Dear Sir or Madam,
In accordance with Art. 13 sections 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the GDPR), I inform you that:
- The administrator of your personal data is the Institute of Mother and Child, ul. Kasprzaka 17A, 01-211 Warsaw.
- You can contact the Data Protection Officer (DPO) on all matters related to the processing of your personal data. Contact details: Tomasz Andrasik, e-mail address: firstname.lastname@example.org, phone number 22 32 77 394.
- Your personal data is / will be processed by us for the following purposes: We first need to receive your application for health care. For this purpose, we need the following set of your data: name, surname, PESEL number, gender and date of birth (in the case of persons without a PESEL number), main place of health care, address of residence, relationship (in the case of persons reported by a family member). We may also receive your e-mail address and telephone number, but this data is not necessary for you to receive healthcare.
When you use healthcare, we create your medical records, in which we record all information about the treatment process. In particular, these records contain information about your health condition, as well as information about your addictions or sexual preferences. We collect this information if it is necessary to make a diagnosis and guide your treatment process properly.
We process your personal data as a medical entity, and the purpose of this processing is to provide healthcare and management of healthcare systems and services, which means:
The purposes of processing and the legal basis for processing:
- Establishing your identity before providing the service, in particular when you apply for medical care, when verifying data while arranging a remote visit, as well as in our facilities.
- Article 6 para. 1 lit. c and art. 9 item 2 lit. h GDPR in connection with art. 25 point 1 of the Act of November 6, 2008 on Patient Rights and the Patient Ombudsman (hereinafter referred to as the Act on Patient Rights) and §10 para. 1 point 2 of the Regulation of the Minister of Health of 9/11/2015 on the types, scope and templates of medical documentation and how to process it (hereinafter referred to as the MZ Regulation).
- As a medical entity, we are required to keep and store medical records.
- Article 9 item 2 lit. h GDPR in connection with art. 24 paragraph 1 of the Act on Patient Rights and § 8 para. 1 of the MZ Regulation.
- We exercise your rights as our patients, e.g. we receive and archive statements in which you authorize other people to access your medical records and to be provided with information about your health.
- Article 6 para. 1 lit. c GDPR in connection with art. 9 item 3 and art. 26 section 1 of the Act on Patient Rights and § 8 para. 1 of the MZ Regulation.
- We contact you at the phone number or e-mail address provided, e.g. to confirm your booking or cancel your medical consultation, remind you about this consultation, inform you about the need to prepare for the appointment or inform you about the possibility of receiving the test results.
- Article 6 para. 1 lit. f GDPR, as the legitimate interest of the administrator, which is care for patient service and efficient schedule management.
- Providing you with adequate care that is a response to your needs and improving the quality of our services are our priority, so during the period of care or after the service we can send you short surveys asking for information on what we can do better; you can inform us at any time that you do not want to receive such surveys.
- Article 6 para. 1 lit. f GDPR, as the legitimate interest of the administrator, which is to improve the quality of services and their adaptation to the needs of patients.
- As a data controller being an entrepreneur, we have the right to pursue claims arising from our business activities and thus process your data for this purpose.
- Art. 6 para. 1 lit. f GDPR, as the legitimate interest of the administrator, which is the pursuit of our claims and the defense of our rights.
- As an entrepreneur, we also keep accounting books and fulfil tax obligations, which may involve the processing of your personal data.
- Article 6 para. 1 lit. c GDPR in connection with art. 74 section 2 of the Accounting Act of 29.09.1994.
- Your data will be shared with the following recipients:
- medical staff employed under an employment contract (other medical practitioners) and other staff, including medical staff employed at the Institute under civil law contracts, to the extent necessary to perform services related to your stay and medical treatment - the above-mentioned persons are obliged to keep secret your personal data obtained in connection with the provision of medical services;
- other support staff who perform auxiliary activities while providing health services, as well as staff performing activities related to the maintenance of the IT system in which your medical documentation is processed and ensuring its security. The Institute's personnel process your personal data on the basis of the Administrator's authorization, to the extent necessary to perform services related to your stay and treatment - the above-mentioned persons are obliged to keep your personal data confidential;
- medical science students participating to the extent necessary for teaching purposes when providing health services - the above-mentioned persons are obliged to keep secret your personal data obtained in connection with the provision of medical services;
- persons performing, in addition to providing medical services, also research for scientific purposes - data for scientific purposes are available only in anonymous form;
- other entities with which the Institute has concluded contracts for the provision of services related to your stay and treatment, in particular this applies to entities providing services in the field of health services, diagnostics, transport, nutrition, consultation, service and maintenance of medical equipment and apparatus.
