General Notice on the Processing of Personal Data

Version 1, September 2020, Zagreb, Republic of Croatia

About us

We are the company MEDILAB ONE vanjska i unutarnja trgovina, d.o.o. (hereinafter: “MEDILAB ONE”, “we”, “our”) with registered seat at Hondlova 2/11, 10 000 Zagreb, Croatia, PIN: 43021489625.

Also, we are a leading company in the field of diabetes control products, an exclusive agent of world brands and a distributor of top products for chronic diseases.

If you have questions regarding the processing and protection of your personal data, as well as questions regarding this General Notice on the Processing of Personal Data (hereinafter: “General Notice”), feel free to contact our data protection officer via the following available contacts:

  • In writing: Hondlova 2/11, 10 000 Zagreb, Croatia
  • E-mail: zop@medilabOne.com
  • Call: 0800 600 900

Overview of important terms

In order to fully understand our General Notice, we kindly ask you to read carefully the definitions of the terms listed below. These terms are used in this General Notice and are important for understanding the information we provide to you in it.

General Regulation means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Personal data means any information relating to an identified or identifiable natural person (data subject);

Data subject means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the personal data processing;

Joint controllers means two or more controllers who jointly determine the purposes and means of personal data processing;

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Supervisory Authority means an independent public authority which is established by a Member State; in the Republic of Croatia this authority is the Personal Data Protection Agency (AZOP), Selska cesta 136, 10 000 Zagreb, Croatia;

European Union (EU) means an intergovernmental and supranational organization of 27 European countries whose objectives are the economic and political integration of the European continent;

International organization means an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Information about the General Notice

In this General Notice you can find all important information about the processing and protection of your personal data in our business processes, all as prescribed by the provisions of the General Regulation regarding transparency and provision of information to data subjects.

This General Notice applies almost entirely to MEDILAB ONE in the role of a controller in relation to your personal data. Situations where we are in the role of the processor in relation to your personal data are specifically indicated in this General Notice.

Also, all important information on the processing and protection of personal data of our employees can be found in a special Notice on the processing of personal data for employees, which is a part of our internal documentation.

The General Notice contains the following information:

  • Our name, the address of our registered seat and our PIN,
  • Contact details of our data protection officer,
  • Categories of data subjects whose personal data we process,
  • Categories of personal data we process,
  • Purposes and legal grounds of personal data processing that we perform,
  • Explanation of legitimate interest as the legal ground for personal data processing,
  • Categories of recipients of personal data,
  • Description of the rights of the data subject and manners of exercising them,
  • Explanation of the transfer of personal data to third countries or international organizations,
  • Explanation of profiling and automated decision-making on the basis of personal data processing,
  • List and description of the safeguards we implement,
  • List of the criteria for determining the storage period of personal data,
  • Other important information that we are obliged to provide to you under the General Regulation.

We will inform you about changes and/or additions to the information in the General Notice in a timely manner and through our regular means of communication (via e-mail, website and the like).

All terms used in the General Notice that have a gender meaning, whether used in the masculine or feminine gender, refer equally to the masculine and feminine genders.

Categories of data subjects, categories of personal data, purposes and legal grounds of personal data processing

In order to make it easier to find the requested information, we provide it in relation to the categories of data subjects (candidates for employment, candidates for external associates, candidates for student work, users of our products, recipients of our notices as representatives of health institutions, responsible and contact persons of our corporate clients and business partners, senders of inquiries) and for those categories of data subjects we list the categories of personal data that we collect and process, as well as the purposes and legal grounds of processing.

Candidates for employment, candidates for external associates and candidates for student work

If you are interested in working/collaborating/doing student work at/with MEDILAB ONE, we collect and process your personal data, which you have provided to us during the initial communication or by sending your CV and other supporting documentation (for example, applications, letters of recommendation and the like).

We collect and process the following categories of your personal data:

  • Identification data: name and surname.
  • Location data: address (street and house number, zip code and city).
  • Contact data: phone and/or mobile phone number, e-mail address.
  • Data on education/training: completed levels of education, currently attended study programs (for candidates for student work), additionally completed education or training, participation in conferences and projects, etc. (varies depending on the data provided in the CV and supporting documentation of the candidate).
  • Data on work experience/experience on student jobs: previous jobs/student jobs, previous employers, periods of work/performance of student jobs with previous employers, descriptions of previous work tasks, etc. (varies depending on the data provided in the CV and supporting documentation of the candidate).
  • Data on personal characteristics/skills: language knowledge, communication skills, organizational skills, managerial skills, business skills, digital skills, driver's license category and the like (varies depending on the information provided in the candidate’s CV and supporting documentation).
  • Other data: photo (if included in the candidate’s CV or supporting documentation), other personal data included in the CV and other supporting documentation.

