PRIVACY NOTICE - information regarding the processing of personal data by the Clinical Trials Center of the Jagiellonian Center of Innovation (Jagiellońskie Centrum Innowacji sp. z o.o.)

Acting pursuant to Article 13 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”), the Jagiellonian Center of Innovation hereby informs that:

  1. The controller of your personal data is Jagiellońskie Centrum Innowacji Sp. z o.o., the company with its registered office in Kraków (30-348), ul. Bobrzyńskiego 14, which is the owner of the Clinical Trials Center of the Jagiellonian Center of Innovation (hereafter: "JCI"), website: www.cbkjci.pl.

  1. JCI may process your personal data for the following purposes:
    1. HEALTH (where your consent is not required), namely:
      1. preventive health care, which includes e.g. processing related to the process of informing you about the possibility of providing the service to you (which includes sending invitations to screening tests, invitations to take vaccinations, providing educational materials, providing information about health-promoting events, providing patronage advice, performing patronage visits, check-ups and screening tests) and participating in preventive health programs – pursuant to Article 9(2)(h) of GDPR in conjunction with Article 3(2) of the Act on Medical Activities and Article 24 of the Act on Patients' Rights and Ombudsman for Patients' Rights;
      2. medical diagnostics and treatment, which includes e.g. processing related to the provision of health services (diagnostic and treatment), including keeping medical records - pursuant to Article 9(2)(h) of GDPR in conjunction with Article 3(1) of the Act on Medical Activities and Article 23 or 24 or 25 of the Act on Patients' Rights and the Ombudsman for Patients' Rights;
      3. the provision of healthcare and the management of healthcare systems and services, which includes e.g. your registration, ensuring high quality of services (including a survey of the level of your satisfaction), the implementation of agreements with payers (in particular the public payer), guaranteeing the continuity of healthcare, including in the process of coordination of services, which may include, for example:
        1. reminders of healthcare appointments, appointment confirmations, appointment cancellations;
        2. informing about organizational changes at the Jagiellonian Center of Innovation which may affect the provision of the expected service;
        3. post-service communication to assess your well-being or health status;
        4. collecting and archiving your statements of intent;
        5. verification of entitlements to healthcare services and billing for healthcare services provided;
        6. performing other activities auxiliary to the provision of health services as well as activities related to the maintenance of the ICT system;
        7. exchange of information about your health with other healthcare providers in order to ensure continuity of healthcare (pursuant to Article 26(3)(1) of the Act on Patients' Rights and the Ombudsman for Patients' Rights);
        8. the transfer of your data to registers operating based on the Healthcare Information System Act with regard to public registers maintained in accordance with the aforementioned Act;

pursuant to Article 9(2)(h) of GDPR in conjunction with Article 3(1) of the Act on Medical Activities and Article 24 of the Act on Patients' Rights and the Ombudsman for Patients' Rights;

  1. the provision of social security and the management of social security systems and services, which includes e.g. processing related to the process of issuing medical certificates and the performance of tasks by certifying physicians as defined in other acts of law - pursuant to Article 9(2)(h) of GDPR, usually in conjunction with Article 54 of the Act on Cash Benefits from Social Security in the Event of Sickness or Maternity or other relevant legal provisions regarding social insurance;

      b. OTHER THAN HEALTH (where your consent is not required):

  1. the performance of a medical services agreement concluded with you - pursuant to Article 6(1)(b) of GDPR;
  2. establishment, assertion or defense of claims (in the scope enabling the fulfilment of this purpose), which is a legitimate interest of the Jagiellonian Center of Innovation pursuant to Article 6(1)(f) or Article 9(2)(f) of GDPR (this also applies to the recording of calls on our hotline);
  3. keeping books of account and fulfilment of tax obligations: issuing bills/invoices for provided services - pursuant to Article 6(1)(c) of GDPR in conjunction with Article 74(2) of the Accounting Act;
  4. reporting and analytical purposes as well as to enable audits to be carried out by authorized entities, to the extent resulting from generally applicable legal provisions and contracts to which JCI is a party (e.g. in connection with the granting of support to JCI as an innovation center), pursuant to Article 6(1)(c) of GDPR in conjunction with Article 74(2) of the Accounting Act or (as JCI's legitimate interest) Article 6(1)(f) of GDPR or Article 9(2)(b), (g), (i) or (h) of GDPR;
  5. to ensure high quality standards and security of healthcare and medicinal products - pursuant to Article 6(1)(c) or (f) of GDPR or Article 9(2)(g), (h) or (i) of GDPR in conjunction with Articles 50 et seq. of Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use and repealing Directive 2001/20/EC;
  6. HEALTH (where your consent is required):
    1. in connection with the conduct of clinical trials or other scientific research (e.g. observational studies), where your consent will not be required for JCI to process data for the purposes of providing healthcare services to a Patient who is a participant in a clinical trial (e.g. treatment of adverse effects, ancillary treatment, etc.) - pursuant to Article 9(2)(a) of GDPR;
  7. OTHER THAN HEALTH (where your consent is required):
    1. the marketing of JCI services, sending a newsletter, exclusively in the scope of your consent - pursuant to Article 6(1)(a) of GDPR.
  1. Our Data Protection Officer can be contacted regarding all matters relating to the processing of your personal data via email at iodo@jci.pl.

