Personal Data Administrator
- Our Clients’ personal Data Administrator is Barbara Zdrojewska who is an entrepreneur listed in the Central Register and Information on Economic Activity under the name of MEDICAL TOURISM CENTER Barbara Zdrojewska based in Lublin at 16 Laurowa Street, Flat 15, Lublin 20-153 (hereinafter referred to as ‘MTC’).
- In case when Clients give marketing consent or consent to data processing for marketing and administrative purposes, MTC is the Data Administrator as well.
Personal Data Protection Inspector
Personal Data Protection Inspector provides necessary guarantees for the protection of our Clients’ personal data. You can contact Personal Data Protection Administrator by email: firstname.lastname@example.org or by phone: +48 696952705
Processed Personal Data
- MTC processes personal data given by its Clients on the grounds of a signed agreement, based on this document and to the extent specified in information clauses and consents given on the Website: www.meditourcenter.com or in any other clear way.
- MTC processes Clients’ data necessary to deliver services ordered by the Client. In particular, the data include: name, surname, PESEL number (or any other identification numbers e.g. passport number), gender, date of birth, medical history, current health discomforts, delivered medical tests, scope of medical care received, process of receiving medical care, location of receiving medical care, home address. Moreover, MTC processes contact data (in particular: an email address and a phone number) and information about a current place of stay in Poland, all of which is necessary to deliver arranged services. All data mentioned above will be essential to verify Client’s identity before medical care or other services are rendered. This information is collected if it is vital for diagnostic purposes and the consecutive treatment planning. A diagnosis is made by entities providing medical care in cooperation with us.
- Processed data, essential to render services specified in the agreement (in particular: medical care services, accommodation bookings, SPA packages or rehabilitation treatments) are confided (handed over) to proper clinics (Trusted Partners).
- During delivering medical care services, entities create an individual treatment plan and medical records (containing information about the process of treatment and doctor’s orders – which will be referred to as medical records). A copy of an individual treatment plan will be given to MTC. After medical service is delivered and medical records are created by the proper subject, a copy of such documentation or its part may be given to MTC.
The Aim of Processing
MTC aims to process personal data to:
- establish client’s identity before medical services are delivered, in particular when registering the Client to medical care service providers, booking/buying accommodation or other services e.g. SPA packages, verifying data when making appointments or buying services from other subjects both at a distance and throughout Poland at the reception desk or doctor’s surgeries (Art. 6 paragraph 1 point c and art. 9 paragraph 2 point h from GDPR in connection with art. 25 point 1 from Act of Patients’ Rights and § 10 art. 1 point 2 from Ordinance of Minister of Health).
- create and store medical records – MTC, as a contractor in delivering medical services, creates and stores medical records together with health care entities which cooperate with MTC (Art. 9 paragraph 2 point h from GDPR in connection with art. 9 paragraph 3 and art. 26 paragraph 1 from Act of Patients’ Rights and Ordinance of Minister of Health).
- perform the contract in accordance with patients’ rights i.e. MTC collects and archives declarations where patients authorise other people to have access to medical records and information about patients’ health (Art. 6 paragraph 1 point c from GDPR from Act of Patients’ Rights and § 8 paragraph 1 from Ordinance of Minister of Health).
- contact patients at the phone number given by them or by e-mail to e.g. confirm the reservation or cancellation of an appointment with the doctor, remind of an appointment, inform about a necessary preparation before receiving treatment or give other important information (Art. 6 paragraph 1 points b and f from GDPR).
- conduct business activities MTC and as the Data Administrator can process clients’ data (patients’ data) to:
- claim assertion due to conducting business activities (Art. 6 paragraph 1 points b and f from GDPR);
- keep the books and pay taxes (Art. 6 paragraph 1 point c from GDPR in connection with art. 74 paragraph 2 from Act of 29 September 1994 on Accounting).
