1.1 Controller – NZOZ Centrum Stomatologii Civil Partnership Justyna Wichlińska Jarosław Wichliński, ul. 3 Maja 16, 38-300 Gorlice, entered in the Register of Entrepreneurs under KRS [National Court Register:] 0000007053, NIP [Tax Identification Number:] 7381956637, REGON [Central Registry Business Number:] 356761890 e-mail: firstname.lastname@example.org.
1.2. Personal data – all information concerning the natural person identified or identifiable by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity, including the IP of the device, location data, the Internet identifier and information collected through cookies and other similar technology.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
1.5. Portal – the Internet portal operated by the Controller at https://www.stomatologiawichlinscy.pl.
1.6. User – each natural person visiting the Portal or using the services or functionalities described in the Policy.
2. Data processing in connection with the use of the Portal
2.1 In connection with the use of the Portal by the User, the Controller collects data to the extent necessary to provide the offered services as well as the information about the User’s activity in the Portal. The detailed principles and purposes of the processing of personal data collected during the use of the Portal by the User are described below.
3. Objectives and legal basis of data processing in the Portal
Use of the Portal
3.1 Personal data of all persons using the Portal (including the IP address or other identifiers and information collected via cookies or other similar technologies) are processed by the Controller:
3.1.1. for the purpose of providing services electronically within the scope of making the content collected in the Portal available to the Users, making contact forms available – then the legal basis for processing is the necessity of the processing for performance of the agreement (art. 6 section 1 letter b of GDPR);
3.1.2. for analytical and statistical purposes – then the legal basis for processing is the legitimate interest of the Controller (art. 6 section 1 letter f of GDPR) consisting in conducting analyses of activity of the Users as well as of their preferences in order to improve the applied functionalities and provided services;
3.1.3. for the purpose of possible determination and assertion of claims or defence against them – the legal basis for processing is the legitimate interest of the Controller (art. 6 section 1 letter f of GDPR) consisting in protection of the Controller’s rights;
3.1.4. for marketing purposes of the Controller, in particular the ones related to presenting behavioural advertisement – the rules of processing personal data for marketing purposes are described in the section
The activity of the User in the Portal, including his/her personal data, is recorded in system logs (a special computer program used for storing the chronological record containing the information about events and activities concerning the IT system used for providing services by the Controller). The information collected in the logs is processed in connection with functioning of the Portal. The Controller processes it also for technical purposes, in particular, data may be temporarily stored and processed in order to ensure security and proper functioning of the IT systems, e.g. in connection with making security copies, tests of changes in the IT systems, detection of irregularities or protection against abuse and attacks.
3.2 The Controller provides the possibility to contact him/her using electronic contact forms. Using the form requires providing personal data necessary to contact the User. The User may also provide other data to facilitate contact or handling of the enquiry. Providing data marked as obligatory is required for accepting and servicing the enquiry and their omission results in failure to provide the service. Provision of other data is voluntary.
3.3 Personal data is processed:
3.3.1. for the purpose of identification of the sender and handling his/her enquiry sent via the provided form – the legal basis for processing is the necessity of processing for performance of the service contract (art. 6 section 1 letter b of GDPR);
3.3.2. for analytical and statistical purposes – the legal basis of processing is the legitimate interest of the Controller (art. 6 section 1 letter f of GDPR) consisting in keeping the statistics regarding enquiries submitted by the Users through the Portal in order to improve its functionality.
4.1. The Controller processes the personal data of the Users in order to implement the marketing activities that may consist in:
4.1.1. displaying marketing content that is not tailored to the User’s preferences (contextual advertising) to the User;
4.1.2. displaying marketing content corresponding to the User’s interests (behavioural advertising);
4.1.3. sending e-mail alerts about interesting offers or content that – in some cases – include commercial information.
4.2 In order to implement the marketing activities, the Controller uses profiling in specific cases. This means that due to automated data processing, the Controller evaluates selected factors concerning natural persons in order to analyse their behaviour or create a forecast for the future.
