CONTENTS:

2. GENERAL DATA PROTECTION REGULATION

4.WHAT DATA DO WE COLLECT ABOUT YOU, WHY DO WE COLLECT IT AND HOW LONG DO WE KEEP IT FOR?

4.2 IF YOU ARE A USER OF THE ADIVA LOYALTY CARD

4.3 IF YOU ARE A HEALTHCARE PROFESSIONAL WITH WHOM WE HAVE CONCLUDED A COPYRIGHT CONTRACT OR SOME OTHER TYPE OF BUSINESS COOPERATION

4.4 IF YOU ARE OUR POTENTIAL EMPLOYEE

4.5 IF YOU ARE A USER OF OUR PHARMACY SERVICES

4.6 IF YOU REPORT SIDE EFFECTS RELATED TO THE USE OF MEDICINES

4.7 IF YOU VISIT OUR BUSINESS CENTERS/VIDEO SURVEILLANCE

5. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM?

6. HOW WE SHARE DATA

7. MEASURES FOR THE PROTECTION OF YOUR DATA

8. AMENDMENTS TO THE PRIVACY POLICY

1. INTRODUCTION

Thank you for your interest in the data protection implemented by the company PHOENIX Farmacija d.o.o.

PHOENIX Farmacija d.o.o. recognizes the importance of security, privacy protection and the protection of all data, business and personal, obtained in daily business from all stakeholders – employees, customers, suppliers, users of pharmacy services and all other business partners. Given that we are part of the PHOENIX Group, we strive to provide protection within all our business processes, management structures and technical systems and to implement the protection in our daily operations. All of our business operations are based on the principle of transparency.

This Privacy Policy informs you about our practice of privacy and data protection, the use of data and the methods of data collection, for example, when concluding an employment contract, a business cooperation contract, in daily operations or by giving consent for the use of personal data in the ADIVA loyalty program.

The Privacy Policy applies to the company:

PHOENIX Farmacija d.o.o., Zagreb, Ozaljska 95, and the affiliated companies based in the Republic of Croatia
- Zdravstvena ustanova Ljekarne Farmapharm, Pag, Stjepana Radića 2c
- Zdravstvena ustanova Ljekarna Valun, Pula, Zagrebačka 29

(hereinafter: PHOENIX Farmacija)

PHOENIX Farmacija d.o.o. is one of the leading wholesale drugstores in Croatia and is a member of the PHOENIX Group, the leading European wholesale drugstore. The company ensures the delivery of medicines and medicinal products to numerous segments within the health care system: pharmacies, hospitals, health centres and medical-diagnostic laboratories.

This policy also applies to all domains, services, applications, products and services of PHOENIX Farmacija and its affiliated companies.

Data controller and data protection officer

The data controller responsible for the collection, processing and use of your personal data within the meaning of the General Data Protection Regulation (GDPR) is:

PHOENIX Farmacija d.o.o.
Ozaljska 95
10000 Zagreb, Croatia

You can submit all your questions and requests regarding the processing of your personal data by PHOENIX Farmacija and exercising your rights to the Personal Data Protection Officer to the e-mail address: dpo@phoenix-farmacija.hr or to the above address.

2. GENERAL DATA PROTECTION REGULATION

The General Data Protection Regulation (better known as the GDPR) is a binding legislative act that is directly applicable in its entirety in the Republic of Croatia and in other member states of the European Union, as well as in the countries of the European Economic Area.

The General Data Protection Regulation determines the rights of individuals and, accordingly, the obligations of business entities that process personal data, as well as the powers and tasks of supervisory bodies for the protection of personal data.

