RODO

Respecting your right to privacy and complying with data protection laws, the WILMED Medical Clinic processes personal data securely, ensuring access only to authorized and properly trained personnel, solely to the extent necessary for the tasks performed.

To ensure data security, the WILMED Medical Clinic has implemented appropriate organizational, technical (IT), and physical safeguards. WILMED Medical Clinic also makes every effort to ensure that its subcontractors and other cooperating entities guarantee an adequate level of security whenever they process personal data on behalf of the Data Controllers.

DATA CONTROLLER

  • BIOCONCEPT Sp. z o.o. operating the Wilmed Medical Center
    ul. Czerska 18, 00-732 Warsaw;
    phone: 692-407-540;
    email address: [email protected]

DATA PROTECTION OFFICER (DPO)

To ensure data security, the Data Protection Officer Dr. Katarzyna Mączyńska has been appointed, whom you can contact via email: [email protected]

TYPES AND CATEGORIES OF DATA

Depending on the purpose and legal basis of processing, WILMED Medical Clinic may collect and process, among others, the following data:

  • identifying data such as: first name, last name, PESEL number, date of birth, company name, NIP, REGON, business address, bank account number;
  • contact data such as: correspondence address, residential address, phone number, email address;
  • data collected during recruitment procedures: education, previous employment history, skills, references, image, other information voluntarily disclosed in application documents and during the recruitment process;
  • data collected and processed for the purpose of diagnosis and treatment, including in particular health data (regarding persons using medical services provided by WILMED Medical Clinic).

For patients, providing personal data is voluntary but constitutes a legal requirement for WILMED Medical Clinic to maintain documentation, including medical records, as specified by law. Failure to provide data may result in refusal to register a visit and refusal to provide medical services. Providing contact details facilitates communication with the patient (confirmation, cancellation of appointments).

For contractors, providing personal data is necessary to perform the contract.

For job candidates, providing personal data as required by law is necessary to participate in recruitment. Failure to provide such data may result in exclusion from the recruitment process. Providing other data by the candidate is voluntary and does not affect the possibility of participation in recruitment.

PURPOSE, LEGAL BASIS, AND DATA RETENTION PERIOD:

Regarding medical services provided by WILMED Medical Clinic

Patient registration, contract execution for medical services, and communication with the patient

  • Art. 6(1)(c) GDPR – legal obligation and Art. 9(2)(h) GDPR in connection with Art. 3(1) of the Medical Activity Act and Art. 24 of the Patient Rights and Patient Ombudsman Act
  • Medical records are kept for 20 years from the end of the calendar year in which the last entry was made, subject to exceptions specified in Art. 29 of the Patient Rights and Patient Ombudsman Act.

Patient visits for qualification as potential clinical trial participants

  • Art. 6(1)(b) GDPR – contract performance
    Art. 6(1)(c) GDPR – legal obligation and Art. 9(2)(h) GDPR in connection with Art. 3(1) of the Medical Activity Act and Art. 24 of the Patient Rights and Patient Ombudsman Act
  • Patient personal data resulting from clinical trials will be stored and processed for no less than 25 years after the study’s completion.

Provision of health services

  • Art. 6(1)(c) GDPR – legal obligation and Art. 9(2)(h) GDPR in connection with Art. 3(1) of the Medical Activity Act and Art. 24 of the Patient Rights and Patient Ombudsman Act
  • Patient personal data are stored for the duration of the medical service, but no longer than 20 years from the end of the calendar year in which the last entry was made in the medical documentation.

Authorization of third parties to information about the patient’s health status and medical documentation

  • Art. 6(1)(c) GDPR – legal obligation in connection with Art. 9 of the Patient Rights and Patient Ombudsman Act – exercising the patient’s right to information
    Art. 6(1)(c) GDPR – legal obligation in connection with Arts. 23, 26, and 27 of the Patient Rights and Patient Ombudsman Act and §§ 70(1) and 71 of the Regulation of the Minister of Health dated April 6, 2020, on types, scope, and templates of medical documentation and its processing – exercising the patient’s right to medical documentation
  • Authorizations together with medical documentation are stored for 20 years from the end of the calendar year in which the last entry was made, subject to exceptions specified in Art. 29 of the Patient Rights and Patient Ombudsman Act.

Issuing prescriptions for medicinal products, prescriptions for reimbursed: special nutritional foods, medical devices, medicinal products, orders for medical devices

  • Art. 6(1)(c) GDPR – legal obligation and Art. 9(2)(h) GDPR – ensuring healthcare
  • Prescriptions issued to patients are stored with medical documentation for 20 years from the end of the calendar year in which the last entry was made, subject to exceptions specified in Art. 29 of the Patient Rights and Patient Ombudsman Act.

