Dear Users,
This Privacy Policy document applicable to our website was created to protect your privacy and provide clear guidelines for the processing of your personal data. It describes how we collect, use, store and protect personal data that we receive from you when you use our website or other services that we offer.
The Privacy Policy has also been developed to facilitate the fulfilment of the key obligation imposed on us as the Data Controller – the fulfilment of the information obligation, as well as to ensure full compliance with the provisions on the protection of personal data, including the GDPR. We are aware that understanding and complying with these laws is not only important from a compliance perspective, but also constitutes a foundation for building our customers’ trust.
In our Privacy Policy, you will find clear guidelines on what personal data we collect, how they are used and secured, and what your rights related to the processing of these data are. We make every effort to ensure that you are well informed about how we protect your privacy and how you can control your personal data.
Understanding and complying with our Privacy Policy is important to both you and us. Therefore, we encourage you to read it and contact us if you have any questions or concerns related to the protection of your personal data.
Thank you for the trust you place in our services and for understanding the importance of personal data protection.
-
Definitions
Controller – Personal Data Controller, the entity which determines the purposes and means of processing personal data. The Controller of the website https://www.eurodiagnosis.pl/ is:
Eurodiagnosis Sp. z o.o.
ul. Plac Bankowy 2, 00-095 Warszawa
NIP: 5213884787
REGON: 385056172
KRS: 0000817988
District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division,
Personal Data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.
Policy – privacy policy of the website https://www.eurodiagnosis.pl/
GDPR – the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
EEA – European Economic Area, Free Trade Area and Single Market, including the countries of the European Union and the European Free Trade Association (EFTA), with the exception of Switzerland. This is the area where the free flow of personal data takes place.
Data Recipient – a natural or legal person, an organisational unit without legal personality, public authority, agency or another body to which the personal data are disclosed, whether third party or not.
Cookies – small text files that are stored on the User’s end device (computer, tablet, phone) and allow the website to remember the Users’ preferences next time they visit the website.
President of the Office – President of the Office for Personal Data Protection, a supervisory authority as defined in the GDPR, which supervises compliance with the provisions of law in the field of personal data protection in Poland.
Profiling – any form of automated processing of personal data consisting in the use of personal data to evaluate the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.
SSL protocol – a network protocol used for secure Internet connections, adopted as an encryption standard on WWW pages. The SSL certificate ensures the confidentiality of data transmission over the Internet.
Processing – performing any operation or a set of operations on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
-
Contact regarding the processing of your personal data
The Controller has appointed a Data Protection Officer, who can be contacted in all matters related to the processing of personal data via the e-mail address: iod@pca.pl or by sending a letter to the Controller’s address.
-
Processing of personal data in connection with the use of the website and the services we provide on the website
We would like to inform you about the processing of your personal data in connection with the use of our website. Our goal is to ensure full transparency and protection of your privacy, which is why we have prepared this short notice that will explain how we process your data.
Contact form: When you use the contact form on our website, we will process the contact details you provide, such as your first name, surname, e-mail address, in order to respond to your inquiry or request.
IP Address: When you visit our website, we automatically collect the IP address of your device. The IP address is a unique identifier assigned to your device when you use the Internet, which we process using cookies to manage the website, analyse trends, and track user activity on the website. This information helps us better understand how users use our service and tailor it to their needs. More information on cookies can be found in the Cookies section below.
Newsletter: If you choose to subscribe to our newsletter, we will process your data, such as your email address, in order to send you news, product information or promotions. The processing of data for this purpose is based on your voluntary consent, which you can withdraw at any time via the link available in each message you receive.
Social Plugins: There are social plugins, such as Facebook, available on our website. The use of these plugins is voluntary. If you choose to use these plugins, your personal data may be processed by these social networks in accordance with their own privacy policies. We encourage you to review these policies to learn how your data is processed by these platforms.
Order form: in order to properly provide services via the order form, we process personal data such as first name, surname, e-mail address, telephone number, medical history provided by you or your description of symptoms. This information is necessary for the proper processing of the order, ensuring appropriate medical service and adapting the services offered to the individual needs of the user.
Purchasing examination descriptions: When you purchase examination descriptions on our website, we will process your order data, such as your first name and surname, telephone number, email address, type of examination selected, transaction amount, and payment details. This information is necessary to fulfill your order.
