1.1. Controller – Scandinavian Clinic Sp. z o.o. with its registered seat in Kraków, plac Szczepański 3, 31-011 Kraków, entered in the Register of Entrepreneurs of the National Court Register (KRS) under No. 0000401978, Tax Identification Number (NIP): 6772365041, National Official Business Register (REGON): 122439810, e-mail: firstname.lastname@example.org
1.2. Personal data – all information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, psychological, economic, cultural or social identity, including IP of a device, location data, Internet identifier and information collected through cookie files and other similar technology.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
1.5. Portal/Website – Internet website maintained by the Controller at www.scandinavian-clinic.pl.
1.6. User – any natural person visiting the Portal or using services or functionalities described in the Policy.
2. PROCESSING OF DATA IN CONNECTION WITH THE USE OF THE PORTAL
2.1. In connection with the use of the Portal by the User, the Controller collects data to the extent necessary to provide the services offered, as well as information about the activity of the User on the Portal. Below are described the detailed rules and purposes of processing personal data collected during the use of the Portal by the User.
3. THE PURPOSES AND LEGAL BASIS OF DATA PROCESSING ON THE PORTAL
USE OF THE PORTAL
3.1. Personal data of all individuals using the Portal (including IP address or other identifiers and information collected through cookie files or other similar technologies) are processed by the Controller:
3.1.1. in order to provide electronic services in the scope of providing Users with access to the content stored on the Portal, providing contact forms – then the legal basis for processing is the necessity of processing in order to perform the agreement, if the inquiry refers to the possibility of concluding an agreement (Article 6(1)(b) of the GDPR) or on the basis of consent, if it concerns other topics (Article 6(1)(a) of the GDPR);
3.1.2. for analytical and statistical purposes – then the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in conducting analyses of Users' activities and their preferences in order to improve the functionalities and services provided;
3.1.3. in order to possibly establish and assert claims or defend against them – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in the protection of its rights;
3.1.4. for marketing purposes of the Controller – the principles of processing personal data for marketing purposes are described in the "MARKETING" section.
The User's activity on the Portal, including his or her personal data, is registered in system logs (a special computer program used to store chronological records containing information about events and activities concerning the IT system used to provide services by the Controller). Information collected in logs is processed in connection with the functioning of the Portal. The Controller also processes it for technical purposes; in particular, data may be temporarily stored and processed in order to ensure security and proper functioning of IT systems, e.g. in connection with making backups, tests of changes in IT systems, detection of irregularities or protection against abuses and attacks.
3.2. The Controller shall ensure the possibility of contacting it using electronic contact forms. Using the form requires the provision of personal data necessary to contact the User. The User may also provide other data in order to facilitate contact or handle the inquiry. Providing data marked as mandatory is required in order to accept and handle the inquiry, and failure to provide such data results in the inability to handle the inquiry. Providing other data is voluntary.
3.3. Personal data is processed:
3.3.1. in order to identify the sender and handle the sender’s inquiry sent by means of the form provided – the legal basis for processing is the necessity of processing in order to perform the contract for services (Article 6(1)(b) of the GDPR);
3.3.2. in order to identify the sender and handle the sender's inquiry sent via the form provided – the legal basis is the consent if the inquiry concerns a matter other than that related to the willingness to conclude a contract (Article 6(1)(a) of the GDPR);
3.3.3. for analytical and statistical purposes – then the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in keeping statistics of inquiries sent by Users via the Portal in order to improve its functionality.
4. MARKETING
4.1. The Controller processes personal data of the Users in order to carry out marketing activities, which may consist in:
4.1.1. displaying to the User marketing content corresponding to the User’s preferences (contextual advertising);
4.1.2. displaying to the User marketing content corresponding to the User's interests (behavioural advertising);
4.1.3. sending e-mail notifications about interesting offers or content, which in some cases contain commercial information;
4.2. In order to carry out marketing activities, the Controller uses profiling in some cases. This means that by automatic processing of data, the Controller evaluates selected factors relating to individuals in order to analyse their behaviour or to create a forecast for the future.
