GDPR Information Obligation
The Data Protection Officer at Uzdrowisko Busko-Zdrój S.A. is Mr. Tomasz Paprocki, email: iod@ubz.pl
Who is the controller of my personal data?
The controller of your personal data processed for the purpose of providing healthcare services is “Uzdrowisko Busko-Zdrój” Spółka Akcyjna, headquartered in Busko-Zdrój at Rzewuskiego 1.
Who can I contact regarding the processing of my personal data?
For all matters concerning the processing of your personal data by “Uzdrowisko Busko-Zdrój” S.A., you can contact our Data Protection Officer at: iod@ubz.pl
or by post:
Data Protection Officer
“Uzdrowisko Busko-Zdrój” S.A.
Rzewuskiego 1, 28-100 Busko-Zdrój
What personal data are processed by “Uzdrowisko Busko-Zdrój” S.A.?
First, we need to register you for the provision of healthcare services.
To do this, we need the following data:
- first name and last name
- PESEL number
- sex
- date of birth (if no PESEL number is available)
- residential address
- first and last name, and contact details of the person authorised to receive information about your health status
These data are essential for the provision of healthcare services.
We also kindly request your phone number to facilitate contact when necessary.
While providing care, we create your medical records, which include all information related to your treatment process – especially data regarding your health status and epidemiological history. We collect this information only when necessary for the provision of healthcare services.
What is the purpose of processing my personal data?
We process your personal data as a medical entity, and the purpose of this processing is the provision of healthcare services and the management of healthcare systems and services.
Legal basis: (Full names of legal acts are listed at the end of this document.)
To confirm your identity before providing services – especially during registration, at reception desks, and in doctors’ offices.
We are legally obliged to maintain and store medical documentation. We fulfil your rights – e.g., we collect and store your authorisations to share your medical information.
We may contact you using the provided phone number or email address to confirm or cancel appointments, remind you of appointments, instruct you on preparation for procedures, or inform you about test results.
Providing appropriate care and improving service quality are our priorities – therefore, during or after the service, we may send you brief surveys asking for feedback. As a business entity, we have the right to pursue claims and may process your data in this regard.
We keep accounting books and meet tax obligations – e.g., by issuing invoices, which may require us to process your personal data.
Who do we share your personal data with?
As a healthcare entity, we ensure the confidentiality of your data. Due to the need to maintain appropriate organization, such as in terms of IT infrastructure or day-to-day matters related to our operations as “Uzdrowisko Busko-Zdrój” S.A., as well as to fulfill your rights as a patient, your personal data may be disclosed to the following categories of recipients:
- other healthcare providers cooperating with “Uzdrowisko Busko-Zdrój” S.A. to ensure continuity and availability of care (within our own or partner facilities)
- service providers supplying technical and organisational solutions (especially IT providers, diagnostic equipment suppliers, courier and postal companies)
- legal and advisory service providers (e.g., law firms, debt collection agencies)
- payers covering the cost of provided healthcare services
Are my data transferred outside the European Union?
Since we use external service providers (e.g., for diagnostic equipment maintenance), your personal data may be transferred outside the EU. In such cases, we ensure data transfers are governed by agreements between “Uzdrowisko Busko-Zdrój” S.A. and the given entity, including standard data protection clauses adopted by the European Commission.
How long are my data processed?
If you are our patient and medical documentation has been created, we are required to store it for at least 20 years from the date of the last entry.
Subject to this period, if the data have been processed by us for the purpose of pursuing claims (e.g., in debt collection proceedings), we will process the data for this purpose for the duration of the limitation period, as provided for under the Civil Code. All data processed for accounting purposes and tax-related reasons are retained for a period of 5 years, counted from the end of the calendar year in which the tax obligation arose. After the expiry of the aforementioned periods, your data are either deleted or anonymized.
Is providing data mandatory?
Using our services is entirely voluntary. However, as a medical provider, we are legally required to maintain medical records, including confirming patient identity.
Failure to provide necessary data may result in refusal to register or provide services.
Also, due to tax and accounting regulations, we may not be able to issue invoices or receipts without personal data.
Providing your phone number or email address is optional – not providing it will not affect your access to services but will prevent us from sending you appointment confirmations.
Am I required to provide my personal data?
Using our services is entirely voluntary. However, as a healthcare provider, “Uzdrowisko Busko-Zdrój” S.A. is legally obligated to maintain medical records in accordance with the applicable laws, including verifying the identity of the patient using their personal data. In such cases, failure to provide the required data may result in the refusal to book an appointment or provide healthcare services.