Payments: Payments for the services are made via the PayU platform, which provides safe and convenient methods of conducting transactions. During the payment process, we process users’ personal data such as first name and surname, email address, telephone number, address of residence or registered office (if required to issue an invoice), payment details such as credit/debit card number, card expiration date, CVV code (which are transmitted directly to PayU and are not stored in our resources). The PayU platform uses advanced security technologies, such as data encryption, to ensure the highest level of transaction security. PayU meets international security standards, including PCI DSS (Payment Card Industry Data Security Standard), which guarantees that users’ personal and financial data are protected at every stage of the payment process. More information about PayU’s security policy can be found here.
Sending examination images for descriptions: This is an essential part of the process of our services, in which users send images to us for analysis and preparation of examination descriptions. This process takes place outside our service through the WeTransfer platform. When using the WeTransfer service, users provide us with images obtained in the examinations, and the WeTransfer platform is responsible for sending and storing these data until we collect them. The storage time of user data on the WeTransfer platform does not exceed 72 hours. WeTransfer uses advanced security measures to protect user data. More information about WeTransfer’s security policy can be found here. The website administrator does not have direct access to the images sent via WeTransfer, which provides an additional level of user privacy protection. The personal data of users processed in this process include an examination image which contains, depending on the device used during the examination, such information as first name, surname, PESEL number, patient ID, date of birth, name of the examination, model of the apparatus, list of sequences performed, referral and description of the examination.
Collection of examination descriptions: After the examination description has been prepared by our specialists, in order to allow users to access their results, the result is uploaded to the specialised RadPoint system. The examination description is collected outside our website. The user is informed about the availability of the examination description by SMS. The message contains a link and instructions on how to collect the description from the RadPoint system. To collect the description, the user is asked to provide the PESEL number and a one-time expiring collection code. The examination description is stored in the RadPoint secure cloud, which uses advanced security measures to ensure that users’ data are protected. The RadPoint system guarantees data security through encryption, access authorisation and regular security audits. More information about RadPoint’s security policy can be found here.
If you have any questions related to the processing or security of your personal data, please contact our Data Protection Officer iod@pca.pl
-
Purpose and legal basis of the processing
We process personal data for the purpose of:
- entering into and performing the contract in connection with your orders for examination descriptions on our website (Article 6(1)(b) GDPR);
- pursuing claims related to our business activity and defending against such claims as part of the legitimate interests of the controller (Article 6(1)(f) GDPR);
- complying with legal obligations imposed on us, such as keeping accounting books and tax documentation (Article 6(1)(c) GDPR);
- conducting marketing activities in the form of a newsletter (Article 6(1)(a) GDPR in connection with Article 10 of the Act of 18 July 2002 on Providing Services by Electronic Means);
- responding to inquiries sent via the contact form as part of the legitimate interests pursued by the controller (Article 6(1)(f) GDPR);
- setting the configuration of user preferences and facilitating the use of the website through cookies (Article 173 of the Act of 16 July 2004 Telecommunications Law) and as part of the legitimate interests pursued by the controller (Article 6(1)(f) GDPR);
- running a fan page on social networks, on the terms and conditions specified by the administrators of these websites and in accordance with the terms applied to these websites, and informing, through these websites, about our activity and operations, promoting various events that we organise, promoting, building and maintaining the community associated with us, and communicating through the available functionalities of these websites, such as responses to reactions, comments and private messages (Article 6(1)(f) GDPR).
-
Data Recipients
The recipients of your personal data may only be entities that are entitled to receive such data under the law. In addition, your data may be made available to other entities on the basis of data processing agreements. For example, these may be companies that provide software or platforms needed to process your orders on our site, or to make online payments. For instance, the data may be shared with the suppliers of the order management system or the PayU platform that processes payments. In some cases, to fulfil your order, data may also be transferred to couriers and postal operators, such as DHL or Polish Post. We make sure that all entities to whom we entrust your data apply appropriate security measures, in accordance with applicable regulations and security standards.
Your trust is most important to us, which is why we always make every effort to keep your data safe.
