Administrator's contact details:
Diabetyk24 sp. z o.o.
02-496 Warsaw, ul. Traktorzystów 28D
telephone number: +48 22 464 86 86
entered by the District Court for the capital city of Warsaw in Warsaw, XIII Commercial Division of the National Court Register, under no KRS 0000365882, Tax ID no (NIP) 7010259045, Regon 142611096.
To ensure high safety standards at Diabetyk24 sp.z o.o. a Data Protection Officer was appointed - attorney-at-law Monika Niedobecka.
You can contact the Data Protection Officer by e-mail: firstname.lastname@example.org or by sending a letter to the following address: Diabetyk24 Sp. z o.o., ul. Traktorzystów 28D, 02-495 Warsaw with the annotation GDPR.
For what purposes do we process personal data
Sales of offered products and medical devices
First of all, we collect only the data that is necessary for us to achieve a specific purpose. What does this mean in practice?
The scope of collected personal data which you will be asked to provide may differ depending on which sales channel the purchase and delivery (collection) of products is carried out through and what type of products you purchase and whether the purchase is reimbursed by the National Health Fund (NFZ).
If you place an order by phone or e-mail, we may collect data such as telephone number, e-mail address, name, surname, address, data necessary for the delivery of goods, type, and quantity of purchased products. This is the minimum scope of data that is needed for the purchase order of the products to be fulfilled. The legal basis for data processing is taking steps at the request of the data subject prior to entering into a contract and performing the contract (Article 6 (1) (b) of the GDPR). The personal data of those of you who make a purchase in our Diabetyk24 online store is processed on the same legal basis. When shopping in the online store, you can take advantage of an additional functionality and make a purchase under the account you have set up. Having such an account is convenient because you have online access to the history of your orders, your personal data, you can manage your consent to data processing, and at any time opt out of having such an account as a free service provided electronically. Having an account requires you to set a password and provide an e-mail address that will act as your login. When purchasing products in one of our stationary stores, you do not need to provide personal data, unless you purchase medical devices which are subject to an issued reimbursement order (prescription), or you want to obtain an invoice document.
Regardless of the purchase method, if you wish to receive an invoice, it will also be necessary to provide necessary data to issue it (in this case the range of data collected may also be different, if the products are purchased by a company, it will be necessary to provide its full name, legal form, tax identification number). The legal basis for data processing, needed for issuing an invoice and storing it, is the legal obligation (Article 6 (1) (c) of the GDPR). On this basis, we will also process your data to the extent necessary to be able to consider any claims under warranty.
In the case of carrying out an order for the purchase of a medical device covered by NFZ reimbursement, you will be asked, among other things, to provide the PESEL number (Polish national identification number) of the person for whom the order was issued, the order number, as well as the name and surname and PESEL number of the person who collects the reimbursed medical devices. This is a legal obligation and, in accordance with the law, we have the right to request and process this data. The legal basis for the processing of your data for the purposes of settlements with the National Health Fund and management of healthcare systems and services is Article 9 (2) (h) of the GDPR and the applicable provisions from the act of May 12, 2011 on the reimbursement of drugs, special purpose foods and medical devices, as well as the act of August 27, 2004 on healthcare services financed from public funds.
If you purchase medical devices (not only as part of the NFZ reimbursement), we may ask you to provide personal data, such as your name and preferred contact details.
We may also process your personal data in our legitimate interest (Article 6 (1) (f) of the GDPR), part of which we consider:
Use of portal functionalities
In the scope of using the www.diabetyk24.pl portal functionalities, a contract for the provision of electronic services is concluded (pursuant to Article 6 (1) (b) of the GDPR).
Consent to personal data processing
If none of the above-mentioned premises apply, your personal data may be processed on the basis of voluntary consent - to the extent and purpose of its expression. The data will be processed until the goal is achieved or until the consent is withdrawn, which you can do at any time, e.g. by sending such a request to the address: email@example.com.
Handling medical incidents
In relation to some medical devices and products, we have a status of a distributor within the meaning of the Act on Medical Devices, and we are obliged, on the one hand, to receive all information about medical incidents, and on the other hand, to provide information about them to authorized state bodies and other entities (e.g. manufacturers). When it comes to reporting medical incidents to us, we will process your personal data as data of a person reporting incidents, including information on the type of incident, time of the incident, type, model, and number of the medical device which the incident concerns, circumstances related to the incident, and effects. The legal basis of that is the necessity of processing to ensure high quality and safety standards of medical devices (Article 6 (1) (c) of the GDPR and Article 9 (2) (i) of the GDPR).
