Privacy Policy

Personal Data - all information relating to you that we process. For example: first name, last name, email address, phone number, health information, etc.

Clinic – the clinic operated by the administrator of your personal data, i.e., Braniborska Clinic, located at Braniborska Street 10e/U6, 53-680 Wrocław.

Processing - any actions performed on Personal Data. For example: collecting, storing, updating, deleting data.

The administrator of your personal data is Izabela Rubisz, conducting business under the name Braniborska Clinic Praktyka Lekarska Izabela Rubisz, Braniborska Street 10E/U6, 53-680 Wrocław, NIP: 8942986867, email address: info@braniborska.clinic, contact phone: 71 716 67 90.

1. Processing of Patients' Personal Data

The administrator of your personal data is Braniborska Clinic Sp. z o.o., ul. Braniborska 10E/U6, 53-680 Wrocław, NIP: 8971954864, email address: info@braniborska.pl, contact phone: 71 716 67 90.

If you are our patient, we may process your Personal Data, particularly in the form of identification data (e.g., name and surname, date of birth, PESEL number, and for a person who has not been assigned a PESEL number – series, number, and name of the identity document), contact data (e.g., address of residence, phone number), health data.

The basis for processing your Personal Data may be:

• Your explicit consent (Art. 9(2)(a) GDPR),
• purposes of health prevention, medical diagnosis, provision of healthcare, and treatment (Art. 9(1)(h) GDPR in connection with Art. 3(1) of the Act on Medical Activity),
• necessity to perform a contract (Art. 6(1)(b) GDPR).

Additionally, in the case of processing your Personal Data for the purpose of:

• pursuing or defending against potential claims, the basis for processing your data will be our legitimate interest (Art. 6(1)(f) GDPR) or Art. 9(2)(f) GDPR;
• fulfilling the legal obligations of the administrator (e.g., tax, accounting), the basis for processing your data will be the fulfillment of legal obligations imposed on the administrator (Art. 6(1)(c) GDPR);
• statistical, analytical, and marketing purposes – the legal basis for their processing in such cases is the legitimate interest of the administrator (Art. 6(1)(f) GDPR).

Providing your Data is voluntary, but necessary for us to provide services.

As a rule, we will process your Personal Data until you withdraw your consent or for a period of 20 years from the last entry in your medical records, unless the regulations provide for a longer period (e.g., in the case of medical records concerning children up to the age of 2, which are stored for a period of 22 years). These periods may be appropriately extended, if necessary, in the case of any claims and court proceedings – for the duration of these proceedings and their settlement.

Only our duly authorized employees or associates, partners, accounting, legal, or auditing advisors will have access to your personal data – to the extent necessary to perform their duties. Your data may be, for example, transferred to a hosting service provider or IT services, other entities that support us technically or organizationally, e.g., courier companies. We may also be obliged – if there is a legal basis – to provide certain information to public authorities (e.g., the National Health Fund). All these entities have access only to the information necessary for their actions.

In the case of storing data outside the EEA, we use necessary technical and legal safeguards, including model contractual clauses approved by the European Commission (you can access such safeguards and a list of data recipients) by contacting us.

We remind you that the GDPR grants you, in certain situations, the right to access your data, rectify your data, withdraw consent without affecting the lawfulness of processing carried out before its withdrawal, request data deletion, request restriction of processing, data portability, object if we process data based on our legitimate interests (if the objection is effective, we will cease processing), lodge a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office (a detailed description of the complaint procedure is available at: https://uodo.gov.pl/pl/83/155).

In case of questions regarding your Personal Data, we encourage you to contact us first.

2. Processing of Data of Our Contractors and Their Employees/Collaborators

The administrator of your personal data is Braniborska Clinic Sp. z o.o., ul. Braniborska 10E/U6, 53-680 Wrocław, NIP: 8971954864, email address: info@braniborska.pl, contact phone: 71 716 67 90.

If you are our contractor or an employee/collaborator of our contractor, we may process your identification data, contact data, and data regarding the performance of your contract, i.e., in particular, your name and surname, the name of the employing entity, contact phone number, email account, your position/held authorizations, our possible correspondence. If you are a party to a contract concluded with us, we will also process your registration data or those concerning our settlements.

