Privacy Policy – General principles of personal data processing and privacy protection at St. George's Medical Center

Dear Sir or Madam, this general information clause is addressed to all natural persons to whom we have not addressed a specific clause. Therefore, it is indicated that the recipients of this document are primarily:

⦁ people interested in the services of St. George's Medical Center

⦁ people visiting this website and social media accounts belonging to St. George's Medical Center

⦁ individual contractors whose services are used by St. George's Medical Center, as well as representatives, proxies, or so-called contact persons acting on behalf of contractors

⦁ persons covered by the scope of video surveillance

⦁ persons using the newsletter service

I. Preliminary information – who is the personal data controller?

1. The personal data controller is Global Solutions Sp. z o.o. with its registered office in Warsaw at ul. Polna Róży 6/U4 (02-798 Warsaw), entered into the Register of Entrepreneurs under the number KRS 0000834736, NIP: 9512499941

1. The Controller addresses this information to natural persons in connection with the necessity to fulfill the obligations specified in Art. 13(1) and (2) and Art. 14(1) and (2) of the General Data Protection Regulation of April 27, 2016 (hereinafter referred to as GDPR).

1. The Controller has identified specific categories of data subjects and, if appropriate, sends separate communications containing information on personal data processing to them. Examples of such actions are information clauses addressed to patients of St. George's Medical Center, job candidates, or persons participating in marketing events organized by St. George's Medical Center

1. The Controller has carefully selected and applied technical and organizational measures ensuring the protection of processed personal data. Personal data is protected against disclosure to unauthorized persons and against processing in violation of applicable laws

II. How can you contact the representative of the Controller to obtain more information about the processing of personal data?

1. The Controller has appointed a Data Protection Officer who can be contacted via e-mail: iodo@swjerzymed.pl

III. Processing of personal data of persons interested in the Controller's services

⦁ Purpose and legal basis for processing, which is performed on the personal data of persons interested in the Controller's services:

⦁ processing purpose: responding to questions asked in connection with contact established by potential clients and individual contractors (possibly also through representatives and persons associated with contractors),

⦁ legal basis for processing activities: necessity of processing for the performance of an action undertaken by St. George's Medical Center at the request of the data subject before entering into a contract, i.e., Art. 6(1)(b) GDPR, and/or the legitimate interest of the personal data controller, i.e., Art. 6(1)(f) GDPR – where the legitimate interest is primarily contact with potential clients and contractors, responses to sent messages, and the implementation of statutory activities.

 

IV. Processing of personal data of visitors to the website and social media accounts belonging to the Controller

⦁ Purpose and legal basis for processing, which is performed on the personal data of persons visiting the website and social media accounts belonging to the Controller:

⦁ processing purpose: providing the possibility to use the content presented on the website and within the subpages of social media platforms of St. George's Medical Center, including analytical activities using external tools,

⦁ legal basis for processing activities: realization of the legitimate interests of the data controller, i.e., Art. 6(1)(f) GDPR – where the legitimate interest is indicated as primarily providing access to the content, carrying out analytical activities, and ensuring the proper functioning of the website and social media accounts, as well as marketing of own services and activities taken to maintain and improve the proper functioning of websites; and the consent of the data subject, i.e., Art. 6(1)(a) GDPR, which refers to the acceptance of certain analytical activities.

 

V. Processing of personal data of individual contractors whose services are used by the Controller, as well as the processing of data of representatives, proxies, or so-called contact persons acting on behalf of contractors

1. Purpose and legal basis for processing, which is performed on the personal data of individual contractors whose services are used by the Controller, as well as the processing of data of representatives, proxies, or so-called contact persons acting on behalf of contractors:


⦁ processing purpose: implementation of the contract with a service provider or another type of individual contractor and processing of personal data of employees or representatives carrying out activities on behalf of service providers and other contractors, which may arise during the performance of concluded contracts

⦁ legal basis for processing activities: necessity of processing for the purpose of contract performance and/or action taken by St. George's Medical Center at the request of the data subject before entering into a contract, i.e., Art. 6(1)(b) GDPR, and realization of the legitimate interests of the data controller, i.e., Art. 6(1)(f) GDPR – where the legitimate interest is indicated as the implementation of the statutory activities of the Controller and the fulfillment of legal obligations incumbent upon the data controller, i.e., including accounting and tax obligations – processing basis: fulfillment of legal obligations incumbent upon the data controller, i.e., Art. 6(1)(c) GDPR.


