Privacy Policy

Information about personal data processing

Last updated: December 14, 2025 (previous revision: November 12, 2025)

Introduction

This Privacy Policy sets out the rules for processing and protecting personal data provided by Users in connection with their use of services offered by StacjaMowa — Speech and Function Therapy Center.

Data Controller

The data controller is StacjaMowa — Speech and Function Therapy Center, operated by Edyta Bykowska (formerly Maciukanis), located at ul. Tytusa Chałubińskiego 1A, 80-807 Gdańsk, Poland, NIP: 844-21-85-176.

Contact Information

For matters related to personal data protection, you can contact the Controller at: kontakt@stacjamowa.pl or by phone: +48 737 394 377.

Legal Basis for Data Processing

Personal data is processed on the following legal bases:

  • Provision of Medical Services (Art. 9 para. 2 lit. h GDPR) - patient medical data processed for the purpose of providing healthcare services, medical diagnosis and treatment
  • Performance of Medical Services Contract (Art. 6 para. 1 lit. b GDPR) - patient data necessary for scheduling appointments and providing healthcare services
  • Legal Obligations (Art. 6 para. 1 lit. c GDPR) - processing to fulfill obligations under the Medical Activity Act, Patient Rights Act, VAT and accounting regulations
  • Patient Consent (Art. 6 para. 1 lit. a GDPR) - for processing data for purposes other than those required for medical services (e.g., marketing, newsletter), explicit, voluntary and unambiguous consent is required
  • Legitimate Interest (Art. 6 para. 1 lit. f GDPR) - in some cases (e.g., data security, fraud prevention), processing is based on the Controller's legitimate interest

Types of Data Processed

We process the following categories of personal data:

  • Identification data: first name and surname, date of birth, gender, PESEL (Polish national identification number), if available
  • Contact data: phone number, email address, residential address, apartment/house number
  • Data of patients under 18 years of age: child's first name and surname, child's date of birth, age, information about legal guardian, educational data (school name, class) - if necessary for therapy
  • Medical and health data (sensitive data): medical history, diagnosis, medical recommendations, visit notes, diagnostic test results, information about allergies and sensitivities, information about medications taken, medical documentation, specialist opinions, information about hospitalizations, history of procedures and surgeries
  • Technical data: IP address, web browser information, device type, access time and date, pages visited, cookies
  • Financial data: payment method information, transaction history, VAT invoice information, bank data (if provided by patient)
  • Contextual data: information from contact forms, content of email or SMS messages, information about contact with the office

Purposes of Data Processing

Personal data is processed for the following purposes:

  • Provision of Medical and Therapeutic Services: scheduling and conducting therapy appointments, conducting diagnostics, providing healthcare services, monitoring patient progress, consultations with patient, issuing specialist opinions
  • Maintaining Medical Records: maintaining documentation in accordance with Medical Activity Act requirements, storing patient medical history, managing access to documentation
  • Communication with Patient: sending appointment confirmation, reminders about scheduled appointments (SMS, email), responding to patient inquiries, information about changes in Center schedule, providing information regarding treatment
  • Fulfillment of Legal and Tax Obligations: maintaining accounting records, issuing VAT invoices, filing tax returns, settling with Tax Office, documenting healthcare services
  • Security and Protection: verifying patient identity, fraud prevention, protection against unauthorized access, logging access to systems
  • Analytics and Service Improvement: analyzing anonymous website usage statistics, improving website functionality and services, studying patient satisfaction (based on consent), developing new services
  • Marketing (Only with Express Consent): sending newsletter, information about new services, promotions and special offers - sent only to patients who have given separate, written consent
  • Cooperation with Other Specialists: sharing medical documentation with cooperating specialists, ensuring continuity of treatment, consultations with other doctors/therapists - only based on patient consent

Data Retention Period

Personal data is stored for the following periods:

  • Medical Documentation: stored for at least 20 years from the last visit - in accordance with the Medical Activity Act
  • Patient Data Scheduled for Appointment (Reservation): stored for the duration of therapy and at least 3 years after its completion (due to tax and medical requirements)
  • Financial Data and Invoices: stored for 6 years from the end of the accounting year, in accordance with tax law requirements
  • Emails and Correspondence: stored for 5 years from the last correspondence or until deletion upon patient request
  • Technical Data (Logs, IP): stored for 3-12 months, depending on log type and security requirements
  • Cookies: stored according to user browser settings and cookie policy
  • Data for Marketing Purposes (Newsletter): stored until patient opts out of receiving marketing communications
  • Sensitive Data of Patients Under 18 Years of Age: medical documentation at least until patient's 25th birthday, in accordance with minor protection requirements and sensitive data protection regulations