The most important terms specified in the GDPR are:

Personal data: refers to any information relating to an identified or identifiable natural person such as name and address, telephone number, payment details, age, income, photos in personal documents, information on professional training/occupation, log-in details or location data;

Personal data processing: refers to any operation that is performed on personal data, whether or not by automated means, such as the collection, recording, storage, adaptation or alteration, use, erasure or even destruction of personal data – whether in paper or electronic form;

Special categories of personal data (sensitive personal data): includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, processing of genetic and biometric data, data related to health or sexual orientation;

Controller: refers to the natural or legal person that determines the purposes and means of the processing of personal data

Processor: refers to a natural or legal person who processes personal data on behalf of the controller

Personal data breach: refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether in paper or electronic form, e.g. loss/theft of documents, business computer, mobile device, or e-mail message containing personal data sent to the wrong person.

3. PRINCIPLES OF DATA PROTECTION

Lawfulness, honesty and transparency

We process personal data in a lawful, honest and transparent manner. All data processing is carried out:

based on your consent;
for the purpose of fulfilling mutual obligations based on a contract;
for legitimate purposes with the aim of carrying out mutual business activities;
complying with other legal obligations.

PHOENIX Farmacija reserves the right to additionally process personal data in extraordinary situations in compliance with the legal framework, i.e. as part of legal proceedings or criminal investigations. We respect the specifics of each business relationship by applying all data protection measures. We also enable the exercising of the rights of each person whose data we process and the availability of all information in a clear manner, in accordance with the General Data Protection Regulation.

Limiting the purpose and reducing the amount of personal data

Personal data is processed exclusively for the purposes for which it is collected, we will not process them in a way that is inconsistent with the stated purpose and we will limit the collection of personal data to what is necessary in relation to the purposes for which they are processed.

Accuracy and limitation of personal data storage

We take all measures and actions to ensure that personal data is always accurate and up-to-date, and that it is stored only for as long as is necessary to fulfil the purpose for which it was collected.

Data security and integrity

PHOENIX Farmacija takes all reasonable steps to preserve the integrity and security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage by applying appropriate technical and organizational measures.

4. WHAT DATA DO WE COLLECT ABOUT YOU, WHY DO WE COLLECT IT AND HOW LONG DO WE KEEP IT FOR?

4.1 IF YOU ARE OUR BUSINESS PARTNER

On the basis of business cooperation, we collect data related mainly to the conclusion of contracts on distribution and storage, but also all other contracts that enable our operations and the execution of business processes: name, surname, address, personal identification number, telephone number, bank account number, e-mail address and others similar data. The legal basis for this processing is a concluded business cooperation contract or a legitimate interest. The collected data is stored for 11 years from the date of expiry of the business cooperation contract, i.e. in accordance with the legal provisions;
if you are a recipient of our marketing messages, we collect the following information: name and surname, title, organization and address of the organization, e-mail address, phone number. The purpose of collecting the data is to carry out the marketing activities of PHOENIX Farmacija. It is collected and processed on the basis of the voluntary consent of the recipients of the messages or on the basis of a legitimate interest. The data is kept until the recipient withdraws the consent or objects to receiving messages. The deadline for deleting data is 30 days from the day of receiving the request;
When organizing various forms of training intended for business partners, we collect the following: name and surname, e-mail address, address of the organization, personal identification number, membership number, information on whether the person is the owner of the organization or an employee. The purpose of processing the data is to provide training on new products and services on the market, and each participant voluntarily accesses online or live training. Data is stored until the user requests data deletion or in accordance with legal provisions. The deadline for deleting data is 30 days from the day of receiving the request. In order to use the Doctrina platform for online education, a contract is concluded with business partners, and data is deleted from the system upon request, but the contract storage period is 11 years;
Data on customer visits: an application that monitors the daily activities of professional sales associates in which they enter data on visiting customers. The following customer data is recorded: name and surname, name of the organization, phone number, e-mail address. The purpose of the processing is based on the contractual obligation and legitimate interests with the aim of achieving business cooperation, and the data is kept until the termination of the business cooperation;
Data on recipients of donations or sponsorships: name and surname, address. The purpose of processing the data is the payment of donations or sponsorships, and this is collected based on the voluntary request of the recipient of the donation or sponsorship and are necessary for concluding a donation or sponsorship contract. The collected data is stored for 11 years from the date of expiry of the donation or sponsorship contract;
If you are our new business partner, we perform due diligence through a special system. Selected future/potential business partners are subject to a due diligence process in order to avoid any legal, financial and reputational risks. The legal basis for this processing is a legitimate interest. For natural persons, the legal basis for data processing is based on their consent. The following data is collected: name and surname, contact information/e-mail address of the business partner, address, title, information on responsible persons, name and surname of the beneficial owners of the business partners. The processor is the company Compliance Solutions GmBH, and the data is automatically deleted from the system after 10 years from the date of entry;