-
Data retention period
Depending on the purposes for which we collect and process your personal data, the storage period may vary. We strive to retain your data only for the necessary time that allows us to achieve the intended purposes of processing. We store your personal data in accordance with applicable laws, including specific storage and retention requirements. However, we try to limit this period to the minimum necessary.
If the data are necessary for the performance of a contract or the provision of services, we will store them for the period required to achieve these purposes. After termination of the contract or the use of our services, the data may be stored for an additional period in order to:
- pursue claims in connection with the performance of the contract;
- perform obligations arising from legal provisions, including, in particular, for tax and accounting purposes;
- prevent abuse and fraud;
- serve statistical and archiving purposes;
- for a maximum period of 3 years from the end of the year in which the contract was terminated, e.g. in connection with the proper performance of your order.
In the case of data processed on the basis of voluntary consent, the data will be stored until the purpose for which they were collected ceases or until the consent is withdrawn, whichever occurs first.
In the event that you exercise your right to erasure or rectification of your personal data, we will endeavour to comply with this request as soon as possible, unless there are other legitimate legal grounds or legitimate interests that require the continued storage of these data.
If you have any questions about the storage period of your personal data, we encourage you to contact our DPO.
-
Exercising the rights of data subjects
What are your rights and what possibilities do they give you?
Right of access to data
You have the possibility to check whether a given controller is actually processing your personal data and obtain detailed information about this processing.
You may obtain answers to such questions as:
- For what purpose are the data processed?
- What specific data does the controller have?
- How did the controller come into possession of your data?
- What is the duration of storage of your data and when will they be permanently deleted?
Right to object to processing of data
You have the possibility to object to the further processing of personal data by the controller. This right is granted when the data are processed:
- in order to pursue the public interest;
- on the basis of the legitimate interest of the controller (e.g. for direct marketing purposes).
After you have objected to direct marketing, the company is no longer allowed to use the personal data of the data subject and must comply with the request without charging any fee.
However, there are situations in which the entity may continue to process data despite the objection:
- in the case of scientific, historical or statistical research, where the processing of data is necessary for the performance of a task carried out in the public interest;
- in the case of a legitimate interest or the performance of a task carried out in the public interest or in the exercise of public authority, where the company demonstrates that its interest overrides the person’s request.
Right to rectification of data
If the data subject considers that his/her data may be incorrect, incomplete or inaccurate, he/she may ask the company or organisation to rectify his/her data. The data must be corrected without undue delay, and if they are not corrected, a justification for the failure to comply with the request must be provided.
Right to restrict processing
The controller may store data, but may not perform any other processing activities on them, e.g. may not include data in statistics or other statements.
When can the right to ‘restrict’ processing be exercised?
- when a person questions the correctness of data – then the restriction lasts for the time that allows the correctness of these data to be verified;
- when a person determines that the processing is unlawful but does not request permanent deletion of their data;
- when a person has objected to the processing of data – the restriction applies for the time needed to determine whether the objection is justified;
- when the personal data are no longer needed for the purposes for which they were collected, but cannot be deleted due to applicable law.
Right to erasure, ‘right to be forgotten’
The right to request the permanent deletion of personal data from the database or other resources of the controller is granted:
- when the data are no longer necessary for the purposes for which they were collected;
- if the person has withdrawn their consent to the processing of data;
- when the data have been used unlawfully.
However, there are situations in which the exercise of this right will not be possible, e.g. if the controller demonstrates that there are still legal grounds for the processing of these data. This may be the case, for example, if the customer has not fully fulfilled the obligation to pay the amount due. In such a case, the customer may not request the deletion of his or her personal data.
Right to data portability
This right gives the data subject the possibility to transfer his or her personal data to another controller. What does it mean in practice? A person may request that the data controller, as far as technically possible, transfer to another controller those personal data that are processed in digital form and the basis for their processing is consent or a contract.
Right not to be subject to automated decision-making
Profiling is when personal factors are assessed in order to make predictions about a person, even if this does not result in a decision. For example, when a company or organisation analyses a person’s traits (such as age, gender, height) or categorises a person, it means that that person has been subjected to profiling.
A decision that is based solely on automated processing means a decision that has been made by technical means without human intervention. It does not have to involve profiling.
The Data Protection Regulation provides that everyone has the right not to be subject to a decision based solely on automated processing, if the decision produces legal effects concerning him or her or similarly significantly affects him or her.
