Privacy Policy

Data of the Personal Data Controller

The Controller of your personal data is Scanmed S.A. with its registered office in Warsaw, ul. Okrzei 1A, 03-715 Warsaw, NIP [Tax Identification Number]: 6751209442, REGON [National Business Registry Number]: 351618159.

Contact details of the Personal Data Controller and the Data Protection Officer

You can contact the Personal Data Controller via e-mail at biuro@scanmed.pl, or in writing to the address of the Controller’s registered office indicated above.

The Controller has appointed a Data Protection Officer, who can be contacted via e-mail at iod@scanmed.pl or in writing to the Controller’s registered address.


The Data Protection Officer can be contacted on all matters concerning the processing of personal data and the exercise of rights related to data processing.

 

Data source – where is the data sourced from?

As a rule, personal data is provided by you directly at the time of registration: in person, through the e-registration system, via the helpline, by using the contact form on the Controller’s website, or by accepting cookies.
In the case of occupational health services, data may also be provided by the employer referring you for examination.
In the case of continuation of treatment started elsewhere, data may also be received from other medical facilities.
In special situations justified by your state of health, your personal data may be obtained from your relatives.

Scope of the processing of personal data

For the purpose of scheduling appointments, your data including your first name, surname, gender, PESEL number or date of birth (in case of lack of a PESEL number), telephone number and e-mail address will be processed. The aforementioned data is also used for identity verification prior to providing healthcare services.
As a healthcare provider, the Personal Data Controller is obliged to keep and maintain medical records, the content and scope of which are determined by the applicable legislation. Data contained in the records include, inter alia, a description of the treatment and diagnostic process.
If you have provided consent for marketing communications, your e-mail address or telephone number, as well as your first and last name, are used.

Purposes and legal basis of processing

The processing of your personal data is necessary for the purposes of providing health care services (diagnostics, prevention, therapy) and managing health care services (e.g., billing to the payer, maintaining and storing medical records, identity verification prior to appointments).
* Legal basis: Article 9 section 2 letter h of the GDPR in conjunction with the provisions regulating the process of providing health care services, in particular the provisions of the Act of 15 April 2011 on Therapeutic Activity, the Act of 6 November 2008 on Patient Rights and the Patient’s Rights Ombudsman and the Act of 27 August 2004 on Health Care Services Financed from Public Funds.
Your data may also be processed for bookkeeping and tax purposes.
* Legal basis: Article 6 section 1 letter c of the GDPR in conjunction with the provisions of the Act of 29 September 1994 on Accounting and the Act of 11 March 2004 on Tax on Goods and Services.
The data may also be processed for the purpose of defending rights and asserting claims by the Controller in connection with its conducted activities.
* Legal basis: Article 6 section 1 letters b and f of the GDPR.
If you have given your consent to marketing communications, your data may be used for marketing purposes in relation to the products and services offered by the Controller.
* The legal basis for the processing of this data is your consent, pursuant to Article 6 section 1 letter a of the GDPR.
The Controller also processes your personal data in connection with your visits to the Controller’s social media profiles (e.g. Facebook), including through the use of social plugins (e.g. Like, f, YouTube, Share, Comment buttons). These are tools that make it possible to inform you and your social media friends about the Controller’s activities on other sites.
* The legal basis for processing this data is the legitimate legal interest of the Controller, which is to promote Scanmed’s own services and brand, in accordance with Article 6 section 1 letter f of the GDPR.
In connection with using social media plugins and visiting the Controller’s social media profiles, the social media platform becomes a Joint Controller of your personal data.
The scope of personal data processing, detailed purposes, rights, and obligations of individuals visiting the social media platform are directly determined by the terms and conditions of the respective social media platform (Joint Controller). For additional information, we encourage you to familiarise yourself with the content of the specific terms and conditions of the Joint Controller, available on the social media platform.

