A PRIVACY AND COOKIES POLICY (hereinafter referred to as the “Policy”)

This Policy sets out the principles for the processing and protection of personal data provided by Users in connection with their use of the website www.klinika-mazan.pl (hereinafter referred to as the “Website”).

The controller of the personal data contained on the Website is Zbigniew Mazan, conducting business under the name Klinika Chirurgii Mazan, ul. Brzozowa 54, 40-170 Katowice, NIP: 6252029012 (hereinafter referred to as the “Controller”).

In the event of any questions or doubts regarding the provisions of this Policy, please contact the Data Protection Officer (DPO) at the following e-mail address: iod@klinika-mazan.pl.

This Policy is for informational purposes and applies to the Website. The Controller reserves the right to introduce changes to this Policy, and each Website User is obliged to familiarize themselves with the provisions of the current version of the Policy. Changes may result, in particular, from the development of internet technology, changes in generally applicable law, or the development of the Website through the implementation of new functionalities by the Controller. Any changes will be communicated to Website Users by publishing an updated version on the Website or in a manner customarily adopted by the Controller in contacts with Users, in particular via e-mail.

In addition, the Website may contain links to websites belonging to entities with which the Controller cooperates or whose services it uses. These websites may process personal data; therefore, the Controller recommends reviewing the privacy policies or other personal data protection documents available on those websites (more information can be found in Section II of this Policy).

PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE USE OF THE WEBSITE

In connection with the User’s use of the Website, the Controller collects data to the extent necessary to provide the individual services offered, both data provided by the User and data obtained and recorded automatically.

Below are the detailed principles and purposes of processing personal data collected during the User’s use of the Website.

Purpose of personal data processing
Legal basis and data retention period

Performance of medical activities, including the organization and provision of healthcare services, implementation of patient rights, etc.
Legal basis: Article 6(1)(c) GDPR, Article 9(2)(h) GDPR – legal obligation and the purposes of preventive healthcare, medical diagnosis and the provision of healthcare.
Retention period: Data are processed for the period resulting from applicable legal provisions. As a rule, this period is 20 years from the end of the calendar year in which the last entry was made in the patient’s medical records.

Fulfilment of legal obligations incumbent on the Controller under applicable law
Legal basis: Article 6(1)(c) GDPR – legal obligation.
Retention period: Data are processed for the period resulting from applicable legal provisions. In the case of accounting and bookkeeping documentation, as a rule, this period is 5 years from the end of the year in which the event occurred in connection with which the accounting document was issued.

Conducting correspondence in order to handle a matter, including responding to questions submitted via e-mail, telephone or the contact form available on the Website
Legal basis: Article 6(1)(f) GDPR – legitimate interest of the Controller.
Retention period: No longer than necessary to provide a response and/or handle the matter, subject to the possibility that after this period the data may be processed for the duration of the limitation period for potential claims.

Verification of the quality of services provided in connection with the performance of an agreement for the provision of electronic services
Legal basis: Article 6(1)(f) GDPR – legitimate interest of the Controller.
Retention period: No longer than necessary to provide a response and/or handle the matter, subject to the possibility that after this period the data may be processed for the duration of the limitation period for potential claims.

Analysis of network traffic, ensuring security within the Website and adapting content to Users’ needs
Legal basis: Article 6(1)(f) GDPR – legitimate interest of the Controller.
Retention period: Data related to network traffic analysis collected via cookies and similar technologies may be stored until the cookie expires. Some cookies never expire; therefore, the retention period will correspond to the time necessary for the Controller to achieve the purposes related to data collection, such as ensuring security and analyzing historical data related to website traffic.

Establishing, pursuing and defending against claims
Legal basis: Article 6(1)(f) GDPR – legitimate interest of the Controller.
Retention period: Until the limitation period for potential legal claims expires.

Voluntary provision of data:

Providing data is voluntary but necessary for the achievement of the purposes indicated above by the Controller. Refusal to provide data may result in the inability to achieve the above-mentioned processing purposes.

Profiling

Data will not be used to make decisions based solely on automated processing of personal data, including profiling within the meaning of Article 22 GDPR.

Data recipients

The Controller may disclose the processed data of Website Users to:

its employees and associates who, within a specified and limited authorization, may have access to Users’ data in connection with the performance of their official duties;

external entities to whom the Controller has entrusted the processing of personal data of Website Users, in particular providers of technical services (i.e., IT services, IT system providers), etc.;

authorized entities, within the scope and on the principles specified by law.

Transfer of data to third countries

As a rule, Users’ personal data are not transferred outside the European Economic Area (hereinafter referred to as the “EEA”). However, this may occur in connection with the Controller’s use of services provided by third parties, in particular in the area of technical support and IT infrastructure maintenance.

