Based mainly on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as GDPR, the General Data Protection Regulation), the Controller shall take all the necessary measures to protect personal data processing.
Personal data means any information relating to an identified or identifiable natural person as data subjects. The identified person means a natural person who can be identified directly or indirectly, particularly on the basis of the identifiers such as name and surname, identification number, location data, internet identifier or one or more specific factors which determine physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
Medical University of Lodz, 90-419 Lodz, Al. Kościuszki 4, is the personal data Controller, hereinafter referred to as the Controller. The Controller has designated the Data Protection Officer (DPO), who supervises the correctness of data processing. The DPO can be contacted by sending an e-mail to: [email protected]
The Controller shall process personal data taking all the safety measures compliant with Polish Law, GDPR in particular.
The Controller shall obtain the information on data subjects and their behaviour in the following ways:
through the information entered voluntarily in the forms,
through cookies files saved in end-devices (so-called “cookies”).
The Service collects the information provided voluntarily by the user.
The Controller shall process the data lawfully, fairly and in a transparent manner in relation to the data subject. The processing of personal data by the Controller in a lawful manner means that the Controller processes personal data only if there is a clear legal basis for it resulting directly from GDPR or other EU or national generally applicable provisions of law.
The Controller shall collect data for specified, explicit and legitimate purposes and shall not further process the data in a manner that is incompatible with those purposes. In the event of having no purpose for data processing, the Controller shall delete the data without delay unless the right to further processing results from generally applicable provisions of law. The Controller makes periodical assessment of the legitimacy of processing specific personal data, taking into account the current purposes for their processing.
The Controller shall process the data which shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The Controller shall constantly strive for personal data processing minimisation. For this purpose, the Controller shall periodically assess the scope and types of personal data processed in order to specify the necessity of their processing or the option of their permanent deletion.
The Controller shall make sure that the personal data he/she processes are accurate and, where necessary and possible, kept up to date.
The Controller shall keep the data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, taking into account relevant provisions of law which enable the Controller to process personal data for a specified period of time, which particularly refers to the period of storing medical records, personal files, asserting rights and the period of limitation of claims. When the personal data storage period expires, the Controller, as a rule, shall permanently delete the personal data forthwith, unless separate provisions of law impose on the Controller the obligation to archive documentation that contains personal data.
The Controller shall process personal data for the purpose of responding to the messages received via the Service on the basis of a voluntary consent of the Service user (Art. 6 item 1 a GDPR) and for the purpose of analytical analyses consisting in particular in the study and analysis of traffic on the specified website and collection of statistical data.
Personal data of the users shall be stored by the Controller until he/she receives a reply to a message, or the consent is withdrawn, whichever happens first.
The Controller shall not process the data in an automated manner and shall not use the data for profiling.
The Controller shall not transfer personal data outside the European Economic Area (including European Union, Norway, Liechtenstein and Iceland).
Each data subject has the following rights:
to access the data: to obtain from the Controller the confirmation whether or not their data are being processed. If a person’s data are processed, they have the right to access their personal data and to obtain the following information: the purpose of processing, the categories of personal data concerned, the recipients or categories of recipient to whom the personal data have been or will be disclosed, the period for which the personal data will be stored and the criteria used to determine that period, to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject and to express an objection against their data processing (Art. 15 GDPR);
to obtain a copy of the personal data, where the first copy is free of charge and for any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs (Art. 15 (3) GDPR);
to rectify the data: the data subject shall have the right to request the rectification of inaccurate personal data concerning him or her or to have incomplete personal data completed (Art.16 GDPR);
to erasure of personal data when the Controller has no more legal grounds for their processing, or the personal data are no longer necessary in relation to the purposes for processing (Art.17 GDPR);
to restriction of processing: the data subject can request the restriction of their personal data processing (Art.18 GDPR) when:
the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data,
the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims,
the data subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the data subject;
to data portability: to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller if the data are processed pursuant to the data subject consent or a contract the data subject entered, and the processing is carried out by automated means (Art. 20 GDPR);
to object: the data subject shall have the right to object to their personal data processing on legitimate grounds for the processing, on grounds relating to his or her particular situation, including profiling. The Controller shall demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. If the interests of the Controller are shown to be overridden by the interests of the data subject, the Controller shall no longer process the personal data for these purposes (Art.21 GDPR);
to withdraw the consent at any time without giving reasons for the withdrawal, without affecting the lawfulness of processing based on consent before its withdrawal. The withdrawal of the consent means that the Controller shall stop the data processing for the purpose for which the consent was given; this concerns only the cases when the consent provided legal grounds for processing.
Providing personal data is entirely voluntary.
The data subject has the right to lodge a complaint with a supervisory authority i.e., the President of the Personal Data Protection Office, with a registered seat in Warsaw. Complaints can be submitted in the following manners:
written complaint sent to: Stawki 2, 00-193 Warszawa,
electronically: via ePUAP platform.
TYPES OF COOKIES FILES
Two types of cookies files are used:
SESSION i.e., temporary files which remain on the user’s device until logging out of the website or turning off the software (web browser).
PERMANENT i.e., the files remain on the user’s device for the time specified in the parameters of cookies or until they are manually deleted by the user.
COOKIES FILES AND PERSONAL DATA
Personal data collected using cookies can be collected exclusively for the purpose of performing specific functions for the user. Such data are encrypted in the way which prevents access by unauthorised persons.
The software used for browsing websites typically allows cookies to be placed on the end device by default. The settings can be changed in such a way as to block automatic handling of cookies in the web browser settings or to inform about each transfer to the user’s device. Detailed information on the possibilities and ways of cookies handling is available in the software (web browser) settings.
At the top of Chrome browser window, click ‘Chrome menu’ i.e., the icon with three lines on the browser toolbar.
Click ‘Show advanced settings’.
In ‘Privacy’ section click ‘Content Settings’ button.
In ‘Cookies’ section click ‘All cookies and Site Data’ to open ‘Cookies and Other Data’ dialog.
Depending on your decision, select ‘Allow local data storage’, ‘Block attempts to put data from websites on my computer’, ‘Ignore exceptions and block the creation of third-party cookies’ or ‘Delete’.
At the top of Firefox window press ‘Firefox’ button (in XP click the ‘Tools’ menu) and select ‘Options’.
In ‘Privacy’ tab select ‘use the user’s history settings’.
Depending on your decision click ‘Accept cookies’.
At the top of the browser window select ‘Tools’ then click ‘Internet options’.
On ‘Privacy’ tab in ‘Advanced’ tab select your mode of cookies handling.
At the top of the browser window go to ‘Settings’, then ‘Preferences’ and select ‘Advanced’ option.
Select ‘Cookies’ section.
Depending on your decision click ‘Accept cookies’, ‘Accept cookies only from sites I visit’, ‘Delete new cookies when closing Opera’, ‘Manage cookies’.