4.2 IF YOU ARE A USER OF THE ADIVA LOYALTY CARD

You have joined the ADIVA loyalty program in an ADIVA pharmacy or through a mobile application, in which we collect the following personal data: name and surname, address, postcode and city, gender, date of birth, phone number, e-mail address and data on the purchase of medicines and other products.
The purpose of processing the data is to implement the ADIVA loyalty program for marketing and statistical purposes, based on data on the purchase of medicines and other products from ADIVA pharmacists. The ADIVA loyalty program includes the right to purchase benefits, such as reward points. The statistical purpose implies that the result of the processing is not personal data but aggregated data from which it is not possible to determine the identity of any individual.
Our partners – ADIVA pharmacies cooperate with PHOENIX Farmacija d.o.o. in the implementation of the ADIVA loyalty program and the processing of personal data as Processors (a list of all pharmacies that implement the ADIVA loyalty program is available on the website vjernizdravlju.adiva.hr or at https://vjernizdravlju.adiva.hr/Geolocation/PharmacyMap). We also entrust the processing of personal data to InSky Solutions d.o.o., Siget 14E, Zagreb,

a provider of IT services, and one of the Processors. Agreements on the processing of personal data have been concluded with the Processors, which oblige them to maximize the protection of the personal data of the users of the loyalty program.

Data is collected based on the voluntary consent of the user of the ADIVA loyalty card, and is kept until the user withdraws the consent or the ADIVA loyalty program is terminated. The deadline for deleting data is 30 days from the day of receiving the request. The ADIVA pharmacy, as the Processor, keeps your completed and signed consents in sealed envelopes for the shortest time possible until they are forwarded to PHOENIX Farmacija.
The personal data will be stored for the entire period of your participation in the ADIVA loyalty program, or until you withdraw your consent. If you withdraw your consent, your personal data will be deleted within 30 days from the date of receiving your request, unless the data needs to be stored for a certain period in accordance with regulations on companies, tax or other regulations.

4.3 IF YOU ARE A HEALTHCARE PROFESSIONAL WITH WHOM WE HAVE CONCLUDED A COPYRIGHT CONTRACT OR SOME OTHER TYPE OF BUSINESS COOPERATION

When concluding a copyright contract with healthcare professionals or during some other type of business cooperation, we collect the following personal data for a number of different purposes:
For concluding a copyright contract: name and surname, address, personal identification number, bank account number. The purpose of collecting this data is the conclusion of the copyright contract and the fulfilment of the associated obligations;
To check for a possible conflict of interest: name and surname, address, workplace, employer, phone number, mobile number, e-mail address, other appointments, jobs, business or professional interests, information about your political or public functions. We need your information to check for potential conflicts of interest. We perform this check in order to detect potential reputational, legal and/or financial risks to which we may be exposed in the business relationship. To process your data, we need your consent in accordance with Article 6 (1) (a) of the GDPR;
To provide monetary and non-monetary transactions: name and surname, title, address/place of work, date of birth, specialization, e-mail address. We need this information because we have provided you with a non-monetary or monetary benefit (or we expect it in the near future), and we are contractually obliged to disclose the provision of monetary and non-monetary benefits according to the EFPIA Disclosure Code and the Code of Conduct for Innovative Pharmaceutical Manufacturers in the Republic of Croatia. However, for an individual publication, we will ask for your consent to publish the data on the transfer of value;
To participate in lectures, congresses, etc., organized or sponsored by PHOENIX: name and surname, organization/place of work, signature. We process data on participants for the purpose of reports related to transparency and compliance in relation to cooperation with healthcare professionals. We base this data processing on our contract with you (Article 6 (1) (b) of the GDPR) and our legitimate interest (Article 6 (1) (f) of the GDPR);
To carry out business partner due diligence and sanctions compliance checks: contact information, information about your work or education, information about your political or public functions, details about your activity for PHOENIX. We perform this check in order to detect any potential reputational, legal and/or financial risks to which we may be exposed in the business relationship. No decision is made based solely on automated data processing. To process your data, we need your consent in accordance with Article 6 (1) (a) of the GDPR;
To interact with you: We need your contact information to respond to your inquiries and provide information when you request it or when we believe our products and services may be of interest to you. If we intend to share electronic marketing messages with you, we will ask for your consent where necessary and you can opt out at any time; to invite you to provide us with feedback, participate in research, surveys or attend events;
when planning engagements with sales representatives or liaisons within the medical sciences; to report adverse events that you have informed us about;

