Privacy Policy
INFORMATION CLAUSE FOR PATIENTS OF NIEBOROWICE CLINIC IN NIEBOROWICE
Dear Sir/Madam,
pursuant to Article 13(1) and (2) of the General Data Protection Regulation of 27 April 2016 (“GDPR”), we inform you that:
I. The controller of your personal data is: Klinika Nieborowice spółka z ograniczoną odpowiedzialnością with its registered office in Nieborowice, ul. Kasztanowa 5, 44-144 Nieborowice, KRS: 0000702549, tel. +48 32 213 42 20, e-mail: info@klinika-nieborowice.pl (hereinafter: the “Clinic”).
II. Data Protection Officer (DPO).
The Clinic’s Data Protection Officer is Ms Katarzyna Kasprzak,
e-mail: incydent@klinika-nieborowice.pl, tel. +48 32 213 42 20, who can be contacted regarding the processing of your personal data by the Clinic.
III. Your personal data will be processed:
for the provision of medical services (including medical diagnosis, treatment and health care) and for the Clinic’s statutory obligations (management of medical services and settlement of provided medical services) on the basis of Article 9(2)(c) and (h) and Article 6(1)(c) and (d) GDPR, in connection with, in particular:
the Act of 27 August 2004 on health care services financed from public funds,
the Act of 28 April 2011 on the health care information system,
the Act of 6 November 2008 on patients’ rights and the Patients’ Rights Ombudsman,
the Act of 15 April 2011 on medical activity, and implementing regulations issued thereunder,
the Act of 11 March 2004 on tax on goods and services (VAT);
for the performance of a contract for the provision of a medical service, obtaining consent to perform treatment, and carrying out activities arising from that contract — pursuant to Article 6(1)(b) GDPR;
for the establishment, exercise or defence of legal claims, as part of the Clinic’s legitimate interests — pursuant to Article 6(1)(f) GDPR;
to exercise your patient rights, including receiving and archiving statements authorising other persons to access medical records or information about your health — pursuant to Article 6(1)(c) GDPR in conjunction with Article 9(3) and Article 26(1) of the Act on patients’ rights and § 8(1) of the Regulation of the Minister of Health;
for keeping accounting books and fulfilling tax obligations;
to ensure social security and manage social security systems and services, e.g., issuing medical certificates and sickness leave — pursuant to Article 9(2)(h) GDPR in connection with Article 3(1) of the Act on medical activity, Article 24 of the Act on patients’ rights and the Patients’ Rights Ombudsman, and Article 54 of the Act on cash benefits from social insurance in case of sickness and maternity;
to ensure the safety of persons and property through the use of CCTV monitoring that records images on the Clinic’s premises, which constitutes a legitimate interest of the Clinic — pursuant to Article 6(1)(f) GDPR, and, where applicable, Article 6(1)(d) GDPR (to protect the vital interests of the data subject or another natural person).
This involves observing those areas where it is necessary by means of devices enabling image recording (CCTV), when there is a need to apply monitoring in given rooms/areas, in order to ensure the safety of patients or employees and, where necessary, in the course of patient treatment.
for the use and dissemination of image (likeness) for marketing purposes on the basis of your consent — pursuant to Article 6(1)(a) GDPR (consent to process and use image/likeness).
IV. Providing your personal data to the extent required by applicable medical legislation is obligatory; in other cases it is voluntary. Failure to provide data required by law will make it impossible to provide you with health care services.
V. Recipients of your personal data may include:
entities authorised by the Clinic to process your personal data;
entities authorised to obtain data under the law, in particular under the Act of 6 November 2008 on patients’ rights and the Patients’ Rights Ombudsman;
processors under data processing agreements, in particular laboratories and diagnostic providers, entities administering and servicing IT systems, medical equipment, and other entities supporting the Clinic in providing medical and other services;
postal operators and courier service providers.
VI. Your personal data will not be transferred to a third country or an international organisation and will not be subject to automated decision-making, including profiling.
VII. Data retention periods depend on the legal basis for processing:
Data arising from the provision of health care services will be processed for the period specified in Article 29 of the Act of 6 November 2008 on patients’ rights and the Patients’ Rights Ombudsman (medical record retention periods).
Where data are processed under Article 6(1)(c) GDPR (legal obligation), data collected to fulfil legal obligations, including tax law, will be stored until those obligations are fulfilled and for the period required by law. Data processed for accounting and tax purposes are stored for the period indicated in Article 74 of the Accounting Act, i.e., as a rule for 5 years from the beginning of the year following the financial year to which the data relate.
Where data are processed under Article 6(1)(b) GDPR (contract), personal data will be processed until completion of all factual and legal activities necessary for performance of the contract or for securing possible claims.
Where data are processed under Article 6(1)(f) GDPR (legitimate interests), personal data will be processed until those legitimate interests are fulfilled or until you object to such processing. CCTV recordings will be retained for no longer than 3 months. If data are processed to pursue claims, they will be processed until the final conclusion of the dispute.
Where data are processed under Article 6(1)(a) GDPR (consent), personal data will be processed until you withdraw your consent.
VIII. Your rights.
You have the right to request from the Controller access to your personal data and a copy thereof, rectification, erasure or restriction of processing, to object to processing, and the right to data portability.
IX. Right to withdraw consent.
If the Clinic processes data on the basis of your consent, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing based on consent before its withdrawal.
You may withdraw consent:
by e-mail to: info@klinika-nieborowice.pl or incydent@klinika-nieborowice.pl,
in writing at the Registration Desk or Secretariat of Klinika Nieborowice sp. z o.o.,
by post to: ul. Kasztanowa 5, 44-144 Nieborowice, Poland.
X. Right to lodge a complaint.
You have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (PUODO) — if you believe that the processing of your personal data infringes the law.