  1. Your personal data will be processed by JCI for the period required by applicable law, until the expiry of the time limit for the retention of medical records, the archiving of documents or until the expiry of the statute of limitations for claims, in particular:
    1. data processed pursuant to Article 6(1)(a) or Article 9(1)(a) of GDPR - the period until you withdraw your consent;
    2. medical records - as per Article 29 of the Act on Patients' Rights and the Ombudsman for Patients' Rights, the retention period is 20 years from the end of the calendar year in which the last entry was made, subject to the exceptions indicated in this provision:
      1. in the case of a patient's death as a result of bodily injury or poisoning - a period of 30 years from the end of the calendar year in which the death occurred;
      2. the data necessary to trace blood and blood components - a period of 30 years from the end of the calendar year in which the last entry was made;
      3. X-rays stored outside your medical records - for a period of 10 years from the end of the calendar year in which the X-ray was taken;
      4. referrals for examination or doctor's orders - for a period of:
        1. 5 years counted from the end of the calendar year in which the health care service that was the subject of the doctor's referral or order was provided;
        2. 2 years counted from the end of the calendar year in which the referral was issued - in case the health care service was not provided due to your failure to attend a scheduled appointment unless you have taken the referral back;
      5. medical records of children up to the age of two - for a period of 22 years;

the medical records which are to be destroyed may be given to you, your legal representative or an authorized person;

  1. data processed pursuant to Article 6(1)(b) of GDPR - the period until the completion of all factual and legal actions necessary for the performance of the contract or the end of the statute of limitations of claims;
  2. data processed pursuant to Article 6(1)(c) of GDPR - the period necessary to fulfil these obligations, including data processed for accounting purposes and due to tax obligations - for a period of 5 years from the beginning of the year following the financial year to which the data refers;
  3. data processed pursuant to Article 6(1)(f) of GDPR - the period necessary for the fulfilment of JCI's legitimate interests which form the basis of such processing or until you raise a legitimate objection to such processing or for a period of 30 days (in relation to the recording of calls on our helpline). If the recorded telephone call constitutes evidence in proceedings before an authority, it will be archived and the retention period is prolonged until the conclusion of the proceedings.

  1. You have the right to withdraw your consent to the processing carried out on its basis at any time, either in the manner in which you gave your consent or via e-mail, provided that you are able to clearly identify the person making the request. The withdrawal of your consent will not affect the lawfulness of processing performed based on the consent prior to its withdrawal.

  1. The data subject has the right to:
    1. access their data and to receive a copy thereof (pursuant to Article 15 of GDPR);
    2. rectify their data (pursuant to Article 16 of GDPR);
    3. restrict data processing only in cases when the purpose of processing does not justify the scope of the processing (pursuant to Article 18 of GDPR);
    4. object to the processing of the data or to request the erasure of the data only if there is no purpose or basis for the processing of the data (pursuant to Article 21 of GDPR);
    5. data portability (pursuant to Article 20 of GDPR);

  1. You do not have the right to the erasure of data in the scope of data contained in your medical records, pursuant to Article 29(1) of the Act on Patients' Rights, in conjunction with Article 17(3) of GDPR.

  1. In accordance with Article 17(3)(e) of GDPR, you do not have the right to have your data erased in the scope necessary to establish, assert or defend your claims.

  1. You may exercise your right to withdraw your consent to the processing of your personal data at any time in relation to the processing based on your consent. The withdrawal of your consent does not affect the lawfulness of processing carried out on the basis of your consent before its withdrawal.

  1. You have the right to lodge a complaint to a supervisory authority in accordance with Article 77 of GDPR if you find that your personal data is not processed by JCI in accordance with GDPR.

  

  1. The provision of personal data is necessary in order for JCI to fulfil its obligations arising out of the performance of health services or the concluded contract for medical services and, in the case of participation in a clinical trial, for research purposes or for statistical purposes. If you fail to provide personal data, it will be impossible for JCI to fulfil the purposes mentioned above.

  1. JCI shares your personal data in accordance with Articles 26 and 27 of the Act on Patients' Rights and the Ombudsman for Patients' Rights of 6 November 2008.

  1. JCI informs you that the recipients of your personal data may be the following entities:
    1. entities authorized to provide healthcare services (e.g. medical staff, entities performing tests, entities which interpret test results) which provide these services in collaboration with JCI;
    2. entities authorized by you in connection with the exercise of your rights as a patient;
    3. service providers which provide appropriate technical and organizational solutions to JCI (e.g. IT service providers, transport service providers, servicing providers, courier or postal service providers);
    4. entities which provide legal services if there is a need to seek the satisfaction of due claims (including courts or enforcement bodies) or financial services (e.g. banks);
    5. entities authorized in accordance with generally applicable law (including administrative authorities);
    6. entities authorized to carry out inspections, supervision or audits, including Jagiellonian University bodies or certifying bodies, research bodies;
    7. entities which carry out scientific research;