We process personal data to properly execute the contract concluded between us and your employer/entity you represent, including documenting its conclusion and identifying persons authorized to perform tasks specified in the contract. This is necessary to fulfill the legally justified interest of the administrator (Article 6(1)(f) of the GDPR), which is the execution of the contract with our contractor. If, as a natural person, you are a party to a contract with us, your personal data will be processed by us to execute this contract (Article 6(1)(b) of the GDPR).

Additionally, in the case of processing your personal data for the purpose of:

• pursuing or defending against potential claims, the basis for processing your data will be our legitimate interest (Article 6(1)(f) of the GDPR);
• fulfilling the legal obligations of the administrator (e.g., tax, accounting), the basis for processing your data will be the fulfillment of legal obligations imposed on the administrator (Article 6(1)(c) of the GDPR);
• statistical, analytical, and marketing purposes – the legal basis for their processing in such cases is the legitimate interest of the administrator (Article 6(1)(f) of the GDPR).

We received your data directly from you or from your employer/entity you represent. Disclosure of personal data is voluntary, but providing them is a condition that allows the conclusion of a contract or allows you to perform tasks specified in the contract (not providing them will prevent our cooperation).

As a rule, data processed based on our legitimate interest will be processed until an objection is raised or the purpose for which they were processed is fulfilled. We store data related to the execution of the contract for the duration of the contract (and also for the time resulting from the obligation to maintain confidentiality - if a separate statement is signed) and usually for a period of up to 7 years after its termination, which results from tax regulations and the limitation period of certain claims. These periods may be appropriately, necessarily extended in the case of any claims and court proceedings – for the duration of these proceedings and their settlement – as well as if the law in certain cases obliges us to process them longer.

Only our duly authorized employees or collaborators, partners, accounting, legal, or audit advisors will have access to your personal data – to the extent necessary to perform their duties. Your data may, for example, be transferred to a hosting service provider or IT service provider, other entities that support us technically or organizationally, e.g., courier companies. We may also be obliged – if there is a legal basis – to provide certain information to public authorities (e.g., the National Health Fund). All these entities have access only to the information necessary for their actions.

In the case of storing data outside the EEA, we use necessary technical and legal safeguards, including model contractual clauses approved by the European Commission (you can access such safeguards and a list of data recipients) by contacting us.

We remind you that the GDPR grants you in certain situations the right to access your data, rectify your data, withdraw consent without affecting the lawfulness of processing carried out before its withdrawal, request data deletion, request restriction of processing, data portability, object if we process data based on our legitimate interests (if the objection is effective, we will stop processing), lodge a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office (a detailed description of the complaint procedure is available at: https://uodo.gov.pl/pl/83/155).

In case of questions regarding your Personal Data, we encourage you to contact us first.

3. Processing of Employee and Collaborator Data

The administrator of your personal data is Braniborska Clinic Sp. z o.o., ul. Braniborska 10E/U6, 53-680 Wrocław, NIP: 8971954864, email address: info@braniborska.pl, contact phone: 71 716 67 90.

If you are a member of our team, regardless of the legal basis of our cooperation, we process your Personal Data.

The scope of personal data we process depends on the legal basis of our cooperation (e.g., employment contract or other civil law contract), as well as the information you provided us in connection with the conclusion of the contract and during its term – it primarily includes the content of documents, as well as the content of our possible communication.

In the case where the basis of our cooperation is an employment contract, we primarily process personal data indicated in Art. 221 § 1 and 3 of the Labor Code, collected at the stage of recruitment and employment, i.e.:

• first name(s) and surname,
• date of birth,
• contact details,
• education data,
• professional qualifications data,
• previous employment history,
• residential address,
• PESEL number, and in the absence of it - type and number of identity document,
• other personal data, including personal data of your children and other close family members - in case providing such data is necessary due to your use of special rights provided for in labor law,
• bank account number, if you have not submitted a request for payment of remuneration to your own hands.

As a rule, we may also process other Personal Data if it is necessary to exercise a right or fulfill an obligation arising from a legal provision, you have consented to it, or we have a legitimate interest in doing so.