to perform analytics, market research and segmentation to improve our products and services and our communications with you.

We store the personal data we collect about you in a secure environment. Your personal data is protected from unauthorized access, disclosure, use, alteration or destruction by any organization or individual.
PHOENIX, the affiliated companies and our service providers selected by PHOENIX may process your data; however, PHOENIX ensures that all transmitted personal data remains protected and secure. We use an external service provider to conduct due diligence and verify sanctions compliance of our business partners.

Please note that in some cases we are contractually obliged to share your data with our business partners with whom we have concluded contracts on exclusive distribution.

PHOENIX Farmacija will not retain your personal data for longer than the period for which the data is necessary to fulfil the purpose of its use. After that, your personal data will be deleted, unless the data needs to be stored for a certain period in accordance with regulations on companies, tax or other regulations.

For example, your information about a non-monetary or monetary benefit may be publicly available for 3 years. We are obliged to keep records of business events related to published value transfers in accordance with the current Croatian regulations on data management and processing, and we will keep the relevant data for at least 5 years from the end of the respective reporting period. The collected data related to a copyright contract is kept for 11 years from the date of expiry of the contract.

4.4 IF YOU ARE OUR POTENTIAL EMPLOYEE

When you send us an open application for the purpose of a potential employment relationship and possible future employment, we will use your data such as name and surname, e-mail address, home address, phone number, information on education and all other information stated in the CV for the purpose of creating a database of potential candidates for employment. Open applications that we receive from you represent a clear affirmative action by which you have expressed your voluntary and unequivocal consent to the processing of your data for the purpose of potential employment. We store the received data for a period of two years from the date of receiving the open application, if you do not request the deletion of your data earlier. After 2 years, the data will be deleted automatically.
When a job vacancy is advertised via websites or other media (for example: a portal specialized in advertising job vacancies), we have the legitimate right to archive your personal data for a period of 30 days from the end of the selection process, and personal data will be deleted after 30 days if you have not given your consent for the collection and processing of data for possible future employment.
Based on the consent of the candidate, and as part of the employment program, i.e. for possible employment in the future, we can store the candidate’s personal data for two years from the date of consent. After the expiry of the specified period, the candidates’ personal data will be permanently deleted, unless you have withdrawn your application earlier. The data collected includes: name and surname, address, gender, date and place of birth, level of professional education, profession, work experience, completed education, phone number, e-mail address, knowledge and skills, photo and other data listed in the CV. The processor is the company AdoptoTech d.o.o. with its registered seat in Ljudevita Posavskog 34a, 10000 Zagreb, Croatia.
If psychological testing is required for a job position, the data we collect includes: name, surname and the results of the psychological testing. Psychological testing is an objective method of candidate evaluation that is carried out for the legitimate interest of PHOENIX Farmacija, and for the purpose of checking who, in terms of personal competencies, is the most suitable for the respective job position. Psychological testing is performed in accordance with the rules of the profession and is performed by an authorized psychologist who is an employee of PHOENIX Farmacija. Data is kept for the duration of the employee’s employment relationship. In addition, the authorized psychologist is obliged to keep your data secret.
Personal data can be collected by an employment agency, as well as from other publicly available business sites such as LinkedIn. Sometimes it will be justified for PHOENIX Farmacija to perform a preliminary screening of potential candidates based on a legitimate interest. As a rule, this will be justified when, due to the nature of the job, it is necessary to check the candidate’s information on social networks, for example in order to assess the special risks associated with the candidates for a certain job position, whereby the candidate has the right to object to such processing.
If an employment contract is to be concluded with the selected candidate, PHOENIX Farmacija shall collect certain other data from the candidate which the company has a legal obligation to collect, and the candidate will be specifically informed thereof.

