Information clause on processing of personal data (GDPR)

Data Controller
The Data Controller of your data is SPEKTRUM Sp. z o.o., with its registered office in Wrocław (53-334), ul. Zaolziańska 4. The data controller can be contacted via the contact form on the website at: and by telephone: 71 345 31 41 (during company office hours) or by e-mail: and by post at: ul. Zaolziańska 4, 53-334 Wrocław.

Data Protection Officer
The function of Data Protection Officer at SPEKTRUM Sp. z o.o. is performed by Mr. Sebastian Stecyszyn, who can be contacted directly by writing to: or by post: ul. Zaolziańska 4, 53-334 Wrocław, marked “to the Data Protection Officer of SPEKTRUM Sp. z o.o.”.

Detailed information on the processing of personal data:

Processing of patients’ personal data

Information obligation towards patients
[Information clause for patients of SPEKTRUM Sp. z o.o.]

Dear Sir/Madam,

Pursuant to Article 13 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC hereinafter referred to as GDPR (Official Journal of the EU.L No.119, p.1), we inform you that the Data Controller of your Personal Data is SPEKTRUM Sp. z o.o. with its registered office in Wrocław, KRS 0000016751, NIP (taxpayer ID No.) 8971658338, REGON (National Business Registry No.) 932632951.


The Data Controller can be contacted at the telephone number: 71 345 31 41 at e-mail: and by correspondence at: ul. Zaolziańska 4, 53-334 Wrocław.


The Data Controller has appointed a Data Protection Officer, Mr. Sebastian Stecyszyn, who can be contacted by e-mail at: and by correspondence at: ul. Zaolziańska 4, 53-334 Wrocław.


The purpose of data processing is medical diagnosis and treatment, preventive health care, provision of health care and management of health care systems and services, provision of social security and management of social security systems and services – the processing is necessary to protect the vital interests of the data subject (Article 9(2)(h) of the GDPR, which lists the health purposes of the processing) and in connection with the performance of medical activity in accordance with the Act on Medical Activity, the Act on Patients’ Rights and Patient Ombudsman, the Act of 28 April 2011 on the information system in health care (Journal of Laws no. 113 item 657 as amended), the Regulation of the Minister of Health of 9 November 2015 on types, scope and models of medical records and the manner of their processing (Journal of Laws 2015 item 2069), resulting from the legally justified interests pursued by the data controller, e.g. for the purpose of contact regarding confirmation, change, cancellation of an appointment and marketing activities, if you give separate consent.


The legal basis for the processing is Article 6(1)(a-d) and Article 9(2)(h) of the GDPR:

  • Article 6(1)(a): the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Article 6(1)(b): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Article 6(1)(c): processing is necessary for compliance with a legal obligation to which the data controller is subject.
  • Article 6(1)(d): processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Article 9(2)(h): processing is necessary for the purposes of preventive health care, medical diagnosis and the provision of health care.


Recipients of your personal data are entities to which the Personal Data Controller transfers your data in order to duly perform the obligation assumed by him/her at the time of data collection (performance of services covered by the concluded contract) and on the basis of a contract of entrustment of personal data processing concluded with the data recipient, such as, for example, medical and IT equipment service providers – for the time of inspection, repair, and data recipients will be institutions authorised by law.