We process those personal data for the following purposes and on the basis of the following legal grounds:

  • For the purpose of establishing initial contact (communication) through selected channels (for example e-mail, telephone/mobile phone, etc.). For example, when we receive your contact information indirectly (via a recommendation) or when you send us your CV and supporting documentation containing your contact data, we process it in order to establish initial contact (communication) with you. In that case, the legal ground for the processing of your personal data is our legitimate interest (Article 6(1)(f) of the General Regulation).
  • In order to take the necessary actions to select the best candidate, i.e. gaining insight into the CV and other supporting documentation received, selection of candidates for a job/cooperation/student work interview, organization of the interview, conducting the interview and subsequently contacting the candidate regarding the outcome of this interview. For example, upon receipt of your CV and other supporting documentation, we gain insight into (process) your personal data in order to select the most appropriate candidates for a job/cooperation/student work interview. In that case, the legal ground for the processing of your personal data is our legitimate interest (Article 6(1)(f) of the General Regulation).
  • For the purpose of further storage (retention) of your personal data, i.e. CVs and supporting documentation for possible future employment/cooperation/student jobs. For example, you may have sent us your CV and supporting documentation on your own initiative at a time when we do not need a new employee/external associate/student, but we want to keep your personal data, i.e. your CV and supporting documentation, for possible future contact in case a new employee/external associate/student is needed. In that case, the legal ground for the processing of your personal data is your consent (Article 6(1)(a) of the General Regulation).
  • For the purpose of fulfilling our legal duties, i.e. compliance with applicable regulations and cooperation with competent authorities and services. For example, when competent state authorities are carrying out legal supervision of our business operations, they gain insight into all our documentation, including insight into your CVs, i.e. your personal data included in them. In that case, the legal ground for the processing of your personal data is compliance with our legal obligations (Article 6(1)(c) of the General Regulation).

Users of our products

If you are a user of products that we represent and distribute, we collect and process your personal data that you have provided to us (for example through a warranty card), that we have collected through certain documentation (for example through certificates of entitlement) and that we have learned in the course of our relationship (for example through communication with you).

We collect and process the following categories of your personal data:

  • Identification data: name and surname, date of birth, age, sex, PIN, identification card number, insurance policy number, identification number, tax number.
  • Location data: address (street and house number, zip code and city).
  • Contact data: phone number, mobile phone number, e-mail address.
  • Health data: type of diabetes (type 1, type 2, gestational diabetes, other), glucose self-monitoring device (glucose meter, FGM + glucose meter, CGM + glucose meter, other), daily number of glucose meter measurements (less than 1, 1, 2, 3, 4, 5 or more), therapy (insulin, pills, insulin and pills, insulin pump, other), daily insulin therapy (1, 2, 3, 4, 5 and more).
  • Other data: the status of the user in the software, the serial number of the user's device, the number of devices owned by the user, data on supplementary insurance and the like (data vary depending on the type of personal data processing).

The aforementioned categories and individually listed personal data represent most of the categories and personal data we collect and process in relation to the users of our products. However, not every individual item of personal data that we may process is listed, nor are the exact sets of personal data that we process, as these depend on the purpose and the legal grounds of the personal data processing.

The collected and processed personal data may vary from user to user, or from one processing operation to another, depending on the purpose of the personal data processing.

Therefore, we do not necessarily collect all of the above personal data about you as a user of our products, but only certain personal data that are appropriate, relevant and necessary in relation to the purposes for which they are processed.

For more information about exactly what personal data we process in relation to you, you can contact us at our contacts listed in point one ("About us") of this General Notice.