Additionally, the scope of personal data processed by us includes information resulting from your employment contract, e.g., position, salary, place of work, working time dimension, start date, as well as resulting from the course of employment, concerning, among others, the term and period of used vacation leave, maternity, parental, childcare, sick leave, work-related accidents, additional benefits, or assessment of your work. In order to enable you to exercise your rights related to your life or family situation (e.g., payment of sick pay, etc.) and to fulfill our statutory obligations, we may process your "sensitive" personal data that you have provided us in connection with this right.

If the basis of our cooperation is another civil law contract, e.g., mandate, contract for specific work, or provision of services in a B2B relationship, as a rule, in practice, the scope of data collected by us is analogous to the above, appropriately adapted depending on the content of the cooperation relationship and the obligations of the parties (in each case, however, we collect only the data necessary to properly perform and settle the concluded contract).

In the case where the basis of our cooperation is an employment contract, providing your personal data required by the provisions of the Labor Code and other data necessary to exercise a right or fulfill an obligation arising from a legal provision is necessary for its conclusion and legal performance. Providing other Personal Data (not required by legal provisions) or when we are bound by another civil law contract is voluntary, however, sometimes it may be necessary for purposes related to our cooperation.

The above means that failure to provide the aforementioned data may constitute a basis for refusal to establish cooperation with us or to take steps to terminate the contract, or refusal to grant you certain benefits.

In each case where the basis for processing your Personal Data by us is or may be your consent, its absence or withdrawal will not be a basis for unfavorable treatment and will not cause any negative consequences for you, especially it will not constitute a reason justifying refusal of employment, termination of the employment contract, or its termination without notice by us.

We process your Personal Data for purposes necessary for the realization of employment (management of the employment relationship or other type of established cooperation), i.e., primarily for the organization of work and business trips, payment of remuneration, ensuring you the possibility of using special rights and benefits, fulfilling legal requirements, including those related to tax settlements and resulting from social insurance regulations, and fulfilling other requirements imposed by internal regulations in connection with employment.

The legal basis for processing your Personal Data is primarily:

• the contract binding us (Art. 6(1)(b) GDPR), and
• the fulfillment of a legal obligation incumbent on us (Art. 6(1)(c) GDPR) - in relation to Personal Data, the collection and storage of which is required by generally applicable legal provisions, e.g., tax, accounting, in the field of maintaining personal files or payment obligations towards ZUS, in particular the Labor Code (unless the basis of our cooperation is another contract than an employment contract), executive acts, tax and social insurance laws (in the case of "sensitive" data in this context, the basis for processing is the necessity to fulfill obligations and exercise special rights by us or by you (Art. 9(2)(b) GDPR).

Sometimes we may process Personal Data exceeding the catalog indicated above, e.g., your image, if you have voluntarily provided it during and in connection with our cooperation. In such a case, the legal basis for their processing may be your consent (Art. 6(1)(a) GDPR, and in the case of "sensitive" Personal Data – Art. 9(2)(a) GDPR) or our legitimate interest (e.g., improving the management process and internal communication) – Art. 6(1)(f) GDPR.

Consent may constitute the basis for processing your Personal Data provided by you at our request or provided by you on your own initiative. In the case of "sensitive" personal data, consent may concern only situations where the provision of these data occurs on your initiative.

You can withdraw the expressed consents at any time – however, this will not affect the lawfulness of processing carried out before their withdrawal.

We will also process your Personal Data in connection with the potential possibility of disputes arising between us, for statistical, analytical purposes, to ensure work safety, including the safety of people and property, or control of production or keeping information confidential, the disclosure of which could expose us to harm, or for our marketing purposes (e.g., to send a holiday greeting card) – the legal basis for their processing in such cases is the legitimate interest of the administrator (Art. 6(1)(f) GDPR).

We will generally process certain categories of your Personal Data for the period:

• of employment
• until the withdrawal of consent (in the scope of processing that takes place based on your expressed consent) or the realization of the purpose for which it was expressed,
• of effective objection (in the case of data whose processing is based on legitimate interest) - unless legal provisions require us to process these data for a longer period (in particular for archiving documents) or we will store them longer in case of potential claims for the period of their limitation specified by legal provisions, in particular the Labor Code or the Civil Code (in each case, the longer appropriate processing period applies).