A decision that is based solely on automated processing may be allowed when:
- regulations allow the use of algorithms and at the same time guarantee appropriate safeguards;
- it is necessary (i.e. it is the only possible way to achieve a common goal) to conclude or perform a contract with the data subject;
- the data subject has given his or her explicit consent.
How can you exercise your rights?
You as a data subject may contact us with a request that we exercise your rights. Before responding, we will need to verify the identity of the person submitting the request. For this purpose, a correct request for the exercise of rights should contain the following elements:
- Identification data: The request should include your full identification data, such as your first name, surname, residential address, email address and contact telephone number. This will allow us to identify you as the person to whom the request relates.
- Indication of the right you want to exercise: The request should clearly state which specific right related to the protection of personal data you want to exercise.
- Scope of the request: The request should precisely indicate what specific actions you want us to take in connection with the exercise of the requested right. For example, if you want to exercise your right to access personal data, specify exactly what information you want to obtain and on what medium.
- Signature and date: The request should be signed by you personally. The signature confirms that you are the person submitting the request. In addition, provide the date of the request so that we can determine when it was submitted.
- How to provide a response: The request should include information about the manner in which you want us to respond to your request. This could be an email address, mailing address, or any other contact you feel is appropriate.
It is important that the request is clear, precise and complete so that we can effectively and efficiently fulfill your request. If you have doubts about the content of the request or procedures related to the exercise of rights, we recommend consulting the controller or our Data Protection Officer.
Where to submit the request?
The request must be submitted in person at the headquarters of our organisation, by letter or via e-mail.
Contact with the Controller:
Eurodiagnosis Sp. z o.o.
- mailing address: ul. Ceramiczna 1, 20-148 Lublin
- telephone number: +48 800 707 072
- e-mail address: kontakt@eurodiagnosis.pl
Contact with the Data Protection Officer:
- e-mail address: iod@pca.pl
When will a response be given?
Response to the request will be given without undue delay, but no later than one month from the date of request.
In justified cases, i.e. due to the complicated nature of the request or the number of requests, we may extend this period by a maximum of another two months. In this case, while maintaining the one-month deadline for responding, we will inform you that we are unable to consider the request on time, provide the reason for the delay and the planned deadline for responding.
If we refuse to fulfil the request, we will notify you of the reasons for which actions were not taken and of the possibility to lodge a complaint with the President of the Office for Personal Data Protection.
-
Transfer of personal data outside the EEA
As a data controller, we do not transfer your information outside the European Economic Area (EEA). However, there is a possibility that your personal data will be transferred to countries outside this area, such as the United States, and to international organisations, such as the Google Group. This may be due to the use of social media platforms such as Facebook or YouTube. In the case of such a transfer, these entities usually use standard contractual clauses approved by the European Commission or rely on decisions of the European Commission that confirm these specific countries offer an adequate level of data protection. More information on this can be found on the websites of the aforementioned social media platforms.
In addition, we would like to inform you that we and the partner companies through which we provide services to you, such as WeTransfer, PayU and RadPoint, have been obliged to store data within the European Economic Area (EEA). Rest assured that we take all necessary measures to protect your personal data and guarantee its security in accordance with applicable data protection laws.
The use of appropriate safeguards and standard contractual clauses gives us confidence that the protection of your data is at the highest level, regardless of where it is processed.
-
Profiling and automatic data processing
In some cases, the processing of your personal data may take place automatically, without human intervention. This means that we use tools and technologies that analyse your data in an automated way in order to perform certain functions, such as personalising content, sharing recommendations or analysing user behaviour.
We may use profiling techniques that rely on automated processing of personal data to evaluate, analyse or predict certain aspects of your preferences, behaviour, interests or needs. This allows us to provide you with more personalised content, offers or recommendations that may be more relevant to you. Most web browsers allow users to manage their privacy settings, including blocking cookies and tracking scripts that are often used to profile users.
-
Cookies
The website www.eurodiagnosis.pl uses cookies. These are small text files sent by the web server and stored by the browser computer software. When the browser reconnects with the site, the site recognises the type of device the user connects with. Parameters allow the reading of information contained in them, exclusively by the server that created these files. Cookies therefore make it easier to use previously visited websites. The information collected relates to the IP address, type of browser used, language, type of operating system, Internet service provider, time and date information, location and information sent to the website via the contact form.
