- DETAILS OF THE PERSONAL DATA CONTROLLER EN
The controller of personal data is Renata Tłustowska entered in the Central Registration and Information on Business and trading as Renata Tłustowska Centrum DER-MED with its registered office in Kraków, ul. Krzywa 8 lok. 1, 31-149 Kraków, Taxpayer Identification Number (NIP): 9441348547, National Business Registry Number (REGON): 120031097, providing health care services in the form of a health care entity and centre: Centrum DER-MED, entered with No. 000000208390 in the Register of Health Care Service Providers by the Governor of Małopolskie Province.
- CONTACT DETAILS OF THE PERSONAL DATA CONTROLLER:
You may contact the data controller by e-mail at: [email protected]
, by phone at: 122920303, or by post at: Centrum DER-MED RENATA TŁUSTOWSKA ul. Krzywa 8 lok. 1, 31-149 Kraków. The data controller may be contacted in any matters relating to the processing of personal data or the exercise of rights connected with personal data processing.
- SOURCE OF DATA – WHERE DO DATA COME FROM?
As a matter of principle, personal data are provided by you directly upon registration: a) personally, b) by phone, c) through authorised third parties, or d) via the ITC system. In the case of occupational medicine services, data are also provided by the employer who refers you for examination. In the case of continuation of treatment started somewhere else, data may also be received from other medical establishments. In special cases justified by your health condition, your personal data may also be obtained from close relatives.
- SCOPE OF PERSONAL DATA PROCESSING:
For the purposes of making appointments, your data, including name, surname, sex, PESEL number or date of birth (if you do not have a PESEL number), telephone number, e-mail address, are processed. The above-mentioned data are also used for verification of identity prior to provision of personal services. As a health care entity, the data controller is obliged to keep and store medical documentation, the contents and scope of which are provided for in the provisions of law. Data contained in the documentation include e.g. description of diagnostics and treatment process. Provision of personal data by the Patient is voluntary
for achievement of intended purposes. If you do not provide your personal data, we may refuse to provide services, except for urgent cases, i.e. where there is a threat to human life or health. Any person who would like to use health care services is obliged
to provide his or her personal data as specified in the provisions of law. Categories of personal data subject to processing:
- name and surname;
- PESEL number;
- residence address;
- date of birth;
- telephone number;
- e-mail address;
- name and surname of statutory representative of a minor, a fully incapacitated person or a person incapable of giving consent in an aware manner, together with residence address;
- information relating to health condition and illness as well as diagnostics and therapeutic, nursing or recovery process, in particular in respect of description of health care services provided, identification of health problems, pregnancy, recommendations, information about medical reports, opinions or certificates, information about medicines and dosage or prescribed or non-prescribed medical products .
If you agree to receive marketing communications, your personal data in the form of e-mail address or telephone number as well as name and surname are used.
- PURPOSES OF AND LEGAL GROUNDS FOR DATA PROCESSING:
a) The processing of your personal data is necessary for taking steps before provision of a health care service and for the service itself which consists in taking steps intended for maintaining, rescuing, restoring or improving health and other medical steps arising from treatment process or separate provisions regulating the rules of taking such steps (health care purposes); for preventive health care, medical diagnostics, provision of health care and social security, and management of health care services (e.g. settlements with the payer, keeping and storing of medical documentation, verification of identity before visit). Legal basis: Article 9(2)(h) of the GDPR in connection with the provisions regulating the health care service provision process, in particular the provisions of the Health Care Services Act of 15 April 2011, Section 24(1) of the Patient Rights and the Patient Rights Ombudsman Act (i.e. of 2017, item 1318, as amended) in connection with Section 41(1) of the Act of 5 December 1996 (“Dziennik Ustaw” [Journal of Laws
] of 2018, item 617, i.e. of 26 March 2018), and the Publically Funded Health Care Services Act of 27 August 2004. b) your data may also be processed for the purposes of keeping accounting books and for tax settlements. Legal basis: Article 6(1)(c) of the GDPR in connection with the provisions of the Accounting Act of 29 September 1994, the Value Added Tax Act of 11 March 2004 and the Personal Income Tax Act of 26 July 1991. c) Data may also be processed for the purpose of defence of rights and pursuit of claims by the data controller in connection with its activity. Legal basis: Article 6(1)(b) and Article 6(1)(f) of the GDPR. d) If you gave consent to receiving marketing communications, your data may be used for marketing purposes in relation to products and services offered by the controller. The legal basis for processing of such data is your consent, in accordance with Article 6(1)(a) of the GDPR.