4.3. The Controller processes personal data of the Users for marketing purposes in connection with directing contextual advertising (i.e. advertising which is not tailored to the User’s preferences) to the Users. The processing of personal data is then conducted in connection with the legitimate interest of the Controller (art. 6 section 1 letter f of GDPR).
4.5. This consent may be withdrawn at any time.
5. Social media
5.1 The Controller processes personal data of the Users visiting the Administrator’s profiles held in social media (Facebook). The data is processed exclusively in connection with running the profile, including the purposes of informing the Users about the activities of the Controller and promoting various events, services and products as well as for the purposes of communicating with the Users via the functionalities available in social media. The legal basis for processing of personal data by the Controller for this purpose is the legitimate interest of the Controller (art. 6 section 6 letter f of GDPR) consisting in promoting the own brand as well as building and maintaining the community associated with the brand.
6. Cookies and similar technology
6.1. Cookies are small text files installed on the device of the User browsing the Portal. Cookies collect information facilitating website use, e.g. by storing the User’s visits to the Portal and actions performed by the User.
6.2.1. cookies with data entered by the User (session identifier) for duration of the session (user input cookies);
6.2.2. authentication cookies used for services that require authentication for duration of the session;
6.2.3. security cookies, e.g. the ones used to detect authentication abuse (user centric security cookies);
6.2.4. multimedia player session cookies (e.g. flash player cookies) for duration of the session;
6.2.5. persistent user interface customisation cookies for duration of the session or a bit longer;
6.2.6. shopping cart cookies for duration of the session;
6.2.7. cookies used for monitoring website traffic, i.e. data analytics, including Google Analytics cookies (these are the files used by Google for the purpose of analysing the manner of use of the Portal, for creation of statistics and reports concerning functioning of the Portal). Google does not use the collected data to identify the User nor does it combine this information to enable identification. Detailed information on the scope and principles of data collection in connection with this service can be found under the link: https://www.google.com/intl/pl/policies/privacy/partners.
7. The period of personal data processing
7.1. The period of data processing by the Controller depends on the type of the provided service and the purpose of processing. As a rule, the data is processed for duration of the service provision or order processing until the withdrawal of the expressed consent or filing an effective objection to data processing in cases where the legal basis of data processing is the legitimate interest of the Controller.
7.2. The period of data processing may be extended in the event when processing is necessary to determine and assert or defend against possible claims, and thereafter only in the case and to the extent required by law. After completion of the processing period, the data shall be irreversibly deleted or anonymised.
8. Rights of the User
8.1. Data subjects shall have the following rights:
8.1.1. the right to the information about processing of personal data – on this basis, the person submitting this request shall be provided by the Controller with the information about processing of personal data, including – in particular – the purposes and legal grounds for processing, the scope of the data held, the entities the personal data is disclosed to and the planned date of its erasure;
8.1.2. the right to obtain a copy of data – on this basis the Controller shall provide the person submitting the request with a copy of the processed data;
8.1.3. the right to rectification – on this basis the Controller shall rectify any inconsistencies or errors concerning the processed personal data and shall complete or update it if the data is incomplete or has changed;
8.1.4. the right to erasure – on this basis, it is possible to request erasure of data whose processing is no longer necessary for any of the purposes for which the data has been collected;
8.1.5. the right to restrict processing – on this basis the Controller shall cease to conduct the operations on personal data, with the exception of the operations the data subject has given his/her consent to and its storage pursuant to the adopted rules of retention or until the reasons for restriction of data processing cease to exist (e.g. the decision of the supervisory authority allowing further data processing);
8.1.6. the right to data portability – on this basis, to the extent the data is processed in relation to the concluded agreement or the given consent, the Controller shall issue the data provided by the data subject in a computer readable format. It is also possible to request the data to be sent to another entity – however, on the condition that it is technically possible both for the Controller and another entity;
8.1.7. the right to object to processing for marketing purposes – the data subject may at any time object to processing of personal data for marketing purposes, without the necessity of justifying this objection;
8.1.8. the right to object to other purposes of processing – the data subject may at any time object to processing of personal data on the basis of the legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons relating to protection of property). The objection in this respect shall include a justification and shall be subject to assessment by the Controller;
8.1.9. the right to withdraw the consent – if the data is processed on the basis of the consent, the data subject shall have the right to withdraw it at any time, which, however, shall not affect lawfulness of the processing performed before the withdrawal of this consent;
8.1.10. the right to lodge a complaint – if processing of personal data is considered to breach the provisions of the GDPR or other data protection legislation, the data subject may lodge a complaint with the President of the Data Protection Authority.
