Privacy policy - Medidesk

Privacy policy

Dear User,

We would like to inform you that your use of the service consisting of the websites www.medidesk.pl and www.medidesk.edu.pl (hereinafter referred to as the “Service“) requires the processing of your personal data. Accordingly, when you use certain services available on the Service, the Administrator will process your personal data to the extent necessary for the proper performance of the services you use. In some cases, the activity you undertake within the Service may also justify the processing of your data on the basis of the Administrator’s legitimate interest.

All personal data is processed by the Administrator in accordance with the provisions of generally applicable law, in particular the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Dz.U.UE.L.2016.119.1) (hereinafter: “RODO”) and the Act of 10 May 2018 on personal data protection (Dz.U.2019.1781).

We would like to clarify that the processing of your data is carried out solely for the purpose of fulfilling your purchases and to enable us to inform you about our offer and tailor it to your needs. We ask that you read the contents of this Privacy Policy to allow you to understand the data processing activities undertaken by the Administrator.

I Administrator.

(1) The Administrator of the personal data you provide to us when using the services available on the Website is Medidesk sp. z o.o. with its registered office in Warsaw, 17/2 Wladyslaw Niegolewskiego Street, 01-570 Warsaw, registered in the Register of Entrepreneurs of the National Court Register under KRS number 0000659580, NIP 7010659520 (hereinafter referred to as the “Administrator“).

(2) Your personal information is collected by the Administrator exclusively from you, in particular when you register a user account, make purchases on the Website, use the newsletter service, contact form, application form (CV), or use other functionalities of the Website, including through saved cookies.

(3) In the event that a User, when making a purchase of certain products on the Website, makes a payment using PayU payment, the administrator of personal data with regard to the payment process will be, respectively:
a) PayU – PayU S.A. based in Poznań, 186 Grunwaldzka Street, 60-166 Poznań, entered in the Register of Entrepreneurs of the National Court Register under KRS number 0000274399, NIP 7792308495.

(4) In the case of use by the User of links of external sites placed on the Website and also links, links and services of social networks made available within the scope of the Website, the Administrator together with the owner of the social network and the service provider of the external site shall act as joint administrators of the User’s data processed as a result of clicking on the link of the aforementioned links, links, services, etc.

(5) The Administrator:
(a) ensures transparency of data processing,
b) keeps personal data confidential and protects it from unauthorized access by third parties,
c) collects data only to the extent necessary for the purpose in question and processes them only for the period necessary for the purpose,
d) provides the opportunity to learn about the processing of data.

II What personal data are collected and processed by the Administrator?

(1) The scope of your data that is collected and processed by the Administrator depends primarily on the scope of services you use and the consents you have given for the processing of personal data.

(2) The use of the Service in the scope of viewing the information content provided – does not cause the Administrator to obtain the identification data of a natural person.

(3) If the User uses the service of the contact form, the Administrator will process the User’s data in terms of:

-identification data – name, surname, name of medical institution;

-address data -e-mail address, telephone;

(4) In order to make a purchase or registration, it is necessary to provide the following personal data:
– user/orderer data – name, surname, e-mail address, telephone number, address;
– recipient’s data – name, surname, address, telephone number (in case the recipient is a person other than the orderer);
– login and password, created by the user (only in case of registration).

(5) The following personal data of users of the Website are collected when using the services on the www.medidesk.edu.pl website:

– First name, last name;

– E-mail address;

– Phone number;

– Company name ;

– Name of the User.

(6) If the user makes a purchase in the framework of his/her business or professional activity, expressing the desire to obtain a VAT invoice, he/she is further obliged to specify the company and provide the Tax Identification Number.

(7) In order to use the Newsletter service, the user is obliged to indicate his e-mail address or telephone number to which the Newsletter will be directed.

(8) Depending on the Service user’s browser settings, the Administrator may process the user’s IP address or other identifier, information collected through cookies or other similar technologies.

(9) If the User clicks on a link to an external site posted on the Site or uses social networking links, the Administrator shall process and send to the service provider of the external site the information collected via cookies or other similar technologies.

(10) Within the Service, the Administrator uses cookies are IT data, which are text files intended for the use of the pages of the Service. First of all, they contain the name of the website of origin, its unique number, the time of storage on the end device.

III How long do we process your data?

(1) In cases where the obligation to process data arises from generally applicable laws (e.g. Accounting Act, Tax Ordinance), personal data will be processed for the period required by law.

(2) Personal data provided by you in the contact form will be processed for the period necessary to respond to the message sent via the form.

(3) Personal data provided by you in the recruitment form with your resume will be processed for the period necessary to complete the recruitment process.

(4) Personal data of a registered User will be processed for the duration of the account / contract period. However, after the expiration of the account / contract, the Administrator may process some of your personal data in connection with statutory obligations (e.g. accounting obligations) and the Administrator’s legitimate interests (e.g. securing claims).

(5) Subject to paragraphs 1-2, where the data are processed on the basis of consent – the data will be processed until the consent is withdrawn, restricted or the user takes other actions limiting such consent.

