
The privacy policy

The Privacy Policy applies to the processing of personal data collected via the website at www.diabetyk24.pl, as well as the data collected in connection with our business and sales of medical devices and other products we offer, for which orders can be placed by phone, via e-mail and in our stores throughout the country.

The Privacy Policy describes:

  • how we collect personal data of: customers purchasing products, including medical devices, people reporting medical incidents, counterparties who are natural persons, people authorized to represent counterparties when concluding contracts with us and employees/associates authorized by counterparties to contact Diabetyk24 in matters related to the performance of the contract,
  • for what purposes we process the data of the above-mentioned categories of persons,
  • with whom we share the data and on what basis,
  • for how long we store personal data,
  • the rights of persons whose data is processed by us,
  • the manner of exercising the rights of the persons whose data we process.

Whenever you visit our website and use its functionalities, e.g. browse it, read the information contained therein or download it or otherwise use it, and in particular make purchases via the website, you should remember that the Cookies Policy and the Portal Terms and Conditions and, if applicable, the Terms and Conditions of the online store, also apply to the processing of personal data. These documents should be read in conjunction with this Privacy Policy.

Administrator's contact details:

Diabetyk24 sp. z o.o.
02-496 Warsaw, ul. Traktorzystów 28D
www.diabetyk24.pl
telephone number: +48 22 464 86 86
e-mail: rodo@diabetyk24.pl

entered in the National Court Register by the District Court for the capital city of Warsaw in Warsaw, XIII Commercial Division of the National Court Register, under KRS no. 0000365882, Tax ID (NIP) no. 7010259045, REGON 142611096.

To ensure high safety standards, Diabetyk24 sp. z o.o. has appointed a Data Protection Officer: attorney-at-law Monika Niedobecka.

You can contact the Data Protection Officer by e-mail: rodo@diabetyk24.pl or by sending a letter to the following address: Diabetyk24 Sp. z o.o., ul. Traktorzystów 28D, 02-495 Warsaw with the annotation GDPR.

For what purposes do we process personal data

Sales of offered products and medical devices

First of all, we collect only the data that is necessary for us to achieve a specific purpose. What does this mean in practice?

The scope of collected personal data which you will be asked to provide may differ depending on which sales channel the purchase and delivery (collection) of products is carried out through and what type of products you purchase and whether the purchase is reimbursed by the National Health Fund (NFZ).

If you place an order by phone or e-mail, we may collect data such as telephone number, e-mail address, name, surname, address, data necessary for the delivery of goods, type, and quantity of purchased products. This is the minimum scope of data that is needed for the purchase order of the products to be fulfilled. The legal basis for data processing is taking steps at the request of the data subject prior to entering into a contract and performing the contract (Article 6 (1) (b) of the GDPR). The personal data of those of you who make a purchase in our Diabetyk24 online store is processed on the same legal basis. When shopping in the online store, you can take advantage of an additional functionality and make a purchase under the account you have set up. Having such an account is convenient because you have online access to the history of your orders, your personal data, you can manage your consent to data processing, and at any time opt out of having such an account as a free service provided electronically. Having an account requires you to set a password and provide an e-mail address that will act as your login. When purchasing products in one of our stationary stores, you do not need to provide personal data, unless you purchase medical devices which are subject to an issued reimbursement order (prescription), or you want to obtain an invoice document.

Regardless of the purchase method, if you wish to receive an invoice, you will also need to provide the data required to issue it. In this case the range of data collected may also differ: if the products are purchased by a company, it will be necessary to provide its full name, legal form, and tax identification number. The legal basis for processing the data needed to issue and store an invoice is a legal obligation (Article 6 (1) (c) of the GDPR). On this basis, we will also process your data to the extent necessary to be able to consider any claims under warranty.

In the case of carrying out an order for the purchase of a medical device covered by NFZ reimbursement, you will be asked, among other things, to provide the PESEL number (Polish national identification number) of the person for whom the order was issued, the order number, as well as the name and surname and PESEL number of the person who collects the reimbursed medical devices. This is a legal obligation and, in accordance with the law, we have the right to request and process this data. The legal basis for the processing of your data for the purposes of settlements with the National Health Fund and management of healthcare systems and services is Article 9 (2) (h) of the GDPR and the applicable provisions from the act of May 12, 2011 on the reimbursement of drugs, special purpose foods and medical devices, as well as the act of August 27, 2004 on healthcare services financed from public funds.

If you purchase medical devices (not only as part of the NFZ reimbursement), we may ask you to provide personal data, such as your name and preferred contact details.

We may also process your personal data in our legitimate interest (Article 6 (1) (f) of the GDPR), which we consider to include:

  • conducting analyses, audits, and reporting for internal business purposes,
  • handling reclamations and complaints,
  • ensuring the protection of property, protection of IT systems against abuse and safety of the people staying at our headquarters or in stationary stores, which includes the use of a video monitoring system for recording your image,
  • marketing of own products (if these activities involve sending commercial information - then, in order to be able to take such actions, we will need your consent - Article 10 of the Act on providing services by electronic means),
  • conducting research and evaluation of the quality of provided services and products in order to be able to constantly improve them,
  • recording phone calls for evidence purposes in connection with orders placed and for handling the complaint and reclamation process, as well as to continuously improve the quality of services related to customer service (including it being part of training courses aimed at improving the customer service process),
  • keeping an identification register (if you purchase medical devices, not only as part of the NFZ reimbursement, we may ask you to provide data, such as name and surname and preferred contact details, in case we obtained information about medical incidents, such as device defects etc. and wanted to contact you and provide you with relevant and important information),
  • communicating with you, including informing about the progress in executing the contract, the availability of products and significant changes to the website,
  • archiving information and documents for the purposes of demonstrating the proper execution of legal obligations, contractual obligations, or the proper course of specific processes, within which we collected personal data, including establishing, investigating, and defending the claims.