In particular, in the case where the basis of our cooperation is:

• an employment contract – we may process your Personal Data contained in employee documentation for a maximum period of 10 years from the end of the calendar year in which the employment relationship was terminated or expired.
• another civil law contract, including B2B – we process your Personal Data for the duration

4. Data Processing Based on Video Surveillance

The administrator of your personal data is Braniborska Clinic Sp. z o.o., ul. Braniborska 10E/U6, 53-680 Wrocław, NIP: 8971954864, email address: info@braniborska.pl, contact phone: 71 716 67 90.

If you are on the premises of the Clinic, your data is processed as part of video surveillance. Providing your data in the form of a recorded image is voluntary, but necessary for entering and staying on the premises of the Clinic (it is not possible to enter and stay on the premises of the Clinic without entering the monitored zone).

Your Personal Data will be processed to ensure an appropriate level of security on the premises of the Clinic and to protect people and property, particularly to limit access to selected zones/areas only to authorized persons. We will also process your Personal Data in connection with the potential possibility of disputes arising between you and us.

The legal basis for processing your Personal Data is our legitimate interest as the administrator (Article 6(1)(f) of the GDPR). To the extent that our actions are intended to ensure your safety and the safety of others, the legal basis for our actions is also the necessity to protect the vital interests of the data subject or another natural person (Article 6(1)(d) of the GDPR).

In the case of video surveillance recordings, your data will be stored for a period of three months, unless the recordings constitute evidence in proceedings conducted on the basis of law or we have received information that they may constitute evidence in proceedings – in such a case, this period is extended until the final conclusion of the proceedings.

Access to your personal data will be granted only to our duly authorized employees or associates, partners, accounting, legal, or auditing advisors – to the extent necessary to perform their duties. Your data may, for example, be transferred to a hosting service provider or IT services, other entities that support us technically or organizationally, such as courier companies, security agencies. We may also be obliged – if there is a legal basis – to provide certain information to public authorities (e.g., the National Health Fund). All these entities have access only to the information necessary for their actions.

In the case of storing data outside the EEA, we use necessary technical and legal safeguards, including model contractual clauses approved by the European Commission (you can access such safeguards and a list of data recipients by contacting us).

We remind you that the GDPR grants you, in certain situations, the right to access your data, rectify your data, withdraw consent without affecting the lawfulness of processing carried out before its withdrawal, request data deletion, request restriction of processing, data portability, object if we process data based on our legitimate interests (if the objection is effective, we will cease processing), lodge a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office (a detailed description of the complaint procedure is available at: https://uodo.gov.pl/pl/83/155).

In case of questions regarding your Personal Data, we encourage you to contact us first.

5. Data Processing Related to Recording Telephone Conversations

We inform you that our telephone conversations are recorded. During a telephone conversation, we may process your Personal Data, such as your identification data (name and surname, phone number), contact metadata (e.g., date of contact, duration of our conversation), the content of our communication, and your voice. If you do not consent to the recording of our conversation, please disconnect.

The administrator of your personal data is Braniborska Clinic Sp. z o.o., ul. Braniborska 10E/U6, 53-680 Wrocław, NIP: 8971954864, email address: info@braniborska.pl, contact phone: 71 716 67 90.

The legal basis for processing your Personal Data in the form of telephone conversation recordings, apart from effectively expressed consent to the recording, is our legitimate interest, which is ensuring security, improving the quality of our services, statistical and analytical purposes, as well as defense or pursuit of potential claims (Article 6(1)(f) of the GDPR). Your consent to record the telephone conversation is voluntary, but if you do not give such consent, you must contact us through another communication channel (e.g., by visiting the Clinic).

Recordings of telephone conversations, and thus your Personal Data – depending on the purpose of our communication – may be processed from a few days (e.g., current communication, appointment scheduling) to the time of limitation of potential claims (e.g., in the case of filing a complaint). Your Personal Data processed based on our legitimate interest may be stored until you object to their processing, except in situations where, despite your objection, we conclude that there are important, legally justified grounds for processing, overriding your interests, rights, and freedoms, or grounds for establishing, pursuing, or defending claims.