User Rights

In accordance with GDPR, each patient has the following rights:

  • Right of Access (Art. 15 GDPR): right to obtain information whether personal data is being processed, right to receive a copy of one's data, right to know about processing purposes and legal bases, right to information about data recipients. Implementation period: 30 days from request date
  • Right to Rectification (Art. 16 GDPR): right to correct inaccurate data, right to complete incomplete data, right to request removal of errors from documentation. Implementation period: 30 days
  • Right to Erasure (Art. 17 GDPR) - 'Right to Be Forgotten': right to request data deletion in specific cases. Limitations: data necessary for providing medical services, data required by law (e.g., taxes, medical documentation). Implementation period: 30 days
  • Right to Restriction of Processing (Art. 18 GDPR): right to request temporary restriction of data processing in specific cases. Effect of restriction: data may only be stored, unless the patient consents to further processing or processing is needed to establish, exercise or defend legal claims
  • Right to Data Portability (Art. 20 GDPR): right to obtain one's data in a structured, commonly used format (e.g., CSV, PDF), right to transfer this data to another controller. Limitations: applies only to data actively provided by patient
  • Right to Object (Art. 21 GDPR): right to object to data processing in cases of processing based on legitimate interest, profiling or direct marketing
  • Right to Withdraw Consent (Art. 7 para. 3 GDPR): right to withdraw consent for personal data processing at any time. Withdrawal of consent is as easy as giving it. Limitations: withdrawal does not affect the lawfulness of processing carried out before withdrawal, and does not apply to processing that rests on another legal basis (e.g., a legal obligation)
  • Right to Information about Data Breach: right to be informed without undue delay of a personal data breach that is likely to result in a high risk to the patient's rights and freedoms (Art. 34 GDPR). Separately, the Controller notifies the supervisory authority within 72 hours of becoming aware of a breach (Art. 33 GDPR)
  • Right to Non-Discrimination: patient cannot be discriminated against for exercising their rights under GDPR

Right to Lodge a Complaint

Users have the right to lodge a complaint with the supervisory authority responsible for personal data protection if they believe that the processing of their personal data violates GDPR provisions. Users may also bring legal proceedings to protect their rights under GDPR.

Data Security

The Center applies the following security measures:

  • Technical Measures: TLS encryption (all communications with the website and between systems are encrypted in transit), secure passwords (access data protected with strong passwords), firewalls (systems secured against unauthorized access), backups (regular creation of data backups), antivirus and security tools (kept regularly updated), access restriction (access to medical data limited to authorized employees)
  • Organizational Measures: employee training (all persons with access to data are trained in data protection and confidentiality), confidentiality agreements (all employees sign professional secrecy agreements), access policy (defined procedures for granting and reviewing data access), security audits (regular security checks of systems), incident procedures (established procedures in case of a data breach), time-limited access (access rights are granted for a limited period and withdrawn when no longer needed)
  • Sensitive Data Protection: medical data stored in separate, secured locations, access to medical data requires authentication, access logs to medical data are monitored, medical documentation is not stored in the cloud unless encrypted

Data Recipient Categories

Patient personal data may be transferred to the following recipient categories:

  • Center Employees: speech therapists, therapists, administrative staff, reception - employees have access to data to the extent necessary to perform their duties
  • Cooperating Medical Specialists: doctors (pediatricians, neurologists, laryngologists), orthodontists, dentists, other therapists - only based on expressed patient consent
  • Supporting Service Providers: cloud service providers, hosting service providers, patient management system providers, IT security entities - all bound by data processing agreements
  • Public Institutions: Tax Office (in scope of tax obligations), Provincial Sanitary Inspector (in scope of supervision), Courts (in case of court proceedings) - only to the extent required by law
  • Civil Liability Insurer: in case of insurance claims - only to the extent necessary to process the claim
  • Entities to Which Patient Granted Consent: based on patient's written authorization, according to scope specified in authorization

All entities to which data is transferred are obligated to protect the data and maintain its confidentiality.