Homepage " Privacy policy

Privacy policy

Data of the Personal Data Administrator

  1. We kindly inform you that the controller of your personal data is the company Institute for Patient Rights and Health Education, ul. Piękna 64A lok. 8, 00-672 Warsaw, hereinafter referred to as "ADO". Contact with the ADO regarding personal data protection is possible at the following e-mail address: kontakt@prawapacjenta.eu.

Purposes and grounds for processing personal data

  1. In order to provide services in accordance with its business profile, the ADO processes the personal data of visitors to this website for various purposes, but always in accordance with the law. Please find below the specific purposes of the processing of personal data, together with the legal basis.
  2. In order to handle enquiries, consultations, telephone contact with clients and persons interested in the company's services, we process personal data such as name, surname, telephone number, e-mail address, gender, order number, date of registration. The legal basis for such data processing is Article 6(1)(a) and (b) of the RODO, which allows us to process personal data if it is necessary for the performance of a contract or to take steps to conclude a contract, e.g. to handle an enquiry from a contact form, and on the basis of voluntary consent, which in this case is given by completing and submitting the contact form on the website;
  3. For analytical purposes, i.e. researching and analysing activity on the website belonging to ASO, we process such personal data as: date and time of website visit, type and version of operating system, approximate location, screen resolution, number of colours supported by the screen, type and version of internet browser, time spent on the website, sub-pages visited, sub-page where contact form was filled in. The legal basis for such data processing is Article 6(1)(f) of the RODO, which allows personal data to be processed if, by doing so, the Personal Data Controller is pursuing its legitimate interest (in this case, the interest is to learn about customer activity on the website);
  4. In order to use cookies and local storage on the website, we process such textual information (cookies will be described in a separate section). The legal basis for such processing is Article 6(1)(a) of the RODO, which allows us to process personal data on the basis of freely given consent (when you first access the website, you are asked whether you consent to the use of cookies);
  5. For the purpose of administering the website, we process personal data such as IP address, port number, server date and time, browser information, operating system information. This data is saved automatically in so-called server logs every time the website belonging to the ADO is used. Administration of the website without the use of the server and without this automatic recording would not be possible. The legal basis for such data processing is Article 6(1)(f) of the RODO, which allows personal data to be processed if, by doing so, the Personal Data Controller pursues its legitimate interest (in this case, the Company's interest is the administration of the website);


  1. ADO uses so-called "cookies" on its website, as do other entities, which are short text information stored on your computer, phone, tablet or other device. They can be read by our system, as well as by systems belonging to other entities whose services we use (e.g. Google and Facebook).
  2. Cookies perform a great many functions on the website, most often useful ones, which we will try to describe below (if the information is insufficient, please contact us):
    • providing security - cookies are used to authenticate users and prevent unauthorised use of the customer panel. They therefore serve to protect the user's personal data from unauthorised access;
    • impact on the processes and performance of the website - cookies are used for the smooth functioning of the website and to enable you to use the functions available on the website, which is made possible, among other things, by remembering your settings between visits to the website. Cookies are therefore used to ensure that the website and its sub-sites can be navigated efficiently;
    • session status - cookies often store information about how visitors use the website, e.g. which pages they view most often. They also make it possible to identify errors displayed on certain sub-pages. Cookies for storing the so-called "session state" therefore help to improve services and enhance the browsing experience;
    • maintaining session status - if the customer logs in to his/her panel, cookies make it possible to maintain the session. This means that you do not have to re-enter your login and password each time you move to another sub-page, which promotes the comfort of the website;
    • creation of statistics - cookies are used to analyse how users use the website (how many open the website, how long they stay on it, which content is of most interest, etc.). This allows the website to be continuously improved and adapted to users' preferences. We use Google's tools, such as Google Analytics, to track activity and produce statistics; in addition to reporting website usage statistics, the Google Analytics pixel can also be used, together with some of the cookies described above, to help display more relevant content to you on Google's services (e.g. Google Search) and across the web;
    • use of social features - we have a so-called Facebook pixel on the website, which allows you to like our Facebook fanpage when using the website. However, for this to be possible, we need to use cookies provided by Facebook.
  3. By default, your web browser allows the use of cookies on your device, so please give your consent to the use of cookies on your first visit. However, if you do not wish to use cookies when browsing the website, you can change the settings in your internet browser - block the automatic handling of cookies completely or request to be notified whenever cookies are placed on your device. You can change your settings at any time.
  4. While we respect the autonomy of all those using the website, we feel obliged to warn you that disabling or restricting cookies may cause difficulties in using the website, e.g. in the form of having to log in to every subpage, longer loading times, restrictions on the use of functionalities, restrictions on liking the Facebook page, etc.

Right of withdrawal of consent

  1. Where the processing of personal data is based on consent, this consent can be withdrawn at any time.
  2. To withdraw your consent to the processing of your personal data, send an e-mail with the relevant information on the subject directly to the ADO by writing to: kontakt@prawapacjenta.eu.
  3. If the processing of personal data was carried out on the basis of consent, revocation of consent does not make the processing of personal data up to that point unlawful. In other words, until consent is withdrawn, we are entitled to process personal data and revoking consent does not affect the lawfulness of previous processing.

Requirement to provide personal data

  1. The provision of any personal data is voluntary and depends on the individual decision. However, in some cases, the provision of certain personal data is necessary in order to fulfil the expectations for the use of the services.
  2. In order to be contacted by telephone on matters relating to the provision of a service or the handling of an enquiry from the contact form, it is necessary to provide a telephone number - without this we are unable to make telephone contact.

