INFORMATION ON PERSONAL DATA PROCESSING BY MEDICOVER SP. Z O.O.

1. Personal data administrator

Medicover sp. z o. o., Al. Jerozolimskie 96, 00-807 Warszawa, Poland (hereinafter referred to as “We”) will be your personal data administrator. You can contact Us in the following ways:

- by letter to: Customer Service Department, Medicover sp. z o. o., Al. Jerozolimskie 96, 00-807 Warsaw

- via the contact form at www.medicover.pl

- by email: dok@medicover.pl

- by telephone: +48 500 900 500

2. Data Protection Officer

We have appointed a Data Protection Officer. This is the person you can contact on all matters concerning your personal data processing and the exercise of your rights in relation to data processing. You can contact the DPO in the following ways:

- by letter to: Medicover sp. z o.o., Al. Jerozolimskie 96, 00-807 Warsaw, with the wording “Data Protection Officer”

- by email: IOD@medicover.pl

The post of Data Protection Officer is held by Monika Sobczyk.

3. Purposes of your personal data processing and legal basis for processing

 We will process your personal data in order to:

  • provide you with medical services, including the provision of services under the agreement with Narodowy Fundusz Zdrowia (National Health Fund, hereinafter referred to as "NHF") and to manage the services we provide - in order to achieve this purpose we will process your data in order to, among others, verify your identity, keep the medical records required by law or contact you in relation to the services provided (e.g. reminder about an appointment, information about the possibility of collecting test results), 
  • provide you with a medical care contract and other services such as eyeglasses and corrective lenses,
  • carry out business settlements,
  • handle any complaints, opinions and requests you may have, including requests to exercise your rights under data protection legislation
  • provide you with information material on how to use our services, e.g. on improvements/obstacles to accessing services, on the need to prepare for an examination,
  • archive your data after the services have been provided to you,
  • establish, investigate and defend against any claims,
  • ensure the security of persons and property, in particular through the use of video surveillance,
  • conduct quality and satisfaction surveys (including through profiling),
  • provide you with materials to promote products and services (including using profiling) - only if you have consented to this.

The legal bases for your data processing are:

  • providing you with health care and medical services, health protection, preventing healthcare, treatment and managing the provision of these services - such processing is regulated by law, in particular: the Act on Medical Activity, the Act on Patient's Rights and Commissioner for Patients'​ Rights and, within the scope of services provided on the basis of agreement concluded with the NHF, also the Act on Healthcare Services financed from public funds (Article 6(1)(C) of GDPR (General Data Protection Regulation) and Article 9(2)(H) of GDPR),
  • the agreement performance for the provision of services between us and the coverage of the medical care agreement, (Article 6(1)(B) of GDPR),
  • Your consent to the personal data processing for the purpose specified directly in the content of the consent, (Article 6(1)(A) of GDPR),
  • our legitimate interest, in relation to Article 6(1)(F) of GDPR consisting of:
    • surveying your satisfaction and feedback on your use of our services,
    • establishing, investigating and defending against claims,
    • handling of communicated complaints, requests and feedback,
    • ensuring the security of persons and property, in particular through the use of video surveillance,
    • to provide information material on the use of our services

In situations where the establishment, investigation and defence of claims will require the processing of special categories of personal data (e.g. information about your health condition) we will act on the basis of Article 9(2)(F) of GDPR;

  • applicable law, (Article 6(1)(C) of GDPR) concerning, among others, the keeping of financial accounts, tax accounts and the archiving of such data in particular in connection with the Accounting Act,
    • the exercise of your rights arising directly from GDPR;
  • taking action for diseases prevention in connection with a task carried out in the public interest in the health field (Article 6(1)(E) and Article 9(2)(I) of GDPR).

4. Data source

In most cases, we will obtain your personal data directly from you. However, there may be times when your employer (or other entity) allows you to use our services as part of a medical subscription provided. In order to ensure that this process, which is governed by the agreement between us and your employer (or other entity), is properly handled, it will be necessary to provide us with your data (identification, address and contact details) in accordance with the subscription you have chosen.

