IPS Clinic takes the privacy and security of the information you share with us seriously and wants you to feel comfortable, safe, and pleasant when using our social networks and applications.

By using the IPS Clinic social networks and/or applications, you accept the terms of the IPS Clinic Privacy Policy (last updated on March 28, 2024).

IPS Clinic Privacy Policy

Personal data refers to information that directly or indirectly pertains to or can relate to an individual. IPS Clinic applies the Personal Data Protection Act ("Official Gazette of RS" No. 88/2021) as the legal basis governing data protection and conditions for processing personal data. IPS CLINIC Niš, located at Hajduk Stanka 2/2 in Niš, as the data controller and processor, hereby informs about the conditions of collecting and processing personal data in accordance with Article 23 of the Personal Data Protection Act.

WHAT INFORMATION DO WE COLLECT?

Public data. It is possible to visit and use the IPS Clinic social networks and/or applications without revealing your identity or any other data related to identity. When visiting social networks and applications, considering the nature of the Internet, data that records users but is not sufficient by itself for the identification of a specific person is collected. This represents statistical indicators used for quality improvement. Such information may include the name of the internet browser, the number of visits, average time spent on the network/application, type of computer, and technical information about the connection used during the visit to the networks/applications, such as the operating system and internet service provider, IP (Internet Protocol) address assigned by providers, which are different for each internet user, as well as similar information. Our application allows users to optionally enter their social media usernames (Facebook, Instagram, TikTok), which are displayed on their profile. This information is:

Personal data: IPS Clinic processes general personal data and certain data considered to be of a sensitive nature for the purpose of fulfilling its existence and obligations in the manner and to the extent prescribed by law:

IPS Clinic processes certain categories of special types of personal data, such as health condition, diagnostic procedures, and interventions, in accordance with Article 17 of the Personal Data Protection Act. IPS Clinic does not process more or different types of personal data than those necessary to fulfill the professional purpose.

During the examination, intervention, and/or control examination, the medical staff of IPS Clinic may take photographs of the face, parts of the face, body, and body parts with the patient's consent. Photographs are an integral part of examinations, interventions, and control examinations. They serve for more precise diagnostics and monitoring of the intervention/therapy results, i.e., as a document related to the entire course of intervention/therapy and its results. Photographs, medical documentation, and other information about the patient(s) at IPS Clinic are available exclusively to the founder, employed healthcare professionals of IPS Clinic, and the individuals to whom the data relates. Photographs and patient information are protected by the following laws of the Republic of Serbia: 1. The Health Care Law (Paragraph 2, Article 73, which guarantees the confidentiality of patient medical documentation data); 2. The Patient Rights Protection Law (Article 14, Article 20); 3. The Personal Data Protection Law (Article 16).

WHO HAS ACCESS TO PERSONAL DATA?

IPS Clinic will transfer personal data to third parties only for the purposes stated below. IPS Clinic will take all necessary measures to ensure that personal data are processed and secured in accordance with applicable regulations.

External service providers – when necessary, IPS Clinic may engage third parties – service providers – to perform certain data processing actions on our behalf and in our name. In these situations, IPS Clinic acts as the data controller, and the service providers act as personal data processors.

In such cases, only the data necessary for achieving the purpose of the contracted processing will be transferred, and processors may not use them for other purposes. In these cases, the conditions of data processing and data protection responsibility will be defined by the contract between IPS Clinic and the processor.

IPS Clinic transfers personal data to public authorities only when legally required.

HOW LONG IS PERSONAL DATA RETAINED?

Personal data will not be retained longer than necessary for the purpose for which they were collected. If the retention period for personal data is prescribed by law, IPS Clinic will retain the data for the specified legal period.

DATA PROCESSING FOR SECURITY REASONS (VIDEO SURVEILLANCE)

Purpose of data processing/legal basis: Your data is processed through video surveillance for your and our protection, based on a legally justified interest in protecting patients/service users and visitors, employees, property, especially for protection against the following identified risks:

The legal basis for data processing through video surveillance is Articles 29 and 30 of the Private Security Law. Recipients/categories of recipients: Video recordings will not be publicly disclosed or transferred to third parties except in cases where this constitutes our legal obligation or authorization. Authorized persons at IPS Clinic have access to video recordings. Additionally, for maintenance of the video surveillance system, we have engaged a serviceman who may have access to video recordings only for the purpose of ensuring its functioning. Retention period/criteria for determining the data retention period: Video recordings are stored for 30 days. Copies of video recordings are stored for longer than 30 days in certain situations. Video recordings that are no longer needed are deleted without delay.