4.5 IF YOU ARE A USER OF OUR PHARMACY SERVICES

When issuing prescription drugs in our pharmacies, regardless of whether the prescription is in paper or electronic form, we collect: patient’s name, surname and address, personal identification number, identity number of the insured person, supplementary insurance policy number, date of birth, gender, country of insurance, doctor’s name and surname, identification number, address of the health institution that prescribed the medicine, diagnosis and information about the prescribed medicine for a number of different purposes:
- Register of Prescription Copies: contains the name and surname of the patient and doctor. The records are kept in electronic form based on the Ordinance on the Criteria for Classifying Medicines and the Method of Prescribing Prescription Medicines, and in accordance with the Rules of Good Pharmacy Practice (Article 21) they are kept for 5 years.
- Register of Narcotics, i.e. record of receiving and dispensing narcotic drugs: contains the name and surname of the patient, the name and surname of the doctor and the name, surname, address and identity card number of the person picking up the medicine. The records are kept in electronic form and are stored for a period of 10 years. Copies of prescriptions are kept in locked metal cabinets and are destroyed with a paper shredder after the storage period has expired. The keeping of these records is defined by the following acts:
  - Ordinance on the Criteria for Classifying Medicines and the Method of Prescribing Prescription Medicines (Articles 30, 31, 38 and 40)
  - Ordinance on the Conditions and Methods of Dealing with Narcotics and Psychotropic Substances (Article 20)
  - The Rules of Good Pharmacy Practice (Articles 13 and 15, Article 21 and Annex 3)
  - Act on the Suppression of Narcotic Drug Abuse.
- Invoiced paper prescriptions: after invoicing, the prescriptions become part of the accounting documentation, which is kept for 11 years. The retention period is prescribed by the Accounting Act, Article 10, which defines the retention of accounting documents or due to the possibility of litigation. The prescriptions are kept in locked metal cabinets, and access is allowed only to authorized persons. When invoicing, the data is forwarded to the Croatian Health Insurance Institute, which is our contractual partner.
- Uninvoiced paper prescriptions: until invoicing to the Croatian Health Insurance Institute, they are kept in a locked cabinet and cannot be accessed by third parties who are not employees of the pharmacy.
- Certificates: Record keeping is regulated by the Ordinance on Orthopaedic and Other Aids, Article 13 (3), and the data must be kept for 11 years.
- European Health Insurance Card: as an insured person of the Croatian Health Insurance Institute, you are entitled to a European Health Insurance Card, which enables you to use services during a temporary stay in EU countries, Norway, Iceland and Liechtenstein, and Switzerland. The data stated on the card includes: name and surname, personal identification number, serial number of the card, date of validity of the card. When you receive medicines abroad, your data will be recorded in the country of treatment in accordance with the EU General Data Protection Regulation, the laws and operational practices of pharmacies of that country. What is the purpose of processing your data? Prescription data is only processed for the purpose of dispensing medicines. In some European countries, however, under certain conditions, your data may be used for other purposes, which are regulated by law. Such purposes include, for example, the collection of statistical data and its monitoring and research in order to improve quality. The country processing the data for these secondary purposes has the obligation to ensure the protection of the data in an appropriate way, for example by anonymization. In Croatia as the country of residence, the doctors prescribing prescriptions, CEZIH as the central national system and NCP involved in communication have a recording mechanism while your data may be stored in the information systems of health institutions. Copies of the European Health Insurance Card: personal data from the copy of the European Health Insurance Card are used for the purpose of billing the medicine from the Croatian Health Insurance Institute, according to the issued prescription, and patients confirm that they are familiar with and agree to this by signing their consent;
- Patient card: the legal basis for data collection is the legitimate interest of the Controller and is justified by health purposes, such as public health and the management of healthcare services. Archiving is necessary in order to provide adequate pharmaceutical care (whether the patient picks up their medicines on time, insight into changes in the patient’s therapy – dosage and form, information about the size and type of orthopaedic device that was previously taken over);
- Data on patients related to the interventional import of medicine: name and surname, gender, address, date of birth, personal identification number, health insurance number, name and surname of doctor, name of institution, special category of personal data related to health: diagnosis, symptoms of illness, history of illness. The purpose of the processing is the interventional import of prescription medicines, the data is stored for a period of 5 years from the date of issuing the prescription. Personal data is available for inspection by responsible persons within the company, the pharmacy that receives and forwards the prescription for interventional import and the Agency for Medicinal Products and Medical Devices, Ksaverska 4, 10000 Zagreb.

