Privacy Policy

1. Who We Are

Palmotićeva Gynecology Clinic (Palmotićeva 33, 11000 Belgrade, Serbia) respects your privacy. This Privacy Policy explains what data we collect, why we collect it, and your rights regarding that data in accordance with the Serbian Personal Data Protection Act (ZZPL, "Official Gazette RS", No. 87/2018) and EU GDPR principles.

2. Legal Basis for Data Processing

We process your data based on the following legal grounds:

• Consent (Art. 12(1)(1) ZZPL): For online appointment booking, we collect your name, surname and phone number based on your voluntary consent.
• Contract performance (Art. 12(1)(2)): Processing necessary for providing gynecological healthcare services.
• Legal obligation (Art. 12(1)(3)): Maintaining medical records in accordance with healthcare documentation laws.
• Legitimate interest (Art. 12(1)(6)): Website analytics (Google Analytics, Microsoft Clarity) to improve user experience, with data anonymisation.

3. Data Collection and Processing

When you complete the booking form, we collect basic data such as your name, surname and phone number to contact you regarding your requested appointment. We will never forward or sell your health or contact data to third parties.

4. Health Data Processing

As part of providing medical services, Palmotićeva Clinic processes health data classified as a special category of personal data (Art. 17 ZZPL).

Health data we process:

• Reason for visit / symptoms (entered during booking)
• Medical history relevant to gynaecological examination
• Diagnostic results (ultrasound, colposcopy, laboratory analyses)
• Records of procedures and treatments performed

Processing is carried out for the purposes of preventive medicine, medical diagnostics, healthcare provision and treatment, in accordance with Art. 17(2)(8) ZZPL, exclusively by healthcare professionals bound by professional secrecy.

5. Data Retention Periods

• Web form data (name, phone): 12 months from booking (consent)
• Medical records: 10 years from last visit (Healthcare Documentation Act)
• Analytics data (GA4, Clarity): 14 months (GA4) / 30 days (Clarity)
• Consent cookies: Until consent is withdrawn

After the retention period expires, data is permanently deleted or anonymised within 30 days.

6. Cookies and Analytics

We use Google Analytics (GA4) and Microsoft Clarity to track anonymous behavioural analytics on the website for the purpose of improving our services. All sessions are fully anonymised according to strict platform rules, and tracking depends on your explicit consent via the Cookie Banner.

7. Data Transfer to Third Parties

Data processors:

• Google LLC (Analytics 4): Website analytics — EU/US (SCC agreement)
• Microsoft Corp (Clarity): User behaviour analytics — EU/US (SCC agreement)
• Google LLC (Google Ads): Conversion tracking — EU/US (SCC agreement)
• Google LLC (Firebase Hosting): Website hosting — EU/US (SCC agreement)

Data transfer outside the Republic of Serbia is carried out exclusively to countries ensuring an adequate level of protection, or based on Standard Contractual Clauses (SCC) in accordance with Art. 65 ZZPL.

We do NOT share data with: insurance companies, employers, marketing agencies (other than anonymised analytics), or any third party without your explicit consent, unless required by law.

8. Your Rights

Under the Personal Data Protection Act, you have the following rights:

• Right of access (Art. 26): To learn what data we process about you and obtain a copy
• Right to rectification (Art. 29): To request correction of inaccurate data
• Right to erasure (Art. 30): To request deletion when there is no longer a basis for processing (does not apply to medical records within statutory retention period)
• Right to restriction (Art. 31): To restrict processing in certain situations
• Right to object (Art. 37): To object to processing based on legitimate interest
• Right to portability (Art. 36): To receive your data in a structured format
• Right to withdraw consent: At any time, without affecting the lawfulness of prior processing
• Right to lodge a complaint: With the Commissioner for Information of Public Importance and Personal Data Protection (www.poverenik.rs)

To exercise these rights, contact us at [email protected] with "Data Protection" in the subject line. We respond within 30 days.

9. Data Security

Our website is secured with HTTPS SSL encryption, protecting data entered while browsing services and contacting the clinic.

In the event of a personal data breach:

• We notify the Commissioner within 72 hours of becoming aware of the breach (Art. 52 ZZPL)
• If the breach may result in high risk to your rights, we notify you without undue delay
• We launch an internal investigation, implement corrective measures and document the incident

10. Contact and Updates

For all enquiries regarding the protection of your personal data:

• Email: [email protected]
• Address: Palmotićeva 33, 11000 Belgrade, Serbia
• Phone: +381 11 322 6040

This privacy policy was last updated: 6 April 2026.

We reserve the right to update this policy. You will be notified of any significant changes via a notice on the website.