We are also legally required to process your data for accounting and tax purposes—failure to provide such data may, for example, prevent us from issuing an invoice or a receipt in your name. If you choose to provide us with your telephone number or email address, it is entirely voluntary—failure to do so will not result in denial of healthcare services, but you will not receive appointment confirmations from us.
What are my rights?
As the controller of your personal data, we ensure that you have the right to access your data. You may also request that your data be rectified, deleted, or that its processing be restricted. You also have the right to object to the processing of your data by “Uzdrowisko Busko-Zdrój” S.A., as well as the right to transfer your data to another data controller.
If “Uzdrowisko Busko-Zdrój” S.A. processes your personal data based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing carried out on the basis of your consent before its withdrawal.
If you wish to exercise any of these rights, please contact us personally at the headquarters of “Uzdrowisko Busko-Zdrój” S.A., by email using the address provided on our website, or in writing to our registered office address. You may also visit the reception desk at “Uzdrowisko Busko-Zdrój” S.A.
Please note that you also have the right to lodge a complaint with the supervisory authority responsible for overseeing compliance with data protection regulations.
Legal Acts Cited in This Notice
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
- Patient Rights Act – Act of 6 November 2008 on Patient Rights and the Patient Rights Ombudsman;
- Regulation of the Minister of Health – Regulation of the Minister of Health of 9 November 2015 on the types, scope, and templates of medical documentation and the method of its processing;
- Act of 15 April 2011 on Medical Activity;
- Act of 28 April 2011 on the Information System in Healthcare.
Information Clause on the Processing of Personal Data for Marketing Purposes
Who is the controller of my data?
The controller of your personal data processed for the marketing purposes indicated in the Statement is “Uzdrowisko Busko-Zdrój” Spółka Akcyjna, with its registered office in Busko-Zdrój, at ul. Rzewuskiego 1.
Who can I contact regarding the processing of my personal data?
For all matters related to the processing of your personal data by “Uzdrowisko Busko-Zdrój” S.A., you may contact our Data Protection Officer at the following email address: iod@ubz.pl or by post: Data Protection Officer “Uzdrowisko Busko-Zdrój” S.A., ul. Rzewuskiego 1, 28-100 Busko-Zdrój
What personal data is processed by Uzdrowisko Busko-Zdrój S.A.?
The personal data you provided in the Statement will be processed for the marketing purposes of “Uzdrowisko Busko-Zdrój” S.A. as specified in that Statement.
What is the purpose of processing my personal data?
The purpose of this processing is the direct marketing of “Uzdrowisko Busko-Zdrój” S.A.’s own products and services, within the scope specified in the Statement.
Legal basis
Your personal data are processed based on and within the scope of the written consent you have given — Article 6(1)(a) of the GDPR.
To whom are my personal data disclosed?
We ensure the confidentiality of your data. Due to the necessity of maintaining proper organization, e.g., in terms of IT infrastructure or ongoing matters related to our activities as “Uzdrowisko Busko-Zdrój” S.A., as well as for the exercise of your rights, your personal data may be disclosed to the following categories of recipients:
- service providers supplying technical and organizational solutions enabling us to manage our organization (in particular, providers of IT services);
- external entities in cases provided for by law.
Are my data transferred outside the European Union?
Your personal data will not be transferred outside the territory of the European Union.
How long will my personal data be processed?
The data subject has the right to withdraw consent at any time. We process your personal data for the purposes specified in the Statement until the consent is withdrawn. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Is providing my data mandatory?
In cases where data processing is based on the consent of the data subject, providing your personal data to the controller is voluntary.
What rights do I have?
As the controller of your data, we provide you with the right to access your personal data, and you may also request rectification, deletion, or restriction of its processing.
You also have the right to object to the processing of your data by “Uzdrowisko Busko-Zdrój” S.A., as well as the right to data portability to another data controller.
If “Uzdrowisko Busko-Zdrój” S.A. processes your personal data based on your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.
If you wish to exercise any of these rights, please contact us personally at the headquarters of “Uzdrowisko Busko-Zdrój” S.A., via the email address provided on our website, or in writing at our registered office address.
Please also be informed that you have the right to lodge a complaint with the supervisory authority responsible for data protection — the Personal Data Protection Office (Urząd Ochrony Danych Osobowych), located at ul. Stawki 2, 00-193 Warsaw.
Automated processing, including profiling
Your personal data will not be processed in an automated manner (including profiling) that could produce legal effects concerning you or similarly significantly affect your situation.
Transfer of personal data to third countries or international organizations
Your personal data will not be transferred outside the European Economic Area or to international organizations.