If such services are entrusted to entities established outside the EEA, Users’ personal data may be transferred to so-called third countries. If data are transferred to countries in respect of which the European Commission has issued a decision confirming an adequate level of data protection, such transfer takes place in accordance with that decision.

Where data would be transferred to countries not covered by the above-mentioned European Commission decision, the Controller ensures appropriate safeguards in accordance with Article 46 GDPR. This may include, in particular, concluding standard contractual clauses approved by the European Commission with the data recipient or applying other mechanisms provided for by personal data protection regulations.

Rights related to processing

The GDPR specifies certain rights granted to natural persons in connection with the processing of their personal data by data controllers. Accordingly, Website Users have the right to:

access their personal data and obtain a copy thereof (Article 15 GDPR);

rectify or update personal data (Article 16 GDPR);

erase personal data (Article 17 GDPR);

restrict the processing of personal data (Article 18 GDPR);

withdraw consent (Article 7(3) GDPR) – withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;

object to processing where the legal basis for processing is the Controller’s legitimate interest (Article 21 GDPR);

lodge a complaint with the President of the Personal Data Protection Office if there is suspicion that the Controller’s processing of data violates GDPR provisions.

In order to exercise the above rights, please contact the Controller at the following e-mail address: iod@klinika-mazan.pl or by post at the registered office address indicated above.

At the same time, please note that the above rights are not absolute and do not apply in every case of processing of Website Users’ data by the Controller. Before exercising the above rights, the Controller is obliged to verify the identity of the person submitting the request as the data subject concerned by the request.

PROCESSING OF PERSONAL DATA VIA SOCIAL MEDIA PLATFORMS [FACEBOOK, INSTAGRAM, YOUTUBE, TIKTOK]

In connection with the User’s use of social media platforms, i.e.:

Facebook: https://www.facebook.com/KlinikaChirurgiiMazan/,

Instagram: https://www.instagram.com/klinikachirurgiimazan/,

YouTube: Klinika chirurgii Mazan – YouTube,

TikTok: https://www.tiktok.com/@klinika.chirurgii.

The Controller processes Users’ personal data.

Below are the detailed principles and purposes of processing personal data collected during the User’s use of social media platforms.

Purpose of personal data processing
Legal basis and data retention period

Effective management of profiles on social media platforms, in particular by providing Users with information about products, initiatives and other activities related to the promotion of various events, services and products
Legal basis: Article 6(1)(f) GDPR – legitimate interest of the Controller.
Retention period: No longer than necessary to provide a response and/or handle the matter, subject to the possibility that after this period the data may be processed for the duration of the limitation period for potential claims. Processing may also continue until an objection is raised (or the user’s account on the social media platform is deleted).

Enabling activity on the Controller’s profiles, in particular by conducting correspondence via services offered by the providers of the social media platforms used (including private messages, comments, etc.), in order to handle a matter, including responding to submitted questions
Legal basis: Article 6(1)(f) GDPR – legitimate interest of the Controller.
Retention period: Until an objection is raised (or the user’s account on the social media platform is deleted).

Establishing, pursuing and defending against claims
Legal basis: Article 6(1)(f) GDPR – legitimate interest of the Controller.
Retention period: Until the limitation period for potential legal claims expires.

Voluntary provision of data:

Providing data is voluntary but necessary for the achievement of the purposes indicated above by the Controller. Refusal to provide data may result in the inability to achieve the above-mentioned processing purposes.

Profiling

The Controller will not use the collected User data to make decisions based solely on automated processing of personal data, including profiling within the meaning of Article 22 GDPR.

Data recipients

The catalogue of recipients of personal data processed by the Controller depends mainly on the products and services used by the user of a given social media platform, as well as their consent or applicable legal provisions. The Controller may disclose Users’ processed data to, among others:

its employees and associates who, within a specified and limited authorization, may have access to Users’ data in connection with the performance of their official duties;

external entities to whom the Controller has entrusted the processing of Users’ personal data, in particular providers of technical services (i.e., IT services, IT system providers), transport companies, debt collection service providers, etc.;

authorized entities, within the scope and on the principles specified by law.

Transfer of data to third countries

As a rule, Users’ personal data are not transferred outside the European Economic Area (hereinafter referred to as the “EEA”). However, this may occur in connection with the Controller’s use of services provided by third parties, in particular in the area of technical support and IT infrastructure maintenance.

If such services are entrusted to entities established outside the EEA, Users’ personal data may be transferred to so-called third countries. If data are transferred to countries in respect of which the European Commission has issued a decision confirming an adequate level of data protection, such transfer takes place in accordance with that decision.

Where data would be transferred to countries not covered by the above-mentioned European Commission decision, the Controller ensures appropriate safeguards in accordance with Article 46 GDPR. This may include, in particular, concluding standard contractual clauses approved by the European Commission with the data recipient or applying other mechanisms provided for by personal data protection regulations.

