Privacy policy

PRIVACY POLICY, INCLUDING COOKIE USAGE RULES

1. The privacy policy includes:
   1. all necessary information regarding the processing of personal data by MALO CLINIC Polska sp. z o.o. based in Warsaw (02-672) at ul. Domaniewska 37, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the capital city of Warsaw in Warsaw, XII Commercial Division of the National Court Register under KRS number: 0000242331, having NIP: 5252341737, REGON: 140078686, hereinafter referred to as "MALO CLINIC", in connection with the applicability of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the "General Data Protection Regulation" or "GDPR" (POINTS 2 TO 39);
   2. cookie usage rules (POINTS 40 TO 45).

PROCESSING OF PERSONAL DATA IN CONNECTION

WITH THE APPLICABILITY OF GDPR

2. From May 25, 2018, the "General Data Protection Regulation" ("GDPR") applies.
3. GDPR is applied directly, without the need to implement it into the Polish legal order, which means that no Polish laws or executive regulations need to be issued. According to Article 91(3) of the Constitution of the Republic of Poland, GDPR provisions take precedence in the event of a conflict with Polish laws.
4. GDPR applies to the processing of personal data in a completely or partially automated manner and to the processing of personal data in a non-automated manner that is part of a data set or intended to be part of a data set (see Article 2(1) GDPR).
5. GDPR introduces the following concepts relevant to personal data protection:
   1. "personal data" means information about an identified or identifiable natural person, where an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
   2. "processing" means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction (Article 4(2) GDPR);
   3. "controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7) GDPR);
      
   4. "processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
      
   5. "recipient" means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not;
      
   6. "data concerning health" means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
6. From the cited legal norms, it follows that the controller under GDPR is the healthcare entity, not the head of this entity, doctor, or other employee.
   
7. The controller of personal data of MALO CLINIC patients, i.e., the entity that independently determines the purposes and means of processing personal data, is MALO CLINIC Polska sp. z o.o. based in Warsaw (02-672) at ul. Domaniewska 37, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the capital city of Warsaw in Warsaw, XII Commercial Division of the National Court Register under KRS number: 0000242331, having NIP: 5252341737, REGON: 140078686.
   
8. GDPR provides in Article 5 the following "Principles relating to processing of personal data":
   1. the principle of lawfulness, fairness, and transparency – personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject;
      
   2. the principle of purpose limitation – personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
      
   3. the principle of data minimization – personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
      
   4. the principle of accuracy – personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
      
   5. the principle of storage limitation – personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
      
   6. the principle of integrity and confidentiality – personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
9. As a controller under GDPR, MALO CLINIC is responsible for compliance with the above principles and must be able to demonstrate compliance (accountability principle).
   
10. MALO CLINIC may process data of various categories of individuals, such as potential patients, patients, employees, job applicants, employees of commercial companies, and other entrepreneurs who are MALO CLINIC contractors.
    
11. MALO CLINIC may act as a processor of personal data on behalf of another entity (e.g., another healthcare entity) – in such cases, the entity deciding on the processing and responsible for the legality of the processing will be another data controller.
    
12. The principle of lawfulness means that processing is lawful if it is based on the consent of the data subject or on another legitimate basis provided by law, i.e., in GDPR or another EU legal act or in the law of a Member State, as referred to in GDPR.
    
13. According to Article 6(1)(c) GDPR, processing is lawful if it is necessary for compliance with a legal obligation to which the controller is subject. If processing is carried out for the purpose of fulfilling a legal obligation to which the controller is subject, the basis for processing should be Union law or the law of a Member State, it is sufficient if the legal norm constitutes the basis for various processing operations resulting from the legal obligation to which the controller is subject. In the recitals of GDPR, it is assumed that Union law or the law of a Member State should also specify the purpose of processing.
    
