PRIVACY POLICY

DENTAL HERO hereby informs the persons whose personal data it processes of all important aspects of such data processing in accordance with the Law on Personal Data Protection ("Official Gazette of the RS", No. 87/18 - "LPDP").

1. DATA CONTROLLER INFORMATION

1.1. The controller of personal data processing is Srđan Konatar pr Specijalistička ordinacija dentalne medicine iz oblasti stomatološke protetike DENTAL HERO Beograd (Srđan Konatar pr Specialist dental medicine practice in the field of dental prosthetics DENTAL HERO Belgrade) with its registered office at ul. Beogradska 45, 11000 Beograd-Vračar, Republic of Serbia, company registration number: 66707954, TIN: 113279899, email: info@dentalhero.rs ("DENTAL HERO" or "We").

2. CATEGORIES OF PERSONS WHOSE PERSONAL DATA WE PROCESS

2.1. DENTAL HERO processes the personal data of the following categories of persons:

  • Patients;
  • Individuals who send us inquiries about our services via the contact form on our website, email, telephone, or social media accounts ("Potential Patients");
  • Individuals who leave a review, impression, or testimonial about the services provided in the form of a photograph or video recording ("Reviewers");
  • Visitors to our website;
  • Representatives of our business partners.

2.2. DENTAL HERO also processes the personal data of employees and other engaged persons, to whom it provides a separate notice on the processing of personal data.

3. LEGAL BASIS, PURPOSE OF PROCESSING PERSONAL DATA, AND RETENTION PERIODS

3.1. DENTAL HERO carries out the lawful processing of personal data that is adequate, relevant, and limited to what is necessary in relation to the specific purpose of processing, in accordance with the "data minimisation" principle.

3.2. The legal basis and purpose of processing personal data and the retention periods for personal data in relation to specific categories of persons are given below.

Patients

Personal data we process: last and first name, one parent's name, date of birth, sex, Unique Master Citizen Number (JMBG), Personal Identification Number of the Insured (LBO), Health Card Number (BKZO), phone number, email address, address and place of residence, dental record number, previous illnesses and conditions of medical significance, anamnesis, findings, diagnosis, proposed therapy, record of visits, therapy performed.

Legal basis for processing: processing is necessary for compliance with the legal obligations of the controller as determined by the Law on Health Documentation and Records in the Field of Healthcare ("Official Gazette of the RS", No. 92/2023).

Purpose of processing: providing dental services and maintaining mandatory health documentation and records in accordance with the Law on Health Documentation and Records in the Field of Healthcare.

Retention periods: permanently, in accordance with the Law on Health Documentation and Records in the Field of Healthcare.

The provision of personal data is a legal obligation, meaning the patient is obliged to provide the aforementioned personal data; otherwise, we will not be able to provide the dental service.

Health data constitutes a special category of personal data which we process in accordance with Article 17, paragraph 2, item 8) of the LPDP.

Potential patients

Personal data we process: first and last name, email address, phone number, social media username.

Legal basis for processing: processing is necessary to take action, at the request of the data subject, before the eventual conclusion of a contract, i.e., the provision of dental services.

Purpose of processing: to provide answers to inquiries from potential patients.

Retention periods: 3 months from the date of providing a response to the inquiry.

Providing data is a necessary condition for responding to inquiries, meaning the potential patient is not obliged to provide the aforementioned personal data, but in that case, we will not be able to provide a response to the inquiry.

Reviewers

Personal data we process: first and last name, username on a social network or review platform, photographic and/or video recording of their likeness.

Legal basis for processing: consent of the data subject.

Purpose of processing: presentation of patient impressions, i.e., visual presentation of the results of the services we provide.

Retention periods: until the withdrawal of consent by the data subject.

The data subject has the right to withdraw consent at any time, but the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You can submit your withdrawal of consent to us at any time at the email address: info@dentalhero.rs. Upon receipt of the withdrawal of consent, we will remove all content containing personal data within a reasonable period and inform the data subject thereof.

Visitors to our website

When you visit our website dentalhero.rs, certain data is collected via cookies in accordance with our Cookie Policy, available at the following link: Policy on the use of cookies

Personal data that can be collected when visiting our website consists of: name and surname, e-mail address, phone number, IP address together with the date and time of access to the Site, the website/application from which the Site is accessed, the browser and the operating system of the device used to access the Site.

Representatives of our business partners

Personal data we process: first and last name, function/position at the business partner, phone number, and email address.

Legal basis for processing: processing is necessary for the performance of a contract concluded with the business partner or to take action, at the request of the business partner's representative (representative or other authorised person), before concluding a contract.

Purpose of processing: conducting negotiations, concluding, and executing contracts.

Retention periods: 10 years (general statute of limitations for claims in accordance with the law governing contractual relations), unless a different period is prescribed by law, in which case that other period applies.

