General Data Protection Regulation - GDPR Clause - Patients

The following document fulfills the informational obligation specified in Article 13 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals concerning the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union L 119 of 2016, p. 1 as amended) (GDPR).

  1. Identity of the Personal Data Controller

The administrator of our patients’ data is NURT Centrum Terapii spółka z ograniczoną odpowiedzialnością with its registered office in Gdańsk, Aleja Grunwaldzka 505/4, 80-320 Gdańsk (hereinafter: “Data Controller”).

  1. Contact for Matters Related to Personal Data Protection

We invite you to contact our Data Protection Coordinator at tel. 608400506 or email

  1. Source of Personal Data

Patients provide personal data voluntarily when registering for healthcare services provided by the Data Controller and during the process of using our medical services. Providing data is voluntary, but failure to do so may prevent the provision of medical services.

  1. Purposes and Legal Bases for Processing Personal Data

Data will be processed for the purpose of conducting medical activities by the Data Controller, especially for providing medical services and maintaining the medical documentation required by law. The legal basis for processing data to the extent necessary to protect the vital interests of the patient may also be Article 6(1)(d) of the GDPR. In cases where processed data includes special categories, the legal basis for processing is Article 9(2)(c) and (h) of the GDPR. In the case of providing telemedicine services, the purpose of processing is also to verify the patient’s identity to ensure that the patient’s health information does not fall into unauthorized hands. In such cases, the legal basis is Article 6(1)(f) of the GDPR.

  1. Transfer of Personal Data

Recipients of personal data will include:

a) entities supporting the Data Controller in IT services, medical documentation management, including maintaining medical records, especially: MyDr Sp. z o.o., ul. Puławska 465, 02-844 Warsaw, KRS 0000704950, NIP 5252730290, REGON 368795483.

b) entities cooperating with the Data Controller in the management and operation of the appointment booking system, especially: ZnanyLekarz Sp. z o.o., ul. Kolejowa 5/7, 01-217 Warsaw, Poland, KRS: 0000347997, NIP: 701022486, REGON: 142276657.

c) individuals and entities providing healthcare services on behalf of the Data Controller (e.g., other medical entities, laboratories, etc., for the continuation of treatment, conducting prescribed tests, or providing other healthcare services).

d) Minister of Health as the data controller for personal data processed in the Medical Information System within the Electronic Platform for Gathering, Analyzing, and Sharing Digital Resources on Medical Events.

e) individuals authorized by the patient to obtain information about their health status or access to medical documentation.

f) insurers in case of claims against the Data Controller.

g) entities providing legal, accounting, and archiving services on behalf of the Data Controller.

h) public authorities and other bodies within the scope of their statutory powers.

6. Transfer of Data Outside the European Union

Data will not be transferred outside the European Union.

  1. Data Processing Period

Personal data included in medical documentation will be processed in accordance with the requirements of Article 29(1) of the Act of November 6, 2008, on Patient Rights and the Patient’s Ombudsman (Journal of Laws of 2020, item 849), i.e., for a period of 20 years, counting from the end of the calendar year in which the last entry was made, except for:

a) medical documentation in the case of a patient’s death due to bodily injury or poisoning, which will be stored for 30 years, counting from the end of the calendar year in which the death occurred,

b) medical documentation containing data necessary for monitoring the fate of blood and its components, which will be stored for 30 years, counting from the end of the calendar year in which the last entry was made,

c) X-ray images stored separately from the patient’s medical documentation, which will be stored for 10 years, counting from the end of the calendar year in which the image was taken,

d) referrals for examinations or orders of a doctor, which will be stored for 5 years, counting from the end of the calendar year in which the healthcare service covered by the referral or doctor’s order was provided, and in cases where the service was not provided due to the patient’s failure to report within the specified period – for a period of 2 years, unless the patient received the referral,

e) medical documentation concerning children until the completion of the second year of life, which will be stored for 22 years.

8. Patient Rights under the GDPR

Patients have the right to access their data, correct them, request their deletion, restrict processing, and the right to data portability. Patients also have the right to lodge a complaint with the supervisory authority, i.e., the President of the Office for Personal Data Protection (