GDPR policy | Klinika Invicta

Who is the Controller of your personal data?	The Controller of your personal data is the group of INVICTA companies (hereinafter referred to as INVICTA), acting as a joint controller of personal data (INVICTA spółka z o.o., INVICTA Management Sp. z o.o., Medyczne Laboratoria Diagnostyczne INVICTA Sp. z o.o., Klinika Antiaging INVICTA Sp. z o.o., INVICTA Software Sp. z o.o., Zarządzanie Nieruchomościami INVICTA Sp. z o.o., INVICTA Nieruchomości Sp. z o.o. based in Sopot (81-740), ul. Polna 64, tel. 58 58 58 800, email invicta@invicta.pl.
Who can I contact in matters related to my personal data?	With regard to all matters related to your personal data, you may contact our Data Protection Officer: Beata Gozdecka email address: daneosobowe@invicta.pl ul. Polna 64 81-740 Sopot
Is providing personal information voluntary?	Providing personal data for the provision of medical services, with the exception of telephone number and email address, which are voluntary, is a statutory requirement. Failure to provide the aforementioned data may prevent the proper execution of the treatment process. Failing to provide an email address and telephone number may make the notifications regarding the organisation of the treatment process, e.g. information on cancelling a medical appointment, difficult to provide. As regards the consent to receiving information and consent to target the provided information: the provision of data is voluntary but may hinder staying in contact and the ongoing service. In other cases (e.g. using the Medipoint.pl account, taking part in the process of qualifying for being a donor), providing data is voluntary; however, a failure to provide data will preclude the patient from using certain services or taking part in selected processes.
For what purpose and on what legal basis is your data processed?	Purpose of data processing	Legal basis for processing Data retention period
Use of medical services
	Your personal data is processed for the purpose of providing health services, including preventive healthcare or occupational medicine, medical diagnosis, providing healthcare, treatment or managing healthcare systems and services. To this end, your personal data will be processed: in order to establish your identity prior to the provision of services, or verify data when making an appointment remotely (by phone, through a form or registration system) and directly at our Clinics, collection facilities and vaccination centres; for the purposes of contacting you (by phone, email) to confirm a booking or remind you to book an appointment or test, inform you to prepare for a scheduled procedure, inform you to collect test results, process your request or complaint; for the purpose of implementing the obligation to keep and maintain medical records; in order to qualify you for a publicly funded Infertility Treatment Programme, and then carry out the treatment and settle it with the funding entity; in reports on immunisation rates, as well as providing data and information on infections and infectious diseases to the relevant authorities; in order to improve the quality of the service, provide constant monitoring of the patients’ needs and expectations, send requests for evaluation of the services or short surveys; We will send the surveys in a way that does not violate your rights. If you do not wish to receive such messages, please let us know.	Article 9(2)(h) of the GDPR, processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services Act on Patients’ Rights and the Patients’ Rights Ombudsman of 6 November 2008 Act on Infertility Treatment of 25 June 2015 Regulation of the Minister of Health of 23 March 2006 on quality standards for medical diagnostic and microbiological laboratories Act of 5 December 2008 on prevention and control of infections and communicable diseases in humans Quality Management System EN ISO 9001 Data retention period: Your personal data shall be kept for the period required for the storage and archiving of medical records as specified by law, in particular the Act of 6 November 2008 on Patients’ Rights and Patients’ Rights Ombudsman (Article 29) and the Act of 25 June 2015 on Infertility Treatment..
Participation in the process of donating reproductive cells:
	Your personal data shall be processed for the purpose of: carrying out an initial qualification for the donation of reproductive cells in non-partner donation; carrying out medical qualification for cell donation; carrying out the process of reproductive cell donation; fulfilling obligations under the law – creating medical records and entering data into the register;	Article 9(2)(a) of the GDPR the data subject has given explicit consent (…) Data retention period: until consent is revoked Article 9(2)(h) of the GDPR, processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services Act on Patients’ Rights and the Patients’ Rights Ombudsman of 6 November 2008 Act on Infertility Treatment of 25 June 2015 Act on Patients’ Rights and the Patients’ Rights Ombudsman of 6 November 2008 Act on Infertility Treatment of 25 June 2015 Data retention period: Your personal data shall be kept for the period required for the storage and archiving of medical records as specified by law, in particular the Act of 6 November 2008 on Patients’ Rights and Patients’ Rights Ombudsman (Article 29) and the Act of 25 June 2015 on Infertility Treatment..
Selling services and tests on the Internet
	Your personal data is processed for the purpose of completing the order you have placed for the sale of services and/or tests and booking biological material, which take place through our websites. Sometimes the provision of the service requires additional data (e.g. PESEL number), for example, for creating the patient’s file.	Article 6(1)(b) of the GDPR Processing is necessary for the performance of the contract Data retention period: 5 years counted from the end of the calendar year in which the purchase was made. Article 9(2)(a) of the GDPR the data subject has given explicit consent (…) Data retention period: until consent is withdrawn, unless the data becomes part of the medical record.
Maintaining accounting books
	INVICTA maintains accounting books and performs tax obligations, including the maintenance of tax records.	The Accounting Act of 29 September 1994 Tax regulations Data retention period: 5 years counted from the end of the calendar year in which the tax liability arose
Exercise of legal claims