DATA PROCESSING VIA E-MAIL

Purpose of data processing/legal basis: Personal data submitted via the contact form, phone, or e-mail to IPS Clinic are processed exclusively for the established purpose so that the person to whom the data relates receives an answer to the inquiry. The legal basis for data processing is Article 12, paragraph 1, item 6 of the Personal Data Protection Act (legitimate interest). The interest in such data processing arises from the need for individuals to whom the data relate to receive answers to questions and, if necessary, to resolve existing issues, thus ensuring your satisfaction as a user of IPS Clinic services or users of IPS Clinic social networks and applications. If the person to whom the data relate participates in an IPS Clinic survey, such participation is voluntary. In the case of anonymous surveys, IPS Clinic does not keep data that allow for the conclusion of who the survey participant is. IPS Clinic only keeps the date and time of participation. Any personal data provided through the survey is considered voluntarily given and is kept in accordance with the provisions of the Personal Data Protection Act. In the case of consent given for conducting a survey, the legal basis for data processing is based on the consent of the person to whom the data relate, in accordance with Article 12, paragraph 1, item 1 of the Personal Data Protection Act. In this case, the person to whom the data relate has the right to withdraw consent at any time. Withdrawal of consent does not affect the legality of processing that was performed based on consent before its withdrawal. Details on data processing related to surveys are regulated by the data protection rules of each individual survey. Recipients/categories of recipients: IPS Clinic generally does not transfer data to third parties. Exceptionally, upon the order of IPS Clinic, data will be processed by IPS Clinic partners (processors). All IPS Clinic partners have been selected very carefully and are contractually obligated to keep personal data confidential, in accordance with Article 45 of the Personal Data Protection Act. Additionally, in some cases, there is a need to forward inquiries from individuals to other contractual partners for processing. In these cases, the inquiry is previously anonymized so that it cannot be determined who it pertains to. If there is a need to transfer personal data in a specific case, IPS Clinic will previously inform the person to whom the data relate and seek his consent. Retention period/criteria for determining the data retention period: All personal data submitted when asking a question (suggestions, praises, or criticisms) are deleted or anonymized no later than 90 days after providing the final answer. It has been empirically determined that no further questions related to the answer appear after 90 days.

DATA PROCESSING OF BUSINESS PARTNERS

The following notes on data processing apply if the individual has contacted IPS Clinic, if negotiations are being conducted with the aim of concluding a contract and/or if a contract has already been concluded and if personal data of that individual are processed in this context. Which data are processed in an individual case primarily depends on the contracted services. Therefore, not all parts of this section will be relevant for all individuals. How are data collected and which categories of data are processed? IPS Clinic generally collects data directly from the individuals to whom the data relate. The following personal data may be processed: personal data (e.g., name and surname, personal identification number (JMBG), address, and other contact details, date and place of birth, as well as citizenship), data from identifications and authentications (e.g., extract from the business register, data from the identity card, etc.), data related to the business relationship with IPS Clinic (payment data, order data), data on the company structure and ownership structure, as well as other data similar to the above-mentioned categories of data. Purpose and legal basis for data processing Processing for the purpose of fulfilling contractual obligations (Article 12, paragraph 1, item 2 of the Personal Data Protection Act) Data are processed for the preparation of contract conclusion that precedes the contractual relationship, as well as for the purpose of fulfilling obligations after the conclusion of the contract. Processing for the purpose of fulfilling legal obligations (Article 12, paragraph 1, item 3 of the Personal Data Protection Act) The purpose of data processing arises, depending on the individual case, from legal regulations. Processing for the purpose of fulfilling legitimate interests (Article 12, paragraph 1, item 6 of the Personal Data Protection Act) There may be a need to make personal data available and process them in scopes that go beyond the initial fulfillment of the contract. Legitimate interests of IPS Clinic for such processing are the selection of an appropriate business partner, fulfillment of legal requirements, elimination of liability claims, access control, clarification of possible offenses, prevention of criminal acts, and processing of damages that occurred based on the contractual relationship. Who has access to the data? Within IPS Clinic, access to data is granted to employees for whom it is necessary to fulfill contractual or legal obligations or for the purpose of fulfilling legitimate interests. As part of the contractual relationship, IPS Clinic also engages other service providers who may have access to personal data. Compliance with personal data protection regulations in these cases is ensured by contract. How long are data retained? IPS Clinic retains personal data as long as necessary for the fulfillment of the above-mentioned purposes. In doing so, IPS Clinic takes into account legal obligations of retention.