14. The purpose and legal basis for processing personal data by MALO CLINIC depend primarily on the context in which the data were collected and to whom the data relate. In some cases, MALO CLINIC may process data of the same person for different purposes and based on different legal grounds. The purpose and legal basis for processing are related to the category of persons whose data MALO CLINIC collects, what the data are needed for, and what legal obligations MALO CLINIC has in connection with the circumstances. These issues primarily determine why MALO CLINIC needs to process certain personal data.
    
15. MALO CLINIC provides information about data processing at the time of data collection from the data subject, and if the data are collected in another way, it informs immediately after obtaining the data or at the first contact with such a person. If providing information is excessively difficult, MALO CLINIC may refrain from direct informing, instead placing information publicly, e.g., on its website.
16. Processing of data by MALO CLINIC is necessary to fulfill legal obligations incumbent on the controller, such as:
    1. establishing identity before providing a health service (e.g., reporting for medical care, verifying data when scheduling a remote or in-office visit – Article 6(1)(c) and Article 9(2)(h) GDPR in conjunction with Article 25(1) of the Act of November 6, 2008 on Patients' Rights and the Patient Ombudsman (Journal of Laws of 2017, item 1318, as amended), hereinafter referred to as "u.p.p.", and § 10(1)(2) of the Regulation of the Minister of Health of November 9, 2015 on the types, scope, and patterns of medical documentation and the manner of its processing (Journal of Laws of 2015, item 2069, as amended), hereinafter referred to as the "Regulation on medical documentation";
       
    2. keeping, storing, and sharing medical documentation – Article 6(1)(c) and Article 9(2)(h) GDPR in conjunction with Article 24(1) u.p.p. and the Regulation on medical documentation;
       
    3. realizing the rights of MALO CLINIC patients, including accepting and storing statements authorizing access to medical documentation and providing information about the health status of MALO CLINIC patients – Article 6(1)(c) and Article 9(2)(h) GDPR in conjunction with Article 9(3) and 26(1) u.p.p. and § 8(1) of the Regulation on medical documentation;
       
    4. keeping accounting records, fulfilling tax obligations, issuing invoices – Article 6(1)(c) GDPR in conjunction with Article 74(2) of the Act of September 29, 1994 on Accounting.
17. Processing of personal data of MALO CLINIC patients is also carried out when it is necessary to achieve purposes resulting from the legitimate interests pursued by MALO CLINIC as the controller, such as:
    1. patient service, including maintaining contact with patients using the phone numbers and email addresses provided by them (confirming or canceling appointments, reminding patients about appointments, informing about facts related to the provided health services, including the need to prepare for a visit or procedure or the possibility of collecting test results – Article 6(1)(b) and (f) GDPR;
       
    2. pursuing claims arising from business activities – Article 6(1)(b) and (f) GDPR.
18. MALO CLINIC may send marketing correspondence to patients regarding its activities, including offers, information about goods, services, or promotions (according to the consent given by the patient – email addresses (emails) or phone numbers (sms, mms, or incoming calls) are used) – Article 6(1)(a) GDPR in conjunction with Article 172(1) of the Act of July 16, 2004 Telecommunications Law (Journal of Laws of 2017, item 1907, as amended) in conjunction with Article 10(2) of the Act of July 18, 2002 on the provision of electronic services (Journal of Laws of 2017, item 1219, as amended). This means that the telecommunications end devices and automatic calling systems used by MALO CLINIC for direct marketing purposes will only be used if the subscriber or end user has given prior consent. The use of these means for direct marketing purposes cannot be at the expense of the consumer (patient). Commercial information will only be sent if the recipient (patient) consents to receive it, in particular by providing an identifying electronic address for this purpose.
    