Data storage period

Your data will be stored for a period specified by legal regulations, particularly for a duration outlined by, among others, Article 29 of the Act of 6 November 2008 on Patient’s Rights and the Patient’s Rights Ombudsman. Medical records are generally kept for at least 20 years from the end of the calendar year in which the last entry was made. After the statutory storage period for medical records expires, they will be destroyed in a manner that prevents the identification of the patient they pertained to, or they will be handed over to you or a person authorised by you. Data used for health care settlement purposes, as well as data used for the assertion of claims, will be processed for the period of limitation of these claims in accordance with the provisions of the Civil Code.
Data processed for accounting and tax settlement purposes will be processed for a period of 5 years from the end of the calendar year in which the tax liability arose.
If you have given consent for marketing communications, your data will be processed until you withdraw your consent to the processing of your personal data for these purposes.
Data processed on the basis of the legitimate legal interest of the Controller will be processed until you raise an effective objection or the purposes of the processing expire.

Data recipients

Your data may be made available to entities authorised by law, especially in accordance with Article 26 of the Act of 6 November 2008 on Patient’s Rights and the Patient’s Rights Ombudsman, including, inter alia, entities providing health services to ensure continuity of health services and public authorities, including the Patients’ Rights Ombudsman, the National Health Fund, bodies of the self-government of medical professions and national and voivodeship consultants, to the extent necessary for them to perform their tasks, particularly supervision and control.
Your data may be transferred to entities processing personal data on behalf of the Controller, e.g. to IT service providers, including e-registration systems, and to Personal Data Processors that belong to the Scanmed Group, to which the Personal Data Controller belongs. These entities process data based on an agreement with the Controller and solely in accordance with the Controller’s instructions.
Furthermore, if you have given consent for marketing communication, your data may be transferred to entities processing personal data on behalf of the Controller, including IT service providers or marketing agencies, as well as Personal Data Processors that belong to the Scanmed Group, to which the Personal Data Controller belongs. These entities process data based on an agreement with the Controller and solely in accordance with the Controller’s instructions.

Transfer of data outside the EEA

Your personal data may be transferred to recipients located in countries outside the European Economic Area. In such cases, the data transfer will be based on an appropriate agreement between the Personal Data Controller and the recipient, which will include the standard data protection clauses adopted by the European Commission.

Rights of the data subject

You have the right to:
Access your personal data – to obtain confirmation from the Controller as to whether your personal data is being processed and, if so, to obtain access to it and to receive information to the extent indicated in, inter alia, Article 15 of the GDPR.

Rectify your personal data – to request the Personal Data Controller to promptly correct inaccurate personal data and complete incomplete personal data.

Erase your personal data – to request the Controller to immediately erase your personal data if one of the grounds set out in, inter alia, Article 17 of the GDPR has been met, for example where the personal data is no longer necessary for the purposes for which it was collected. The right to erasure may be limited due to the Controller’s obligations in relation to the maintenance of medical records.

Restrict the processing of your personal data in cases specified in, among others, Article 18 of the GDPR, for example, if you question the accuracy of personal data. The right to restrict processing may be limited due to the Controller’s obligations in relation to the maintenance of medical records.

Personal data portability – to receive your personal data from the Controller, in a structured, commonly used machine-readable format, if your data is processed based on consent and the processing is carried out by automated means. You may send this data to another Controller or request that the personal data be sent by the Controller directly to another Controller, insofar as this is technically possible.
Object to the processing of your personal data in the cases set out in, inter alia, Article 21 of the GDPR.

You also have the right to lodge a complaint to the data protection supervisory authority. To exercise the above rights, please contact the Personal Data Controller or the Data Protection Officer. The contact details are indicated above.

Information on the voluntary provision of data

The provision of personal data is a necessary condition for the provision of health services due to legal requirements imposed on the Personal Data Controller, including but not limited to the need to maintain medical records. Refusal to provide data may be grounds for refusal to provide health services. Providing data is also necessary for issuing bills or invoices.
The provision of personal data for marketing purposes is entirely voluntary; the lack of consent for marketing communications cannot be a basis for denying healthcare services.

Information on automated decision-making

Your personal data will not be used for automated decision-making.