We process those personal data for the following purposes and on the basis of the following legal grounds:

  • For the purpose of enabling the exercise of rights under a warranty. For example, when you provide us with your identification data via a warranty card, along with the serial number of the product (device), we process it in order to give you (at your request) a free replacement product (device). In that case, the legal ground for the processing of your personal data is performance of a contract (Article 6(1)(b) of the General Regulation).
  • For the purpose of selling retail goods (products) based on certificates of entitlement of the Croatian Institute for Health Insurance. For example, we process your personal data from the certificate of entitlement of the Croatian Institute for Health Insurance in the software so that we can issue you the goods (products) listed in the certificate of entitlement. In that case, the legal ground for the processing of your personal data is compliance with our legal obligations (Article 6(1)(c) of the General Regulation).
  • For the purpose of carrying out our marketing activities, which include informing about special benefits for our loyal customers and users, sending educational brochures, informing about new products and offers, informing about news in relation to existing products, informing about our promotions and sending free promotional materials. For example, we process your e-mail address (contact data) you have provided to us through consent in order to inform you about our new products and offers through the relevant communication channel. In that case, the legal ground for the processing of your personal data is your consent (Article 6(1)(a) of the General Regulation).
  • For the purpose of providing administrative and customer support and services to users of our products. For example, depending on the source of your personal data, we enter them in our software that makes it easier for us to provide administrative and customer support in connection with possible problems with products. In that case, the legal ground for the processing of your personal data is our legitimate interest (Article 6(1)(f) of the General Regulation).
  • For the purpose of fulfilling our legal duties, i.e. compliance with applicable regulations and cooperation with competent authorities and services. For example, when competent state authorities are carrying out legal supervision of our business operations, they gain insight into all our documentation and data, including insight into your personal data. In that case, the legal ground for the processing of your personal data is compliance with our legal obligations (Article 6(1)(c) of the General Regulation).

In order to implement and organize our business processes more effectively, we use certain software in which, among other things, we enter some of your personal data.

For more information on software in which we process your personal data, you can contact us at our contacts listed in point one ("About us") of this General Notice.

Recipients of our notices as representatives of health institutions

If you are a representative (contact person) of a health institution and we established contact at an event, seminar, training course, etc., we collect and process your personal data that you have provided to us during our communication, or that you have entered in the consent you gave us.

We collect and process the following categories of your personal data:

  • Identification data: name and surname, title.
  • Location data: work location, street and house number at the work location.
  • Contact data: phone and/or mobile phone number, e-mail address.
  • Employment data: name of the health institution you work at.

We process those personal data for the following purposes and on the basis of the following legal grounds:

  • In order to provide the latest information from our field of activity (for example, informing about new products, informing about news in relation to existing products, etc.) and in order to include you in our marketing activities (for example, contacting you about research, sending invitations to seminars and training courses, etc.). For example, we process your e-mail address (contact data) you have provided to us through consent in order to inform you about our new products and offers through the relevant communication channel. In that case, the legal ground for the processing of your personal data is your consent (Article 6(1)(a) of the General Regulation).
  • For the purpose of more effective implementation and organization of our business processes. For example, we enter your personal data into our software that makes it easier for us to carry out our marketing activities. In that case, the legal ground for the processing of your personal data is our legitimate interest (Article 6(1)(f) of the General Regulation).
  • For the purpose of fulfilling our legal duties, i.e. compliance with applicable regulations and cooperation with competent authorities and services. For example, when competent state authorities are carrying out legal supervision of our business operations, they gain insight into all our documentation and data, including insight into your personal data. In that case, the legal ground for the processing of your personal data is compliance with our legal obligations (Article 6(1)(c) of the General Regulation).

In order to implement and organize our business processes more effectively, we use certain software in which, among other things, we enter some of your personal data.

For more information on software in which we process your personal data, you can contact us at our contacts listed in point one ("About us") of this General Notice.

Responsible and contact persons of our corporate clients

If you are a responsible or contact person at our potential or existing corporate client, we collect and process your personal data depending on the needs of our potential or existing business relationship. We collect and process those personal data that you have provided to us during the initial communication or that we have collected during the establishment and maintenance of our business relationship.

We collect and process the following categories of your personal data:

  • Identification data: name and surname.
  • Contact data: phone and/or mobile phone number, e-mail address.
  • Employment data: relationship with the corporate client (founder, director, employee, etc.).
  • Other data: company name of the corporate client.