Automated decision-making and profiling

  1. We do not carry out automated decision-making, including on the basis of profiling. The content of an enquiry that is submitted via a contact form is not evaluated by an IT system. Information systems do not make any assessments based on data extracted from our website.

Recipients of personal data

  1. Like most businesses, we use the assistance of other parties in our activities, which sometimes involves the transfer of personal data. Accordingly, when necessary, we pass on personal data to our cooperating lawyers who perform services, to payment processing companies, to an accounting company, to a hosting company, to a company responsible for sending SMS messages, and to an insurance company (should there be a need to repair a claim).
  2. In addition to this, it may happen that, for example, on the basis of a relevant legal provision or a decision of a competent authority, we may also have to provide personal data to other entities, whether public or private. It is therefore extremely difficult for us to predict who may come forward with a request for personal data. Nevertheless, for our part, we assure you that we analyse every request for personal data very carefully and thoroughly in order not to pass on the information to an unauthorised person.

Transfer of personal data to third countries

  1. Like most businesses, we use a variety of popular services and technologies, offered by entities such as Facebook, Microsoft, Google, Cloudflare or Zendesk. These companies are based outside the European Union and are therefore treated as third countries under the provisions of the RODO.
  2. The RODO introduces certain restrictions on the transfer of personal data to third countries because, since European rules do not, in principle, apply there, the protection of personal data of EU citizens may be insufficient. Therefore, each controller of personal data is required to establish a legal basis for such transfers.
  3. For our part, we assure you that when using our services and technologies, we only transfer personal data to entities in the United States and only to those that have joined the Privacy Shield programme, based on the European Commission's implementing decision of 12 July 2016. - You can read more about this at the European Commission website. Entities that have joined the programme Privacy Shield, guarantee that they will comply with the high standards of personal data protection that apply in the European Union, and therefore the use of their services and the technologies offered in the processing of personal data is lawful.
  4. We will provide further clarification on the transfer of personal data at any time, particularly if the issue is of concern.
  5. You have the right to obtain a copy of the personal data transferred to a third country at any time.

Period of processing of personal data

  1. In accordance with current legislation, we do not process personal data "indefinitely", but for the period of time that is necessary to achieve the designated purpose. After this period, personal data will be irreversibly deleted or destroyed.
  2. When we do not need to perform operations on personal data other than storing them (e.g. when we store the contents of an order for the purpose of defence against claims), we additionally secure them - by pseudonymisation - until permanent deletion or destruction. Pseudonymisation involves encrypting personal data, or a set of personal data, in such a way that it cannot be read without an additional key, so that such information becomes completely useless to an unauthorised person.
  3. Regarding the specific processing periods for personal data, we kindly inform you that we process personal data for a period of time:
    • the duration of the contract - in relation to personal data processed for the conclusion and performance of the contract;
    • 3 years or 10 years + 1 year - for personal data processed for the purpose of establishing, pursuing or defending claims (the length of the period depends on whether or not both parties are businesses);
    • 6 months - with regard to personal data that was collected when the service was priced and at the same time the contract was not concluded immediately;
    • 5 years - for personal data involving compliance with tax law obligations;
    • until the consent is withdrawn or the purpose of the processing is achieved, but for no longer than 5 years - for personal data processed on the basis of consent;
    • until an effective objection is lodged or the purpose of the processing is achieved, but for no longer than 5 years - in relation to personal data processed on the basis of the legitimate interest of the Personal Data Controller or for marketing purposes;
    • until it becomes obsolete or is no longer relevant, but for a maximum of 3 years, with regard to personal data processed mainly for analytical purposes, the use of cookies and website administration.
  4. We count the periods in years from the end of the year in which we started processing personal data in order to streamline the process of deletion or destruction of personal data. Counting the period separately for each concluded contract would involve significant organisational and technical difficulties, as well as a significant financial outlay, so establishing a single date for the deletion or destruction of personal data allows us to manage the process more efficiently. Of course, where the right to be forgotten is exercised, such situations are dealt with on a case-by-case basis.
  5. The additional year associated with the processing of personal data collected for the performance of a contract is dictated by the fact that, hypothetically, you may make a claim moments before the expiry of the limitation period, the demand may be served with a material delay or you may misstate the limitation period for your claim.

Entitlements of data subjects

  1. We kindly inform you that you have the right to:
    • access to their personal data;
    • rectification of personal data;
    • deletion of personal data;
    • restrictions on the processing of personal data;
    • object to the processing of personal data;
    • portability of personal data.
  2. We respect your rights under data protection legislation and strive to facilitate the exercise of these rights to the greatest extent possible.
  3. We point out that the powers listed are not absolute and therefore we may lawfully refuse to comply with them in certain situations. However, if we refuse to comply with a request, we do so only after careful consideration and only if refusal of the request is necessary.
  4. Regarding the right to object, we explain that you have the right to object at any time to the processing of your personal data on the basis of the legitimate interest of the Personal Data Controller in relation to your particular situation. Please note, however, that according to the legislation, we may refuse to take the objection into account if we show that:
    • there are legitimate grounds for the processing which override your interests, rights and freedoms,
    • there are grounds for the establishment, assertion or defence of claims.
  5. Furthermore, you may object at any time to the processing of your personal data for marketing purposes. In such a situation, upon receipt of your objection, we will cease processing for this purpose.
  6. You can exercise your rights by sending an email directly to ADO at kontakt@prawapacjenta.eu.

Right of action

  1. If you believe that your personal data is being processed in violation of applicable law, you may lodge a complaint with the President of the Data Protection Authority.

Final provisions

  1. To the extent not covered by this Privacy Policy, the data protection regulations apply.
  2. You will be notified by email of any changes made to this Privacy Policy.
  3. This Privacy Policy is effective as of 25 May 2018.