PRIVACY POLICY OF WARSAW GENOMICS

When offering its services, “Warsaw Genomics spółka z ograniczoną odpowiedzialnością” spółka komandytowa puts special emphasis on the protection of data entrusted to it by you. Before starting to use our service, please familiarise yourself with the Privacy Policy presented below, setting out the principles of the processing of personal data provided by you. The Privacy Policy constitutes an integral part of the Regulations.

Personal Data Controller

A“Warsaw Genomics spółka z ograniczoną odpowiedzialnością” spółka komandytowa with its registered office in Warsaw at ul. Kiwerska 33A, 01-682 Warsaw (hereinafter “Warsaw Genomics”) is the controller of personal data.

Any questions concerning the Privacy Policy or data processed and collected on the Service website should be addressed by email to: This email address is being protected from spambots. You need JavaScript enabled to view it.

Basis of Personal Data Processing

Warsaw Genomics processes personal data, including sensitive data, on the basis of:

  • the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”),
  • the Regulation of the Minister of Interior and Administration of 29 April 2004 on Documentation of Personal Data Processing and Technical and Organisational Conditions That Should Be Met by Devices and IT Systems Used to Process Personal Data (J. L. No 100, item 1024),
  • the Act on Patients’ Rights and the Patients’ Rights Ombudsman of 6 November 2008 (uniform text, J.L. of 2017, item 1318),
  • the Act on Medical Activity of 15 April 2011 (uniform text, J.L. of 2016, item 1638),
  • the Act on Providing Services by Electronic Means of 18 July 2002 (uniform text, J.L. of 2017, item 1219),
  • and the Patient’s consent (with respect to tests requested directly by the Patient).
Processing Objective Legal Grounds Period of Personal Data Processing
Performance of the service /a request that you placed Article 6 (1) (b) of the GDPR, i.e. processing is necessary for the performance of a contract to which the data subject is party. Your personal data will be processed for a period during which the request/service is performed and for a term necessary after its completion.
Reply to your query Article 6 (1) (a) of the GDPR, i.e. a consent. Your data will be processed as long as the grounds of its processing exist – i.e. in case a consent was granted, until the consent is withdrawn, limited or other actions are taken on your part limiting the consent. Your personal data will be processed for a period during which the reply to the query will be given and for a term necessary after the reply is given.
Commencement and completion of the registration of an account on the website initiated by you Article 6 (1) (b) of the GDPR, i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Your data will be processed for a term necessary to perform the contract.
Performing SARS‑CoV‑2 tests at the request of the sanitary and epidemiological station Article 6 (1) (d) and (e) of the GDPR, i.e. processing is necessary to protect the vital interests of the data subject or of another natural person and to perform a task carried out in the public interest [in the area of public health in connection with SARS‑CoV‑2 pandemic]. Your data will be processed for a term necessary to perform the test and transfer the test result.
As an entity performing SARS‑CoV‑2 tests we are obliged to provide results of the tests to sanitary and epidemiological station. Article 9 (2) (i) of the GDPR, i.e. processing is necessary for reasons of public interest in the area of public health. Your data will be processed for a term necessary to perform the test and transfer the test result.
Being a healthcare entity we are obliged to keep and store medical documentation. Article 9 (2) (h) of the GDPR in connection with Article 24 (1) of the Act on Patients’ Rights A period arising from law. Creating medical documentation we have the right to store it for 20 years from the date of making the last entry therein.
Contacting you at a telephone number or email address given by you, for example, to present an offer to you Article 6 (1) (a) of the GDPR, i.e. a consent. You give us your telephone number or email address on voluntary basis – the failure to provide such information will not result in the refusal to complete registration, or providing the service but you will not receive information from us about our new services, promotions, promotional campaigns, benefits, etc. Period of marketing campaign
In order to complete complaint process initiated by you Article 6 (1) (c) of the  GDPR, i.e. compliance with a legal obligation A period of complying with a legal obligation and any potential further period of using the services offered by the Controller
We have the right to pursue claims in connection with business activities conducted by us and therefore to process your data for that purpose. Article 6 (1) (f) of the GDPR, as the Controller’s legitimate interests, being pursuing our claims and defending our rights, as well as Article 9 (2) (f) of the GDPR. A period of pursuing claims by the Controller
We keep accounting books and we have accounting and tax obligations – for example we issue invoices for services provided by us which may involve the necessity to process your personal data. Article 6 (1) (c) of the GDPR in connection with Article 74 (2) of the Accounting Act. A period necessary to perform tax obligation. Any data processed for the purposes of accounting and due to tax reasons will be processed by us for 5 years counting from the end of a calendar year in which tax obligation was created

Providing us with personal data is completely voluntary but necessary to achieve the purpose of processing for which such data is given.

Any personal data provided to us is not subject to automated decision-making, including profiling.

After completion of the Service, isolated genetic material (DNA) may be stored by Warsaw Genomics for re-use in the future. For that purpose, the Participant must sign an appropriate consent in the Informed Consent Form (attachment no 2). In case no consent is given to such use, genetic material (DNA) will be destroyed.

After completion of the Service, isolated genetic material (DNA) and medical data may be stored and anonymously used by Warsaw Genomics for educational purposes and for the purpose of scientific research aimed at determining the frequency and clinical significance of pathogenic mutations in the Polish population. For that purpose, the Participant must sign an appropriate consent in the Informed Consent Form (attachment no 2). In case no consent is given to such use, genetic material (DNA) will be destroyed.

Biological material other than specified above may be used by Warsaw Genomic, after the requested tests have been completed, for the purposes of scientific research carried out by Warsaw Genomics.

Consents mentioned above may be destroyed at any time.

Participant’s Rights

Each Participant will have the right to obtain from the Controller:

  1. access to his or her personal data,
  2. rectification of own personal data,
  3. erasure of own personal data which will result in immediate deletion of the Participant’s personal data from database,
  4. restriction of personal data processing,
  5. lodging a complaint regarding processing of personal data with supervisory authority, which in Poland is Urząd Ochrony Danych Osobowych, www.uodo.gov.pl,
  6. data portability
  7. withdrawal of a consent to personal data processing at any time. The withdrawal of the consent will not affect the lawfulness of processing based on the consent before its withdrawal, however, it will prevent us from providing services,
  8. objection against personal data processing – in case processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller and when processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including in case of profiling. The Controller will no longer process such personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Providing Access to Personal Data to Third Parties

Warsaw Genomics may entrust the processing of personal data to service providers whose services it uses in connection with the operation of the Service and to the suppliers of courier services. In order to provide services for Warsaw Genomics, such entities may obtain access to Participants’ personal data. Warsaw Genomics ensures that in such a case these entities will be obliged to ensure the same data protection standards and will not be authorised to use personal data for own purposes, including for marketing purposes.

Security Policy

Personal data of Participants, including sensitive data, are stored in compliance with all security standards aimed at safeguarding them against unlawful disclosure to unauthorised persons.

Changes

Warsaw Genomics reserves the right to make changes of the Privacy Policy. You will be notified of all changes at www.badamygeny.pl and www.warsawgenomics.pl