19. MALO CLINIC processes the following range of personal data for the purposes indicated above, including in particular:
    1. health data;
       
    2. identification data, including in particular those found in identity documents of persons using MALO CLINIC health services or representing other persons or entities in contacts with MALO CLINIC (e.g., names, PESEL numbers, identity document numbers);
       
    3. contact and address data (such as residential address, correspondence address, phone numbers, or email address);
       
    4. financial data, including data related to the financing of provided health services;
       
    5. data concerning marital status and family situation;
       
    6. technical data and data related to website searches, which may be personal data (e.g., IP addresses, cookie identifiers, data related to browsing history on MALO CLINIC websites, etc.).
20. Personal data processed by MALO CLINIC include "health data". According to Article 9(1) GDPR – as a rule – the processing of health data is prohibited. Exceptions to this prohibition are specified in Article 9(2) GDPR. In the case of MALO CLINIC, the norm from Article 9(2)(h) GDPR applies, according to which the prohibition on processing "health data" does not apply when processing is necessary for the purposes of preventive health care or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services based on Union or Member State law or pursuant to a contract with a health professional and subject to the conditions and safeguards referred to in Article 9(3) GDPR.
    
21. Personal data processed by MALO CLINIC, including "health data", are contained in medical documentation, including in the Medical Interview, which is covered by medical confidentiality.
    
22. MALO CLINIC, in order to provide medical care to the patient and verify their identity, requires the completion of a personal questionnaire, which includes the following data:
    1. patient's surname and first name(s);
       
    2. contact phone number and email address;
       
    3. date of birth;
       
    4. PESEL;
       
    5. residential address.
23. For marketing purposes, MALO CLINIC optionally collects information on whether the patient's employer has a cooperation agreement with MALO CLINIC and whether the patient's family members are also patients of MALO CLINIC, as well as information on the reasons for using MALO CLINIC services and the source of information about MALO CLINIC.
    
24. In connection with the provision of health services, MALO CLINIC creates medical documentation in which it documents information related to the treatment process, in particular information about the health status, as well as information about addictions or sexual preferences of patients. This information is collected if it is necessary for diagnosis and proper management of the treatment process.
    
25. MALO CLINIC asks the patient to provide an email address or phone number to ensure communication during the treatment process and for marketing correspondence.
    
26. Persons whose personal data are processed by MALO CLINIC can contact at the phone number: (+48 22 393 6333).
    
27. Recipients of personal data of persons whose data are processed by MALO CLINIC may be persons and entities listed in the Act of November 6, 2008 on Patients' Rights and the Patient Ombudsman (Journal of Laws of 2017, item 1318, as amended), to whom the Administrator is obliged to provide medical documentation.
    
28. MALO CLINIC does not transfer personal data to a third country (countries outside the European Union) or to an international organization.
    
29. The purpose of the GDPR is to ensure that every person has the possibility to protect their rights and freedoms and to ensure control over the processing of their data. A person whose data is processed by MALO CLINIC has the right to access their data and the right to rectify, delete, and restrict processing – to the extent and under the conditions specified in Articles 15, 16, 17, and 18 of the General Data Protection Regulation.
    
30. Right of access to data – the data subject has the right to obtain information, among other things, about what data MALO CLINIC processes, for what purposes they are processed, and to obtain a copy of them. An individual can request information from MALO CLINIC on whether MALO CLINIC processes their personal data.
    
31. Right to erasure (right to be forgotten) – the data subject can indicate the scope and circumstances justifying the requested deletion of data. For example, data is no longer necessary for the purposes for which it was collected, and there are no legal grounds for further processing, data is processed unlawfully. The right to erasure can be exercised in cases where MALO CLINIC has no legal grounds for processing the data. In the case of personal data contained in medical documentation, personal data cannot be deleted from it for the period specified in the Act on Patients' Rights and the Patient Ombudsman.
    
32. Right to data portability – the data subject has the right to receive in a structured, commonly used, machine-readable format the personal data concerning them that they have provided to MALO CLINIC. The data subject can submit a request for data portability. The information will be provided in the form of a file transferred on a password-protected CD.
    
33. Right to restrict processing – the data subject indicates that the conditions specified in Article 18 GDPR for restricting the processing of their data have been met, e.g., MALO CLINIC does not need certain data, there are no grounds for further processing, and the data subject requests the suspension of data operations or non-deletion of data. Each request to restrict data processing will require individual consideration regarding the existing grounds for data processing, the purpose, and the scope of their processing.
    
