Privacy Policy

1. General information

This Privacy Policy explains how Klinika JA sp. z o.o. processes the personal data of patients, clients, website users, persons using the contact form, persons booking appointments and other persons contacting the Clinic.

Klinika JA sp. z o.o. is a private healthcare provider operating in the field of aesthetic medicine, medical consultations, medical treatments and cosmetology services. In connection with this, Klinika JA sp. z o.o. may process both ordinary personal data and special categories of data, for example data concerning health, treatment data, cosmetology data and data contained in medical records.

Klinika JA sp. z o.o. processes personal data in accordance with the law, in particular the GDPR and the provisions on medical activity, patients’ rights, medical records, accounting, taxes, the provision of services by electronic means and electronic communication.

2. Data Controller

The controller of personal data is:

Klinika JA sp. z o.o.
ul. Jaktorowska 8, lok. 6
01-202 Warsaw
KRS: 0001069085
NIP (Tax ID): 1182273163
telephone: +48 453 630 680
e-mail: info@klinikaja.pl

You can contact the Controller:

  • in writing — at: ul. Jaktorowska 8 lok. 6, 01-202 Warsaw;
  • by e-mail — at: info@klinikaja.pl;
  • by telephone — at: +48 453 630 680;
  • in person — at the place where services are provided, during the Clinic’s opening hours.

3. Contact regarding personal data protection

In matters concerning the protection of personal data, you may contact the Controller by e-mail at info@klinikaja.pl or in writing at ul. Jaktorowska 8, lok. 6, 01-202 Warsaw, or the Data Protection Officer at joanna.obara@adwokatura.pl or by telephone at +48 453 630 680.

4. Who does the Privacy Policy apply to?

The Privacy Policy applies in particular to:

  • patients using health services;
  • persons using consultations, aesthetic medicine treatments and cosmetology services;
  • persons booking appointments via the website, telephone, e-mail, contact form, eGabinet, Booksy or another contact channel;
  • persons contacting Klinika JA to ask a question, obtain information, change an appointment date or submit a request;
  • website users;
  • persons using the Clinic’s social media profiles;
  • contractors and persons representing contractors.

5. What personal data may be processed?

The scope of the data processed depends on the purpose of contact, the type of service, the nature of the service provided and the Controller’s legal obligations.

The Controller may process in particular:

  • identification data, such as first name, surname, PESEL number, date of birth, gender, identity document number — where this is necessary;
  • contact data, such as telephone number, e-mail address, residential address or correspondence address;
  • registration and organisational data, such as the appointment date, type of service, chosen specialist, booking history, the content of a request, appointment confirmation, cancellation or change of date;
  • data provided in the contact form, i.e. first name and surname, e-mail address, telephone number and the content of the message;
  • data concerning health, including information about the state of health, illnesses, allergies, medications taken, contraindications, pregnancy, breastfeeding, past treatments, test results, diagnoses, recommendations, post-treatment reactions, possible complications and other information needed for the safe provision of a service;
  • cosmetology and treatment data, including information about the condition of the skin, skin type, indications and contraindications for a treatment, previous treatments, the patient’s or client’s expectations, the treatment plan and care recommendations;
  • data contained in medical records and treatment records;
  • data concerning persons authorised by the patient to obtain information about their state of health or to access medical records;
  • billing data, including data needed to issue an invoice, bill, receipt or other accounting document;
  • data recorded in photographic documentation — in particular photographs documenting the condition before a treatment, the treatment area, the course of treatment, post-treatment monitoring or the treatment result;
  • technical data related to the use of the website, such as: IP address, cookies, information about the device, browser, operating system, activity on the website and cookie consent settings.

The contact form on the website is not intended for the transfer of detailed medical records or urgent information about your state of health. However, if a user provides health-related information in the form themselves, the Controller will process it only to the extent necessary to handle the request, take action before the visit, provide the service, and protect the rights of the Controller or of the data subject.