  • Pursuant to the Act of 6 November 2008 on Patients’ Rights and Patients’ Ombudsman Art. 26:
    • The healthcare provider shall make the medical records available to the patient or the patient’s legal representative or a person authorised by the patient.
    • After the death of a patient, medical records are made available to the person authorised by the patient during his or her lifetime or to the person who was the patient’s legal representative at the time of death.
    • The healthcare provider shall also make medical records available:
      • to healthcare providers if the records are necessary to ensure the continuity of healthcare services
      • public authorities, including the Patient Ombudsman, the National Health Fund, organs of the self-government of medical professions and national and provincial consultants, to the extent necessary for these bodies to perform their tasks, in particular supervision and control
      • entities referred to in Article 119(1) and (2) of the Act of 15 April 2011 on therapeutic activity, to the extent necessary to carry out controls ordered by the minister competent for health matters
      • medical practitioners authorised by the entity referred to in Article 121 of the Act of 15 April 2011 on medical activity, to the extent necessary to supervise the non-business therapeutic entity
      • to the minister responsible for health, courts, including disciplinary courts, prosecutors, medical examiners and ombudsmen for professional liability in connection with the proceedings
      • bodies and institutions authorised under separate acts, if the examination was carried out at their request
      • disability authorities and Disability Assessment Boards in connection with their proceedings,
      • entities maintaining registers of medical services, to the extent necessary to maintain the registers
      • insurance companies, with the patient’s consent
      • medical commissions subordinate to the minister in charge of internal affairs, military medical commissions and medical commissions of the Internal Security Agency or the Intelligence Agency subordinate to the Heads of the respective Agencies
      • medical professionals, in connection with the conduct of an evaluation procedure of a health care provider under the provisions on accreditation in health care or a procedure for obtaining other quality certificates, to the extent necessary for their conduct
      • the provincial commission for adjudicating on medical events, referred to in Art. 67e section 1, within the scope of the ongoing proceedings
      • heirs with regard to the proceedings before the regional commission for adjudication of medical events referred to in Article 67e(1)
      • persons carrying out control activities pursuant to Article 39(1) of the Act of 28 April 2011 on the healthcare information system, to the extent necessary to carry them out
      • the members of the hospital infection control teams referred to in Article 14 of the Act of 5 December 2008 on preventing and combating infections and infectious diseases in humans (Journal of Laws of 2016, item 1866, 2003 and 2173), to the extent necessary for the performance of their tasks


Your personal data contained in the medical records will be kept for 20 years, counting from the end of the calendar year in which the last entry was made, with the exceptions set out in Article 29(1) of the Act of 6 November 2008 on Patients’ Rights and Patients’ Ombudsman (consolidated text Journal of Laws of 2017, item 1318):

  1. Medical records in the event of the death of a patient due to bodily injury or poisoning, which are kept for a period of 30 years from the end of the calendar year in which the death occurred.
  2. Medical records containing the data necessary to monitor the fate of blood and its components, which are kept for a period of 30 years, counting from the end of the calendar year in which the last entry was made.
  3. X-ray images stored outside the patient’s medical records, which are retained for a period of 10 years from the end of the calendar year in which the image was taken.
  4. Referrals for examinations or doctor’s orders, which are kept for a period of:
    a) 5 years, counting from the end of the calendar year in which the health service which is the subject of the referral or doctor’s order was provided
    b) 2 years, counting from the end of the calendar year in which the referral was issued – in the event that the health service was not provided due to the patient’s non-appearance within the established time limit, unless the patient collected the referral
  5. Medical records for children up to the age of two, which are kept for a period of 22 years

In accordance with Article 29(2) of the Act of 6 November 2008 on Patients’ Rights and Patients’ Ombudsman:

“After the expiry of the periods referred to in paragraph 1, the healthcare provider shall destroy the medical records in such a way that the patient to whom they relate cannot be identified. Medical records to be destroyed may be released to the patient, the patient’s legal representative or a person authorised by the patient”.