Personal Data Processing
MTC takes great care of its Clients’ confidentiality of personal data when assisting in organizing medical services, reservations, accommodation and purchasing. In order for MTC to run smoothly, in particular when it comes to the delivery of medical services by health care entities, use of information infrastructure, handling ongoing issues in regard with conducting business activities or patients’ rights, Clients’ personal data may be given to following categories of recipients:
- Health care entities which provide medical services in order to guarantee continuity and availability of treatment.
- Service suppliers cooperating with MTC to provide technical and organizational solutions which enable to deliver medical services and manage the organization (in particular tele information service providers, diagnostic tools suppliers, post and delivery companies),
- Service providers assisting MTC in the field of marketing (advertising agencies, companies handling email and sms services),
- Legal and consulting service providers supporting MTC with vindicating claims (in particular law offices and debt collection agencies),
- People authorised by the patient regarding patients’ rights.
- Transport and insurance companies, hotel service providers, additional service providers (e.g. car parks, airport services), local or national chambers of tourism, contractors cooperating with MTC based on signed agreements. Personal data may be also given to other trip participants within the same agreement.
The Period of Personal Data Processing
Clients’ personal data can be processed only as long as it is necessary for MTC to deliver services ordered by the Client. Data processed on the grounds of agreements with MTC will be stored as long as it is necessary to execute the contract and not shorter (i.e. up to 10 years after execution of the contract). Health care entities, which are given patients’ personal data to create medical records, have the right to store them up to 20 years from making the last notification in the records. Only when the data were processed by MTC with the aim of vindicating claims (e.g. debt collection proceedings) can this period be extended. In this case MTC processes the data for vindicating purposes throughout claims’ period of prescription according to the Civil Code. All data processed for accounting and tax purposes are stored for 5 years counting from the end of calendar year when tax liability incurred. After periods of time mentioned above all clients’ data (patients’ data) are deleted or anonymized.
Personal Data Processing outside the EU
The personal data of Clients who use MTC services may be transferred outside the EU. MTC cooperates with tele information and transport companies which might be based or have operating offices outside the EU. MTC guarantees that in this case Clients’ personal data will be given based on an appropriate agreement between MTC and the entity, which will contain standard clauses regarding data protection accepted by European Commission.
Clients’ Obligations with regard to Giving Personal Data
- Using MTC services is voluntary, nonetheless as the subject assisting in contacts with other subjects including health care entities, MTC collects and stores its patients’ medical records according to provisions of law, which means MTC identifies the Client using their personal data. Not submitting data results in refusal to make a medical appointment, buy services or deliver a medical treatment. Legal obligation to process Client’s data also results from accounting or tax reasons and lack of data results in e.g. inability to issue an invoice or bills including Client’s name.
- In the event when a Client has not given their phone number or email address there are no consequences resulting in refusal to make an appointment / a purchase as giving such information is voluntary. However, when there is a lack of information concerning a phone number or email address, a Client will not receive an sms confirmation and as a result will not have a possibility to cancel an appointment by e.g. SMS.
- Consent to Clients’ personal data processing and transferring in concordance with § 3 is not obligatory, nevertheless a refusal to give it results in inability to use MTC services.
- Regardless of the above, MTC informs that a Client can always withdraw their consent to personal data processing.
Client’s Rights connected with Personal Data Processing
According to provisions of law, a Client is guaranteed the right to access their data and to correct, withdraw or limit processing them. They are also given the right to object to the processing of personal data by MTC or to transfer personal data to another administrator. If a Client does not want to use any of these privileges they should contact us calling our helpline or visit our office. We also inform that a Client has the right to make a complaint to an institution safeguarding personal data protection.
List of Definitions and Abbreviations
GDPR – Regulation on the protection with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC made by European Parliament and the Council of the European Union of 27 April 2016;
- Act of Patient’s Rights – Act of 6 November 2008 on patient’s rights and the Patients’ Ombudsman;
- Ordinance of Minister of Health – Regulation of the Minister of Health of 9 November 2015 on the type, scope and templates of medical records and methods of their processing.