	Your data may be processed for the purpose of exercising or defending legal claims for the services we provide.	Article 9(1)(f) of the GDPR processing is necessary for the establishment, exercise or defence of legal claims Data retention period: until the expiration of the statute of limitations for any claims.
Enabling the use of an account on the Medipoint.pl Portal
	INVICTA provides Users with the possibility to create an account on the Medipoint.pl Portal and use the functionalities that the Portal provides. Patients can have their medical data sent to their account from the patient’s file.	Article 9(1)(a) of the GDPR the data subject has given explicit consent to the processing of those personal data Data retention period: until consent is revoked
Video surveillance system
	Your image may be recorded in order to secure the persons and property located at the Clinic.	Article 6(1)(f) of the GDPR processing is necessary for the purposes of the legitimate interests pursued by the Controller Data retention period: 14 days
Recording telephone conversations
	Your personal data is processed for the purpose of improving the quality of service and verifying the provided information.	Article 9(1)(a) of the GDPR the data subject has given explicit consent to the processing of those personal data Data retention period: until the expiration of the statute of limitations for any claims.
Recording conversations in the form of a video conference (ZOOM)
	Your personal data is processed for the purpose of archiving consents, submitted declarations or statements. The recordings are archived in medical records.	Article 9(2)(h) of the GDPR processing is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services Data retention period: Your personal data shall be kept for the period required for the storage and archiving of medical records as specified by law, in particular the Act of 6 November 2008 on Patients’ Rights and Patients’ Rights Ombudsman (Article 29).
Information about INVICTA activities, services and promotions
	Your data may be processed for the purpose of receiving (by email, sms, mms, incoming calls to your phone number) information from INVICTA about INVICTA’s activities and events, including services, products and news, as well as discounts, promotions and benefits.	Article 9(1)(a) of the GDPR the data subject has given explicit consent to the processing of those personal data Data retention period: until consent is revoked.
Image
	If you agree to share your image, it may be used on our website, on our social media profile, and in our communication materials, depending on the extent of your consent.	Article 9(1)(a) of the GDPR the data subject has given explicit consent to the processing of those personal data Data retention period: until consent is revoked
Automated data processing
	Your personal data may be processed in order to tailor the provided information to your needs and expectations (profiling). If you give consent to the automated processing of personal data, including profiling for the purpose of tailoring the provided information, the data received from you will be linked to the information on characteristics, behaviours or preferences in order to match commercial information to known or anticipated needs or expectations (profiling). This will provide you with the kind of information that suits your needs and interests.	Article 9(1)(a) of the GDPR the data subject has given explicit consent to the processing of those personal data Data retention period: until consent is revoked.
What authorisation do I have?	you have the right to demand access to your personal data, its rectification, erasure or restriction of processing; you have the right to object to the processing of your data and the right to transfer your data. Please submit requests directly to the Clinic or by email to daneosobowe@invicta.pl; the following data: surname and first name (middle name), date of birth, gender designation, address of residence, PESEL number (if assigned), in the case of a newborn – the mother’s PESEL number, and in the case of persons who have not been assigned a PESEL number – the type and number of an identity document, if the patient is a minor, incapacitated or incapable of providing informed consent – the surname and first name (middle name) of the legal representative and the address of their residence, as well as data on past, present or future physical or mental health status, including genetic data, is part of the medical record and cannot be removed by the Controller. This does not apply to the consent to transfer information or consent to profiling; you have the right to lodge a complaint with a supervisory authority (President of the Personal Data Protection Office (PUODO)) if you recognise that the processing of your personal data violates the provisions of the GDPR or other data protection laws; you have the right to withdraw your consent to the processing of your email address and phone number, as well as your consent to the transmission of information and consent to profiling at any time, without affecting the lawfulness of the processing based on the consent given before the withdrawal.
Who will receive my personal data?	Your personal data, especially data concerning your health, is confidential and subject to protection of a high degree. Your personal data may be transferred to entities that take part in the treatment process, if this is necessary for the purposes covered by the consents provided or by law. Your personal data may be transferred to the following: entities that participate in the handling of the treatment process, to whom we entrusted personal data under an entrustment agreement; other medical entities that cooperate with INVICTA in order to ensure continuity of treatment and are the subcontractors of medical services; providers of technical and marketing services, in particular, providers of ICT services, diagnostic equipment, courier and postal companies, providers of marketing services (advertising agencies, companies that handle sms and email sending campaigns), providers of legal services in the situation of exercising claims; persons authorised by you to access your medical records and health information; entities that provide financing to medical services, in particular the National Health Fund and state and local government entities, with regard to infertility treatment programmes. The transfer of your personal data to a third country will only be possible upon your explicit request.

