On 25 May 2018, the European Union's General Data Protection Regulation (GDPR) came into force, aimed at updating and unifying the rules on personal data protection in the European Union. Below you will find information on how personal data is processed and on patients' rights in this matter.
INFORMATION REGARDING PERSONAL DATA PROCESSING
INFORMATION REGARDING THE DATA CONTROLLER
The controller of your personal data is BEAUTY doc Barbara Parda-Głomska with its registered office in Piaseczno at ul. Gruszek i Jabłuszek 7, NIP: 7391279121, REGON: 510686416.
DATA CONTROLLER CONTACT INFORMATION
The data controller can be contacted by e-mail at firstname.lastname@example.org, by telephone at +48 517 535 878, or in writing at the address of the data controller's registered office.
DATA SOURCE – HOW IS THE DATA COLLECTED
As a rule, personal data is provided directly by you at the moment of registration: in person, via the e-registration system or via the hotline.
If treatment is continued elsewhere, data may also be collected from other medical facilities.
In special situations substantiated by your health condition, personal data may be collected from relatives.
THE SCOPE OF PERSONAL DATA PROCESSING
For the purpose of scheduling visits, your name, surname, gender, PESEL number or date of birth (in the absence of a PESEL number), telephone number and e-mail address are processed. The aforementioned data are also used to verify your identity before the health service is provided.
The data controller, as a medical entity, is obliged to keep and store medical records, the content and scope of which are specified by the applicable provisions of law. The data contained in the records include, among others, a description of the course of treatment and diagnostics.
If you have consented to marketing communication, we process your e-mail address or telephone number, as well as your name.
AIMS OF PROCESSING AND THE LEGAL BASIS FOR PROCESSING
Processing your personal data is necessary for the purpose of providing health services (diagnostics, prevention, treatment) and managing health services (e.g. payer billing, keeping and storing medical records, pre-visit verification of identity).
Legal basis: Article 9(2)(h) of the GDPR in connection with the regulations governing the provision of health services, in particular the provisions of the Act of 15 April 2011 on medical activity, the Act of 6 November 2008 on patients' rights and the Patient Ombudsman, the Act of 27 August 2004 on health care services financed from public funds and the Act on medical professions.
Your personal data may also be processed for the purposes of keeping accounting books and tax settlements.
Legal basis: Article 6(1)(c) of the GDPR in connection with the provisions of the Accounting Act of 29 September 1994 and the Act of 11 March 2004 on the tax on goods and services.
Data may also be processed for the purpose of defending the data controller's rights and pursuing claims in connection with the activities carried out by it.
Legal basis: Article 6(1)(b) and (f) of the GDPR and, in the case of sensitive data, Article 9(2)(f) of the GDPR.
If you have consented to marketing communication, your data may be used for marketing purposes with respect to the products and services offered by the data controller.
Legal basis: your consent, in accordance with Article 6(1)(a) of the GDPR.
PERIOD FOR WHICH THE DATA IS STORED
Your data will be stored for the period specified by law, in particular the period specified in Article 29 of the Act of 6 November 2008 on patients' rights and the Patient Ombudsman. As a general rule, medical records are kept for at least 20 years from the end of the calendar year in which the last entry was made. After the statutory retention period, the medical records are destroyed in a way that makes it impossible to identify the patient concerned, or are issued to you or to a person authorised by you.
Data used for billing health services, as well as data used to pursue claims, are processed for the limitation period of those claims in accordance with the provisions of the Civil Code.
Data processed for the purposes of accounting and tax settlements are processed for a period of 5 years from the end of the calendar year in which the tax obligation arose.
If you have consented to marketing communication, the data are processed until you withdraw your consent to the processing of personal data for marketing purposes.
Your data may be made available to entities authorised under legal provisions, in particular in accordance with Article 26 of the Act of 6 November 2008 on patients' rights and the Patient Ombudsman, including, i.a., health care providers (to ensure the continuity of health services) and public authorities, including the Patient Ombudsman, the National Health Fund, self-government bodies of the medical professions, and national and voivodship consultants, to the extent necessary for the performance of their responsibilities, in particular supervision and inspection.
Your data may be transferred, on the data controller's instructions, to personal data processors, i.a., IT service providers, where such processors process the data under a contract with the data controller and only in accordance with the data controller's instructions.
In addition, if you have consented to marketing communication, your data may be passed on, on the data controller's instructions, to third-party personal data processors, i.a., IT service providers and marketing agencies, where such entities process the data under a contract with the data controller and only in accordance with the data controller's instructions.
TRANSFERRING DATA OUTSIDE THE EEA
Your personal data may be transferred to recipients located in countries outside the European Economic Area. In such a case, the transfer is based on an appropriate contract between the data controller and the recipient which contains the standard data protection clauses adopted by the European Commission.
DATA SUBJECT’S RIGHTS
You have the right to:
access your personal data – obtain confirmation from the controller as to whether your personal data are being processed and, if so, obtain access to them and the information indicated in Article 15 of the GDPR.
rectify your personal data – request that the controller rectify without delay personal data that are incorrect, and supplement incomplete personal data.
delete your personal data – request that the controller delete your personal data without delay if one of the conditions set out in Article 17 of the GDPR is met, i.a., when the personal data are no longer necessary for the purpose for which they were collected. The right to erasure may be limited by the controller's obligation to keep medical records.
restrict the processing of your personal data in the cases indicated in Article 18 of the GDPR, i.a., when you contest the accuracy of the personal data. The right to restrict processing may be limited by the controller's obligation to keep medical records.
transfer your personal data – receive your personal data from the data controller in a structured, commonly used, machine-readable format, if your data are processed on the basis of your consent and the processing is automated. You may transfer the data to another controller or request that the personal data be transferred directly from the controller to another controller, where technically possible.
object to the processing of your personal data in the cases provided for in Article 21 of the GDPR.
You also have the right to lodge a complaint with a data protection supervisory authority.
In order to exercise these rights, please contact the data controller or the data protection officer. Contact details are provided above.
INFORMATION REGARDING VOLUNTARY PROVISION OF PERSONAL DATA
The provision of personal data is a necessary condition for the provision of health services due to the legal requirements imposed on the controller, including, i.a., the need to maintain medical records. A refusal to provide data may constitute grounds for refusing to provide health care. Providing the data is also necessary to issue a bill or an invoice.
Providing personal data for marketing purposes is entirely voluntary; a lack of consent to marketing communication cannot be grounds for refusing to provide health care.
INFORMATION REGARDING AUTOMATED DECISION MAKING
Your personal data shall not be used for automated decision making.