INFORMATION CLAUSE PROCESSING OF PERSONAL DATA IN CONNECTION WITH MEDICAL SERVICES

In accordance with Article 13 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR") we kindly inform you that:

1.            the Controller of your personal data is Klinika Flebologii sp. z o.o., a limited liability company duly organized and existing under the laws of Poland, with its principal office located at 5, Wawelska St, 02-034 Warsaw, Poland, tax identification No. (NIP): 7010498962, registered in the District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division of the National Court Register under company registration No.: KRS: 0000568625 ("Controller"). You can contact the Controller:

a)            in writing at Klinika Flebologii, ul. Wawelska 5, 02-034 Warszawa, Poland;

b)           via e-mail at: rejestracja@klinikaflebologii.pl;

c)            by phone at: (+48) 735 998 880 or (+48) 22 417 10 00;

2.            the Controller appointed a Data Protection Officer, who is responsible for all matters relating to the processing of personal data. In case of any queries regarding the processing of your personal data by the Controller or your rights related to the processing of personal data, please contact the Data Protection Officer:

a)            in writing at Klinika Flebologii, ul. Wawelska 5, 02-034 Warszawa, Poland, with the annotation „IOD”;

b)           via e-mail at: iod@klinikaflebologii.pl;

c)            by phone at: (+48) 535 443 338;

3.            we may process your personal data for the following purposes:

a)            booking an appointment for medical services (Article 6(1)(b) of the GDPR), which applies to general identification data (name and last name, e-mail address, phone number). The Controller retains such data until the service is provided, and if the service is not provided, for a period of up to 3 months from the planned date of providing the service;

b)           conclusion and performance of medical services agreement (Article 6(1)(b) of the GDPR and Article 9(2)(h) of the GDPR), which applies to general personal data (name, last name, date of birth, Personal Identification No. (PESEL), gender, type, series and number of an identity document, address of residence, e-mail address, phone number, etc.) and sensitive data (data about health, genetics; the Controller may also process data revealing racial or ethnic origin, religious beliefs, workplace or family status data). The data mentioned above is stored for the period of archiving medical records indicated in Article 29 of the Act of November 6, 2008, on patients' rights and the Ombudsman for Patients' Rights, i.e., in principle for 20 years. When you provided personal data in connection with the completion of the patient's card available online, and no health services are performed, so the Controller is not obliged to keep medical records, the personal data will be removed immediately upon the cancellation of a health service, no later than 3 months from the planned date of providing the service;

c)            exercising the patient's rights (Article 6(1)(c) of the GDPR and Article 9(2)(c) and (h) of the GDPR), which concerns information on health and keeping, archiving, and sharing medical records. The data mentioned above is stored for the period of archiving medical records indicated in Article 29 of the Act of November 6, 2008, on patients' rights and the Ombudsman for Patients' Rights, i.e., in principle for 20 years;

d)           scientific research purposes, consisting of researching the safety and effectiveness of particular medical procedures, as well as preparing articles, papers, presentations, or other types of scientific publications in the field of medicine, which, in the scope of general personal data, constitutes the implementation of the legitimate interest of the Controller (Article 6(1)(f) and Article 9(2)(j) of the GDPR), which concerns general identification data (name, last name, year of birth, e-mail address) and data concerning health, contained in the survey assessing the safety and effectiveness of the medical procedure. The data mentioned above is stored at most for the period of archiving medical records indicated in Article 29 of the Act of November 6, 2008, on patients' rights and the Ombudsman for Patients' Rights, i.e., in principle, for 20 years;

e)            the legitimate interests of the Controller, that is improving the security and quality of the Controller's services, as well as establishing, pursuing claims, or defending against claims (Article 6(1)(f) of the GDPR, and where the processing concerns sensitive data, Article 9(2)(a) of the GDPR). This applies to the person's voice sound and the data provided during the phone call, recorded in connection with the recording of incoming calls to the Controller. Your continuation of the call after hearing the announcement on the recording signifies your acceptance of recording and data processing. Your consent is voluntary but necessary to make a phone call. The data mentioned above is stored for no longer than 3 months from the date of recording, or for the period necessary for the completion of proceedings under the law or proceedings in which the recordings may or will be evidence;