The collected data are used to monitor and check how users use the websites, and to improve the functioning of the website, ensuring more effective and problem-free navigation. We monitor user information using the Google Analytics tool, which records user behaviour on the website. Cookies identify the user, which allows us to adapt the content of the website to the individual needs of the user. We use cookies to guarantee the highest standard of comfort of our service, and the collected data are used only within the company to optimise our activities.
The website uses the following cookies:
- Essential cookies enabling the use of services available within the website, for example: authentication cookies used for services that require authentication through the website;
- User-centric security cookies, for example: cookies used to detect fraud in the authentication through the website;
- Performance cookies enabling collection of information about the use of the webpages;
- Functional cookies, enabling the website to ‘remember’ the settings selected by the user and personalising the user interface, e.g. in terms of the language or region from which the user originates, size of the font, appearance of the website, etc.;
- Advertising cookies used to provide users with advertising content more tailored to their interests.
If the user does not wish to receive cookies, he or she may change browser settings. However, it is worth noting that disabling cookies that are necessary for the processes of authentication, security, or maintenance of user preferences can hinder, and in some cases prevent, the use of web pages.
The user may at any time disable or restore the option of collecting cookies by changing the settings in the web browser. Instructions for managing cookies are available on the websites of web browser manufacturers. Below are links to instructions for managing cookies for the most popular browsers:
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
- Safari
- Opera
Changing your cookie settings may affect the functionality of some of the features available on our website.
-
Safe use of the website
Please be advised that the Controller applies adequate technical and organisational measures to ensure the maximum level of protection for persons using the website and providing their personal data via the website.
In order to guarantee the highest level of security in the use of the website, it is secured with SSL protocol.
Additional security measures used by the Controller include:
- Data encryption – All data sent between the user and the server are encrypted using SSL/TLS, which protects them from being intercepted by third parties.
- Regular software updates – The Controller provides regular updates of the server software and any applications used on the site to prevent the use of known security vulnerabilities.
- Server security – Servers are protected by advanced firewall systems that monitor and control network traffic, preventing unauthorised access.
- Intrusion Detection and Prevention System (IDS/IPS) – These systems monitor network traffic for suspicious activity and potential threats, enabling a quick response to intrusion attempts.
- Regular backups – The data stored on the servers are regularly copied, which ensures that they can be recovered in the event of a failure or security incident.
- Restricted Access – Personal data can only be accessed by authorised employees who must use strong passwords and two-step access verification.
- System monitoring – Continuous monitoring of IT systems allows for quick identification and response to potential threats.
- Security audit – Regular security audits of systems and processes allow for the identification of weaknesses and their correction.
- Strong password policy – Requirement for users and employees to use complex passwords and change them regularly.
- Education and training – Employees are regularly trained on best security practices and current cyber threats.
- Secure data processing procedures – Strict procedures for processing, storing and deleting personal data.
- Physical access control – Physical protection of server rooms and other data storage locations, including access control systems and video monitoring.
- Multi-factor authentication (MFA) – Use of multi-factor authentication for critical systems and applications to further enhance access security.
- Data processing agreements and confidentiality records – Conclusion of data processing agreements and data security and confidentiality records with contractors who have or may have access to personal data when using our website. These agreements ensure that all trading partners have adequate data protection measures in place and are bound by confidentiality obligations.
By applying the above security measures, the Controller strives to ensure the highest level of personal data protection and safe use of the website by its users.
-
Final provisions
Eurodiagnosis Sp. z o.o. reserves the right to change the Policy at any time due to the scope of services offered and adaptation to the amended law. In any case, if possible, we will try to inform you about the update of the Policy before it is introduced.
Last update of Privacy Policy 06/06/2024.
All rights reserved. No part of this document may be reproduced or distributed by means of electronic, mechanical, copying, recording and other devices – without the written consent of the author. Infringement of copyright will result in criminal liability, as provided for in the law, in particular the provisions of the Act on Copyright and Related Rights, the Act on Combating Unfair Competition, the provisions of press law and the provisions of the Civil Code. The copyright owner is:
Polish Audit Centre
-
+48 518 99 99 65 iod@pca.pl