent provided via the booking form on the Website or in person at the controller’s premises prior to the medical examination.

In connection with appointment booking, CPM also provides electronic notifications of appointments via SMS and email, offered by a subcontractor or contractual partner. By using the booking form and submitting data, the user expressly consents to the use of personal data for appointment notifications. SMS messages and emails are transmitted to an external system in accordance with this Privacy Policy.

 

Purpose of collection: Personal data obtained through the booking form is processed for the purposes of identification, appointment booking, registration management, appointment notifications and changes, provision of healthcare services, delivery of additional details or instructions, complaint handling, and invoicing. All personal data is treated confidentially by authorised persons contractually bound to data protection obligations.

The legal basis for processing is your consent, legitimate interest, and contractual necessity.

A contractual processor of such personal data is also SOAMED d.o.o. Go, through which the online booking system is managed. Its terms and privacy policy are available via a link on the Website.

Retention period: Data is stored for 5 years from submission of the contact form or longer where required or permitted by applicable law.

 

 

5. Electronic notifications and newsletter subscription

An individual may provide their email address on the Website or by written consent before or after a medical examination and thereby consent to receiving information from CPM regarding promotions, news, and marketing communications related to CPM services.

 

In this case, the controller processes the following data: email address, date and time of subscription.

Purpose of processing: Processing and sending of electronic communications for marketing and promotional purposes, and for providing information about news, business activities, offers, articles, and related content.

The legal basis for this type of data processing is the individual’s consent (point (a) of Article 6(1) GDPR). When completing a form on the Website, when completing a pre-examination questionnaire, or later by providing specific written consent, you indicate that you agree to CPM using your email address for the purposes of notifications, advertising, and marketing. By doing so, you also confirm that you are aware that you may unsubscribe from the e-newsletters at any time by sending an email request to info@cpm.si or by clicking the “Unsubscribe” link at the bottom of each email message.

 

CPM sends e-newsletters exclusively to individuals who have provided their consent on the Website, in person, or otherwise, and who explicitly agree to receive such electronic notifications at their email address.

 

Retention period: We store the data until you withdraw your consent for this type of data processing, which you may do by unsubscribing from receiving newsletters. You can do this by clicking the “Unsubscribe” link at the bottom of each email message or by sending a written request to info@cpm.si.

 

6. Healthcare treatment of patients

When a user books CPM services, personal data is processed for the purpose of outpatient examinations, procedures, or other healthcare services.

During and after medical treatment, we process personal data including name, date of birth, address, telephone number, email address, and health data necessary for professional and comprehensive medical care.

Purpose of processing: Comprehensive healthcare treatment and service provision.

 

Legal basis: Consent provided via pre-examination questionnaire and contractual necessity.

 

Retention period: In accordance with applicable healthcare and data protection legislation.

 

 

7. Service evaluation

If the user agrees at the end of the process of submitting a booking form or an enquiry for a self-pay healthcare service or a related process on the Website, the user may be invited to provide a rating or feedback on the service once it has been completed. The Website user voluntarily decides whether to respond to the questions and provide feedback.

Purpose of processing: For the purpose of sending a questionnaire to the user by email, the provider processes the individual’s personal data, namely the email address, the service appointment date (if available), and information about the healthcare service used by the user. The collection of such personal data is also intended for the analysis of satisfaction with the provided service.

 

The legal basis for this type of data processing is the individual’s consent (point (a) of Article 6(1) GDPR).

 

Retention period: After the completed questionnaire has been submitted and returned by the user, these data are deleted, as the purpose of processing has been fulfilled and the data are no longer necessary for further processing.

 

 

8. User data – limitation of controller liability

All data you provide to CPM, including information and materials submitted as part of your questions, responses, requests for information, and comments (hereinafter referred to as “User Content”), are your sole responsibility, and CPM assumes no liability for them. The user is solely responsible for the data submitted within or through the application and therefore bears full responsibility for the accuracy and timeliness of such data.

By using the Website, you agree and confirm that you are fully responsible for all content you submit to us. CPM does not monitor User Content and does not guarantee its accuracy, completeness, or quality. CPM shall not be liable for any loss or damage that may result from your reliance on the submitted information and data.

Please notify us of any alleged violations related to User Content by sending an email to info@cpm.si. The content you submit will be reviewed, and the data will be used and collected solely by CPM or by persons authorised by CPM for the purpose of resolving the alleged violation related to User Content.

 

 

9. Retention of personal data

CPM stores your personal data in accordance with one of the following retention periods:

  • where your data is processed solely on the basis of your explicit consent, until you withdraw your consent to the processing of personal data;

  • where the purpose for which the personal data was collected has been fulfilled and consent has not been withdrawn prior to that, until the purpose has been fulfilled; or

  • where the retention of personal data is necessary to protect the interests of CPM in connection with the content of communications initiated via the contact form, until the expiry of the statutory limitation periods for the exercise of your rights and obligations or the rights and obligations of CPM.