The Institute, under the applicable statutory authorizations, may also transfer your personal data as Patients and their statutory representatives, legal guardians or actual guardians of Patients to public entities that are authorized by law to obtain data, including: Patient Ombudsman, National Health Fund, Ministry of Health, Social Insurance Institution, national consultants, social assistance centers, orphanages, childcare centers, Courts, Police, Prosecutor's Office, including as part of proceedings conducted by these entities, as well as other entities and bodies not entitled to access personal data based on separate regulations.
- Your personal data will be processed by the Institute and entities listed in point 4 for the duration of the provision of health services and will be removed immediately after they lose their right to represent and decide on the Patient, as well as the loss or implementation of the authorization granted. However, to the extent that the personal data of the above-mentioned persons form part of the Patient's medical records, they will be processed for the time of performing health services and will be stored for a period resulting from separate provisions regarding the storage of medical records. We would like to inform you that, in accordance with the Act of 6 November 2008 on Patient Rights and the Patient Ombudsman, the entity providing health services keeps medical records for a period of 20 years from the end of the calendar year in which the last entry was made, except for:
- medical records in the event of death of the patient as a result of bodily injury or poisoning, which are stored for 30 years from the end of the calendar year in which the death occurred;
- medical documentation containing the data necessary to monitor the fate of blood and its components, which is stored for a period of 30 years from the end of the calendar year in which the last entry was made;
- X-ray images stored outside the patient's medical records, which are stored for a period of 10 years from the end of the calendar year in which the image was taken;
- referrals for examinations or doctor's orders, which are stored for a period of 5 years, counting from the end of the calendar year in which the health service being the subject of the referral or order of the doctor was granted, or 2 years, counting from the end of the calendar year in which the referral was issued - if the health service was not granted because the patient did not report within the set deadline, unless the patient received a referral;
- medical records for children up to the age of two, which are kept for a period of 22 years.
- Pursuant to the provisions of the Act of 14 July 1983 on the National Archival Resource and Archives, and pursuant to the Act of 6 November 2008 on Patient Rights and the Patient Ombudsman, medical documentation containing your personal data may be qualified for perpetual storage as archival documentation because of its special historical value. According to the provisions of art. 16b paragraph 2 point 2 of the Act on the National Archival Resource and Archives, individual medical records may be made available only after 100 years from the year in which the last entry was made.
- You have:
- the right to access data
- the right to receive a copy of the data
- the right to rectify data
- the right to delete data
- the right to limit processing
- the right to data portability
- the right to object
- the right to withdraw consent without affecting the lawfulness of processing undertaken prior to its withdrawal.
If it is impossible to fulfill the request, the administrator will inform you, giving the grounds for refusal, immediately, but not later than within one month from the date of the request.
- The right to object to the processing of personal data, to transfer, request to limit data processing and "The right to be forgotten" do not apply to personal data processed on the basis of art. 17 clause 3 lit. c) GDPR, including in particular data processed as part of medical records, and other personal data processed based on the above-mentioned premise.
- Your personal data will not be processed for marketing purposes without your explicit consent.
- If you feel that we are processing data contrary to the GDPR, you can lodge a complaint with us to the President of the Office for Personal Data Protection.
- Providing your data is a condition of using medical services, and in the case of data processed on the basis of legal provisions - a legal obligation. You can provide us with a phone number or email address, but failure to do so will not result in refusal to provide medical services.
Personal Data Administrator
GDPR for the patient
We invite you to read the information about the rights of the GDPR for the patient at