Privacy Policy
This privacy policy sets out the rules for the processing and protection of personal data of users of the websites poradnik.rezonansbezstresu.pl and rezonansbezstresu.pl, operated by the Data Controller indicated below. Updated: May 2026.
1. Data Controller
The controller of personal data collected via this website is:
- Data Controller: TESLAMED sp. z o.o.
- Registered office address: 64 Lwowska Street, 35-301 Rzeszów
- KRS number: 0000940478 (Rzeszów District Court)
- Tax Identification Number: 6343004644
- REGON: 520733869
- Data Protection Officer (DPO): iod@rezonansbezstresu.pl
- Contact number: +48 517 825 241
The APERTA Diagnostic Centre is an organisational unit operated by TESLAMED sp. z o.o. All personal data obtained in connection with the operation of the website and the provision of medical services is processed in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR) and the Personal Data Protection Act of 10 May 2018.
2. Scope and purposes of data processing
We process the following categories of personal data for specific purposes:
- Contact details (first name, surname, email address, telephone number) — for the purpose of responding to enquiries submitted via the contact form or by email (legal basis: Article 6(1)(b) of the GDPR — pre-contractual measures).
- Patient medical data (National Insurance Number, health data, test results, medical records) — for the purpose of providing diagnostic and medical services and maintaining medical records (legal basis: Article 9(2)(h) of the GDPR and the Act of 6 November 2008 on the rights of patients and the Patient Ombudsman).
- Technical and statistical data (IP address, browser type, operating system, time of visit, pages visited) — for the purpose of ensuring security and analysing traffic statistics (legal basis: Article 6(1)(f) of the GDPR — the Controller’s legitimate interest).
- Invoicing data (first name, surname, address, tax identification number) — for the purpose of issuing a receipt/invoice for the service (legal basis: Article 6(1)(c) of the GDPR — legal obligation under the Accounting Act).
3. Data retention period
- Medical records — 20 years from the date of the last entry, in accordance with Article 29 of the Act on Patients’ Rights and the Patient Ombudsman.
- Accounting data — 5 years from the end of the financial year, in accordance with the Accounting Act.
- Data from the contact form — until the matter is resolved or consent is withdrawn, for no longer than 12 months.
- Technical data (server logs) — up to 12 months.
4. Recipients of data
Your personal data may be disclosed to the following categories of recipients:
- Entities authorised by law (the National Health Fund, courts, law enforcement agencies, the State Sanitary Inspection).
- Other doctors involved in the diagnostic and treatment process (consulting radiologists, referring doctors).
- IT and server hosting service providers (Hostinger International Ltd. based in Cyprus) — on the basis of a data processing agreement in accordance with Article 28 of the GDPR.
- Courier companies in the event of the dispatch of medical records.
Data is not transferred to third countries outside the European Economic Area or to international organisations.
5. Your rights
In connection with the processing of personal data, you have the following rights:
- The right of access to personal data (Article 15 of the GDPR);
- The right to rectification (Article 16 of the GDPR);
- The right to erasure — with the exception of medical records, for which there is an archiving obligation (Article 17 of the GDPR);
- The right to restrict processing (Article 18 of the GDPR);
- The right to data portability (Article 20 of the GDPR);
- The right to object to processing (Article 21 of the GDPR);
- The right to withdraw consent at any time (if processing is based on consent);
- The right to lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw.
6. Profiling and automated decision-making
Your personal data is not subject to automated decision-making or profiling within the meaning of Article 22 of the GDPR.
7. Technical safeguards
The Controller implements technical and organisational measures to ensure the protection of the personal data being processed, appropriate to the risks and the categories of data being protected. In particular:
- The connection to the website is encrypted using the HTTPS protocol (TLS 1.3);
- Access to medical records is restricted to authorised persons on the basis of individual permissions;
- The hosting server is located in a certified data centre within the European Union;
- Backups of medical data are created regularly;
- Medical staff are obliged to maintain medical confidentiality in accordance with Article 40 of the Act on the Professions of Doctor and Dentist.
8. Cookies
This website uses cookies. Detailed information can be found in a separate document: Cookie Policy.
9. GDPR information notice for patients
Patients booking an MRI scan will find a detailed information notice regarding the processing of medical data in a separate document: GDPR Information Notice.
10. Changes to the privacy policy
The Data Controller reserves the right to amend this privacy policy. Users will be informed of any changes by the publication of a new version of the document on the website, bearing the current effective date.
11. Contact
For matters relating to the protection of personal data, please contact the Data Protection Officer by email at: iod@rezonansbezstresu.pl or by post to the Controller’s registered office.