After the expiry of the personal data retention period, CPM will permanently delete, anonymise, or restrict access to the data, and the personal data will no longer be attributable to you.
 

10. Controller and contractual processors of personal data

Your personal data may be entrusted for processing, on the basis of a contract, to our carefully selected contractual partners who provide sufficient guarantees for an adequate level of personal data protection and lawful processing. We may also share your personal data with authorised auditors and external consultants.

We do not transfer your personal data to third countries. In the event of any such transfer, you will be expressly informed in advance and asked to provide your consent.

11. User rights in relation to collected personal data

In accordance with the GDPR and the applicable legislation governing personal data protection, you have the following rights in relation to your personal data:

a) the right of access to personal data,
b) the right to rectification if personal data is inaccurate,
c) the right to erasure (“the right to be forgotten”),
d) the right to restriction of processing,
e) the right to withdraw consent,
f) the right to data portability,
g) the right to object and to lodge a complaint with the Information Commissioner.

 

All requests to exercise any of the above rights may be submitted to info@cpm.si. CPM reserves the right to verify your identity before proceeding with your request.

a) Right of access to personal data

Every user has the right to obtain confirmation as to whether personal data concerning them is being processed and, where that is the case, access to the personal data (inspection or a copy of the personal data) and the following information: the purposes of processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data has been or will be disclosed; the retention period or the criteria used to determine that period; the existence of the right to rectification, erasure, or restriction of processing; the right to object to processing; the right to lodge a complaint with a supervisory authority; the source of the data if the personal data was not collected directly from you; and the existence of automated decision-making, including profiling.

 

b) Right to rectification of inaccurate personal data

Everyone has the right to request that CPM correct or complete personal data if it is inaccurate or incomplete.

 

c) Right to erasure (“right to be forgotten”)

An individual may request the erasure of all personal data relating to them that is processed by CPM in the following cases:

 

  • if the purpose for which the personal data was collected no longer exists;

  • if the individual has withdrawn consent and there is no other legal basis for processing;

  • if the individual has objected to processing and all statutory conditions are met;

  • if CPM has processed personal data unlawfully (without a legal basis); or

  • if erasure is required to comply with a legal obligation under EU law or the law of a Member State applicable to CPM.

 

d) Right to restriction of processing

An individual may request restriction of processing at any time where:

 

  • the accuracy of the personal data is contested, for a period enabling CPM to verify the accuracy of the data;

  • the processing is unlawful and the individual opposes erasure and requests restriction instead; or

  • CPM no longer needs the personal data for the purposes of processing, but the individual requires it for the establishment, exercise, or defence of legal claims.

Restriction cannot be requested where there is a legal basis for processing in law or consent.

e) Right to withdraw consent

Consent to the processing of personal data may be withdrawn at any time without affecting the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

f) Right to data portability

An individual may request their personal data processed by CPM in a structured, commonly used, and machine-readable format and may transmit such data to another controller or request direct transmission where technically feasible, without hindrance from CPM.

 

This right applies primarily where processing is based on consent or a contract and carried out by automated means. Data portability cannot be requested where it would adversely affect the rights and freedoms of others.

 

g) Right to object and to lodge a complaint with the Information Commissioner

The right to object applies to processing based on legitimate interests or tasks carried out in the public interest (Articles 6(1)(f) or 6(1)(e) GDPR). Where processing is based on consent or another legal basis, the right to object does not apply. Where an objection is raised, CPM must cease processing unless it demonstrates compelling legitimate grounds overriding the interests, rights, and freedoms of the individual or for the establishment, exercise, or defence of legal claims.

 

Where personal data is processed for direct marketing purposes, the individual may object at any time, and CPM must immediately cease such processing.

If you believe that CPM is not processing your personal data in accordance with applicable law, you may lodge a complaint with the Information Commissioner (Dunajska cesta 22, 1000 Ljubljana, email: gp.ip@ip-rs.si, phone: +386 1 230 97 30, website: www.ip-rs.si).

h) Contact details of the Data Protection Officer

Employees of CPM and our contractual partners take all reasonable measures to ensure the security of your personal data. We have implemented rules, procedures, and appropriate technical and organisational measures to ensure an adequate level of protection. If you have any questions regarding the processing of your personal data or the exercise of your rights, you may contact us at any time.

 

All enquiries and requests may be sent to info@cpm.si.

12. Changes to the Privacy Policy

We reserve the right to amend or supplement this Privacy Policy at any time and therefore recommend regular review of this Privacy Policy.

 

Center Preventive Medicine d.o.o., Ljubljana, November 2024

bottom of page