Dear Patients,
Below you will find all necessary information regarding the processing of your personal data in connection with the provision of health care in OCHO, due to the commencement of application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR).
A. Who is the controller of patients’ personal data?
The joint controllers of personal data are the companies from the OCHO Group. The Group companies include:
- OCHO sp. z o.o. with its registered office in Kraków, ul. Ludwika Solskiego 7C, 31-216 Kraków, KRS: 0000658544, NIP: 9452201865, REGON: 366358927;
- Ośrodek Chirurgii Oka Profesora Zagórskiego sp. z o.o. [Eye Surgery Centre Prof. Zagórski] with its registered office in Kraków, ul. Ludwika Solskiego 7C, 31-216 Kraków, KRS: 0000292587, NIP: 9452092100, REGON: 120543868;
- Ośrodek Chirurgii Oka Prof. Zagórskiego z o.o. with its registered office in Nałęczów, al. Małachowskiego 5, 24-140 Nałęczów, KRS: 000011429, NIP: 7162201554, REGON: 430927391;
- Gabinety Okulistyczne sp. z o.o. [Ophthalmology Practices] with its registered office in Lublin, ul. Spokojna 17/9, 20-066 Lublin, KRS: 0000134724, NIP: 7122761749, REGON: 432525449;
- Ośrodek Chirurgii Oka Prof. Zagórskiego z o.o. with its registered office in Nowy Sącz, Aleje Stefana Batory 88, 33-300 Nowy Sącz, KRS: 0000541439, NIP: 7343529838, REGON: 360669253;
- Ośrodek Chirurgii Oka Profesora Zagórskiego sp. z o.o. with its registered office in Rzeszów, ul. Moniuszki 8, 35-017 Rzeszów, KRS: 0000173102, NIP: 8133423399, REGON: 180067243;
- Ośrodek Chirurgii Oka Prof. Zagórskiego z o.o. sp. komandytowa with its registered office in Rzeszów, ul. Moniuszki 8, 35-017 Rzeszów, KRS: 0000660608, NIP: 8133736460, REGON: 366463759;
B. Whom can I contact in matters related to the processing of my personal data?
In any matter related to the processing of your personal data by the OCHO joint controllers, you can contact our Data Protection Officer available at the following e-mail address: iod@ocho.pl.
C. What is the scope of personal data processed by OCHO?
OCHO processes the following set of data: first name, surname, PESEL number, gender and date of birth (in the case of persons without PESEL number), main place of the provision of health care, address of residence, e-mail address and telephone number, image (video surveillance cameras). In addition, when you use health care services, OCHO processes all information about the treatment process, in particular information about the state of health.
D. What is the purpose of personal data processing?
OCHO processes personal data as a medical entity and the purpose of this processing is to provide health care and to manage health care systems and services, by which we mean:
- determining the patient’s identity before providing the service, verifying data when arranging a remote visit (e.g. via the website or by telephone), at reception or in the doctor’s office;
- providing medical services and treating patients in order to execute the contract to which the Patient is party;
- keeping and storing medical records;
- pursuing the legitimate interest of OCHO, which is to perform monitoring on the company’s premises, the development of the company and its employees, planning and organisation of work, performing analyses, summaries, statistics and programs or business or personal strategies, obtaining opinions on the quality of health services provided (surveys), protection and safeguarding of the property of OCHO, defence of rights or establishment and pursuit of OCHO’s claims;
- contacts with the patient at the given telephone number or e-mail address, for example to confirm a reservation or cancel a medical consultation, remind about the consultation, inform about the need to prepare for the agreed procedure or inform about the possibility of receiving the test result;
- pursuing the legitimate interest of OCHO, which is to perform monitoring on the company’s premises, the development of the company and its employees, planning and organisation of work, performing analyses, summaries, statistics and programs or business or personal strategies, obtaining opinions on the quality of health services provided (surveys), protection and safeguarding of the property of OCHO, defence of rights or establishment and pursuit of OCHO’s claims;
- or the need to perform another, specific legal obligation imposed on OCHO by applicable law (tax, accounting issues, etc.).
E. On what basis does OCHO process personal data?
In accordance with the GDPR, the conditions for the processing of personal data may include a) the consent of the person whose personal data are processed, b) the need to perform a contract concluded by OCHO with the person whose personal data are processed, c) a specific legal obligation imposed on OCHO by applicable law, d) the need to protect the vital interests of the person whose personal data are processed, e) the need to perform a task carried out in the public interest by OCHO or f) the need to pursue a legitimate interest of OCHO or other special cases in the scope of processing health data.