Providing data is a necessary condition for concluding and executing a contract; if you do not provide us with the above-mentioned data, we will not be able to conclude a contract.

4. METHOD OF COLLECTING PERSONAL DATA

4.1. As a rule, we collect personal data directly from the data subjects.

4.2. When we do not collect data directly from the data subject, we first ascertain whether the person providing the data is authorised to forward that data to us. The person providing the data is obliged to inform the data subjects of all important aspects of the processing, i.e., to direct those persons to familiarise themselves with this Privacy Policy.

4.3. If the data is collected directly from the data subject, we will acquaint the person with all the information provided for in Article 23 of the LPDP at the time of collecting the personal data.

4.4. If the data is not collected from the data subject, we will acquaint the person with all the information provided for in Article 24 of the LPDP within a reasonable period after the collection of personal data, and at the latest within 30 days from the date of collection, or at the latest at the time of the first communication with the data subject, with the possibility of exceptions prescribed by Article 24, paragraph 5 of the LPDP.

5. METHOD OF STORING PERSONAL DATA

5.1. We store personal data in our internal records, in paper and/or electronic form, for which we apply all necessary organisational, technical, and personnel protection measures in accordance with the requirements of the current LPDP. We maintain internal records (so-called Records of processing activities), for each category of persons whose data is processed, in accordance with the requirements of Article 47 of the LPDP, which describes the processing activities.

6. RIGHTS OF DATA SUBJECTS

6.1. The person whose data is being processed has the following rights:

  • the right to request access to personal data (Art. 26 LPDP) - which primarily means enabling adequate insight into your personal data that we process in accordance with the LPDP;
  • the right to request rectification, supplementation, or erasure of personal data, as well as restriction of processing (Art. 29, 30, 31, and 33 LPDP) - rectification and supplementation refer to the correction of inaccurate data or the completion of incomplete data; erasure refers to the situation when the data is no longer necessary for the purpose, or when the legal basis has ceased to exist, or in other cases provided for in Art. 30 of the LPDP, while restriction of processing applies in situations prescribed by Art. 31 of the LPDP;
  • the right to data portability (Art. 36 LPDP) - which means the right to request that we transmit the data to you in a machine-readable format or that we transmit it to another controller in the same format, if the processing is based on consent and is carried out by automated means, and if other conditions from Art. 36 of the LPDP are met;
  • the right to object to processing (Art. 37-39 LPDP), if there are justified reasons and if the conditions from Art. 37-39 of the LPDP are met;
  • the right to file a complaint with the Commissioner for Information of Public Importance and Personal Data Protection (Article 82 LPDP);
  • the right to judicial protection, as well as the right to compensation for damages in case of unlawful processing (Art. 84 and 86 LPDP), and
  • other rights guaranteed by the LPDP.

6.2. You can submit a request to exercise your rights in free form to the email address: info@dentalhero.rs. We will respond to requests within a reasonable time necessary to process such a request.

7. PROTECTION MEASURES

7.1. In relation to personal data, we apply the necessary organisational, technical, and personnel protection measures, including but not limited to:

  • restriction of physical access to the system and archive where personal data are stored;
  • control of data access - only authorised persons have physical and electronic access;
  • control of data entry - only an authorised person collects personal data and stores it in the records;
  • control of data transfer - transfer to any authorised person is carried out exclusively via standard secure communication channels;
  • other information security measures, in accordance with best industry practice;
  • all other measures necessary for the protection of personal data.

8. PROCESSORS AND RECIPIENTS OF DATA

8.1. In certain cases, we provide personal data to third parties, some of whom are processors, and some are recipients of data. A processor within the meaning of the LPDP is a natural or legal person, or a public authority, which processes personal data on behalf of the controller, while a recipient of data is a natural or legal person, or a public authority, to which the personal data are disclosed, whether a third party or not.

8.2. Categories of processors that may have access to certain personal data:

  • External collaborators who provide ancillary, i.e., related dental services;
  • Legal advisors and providers of accounting and bookkeeping services;
  • The IT company that maintains our information and communication systems;
  • The IT company that develops and maintains our website;
  • Other persons who perform certain processing activities on our behalf and for our account.

8.3. We conclude a data processing agreement with each processor, i.e., the Standard Contractual Clauses developed by the Commissioner for Information of Public Importance and Personal Data Protection. The Standard Contractual Clauses regulate all important issues concerning the processing activities carried out by the processor, including its obligations regarding that specific processing.

9. ADDITIONAL INFORMATION

9.1. Any additional questions regarding the processing of personal data, including how to exercise the rights of the data subject, can be directed to the email address: info@dentalhero.rs.

10. FINAL PROVISIONS

10.1. We reserve the right to amend and/or supplement this Privacy Policy at any time, so that the achieved level of privacy protection will not be diminished, and all amendments and/or supplements to the Privacy Policy will be published on our website and shall enter into force no earlier than the eighth day from the date of publication.

Date of publication on our website: 19.06.2025