We would like to inform you that in accordance with the General Data Protection Regulation (hereinafter referred to as “GDPR”):
Data Controller
The controller of your personal data is Zbigniew Mazan, conducting business under the name Zbigniew Mazan Klinika Chirurgii Mazan, with its registered office at ul. Brzozowa 54, 40-170 Katowice, NIP 6252029012 (hereinafter: the “Controller”). You can contact the Controller at: sekretariat@klinika-mazan.pl or in writing to the registered office address indicated above.
Contact
To obtain additional information about the processing of your personal data, please contact our Data Protection Officer (DPO) at: iod@klinika-mazan.pl.
Purposes and Legal Bases for Processing
We will process your personal data for the purpose of:
- providing healthcare services, maintaining medical records and fulfilling other legal obligations of the Controller (legal basis: legal obligation – Article 6(1)(c) GDPR and Article 9(2)(h) GDPR);
- ensuring the exercise of patients’ rights (as well as the rights of their legal representatives or other persons authorized to act on their behalf), in particular with respect to providing information or medical documentation (legal basis: legal obligation – Article 6(1)(c) GDPR);
- marketing and promotion, e.g. using the patient’s image or providing additional information (legal basis: the patient’s voluntary consent – Article 6(1)(a) GDPR and Article 9(2)(a) GDPR);
- establishing, pursuing and defending against potential claims (legal basis: Article 6(1)(f) GDPR).
Providing personal data is voluntary; however, refusal to provide such data may result in the inability to achieve the above purposes of processing by the Controller.
Your Rights in Connection with Processing
Under the GDPR, you have the right to:
- access your personal data and obtain a copy thereof (Article 15 GDPR);
- rectify your data (Article 16 GDPR);
- erase your data (Article 17 GDPR);
- restrict processing (Article 18 GDPR);
- data portability (Article 20 GDPR);
- withdraw your consent – if consent was the basis for processing (Article 7(3) GDPR);
- object to the processing of your data – where processing is based on the Controller’s legitimate interest (Article 21 GDPR);
- lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych) if you believe that the processing violates the GDPR.
Please send requests regarding the above rights to: iod@klinika-mazan.pl. To ensure that you are authorized to submit a request, we may ask you to provide additional information enabling us to verify your identity.
Data Retention Period
Personal data will be stored:
- for the duration of providing healthcare services;
- for the period resulting from legal obligations;
- for the period necessary to secure potential claims (in line with the applicable limitation periods);
- where data are processed on the basis of your voluntary consent – until it is withdrawn;
- where data are processed on the basis of the Controller’s legitimate interest – until an effective objection is raised.
Data Recipients
The Controller may disclose processed data to:
- its employees and associates who, within a specified and limited authorization, may have access to the data in connection with their official duties;
- external entities to whom the Controller has entrusted the processing of personal data, in particular providers of technical services (e.g., IT services and IT system providers);
- authorized entities, within the scope and on the terms provided for by law.
Data Transfers
As a rule, data are not transferred outside the European Economic Area. Where this becomes necessary (e.g., due to IT systems being serviced by subcontractors), the Controller:
- ensures that the data are transferred to countries recognized by the European Commission as providing an adequate level of protection, or
- enters into agreements with the data recipients based on standard contractual clauses approved by the European Commission (Article 46(2)(c) GDPR), or
- applies other appropriate safeguards in accordance with the GDPR.
Automated Decision-Making
The Controller does not make decisions in an automated manner, including profiling within the meaning of Article 22 GDPR.