(6) Where the basis for data processing is the legitimate interest of the Administrator – data will be processed until the user raises an effective objection.

IV What is the purpose of processing your data?

The Administrator collects personal data in order to conclude and perform a contract for the sale of products, provision of services, within the service of the contact form for the purpose of responding and contacting you, and for other purposes specified by generally applicable law and the Administrator, in particular to:

1. for the purpose of performing contracts concluded by the Administrator with customers (legal basis of Article 6(1)(b) of the DPA);

2. for purposes arising from the legitimate interests pursued by the Administrator (legal basis of Article 6(1)(f) RODO):
1) for the purpose of providing services to customers,
2) for the purpose of marketing the Administrator’s services,
3) for analytical and statistical purposes, as well as for ICT security.

3. for the purpose of recruiting individuals interested in working or cooperating with the Administrator (legal basis, respectively, Article 6(1)(c), Article 6(1)(a) and Article 6(1)(f) of the DPA).

(4) The Administrator shall also process personal data to the extent necessary to fulfill the Administrator’s legal obligations (legal basis Article 6(1)(c) RODO),

(5) If you address correspondence to the Administrator that is not related to the services provided to the sender or pertains to another contract with the Administrator via traditional mail or e-mail, the personal data provided there will be processed for the purpose of responding to the letter received (legal basis Article 6(1)(f) RODO),

(6) If you use the newsletter, contact form, available on the website, personal data shall be processed for the purpose of determining the sender and responding to the questions asked (legal basis art. 6 (1) lit. a, b RODO),

7. when contacting the Administrator by telephone, on matters unrelated to the services provided by the Administrator, the Administrator may require personal data necessary to assist in the matter (legal basis Article 6(1)(f) RODO).

V To whom may we provide data?

(1) In accordance with applicable law, the Administrator may provide personal data to entities that process them on our behalf, e.g. subcontractors of our services, entities providing IT support, maintenance of the Service, marketing agencies and entities entitled to obtain data under applicable law, e.g. courts or law enforcement agencies – of course, only if they make a request based on an appropriate legal basis.

(2) Your personal data, as a rule, is not transferred to countries outside the European Union or international organizations, except when such access is provided under applicable law. In case of transfer of personal data to third countries (located outside the EU), the Administrator shall apply the regulations in paragraph VII.

(3) Your personal data may be subject to profiling, as well as any other form of automated decision-making, in which case the provisions of paragraph 12 shall apply.

(4) In the event of transfer of personal data to third countries (located outside the EU), by addressing an appropriate request to the Administrator, you may at any time obtain a copy of your personal data subject to transfer to a third country, if such transfer has occurred.

(5) The Administrator collects logs of the Service, however, does not associate them in any way with personal data. Based on the log files, statistics may be generated to assist in administration. Aggregate summaries in the form of such statistics do not contain any identifying characteristics of visitors to the Service.

VI Transfer of data to third parties.

(1) Personal data may be transferred to third-country contractors, in particular to the USA and the United Kingdom, based on contractual clauses obliging the Administrator and processors to ensure an adequate level of personal data security at least equivalent to the requirements of the RODO.

(2) The Administrator shall verify the entities referred to in paragraph 1 before entrusting them with personal data, including an assessment of whether the country to which the personal data is transferred allows for the exercise of the user’s rights and whether it provides adequate legal protection measures for personal data – in case of doubt, the Administrator shall verify whether it is possible to provide adequate protection with other additional measures.

(3) The Administrator, in order to ensure the highest standards of security, shall periodically inspect the processing of data by contractors and make recommendations to them, and shall be entitled to terminate cooperation if it is not possible to ensure adequate standards of personal data security.

(4) If the European Commission issues a legal act stating that a certain third country provides an adequate level of personal data protection, then the transfer of personal data to that country may be carried out on the basis of that legal act

(5) In the absence of contractual clauses or an act of the European Commission, the transfer of personal data may take place only if it is necessary for the performance of the concluded contract.

VII External links.

(1) The Website may contain links to websites, plug-ins and applications of external companies. When you visit external sites through links/applications/plug-ins on the Site, the operators of those sites may collect or share information about you.

(2) The use of information by companies administering external sites shall be in accordance with the privacy policy adopted by them, which may differ from the principles of this Privacy Policy.

(3) The Administrator of the Service does not control external sites, and therefore we recommend that you read the privacy policy terms published on the sites in question to obtain information on the principles of collection, use and disclosure of personal information adopted by the administrators of external sites.

(4) In addition, social media links Facebook, Instagram, Tweeter, Youtube, Linkedin are provided on the Site. The link to the social media website can be identified by the logo of the respective company. If you click on the link, you are redirected to a page equivalent to the Service on the social media site. Redirection to the page of the social media portal results in the establishment of a connection to its servers.

(5) In the cases specified in paragraph 1-4, information about a visit to the Site may be transmitted to the server of external sites and social media. In addition, further data may be sent to the social media provider and offered on the external site. These include, for example, the address of the site where the activated link is located, the date and time of your visit to the site or activation of the link, information regarding the browser used, operating system and IP address.