You have the right to:

a) The patient’s right of access to personal data (Article 15 of the GDPR). The provision relates only to personal data; the Patient’s right to information about his/her health is a separate right (Art. 9 of the Act on Patient’s Rights and Patient’s Ombudsman, and the right of access to medical records referred to in Art. 23 paragraph of the aforementioned Act)
b) Patient’s right to rectification and completion of personal data (Article 16 of the GDPR)
c) Patients’ right to be forgotten (Art. 17 of the GDPR) – does not apply to Patients’ personal data processed on the basis of Article 9(2)(h) of the GDPR, including in particular data processed as part of medical records and other data processed on the basis of the aforementioned premise
d) Patient’s right to request restriction of processing of personal data (Article 18 of the GDPR) on the basis of Article 9(2)(h) of the GDPR, including in particular data processed as part of medical records and other data processed on the basis of the aforementioned premise, the healthcare provider may process these data to the existing extent, as a restriction of data processing carried out for health purposes could significantly impede the achievement of these purposes (ineffectiveness of the restriction of processing due to compelling reasons of public interest)
e) Patient’s right to personal data portability (Article 20 of the GDPR) – does not apply to personal data processed by the healthcare provider on the basis of Article 9(2)(h) of the GDPR, including in particular data processed as part of medical records and other data processed on the basis of the aforementioned premise
f) Patient’s right to object to the processing of personal data (Article 21 of the GDPR) – does not apply to personal data processed by the healthcare provider on the basis of Article 9(2)(h) of the GDPR, including in particular data processed as part of medical records and other data processed on the basis of the aforementioned premise
g) Right to lodge a complaint to the supervisory authority, the President of the Personal Data Protection Office

The provision of personal data is a statutory requirement. Failure to provide your data will result in the inability to provide treatment services.

Your personal data will not be profiled and will not be used for automated decision-making with legal consequences for you.

Your personal data will not be transferred outside the EEA or shared with international organisations.

Your personal data will only be processed for the period necessary and as specified by law.

Information obligation towards persons whose data does not come from the data subjects. [Information clause for the person authorised to inspect patient records and receive information about the patient’s health].

Dear Sir/Madam,

Pursuant to Article 13 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC hereinafter referred to as GDPR (Official Journal of the EU.L No.119, p.1), we inform you that the Data Controller of your Personal Data is SPEKTRUM Sp. z o.o. with its registered office in Wrocław, KRS 0000016751, NIP (taxpayer ID No.) 8971658338, REGON (National Business Registry No.) 932632951.


The Data Controller can be contacted at the telephone number: 71 345 31 41 at e-mail: and by correspondence at: ul. Zaolziańska 4, 53-334 Wrocław.


The Data Controller has appointed a Data Protection Officer, Mr. Sebastian Stecyszyn, who can be contacted by e-mail at: and by correspondence at: ul. Zaolziańska 4, 53-334 Wrocław.

  1. Your personal data has been entrusted to us in connection with your authorisation in your patient statement: to obtain information about your health condition and planned and provided healthcare services/ to obtain medical records/ to be informed in the event of a deterioration of your health condition resulting in a risk of life or death.
  2. The purpose of the processing is to inform whom the healthcare provider can provide information about the patient’s condition and the services provided to the patient on the basis of the patient’s statement and to obtain the patient’s records – the processing is necessary for the fulfilment of a legal obligation incumbent on the data controller and is necessary to protect the vital interests of the data subject or of another natural person (6(1)(c) and (d) of the GDPR).
  3. The data entrusted to us includes forename and surname, contact details.
  4. Your personal data may be disclosed to entities authorised by law, to processors authorised by the data controller.
  5. Your personal data will be kept for the legally required retention period for medical records or until the patient withdraws their authorisation.
  6. You have the right to request access to your personal data and, if necessary, to rectify or restrict its processing.
  7. You have the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office, if you consider that the processing of your personal data violates data protection regulations.
  8. Personal data is not subject to automated decision-making, including profiling.
  9. The data controller has no intention to transfer personal data to a third country or international organisation.

Information clause on video surveillance

At SPEKTRUM Sp. z o.o. (at all 3 of the company’s locations) video surveillance of the facility is used due to the need to provide surveillance of the workplace premises and the area around the workplace in the form of technical means to record images. This is necessary to ensure the safety of employees and co-workers, patients, visitors, the protection of property and to maintain the secrecy of information, the disclosure of which could expose SPEKTRUM Sp. z o.o. to harm.