Is there an obligation to provide data? Within the business relationship, there is an obligation to provide IPS Clinic with personal data necessary for the initiation, execution, and termination of the contractual relationship and for fulfilling obligations associated with it, as well as for the collection of which IPS Clinic has a legal obligation or has the right based on legitimate interests. Without these data, IPS Clinic will, as a rule, not be able to initiate a business relationship. What rights do individuals have? Individuals to whom the data relate have the right:

DATA PROCESSING ON SOCIAL NETWORKS AND APPLICATIONS

For the processing of personal data, the operator of the specific social network platform is partly responsible. In addition, in some cases, IPS Clinic is also the operator of the platform, and in this sense, there is joint responsibility in accordance with Article 43 of the Law. IPS Clinic manages the following social network pages and applications:

  1. Operator's responsibility The platform operator manages the entire IT infrastructure of the service, adheres to its own data protection rules, and has a special user relationship with individuals to whom the data relate (if the individual to whom the data relate is a registered user of the social network service). Additionally, the operator is exclusively responsible for all questions related to the data of the user profile of the individuals to whom the data relate, which IPS Clinic does not have access to. More detailed information about data processing by social network platform operators and the possibilities of objection can be found in their data protection rules.
  2. IPS Clinic responsibility
    a) Purpose/legal basis for data processing: On the pages of IPS Clinic social networks and applications, personal data are processed for the purpose of interacting with visitors of social networks and applications, as well as for the purpose of responding to posed questions, praises, suggestions, and criticisms. IPS Clinic reserves the right to delete content if necessary. Additionally, data and contents will be shared by IPS Clinic only if it represents a function of the social network platform and/or application. Personal data are processed also for the purpose of communicating with individuals to whom the data relate. The legal basis for data processing is Article 12, paragraph 1, item 6 of the Law (legitimate interest). Data processing is carried out in the interest of establishing public relations and communication.
    b) Recipients/categories of recipients: Data entered on the IPS Clinic social network pages, such as comments, video recordings, images, likes, public announcements, etc., are published by the platform operator, and IPS Clinic does not process them for any purpose other than the intended one at any time. IPS Clinic reserves the right to delete illegal content if necessary (in the case of offensive or illegal posts, hate speech, comments with explicitly sexual content or attachments, as well as those that infringe copyright, personal rights, represent a criminal offense, or violate the ethical principles of IPS Clinic). Contents of individuals to whom the data relate will possibly be shared on IPS Clinic pages if it represents a function of the social network platform and/or application. IPS Clinic processes data also for the purpose of communicating with individuals to whom the data relate. If individuals to whom the data relate send an inquiry through IPS Clinic social networks and/or applications, they may be directed to other secure communication channels that guarantee confidentiality. Confidential inquiries can always be sent via the e-mail address listed in the general information. Data sent via confidential means (private messages, letters, or e-mail) are generally not forwarded by IPS Clinic to third parties. In exceptional cases, access to data may be granted to IPS Clinic external partners to whom certain tasks are entrusted in order to provide services at the highest level. In this case, it is about processors who use data on behalf of IPS Clinic. All IPS Clinic partners have been selected very carefully and are contractually obligated to keep personal data confidential, in accordance with Article 45 of the Personal Data Protection Act. There may be a need to forward part of confidential inquiries to contractual partners (for inquiries related to specific services) for the purpose of processing inquiries of individuals to whom the data relate. In these cases, the inquiry is previously anonymized so that the third party cannot link it to the individuals to whom the data relate. If the forwarding of personal data is necessary in an individual case, IPS Clinic will previously inform the individual to whom the data relate and request his consent.
    c) Retention period/criteria for determining the retention period: All personal data submitted with an inquiry (questions, suggestions, praises, or criticisms) are deleted or securely anonymized no later than 90 days after providing the final answer. Data are retained for 90 days because in individual cases, it may happen that individuals to whom the data relate as consumers contact IPS Clinic again regarding the response to the same question. In this case, IPS Clinic must have the possibility to refer to the previous correspondence. It has been empirically shown that no further questions related to the initially sent responses appear after 90 days. All public posts - comments made by individuals to whom the data relate on the page will be permanently available unless IPS Clinic deletes them when updating a specific topic or due to legal violations, violation of IPS guidelines, or if the post is deleted by the individual to whom the data relate himself. IPS Clinic has no possibility to influence the deletion of data by the operator itself. In this case, the data protection rules of the specific operator apply.