VIII What rights do you have in relation to your data?

(1) You have the right to request access, rectification, deletion or restriction of data processing. You may also withdraw your consent to the processing of personal data, object, and exercise other rights, including the right to:
1) to be fully informed whether the Administrator has a collection of your data, and to determine the administrator of this collection, the address of its headquarters and its full name,
2) to obtain a copy of your data,
3) obtain information on the purpose, scope and manner of processing of the data contained in such collection,
4) obtain information on when the data concerning you are processed in the collection, and the content of such data in a commonly understandable form,
5) obtain information about the source from which the data concerning you originated,
6) obtain information on how the data is made available, and in particular information on the recipients or categories of recipients to whom the data is made available,
7) demand that your personal data be supplemented, updated, rectified, temporarily or permanently suspended or deleted if they are incomplete, outdated, untrue or were collected in violation of the law or are no longer necessary for the purpose for which they were collected,
8) to request the cessation of data processing,
9) withdrawal of consent.

(2) The Administrator shall respond to the request within one month of receiving the request. If it is impossible to respond within the above period, the Administrator shall inform the person making the request about the extension of the deadline and the reasons for it.

(3) If the request was addressed to the Administrator by e-mail, the response will also be in the form of e-mail.

(4) The Administrator shall store information regarding the request for the purpose of establishing, asserting possible claims or defending against claims.

IX What are the legal grounds for processing personal data by the Administrator?

(1) Any processing of personal data must be based on a proper legal basis, in accordance with applicable laws. The legal basis for the processing of personal data for the sale of goods and provision of services is the necessity for the performance of contracts (in the case of the provision of services, these contracts are the regulations or similar documents available in the services you use).

(2) In turn, the legal basis for matching the content of the services to the interests of the users of the Website and the services provided by the Administrator, is to ensure their security and to measure/analyze and improve them, as well as the Administrator’s own marketing is the so-called legitimate interest of the personal data controller.

(3) The processing of data within the framework of activities undertaken by the User on the Website in the form of clicking on links of external websites and social networks also takes place on the basis of the legitimate interest of the Administrator.

(4) Data processing for marketing purposes, including profiling and for analytical purposes will be carried out on the basis of voluntary consent, which can be expressed by checking the consent box provided to the user.

5. giving this consent is voluntary and you may withdraw it at any time, except that withdrawal of consent will not affect the lawfulness of data processing before its withdrawal.

X Additional user rights.

(1) At any time, you have the right to object to data processing undertaken by the Administrator on the basis of the Administrator’s legitimate interest. In such a situation, the Administrator will be entitled to further data processing only if the existence of valid legitimate grounds for processing, overriding the interests, rights and freedoms of the user, is demonstrated.

(2) The User shall also have the right to lodge a complaint with the President of the Office for Personal Data Protection about the processing of his/her personal data undertaken by anyone.

XI Security

(1) The Administrator shall make every effort to ensure respect for privacy and protection of personal data provided by Users while using the Service, taking all necessary measures to that end.

(2) The Administrator shall maintain appropriate documentation on an ongoing basis and has implemented appropriate procedures related to the protection of personal data, and shall regularly conduct a risk analysis to ensure that personal data is processed by the Administrator in a secure manner.

(3) The Administrator shall ensure that only authorized persons and persons with whom the Administrator has entered into appropriate data entrustment or access agreements have access to the data.

(4) The Administrator shall take the necessary measures to ensure that entities cooperating with it provide a guarantee of the application of appropriate security measures whenever they process personal data on behalf of the Administrator.

(5) The Administrator has implemented data encryption in order to minimize the consequences of a possible data security breach.

(6) The User should take care of the confidentiality of the login and password created by him/her, not sharing them with third parties. The Administrator recommends that the User logs out after using the Service.

XII Profiling

(1) The User’s personal data may be processed in an automated manner, including through profiling, in order to tailor the content of the Site to the User’s personal preferences and interests. The Administrator, on the basis of information concerning the products selected by the User, promotions used by the User and materials viewed by the User on the Site, may, based on the User’s consent, present to the User in an automated manner a personalized offer concerning the products and services offered. Neither automated processing nor profiling will have any legal effect or materially affect the User.

(2) Data processing for marketing purposes, including profiling and for analytical purposes will be carried out on the basis of voluntary consent, which can be expressed by checking the consent box made available to the User.

(3) The consent referred to in paragraph 2 above is voluntary and you may withdraw it at any time, except that the withdrawal of consent will not affect the legality of data processing prior to its withdrawal.

XIII Data Protection Officer

The Administrator has appointed a Data Protection Officer to ensure compliance with the data protection principles collected and processed by the Administrator.
If you have questions about data processing, you can contact the appointed inspector by directing a message to the address given in paragraph 13.

XIII Contact

Medidesk limited liability company
Władysława Niegolewskiego 17/2 St,
01-570 Warsaw
e-mail: iod@medidesk.com