⦁ Processing of personal data of persons covered by the scope of video surveillance

⦁ Purpose and legal basis for processing, which is performed on the personal data of persons covered by the scope of video surveillance:

⦁ processing purpose: protection of the property belonging to St. George's Medical Center and ensuring the safety of patients,

⦁ legal basis for processing activities: implementation of the legitimate interests of the data controller, i.e., Art. 6(1)(f) GDPR – where the legitimate interest is the above-mentioned protection of property and safety of patients, and in some cases also the consent of the data subject, i.e., Art. 6(1)(a) GDPR (at the same time, the Administrator indicates that the issues related to monitoring are described in detail, among others, in the last part of this document).


VI. Processing of data of people using the newsletter service

⦁ Purpose and legal basis for processing that is performed on the personal data of persons using the newsletter service:

⦁ purpose of processing: marketing of the Administrator's own services,

⦁ legal basis for processing activities: consent of the data subject, i.e., Art. 6(1)(a) GDPR.

 

VII. Processing of data of beneficiaries and persons using the implemented sales programs, promotions, or gift card programs, whose regulations are available on this website

1. Purpose and legal basis for processing, which is performed on the personal data of beneficiaries and persons using the implemented sales programs, promotions, or gift card programs, whose regulations are available on this website:

a. processing purpose: implementation of the contract or service,

b. legal basis for processing activities: necessity of processing for the purpose of contract performance and/or action taken by St. George's Medical Center at the request of the data subject before entering into a contract, i.e., Art. 6(1)(b) GDPR, and realization of the legitimate interests of the data controller, i.e., Art. 6(1)(f) GDPR – where the legitimate interest is indicated as the implementation of the statutory activities of the Controller and the fulfillment of legal obligations incumbent upon the data controller, i.e., including accounting and tax obligations – processing basis: fulfillment of legal obligations incumbent upon the data controller, i.e., Art. 6(1)(c) GDPR.


VIII. Sources of personal data processed by the Administrator

⦁ St. George's Medical Center indicates that if personal data has not been obtained directly from the data subject, the sources of their acquisition may primarily include:

⦁ St. George's Medical Center's contractor (i.e., primarily the employer or the so-called contact persons and representatives mentioned in contracts),

⦁ publicly available information sources (i.e., primarily publicly accessible registers of business entities),

⦁ another personal data controller (e.g., social media platform providers).

IX. What scope of personal data is processed by St. George's Medical Center?

1. During the processing activities, the Administrator applies the principle of data minimization. If the data catalog is not explicitly defined by law or if we do not receive it personally from the data subject, the Administrator limits such a catalog to the necessary data.

1. St. George's Medical Center indicates that data subjects are obliged to provide complete, up-to-date, and truthful data

1. The achievement of processing purposes described above, in the vast majority of cases, does not require the processing of special categories of personal data, including data concerning health. Therefore, persons deciding to provide personal data to the Administrator should not do so in an excessive catalog.

1. If St. George's Medical Center processes personal data of individuals obtained from another source, the scope of processed data usually includes: name and surname, basic contact and address information, and indications related to professional affiliation or type of economic activity performed. St. George's Medical Center may also process data such as IP addresses, browsing preferences on websites, or other personal data generated by users of social media platforms.

X. Who may be the recipient of personal data processed by St. George's Medical Center?

⦁ Personal data processed by the Administrator may be disclosed to entities authorized to receive them under applicable laws, including competent state authorities.

