Privacy Policy

DATA PROCESSING POLICY

Notice on the processing of personal data in connection with

the use of the Auron connect application

 

Company for production, trade and foreign trade Springwell doo, Niš, 1 Šumadijska St., Niš, Register No.: 17272411, TIN: 100664696, represented by Boris Brković (hereinafter referred to as the „Operator„), in the capacity of the Operator, processes data of the Auron connect application  users (hereinafter referred to as the „Application„), and in accordance with the Law on Protection of Personal Data („Official Gazette of RS“ No. 87/2018— hereinafter: „Law„).

This document contains all the necessary information in accordance with Article 23 of the Law, as follows, with the aim of informing the person to whom the Personal data, that is the subject of processing refer.

When processing Personal data, the Operator:

• ensures that the collection and further processing of Personal data is always based on an adequate legal basis;
• takes care to carry out the processing respecting the rights of the person to whom the data refer, making sure to always provide such person with adequate assistance in exercising all guaranteed rights;
• publishes and makes publicly available all relevant information related to processing
• ensures that the collection and further processing of Personal data is carried out exclusively for the purposes of achieving a specific purpose;
• collects and processes the minimum set of Personal data that is really necessary for the achievement of a specific purpose;
• collects and processes Personal data only for the period of time necessary to achieve the purpose for which it was collected;
• ensures that the collected Personal data is accurate and up-to-date;
• ensures that data is protected from any unauthorized or illegal access by internal or external parties.

1. Basic concepts related to the protection of Personal data

„Personal data“ is any data relating to a natural person whose identity is determined or determinable, directly or indirectly, in particular on the basis of an identity marker, such as name and identification number, location data, identifiers in electronic communication networks or one, that is, more features of his physical, physiological, genetic, mental, economic, cultural and social identity.

„Processing of personal data“ is any action or set of actions performed automatically or non-automated with Personal data or their sets, such as collection, recording, sorting, grouping, i.e. structuring, storing, matching or changing, disclosure, inspection, use, disclosure by transmission, i.e. delivery, duplication, dissemination or otherwise making available, comparison, restriction, deletion or destruction;

„Sensitive data“ refers to data related to racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of unique identification of a person, health data or data about sexual life or sexual orientation of a natural person.

In the specific case, the Operator does not collect or process sensitive data, except for those related to the user’s health condition (blood pressure, body weight and temperature measurement results, as well as the results of other devices) and for which the person to whom the data relates has given express consent for processing, as well as unless they are made available voluntarily or if it is required to do so by applicable regulations.

The Operator does not collect or process any Personal data of the child without the prior, verifiable consent of the holder of parental rights (parent or guardian). The parent or guardian has the right, upon request and/or by contacting the Controller, to exercise or protect the rights of the child in relation to Personal data, in accordance with the Law.

„Processor“ is a natural or legal person, i.e. a public authority, which processes Personal data on behalf of the Operator.

 „Recipient“ is a natural or legal person, i.e. a government body to which Personal data has been disclosed, regardless of whether it is a third party or not, unless it is a government body that, in accordance with the law, receives personal data as part of research of a particular case and process this data in accordance with the rules on the protection of personal data related to the purpose of processing.

2. Type of personal data collected and processed by the O and categories of persons whose data is processed

The Operator collects Personal data directly from the person to whom the data relates, to the extent necessary to achieve the specific purpose of the processing, namely:

• basic identification data (name, surname, gender and date of birth);
• contact information (e-mail address, e-mail address for emergencies) and
• data resulting from the use of the Auron blood pressure monitor and other Auron devices (blood pressure measurement results, body weight and temperature, notes, reminders)

3. Method of collecting personal data

The Operator collects Personal data directly from the person to whom the data relates, and which that person enters into the Application, i.e. fills in during registration or when reporting an error in the Application, at the Operator’s request.

4. Legal basis of data collection and processing

The Operator collects Personal data based on the consent of the person to whom the data relates, in the sense of Article 15 of the Law. With his unequivocal declaration of will, the said person confirms that he has been informed about all important aspects of the processing of Personal data in accordance with Article 23 of the Law, and that he accepts the processing of Personal data. Consent is voluntary and can be withdrawn at any time, which entails the deletion of collected Personal data, with the fact that the withdrawal of consent does not affect the processing of Personal data that was carried out before the revocation (Article 15, paragraph 3 of the Law).