5. Information on profiling

On the basis of your personal data, we may carry out profiling, i.e. the automated assessment of certain personal factors concerning you. We indicate below in which situations profiling may occur.

We carry out profiling to:

  • appropriately selected communications and promotional materials for our business - for this purpose we use data such as patient number, first name, surname, age, gender, language, date of birth, locality, facilities visited, types of products purchased, data source. In addition, we may also take into account statistical data about your behaviour on websites and mobile applications, your use of Medicover Online and your preferences expressed on Medicover websites and applications;
  • provide a superior service - in certain situations, including but not limited to referrals, we will process your personal data related to the provision of services using an algorithm to assist the people you are served by. We ensure that decisions about you are always made directly by the person providing the service. If you feel that the algorithm may have misjudged your situation you can exercise your right to be subject only to human judgement, and ask us to explain the functioning of the algorithm.

6. Retention period of your personal data

We will process your data, as a general rule:

- for 20 years - in connection with the keeping and storage of medical records - the period is calculated from the last entry made in them; subject to the exceptions set out in Article 29(1) of the Commissioner for Patients'​ Rights;

- for 6 years - in connection with the investigation and defence against claims in relation to the services provided;

- for 5 years - for accounting and tax purposes, the period is calculated from the end of the calendar year in which the tax oblige­tion arose;

- for 5 years in connection with the calls recording to our helpline;

- for 30 days in connection with video surveillance;

- until you object or withdraw your consent to your personal data processing, if we have processed your data on such a basis.

7. Recipients of your personal data

 We will transfer your personal data to:

  • entities authorised by law, in particular:
    • medical entities in order to ensure continuity of treatment and availability of healthcare,
    • insurance companies,
    • public authorities entitled to obtain your data,
    • Narodowy Fundusz Zdrowia (National Health Fund), as part of the provision of benefits from public funds;
  • entities authorised by you;
  • entities that process your data on our behalf and in accordance with our instructions, to whom we outsource services such as IT and marketing;
  • entities that provide us with legal services (where this proves necessary for the establishment, investigation or defence of claims).

If you are a patient of another Medicover Polska entity (Medicover Forsakring AB (Publ) S.A. Oddział w Polsce, Denta Care sp. z o.o.), your contact details, i.e. home address, email address and telephone number will also be updated at this entity in order to ensure the highest quality of the treatment process conducted, in particular to facilitate contact with you.

8. Your rights in relation to your personal data processing

You have the following rights in relation to your personal data processing:

  1. the right to object your data processing for marketing purposes or quality and satisfaction surveys - as we process your data on the basis of our legitimate interest,
  2. the right to object your data processing on grounds of your particular situation - where we process your data on the basis of our legitimate interest for purposes other than in position a) above,
  3. the right to your personal data access,
  4. the right to request the rectification of your personal data,
  5. the right to request the erasure of your personal data, only if we are not obliged by law to process it,
  6. the right to request the restriction of your personal data processing,
  7. the right to your personal data portability.

To exercise the above rights, please contact us or our Data Protection Officer (contact details are at paragraphs 1 and 2 above).

The right to lodge a complaint with the authority

You also have the right to lodge a complaint with the supervisory authority in charge of personal data protection, i.e. the President of the Data Protection Authority.

The right to withdraw consent to the personal data processing

If your data is processed based on your consent, you have the right to withdraw it at any time without negative consequences. This does not affect the lawfulness of the processing carried out before the withdrawal of consent.

9. Data transmission to third countries

In order to ensure the highest possible quality of our services, we use other suppliers, e.g. for IT support. Accordingly, your personal data may be transferred outside the European Union. We assure you that, in such a case, the data transfer will be based on an appropriate agreement between us and such entity, containing standard data protection clauses adopted by the European Commission, or on the basis of a relevant decision of the European Commission.

10. Obligation to provide data

When using medical services, the personal data provision is a legal requirement. The data provision for the use of other types of services or for the conclusion of an agreement is voluntary, although failure to provide data will prevent the performance of services or the conclusion of an agreement.