Personal Data Protection Policy
- This Data Protection Policy defines the principles of Personal Data processing by "Aleksandra Nowak PHYSIOCARE, NIP: 6312737564, ul. Mikołowska 9A, 44-100 Gliwice" ("Controller").
- The Controller processes Personal Data in compliance with the principles of lawfulness, fairness, and transparency, in particular in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR") and national law provisions.
- The Controller performs medical activities based on the Act of 15 April 2011 on medical activity and processes Personal Data of:
- 1) Patients:
- a. for health purposes related to the provision of health services, including maintaining and sharing medical records – based on Art. 9(2)(h) GDPR and Art. 6(1)(b) and (c) GDPR;
- b. for purposes related to fulfilling the obligations concerning the maintenance, storage, and sharing of medical records – based on the Act on Patient Rights and the Patient's Rights Ombudsman and Art. 6(1)(c) GDPR;
- c. for the purpose of pursuing payment for services if such payment is not made – based on Art. 6(1)(f) GDPR;
- d. for the purpose of protection against claims and for the purpose of pursuing other claims not indicated in point c) above, as well as for the purpose of ensuring the safety of persons and property – based on the legitimate interest of the Controller, in accordance with Art. 6(1)(f) GDPR;
- e. for the purpose of protection against claims and for the purpose of pursuing claims and ensuring the safety of persons and property – based on the legitimate interest of the Controller, in accordance with Art. 6(1)(f) GDPR;
- f. for marketing purposes and others not listed in letters a and b – based on the Patient's consent, in accordance with Art. 6(1)(a) GDPR;
- 2) other persons:
- a. within the scope of concluded contracts, in order to ensure their implementation – based on Art. 6(1)(b) GDPR;
- b. to support the management of the Controller's enterprise and to ensure the safety of persons and property – based on the legitimate interest of the Controller, in accordance with Art. 6(1)(f) GDPR;
- c. for other purposes – based on the consent of the data subject, in accordance with Art. 6(1)(a) GDPR, unless there are other grounds for processing Personal Data referred to in Art. 6 and Art. 9 GDPR.
- The Controller ensures the security of Personal Data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, by:
- 1) applying appropriate personal data processing documentation;
- 2) allowing access to Personal Data only to persons authorized by the Controller in writing and persons obliged to maintain professional secrecy in connection with the medical profession practiced (physiotherapists, doctors) unless the authorization to process personal data results directly from generally applicable legal provisions;
- 3) entrusting the processing of Personal Data only on the basis of separate agreements on ensuring the Processing of Personal Data;
- 4) maintaining and sharing medical records in accordance with generally applicable legal provisions, including, among others, the Act of 6 November 2008 on Patient Rights and the Patient's Rights Ombudsman and the Regulation of the Minister of Health of 6 April 2020 on the types, scope, and templates of medical records and the method of their processing;
- 5) training Personnel on the principles of Personal Data Processing;
- 6) keeping a register of Personal Data processing activities;
- 7) monitoring Personal Data protection breaches and keeping a register of breaches;
- 8) applying technical measures to protect Personal Data, in particular:
- a. building alarm system;
- b. anti-burglary security in door and window joinery;
- c. using cabinets and containers ensuring an appropriate level of Personal Data security;
- d. ICT security features (including limited access to systems, antivirus software, firewall, SSL certificates on the website).
- The Controller is not obliged to carry out a data protection impact assessment referred to in Art. 35(1) GDPR.
- The Controller is not obliged to appoint a data protection officer referred to in Art. 37(1) GDPR.
- The Controller is obliged to:
- 1) maintain and share Patients' medical records in accordance with applicable legal provisions and secure them against loss or destruction;
- 2) in the case of sharing medical records – to reliably verify the identity of the person whose data is being shared;
- 3) in the case of sharing medical records in electronic form – to encrypt them beforehand or otherwise secure them against access by unauthorized persons;
- 4) use devices and ICT systems in a manner ensuring the protection of Personal Data against access by unauthorized persons, including by:
- a. using individual, unique access passwords,
- b. not leaving devices unattended,
- c. locking rooms where devices processing Personal Data operate,
- d. turning off devices after use,
- e. not sharing access data (logins and passwords) with unauthorized persons,
- f. using antivirus software and firewall software.
- 5) locking rooms where Personal Data is stored;
- 6) storing documents and other media containing Personal Data in the workplace (office, reception, etc.) only in designated containers/cabinets/desks;
- 7) applying the "clean desk" principle;
- 8) not sharing Personal Data with persons whose identity cannot be verified, or regarding whom there are reasonable doubts;
- 9) not disclosing Patients' Personal Data in publicly accessible areas of the Controller's premises.
- In the event of a suspected Personal Data protection breach, the Controller immediately verifies whether a breach has occurred and whether the breach could have caused a risk of violating the rights and freedoms of data subjects. In the event of confirming a breach, the Controller immediately, but no later than within 72 hours of identifying the breach, notifies the President of the Personal Data Protection Office (UODO).
- If a Personal Data protection breach may cause a high risk of violating the rights or freedoms of natural persons, the Controller notifies the data subject of such a breach without undue delay, unless the circumstances indicated in Art. 34(3) GDPR apply.
- The Controller's website (physiocaregliwice.pl) uses cookies. Strictly necessary cookies — including remembering your consent choice — are always used and do not require consent. With your consent, the Controller uses Google Analytics 4, provided by Google Ireland Limited, to produce anonymous visit statistics that help improve the site. Your IP address is anonymized, and data may be processed by Google LLC outside the European Economic Area on the basis of the Standard Contractual Clauses approved by the European Commission. Analytics is loaded only after you give consent in the cookie banner (legal basis: Art. 6(1)(a) GDPR) and you can withdraw it at any time by changing your cookie settings. The Controller does not use marketing cookies or profiling.