Rights related to processing

The GDPR specifies certain rights granted to natural persons in connection with the processing of their personal data by data controllers. Accordingly, Website Users have the right to:

access their personal data and obtain a copy thereof (Article 15 GDPR);

rectify or update personal data (Article 16 GDPR);

erase personal data (Article 17 GDPR);

restrict the processing of personal data (Article 18 GDPR);

withdraw consent (Article 7(3) GDPR);

object to processing where the legal basis for processing is the Controller’s legitimate interest (Article 21 GDPR);

lodge a complaint with the President of the Personal Data Protection Office if there is suspicion that the Controller’s processing of data violates GDPR provisions.

In order to exercise the above rights, please contact the Controller at the following e-mail address: iod@klinika-mazan.pl or by post at the registered office address indicated above.

At the same time, please note that the above rights are not absolute and do not apply in every case of processing of Website Users’ data by the Controller. Before exercising the above rights, the Controller is obliged to verify the identity of the person submitting the request as the data subject concerned by the request.

Joint controllership of social media users’ data

The Controller may process personal data of Users visiting the Controller’s business profiles on social media platforms (i.e., Facebook, Instagram, YouTube, TikTok) in order to analyze how users use the Controller’s business profile and related content (including following or unfollowing the Controller’s profile on a given social media platform, recommending the business profile in a post, reacting to the Controller’s publications, etc.) (legal basis: Article 6(1)(f) GDPR, i.e., the Controller’s legitimate interest consisting in maintaining statistics). In such a case, the Controller and the owner of the respective social media platform act as joint controllers of users’ personal data.

Details regarding the processing of users’ personal data within the scope of this processing are provided in:

this Policy,

Facebook: https://facebook.com/privacy/policy,

Instagram: https://help.instagram.com/519522125107875,

YouTube: https://policies.google.com/privacy,

TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/pl.

The owner of the respective social media platform is responsible for informing Users using the products and services of that platform about the processing of data for statistical purposes and for enabling them to exercise their rights in accordance with the GDPR.

USE OF COOKIES

The Website does not automatically collect any information except for information contained in cookies.

Cookies are IT data, in particular text files, which are stored on the terminal device (end device) used by you to use the Website and enable the use of the Website. Cookies usually contain the name of the website from which they originate, the time of storage on the end device and a unique number or identifier.

The Website uses cookies:

With regard to the period for which they are placed on the User’s device, i.e. session cookies (created each time the Website is accessed and deleted when the browser window is closed) and persistent cookies (stored on the User’s end device for a specified period of time or until deleted by the User);

With regard to their source, i.e. first-party cookies (originating from the Website and saved under the Controller’s domain name) and third-party cookies (placed on the Website by external entities whose services are used by the Controller, e.g. Google).

Cookies are used for the purpose of:

adapting the content of the Website to the user’s preferences and optimizing the use of the Website; in particular, these files allow the recognition of your device and appropriate display of the Website, tailored to its individual technical needs;

creating statistics (including through the Google Analytics tool) that help understand how Website users use websites, which enables improving their structure and content;

displaying personalized advertisements tailored to Users’ interests and their online behavior;

verifying the effectiveness of advertising and promotional campaigns conducted.

The following types of cookies are used within the Website:

“essential” cookies, enabling the use of services available within the Website, e.g. authentication cookies used for services requiring authentication within the Website;

cookies used to ensure security, e.g. used to detect authentication abuse within the Website;

“performance” cookies, enabling the collection of information on how Website pages are used;

“functional” cookies, enabling the “remembering” of settings selected by the user and personalization of the user interface, e.g. with regard to the selected language or region from which the user originates, font size, website appearance, etc.;

“advertising” cookies, enabling the delivery of advertising content to users more tailored to their interests.

In many cases, software used to browse the Website (i.e. a web browser) by default allows cookies to be stored on the user’s end device. In such a case, you may change your cookie settings at any time. These settings may be changed in particular in such a way as to block the automatic handling of cookies in the web browser settings or to inform you each time they are placed on your device. Detailed information about the possibility and methods of handling cookies is available in the software (web browser) settings.

The Controller informs that introducing restrictions on the use of cookies may affect certain functionalities available within the Website.

Cookies placed on your end device may also be used by advertisers and partners cooperating with the Website operator.

Information on managing cookies in individual browsers – including in particular instructions on how to block cookies – can be found on the websites dedicated to specific browsers:

Chrome: https://support.google.com/chrome/answer/95647?hl=pl
Firefox: https://support.mozilla.org/pl/kb/ciasteczka
Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies
Microsoft Edge: https://support.microsoft.com/pl-pl/help/4468242/microsoft-edge-browsing-data-and-privacy-microsoft-privacy
Opera: https://help.opera.com/pl/latest/web-preferences/#cookies
Safari: https://support.apple.com/pl-pl/HT201265.

This version of the Privacy Policy is effective as of 26.08.2025.