    d) Sweepstakes Purpose/legal basis for data processing: Individuals to whom the data relate have the possibility to participate in various sweepstakes via IPS Clinic social networks. Unless otherwise specified in a particular sweepstakes or if the individual to whom the data relate has not given a different explicit consent, IPS Clinic will process the submitted personal data within the participation in the sweepstakes exclusively for the purpose of implementing the sweepstakes (e.g., drawing/determining winners, notifying winners, realization of the prize, if necessary, anonymous publication of winners). If the individual to whom the data relate uses his full name and surname on the social network or is recognizable through photographs on his profile, IPS Clinic cannot exclude the identification of the individual to whom the data relate by other users. The legal basis for data processing within sweepstakes is, in principle, Article 12, paragraph 1, item 2 of the Personal Data Protection Act. In the case of giving consent within the sweepstakes, the legal basis for data processing is consent in accordance with Article 12, paragraph 1, item 1 of the Law. In this case, the individual to whom the data relate has the right to withdraw consent at any time. Withdrawal of consent does not affect the legality of processing that was performed based on consent before its withdrawal. Recipients/categories of recipients: IPS Clinic forwards data to third parties only when necessary for the realization of the sweepstakes, i.e., for sending the prize (e.g., sending the prize by the sweepstakes sponsor or forwarding data to a logistics company) or if the individual to whom the data relate has given explicit consent. It should be taken into account that in some cases, participation in the sweepstakes on pages with public access (e.g., on a bulletin board or through comments) is possible so that other users can publicly see the fact of participation of the individual to whom the data relate through his interaction with us. In such cases, other users on the social network can also have knowledge of the prize of the individual to whom the data relate. If the individual to whom the data relate uses his full name and surname on the social network or is recognizable through photographs on his profile, IPS Clinic cannot exclude the identification of the individual to whom the data relate by other users. Retention period/criteria for determining the retention period: After the end of the sweepstakes and announcement of the winners, personal data of participants are deleted except for those data about winners that IPS Clinic is legally obligated to keep when organizing the sweepstakes. When participating in a sweepstakes on a social network (e.g., through a post or comment), IPS Clinic has no possibility to influence the deletion of data by the operator. In this case, the data protection rules of the operator apply.
  3. Joint responsibility Art. 43 of the Personal Data Protection Act Together with the social network operator, there is a relationship in accordance with Art. 45 of the Law (joint responsibility): For web tracking methods that the social network platform operator enables, the operator and IPS Clinic are jointly responsible. Web tracking can occur independently of whether the individual to whom the data relate is logged in or registered on the social network platform. IPS Clinic can only limitedly influence the web tracking methods of the operator. The legal basis for web tracking methods is Article 12, paragraph 1, item 6 of the Law (legitimate interest). Justified and legitimate interest consists in optimizing the social network platform and the specific fan page (fan-page). Other information on recipients, i.e., categories of recipients, as well as on the retention period, i.e., criteria for determining the retention period, can be found in the data protection rules of the platform operators. IPS Clinic has no influence on these rules. The possibility for individuals to whom the data relate to exercise their rights regarding the prevention of these web tracking methods can be found in the data protection rules of the operators mentioned in point 2. Regarding this issue, the individual to whom the data relate can contact the platform operators through the contact details of the operators listed in their rules. Regarding the statistics that the social network platform operator makes available, IPS Clinic can only conditionally influence and prevent them. IPS Clinic takes care that no additional optional statistics are provided to it. From all the above, individuals to whom the data relate should be aware that it is not possible to exclude the possibility that the social network platform operator uses data from their profile as well as data about their behavior to, for example, assess their habits, personal relationships, tendencies, etc. IPS Clinic has no influence on the processing or forwarding of data by the social network operator.
  4. Rights of individuals to whom the data relate In accordance with Article 26 of the Personal Data Protection Act, individuals to whom the data relate have the right to request information, i.e., details about the processing of their data without charge. Additionally, provided that legal conditions are met, individuals to whom the data relate have the right to correction (Article 29 of the Personal Data Protection Act), deletion (Article 30 of the Personal Data Protection Act), as well as the right to restriction of processing (Article 31 of the Personal Data Protection Act). If the processing of data is based on Article 12, paragraph 1, items 5 or 6 of the Personal Data Protection Act, individuals to whom the data relate have the right to object to data processing in accordance with Article 37 of the Personal Data Protection Act. If an objection is filed, IPS Clinic will be obligated to stop processing data unless there are legal reasons for processing that outweigh the interests, rights, or freedoms of the individuals to whom the data relate. If the individual to whom the data relate has provided data in accordance with Article 36 of the Personal Data Protection Act, he has the right to transfer those data to another controller. As a rule, on social networks, this right can be exercised only directly towards the social network operator because only the operator has access to profile data. If the processing of data of the individuals to whom the data relate is based on their consent in accordance with Article 12, paragraph 1, item 1 of the Law, they have the right to withdraw consent at any time. Withdrawal of consent does not affect the legality of processing that was performed based on consent before its withdrawal. To exercise the mentioned rights as well as in case of additional questions or complaints, the individual to whom the data relate should contact IPS Clinic using the contact details listed in the following point of this text. In accordance with Article 82 of the Law, the individual to whom the data relate has the right to file a complaint to the state authority competent for personal data protection (Commissioner for Information of Public Importance and Personal Data Protection).
  5. Contact for personal data protection at IPS Clinic: If there are any additional questions or uncertainties regarding data processing, contact the person responsible for personal data protection at IPS Clinic for assistance and/or an answer. For this purpose, contact IPS Clinic in writing or via email: IPS Clinic, Hajduk Stanka 2/2, 18000 Niš, E-Mail: ips.irenaplasticsurgery@gmail.com