⦁ In addition, personal data processed by the Administrator, depending on the processing purpose, may be disclosed to:

⦁ data processors, such as: an external entity providing accounting services, external entities providing IT support to the Administrator, including email hosting and software providers, external advisory and auditing entities, marketing agencies, and any other entities cooperating with St. George's Medical Center, including those involved in patient care,

⦁ recipients who are separate personal data controllers, such as: postal service providers, couriers, law firms, social media platform providers, and other contractors of St. George's Medical Center.

⦁ The Administrator indicates that personal data may be transferred outside the EEA, i.e., to third countries, in the case of processing personal data on social media platforms or when using certain IT tools. Details on the security of such transfer are available in the regulations of social media platform providers or at the specified email address: iodo@swjerzymed.pl. The country of transfer is predominantly the USA, and the declared security measure is standard contractual clauses. The Administrator informs that it does not anticipate and does not carry out the transfer of personal data to international organizations.


XI. How long does St. George's Medical Center store personal data?

⦁ The main criterion determining the personal data storage period is the time necessary to achieve the processing purpose.

⦁ If the processing is based on consent, such consent can be withdrawn at any time. However, the Administrator indicates that in such a case, there may be other grounds justifying further processing of personal data.

⦁ When processing is due to the necessity to fulfill a legal obligation on the Administrator, or in connection with the implementation of a contract or for the needs of fulfilling the legitimate interest of the Administrator, the periods and criteria determining the storage time may be dictated by, among others:
a. the period of implementation of a given contractual relationship,


b. the obligation to store accounting records - 5 years from the beginning of the year following the financial year in which a given transaction was finally completed or settled,

c. the need to secure or later pursue claims - the basic term is 6 years from the day the claim became due.

XII. What rights do individuals have in connection with the processing of their personal data by the Administrator?

⦁ Depending on the processing activity carried out, the catalog of rights that may be granted to individuals is specified in the following list:
⦁ the right of access to data
⦁ the right to rectify data
⦁ the right to erase data
⦁ the right to restrict processing
⦁ the right to data portability
⦁ the right to object.

⦁ Exercising the rights can be done by sending an appropriate request to the email address: iodo@swjerzymed.pl.

The Administrator also indicates that data subjects have the right to lodge a complaint with the supervisory authority, i.e., the President of the Personal Data Protection Office.


XIII. The necessity of providing personal data to the Administrator and final information

1. If the obligation to provide personal data does not result directly from contractual provisions or legal regulations, providing personal data is a voluntary action, but necessary to establish cooperation with St. George's Medical Center, use the services of St. George's Medical Center, or establish contact with St. George's Medical Center.

This document collectively presents most of the information regarding personal data processing. Detailed information on specific processing activities can be obtained by contacting the personal data protection officer using the email address: iodo@swjerzymed.pl.

XIV. Information about cookies

1. For the proper functioning of its website, the Administrator uses cookies, including in a way tailored to individual needs.

1. Using the website without changing cookie settings means that cookies will be stored on the end device of the person using the Administrator's website. This person can change the cookie settings in their web browser at any time.

1. Cookies, including session cookies, may also provide information about the end device and the browser version used by the individual. These tasks are carried out for the correct display of content within the Administrator's website.


4. Cookies are short text files that, in no case, allow the personal identification of the person visiting the website, and no information enabling such identification is stored in them.

XV. Additional information on the use of video monitoring

1. St. George's Medical Center uses video monitoring in relation to the areas surrounding the facilities belonging to St. George's Medical Center and inside these facilities. This refers to monitoring public areas (corridors, reception) and offices, rooms where medical services are provided, and other places where patients stay.

1. The primary purposes of using video monitoring are to protect the property of St. George's Medical Center and ensure the safety of patients.

1. The legal basis for processing personal data, depending on the purpose of processing, results from consent or the legitimate interest of the data administrator, which is described in separate and detailed information clauses.

1. An external entity with constant access to video monitoring recordings is the external IT support of St. George's Medical Center.

1. The basic period for storing video monitoring recordings does not exceed 3 months from the day of recording registration.
