In connection with the implementation of the requirements of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data“ and repealing Directive 95/46/EC (General Data Protection Regulation), Eurodiagnostic spółka z ograniczoną odpowiedzialnością based in Warsaw, at ul. Kielecka 41a/8, 02-530 Warsaw, entered into the register of entrepreneurs of the KRS kept by the District Court for the capital city of Warsaw 13th Economic Department of the National Court Register under the number 0000902024, NIP (Tax ID) 5252386042, with a share capital of PLN 33,500, hereby provides information about the principles of processing your personal data and your rights related to it.

How do we process personal data?

Under the regulations, Eurodiagnostic Spółka sp. z o.o. is the Controller of your personal data. This means that we are responsible for the use of the data in a secure manner, in accordance with the contract if we have entered into one with you, and any applicable regulations.

What is the purpose and legal basis for processing your personal data, and how long can we do so?

Your personal data will be used (processed) for the following purposes:

1) taking steps aimed at entering into a contract with us:

– for the time it takes to conclude a contract, but no longer than one year from the time it becomes reasonably certain that a contract will not be concluded;

Legal basis:

(a) Clients/Contractors who are natural persons and who carry out activities on their own – Article 6(1)(b) of GDPR;

(b) persons who represent Clients/Contractors (e.g. the Client/Contractor is a legal entity) – Article 6(1)(f) of the GDPR;

2) the performance of the contract concluded between us:

– for the time required to perform the contract (or terminate the contract) and for the period required by law for the retention of accounting documents;

Legal basis:

(a) Clients/Contractors who are natural persons and who carry out activities on their own – Article 6(1)(b) of GDPR;

(b) persons who represent Clients/Contractors (e.g. when the Client/Contractor is a legal entity) – Article 6(1)(f) of the GDPR.

3) establishing, defending and asserting claims (legitimate interest)

– until the statute of limitations for your potential claims against us or until our potential claims against you expire – which is our legitimate interest;

Legal basis: Article 6(1)(f) of the GDPR;

4) performing our legal obligations – in particular:

a) issuing and storing accounting documents;

b) making tax settlements;

c) responding to complaints;

d) storing data for archiving purposes;

– for the duration of such an obligation. Retention periods are specified by law – such as the accounting law;

Legal basis: Article 6(1)(c) of the GDPR;

5) proving due performance of the obligations incumbent on the Controller with regard to the processing of personal data (e.g., providing this information)

– for a period of time during which the Controller may face legal consequences for failing to comply with the obligation, such as receiving a financial penalty from government agencies;

Legal basis: Article 6(1)(c) and (f) of the GDPR;

6) creating compilations, analyses and statistics for our internal needs; this includes, reporting, satisfaction surveys, marketing research, planning the development of sales of services, development work in information systems – which constitutes our legitimate interest;

– for the duration of our legitimate interest in processing them.

Legal basis: Article 6(1)(f) of the GDPR;

7) conducting correspondence with you – to the extent arising from or related to its content – e.g. in matters related to the execution of a contract, taking action to conclude a contract – for a period of time in which the content of this correspondence is of legal significance to us, to you or to the persons on whose behalf you are acting (the time limits specified in points 1-6 above will then apply), and in other cases for a period of 3 months from the last correspondence on the matter;

Legal basis: Article 6(1)(b)(c)(d) and (f) of the GDPR;

Consent

In other cases, your personal data will be processed only on the basis of the consent previously obtained from you to the extent and purpose specified in the content of that consent.

If you give consent to the use of your data, the content of this consent will specify the purpose for which we will process the data and the duration of processing. You may withdraw the consent you have given us at any time (this will not affect the lawfulness of the use of your data prior to the withdrawal of such consent).

Profiling

We do not profile your data (profiling means the automatic analysis of your personal data performed electronically by software designed for this purpose).

Which data need to be submitted?