Only our duly authorized employees or associates, partners, accounting, legal, or auditing advisors will have access to your personal data – to the extent necessary to perform their duties. Your data may, for example, be transferred to a hosting service provider or IT services, other entities that support us technically or organizationally, e.g., courier companies. We may also be obliged – if there is a legal basis – to provide certain information to public authorities. All these entities have access only to the information necessary for their actions.

In the case of storing data outside the EEA, we use necessary technical and legal safeguards, including model contractual clauses approved by the European Commission (you can access such safeguards and a list of data recipients) by contacting us.

We remind you that the GDPR grants you, in certain situations, the right to access your data, rectify your data, withdraw consent without affecting the lawfulness of processing carried out before its withdrawal, request data deletion, request restriction of processing, data portability, object if we process data based on our legitimate interests (if the objection is effective, we will stop processing), file a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office (a detailed description of the complaint procedure is available at: https://uodo.gov.pl/pl/83/155).

In case of questions regarding your Personal Data, we encourage you to contact us first.

6. Contact

Please be informed that our telephone conversations are recorded. During a telephone conversation, we may process your Personal Data, such as your identification data (name and surname, phone number), contact metadata (e.g., date of contact, duration of our conversation), the content of our communication, and your voice.

When you contact us, e.g., electronically, by phone, etc., examples of Personal Data we may process include: identification data (e.g., email address, IP number, etc.), contact metadata (e.g., date of contact, duration of our conversation), and the content of our communication (e.g., email content). Your Personal Data is processed to respond to your inquiry, improve our communication, enhance customer service quality, and for marketing purposes. The purpose of processing depends on the purpose of our communication, hence sometimes your Personal Data will be used to conclude an appropriate agreement with you, and if we already have an agreement – to provide you with appropriate care within our cooperation (e.g., changing the appointment date, information about the need to collect documents from the Clinic, etc.).

In such cases, the legal basis for processing depends on the context of the communication. If you contact us solely to obtain general information, e.g., what tests we conduct, what are the appointment dates, in principle, there may be no processing of personal data. However, if such processing occurs (you provide specific data identifying you), we process your Personal Data based on our legitimate interest (resulting from the aforementioned purposes; Article 6(1)(f) of the GDPR). However, if your inquiry leads to the conclusion of a contract, the appropriate legal basis for processing will be Article 6(1)(b) of the GDPR - taking action at the request of the data subject before concluding a contract. If we already have a contract, and you contact us regarding its performance, the basis for our actions is Article 6(1)(b) of the GDPR – necessity for the performance of a contract. We may also process your Personal Data for the purpose of considering and pursuing claims - the legal basis for processing is then our legitimate interest (Article 6(1)(f) of the GDPR).

Providing Personal Data is voluntary, but it may be necessary to communicate with us effectively.

If your Personal Data was collected solely in connection with our current communication, we may process it, depending on the category of each piece of information, for a period from a few days to several months (more detailed inquiries and conversations that may be relevant to our contact in the future).

Your Personal Data processed based on our legitimate interest may be stored until you object to its processing, except in situations where, despite your objection, we conclude that there are important, legally justified grounds for processing, overriding your interests, rights, and freedoms, or grounds for establishing, pursuing, or defending claims.

Only our duly authorized employees or associates, partners, accounting, legal, or auditing advisors will have access to your personal data – to the extent necessary to perform their duties. Your data may be, for example, transferred to a hosting service provider or IT service provider, other entities that support us technically or organizationally, e.g., courier companies. We may also be obliged – if there is a legal basis for it – to provide certain information to public authorities (e.g., the National Health Fund). All these entities have access only to the information necessary for their actions.

In the case of storing data outside the EEA, we use necessary technical and legal safeguards, including model contractual clauses approved by the European Commission (you can access such safeguards and a list of data recipients) by contacting us.

We remind you that the GDPR grants you, in certain situations, the right to access your data, rectify your data, withdraw consent without affecting the lawfulness of processing carried out before its withdrawal, request data deletion, request restriction of processing, data portability, object if we process data based on our legitimate interests (if the objection is effective, we will cease processing), lodge a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office (a detailed description of the complaint procedure is available at: https://uodo.gov.pl/pl/83/155).

In case of questions regarding your Personal Data, we encourage you to contact us first.

IV. Current version of the policy

This policy is effective from July 11, 2025.