Here is all the necessary information regarding the processing of your personal data in connection with the provision of healthcare services and the marketing consents you have provided to us.

Who is the controller of your personal data?

The controller of your data is “PALEY EUROPEAN INSTITUTE SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ“ with its registered office in Warsaw; address: Al. Rzeczypospolitej 1, 02-972 Warszawa, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw, 13th Economic Division of the National Court Register under KRS No. 731870, Regon: 380240540, TIN: 5223125965.

You may contact the Controller by writing to: PALEY EUROPEAN INSTITUTE SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in Warsaw; address: Al. Rzeczypospolitej 1, 02-972 Warszawa.

For matters pertaining to the processing of personal data and the exercise of your rights in relation to data processing, please reach out to us at: PALEY EUROPEAN INSTITUTE SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in Warsaw; address: Al. Rzeczypospolitej 1, 02-972 Warszawa.

You may also contact the designated Data Protection Officer by sending an email to: iod@paleyeurope.com.

Definitions and abbreviations:

GDPR – Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free flow of such data, and repealing Directive 95/46/EC;

Act on Patients’ Rights of 6 November 2008 on Patients’ Rights and Patients’ Rights Ombudsman;

Regulation of the Ministry of Health – Regulation of the Minister of Health of 9 November 2015 on Types, Scope and Models of Medical Records and the Manner of their Processing; and Regulation of the Minister of Health of 8 May 2018 on Types of Electronic Medical Records.

What data do we process?

The data you provide during the registration process in our facility will be utilized to safeguard your health, deliver medical services, oversee the provision of these services, and facilitate your treatment.

The data we process in connection with the provision of services include: first name and last name, family name at birth, date of birth, gender, PESEL number, or, in the absence of a PESEL number, the series and number of the identity document, address of residence, first and last name of the legal representative, and the address of their residence if the beneficiary is a minor or a person who is completely incapacitated. In addition to the data listed above, optional are telephone number and e-mail address.

While the use of our services is entirely voluntary, as a healthcare entity, we are obligated to maintain medical records in accordance with legal requirements, including the identification of the patient using their personal data. Failure to provide data may lead to a refusal to book an appointment or provide healthcare. Furthermore, we are legally obligated to process your data for accounting or taxation reasons. Failure to comply may result in our inability to issue an invoice or personalized bill to you.

If you choose to provide us with your telephone number or email address, please note that this is done on a voluntary basis. While failure to do so will not result in a refusal to provide you with healthcare, it means that you will not receive a confirmation of your appointment from us, and you won’t have the option to cancel it, for example, by text message. The expression of any marketing consents is also on a voluntary basis. Refusing them does not impede your ability to use the Controller’s services. Additionally, you have the right to revoke the consent given to us at any time.

During the provision of health services, we create a medical record in which we document all information related to the treatment process, including details about the condition. This information is collected when necessary for making a diagnosis and guiding the treatment process appropriately.

To send you marketing communications and stay in regular contact, we require your email address or telephone number, and we may also request your first name to personalize our communications. Your consent for data processing for marketing purposes encompasses any information you have provided while using Paley European Institute services, which may include identification data (such as first name, last name, gender, date of birth, age, locality). However, please be assured that we do not access your medical records – only authorised individuals have access to this information.

For what purpose and on what basis do we process your personal data?

Your personal data is processed for the purposes of:

1. Protection of your health condition, provision of medical services, billing of the services provided, management of the provision of these services and treatment (the legal basis for the processing of the data obtained in the field of medical activity, including the maintenance of medical records, is Article 6(1)(b) and (c) of the GDPR, in connection with the provisions of the Act of 15 April 2011 on Medical Activity and the Act on Patients’ Rights).
2. Improvement of the contact by providing additional data, such as a telephone number or email address. The provision of this data is entirely voluntary and does not affect the scope of healthcare services provided, nor is it necessary for the purpose of providing these services by the healthcare entity. The legal basis for processing voluntarily provided data is consent (Article 6(1)(a) GDPR).

Article 6(1)(d) of the GDPR may also be the legal basis for processing data to the extent that it is necessary to protect the vital interests of the patient. To the extent that the data processed includes special categories of data, the legal basis for the processing is Article 9(2)(c), (h), and (i) of the GDPR.

Who do we transfer the personal data to?

As a healthcare entity, we prioritize the confidentiality of data. This is essential for ensuring proper organization, including IT infrastructure, and addressing day-to-day matters related to our activities. It also contributes to the realization of your rights as a patient. Personal data may be transferred to the following categories of recipients:

1. to other healthcare entities who cooperate with Paley European Institute to ensure the continuity of treatment and the availability of healthcare within their facilities, 2. to service providers who supply Paley European Institute and who manage our organisation (in particular ICT service providers, diagnostic equipment suppliers, courier and postal companies), 3. to service providers who support the Paley European Institute in the area of marketing (text messaging and e-mail companies), 4. to legal and advisory service providers and service providers who support the Paley European Institute in the assertion of due claims, 5. to persons authorised by you in the exercise of your rights as a patient.

As healthcare entities, we care about the confidentiality of your data. Due to the need to ensure that we are properly organised, e.g. with regard to IT infrastructure or day-to-day matters concerning our business as an entrepreneur, we may pass on your data to other recipients if this is necessary for the purposes of our business.

For how long is my personal data processed?

If you are our patient and we have created your medical records, we are obligated to keep them for at least 20 years from the date of the last entry. Beyond this time limit, if we have processed the data for asserting claims (e.g., in debt collection proceedings), we will retain the data for the period of the statute of limitations under the Civil Code. All data processed for accounting purposes and tax reasons will be retained for 5 years, calculated from the end of the calendar year in which the tax liability arose. If you have given us consent to process your data for marketing purposes, we will retain your data from the time you provide consent until you withdraw it. After the specified periods, your data will be deleted or anonymized. After the above-mentioned periods your data is deleted or anonymised.

What rights do you have in relation to data processing?

You have the right to request access to your data, rectification, erasure or restriction of processing, as well as to withdraw your consent at any time or form. The withdrawal of consent does not affect the lawfulness of the processing carried out based on consent before its withdrawal. You also have the right to object to processing and the right to data portability.

If you believe that your personal data is being processed unlawfully, you have the right to lodge a complaint with the President of the Personal Data Protection Office.

The Controller will not make automated decisions, including decisions resulting from profiling, with regard to you based on your personal data. Profiling refers to any form of automated processing of personal data used to evaluate certain personal factors of an individual. This includes the analysis or prediction of aspects related to the individual’s work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.