Information Obligation - Attachment

Below you will find all necessary information on the processing of your personal data regarding health care provided by SPORT MEDICA.

Who is my personal data controller?

The controller of your personal data processed for the purpose of providing medical services is SPORT MEDICA S.A. with its registered seat in Warsaw (02-757) at ul. Pory 78 (hereinafter referred to as „SPORT MEDICA”).

Who can I contact regarding the processing of my personal data?

You can contact our Data Protection Officer regarding any issues concerning the processing of your personal data regarding health care services provided by SPORT MEDICA using the contact information provided below:

Katarzyna Pisarzewska

How are my personal data obtained?

Your membership in the SPORT MEDICA Medical Services is based on the agreement between SPORT MEDICA and the your employer. Your employer entrusts your personal data to SPORT MEDICA following the terms and conditions set up for the employees’ benefit system at your workplace. If you are employee’s close person, it is the employee who provides your personal data to the employer.

Are my data processed in any other way?

First of all, we need to receive information on you being covered by our health care services. For the purpose of providing you with the medical services we need your personal data as following: your name, surname, PESEL number, sex and date of birth (if you do not hold a PESEL number), the main city of healthcare, address, affinity (in case of a person who is registered by a family member/partner). You may also provide us with your e-mail address and phone number, however these data are not necessary to ensure you with health insurance coverage.

In the course of your benefiting from our health care services, we keep your medical records, where we store all important information regarding, in particular: information on your health state; information about your addictions or sexual preferences can aslo be found in the medical records. We collect such information if it is necessary for the purpose of diagnosis and further treatment.

That is the purpose for processing of my personal data?

We process your personal data as the healthcare entity and the purpose of this processing is to manage the systems and services of healthcare and provide you with medical services. The above should be understood as following:

Purpose of the processing

Legal basis of the processing

(full names of the legal acts can be found at the end of the Information Obligation form under „Definitions”)

Establishing your identity before providing of the service, in particular through registration for health care coverage, verification of the data during appointing visits remotely (e.g. via our helpline) as well as appointing visits in our own centres and cooperating centres within the territory of Poland, at reception desks or in a doctor’s office.

Article 6 (1)(c) and Article 9 (2)(h) of the GPDR in relation to Article 25 (1) of the Patients’ Rights Act and § 10 (1)(2) of Regulation of the Minister of Health.

As a healthcare entity we are obliged to maintain and store your medical records.

Article 9 (2)(h) of the GPDR in relation to Article 24 (1) of the Patient’s Rights Act and the Regulation of the Minister of Health.

We exercise your rights as our patient, e.g. we receive and archive your declarations in which you authorize other people to have access to your medical documentation and to inform them about your health status.

Article 6 (1)(c) of the GPDR in relation to Article 9 (3) and Art. 26 (1) of the Patient’s Rights Act and § 8 (1) of the Regulation of the Minister of Health.

We contact you at telephone number or email address which you provide us with, in order to, e.g. confirm reservation or cancellation of a medical consultation, remind you about such consultation, inform about necessity to prepare for the appointment for the treatment or inform you that your results are ready to collect them.

Article 6 (1)(b) and (f) of the GPDR, as the legitimate interest pursued by the Controller (managing the systems of the medical services SPORT MEDICA offers and arranging internal schedules)

Providing you with medical services that meet your needs and improving the quality of our service is a priority for SPORT MEDICA. Therefore, during the time you receive medical care from SPORT MEDICA, we may send you short surveys in order to receive your feedback. We would like to ensure you that the surveys you receive will not be onerous and will not violate your privacy right. You can contact us at any time with the information that you are not willing to participate in future surveys and we will block sending of the surveys in accordance with your request.

Article 6 (1)(b) and (f) of the GPDR, as the legitimate interest pursued by the Controller (improving the quality of our services to better fulfil the needs of our patients)

As the personal data controller which is an entrepreneur, we are entitled to enforce claims with regard to the business activity we conduct and by this to process your personal data for this purpose.