We process those personal data for the following purposes and on the basis of the following legal grounds:

  • For the purpose of establishing initial contact (communication), as well as for the purpose of further regular communication through selected channels (for example e-mail, telephone/mobile phone, etc.). For example, if you are a contact person of our corporate client, we process your personal data as part of regular activities within our business relationship, such as regular business communication, organization of meetings, answering inquiries and the like. In that case, the legal ground for the processing of your personal data is our legitimate interest (Article 6(1)(f) of the General Regulation).
  • For the purpose of exercising the rights and obligations from the contractual relationship with the corporate client. For example, if you are a responsible person representing our corporate client and you are in charge of signing the client's business documentation, we process your personal data so that we can establish a business relationship with the corporate client. In that case, the legal ground for the processing of your personal data is our legitimate interest (Article 6(1)(f) of the General Regulation).
  • For the purpose of sending season’s greeting cards, gifts, notices and invitations as part of the business relationship with a corporate client. For example, if you are a contact or responsible person with our corporate client and we have regular business cooperation with you, we process your personal data in order to send a season’s greeting card and gift. In that case, the legal ground for the processing of your personal data is our legitimate interest (Article 6(1)(f) of the General Regulation).
  • For the purpose of fulfilling our legal duties, i.e. compliance with applicable regulations and cooperation with competent authorities and services. For example, when competent state authorities are carrying out legal supervision of our business operations, they gain insight into all our documentation, including insight into documentation containing your personal data with regard to your role as a contact or responsible person of our corporate client. In that case, the legal ground for the processing of your personal data is compliance with our legal obligations (Article 6(1)(c) of the General Regulation).

Responsible and contact persons of our corporate business partners

If you are a responsible or contact person at our potential or existing corporate business partner, we collect and process your personal data depending on the needs of our potential or existing business (partner) relationship. We collect and process those personal data that you have provided to us during the initial communication or that we have collected during the establishment and maintenance of our business (partner) relationship.

We collect and process the following categories of your personal data:

  • Identification data: name and surname.
  • Contact data: phone and/or mobile phone number, e-mail address.
  • Employment data: relationship with the corporate business partner (founder, director, employee, etc.).

We process those personal data for the following purposes and on the basis of the following legal grounds:

  • For the purpose of establishing initial contact (communication), as well as for the purpose of further regular communication through selected channels (for example e-mail, telephone/mobile phone, etc.). For example, if you are a contact person of our corporate business partner, we process your personal data as part of regular activities within our business (partner) relationship, such as regular business communication, organization of meetings, answering inquiries and the like. In that case, the legal ground for the processing of your personal data is our legitimate interest (Article 6(1)(f) of the General Regulation).
  • For the purpose of exercising the rights and obligations from the contractual relationship with the corporate business partner. For example, if you are a responsible person representing our corporate business partner and you are in charge of signing the partner's business documentation, we process your personal data so that we can establish a business relationship with the corporate business partner. In that case, the legal ground for the processing of your personal data is our legitimate interest (Article 6(1)(f) of the General Regulation).
  • For the purpose of fulfilling our legal duties, i.e. compliance with applicable regulations and cooperation with competent authorities and services. For example, when competent state authorities are carrying out legal supervision of our business operations, they gain insight into all our documentation, including insight into documentation containing your personal data with regard to your role as a contact or responsible person of our corporate business partner. In that case, the legal ground for the processing of your personal data is compliance with our legal obligations (Article 6(1)(c) of the General Regulation).

Inquiry senders

If you send us an inquiry using the e-mail link or the contact form on our website, or you have obtained our contact details in any other way, we collect and process your personal data. We collect and process those personal data that you have provided to us during the initial communication or that we have collected during our communication.

We collect and process the following categories of your personal data:

  • Identification data: name and surname, sex, age group.
  • Contact data: phone and/or mobile phone number, e-mail address.
  • Other data: the content of the communication (if it contains personal data).

We process those personal data for the following purposes and on the basis of the following legal grounds:

  • For the purpose of establishing contact and answering your inquiry. For example, if you send us an inquiry by e-mail, we process your contact data so that we can give you a complete and accurate answer to your inquiry through the requested communication channel. In that case, the legal ground for the processing of your personal data is our legitimate interest (Article 6(1)(f) of the General Regulation).
  • For the purpose of fulfilling our legal duties, i.e. compliance with applicable regulations and cooperation with competent authorities and services. For example, when competent state authorities carry out legal supervision of our business operations, they gain insight into our entire business operations, including the data we have collected based on your sent inquiry and our further communication. In that case, the legal ground for the processing of your personal data is compliance with our legal obligations (Article 6(1)(c) of the General Regulation).

