§ 1 [general provisions]
2. Any amendments to the Policy apply from their publication at the portal.
3. For the purposes hereof, the (personal data) controller will be understood as Winkler Clinic LTD. in Poznań (61-144), registered address: ul. B. Krzywoustego 114 (Poland), Tax-ID: 953-260-44-82, phone number: +48 602 55 88 78, e-mail address: firstname.lastname@example.org.
4. The controller does not designate a data protection officer.
§ 2 [personal data processing]
1. The use of the portal may result in the processing of the following ordinary categories of personal data such as the user’s first name, surname, e-mail address, IP address, as well as special categories of personal data such as data concerning health, including MRI imaging data. This kind of personal data is being processed as part of the portals functionality called “initial qualification”. Any other data obtained in connection with the use of the portal services, e.g. session data, web browser data, etc., are basically non-personal data as they cannot be directly related to a specific natural person but – as a matter of precaution – the controller secures such data as well.
2. The aforementioned data are being processed for the purpose of providing electronically supplied services and handling any complaints. By using the portals functionality called “initial qualification” the personal data provided within it are being processed for the purpose of providing electronically supplied services, as well as providing health services and running a business by the controller. The processing of personal data with the use of the Facebook Instagram or YouTube plug-ins is aimed to communicate and promote the portal operation in social media.
3. The above mentioned scope of personal data constitutes the maximum scope of data undergoing processing. Under given circumstances it’s possible to process an even lesser amount of personal data.
4. The provision of any personal data is always voluntary, but it may be necessary in order to use the services available at the portal, as well as receive health services provided by the controller.
5. Personal data will be processed for the time arising from the purpose of the processing, but no longer than for the period permitted by mandatory law.
6. Personal data are not subject to processing by automated means or to profiling, with the exception of the following situations:
a) using a Facebook, Instagram or YouTube plug-in; in such cases, the processing of such personal data is the responsibility of the owner of the portals in question.
b) the controller can process the patient’s personal data as part of the portals functionality called “initial qualification”, which may be considered a kind of personal data processing by automated means in regard to the personal data of these patients.
7. The personal data can also be subject to processing by automated means, should the user decide to use the payment feature included within the „initial qualification” service, in which case the Data controller in regard to this payment feature will be the entity, which provides this service.
§ 3 [basis for personal data processing]
1. The legal basis for the processing of personal data is the following:
a) in the case of the provision of electronically supplied services and the handling of complaints – Art. 6, Paragraph 1 (b) GDPR,
b) in the case of the use of a Facebook, Instagram or YouTube plug-in – Art. 6, Paragraph 1 (a) GDPR,
c) in the case of using the portals functionality called “initial qualification” – Art. 6, Paragraph 1 (b) GDPR, Art. 9, Paragraph 2 (h) GDPR, as well as health assessment in accordance with Art. 42 (1) of the Polish Physician’s and Dentist’s Profession Act,
d) Art. 6, Paragraph 1 (f) GDPR, i.e. where necessary for the establishment, exercise or defence of legal claims.
§ 4 [the recipients and transmission of data]
1. The recipients of personal data may be persons or parties working with the controller , as well as the controller’s employees and the competent authorities.
2. Personal data are not being transferred to any third countries or international organisations, except in case of processing the personal data by Facebook, Instagram or YouTube outside of the European Economic Area, which these entities are liable for.
§ 5 [the data subject’s rights]
1. Every data subject has the following rights:
a) the right of access to his or her personal data, including the right to obtain a copy of the data,
b) the right to request the rectification of his or her personal data,
c) the right to request the erasure of his or her personal data in cases indicated in Article 17 GDPR,
d) the right to request the restriction of the processing of his or her personal data,
e) the right to object to personal data processing in cases indicated in Article 21(1) GDPR,
f) the right to personal data portability,
g) the right to withdraw his or her consent, where such consent has been given, which does not affect the lawfulness of processing based on consent before its withdrawal,
h) the right to lodge a complaint with the President of the Personal Data Protection Authority.
2. Any of the aforementioned rights must be exercised by contacting the personal data controller indicated in § 1 point 3 of the Policy
§ 6 [final provisions]
1. The provisions of the GDPR and personal data protection rules apply in all matters not regulated herein.
2. More detailed regulations concerning the protection of personal data by the controller are contained in the internal Personal Data Protection Policy.
3. The treatment of cookies is regulated in a separate document.