6. Purposes and legal bases for processing data

1. Providing health services

Personal data, including data concerning health, are processed in order to provide health services, carry out a medical consultation, qualify a patient for a treatment, perform a treatment, ensure patient safety, provide recommendations and maintain continuity of care.

The legal basis for processing is:

  • Article 6(1)(c) GDPR — a legal obligation to which the Controller is subject as a healthcare provider;
  • Article 6(1)(b) GDPR — performance of a contract or taking steps prior to entering into a contract;
  • Article 9(2)(h) GDPR — the processing of data concerning health necessary for the purposes of preventive healthcare, medical diagnosis, the provision of healthcare or treatment.

2. Keeping medical records

Personal data are processed in order to keep, store, secure and make available medical records in accordance with the law.

The legal basis for processing is Article 6(1)(c) GDPR and Article 9(2)(h) GDPR in conjunction with the provisions on patients’ rights, medical records and medical activity.

3. Cosmetology services

If a given service is cosmetological, care-related, aesthetic or organisational in nature and does not constitute a health service, the data are processed in order to perform the service, qualify the client for the service, establish contraindications, ensure the client’s safety, settle payment for the service and handle contact.

The legal basis for processing is:

  • Article 6(1)(b) GDPR — performance of a contract or taking steps prior to entering into a contract;
  • Article 6(1)(c) GDPR — fulfilment of legal obligations, in particular tax and accounting obligations;
  • Article 6(1)(f) GDPR — the legitimate interest of the Controller consisting in the organisation of work, customer service, ensuring the safety of the service and protection against claims;
  • Article 9(2)(h) GDPR or Article 9(2)(a) GDPR — if, in connection with the service, it is necessary to process data concerning health.

4. Registration and handling of appointments

Personal data are processed in order to book, confirm, change and cancel appointments, handle bookings, provide organisational information and ensure the proper organisation of the Clinic’s work.

The legal basis for processing is:

  • Article 6(1)(b) GDPR;
  • Article 6(1)(c) GDPR;
  • Article 6(1)(f) GDPR — the legitimate interest of the Controller consisting in the efficient organisation of work and the service of patients and clients.

Appointments may also be booked via external platforms, in particular eGabinet and Booksy. In such a case, the data may also be processed by the providers of these platforms under the terms set out in their own terms of use and privacy policies.

5. Contact form, e-mail and telephone

Data provided in the contact form, an e-mail message or a telephone call are processed in order to handle the request, provide a response, contact you back, book an appointment or take action at the request of the data subject.

The legal basis for processing is:

  • Article 6(1)(b) GDPR — if the contact is aimed at concluding a contract, booking an appointment or using a service;
  • Article 6(1)(f) GDPR — the legitimate interest of the Controller consisting in handling correspondence and enquiries;
  • Article 6(1)(c) GDPR — if the contact concerns the Controller’s legal obligations;
  • Article 9(2)(h) GDPR or Article 9(2)(a) GDPR — if the person making contact provides data concerning health.

Data from the contact form are saved in the website’s database and sent by e-mail to the Clinic.

The contact form is not intended for providing urgent medical advice and does not replace a medical consultation. In an emergency, contact the emergency number 112 or the appropriate medical service.

6. Photographic documentation

Klinika JA sp. z o.o. may take photographic documentation in order to document the condition before a treatment, qualification for a treatment, the course of treatment, the results of therapy, post-treatment monitoring, safety assessment and protection against claims.

If photographs form part of the medical or treatment records, they are processed on the basis of the provisions on the provision of health services, medical records, the performance of a contract and the legitimate interest of the Controller.

The use of photographs for marketing, promotional or educational purposes, publication on social media, on the website or in advertising materials requires the separate, voluntary consent of the person to whom the photograph relates.

A lack of consent to the marketing use of photographs does not affect the ability to use a service.

7. Settlements, accounting and taxes

Personal data are processed in order to handle payments, issue invoices, bills and receipts, keep accounting books and tax documentation and fulfil financial and accounting obligations.