4.6 IF YOU REPORT SIDE EFFECTS RELATED TO THE USE OF MEDICINES

In its daily operations, PHOENIX Farmacija represents companies that develop and market prescription and non-prescription medicines, medicinal products and cosmetics. Based on this business cooperation, but primarily for the purpose of protecting the public interest in the field of public health or the key interests of patients, as in the case of reporting a side effect related to the use of a medicine, PHOENIX Farmacija will process your data if you report a side effect of a medicine (a side effect is any unwanted, accidental or harmful phenomenon associated with the use of a certain medicine). Such monitoring of side effects is called pharmacovigilance, and within the framework of the pharmacovigilance program, PHOENIX Farmacija is legally obliged to collect certain data about the patient and/or the person reporting the side effect:
if you are a patient: we may collect your name and surname and/or initials, date of birth, age group, gender, weight, height. We also collect data that is considered particularly sensitive personal data, namely data about health, i.e. medical history and current state of health. Health data is only processed when it is important and necessary for the proper documenting of side effects and to fulfil requirements in the field of pharmacovigilance. In addition to personal data, we may also collect information about the product that caused the side effect, including the dose that you are taking or that was prescribed to you, the reason why you are taking the product or why it was prescribed to you and any subsequent changes in your usual medication schedule, as well as information about side effects that you had, the therapies you received to treat those side effects and any other long-term consequences of those side effects for your health;

if you are reporting a side effect, the information we may collect includes your name, contact information (which may include your address, e-mail address or phone number), occupation (this information may determine the questions you will be asked about the side effect, depending on your presumed level of medical knowledge) and the relationship with the person experiencing the side effect.
In fulfilling our pharmacovigilance obligations, we may share and/or disclose personal data in order to contact you for additional information about the side effect you have reported with certain business partners whose products we market to investigate the side effect, for the purpose of linking information about the side effect with information about other side effects that we have received and with the competent regulatory authorities regarding the reporting of suspected side effects.
Given that patient safety is extremely important, we keep all the information we collect about you as part of collecting reports on side effects so that we can properly assess the safety of product use over time, and the data is kept for a minimum of 10 years from the date of receiving the report, with the note that for legal reasons, we cannot delete the information we have collected as part of reporting side effects, that is, we cannot comply with your request for the deletion or correction of data within the specified period, unless the data is incorrect.