SPEKTRUM Sp. z o.o. processes image recordings exclusively for the purposes for which they were collected and stores them for a period not exceeding 3 months from the date of recording.

Where the image recordings constitute evidence in proceedings under the law, or knowledge has been taken that they may constitute evidence in the proceedings, the time limit shall be extended until the proceedings have reached their final conclusion. After the expiry of the aforementioned periods, the image recordings obtained as a result of the monitoring containing personal data shall be destroyed, unless otherwise stipulated by separate provisions. The premises and area are marked visibly and legibly with appropriate signs (pictograms).

Information obligation clause for SPEKTRUM Sp. z o.o. video surveillance:

Pursuant to Article 13(1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119, 4.5.2016, p. 1 as amended) – hereinafter referred to as GDPR, I inform you that:

  1. The data controller of your personal data is SPEKTRUM Sp. z o.o., with registered office in Wrocław at ul. Zaolziańska 4, 53-334 Wrocław. 
  2. The Data Controller has appointed a Data Protection Officer, supervising the correctness of the processing of personal data at SPEKTRUM Sp. z o.o., who can be contacted via e-mail address:  
  3. Your personal data will be processed to ensure public safety and order and the protection of persons and property on the basis of Article 6(1)(e) of the General Data Protection Regulation of 27 April 2016.  
  4. Your personal data, in the scope of your image and vehicle licence plate numbers, are processed on the basis of Article 6(1)(c) of the GDPR (legal obligation of the Data Controller) in connection with the provisions of the Act of 26 June 1974 – Labour Code in order to maintain the secrecy of information the disclosure of which could expose the employer to damage in order to protect property and ensure security on the premises of SPEKTRUM Sp. z o.o. and Article 6(1)(f) of the GDPR (the Data Controller’s legitimate interest, which is the possible assertion of claims).
  5. The recipients of your data are the employees of SPEKTRUM Sp. z o.o.
  6. Your personal data will not be transferred to a third country or an international organisation.  
  7. Your personal data collected through monitoring is stored for a maximum of 3 months, after which it is deleted by overwriting the data. Only the image (no sound recording) is recorded and stored on the medium.    
  8. The recording from the video surveillance system may only be made available to authorised authorities within the scope of their legal actions, e.g. the Police, the Courts, the Public Prosecutor’s Office upon their written request. In justified cases on the basis of requests from the aforementioned authorities, in particular when the video surveillance equipment has recorded an event related to the violation of the security of persons and property, the data retention period may be extended by the time necessary to conclude the proceedings involving the event recorded by the video surveillance.  
  9. The processing of personal data by means of the video surveillance system covers: entrance roads to the Data Controller’s facilities, outdoor area around SPEKTRUM Sp. z o.o., parking spaces at SPEKTRUM Sp. z o.o., entrances/exits, as well as part of the area inside the buildings of SPEKTRUM Sp. z o.o. such as public registration and reception rooms, corridors.
  10. Your data will not be processed by automated means, including profiling.  
  11. You have the following rights regarding the processing of your personal data:
    • access to your personal data
    • rectification of personal data
    • deletion in the situations set out in Article 17(1) of the GDPR subject to Article 17(3) of the GDPR
    • limitation of processing
    • the right to object to the processing
    • the right to request data portability
  12. It is possible to lodge a complaint with the supervisory authority (Personal Data Protection Office) about the way and manner in which the data controller processes your personal data if you consider it reasonable that your personal data is being processed in breach of the GDPR.

Privacy policy

Security incidents

SPEKTRUM Sp. z o.o., as part of its implemented and maintained Information Security Management System (compliant with ISO/IEC 27001:2022 standard), has within its structure a department responsible for maintaining IT systems as well as ensuring security. If you have noticed that our website or patient portal is not working properly and that using it poses a potential risk, please report this to us. Notifications can be sent to: The email should include contact details of the reporting person and a detailed description of the incident.
