Data protection

DATA PROTECTION NOTICE
sDoktor Application – Information on Personal Data Processing


Introductory Provisions
This document provides transparent, complete, and up-to-date information on the processing of personal data in connection with the use of the sDoktor application solutions, which include:
• the mobile application for patients
• the web application for doctors
• the technical and communication infrastructure provided by SKVID d.o.o.

The document defines:
• the categories of data being processed,
• the roles and responsibilities of controllers and processors,
• users’ rights under the GDPR,
• technical and organisational protection measures,
• the distinction between data processing for mobile app users and web app users.

This document has been prepared in accordance with Regulation (EU) 2016/679 (“GDPR”) and applicable laws of the Republic of Croatia.

 

I. CONTROLLER INFORMATION
SKVID d.o.o.
Jalševečka cesta 40, 10040 Zagreb
OIB: 27197549120
E-mail: zastitapodataka@skvid.hr

SKVID acts as the data controller solely for:
• the mobile application user’s phone number,
• login credentials of doctors using the web application,
• technical data necessary for system functionality and security (logs).

SKVID is neither the controller nor the processor of any content exchanged between mobile app users and doctors. For such content, the data controller is exclusively the medical institution / doctor using the web application.

 

II. FUNDAMENTAL DATA PROTECTION PRINCIPLES
SKVID applies the following GDPR principles:

  1. Data minimisation – only data strictly necessary for identification and system security are processed.
  2. Purpose limitation – data are used solely to provide the application’s functionalities.
  3. Integrity and confidentiality – communication content is encrypted and inaccessible to SKVID.
  4. Transparency – users are clearly informed about the processing of their data.
  5. Security of processing – organisational and technical safeguards follow recognised industry standards.

 

III. CATEGORIES OF DATA PROCESSED
1. Mobile Application User Data (patient)

SKVID processes only:
• the mobile phone number (for registration and identification)
• technical data required for system operation:

  • IP address
  • access date and time
  • technical errors and security logs

SKVID does not process and has no access to:
• data the user enters to identify themselves to a doctor (name, address, etc.)
• message content or attachments
• any communication content voluntarily exchanged with the medical practice
• information the user voluntarily uploads to the Application
• attachments the user uploads
• any other information shared by the user through the Application

These data are visible exclusively to the medical institution / doctor.

 

2. Web Application User Data (doctor)
SKVID processes:
• username and password
• login security logs (IP, time, status)
• technical errors and system logs

SKVID does not process any patient-related information.
The doctor is the sole data controller for all information exchanged with patients.

 

3. Subscriber Data (contracted medical institutions)
SKVID processes:
• basic subscriber information
• contact information for authorised support personnel
• aggregated technical statistics (no possibility of identifying individuals)

SKVID does not process:
• message content
• attachments
• information exchanged between doctor and patient
• any data exchanged between a patient and their medical institution

 

IV. PURPOSE AND LEGAL BASIS FOR PROCESSING

1. Enabling Use of the Application
Legal basis: Art. 6(1)(b) GDPR – performance of a contract
Includes:
• identification of the user (phone number)
• access to the doctor’s web application

2. Technical System Security
Legal basis: Art. 6(1)(f) GDPR – legitimate interest
Includes:
• technical logs
• security incident detection
• protection against misuse

3. User Support
Legal basis: Art. 6(1)(b) GDPR
Covers technical data necessary to resolve issues (without access to communication content).

4. Statistical Processing (anonymised)
Legal basis: Art. 6(1)(f) GDPR
Includes aggregated, anonymised system usage data.

V. DATA STORAGE
SKVID stores data:
• on its own ICT infrastructure
• in a data centre located in the Republic of Croatia
• using encryption and controlled access rights

Data are not transferred outside the EU and are not shared with third parties.

 

VI. RETENTION PERIODS
SKVID retains:
• the mobile phone number – until the user account is deactivated
• technical logs – up to 180 days, in accordance with IT security standards
• all data are deleted within 15 days of receiving a deletion request

Communication content (messages, attachments, other materials) is not stored or processed by SKVID and cannot be deleted by SKVID. Retention of such content is the responsibility of the medical institution / doctor.

 

VII. USER RIGHTS UNDER THE GDPR
Users have the right to:
• access data processed by SKVID
• correct inaccurate data
• request erasure (“right to be forgotten”)
• restrict processing
• object to processing
• data portability
• file a complaint with the Croatian Data Protection Agency (AZOP)

Requests are submitted to the Data Protection Officer.

 

VIII. CONTACT
Data Protection Officer

E-mail: zastitapodataka@skvid.hr
Postal address:
SKVID d.o.o.
Jalševečka cesta 40
10040 Zagreb
(please indicate: “For the Data Protection Officer”)