Cookies on the website

We use cookies on our website www.medilabOne.com. For more information on the cookies we use and how to manage them, please read our Cookie Policy.

Social networks

MEDILAB ONE has accounts on some social networks, which can be accessed (among other things) through links on our website.

Currently, we have accounts on the following social networks:

all for the purpose of promoting our activities, getting in touch and communicating with potential and existing users of our products, clients and the like.

Our website contains links that lead to our accounts on social networks, whose privacy policies may be different from ours. All information and materials that you provide to us through social networks, as well as all communication that takes place through social networks, is done at your own risk. MEDILAB ONE is not responsible for the actions of social network users, nor for the actions of the social network itself. Your interaction with the social network in relation to the processing of your personal data is governed by the privacy policy of that social network.

You can find out more about the privacy policies of the social networks we use at the following links:

Legitimate interest as the legal ground for the processing of your personal data

MEDILAB ONE uses legitimate interest as the legal ground for certain processing of your personal data. In the previous sections of this General Notice, we state for which categories of data subjects and personal data and for which purposes we use legitimate interest as legal grounds.

Before processing your personal data on the legal ground of our legitimate interest, we take into account your interests and fundamental rights and freedoms, as well as your reasonable expectations about the processing of personal data in our mutual relationship.

In order to demonstrate the existence of our legitimate interest, we conduct a legitimate interest assessment separately for each personal data processing where legitimate interest is the legal ground of processing. The legitimate interest assessment consists of three parts: the purpose test, the necessity test and the balancing test, and all three parts must have a positive outcome in order for us to be able to use legitimate interest as the legal ground for the processing of personal data.

Therefore, our legitimate interest may be different, depending on the business process, i.e. the personal data processing.

If you wish to inspect the conducted legitimate interest assessment, which relates to the processing of your personal data, you can contact us at our contacts listed in point one ("About us") of this General Notice.

Your obligation to provide personal data

If the provision of personal data is your legal or contractual obligation, or a requirement necessary to enter into a contract, we will clearly inform you at the place of collection of your personal data whether the provision of personal data is mandatory or not and what the possible consequences are if you do not provide personal data.

Profiling and automated decision-making

Our current business processes in which your personal data is processed do not include automated decision-making based on your personal data.

However, based on your personal data as a user of the products we represent or distribute, for the processing of which you have given us consent, we create your profiles.

Based on special categories of your personal data, in our software, we create your profiles in order to adapt the content of our marketing activities to your needs as users of our products.

You, as users of our products, provide us via consent with the special categories of personal data on the basis of which we create profiles, but you are not obliged to provide them; that is, it is possible to participate in our marketing activities without providing special categories of personal data and without profiling.

Of course, you can withdraw your consent at any time, i.e. object to and/or request the termination of the processing of your personal data for the stated purpose and in the stated manner.

In the event of the introduction of new techniques for the processing of your personal data, we will adequately inform you, as well as warn you of your right not to be subject to a decision made exclusively on the basis of automated processing of your personal data, including profiling.

If you want to get more detailed information about the creation of your profile in our software, you can contact us at our contacts listed in point one ("About us") of this General Notice.

Categories of recipients of your personal data

We treat your personal data confidentially and protect it in accordance with applicable regulations (international, European and national) and best applicable practice.

We disclose your personal data to certain categories of recipients, who then process it. Whenever we disclose your personal data to such recipients, we make sure that we have valid legal grounds for doing so and that the recipient's business operations comply with the General Regulation and other regulations on personal data protection. Where applicable, we also regulate the processing and protection of personal data with the recipient in detail by a special contract (in addition to the basic contract).

Below are the categories of recipients of personal data with a brief description of our relationship, as well as the situation when we are the processor of personal data.

Processors as the recipients of your personal data

The recipients of your personal data, among others, can be our processors.

When processors process your personal data on our behalf, we select those processors who sufficiently guarantee the implementation of appropriate technical and organizational measures during the processing of your personal data. Also, any relationship with the processor in relation to the processing of personal data is governed by a special contract on personal data processing.