Issuing referrals for tests or doctor’s orders

  • Art. 6(1)(c) GDPR – legal obligation and Art. 9(2)(h) GDPR usually in connection with Art. 54 of the Act on Cash Benefits from Social Insurance in case of sickness and maternity or other relevant social insurance law provisions
  • Referrals for tests are stored for: 5 years from the end of the calendar year in which the patient received the health service that was the subject of the referral or doctor’s order, and 2 years from the end of the calendar year in which the referral was issued if the health service was not provided due to the patient not reporting within the set deadline (unless the patient collected the referral).

Maintaining medical documentation

  • Art. 6(1)(c) GDPR – legal obligation, Art. 9(2)(h) GDPR in connection with Art. 3(1) of the Medical Activity Act and Art. 24 of the Patient Rights and Patient Ombudsman Act
  • Medical documentation is stored for 20 years from the end of the calendar year in which the last entry was made, subject to exceptions specified in Art. 29 of the Patient Rights and Patient Ombudsman Act.

Contact with patients via contact forms on the website

  • Art. 6(1)(f) GDPR – legitimate interest
  • Until the data subject objects to the processing of their personal data for purposes related to responding to messages sent via the contact form.

Establishing, pursuing claims, and defense against claims

  • Art. 6(1)(f) GDPR – processing is necessary for purposes of legitimate interests pursued by the Controller
  • Limitation period for claims as provided by law

Regarding business contacts with WILMED Medical Clinic

Contract conclusion and execution

  • Art. 6(1)(b) GDPR – contract performance
    Art. 6(1)(f) GDPR – legitimate interest
  • Up to 3 years from the end of the year in which the contractual obligation expired.

Regarding electronic and traditional correspondence with WILMED Medical Clinic

Conducting electronic and traditional correspondence

  • Art. 6(1)(f) GDPR – legitimate interest
  • The retention periods applicable to the relevant data set and personal data processing procedure apply.

Regarding candidates participating in the recruitment process at WILMED Medical Clinic

Recruitment of auxiliary, administrative, and medical staff

  • Art. 6(1)(b) GDPR – taking action at the request of the data subject prior to contract conclusion
    Art. 6(1)(c) GDPR – legal obligation under the Labor Code and Art. 6(1)(f) GDPR – legitimate interest of the Data Controller
  • Documents are deleted immediately after the recruitment process ends

COLLECTION OF PERSONAL DATA

Patients using medical services:

Data are collected directly from you or an authorized person during appointment registration and medical service provision. WILMED Medical Clinic may also obtain your data from other medical entities as part of sharing medical documentation if necessary to ensure continuity of healthcare services.

Contractors establishing business relationships:

Data are collected directly from you before contract conclusion or during its execution.

Candidates participating in the recruitment process:

Data are collected directly from you in application documents.

Persons conducting correspondence electronically and traditionally:

Data contained in correspondence are collected directly from you.

RECIPIENTS OF PERSONAL DATA

Access to your personal data may be granted to:

  • employees and associates of WILMED Medical Clinic authorized to process personal data;
  • for personal data processed for healthcare services – other medical entities to ensure continuity of treatment and availability of healthcare services;
  • entities to whom WILMED Medical Clinic has entrusted personal data processing;
  • other entities, persons, or authorities – to the extent and under the conditions specified by law, including persons authorized by you in exercising patient rights;
  • in the case of personal data processed for potential clinical trials, pseudonymized patient data are made available to clinical trial sponsors

RIGHTS RELATED TO PERSONAL DATA PROCESSING

In connection with the processing of personal data by WILMED Medical Clinic, you have the right to:

  • access your personal data (Art. 15 GDPR);
  • rectify your personal data (Art. 16 GDPR);
  • request deletion of data in cases specified in Art. 17(1), considering exceptions in Art. 17(3) GDPR;
  • request restriction of data processing in cases specified in Art. 18 GDPR;
  • object to data processing based on legitimate interest, observing appropriate data processing periods (Art. 21 GDPR);
  • data portability in cases specified in Art. 20 GDPR;
  • file a complaint with the supervisory authority (President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw) if you believe that the processing of your personal data violates GDPR provisions.

The rights indicated in points 3, 4, and 5 do not apply to personal data collected in medical documentation.

Your personal data will not be subject to profiling resulting in decisions based solely on automated processing (without involvement of medical or administrative personnel) that produce legal effects or similarly significantly affect patients.

 

Contact

Address

ul. Wiktorii Wiedeńskiej 9a lok.U2
02-954 Warszawa - Wilanów

Data Protection Officer
Katarzyna Mączyńska - MBRK
[email protected]

Opening hours

Monday to Friday
from 08:00 to 20:00