4.3. The Controller processes personal data of the Users for marketing purposes in connection with targeting contextual advertising to the Users (i.e. advertising that is not tailored to the preferences of the User). The processing of personal data then takes place in connection with the legitimate interest of the Controller (Article 6(1)(f) of the GDPR).
4.5. The legal basis for processing an e-mail address for sending information about current promotions, free check-ups or news is the consent, which may be withdrawn at any time.
5. SOCIAL NETWORKING SITES
5.1. The Controller processes personal data of the Users visiting the Controller's profiles in social media (Facebook, Instagram). This data is processed only in connection with the profile management, including the purpose of informing the Users about the activity of the Controller and promoting various types of events, services and products, as well as for the purpose of communication with the Users through the functionalities available in social media. The legal basis for processing personal data by the Controller for this purpose is the Controller's legitimate interest (Article 6(1)(f) of the GDPR) consisting in promoting its own brand and building and maintaining a community associated with the brand.
6. COOKIE FILES AND SIMILAR TECHNOLOGY
6.1. Cookie files are small text files installed on the device of the User browsing the Portal. Cookie files collect information that facilitates the use of the website, e.g. by remembering the User's visits to the Portal and the activities performed by the User.
6.2. The Controller uses the so-called service cookies primarily in order to provide the User with services rendered electronically and to improve the quality of these services. Therefore, the Controller and other entities providing analytical and statistical services to the Controller use cookie files, storing information or gaining access to information already maintained in the telecommunications terminal device of the User (computer, telephone, tablet, etc.). Cookie files used for this purpose include:
6.2.1. cookie files with data entered by the User (session identifier) for the duration of a session (user input cookies);
6.2.2. authentication cookie files used for services requiring authentication for the duration of a session;
6.2.3. cookie files used for providing security, e.g. used to detect authentication frauds (user centric security cookies);
6.2.4. session cookie files of multimedia players (e.g. flash player cookie files), for the duration of the session (multimedia player session cookies);
6.2.5. permanent cookie files used to personalize the interface of the User for the duration of a session or slightly longer (user interface customization cookies);
6.2.6. cookie files used to remember the contents of the shopping cart for the duration of a session (shopping cart cookies);
6.2.7. cookie files used to monitor website traffic, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyse the use of the Portal by the User, to generate statistics and reports on the functioning of the Portal). Google will not use this information to identify the User, nor combine this information to enable the identification of the User. Detailed information about the scope and rules of data collection in connection with this service can be found at the following link: https://www.google.com/intl/pl/policies/privacy/partners.
7. PERIOD OF DATA PROCESSING
7.1. The period of data processing by the Controller depends on the type of service provided and the purpose of processing. As a rule, the data is processed for the duration of the service provision, or until the consent granted is withdrawn or an effective objection to the data processing is raised in cases where the legal basis for the data processing is the legitimate interest of the Controller.
7.2. The period of data processing may be extended if the processing is necessary to establish and assert possible claims or defend against them, and after that time only in the case and to the extent required by provisions of law. After the expiry of the processing period, the data is irretrievably deleted or rendered anonymous.
8. USER RIGHTS
8.1. Data subjects shall have the following rights:
8.1.1. Right to information on the processing of personal data – on this basis, the Controller provides the person submitting such a request with information on the processing of personal data, including first of all the purposes and legal grounds for the processing, the scope of data held, entities to which personal data are disclosed and the planned date of their deletion;
8.1.2. Right to obtain a copy of the data – on this basis the Controller provides a copy of the processed data concerning the person making the request;
8.1.3. Right to rectify – on this basis, the Controller removes any inconsistencies or errors concerning the personal data processed, and supplements or updates it if it is incomplete or has changed;
8.1.4. Right to deletion of data – on this basis it is possible to demand deletion of data, the processing of which is no longer necessary for any of the purposes for which they were collected;
8.1.5. Right to limit the processing – on this basis the Controller ceases to carry out operations on personal data, with the exception of operations to which the data subject has consented and the storage of such data, in accordance with the adopted retention rules or until the reasons for limiting the processing of data have ceased to exist (e.g. a decision of the supervisory authority allowing further processing of data is issued);
8.1.6. Right to transfer data – on this basis, to the extent that the data is processed in connection with a concluded contract or consent granted, the Controller makes available the data provided by the data subject in a format that allows its reading by a computer. It is also possible to request that such data be sent to another entity, provided that it is technically possible for both the Controller and the other entity to do so;
8.1.7. Right to object to data processing for marketing purposes – the data subject may at any time object to the processing of personal data for marketing purposes, without the necessity to justify such objection;
8.1.8. Right to object to other purposes of data processing – the data subject may at any time object to the processing of personal data on the basis of the legitimate interest of the Controller (e.g. for analytical or statistical purposes or on grounds related to the protection of property). An objection in this respect should include a justification and is subject to the assessment of the Controller;
8.1.9. Right to withdraw consent – if the data is processed on the basis of consent, the data subject has the right to withdraw consent at any time, but this does not affect the lawfulness of the processing carried out before the withdrawal of consent;
8.1.10. Right of complaint – if the data subject considers that the processing of personal data violates the provisions of the GDPR or other regulations concerning personal data protection, the data subject may file a complaint with the President of the Personal Data Protection Office.