Our processors, who can be the recipients of your personal data, provide us with the services necessary for our daily business operations:

  • Processors as our external associates who provide us with additional operational support such as maintenance and upgrades of IT systems and software, development and maintenance of our website, storage of physical documentation (archiving), provision of accounting services and the like,
  • Occasional processors depending on the needs of our business operations, such as translation services, production of marketing materials and the like.

Independent controllers as the recipients of your personal data

The recipients of your personal data, among others, can be other independent controllers.

Based on our legal obligation or legitimate interest, we enable the processing of your personal data by other independent controllers. Given the role of independent controllers, they are obliged to independently take care of your personal data based on applicable regulations, their own internal procedures and rules of the profession. In some cases, when possible and in agreement with the independent controller as the recipient of personal data, we conclude a special personal data protection contract. However, we note that the conclusion of this contract is not an obligation.

Independent controllers who may be the recipients of your personal data, provide us with services important to our lawful business operations, as well as some other services necessary for our daily business operations:

  • Independent controllers as providers of services for alignment of our business operations with applicable regulations, such as legal advice, tax consulting, audits, etc.,
  • Independent controllers as providers of services necessary for our daily business operations, such as postal services, etc.

Competent authorities as the recipients of your personal data

The recipients of your personal data, among others, can be competent authorities.

Competent authorities act within the scope of their legal powers and may process your personal data on the basis of them.

MEDILAB ONE has a legal obligation to disclose your personal data to competent authorities as the recipients of your personal data (conducting supervision, conducting inspections, establishment or defense of legal claims, etc.).

MEDILAB ONE as the processor

MEDILAB ONE has the role of the processor when providing certain types of services.

We have the role of processor in the following situation:

  • When providing the service of introducing and maintaining a quality management system in accordance with the international standard ISO 9001.

If we process your personal data in the above situation where we are in the role of the processor, the controller is obliged to inform you about all the details of the processing of your personal data.

You are obliged to send all requests in relation to the processing of your personal data to the controller, who will, in case the request refers to the processing performed by MEDILAB ONE as the processor, inform MEDILAB ONE about the request.

All relations with controllers where we are the processor are regulated by a special contract on personal data processing, which defines the details of the processing of your personal data.

If you want to get information about the exact names of all recipients of your personal data, you can contact us at our contacts listed in point one ("About us") of this General Notice.

Transfer of your personal data to third countries or international organizations

In our current daily business operations we do not transfer your personal data to third countries or international organizations, and we try to avoid such transfers. Third countries are all countries that are not members of the European Union or the European Economic Area.

If in the future our daily business operations involve the transfer of your personal data to third countries or international organizations, we will inform you in a timely manner and in advance of all details of such transfer (including to which third countries and international organizations the data is transferred) and relevant safeguards we use.

In the event of the transfer of your personal data to third countries or international organizations, our internal procedures provide a two-step approach to allow this transfer. The first step consists of identifying the legal grounds of the transfer (including your consent if there is no other relevant legal ground), while in the second step we provide additional measures to protect the transfer, all in accordance with the provisions of Chapter V of the General Regulation.

Protection of your personal data

When determining the means and methods of processing and during the processing itself, MEDILAB ONE implements appropriate technical and organizational measures to protect your personal data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing.

All our business processes that include the processing of personal data have undergone a risk analysis and, if necessary, the data protection impact assessment, thus assessing the risk and seriousness for your rights and freedoms as a data subject in relation to the processing of your personal data. In doing so, we take into account in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to your personal data.

The organizational measures we apply are included in and described in our internal procedures, regulations, instructions, reports and the like. The technical measures we apply include various physical safeguards and IT measures.

All our technical and organizational measures are continuously reviewed and improved to ensure that they are appropriate and up-to-date.

We divide our technical and organizational measures into three groups: measures to ensure the confidentiality of personal data, measures to ensure the integrity of personal data, and measures to ensure the availability of personal data and the resilience of our processing systems.

Measures to ensure the confidentiality of your personal data include, but are not limited to, general physical access control, general logical access control, special access control to personal data, separation of personal data and the like.

Measures to ensure the integrity of your personal data include, but are not limited to, control in the case of personal data transfer, control when entering personal data into our processing systems and the like.

Measures to ensure the availability of your personal data and the resilience of our processing systems include, but are not limited to, availability control, resilience of our processing systems, pseudonymization and encryption where possible, and periodic audits, assessments and evaluations of our business operations in relation to personal data protection.