5. Purpose of Personal data processing

The Operator collects and processes Personal data due to:

• enabling the proper operation of the Application and its use by the user;
• removing errors in the operation of the Application and connecting the reported error with the user who reports the error, in order to check whether the account of the specific user affects the occurrence of the error in the operation of the Application;
• recording the results of the user’s blood pressure measurement (or the results of other Auron devices), for the purpose of saving and monitoring the measurement results by the user and sharing them with the selected doctor.

6. Storage of Personal data and protection measures

Personal data is stored and preserved by the Operator in internal records and electronic records (databases), which are provided by the Processor, in relation to which he applies all necessary organizational, technical and personnel protection measures in accordance with the requirements of the applicable Law, including:

• technical measures within the computer system by which Personal data are permanently protected from possible misuse, unauthorized use, collection, disclosure, as well as all other actions that may threaten the confidentiality of personal data;
• storage of Personal data on servers and computers to which only persons authorized by the Operator to process Personal data have access;
• appointing a person for the protection of Personal data and granting authorization for access and data processing only to persons who are obliged to preserve the confidentiality and secrecy of Personal data and
• other information security measures that are necessary to protect Personal data.

7. Rights of persons whose data is processed

In relation to Personal data, the person whose data is collected has the following rights:

• the right to notification of processing and access to Personal data and information related to processing (Article 26 of the Law);
• the right to request the correction of incorrectly entered Personal data and the addition of such data (Article 29 of the Law);
• the right to request deletion of Personal data (Article 30 of the Law);
• the right to limit processing (Article 31 of the Law); •
• the right to portability of Personal data (Article 36 of the Law);
• the right not to be subject to a decision made solely on the basis of automated processing, including profiling (Article 38 of the Law);
• the right to be informed about a violation of Personal data, if that violation of Personal data can cause a high risk for the rights and freedoms of natural persons (Article 53 of the Law);
• the right to submit a complaint to the Commissioner for Access to Information of Public Importance and Protection of Personal Data, address: Bulevar Kralja Aleksandra No. 15, 11120 Belgrade, phone: +38111 3408 900, e-mail: office@poverenik.rs (Article 82 of the Law);
• the right to court protection if he believes that his rights stipulated by the Law have been violated (Article 84 of the Law) and
• other rights guaranteed by the applicable Law.

The person to whom the data refers can exercise his rights by contacting the Operator, i.e. the contact person. In relation to the exercise of his rights, the Operator will provide the person with all necessary additional information, as well as assistance, in accordance with the conditions and in the manner prescribed by the applicable Law.

8. Access to Personal data

The Operator can also provide Personal data to third parties – data processors and recipients. All Processors conclude special contracts entrusting them with certain actions of Personal data processing and regulating all important aspects of Personal data processing as well as protection measures.

Categories of persons who may have access to Personal data:

• employees and other persons engaged by the Manager and
• IT companies, Processors, which are entrusted with certain actions of personal data processing on behalf of the Operator, that is, which maintain the information systems in which the data is stored.

Exceptionally, Personal data can also be submitted to the competent state authorities, if this is a legal obligation of the Operator, and only to the extent that it is necessary to fulfill a specific legal obligation.

Personal data collected will not be transferred to other countries or international organizations.

9. Term in which Personal data is stored

Personal data will not be stored longer than is necessary to achieve the purpose for which it was collected. Personal data is stored until the moment of withdrawal of consent, and in any case for a period of ten years from the date of collection of personal data, after which the data is deleted.

In the event that Personal data are necessary for other justified purposes (e.g. for the needs of court and other legal proceedings, etc.) they may be processed for a longer period of time than the specified retention period.

10. How to receive notifications about the processing of personal data

The person whose data is processed, in connection with all issues related to the processing of personal data, including the way of exercising rights and the inspection of documents that more closely regulate the method of data processing, can contact the person for the protection of Personal data, Sanja Milošević i/ or e-mail address: sanja.milosevuc@springwell.rs.putem. The person in charge of protecting personal data will respond to each inquiry as soon as possible, depending on the inquiry itself, but no later than 14 working days from the day of proper receipt of the inquiry.

11. Consent to the processing of Personal data

By giving consent to the processing of Personal data, the user confirms that he/she has read and fully understood this notice on the processing of Personal data and agrees to the collection, processing and use of Personal data in the manner described above, in accordance with applicable regulations.