8.2. A request concerning the exercise of data subjects' rights may be submitted in writing to: pl. Szczepański 3, 31-011 Kraków, or by e-mail to: email@example.com
8.3. The request should, as far as possible, indicate precisely what the request is related to, i.e. in particular:
8.3.1. the right the requestor wishes to exercise (e.g. the right to receive a copy of the data, the right to delete the data, etc.);
8.3.2. what kind of processing the request concerns (e.g. use of a specific service, activity on a specific website, receiving a newsletter containing commercial information to a specific e-mail address, etc.);
8.3.3. what processing purposes the request concerns (e.g. marketing purposes, analytical purposes, etc.).
8.4. If the Controller is not able to determine the content of the request or identify the person submitting the request based on the request submitted, the Controller will request additional information from the requestor.
8.5. A response to the request will be provided within one month of the receipt of the request. If it is necessary to extend this deadline, the Controller will inform the requestor of the reasons for such an extension.
8.6. A reply will be provided to the e-mail address from which the request was submitted, and in the case of requests sent by mail, by ordinary mail to the address indicated by the requestor, unless the content of the letter indicates a wish to receive the reply to an e-mail address (in which case the e-mail address should be provided).
9. RECIPIENTS OF THE DATA
9.1. In connection with the provision of services, personal data will be disclosed to external entities, including in particular suppliers responsible for the maintenance of IT systems and entities related to the Controller.
9.2. The Controller reserves the right to disclose selected information concerning the User to the competent authorities or to third parties who submit a request for such information, based on an appropriate legal basis and in accordance with the provisions of applicable law.
10. TRANSFER OF DATA OUTSIDE EEA
10.1. The level of personal data protection outside the European Economic Area (EEA) differs from that afforded by European law. For this reason, the Controller will transfer personal data outside the EEA only when it is necessary and when an adequate level of protection is ensured, in particular by:
10.1.1. cooperation with processors of personal data in countries for which a relevant European Commission decision has been issued;
10.1.2. the use of standard contractual clauses issued by the European Commission;
10.1.3. applying binding corporate rules approved by a relevant supervisory authority;
10.1.4. in case of transfer of data to the USA, cooperation with entities participating in the Privacy Shield programme, approved by a decision of the European Commission.
10.2. The Controller will always give notice of its intention to transfer personal data outside the EEA at the stage of its collection.
11. SECURITY OF PERSONAL DATA
11.1. The Controller will conduct risk analysis on an ongoing basis in order to ensure that personal data is processed in a secure manner – ensuring, first of all, that only authorised persons have access to the data and only to the extent that is necessary due to the tasks they perform. The Controller ensures that all operations on personal data are recorded and carried out only by authorised employees and co-workers.
11.2. The Controller takes all necessary steps to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures in every case when they process personal data at the order of the Controller.
12. DATA PROTECTION OFFICER
12.1. Contact with the Controller in all matters relating to data processing is possible through the designated Data Protection Officer via e-mail address firstname.lastname@example.org or postal address pl. Szczepański 3, 31-011 Kraków.
13.1. The policy is reviewed on an ongoing basis and updated as necessary.