The legal basis for processing is Article 6(1)(c) GDPR and tax and accounting provisions.

8. Complaints, grievances, claims and the defence of rights

Personal data may be processed in order to handle complaints, grievances, requests, investigations, inspections and audits, and to establish, exercise or defend claims.

The legal basis for processing is:

  • Article 6(1)(f) GDPR — the legitimate interest of the Controller consisting in protecting the rights and interests of the Controller;
  • Article 9(2)(f) GDPR — if the matter involves data concerning health and this is necessary for the establishment, exercise or defence of legal claims.

9. Own marketing

Personal data may be processed in order to market the Controller’s own services, including informing about offers, promotions, events or new services, only where there is an appropriate legal basis.

The sending of marketing information by electronic means or marketing contact by telephone takes place on the basis of separate consent required by law.

A lack of marketing consent does not affect the ability to use the Clinic’s services.

10. Website, statistics and security

Technical data of website users are processed in order to ensure the proper functioning of the website, security, error diagnosis, the handling of cookie consents and the keeping of statistics and analytics — to the extent resulting from the cookie settings.

The legal basis for processing is Article 6(1)(f) GDPR and, as regards cookies and similar technologies, also the provisions on electronic communication.

The website uses domena.pl hosting. According to the information provided, the servers are located in Poland or the European Union.

The website uses Google Analytics 4 via Google Tag Manager.

Google Analytics is used to keep statistics of website visits. Data may be transferred to Google, including to the United States, in accordance with the mechanisms provided for in the GDPR and Google’s rules. Google Analytics should only be activated after the user has given consent to analytics cookies.

In accordance with the implementation assumptions, the website should not load fonts directly from Google Fonts servers. In order to limit unnecessary connections with external providers, the use of system fonts or the local hosting of font files on the website’s server is recommended.

7. Sources of data

Data are obtained primarily directly from the person to whom they relate.

Data may also come from:

  • a legal representative, actual guardian or authorised person;
  • a person booking an appointment on behalf of a patient or client;
  • an external booking platform, in particular eGabinet or Booksy;
  • another healthcare provider, doctor, laboratory or diagnostician — insofar as such data are transferred in connection with treatment or documentation;
  • a social media service — if a person contacts Klinika JA via such a service;
  • public registers — where this is needed to verify a contractor’s data or fulfil legal obligations.

8. Recipients of personal data

Personal data may be transferred to entities that support Klinika JA in conducting its business — only to the extent necessary to achieve the specified purposes.

The recipients of the data may in particular be:

  • persons practising medical professions and other persons authorised to process data at Klinika JA;
  • entities providing IT, hosting, servicing, website maintenance, e-mail, IT systems and cybersecurity services;
  • the hosting provider domena.pl;
  • providers of registration, practice-management and communication systems;
  • providers of external booking platforms, in particular eGabinet and Booksy — to the extent that the user uses these platforms;
  • Google — as regards the use of Google Analytics 4 and Google Tag Manager, if the user consents to analytics cookies;
  • a law firm, accounting office, advisers, insurers;
  • payment-handling entities;
  • entities providing postal or courier services;
  • laboratories, diagnosticians, other healthcare providers or specialists — where this is needed to provide a service or continue treatment;
  • public authorities, e.g. courts, the prosecutor’s office, tax authorities, the Patient Ombudsman, the President of the Personal Data Protection Office (UODO) or other authorised entities — where the obligation to disclose the data results from the law or a final or immediately enforceable ruling.

Where data are entrusted to processors, the Controller concludes data processing agreements with them or applies other data protection mechanisms required by law.

9. Transfer of data outside the European Economic Area

As a rule, the Controller seeks to use providers that process data within the European Economic Area.

Where tools of providers that may process data outside the European Economic Area are used, in particular Google Analytics 4, the transfer of data takes place in accordance with the mechanisms provided for in the GDPR, including on the basis of an adequacy decision, standard contractual clauses or other appropriate safeguards.