f)            evidentiary purposes (confirmation of a scheduled visit or medical procedure), in connection with establishing, investigating, or defending against claims (Article 6(1)(f) of the GDPR, and where the processing concerns sensitive data, Article 9(2)(f) of the GDPR). This applies to patients' voice sounds and data provided during the phone call (in particular, name, date, and type of visit or medical procedure) recorded in connection with the recording of outgoing calls made to confirm with a patient a scheduled visit or medical procedure. The data mentioned above is stored for no longer than 3 months from the date of recording, or for the period necessary for the completion of proceedings under the law or proceedings in which the recordings may or will be evidence;

g)            establishing, exercising, or defending claims (a claim for the refund of the deposit) (Article 6(1)(f) of the GDPR, and where the processing concerns sensitive data, Article 9(2)(f) of the GDPR). This applies to patients' general identification data (name, last name, year of birth) and data regarding health, family status, and others contained in documents or certificates provided to support the claim for a refund of the deposit. In the event the claim is accepted by the Controller, the data mentioned above is stored until the claim is satisfied, and in other cases for no longer than until limitation of possible claim.

Apart from the above, the Controller processes personal data only in order to comply with its legal obligations (Article 6(1)(c) of the GDPR), including tax obligations, as well as for the purposes of the legitimate interests of the Controller (Article 6(1)(f) of the GDPR), including, among others, (i) transfer of data to the payment services provider due to providing online payment infrastructure, handling and settlements of online payments made by the patients using electronic payment instruments, monitoring the proper performance of the contracts concluded with the Controller, in particular protection of payers’ interests in connection with their complaints, (ii) establishing, pursuing claims or defending against claims;

4.            the Controller shall keep your personal data confidential and prevent unauthorised access to them by third parties in accordance with the applicable legislation;

5.            your personal data included in the survey assessing the safety and effectiveness of the medical procedure may be transferred to Switzerland; this transfer is based on the decision of the European Commission recognizing the adequate level of protection of personal data during data transfer to this country. In other respects, your personal data shall not be transferred to entities outside the European Economic Area or to international organizations;

6.            your personal data shall not be used for automated decision-making, and no profiling will be made based on your personal data;

7.            your personal data may be transferred to our employees and associates, that is, to people with whom we cooperate in business activity, as well as third-party service providers whose services we use when processing your personal data, e.g., IT service providers or payment services providers, and other entities processing personal data on our behalf under the data processing agreement, regulatory bodies or entities entitled to access processed personal data under separate legal provisions;

8.            according to the legislation on data processing and to the extent specified there, you, as a data subject, have the following rights: the right of access to your personal data, to the rectification of any information you believe is inaccurate (correction), to the completion of the information you believe is incomplete, to the erasure and the restriction of processing of your personal data, to data portability, as well as the right to obtain a copy of your data, to object to the processing of your personal data, and where the processing is based on your consent, you are entitled to withdraw consent at any time (the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal). If you believe that the processing of your data violates legal provisions, you are entitled to complain to the competent authority, the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warszawa, Poland). For more information on the rights of the data subject, please see the list of rights available at our website in the Personal Data tab;

9.            providing your data indicated in points 3(a) and (b) above is necessary to conclude and perform a medical services contract. Providing your data indicated in point 3(d) above (in the survey assessing the safety and effectiveness of the medical procedure) is voluntary. Providing your personal data indicated in: (i) point 3(f) is voluntary; however, failure to provide them makes it impossible to confirm the scheduled visit or medical procedure by phone, (ii) point 3(g) is voluntary, but necessary to determine entitlements and obligations related to the refund of the deposit. In the remaining scope, the basis for processing is a legal provision.