Communication with persons contacting Diabetyk24 on their own initiative
If you correspond with us by e-mail, traditional letter or via forms available on the website, your personal data may be processed to the extent that you have provided us with. This is mainly data such as name, surname, address, telephone number or e-mail address and details of the case about which you contact us. Providing data is voluntary, but in some cases it may be necessary, in order for us to be able to take certain actions wanted by you, e.g. failure to provide a telephone number in the contact form will prevent us from contacting you by phone. The legal basis for the processing of personal data is our legitimate interest (Article 6 (1) (f) of the GDPR), part of which for us is the handling of correspondence addressed to the Company and its archiving for the purposes of establishing, investigating, and defending claims.
Performance of contracts with counterparties
Running a business without the support of other entities would be almost impossible, therefore our business may involve the processing of personal data of counterparties who are natural persons.
Counterparties' data will be processed for the purpose of:
• performance of the concluded contract and taking steps, at the request of a potential Counterparty, even before concluding the contract (Article 6 (1) (b) of the GDPR),
• fulfillment of legal obligations, in particular those of a tax nature, related to issuing and storing accounting documents (Article 6 (1) (c) of the GDPR),
• our legitimate interest (Article 6 (1) (f) of the GDPR), as which we recognize:
• direct marketing of own services, including those based on consent referred to in the provisions of the Act on the provision of electronic services - if required,
• conducting analyzes, audits, reports for internal business purposes,
• archiving for the purpose of demonstrating the proper performance of legal obligations and contractual obligations, including establishing, investigating, and defending claims.
Communication with persons authorized to represent counterparties in contacts with Diabetyk24 in order to perform the contract
On the occasion of concluding or concluded contracts, personal data of natural persons other than Counterparties may be processed, e.g., of the members of the Management Board, proxies authorized to represent the counterparty when concluding the contract, employees, associates. This is due to the fact that very often, in order to conclude and perform a contract, the parties must agree on the details, and usually they do so through the above-mentioned categories of persons. The legal basis for the processing of personal data of this category of persons is our legitimate interest (Article 6 (1) (f) of the GDPR), part of which we consider:
How long do we store personal data
We will only store personal data for as long as it is necessary to achieve the purposes for which it was collected, including for the duration of the contract, until the fulfillment of a legal obligation or until achieving any goal based on the legitimate interest, and no longer than until the expiry of the limitation period for claims that may be pursued within and in connection with the business processes in which they were collected.
Data recorded via video monitoring will be stored for a period not exceeding 3 months from the date of recording. In a case where the image recordings constitute evidence in legal proceedings or if Diabetyk24, as an employer, becomes aware that they may constitute evidence in the proceedings - the storage period is extended until the finalization of the proceedings.
Sharing personal data with recipients
The recipients of your personal data may only be companies that support Diabetyk24 in achieving the above-mentioned objectives of processing, and in this respect, they provide us with certain services, within which your personal data is processed. These entities include IT service providers (maintaining and providing us with systems for personal data processing), providers of accounting and postal services, as well as legal advisory services (law firms).
Your data may also be transferred to other entities if you consent to that.
In the cases specified in the applicable legal provisions, your personal data may be shared with state authorities for their proceedings, as well as with other legal entities, e.g. producers, when such an obligation arises from legal provisions, in the event of becoming aware of medical incidents.
Where from do we get the data we process
In the vast majority of cases, personal data comes directly from the data subjects, i.e. you provide us with it as clients, persons reporting incidents, persons contacting us, contracting parties or their representatives. In some cases, it may happen that your data will be shared with us by other entities - e.g. your employer, who has authorized you to contact us in matters of a commercial contract concluded with us.
Transferring data outside the EEA
Since the Administrator uses the marketing tools provided by Google, personal data may be transferred outside the European Economic Area, among others, to the USA. The administrator ensures that the transfer of data to entities operating in the USA takes place with the use of appropriate safeguards, based on an appropriate agreement between the Administrator and such entity containing standard contractual clauses adopted by the European Commission.
Do you have to provide data?
Please remember that providing data is voluntary but may be necessary to conclude a contract or perform obligations specified by legal provisions. The consequence of not providing data may be the inability to conclude a contract, to complete an order for a medical device or to perform an action for which we need your consent.
What are the rights of individuals whose data we process?
Depending on the legal basis for the processing of personal data and the premises referred to in art. 7 and 15-21 of GDPR, each person whose data is being processed has the right to:
In order to implement any of the above-mentioned rights, please send an appropriate request to Diabetyk24 sp.z o.o. In case of doubts related to the submission of a request, please contact us by e-mail at firstname.lastname@example.org.
The person whose personal data is being processed also has the right to lodge a complaint with the supervisory authority if they believe that Diabetyk24 sp.z o.o. processes their personal data contrary to applicable law. In Poland, the supervisory body is the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw.
The processing of your personal data and its protection is very significant to us. It is important to us that any doubts that arise with the processing of data are immediately resolved. Therefore, we would be grateful if, in case of any doubts regarding the lawful processing of your personal data by us, you would like to contact us, so that we can deal with them immediately.