In order to conclude a contract, we require you to provide data on the contract form, e.g. first name and surname, e-mail address, company, business address, mailing addresses, entry numbers in the relevant registers – e.g. number in the register of medical entities, NIP (Tax ID) number, REGON (Business ID) number, position or function held within your organization, authorizations held, data of persons participating in the execution of the contract, bank account number. We cannot conclude a contract if you do not provide this information. In addition, we may ask for optional data that does not affect the conclusion of the contract. Providing data at the conclusion of the contract is not a statutory requirement.

To whom do we submit your data?

We submit your data to:

1) entities participating in the performance of our activities that process data on our behalf:

a) operators of our information and communication systems or providers of information technology tools;

b) subcontractors who support us, e.g. in providing the services you have ordered, handling correspondence or in the customer service process;

c) entities that provide us with consulting, advisory, auditing and accounting services;

2) other data controllers who process data on their own behalf:

a) entities that provide postal or courier services;

b) entities engaged in payment activities (banks, payment institutions) in order to make payments or refunds to you;

c) entities that cooperate with us in handling accounting, tax and legal matters.

Data from other sources

1) if you make payments through, e.g. a bank or payment institution, we will come into possession of information about which account you made the payment from at which institution or to which account and to which institution we have made the payment. We will process this data in order to verify that the payment was made correctly, to post and settle it, and, if necessary, to make refunds (basis: Article 6(1) (b) and (c) of the GDPR for the purpose of asserting, investigating and defending claims (basis: Article 6(1)(f) of the GDPR;

2) we may also obtain your data from publicly available registers (e.g. register of medical entities, CEIDG, KRS), records, etc. for the purposes described above (conclusion/performance of a contract, including verification of the information you have provided, performance of statutory settlement/archiving obligations, our assertion of claims or defence against claims by you or third parties, marketing, correspondence);

The scope of the processed data will then be limited to the data publicly available in relevant registers.

3) We may obtain your personal data from entities that are your employers or which you represent. The scope of the data transfer in this case includes the information necessary to handle the cooperation and contact with the contractor.

Your rights

You may submit a request (regarding your personal information) for:

1) rectification (correction) of incorrect data or completion of data;

2) deletion of data processed unjustifiably;

3) restriction of processing (suspension of data operations or non-deletion of data – according to the request);

4) access to data (including: to obtain information about the data we process, the purposes of processing, the recipients of the data or categories of recipients) and a copy of the data;

5) transfer of data to another data controller or to you.

You may exercise these rights by submitting a request to the addresses indicated at the end of this note or by any other means.

In order to make sure that you are eligible to make a request, we may ask you to provide additional information to allow us to achieve the authentication.

The scope of each of these rights and the situations in which they can be exercised are determined by law. Which right you can exercise depends, for example, on the legal basis for our use of your data and the purpose of its processing. This means that in some cases we may deny your request. In such cases, we will explain to you the rationale for our decision and provide the legal basis for it. In any case, we will promptly provide you with the necessary explanations and assistance in exercising your rights.

Right of objection

In specific situations, you may object to our processing of your personal data at any time if the basis for the use is our legitimate interest or the public interest. In such a situation, once we have processed your request, we will no longer be able to process the personal data covered by the objection on this basis unless we can demonstrate that the following exist:

1) valid legitimate grounds for data processing, which are deemed by law to override your interests, rights and freedoms,

or

2) grounds for establishing, asserting or defending claims.

Complaints

You have the right to file a complaint with the President of the Office for Personal Data Protection (at the address of the Office for Personal Data Protection. ul. Stawki 2, 00-193 Warsaw), if you believe that the processing of your personal data violates the law.

Contact and information

Address for correspondence: ul. Szeligowskiego 8/98, 20-883 Lublin, address: e-mail: kontakt@eurodiagnostic.ae

The Eurodiagnostic company has appointed a Data Protection Officer – Piotr Harańczyk, e-mail address: iod@eurodiagnostic.ae