PATIENT INFORMATION CLAUSE
on data processing as required by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”).
1. Data of the Personal Data Controller
The Administrator of your personal data (hereinafter: “Administrator”) is EFFI Clinic sp. z.o.o. sp.k., ul. Sokołowskiego 19, 31-436 Kraków.
The Administrator may be contacted in writing, by mail to the address of the company’s registered office indicated above or by e-mail to: email@example.com.
2. The Purposes of the Processing, the Legal Basis and the Processing Period
Patients’ personal data are processed for the following purposes and on the following legal basis:
- 1. the provision of health services, including the maintenance of medical records and activities related to the provision of these services and in order to carry out preventive health care – on the basis of Article 6 (1) (b) or (c) of the GDPR and in the scope of health data or other data of special categories on the basis of Art. 9 (2)(h) GDPR in connection with Article 3 (1) of the Act on Health Care Activities and Article 24 of the Act on Patients’ Rights and Patients’ Rights Spokesman and the Regulation of the Minister of Health on types, scope and models of medical records and the manner of their processing (hereinafter the Regulation of the Minister of Health);
- 2. management of health care services, settlements with the payer, keeping and storing medical records, verification of identity during registration and before the visit – Article 6 (1)(c) and Article 9 (2)(h) GDPR in connection with Article 3 (1) of the Act on Health Care Activities and Article 24 and 26 of the Act on Patients’ Rights and Patients’ Rights Spokesman, §10 (1)(2) of the Regulation of the Minister of Health, Article 32 in connection with Article 3 (1) of the Act on Health Care Information System;
- 3. compliance with the obligations incumbent on the controller and resulting from legal regulations, i.e. keeping accounting and tax records – on the basis of Article 6 (1)(c) of the GDPR in connection with the provisions of the Act on medical activity, Article 74 (2) of the Act on accounting, the Act on patient rights and Patient Rights Spokesman, the Act on information system in health care;
- 4. protection of rights and assertion of claims by the Administrator in connection with its activities – on the basis of Article 6 (1)(f) of the GDPR;
- 5. telephone number or e-mail address may be processed e.g. for the purpose of confirming or cancelling an appointment or procedure, informing about the possibility of collecting test results – pursuant to Article 6 (1)(b) and (f) of the GDPR, which constitutes a legitimate interest of the Data Administrator, i.e. services to patients;
- 6. If you have given your consent for marketing communication, your data may be used for marketing purposes in relation to the products and services offered by the Administrator – on the basis of Article 6 (1)(f) of the GDPR, however, the controller may use electronic means of communication only after you have given your consent to receive commercial and marketing materials using this form of communication, in accordance with the provisions of the Act on Rendering Electronic Services and the Telecommunications Law. Giving consent is voluntary.
3. Period of patient data processing
- 1. Patients’ personal data will be processed for the period necessary to fulfil the purposes set out in paragraph 2.1 above, unless legal regulations oblige the Data Administrator to store them further.
- 2. Patients’ data obtained in connection with the provision of health services will be processed for the period necessary for the provision of the service and the performance of the contract for medical services, and thereafter in the scope and for the period determined in accordance with Article 29 (1) of the Act on Patients’ Rights and the Patients’ Ombudsman.
- 3. Any data processed for accounting and tax purposes shall be processed for 5 years calculated from the end of the calendar year in which the tax liability arose.
4. Information about the voluntary nature of the data
- The provision of personal data is voluntary but necessary in order to receive a health service. The consequence of not providing it will be the inability to receive a healthcare service. Failure to provide data may result in refusal to book an appointment or provide a healthcare service.
- Legal obligations of the Data Administrator resulting from tax law and accounting require processing of personal data; failure to provide such data may result in e.g. inability to issue an invoice or personal bill. Providing a telephone number or an e-mail address is done on a voluntary basis – their failure to provide will not result in a refusal to provide healthcare services, but it may hinder the service and management of healthcare services, e.g. by the inability to receive notifications, confirmation of visits or their cancellation.
- The provision of personal data for marketing purposes is entirely voluntary; the lack of consent for electronic marketing communication cannot be a basis for refusing to provide a health service.
5. Data recipients
- Personal data may be made available to entities entitled on the basis of legal regulations, in particular pursuant to Article 26 of the Act of 6 November 2008 on Patients’ Rights and Patients’ Rights Ombudsman, including, among others, entities providing health services to ensure continuity of health services and public authorities, including the Patients’ Rights Ombudsman, the National Health Fund, regulatory bodies colleges for medical professions and national and provincial consultants, to the extent necessary for these entities to perform their tasks, in particular supervision and control.
- Patient’s data may be transferred to entities processing personal data on behalf of the Data Controller, among others, to processors who provide services to the Data Controller under the contract concluded with the Data Administrator. Examples of the aforementioned entities: IT service providers, doctors, employees and auxiliary staff, nurses, IT companies, accounting offices, law firms, or other entities which are bound by contract with the Data Administrator and exclusively according to the Administrator’s instructions.
- Data may be transferred to persons who have been authorised by the patient.
6. Transfers of data outside the European Economic Area (EEA)
Data shall not be transferred.
7. What rights do you have in relation to the processing of your personal data?
a. Request from the Administrator access to your personal data,
b. Request from the Administrator the correction of your personal data,
c. Request from the Administrator the erasure of your personal data,
d. Request from the Administrator the restriction of processing of your personal data,
e. Object to the processing of your personal data,
f. Transfer your personal data,
g. Make a complaint to the supervisory authority.
Additionally, where processing is based on consent, you have the right to:
h. withdraw your consent to data processing at any time.
I declare that I have read and understood the information clause