Policy for processing personal data

This document shall apply from 25 May 2018.

Policy for processing personal data at the Institute for Cellular Therapies


Pursuant to Article 13(1) and (2) and Article 14(1) and (2) of the Regulation (EU) No 14 of the European Parliament and of the Council of 1 April 2 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 2016/EC ("GDPR"), we inform you about the manner and purpose for which we process your personal data, as well as about your rights arising under the GDPR.

  1. Data controller and person responsible for processing the data
    The data controller of your personal data is Instytut Terapii Komórkowych Spółka Akcyjna with its registered office at Al. Warszawska 30, building No 7, 10-082 Olsztyn (hereinafter referred to as "ITK").
    ITK has appointed a person responsible for processing personal data, i.e. the Data Protection Officer who may be contacted in all matters concerning the processing of personal data and the exercise of rights relating to the data processing, at the following e-mail address: inspektor@itkmed.pl.
  2. Necessity of transfer of personal data
    The provision of data shall be voluntary but may be required for the implementation of the contract.
  3. Scope of personal data including special categories of data
    Pursuant to Article 25(1) of the Act of 6 November 2008 on Patients' Rights and the Patient Ombudsman the following data shall be provided as a minimum to keep medical records:
    a) full name,
    b) date of birth,
    c) sex,
    d) place of residence,
    e) PESEL (Polish Resident Identification Number), if assigned, and for persons who do not have this number - the type and number of the identity document,
    f) where the patient is a minor, totally incapacitated or incapacitated of giving informed consent, the name(s) and address of the legal representative,
    g) description of the patient's state of health or the health care provided.

    The consequence of not providing personal data shall be the inability to qualify for therapy and to carry out therapy by ITK.
  4. Purpose of processing your personal data and legal basis of processing
    We process your personal data in accordance with the provisions of the GDPR and the Polish Act on Personal Data Protection. The personal data shall be processed:
    - for the fulfilment of contractual obligations (Article 6(1)(b) of the GDPR) and for the provision of medical services (Article 9(2)(h) of the GDPR)
    The data are processed to perform ITK's activities under the contracts concluded with patients or to perform pre-contractual activities performed upon the patient's request. The data processing is necessary for the qualification for Therapy, Therapy and, if necessary, Hospitalisation, and for the contractual provision of the service.
    - to comply with legal obligations (Article 6(1)(c) of the GDPR) or perform tasks carried out in the public interest (Article 6(1)(e) of the GDPR)
    - As a medical entity, we are subject to a number of legal obligations, i.e. requirements resulting from e.g. the Act on Patients' Rights and the Patient Ombudsman for purposes resulting from legitimate interests pursued by ITK or a third party (Article 6(1)(f) of the GDPR).
    If necessary, we process your data to protect the legitimate interests of you or of any third parties. For example:
    - ensuring information security;
    - claiming and defending against claims.
  5. Personal Data Recipients
    Your personal data will not be made available to any unauthorised persons.
    The personal data may be made available to other recipients to perform a contract with you, to meet a legal obligation of ITK, based on your consent or for purposes arising from legitimate interests of the administrator or a third party.

    The recipients may be in particular: authorised employees of business information offices, payment institutions, and law firms providing services to ITK.

    In addition, the data may only be transferred to entities processing personal data on behalf of ITK and their authorised employees, provided that such entities shall process the data on the basis of a contract with ITK and only in accordance with instructions and on condition that confidentiality is kept.

    Pursuant to Article 26 of the Act of 6 November 2008 on Patients' Rights and the Patient Ombudsman - the healthcare provider shall make medical records available to the patient or his/her legal representative or to a person authorised by the patient. Medical records may also be made available, inter alia, to providers of health services, if such records are necessary to ensure continuity of health services, and where they are expressly provided for under the applicable laws and regulations.
  6. Duration of data retention
    The personal data will be processed for the period necessary for the purposes of the processing as referred to in section 2, id est:
    - with respect to the performance of the contract concluded with ITK - until its completion, and thereafter for the period required by law or for the execution of any potential claims;
    - with respect to the fulfilment of ITK's legal obligations in connection with the conduct of its business, the performance of its contracts and the provision of medical services until ITK has fulfilled its obligations;
    - until ITK’s legitimate interests that gave rise to the processing have been fulfilled or until you object to the processing unless there are legitimate grounds for further processing.
  7. Your rights in respect of processing of your personal data
    You have the right to:
    - require access to and rectification of your personal data, limit the processing of your personal data or delete your personal data;
    - object at any time to the processing of your personal data for reasons relating to your particular situation where ITK processes the data for purposes based on its legitimate interests (Article 21(1) of the GDPR);
    - request the transfer of the personal data. The transfer shall involve the receipt of your personal data from ITK in a structured, commonly used and machine-readable format and the transmission of such data to another controller. The right to transfer data shall not apply to data that constitute a business secret;
    - file a complaint with a supervisory authority, i.e. with the President of the Office for Personal Data Protection, if the processing of your personal data is found to violate the provisions of the GDPR.
  8. Source of your personal data
    ITK collects personal data directly from its patients.