Storage periods of your personal data

Storage periods of your personal data vary depending on the categories of personal data that we process, the purposes and legal grounds of the processing of your personal data (criteria we use when calculating the storage periods of personal data). We also always keep the storage period of your personal data to a minimum.

Below are the general storage periods defined by the legal grounds for the processing of your personal data, but please be aware that these periods may vary depending on the specific processing situations.

Detailed storage periods of your personal data are defined by our internal act. For more information on storage periods of your personal data, you can contact us at our contacts listed in point one ("About us") of this General Notice.

When the applicable regulations define the period during which we are obliged to store your personal data, we store them for the period provided by those regulations and delete them within an additional period of 3 (three) months.

When we have signed a contract with you and there is no period defined by applicable regulations during which we are obliged to store your personal data, we store them for the entire duration of our contractual relationship and delete them within an additional period of 3 (three) months from the date of termination of the contractual relationship.

When we process your personal data on the legal grounds of our legitimate interest, we store them for the entire period of existence of our legitimate interest and delete them within an additional period of 3 (three) months from the termination of existence of our legitimate interest. The period of existence of our legitimate interest is determined individually in relation to each personal data processing for which the legitimate interest is the legal ground.

When we process your personal data based on your consent, we store them until you withdraw your consent. When you withdraw your consent, we delete your personal data as soon as possible. If you have given us your consent for a certain period, at the end of this period, we will delete your personal data as soon as possible.

We store certain business documentation that may contain some of your personal data (for example, contracts, annexes, statements, certificates, etc.) permanently as part of our business documentation or for a longer period as proof of the existence and termination of our relationship, or for the establishment, exercise or defense of legal claims.

In our internal rules, we have defined the periods during which we review the defined periods of storage of your personal data, all in order for the storage to be limited, i.e. in accordance with possible changes in the purpose of processing your personal data.

After the expiration of the storage period of your personal data, we delete or anonymize them. Also, under certain conditions stated under the next point ("Your rights", right to erasure), you have the right to obtain the deletion of your personal data.

Upon the expiration of the storage period of your personal data we have publicly disclosed, taking into account available technology and implementation costs, we will take reasonable steps to delete your publicly disclosed personal data. In doing so, we are not responsible for your publicly disclosed personal data on public sources that we do not manage.

Upon the expiration of the storage period of your personal data processed by the recipients at our request and based on a special contract on the personal data processing, we will notify them of the expiration of the storage period and request the deletion of your personal data.

Your rights

As a data subject whose personal data we are processing, you have the right to exercise the rights listed and described below.

You can exercise your rights by submitting a request through the following available contacts:

  • In writing: Hondlova 2/11, 10 000 Zagreb, Croatia
  • E-mail: zop@medilabOne.com 
  • Call: 0800 600 900

In order to be able to act on your request and provide you with accurate and complete information as soon as possible, please include the following in the request:

  • Title of the e-mail or written request: "Request for exercising the rights of data subjects"
  • Necessary data about your identity: for example, your name, surname, PIN, etc., so that we are able to find your personal data and act on your request
  • Name of the right(s) you want to exercise: see the names and descriptions of the rights below
  • Description of the request: a detailed description of your request to ensure that we act on it correctly
  • Contact to which you want us to reply: for example, if you would like us to reply by e-mail, please state this in your request and provide us with your e-mail address

Also, in order to make it easier for you to exercise your rights, you can find a form on our website with already defined fields that need to be filled out when submitting a request for exercising your rights. We can also send you this form by e-mail at your request.

When submitting a request for the exercise of rights, in case of reasonable doubt in regard to your identity, we have the right to ask you to provide additional information necessary to confirm your identity.

We will respond to your request within one month from the date of receipt of your request. We can extend this deadline by an additional two months if it is a complex request or in case there are more of your requests than one. We will inform you in a timely manner about the extension of the deadline for responding to your request and the reasons for the extension.

All information we provide to you in relation to your request for the exercise of rights, as well as our communication, is provided free of charge. However, if your requests are manifestly unfounded or excessive, in particular because they are repetitive, we may charge a reasonable fee for the administrative costs of providing the information and acting on the request, or we may refuse to act on the request.

When you exercise your rights by submitting a request, we process your personal data so that we can comply with your request, all in accordance with the provisions of the General Regulation.