4.7 IF YOU VISIT OUR BUSINESS CENTERS/VIDEO SURVEILLANCE

When you visit our headquarters, upon entering the building, we collect your name and surname and the name of the company you work for, for the purpose of protecting property and people and controlling movement in and around our facilities. The processing of this data is based on a legitimate interest, and only responsible persons have access to the data. The data will be stored in the PHOENIX Farmacija system for a period of 30 days and will be deleted after the period has expired. An exception is the storage of data of persons who have been granted access to the storage space for the purpose of maintaining it. In accordance with the provisions of the Good Distribution Practice, the data is retained for a period of 5 years from the date of entry in the entry/exit book, after which it is deleted.
In order to protect property, employees and visitors, each of our branches has a video surveillance system installed. The legal basis for processing this data, which includes recordings of visitors, employees and the facility, is based on the Act on the Implementation of the General Data Protection Regulation (Article 30) and the Occupational Safety Act (Article 43), but also on the legitimate interest of the Controller. Video surveillance does not cover, that is, it is prohibited to establish surveillance over rooms for personal hygiene and changing rooms. Rooms that are under video surveillance are marked with adequate signs that unambiguously let all employees and third parties know that the room is under video surveillance before the person enters the parameter. Notices are displayed in visible places and contain all the necessary information. Data obtained through the use of video surveillance in accordance with the provisions of the Act on the Implementation of the General Data Protection Regulation is adequately protected because only authorized persons have access. Third parties do not have access. The data can be provided to competent authorities at their request. The recordings are stored on a password-protected server, in a room with controlled access, and are permanently deleted after 90 days from the date of creation, except in cases where they are necessary for proceedings before competent authorities.

5. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM?

Right of access to personal data

At any time, you can exercise your rights related to the protection of personal data according to Article 15 (1) of the GDPR. You can request information from the Controller about the purposes for which the personal data is processed, the categories of personal data that are processed, the recipients or categories of recipients to whom your personal data has been or is still being made available, the expected period in which your personal data will be stored, and the existence of automated decision-making including the creation of a profile from Article 22 (1) and (4) of the GDPR. If personal data is transferred to a third country or an international organization, you have the right to be informed about the appropriate protective measures in accordance with Article 46 of the GDPR associated with the transfer.

Right to the rectification (amendment, change) of incorrect personal data

You have the right to request the rectification of incorrect personal data relating to you. Taking into account the purposes of the processing, you have the right to supplement incomplete personal data, including by providing an additional statement.

The right to be forgotten, i.e. erasure of personal data

You also have the right to have your personal data erased if one of the following conditions is met:

personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
you withdraw the consent on which the processing is based in accordance with Article 6 (1) (a) or Article 9 (2) (a) of the GDPR and if there is no other legal basis for processing;
personal data has been processed unlawfully;
personal data must be deleted in order to comply with a legal obligation;
if we have published any personal data, and we have the obligation to delete the data, we shall take any reasonable measures, taking into account the available technologies and implementation costs, to inform third parties that process personal data that the data subject has requested that all links to them or copies or reconstructions of the data be deleted.

Right to restrict processing

You have the right to request the restriction of processing if one of the following conditions is met:

you dispute the accuracy of the personal data;
the processing is unlawful and you object to the erasure and instead request the restriction of the use of personal data;
the controller no longer needs personal data for processing purposes, but you, as the data subject, request them in order to establish, fulfil or defend legal claims;
You have objected to processing related to profiling based on Article 21 (1) of the GDPR, and it has not yet been determined whether the legitimate reasons of the controller exceed your reasons.

Right to object to the processing of personal data

Under the assumptions from Article 21 (1) of the GDPR, you can object to the processing of data based on your specific situation.

The aforementioned general right of objection is valid for all the processing purposes described in these data protection provisions, which are based on Article 6 (1) (f) of the GDPR. In contrast to the processing of data for the purposes of direct marketing and the right to object to such processing, according to the General Data Protection Regulation, we are only obliged to follow up on a general objection to data processing if you state reasons that are of great importance, for example there is a possible danger to life or health. In addition to the above, you can contact the Data Protection Agency or the Data Protection Officer appointed by us.