Article 6 (1)(b) and (f) of the GPDR, as the legitimate interest pursued by the Controller (enforcing our legal claims and protecting our legal rights)

As an entrepreneur we also maintain accounting books and we have tax obligations – we issue e.g. receipts for the performed services, what may involve the necessity of processing your personal data.

 Article 6 (1)(c) of the GPDR in relation to Article 74 (2) of the Accounting Act of 29 September 1994.

Are my data processed for any other purpose?

One of the ways we process your personal data is „profiling”. Profiling is a form of processing during which we evaluate your personal data and based on the analysis we predict your preferences regarding our services. We try to adjust our service and its quality to your needs. We would like to assure you, that during the profiling processes, we neither reach to your medical records, nor process your data in a fully automated form, without any human action. The one and only exception is when the automated decision is made in order to implement the binding Medical Services Agreement (e.g. ensuring you the proper service availability).

You have the right to object to being a subject of a fully automated decision and demand human involvement. In such situation, please contact us immediately (during our helpline, website or by visiting any of our own centres).

To whom are my personal data transferred?

As a healthcare entity we care about the confidentiality of your personal data. In order to secure the appropriate coordination of our services e.g. IT infrastructure, current matter regarding our activity as entrepreneurs and also for the purpose of assuring that you can exercise your rights, your personal data may be disclosed to the following categories of recipients:

1.    other healthcare entities, that cooperate with SPORT MEDICA for the purpose of continuity of care and further treatment, by which we understand our own centres and other centres that cooperate with SPORT MEDICA within the territory of Poland, 

2.    service providers that deliver various technical and organizational solutions, which can include: providing medical services, managing our business (in particular: suppliers of ITC services, suppliers of diagnostic equipment, couriers and postal services providers),

3.    legal and advisory service providers and other parties supporting SPORT MEDICA in asserting claims to which we are entitled (in particular: law offices, collection agencies),

4.    persons authorized by you within exercising your rights as a patient.

Are my personal data transferred outside of the European Union?

Due to the fact that we cooperate with different providers, e.g. regarding the diagnostic equipment, your personal data might be transferred outside of the European Union. We would like to ensure you that such a transfer will be documented in an appropriate agreement between SPORT MEDICA and the entity concerned, and that it will contain standard data protection clauses approved by the European Commission.

For what period will my personal data be processed?

If you are out patient and we maintain your medical records, we are obliged to store it for at least 20 years after the day the last entry to it was made. Subject to this period, we process your personal data for the limitation periods pursuant to the civil code regulations if the data has been processed by us in order to reinforce claims (e.g. debt collection proceedings). We keep all data processed for the purpose of accounting and taxes for the 5 years from the end of the calendar year during which the tax liability occurred.

After the above mentioned periods your personal data is erased or anonymised.

Am I obliged to provide my personal data?

Receiving medical services is fully voluntary, however as a medical entity we are obliged to keep the medical records in a way determined in the provisions of the law, including identification of the patient by using his/her personal data. Failure to provide the data may result in refusing to make an appointment or to provide health care. Also, for accounting or tax reasons we are under legal obligation to process your data. Not providing the data may e.g. make it impossible to issue an invoice or a personalized bill for you. It is voluntary to provide us with your telephone number or email address – not providing such data will not result in refusing to provide health care, however you will not receive a visit confirmation from us nor you will be able to cancel a visit via e.g. SMS.

What rights do I have?

As your personal data controller we provide you with the right to access your personal data, you may also recificate it, request its erasure or restriction of processing. You are also entitled to object to the processing of your personal data by SPORT MEDICA. You have the right to transmit your personal data to another controller. If you would like to execute any of these rights – please contact us by our helpline, website or simply by visiting any of our centres.

We kindly inform you that you have a right to lodge a complain to the supervisory authority.


GDPR –  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Act on patient’s rights – Act of 6 November 2008 on patients’ rights and the Commissioner for Patients’ Rights;

MH Regulation – Regulation of the Minister of Health of 9 November 2015 on the types, scope and forms of the medical documentation and methods of its processing.