The right of access

As a data subject, you have the right to ask us to confirm whether we process your personal data and if we do, to access your personal data and relevant information in relation to your personal data (information on the processing purposes, the categories of your personal data that we process, the categories of recipients to whom we disclose your personal data, the envisaged periods of storage of your personal data, etc.).

Also, we provide you with a free copy of your personal data that we process, provided that this does not adversely affect the rights and freedoms of others. We may charge a reasonable fee for our administrative costs for all additional copies requested.

Right to rectification

As a data subject whose personal data we are processing, you have the right to obtain the rectification of your inaccurate personal data. Taking into account the processing purposes, you have the right to request supplementation of your incomplete personal data, among other, by giving an additional statement.

Right to erasure (“right to be forgotten”)

As a data subject whose personal data we are processing, you have the right to obtain the erasure of your personal data if one of the following conditions is met:

  • Your personal data are no longer necessary in relation to the purposes for which they were collected or processed,
  • You withdrew your consent which was the only legal ground for the processing of your personal data,
  • You have objected to the processing of your personal data based on our legitimate interest and there are no overriding legitimate grounds for the processing, or you have objected to the processing of your personal data for the purposes of direct marketing,
  • Your personal data have been unlawfully processed,
  • Your personal data must be deleted in order to comply with the legal obligation arising from the laws of the European Union or the Republic of Croatia,
  • The personal data you request to be deleted have been collected in connection with the provision of information society services directly to a child.

You may not exercise the right to erasure under certain conditions defined in Article 17(3) of the General Regulation. If you have questions regarding the conditions under which you cannot exercise your right to erasure, but also questions regarding the exercise of your rights in general, you can contact us at our contacts listed in point one ("About us") of this General Notice.

If we have publicly disclosed your personal data that we are required to delete based on your request, taking into account available technology and implementation costs, we will take reasonable steps to delete your publicly disclosed personal data and notify other controllers of your request to delete personal data, links to them, their copies and reconstructions. In doing so, we are not responsible for your publicly disclosed personal data on public sources that we do not manage.

Right to restriction of processing

As a data subject whose personal data we are processing, you have the right to obtain the restriction of processing of your personal data if one of the following conditions is met:

  • You are contesting the accuracy of your personal data for a period during which we will verify the accuracy of your personal data,
  • The processing of your personal data is unlawful, but you are opposing their erasure,
  • We no longer need your personal data, but you are requesting them for the establishment, exercise or defense of legal claims,
  • You have objected to the processing of your personal data based on our legitimate interest, for the period during which we verify whether our legitimate grounds override yours.

While processing is restricted at your request, we may still store your personal data, but we may otherwise process them only with your consent, for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or a Member State.

The methods we use to enable you to exercise your right to restriction of processing include, inter alia, the temporary transfer of your personal data to another processing system(s), special marking of your personal data in the system(s) as those whose processing is currently restricted, temporary disabling of access to your personal data, temporary disabling of the processing of your personal data, temporary removal of your personal data from our publicly available sources and the like. The methods we apply will vary depending on the types of processing of your personal data.

Right to data portability

As a data subject whose personal data we process, you have the right to receive your personal data in a structured, commonly used and machine-readable format and transfer them to another controller if the processing of your personal data is based on consent or contract and the processing is automated.

At your request and if technically feasible, we may transfer your personal data directly to another controller.

The right to the portability of your personal data must not adversely affect the rights and freedoms of others.

Right to object

As a data subject whose personal data we process, you have the right, based on your special situation, to object to the processing of your personal data which we process based on our legitimate interest and/or for the purposes of direct marketing, which includes profiling.

Right to the withdrawal of consent

As a data subject whose personal data we process on the basis of consent as legal grounds, you have the right to withdraw your consent at any time. The withdrawal of consent will not affect the lawfulness of the processing of your personal data on the basis of consent, prior to its withdrawal.

The right to lodge a complaint with the supervisory authority

As a data subject whose personal data we process, you have the right at any time to lodge a complaint with an independent public authority for personal data protection.

The independent public authority in the Republic of Croatia is the Personal Data Protection Agency (AZOP) with seat at the address Selska cesta 136, 10 000 Zagreb, Croatia. You can contact AZOP via e-mail at azop@azop.hr, by calling 00385 (0)1 4609-000 or in writing to the listed seat address.

You can find more information on AZOP on its website www.azop.hr.