Right to data portability

You have the right to receive personal data relating to you, which you have provided to us yourself, in a structured, commonly used and machine-readable format, and the right to transfer that data to another controller without interference from us if:

processing is based on consent in accordance with Article 6 (1) (a) or Article 9 (2) (a) of the GDPR or a contract in accordance with Article 6 (1) (b) of the GDPR and if the processing is carried out by automated means.

When exercising your rights to data portability, you have the right to a direct transfer from one data controller to another if this is technically feasible.

You can submit all your questions and requests regarding the processing of your personal data by PHOENIX Farmacija and the exercising of your rights in writing to the following address:

PHOENIX Farmacija d.o.o., Ozaljska 95, 10000 Zagreb

to the PHOENIX Farmacija d.o.o. Data Protection Officer to the e-mail address:

dpo@phoenix-farmacija.hr

PHOENIX Farmacija d.o.o. is obliged to respond to your request within 30 days from the day of receiving your request.

If you suspect a violation in the process of processing your personal data, you have the right to file a complaint with the supervisory authority – Personal Data Protection Agency, Martićeva 14, 10000 Zagreb.

PHOENIX Farmacija d.o.o. ensures that, in the event of a breach of personal data, without undue delay, and if feasible, no later than 72 hours after becoming aware of the breach, it notifies the Personal Data Protection Agency, unless it is likely that the breach of personal data will cause a risk to the rights and freedoms of the individual.

In accordance with the provisions of the Data Protection Regulation, we will notify the data subjects of a breach of personal data without undue delay.

6. HOW WE SHARE DATA

Personal data may be forwarded within the PHOENIX Group to our parent company PHOENIX Pharmahandel GmbH & Co as the sole founder of PHOENIX Farmacija d.o.o.

Your data may also be forwarded to trusted third parties, whom we have entrusted to perform certain tasks on our behalf. The data will be only forwarded to such third parties to the extent necessary for them to be able to perform their duties, and we require them not to use the data for any other purpose. We will always make sure that any third parties we work with secure your personal data as much as possible. Your personal data will not be transferred to third countries that are not bound by the General Data Protection Regulation.

The recipients can also be processors. If necessary, and in accordance with the restrictions prescribed by the Regulation, other entities (e.g. IT service providers) may be involved in data processing. A contractual relationship is arranged with such entities and it is ensured that personal data is protected in an appropriate manner and in accordance with the requirements of the Regulation.

If PHOENIX Farmacija d.o.o. determines the purposes and means of personal data processing together with other entities, it shall constitute a joint controller with such entities. In that case, we will determine the responsibilities for compliance with the obligations from the Regulation in a transparent manner, with special attention to exercising the rights of the data subjects.

PHOENIX Farmacija d.o.o. complies with the legal provisions in every segment of its business operations. Accordingly, we may also share your personal information if, in good faith, we believe we need to do so for the following reasons:

pursuant to orders from appropriate law enforcement agencies, legislatures, courts and other public institutions, including requests related to national security or law enforcement;
compliance with any law, regulation, subpoena or order;
investigating and preventing security threats, fraud or some other criminal or malicious activity.

7. MEASURES FOR THE PROTECTION OF YOUR DATA

PHOENIX Farmacija d.o.o. protects your data. To prevent the unauthorized access or disclosure of data and to ensure its appropriate use, we use reasonable and appropriate physical, technical and administrative procedures to protect data. In order to prevent the unauthorized use or disclosure of personal data, we have implemented security measures and procedures to protect personal data from loss, misuse, unauthorized access, transfer, alteration or destruction.

All our employees have attended training on the protection of personal data and signed a Confidentiality Statement in which they undertake to protect the personal data they have access to. PHOENIX Farmacija d.o.o. adopted the Rules on Personal Data Protection.

8. AMENDMENTS TO THE PRIVACY POLICY

The Privacy Policy may be amended from time to time to reflect changes in the way we process personal data. Any changes will remain fully compliant with the applicable law. We will publish any changes to the Privacy Policy on our website with the updated revision date. This Privacy Policy was updated in December 2022.

About cookies