3. GDPR COMPLIANCE POLICY

Last Updated: 1.6.2025

3.1 Our Commitment to GDPR

We are committed to protecting personal data in accordance with the General Data Protection Regulation (EU) 2016/679. This policy outlines our compliance measures.

3.2 Lawful Bases for Processing

We process personal data under the following lawful bases:

a) Consent

  • Newsletter subscriptions
  • Marketing communications
  • Use of cookies (non-essential)
  • Testimonials and case studies

b) Contract Performance

  • Providing therapy services
  • Processing payments
  • Managing appointments
  • Client communications

c) Legal Obligations

  • Maintaining therapy records (10 years)
  • Financial records (7 years)
  • Reporting obligations

d) Legitimate Interests

  • Website security
  • Fraud prevention
  • Direct marketing to existing clients
  • Internal administration

3.3 Data Protection Principles

We ensure personal data is:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit, legitimate purposes
  • Adequate, relevant, and limited to what is necessary
  • Accurate and kept up to date
  • Kept no longer than necessary
  • Processed securely

3.4 Special Category Data

As a therapy practice, we process special category data (health data):

  • Explicit consent obtained before processing
  • Necessary for healthcare provision
  • Processed by professionals subject to confidentiality
  • Additional safeguards implemented

3.5 Data Subject Rights Procedures

a) Responding to Requests

  • Acknowledge within 72 hours
  • Verify identity before processing
  • Respond within one month
  • Free of charge (unless excessive/repeated)

b) Right to Access (SAR)

  • Provide copy of personal data
  • Explain how data is used
  • Include retention periods
  • List recipients of data

c) Right to Erasure

  • Delete data when no longer needed
  • Exceptions for legal obligations
  • Notify third parties where possible

3.6 Data Breach Procedures

a) Detection and Assessment

  • Immediate investigation
  • Assess risk to individuals
  • Document all breaches

b) Notification

  • Supervisory authority within 72 hours (if high risk)
  • Affected individuals without undue delay
  • Include nature of breach and measures taken

3.7 Privacy by Design

We implement privacy by design through:

  • Data minimization
  • Pseudonymization where possible
  • Default privacy settings
  • Regular privacy impact assessments

3.8 Third-Party Processors

We ensure all third-party processors:

  • Have adequate security measures
  • Sign data processing agreements
  • Only process on our instructions
  • Allow audits and inspections

3.9 International Transfers

We do not transfer personal data outside the EEA unless:

  • Adequate protection exists
  • Appropriate safeguards implemented
  • Explicit consent obtained

3.10 Staff Training

All staff receive training on:

  • GDPR principles
  • Handling personal data
  • Recognizing data breaches
  • Responding to data subject requests

3.11 Documentation

We maintain records of:

  • Processing activities
  • Consent records
  • Data breaches
  • Impact assessments
  • Third-party agreements

3.12 Supervisory Authority

Our lead supervisory authority is the Croatian Personal Data Protection Agency (AZOP).

3.13 Data Protection Officer

[If applicable – required for healthcare providers processing data on a large scale]

3.14 Review and Updates

This policy is reviewed annually and updated as needed to ensure ongoing compliance.