In connection with the above, personal data needed by OCHO for the purpose described:
- in D 1), D 4) and D 7) above, we process on the basis of a specific legal obligation imposed on OCHO by applicable law (Article 6(1)(c) of the GDPR);
- in D 2) and D 5) above, we process because it is necessary for the purpose of performing the contract to which the patient is party (Article 6(1)(b) of the GDPR);
- in D 3) above, we process because it is necessary for the purposes of preventive medicine, medical diagnosis and delivery of health care (Article 9(2)(h) of the GDPR);
- in D 6) above, we process as the so-called legitimate interest pursued by the controller (Article 6(1)(f) of the GDPR).
F. Does OCHO perform profiling of personal data?
OCHO does not perform an automated analysis of the data leading to the automated making of any decisions regarding patients.
G. To whom is personal data transferred?
As a medical entity, OCHO cares about the confidentiality of personal data of its patients. Due to the need to ensure appropriate organisation, e.g. in the field of IT infrastructure or current matters related to our activity as an entrepreneur, as well as the exercise of rights as a patient, personal data may be transferred to the following categories of recipients:
- other medical institutions cooperating with OCHO in order to ensure continuity of treatment and availability of health care in the form of our own facilities and facilities cooperating with OCHO in Poland, including companies from the OCHO capital group;
- service providers which supply OCHO with technical and organisational solutions enabling the provision of health care services and management of our organisation (in particular, providers of ICT services, suppliers of diagnostic equipment, courier and postal companies);
- providers of legal and advisory services and the entities which support us in asserting claims to which we are entitled (law firms, debt collection companies).
H. Are the data transferred outside the European Economic Area (EEA)?
Due to the fact that OCHO uses the services of other providers, e.g. in the field of diagnostic equipment service, personal data may be transferred outside the EEA, based on standard data protection clauses adopted by the European Commission.
How long are my personal data processed?
If OCHO has created a medical record of the patient, it is obliged to keep it for at least 20 years from the date the last entry was made in it. Subject to this deadline, if the data were processed by OCHO for the purpose of pursuing claims (e.g. in debt collection proceedings), they are processed for this purpose for the period of limitation of claims, resulting from the provisions of the Civil Code.
All data processed for accounting and tax purposes are processed for 5 years, counting from the end of the calendar year in which the tax obligation arose. After the aforementioned periods, your data is erased or anonymised.
I. Is it the obligation of the patient to provide the data?
The use of OCHO’s services is voluntary, and OCHO, as a medical company, is obliged to keep medical records in a manner specified by law; therefore, failure to provide data may result in a refusal to provide health care service. Providing the data necessary to fulfil accounting or tax obligations is needed to issue an invoice or a receipt bearing your name. Providing a telephone number and/or e-mail address is voluntary; however, without such consent OCHO will not be able to allow you to use certain services or facilities provided by OCHO to its patients (confirmation of visits, etc.).
J. What are the rights of patients related to data processing?
Patients have the following rights:
- the right of access to the content of their personal data (submitting a request for information about the processed data and obtaining a copy of them, including copies of own personal data that are transferred to a third country) and the right to rectify (correct) them, erase data processed unjustifiably, restrict processing (suspension of operations on data or non-erasure of data according to the submitted request), as well as the right to transfer these data to another data controller or to the patient (within the scope specified in Article 20 of the GDPR).
- the right to withdraw consent to the processing of personal data at any time without affecting the lawfulness of the processing which was carried out on the basis of the consent given by the patient before its withdrawal.
- in special situations, the patient may object to the processing of personal data by OCHO at any time, if the basis for the use of the data is the legitimate interest of OCHO or the public interest. In such a situation, after considering the objection, OCHO will not be able to process the personal data covered by the objection on this basis, unless OCHO proves that there are:
  - compelling legitimate grounds for the processing of data that are considered by the law to override the interests, rights and freedoms of the patient, or
  - grounds for the establishment, exercise or defence of legal claims.
The scope of each of these rights and the situations in which they can be exercised are specified in the provisions of law.
The patient may also lodge a complaint with the President of the Office for Personal Data Protection if, in his/her opinion, the processing of personal data by OCHO violates the provisions of the GDPR.