- PERIOD OF DATA STORAGE:
Your data contained in medical documentation will be processed
for a period complying with the provisions of law applicable in the territory of the Republic of Poland, in particular: the Patient Rights and the Patient Rights Ombudsman Act of 6 November 2008 (i.e. of 2017, item 1318, as amended), the Health Care Services Act of 15 April 2011 (“Dziennik Ustaw” [
Journal of Laws ] of 2011 No. 112, item 654, as amended), the Publicly Funded Health Care Services Act (i.e. “Dziennik Ustaw [
Journal of Laws ] of 2015, item 581, as amended), the Ordinance of the Minister of Health of 9 November 2015 on types and scope of medical documentation forms and the manner of processing thereof (“Dziennik Ustaw” [
Journal of Laws ] of 2015, item 2069, as amended), the Ordinance of the Minister of Health of 20 June 2008 on the scope of necessary information collected by service providers, detailed manner of registration of such information and provision thereof to entities obliged to publically fund services (i.e. “Dziennik Ustaw” [
Journal of Laws] of 2016, item 192, as amended)
; and – in the case of legitimate interests of the Controller – until such interests cease to exist. Your data will be stored for a period specified in the provisions of law, in particular for a period arising from Section 29 of the Patient Rights and the Patient Rights Ombudsman Act of 6 November 2008. Medical documentation is stored for a period of 20 years
from the end of the calendar year in which the last entry was made. In the event of death of the patient as a result of bodily injury or poisoning, it is stored for a period of 30 years
from the end of the calendar year in which the death took place – upon expiration of this time limit it is destroyed in a manner preventing identification of the patient to whom it related. X-ray pictures, stored outside internal individual documentation, are stored for a period of 10 years
from the end of the calendar year in which the picture was taken – upon expiration of this time limit it is destroyed in a manner preventing identification of the patient. Referrals for examinations or doctor’s recommendations are stored for a period of 10 years
from the end of the calendar year in which the service being the subject matter of the referral or recommendation was provided – upon expiration of this time limit they are destroyed in a manner preventing identification of the patient. Upon expiration of the statutory time limit for storage of medical documentation, it will be destroyed in a manner preventing identification of the patient to which it related or it will be released to you or a person authorised by you. Data used for health care service settlements and pursuit of claims will be processed until such claims become time-barred in accordance with the provisions of the Civil Code. Data processed for accounting and tax settlement purposes are processed for a period of 5 years from the end of the calendar year in which the tax obligation arose. If you gave consent to receiving communications for marketing purposes, data will be processed until you withdraw your consent to processing of your personal data for such purposes.
- DATA RECIPIENTS:
Your data may be shared with entities authorised to receive them under the provisions of law, in particular in accordance with Section 26 of the Patient Rights and the Patient Rights Ombudsman Act of 6 November 2008, including: a) entities providing health care services, if such documentation is required for ensuring continuity of health care services; b) public authorities, the National Health Fund, units of self-governing bodies of medical professions and national and provincial consultants, within a scope required for such entities to perform their tasks, in particular control and supervision; c) entities conducting inspections to the order of the minister relevant for health care matters, referred to in Section 119(1) and Section 119(2) of the Health Care Services Act of 15 April 2011, within a scope required for conducting such inspections; d) the minister relevant for health matters, courts, including disciplinary courts, public prosecutors, court physicians and professional accountability agents, in connection with conducted proceedings; e) authorities and institutions authorised to receive them under separate statutes, if examination was conducted upon their request; f) disability pension authorities and disability certification teams, in connection with conducted proceedings; g) registrars of medical services, within the scope required for keeping of registers; h) insurance companies, with the patient’s consent; i) a doctor, nurse or midwife, in connection with the assessment procedure in respect of an entity providing health care services under the provisions on health care accreditation, within the scope required for the procedure; j) the provincial commission adjudicating on medical events, within the scope of conducted proceedings; k) successors, within the scope of proceedings before the provincial commission adjudicating on medical events referred to in Section 67e(1); l) persons conducting inspections under Section 39(1) of the Health Care Information System Act of 28 April 2011 (“Dziennik Ustaw” [
Journal of Laws ] No. 113, item 657, and No. 174, item 1039), within the scope required for conducting them.
Your data may be provided to entities processing personal data to the order of the controller, e.g. to IT service providers and data processors. Furthermore, if you gave consent to receiving communications for marketing purposes, your data may be provided to entities processing personal data to the order of the controller, e.g. IT service providers or marketing agencies, and data processors.
- DATA TRANSFER OUTSIDE THE EEA:
Your personal data may be transferred to recipients in countries outside the European Economic Area. In such case, data will be transferred on the basis of an appropriate agreement between the data controller and the recipient, containing standard contractual clauses on data protection as adopted by the European Commission.
- RIGHTS OF THE DATA SUBJECT:
You have the right to:
- Access your personal data – obtain from the controller confirmation if your personal data are processed and, if this is the case, obtain access to such data and receive information within the scope specified in Article 15 of the GDPR.
- Have your personal data rectified – request that the controller immediately rectify inaccurate personal data, supplement incomplete personal data.
- Have your personal data erased – request that the controller immediately erase your personal data if one of the conditions specified in Article 17 of the GDPR is met, e.g. personal data are no longer needed for purposes for which they were collected. The right to have personal data erased may be limited due to the data controller’s obligations connected with keeping of medical documentation.
- Restrict the processing of your personal data in cases specified in Article 18 of the GDPR, e.g. challenging accuracy of personal data. The right to restrict data processing may be limited due to the data controller’s obligations connected with keeping of medical documentation.
- Personal data portability – receive from the controller your personal data in a structured commonly used machine-readable format, if your data are processed on the basis of consent and processing is done automatically. You may send those data to another data controller or request that personal data are sent by the controller directly to another controller, if technically possible.
- Object to personal data processing in cases specified in Article 21 of the GDPR.
You also have the right to lodge a complaint
with the supervisory authority relevant for personal data protection. In order to exercise the above-mentioned rights, please contact the data controller or the data protection officer. Contact details are stated above.
- VOLUNTARY PROVISION OF DATA:
Provision of personal data is a necessary condition for provision of health care services due to legal requirements imposed on the data controller, including the necessity to keep medical documentation. If you refuse to provide your data, we may refuse to provide a health care service. Provision of data is also necessary for issuance of an invoice. Provision of personal data for marketing purposes is fully voluntary, the lack of consent to receiving marketing communications is no grounds for refusal to provide a health care service.
- AUTOMATED DECISION-MAKING:
Your personal data will not be used for automated decision-making.