Who is the Controller of personal data?	The controller of your personal data is the Invicta group of companies (hereinafter Invicta), acting as a co-controller of personal data (Invicta spółka z o.o., Invicta Management Sp. z o.o., Medyczne Laboratoria Diagnostyczne Invicta Sp. z o.o., Invicta Software Sp. z o.o., Zarządzanie Nieruchomościami Invicta Sp. z o.o., Invicta Nieruchomości Sp. z o.o. based in Sopot (81-740) at Polna 64, phone: 58 58 58 800, e-mail invicta@invicta.pl.
Who can I contact regarding my personal data?	In all matters related to personal data you can contact our Data Protection Officer: Beata Gozdeckae-mail address daneosobowe@invicta.plul. Polna 64 81-740 Sopot
Is providing personal data voluntary?	Providing personal data (name, telephone number, e-mail address, title, name of the represented entity and registered office of this entity) is completely voluntary but necessary to get acquainted with the offer, participate in the tender procedure, conclude the Agreement, and the refusal to provide the data results in the impossibility of establishing cooperation, signing and implementing the Agreement, participating in the tender procedure, including the one financed from public funds (e.g. EU funds).
For what purpose and on what basis are the data processed?	Purpose of data processing		Basis of processing Data retention period
Establishment of cooperation
	Your personal data will be processed in order to get acquainted with the offer presented by you or the company on behalf of which you act. Your personal data will also be used in proceedings for the award of contracts, including contracts carried out as part of projects financed by EU funds or other public funds.	· Article 6(1)(b) GDPR processing is necessary to take steps at the request of the data subject prior to entering into a contract · Article 6(1)(c) GDPR the processing is necessary to fulfil the legal obligation imposed on the Controller Data retention period: a maximum of 10 years for proceedings conducted as part of projects financed by EU funds or other public funds.
Conclusion and performance of contract
	Your personal data are necessary for the conclusion and performance of a contract (including making payments) to which you or the person on whose behalf you are acting is a party Personal data may also be used in the performance and settlement of the contract concluded in the procurement procedure, including contracts carried out as part of projects financed by EU funds or other public funds.	Article 6(1)(b) GDPR processing is necessary for the performance of the contract Data retention period: until the expiry of the limitation period for potential claims. · Article 6(1)(c) GDPR the processing is necessary to fulfil the legal obligation imposed on the Controller
Bookkeeping
	Invicta keeps accounting books and performs tax obligations, including keeping tax records	The Accounting Act of 29 September 1994. Tax regulations Data retention period: 5 years calculated from the end of the calendar year in which the tax obligation arose.
Pursuit of claims
	Your data may be processed in order to assert or defend claims in respect of the services we provide.	Article 6(1)(f) GDPR processing is necessary to establish, assert or defend claims Data retention period: until the expiry of the limitation period for potential claims.
Recording of conversations in the form of videoconferencing (ZOOM)
	Your data may be processed to archive conversations, training sessions, meetings.	Article 6(1)(a) GDPR the data subject has given their explicit consent to the processing of this personal data Data retention period: until you withdraw your consent.
What rights do I have?	you have the right to request access to your personal data, rectification, erasure or restriction of processing; you have the right to object to the processing, as well as the right to data portability. Please submit your requests by email to daneosobowe@invicta.pl; data which are processed on the basis of legal regulations and whose storage is a legal obligation (e.g. on the basis of tax regulations) cannot be deleted by the Controller. Other data may be deleted at your request; you have the right to lodge a complaint with the supervisory authority (President of the Office for Personal Data Protection, POPDP) if you consider that the processing of your personal data violates the provisions of the GDPR or other regulations on personal data protection.
To whom is my personal data transferred?	Your personal data may be transferred to: providers of technical or banking services, in particular ICT service providers, courier and postal companies and banks; providers of legal services in the event of redress; management and intermediary bodies (in the case of participation in competitive procedures for projects financed by EU funds or other public funds). The transfer of personal data to a third country will only be possible upon your explicit request.
Is my data processed in any other way?	Your personal data will not be processed by automated means, including profiling.

How do we process personal data in Invicta Medical Clinics and Laboratories

INFORMATION ON PERSONAL DATA PROCESSING FOR PATIENTS

INFORMATION CONCERNING THE PROCESSING OF PERSONAL DATA FOR CONTRACTORS