8.2. A request concerning implementation of the rights of the data subjects may be submitted:
8.2.1. in writing to the address: ul. 3 Maja 16, 38-300 Gorlice;
8.2.2. by e-mail to the address: email@example.com.
8.3. The request should – as far as possible – indicate precisely what the request concerns, i.e. in particular:
8.3.1. what right the person submitting a request wishes to exercise (e.g. right to obtain a copy of the data, the right to erasure, etc.);
8.3.2. which processing process the request concerns (e.g. use of a particular service, activity on a particular website, receipt of the newsletter containing commercial information to a particular e-mail address, etc.);
8.3.3. which processing purposes the request concerns (e.g. marketing purposes, analytical purposes, etc.).
8.4. If the Controller is not able to determine the content of the request or identify the person making the request on the basis of the notification made, the Controller shall request additional information from the person submitting the request.
8.5. Requests shall be responded to within one month of receipt. If it is necessary to extend this deadline, the Controller shall inform the requestor of the reasons for the above-mentioned extension.
8.6. The response shall be provided to the e-mail address the request was sent from and in the case of the requests sent by letter, by ordinary mail to the address indicated by the requestor unless the content of the letter indicates the intention to receive feedback to the e-mail address (in this case the e-mail address must be provided).
9. Data recipients
9.1. In connection with provision of the services, personal data shall be disclosed to external entities, including – in particular – suppliers responsible for the operation of the IT systems and entities related to the Controller.
9.2. The Controller reserves the right to disclose selected information concerning the User to the competent authorities or third parties who shall submit a request for this information on the basis of the relevant legal basis and pursuant to the provisions of the applicable law.
10. Transfer of data outside the EEA
10.1. The level of protection of personal data outside the European Economic Area (EEA) differs from the one provided by European law. For this reason, the Controller shall transfer personal data outside the EEA only when it is necessary and ensuring the appropriate level of protection, primarily by:
10.1.1. cooperating with processors of personal data in the countries for which the relevant decision of the European Commission has been issued;
10.1.2. applying the standard contractual clauses issued by the European Commission;
10.1.3. use of the binding corporate rules approved by the competent supervisory authority;
10.1.4. in the event of transfer of data to the USA – cooperation with entities participating in the Privacy Shield programme, approved by the decision of the European Commission.
10.2. The Controller shall always inform about the intention to transfer personal data outside the EEA at the stage of its collection.
11. Personal data security
11.1 The Controller shall perform the risk analysis on an ongoing basis in order to ensure that the personal data is processed by the Controller in a secure manner – in particular, ensuring that only authorised persons have access to the data and only to the extent necessary for performance of their tasks. The Controller shall ensure that all operations within the scope of personal data are recorded and performed only by authorised employees and co-workers.
11.2 The Controller shall undertake all necessary measures to ensure that also his/her subcontractors and other cooperating entities guarantee the application of the appropriate security measures in each case they process personal data on behalf of the Controller.
12. Contact details
12.1. Contact with the Controller is possible via e-mail address: firstname.lastname@example.org or by mailing address: ul. 3 Maja 16, 38-300 Gorlice.
13.1. The Policy is reviewed on an ongoing basis and updated if necessary.