In accordance with the implementation assumptions, the website should not load fonts from Google Fonts servers, which limits the user’s additional connections with Google solely for the purpose of downloading fonts.

10. How long are data stored?

The storage period depends on the purpose and legal basis of processing.

  • Medical records — are stored for the period resulting from the law, as a rule for 20 years counting from the end of the calendar year in which the last entry was made, with the exceptions provided for in the applicable Act.
  • Billing, accounting and tax documentation — is stored for the period required by tax and accounting provisions.
  • Data from the contact form — are stored for the period necessary to handle the request and then for up to 24 months from the end of the correspondence, unless the matter leads to a visit, a service, a complaint, a claim or a legal obligation requiring longer storage.
  • Data from e-mail and telephone correspondence — are stored for the time needed to handle the matter and then for a period justified by protection against claims or by legal obligations.
  • Data processed for the performance of a contract or service — are stored for the duration of the contract and then for the limitation period for any claims or for the period required by law.
  • Data processed on the basis of consent — are stored until the consent is withdrawn, unless there is another legal basis for further processing.
  • Data processed for marketing purposes — are stored until consent is withdrawn, an objection is raised or the marketing purpose ceases.
  • Photographs forming part of the medical or treatment records — are stored in accordance with the rules applicable to that documentation.
  • Photographs used for marketing — are processed until consent is withdrawn, a campaign ends or the purpose of publication ceases, taking into account the technical possibility of removing materials that have already been distributed.
  • Technical data and cookies — are stored for the period resulting from the settings of the given cookie or until the user changes their settings.

11. Rights of data subjects

The data subject has the rights set out in the GDPR, in particular:

  • the right of access to their data;
  • the right to obtain a copy of their data;
  • the right to rectification of data;
  • the right to erasure of data — where the grounds provided for in the GDPR apply;
  • the right to restriction of processing;
  • the right to data portability — where applicable;
  • the right to object to the processing of data on the basis of the Controller’s legitimate interest;
  • the right to withdraw consent at any time — where the data are processed on the basis of consent;
  • the right to lodge a complaint with the President of the Personal Data Protection Office.

Some of the rights indicated may be limited by legal provisions, in particular the obligation to keep and store medical records, tax and accounting obligations or the need to establish, exercise or defend claims.

The right to erasure of data does not apply to the extent that the Controller has a legal obligation to continue storing the data, in particular medical records.

12. Voluntary nature or obligation to provide data

Providing data is voluntary but, in some cases, necessary in order to:

  • book an appointment;
  • provide a health service;
  • perform a service;
  • keep medical records;
  • issue an invoice or fulfil tax obligations;
  • respond to an enquiry;
  • handle a complaint, grievance or other request.

A failure to provide data required by law or necessary for the safe provision of a service may make it impossible to provide the service, perform the service, issue an accounting document or handle the request.

13. Consents

If data are processed on the basis of consent, the consent is voluntary, specific, informed and may be withdrawn at any time.

Separate consent may be required in particular for:

  • marketing communication via a specific channel;
  • the use of one’s image;
  • the publication of photographs of treatment results;
  • the use of a review together with data identifying the person;
  • the use of analytics or marketing cookies and similar technologies.

A lack of marketing consent or consent to the publication of one’s image does not affect the ability to use the health services or services of Klinika JA.

14. Website and cookies

The website www.klinikaja.pl may use cookies and similar technologies in order to ensure the proper functioning of the website, remember the user’s settings, handle the pop-up, and keep statistics and analytics. Detailed information can be found in the Cookie Policy.

15. Automated decision-making

Personal data are not used to make decisions based solely on automated processing that would produce legal effects concerning the person or similarly significantly affect them.

16. Updates to the Privacy Policy

The Privacy Policy may be updated in the event of changes to the law, the scope of the Clinic’s services, the way the website operates, IT tools, service providers, the method of booking appointments or data processing operations.

The current version of the Privacy Policy is available on the Klinika JA website in the Privacy Policy tab (link in the website footer).

Book an appointment