34. Right to rectification – whenever necessary, the data subject informs MALO CLINIC about changes to their personal data. A person whose personal data is processed by MALO CLINIC can request MALO CLINIC to rectify incorrect or complete incomplete personal data.
    
35. Right to object – at any time, an objection can be made to the processing of data in an automated manner, including profiling, as well as to the processing of data for marketing purposes. An objection to data processing can be submitted, for example, at the MALO CLINIC headquarters, by mail to the address of the MALO CLINIC headquarters.
    
36. A person whose data is processed by MALO CLINIC has the right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office, if they believe that the processing of their personal data violates the provisions of the GDPR.
    
37. In cases where consent is required for the processing of personal data and MALO CLINIC has obtained such consent, the person whose data is processed by MALO CLINIC has the right to withdraw consent at any time, without any negative consequences. Withdrawal of consent for the processing of personal data is possible only in cases where consent is the sole legal basis for data processing (e.g., consent cannot be withdrawn for data processing when it is processed for the purpose of fulfilling a contract, including pursuing claims by MALO CLINIC related to it). Consent may be the sole legal basis for processing data, e.g., potential patients of MALO CLINIC. All consents are given voluntarily and can always be withdrawn. Withdrawal of consent does not affect the right of MALO CLINIC to process data until the moment of its withdrawal.
    
38. Providing personal data necessary for maintaining medical documentation is a condition for starting the treatment process. The consequence of not providing personal data may be the refusal to provide medical services.
    
39. Data is processed in IT systems.

COOKIE USAGE RULES.

40. For the convenience of users of the maloclinics.pl website, cookies are used to tailor the service to the needs of users and for statistical purposes.
    
41. Cookies (so-called "cookies") are small text files sent by the visited website to the user's device (computer, smartphone, etc.). They do not contain any personal data.
    
42. The maloclinics.pl website uses two types of cookies:
    1. performance cookies (collecting information on how visitors use the website, e.g., most frequently visited pages or error messages, etc.);
       
    2. functional cookies (saving user settings, e.g., language, expressed consents, etc.), such as:

a) cookies google-analytics.com – used to conduct statistics for the gov.pl website; the exact operation and privacy policy of Google Analytics can be found at: http://www.google.com/analytics/learn/privacy.html,

b) cookies inspectlet.com – used to determine how users use the site; the exact operation and privacy policy can be found at: https://www.inspectlet.com/legal,

c) session cookies – these are temporary information stored in the browser's memory until the session ends, i.e., its closure.

43. External services to which we sometimes refer may also use cookies that allow logging in and delivering advertisements tailored to the user's preferences and behavior. In particular, such cookies are:
    1. on youtube.com – containing user preferences and a click counter; the privacy policy of the YouTube service is described at: http://www.google.pl/intl/pl/policies/privacy/;
    2. on player.vimeo.com and av.vimeo.com – allowing logging in, as well as cookies placed by advertisers to match the content and form of advertisements; the cookie policy of the Vimeo service is available at: http://vimeo.com/cookie_policy.
44. In most web browsers, you can: delete cookies from your computer's hard drive (from the browser settings), block all incoming cookies, or set a warning before saving them on the disk. It should be noted that changing these settings to limit the use of cookies may affect some functionalities available on websites that use them, e.g., preventing logging into an email account. Not changing these settings means accepting the use of cookies.
45. Changing cookie settings in the most popular browsers:
    1. Google Chrome: Menu > Settings > Show advanced settings > Privacy > Content settings > Cookies – select the appropriate option;
    2. Internet Explorer: Menu > Tools > Internet Options > Privacy – select the appropriate option;
    3. Mozilla Firefox: Menu > Options > Privacy > History – select the appropriate option;
    4. Opera: Menu > Preferences > Advanced > Cookies – select the appropriate option;
    5. Safari: Menu > Preferences > Privacy > Cookies – select the appropriate option.