GDPR Information Notice for Patients
In accordance with Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR), we hereby inform you:
1. Data controller
The controller of your personal data is:
- Data Controller: TESLAMED sp. z o.o.
- Registered office: 64 Lwowska Street, 35-301 Rzeszów
- KRS number: 0000940478 (Rzeszów District Court)
- Tax Identification Number: 6343004644
- REGON: 520733869
- Data Protection Officer (DPO): iod@rezonansbezstresu.pl
- Contact number: +48 517 825 241
APERTA Diagnostic Centre: the Diagnostic Centre is an organisational unit operated by TESLAMED sp. z o.o.
2. Data Protection Officer
The Controller has appointed a Data Protection Officer (DPO), who can be contacted regarding all matters concerning the processing of your personal data and the exercise of your rights in relation to data processing. DPO contact details: iod@rezonansbezstresu.pl
3. Purposes and legal bases for processing
Your personal data is processed for purposes related to the provision of healthcare services and the conduct of medical practice. Legal bases:
- Article 6(1)(c) of the GDPR and Article 9(2)(h) of the GDPR — in connection with the Act of 15 April 2011 on medical practice and the Act of 6 November 2008 on patients’ rights and the Patient Rights Ombudsman — for the purpose of providing healthcare services, maintaining, storing and making medical records available, and managing healthcare systems.
- Article 6(1)(b) of the GDPR — for the purpose of concluding and performing a contract for the provision of medical services.
- Article 6(1)(c) of the GDPR in conjunction with the Act of 29 September 1994 on Accounting and the Act of 11 March 2004 on Value Added Tax — for the purpose of issuing a VAT invoice and fulfilling tax obligations.
- Article 6(1)(f) of the GDPR — the Controller’s legitimate interests — for the purpose of pursuing any claims or defending against claims related to the medical activities carried out.
- Article 6(1)(a) of the GDPR — your consent — in the case of data processing for marketing purposes (e.g. newsletter), provided that it has been given voluntarily.
4. Categories of data processed
- Identification data: first name, surname, national identification number (PESEL), date of birth;
- Contact details: residential address, telephone number, email address;
- Health data (special category within the meaning of Article 9 of the GDPR): test results, radiological reports, medical history, referrals, diagnostic images (DICOM);
- Billing data: tax identification number (for invoices issued to a company), payment method;
- Image (if photographs/video are taken during the examination) — only with separate consent.
5. Data retention period
- Medical records — 20 years from the end of the calendar year in which the last entry was made (Article 29 of the Act on Patients’ Rights and the Patient Rights Ombudsman);
- Medical records in the event of a patient’s death — 30 years from the end of the calendar year in which the death occurred, in situations provided for by law;
- Medical records relating to children under the age of 2 — 22 years;
- Referrals for tests or doctors’ orders — 5 years;
- X-rays/MRIs stored separately from medical records — 10 years;
- Accounting and tax data — 5 years from the end of the financial year;
- Data processed on the basis of consent — until such consent is withdrawn.
6. Recipients of data
Your personal data may be disclosed to:
- Other healthcare providers, if necessary to ensure continuity of treatment (referring doctor, consulting doctor, hospital);
- The National Health Fund (NFZ) — in the case of services funded under a contract with the NFZ;
- State authorities authorised under separate regulations (courts, the public prosecutor’s office, the Social Insurance Institution (ZUS), law enforcement agencies);
- Entities processing data on behalf of the Controller (IT providers, hosting companies, courier firms) — on the basis of a data processing agreement in accordance with Article 28 of the GDPR;
- Your next of kin indicated in the documentation as authorised to receive information.
Your data is not transferred to third countries outside the European Economic Area.
7. Your rights
You have the following rights:
- The right to access your personal data and obtain a copy thereof (Article 15 of the GDPR);
- The right to have inaccurate data rectified or incomplete data completed (Article 16 of the GDPR);
- The right to erasure (“right to be forgotten”) — subject to a significant restriction regarding medical records, the erasure of which is excluded by the provisions of the Patient Rights Act;
- The right to restrict processing in the situations specified in Article 18 of the GDPR;
- The right to receive data processed on the basis of consent or a contract in a structured format (Article 20 of the GDPR);
- The right to object to the processing of data for the purposes of the Controller’s legitimate interests (Article 21 of the GDPR);
- The right to withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal;
- The right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, tel. 22 531 03 00.
8. Voluntary or mandatory provision of data
The provision of personal data is:
- A statutory requirement to the extent provided for by law (including the Act on Patients’ Rights), necessary for the provision of healthcare services. Refusal to provide data in this regard will result in the inability to carry out the examination.
- A contractual requirement for the conclusion and performance of a contract for medical services.
- Voluntary in respect of data processed on the basis of consent (newsletter, marketing communications).
9. Profiling and automated decision-making
Your personal data is not used for automated decision-making, including profiling, within the meaning of Article 22 of the GDPR. Every medical decision is made by a qualified doctor.
10. Source of data
In most cases, personal data is collected directly from the patient. In some situations, it may come from:
- The referring doctor;
- Another medical facility (on the basis of a referral or the transfer of medical records);
- The National Health Fund (as part of the provision of contracted services);
- A legal guardian (in the case of minors or persons under guardianship).
Do you have any questions about your data?
Please contact the Data Protection Officer — we will respond within 14 days.