Use of portal functionalities

In the scope of using the www.diabetyk24.pl portal functionalities, a contract for the provision of electronic services is concluded (pursuant to Article 6 (1) (b) of the GDPR).

  • User Account management service - if the User wants to use the Account functionalities, he may be asked to provide the necessary personal data to register and create an account (name and surname, address, e-mail address, telephone number, login and password). Providing data to the extent necessary to create an account is voluntary, but necessary for the account to be created. At this stage, the User may also be asked to read specific regulations and to confirm the fact that he has read the terms of providing a specific service and information on the processing of personal data.
  • Order Form service - if the User uses the option of ordering products in the Online Store, then he will be asked to provide specific personal data to the extent necessary to provide the service, such as: name, surname, address, e-mail address, telephone number. In the case of Orders for Reimbursed Products - the User will be asked additionally for the data required by the NFZ Order, in accordance with the Terms and Conditions of the store. Providing this data is voluntary, but at the same time it is necessary in order for us to provide the service.
  • Newsletter Service - when using the Newsletter Service, the user will be asked to provide his personal data to the extent necessary to provide this service, i.e., an e-mail address. Providing an e-mail address is necessary for this service to be provided.

Consent to personal data processing 

If none of the above-mentioned premises apply, your personal data may be processed on the basis of voluntary consent - to the extent and purpose of its expression. The data will be processed until the goal is achieved or until the consent is withdrawn, which you can do at any time, e.g. by sending such a request to the address: rodo@diabetyk.pl.

Handling medical incidents

In relation to some medical devices and products, we have the status of a distributor within the meaning of the Act on Medical Devices, and we are obliged, on the one hand, to receive all information about medical incidents, and on the other hand, to provide information about them to authorized state bodies and other entities (e.g. manufacturers). When medical incidents are reported to us, we will process your personal data as the data of a person reporting incidents, including information on the type of incident, time of the incident, type, model, and number of the medical device which the incident concerns, circumstances related to the incident, and effects. The legal basis for this is the necessity of processing to ensure high quality and safety standards of medical devices (Article 6 (1) (c) of the GDPR and Article 9 (2) (i) of the GDPR).

Communication with persons contacting Diabetyk24 on their own initiative

If you correspond with us by e-mail, traditional letter or via forms available on the website, your personal data may be processed to the extent that you have provided it to us. This is mainly data such as name, surname, address, telephone number or e-mail address and details of the case about which you contact us. Providing data is voluntary, but in some cases it may be necessary in order for us to be able to take the actions you request, e.g. failure to provide a telephone number in the contact form will prevent us from contacting you by phone. The legal basis for the processing of personal data is our legitimate interest (Article 6 (1) (f) of the GDPR), which for us includes the handling of correspondence addressed to the Company and its archiving for the purposes of establishing, investigating, and defending claims.

Performance of contracts with counterparties

Running a business without the support of other entities would be almost impossible, therefore our business may involve the processing of personal data of counterparties who are natural persons.

Counterparties' data will be processed for the purpose of:

  • performance of the concluded contract and taking steps, at the request of a potential Counterparty, even before concluding the contract (Article 6 (1) (b) of the GDPR),
  • fulfillment of legal obligations, in particular those of a tax nature, related to issuing and storing accounting documents (Article 6 (1) (c) of the GDPR),
  • our legitimate interest (Article 6 (1) (f) of the GDPR), which we consider to include:
      • direct marketing of own services, including those based on consent referred to in the provisions of the Act on the provision of electronic services - if required,
      • conducting analyses, audits, and reports for internal business purposes,
      • archiving for the purpose of demonstrating the proper performance of legal obligations and contractual obligations, including establishing, investigating, and defending claims.

Communication with persons authorized to represent counterparties in contacts with Diabetyk24 in order to perform the contract

In connection with contracts that are being concluded or have been concluded, personal data of natural persons other than Counterparties may be processed, e.g., of the members of the Management Board, proxies authorized to represent the counterparty when concluding the contract, employees, associates. This is because, in order to conclude and perform a contract, the parties very often must agree on the details, and usually they do so through the above-mentioned categories of persons. The legal basis for the processing of personal data of this category of persons is our legitimate interest (Article 6 (1) (f) of the GDPR), which we consider to include:

  • communication for the purposes of executing contracts that are being concluded or have been concluded; in this regard, the data will be processed for the duration of the contract or for the duration of activities prior to the conclusion of the contract,
  • direct marketing of own services, including those based on consent referred to in the provisions of the Act on the provision of electronic services - if required,
  • conducting analyses, audits, and reports for internal business purposes,
  • establishing, investigating, and defending claims. This data will be processed until the expiry of the limitation period for claims, and in the event of legal proceedings or any other proceedings conducted by state authorities - until their finalization.

How long do we store personal data

We will only store personal data for as long as it is necessary to achieve the purposes for which it was collected, including for the duration of the contract, until the fulfillment of a legal obligation or until achieving any goal based on the legitimate interest, and no longer than until the expiry of the limitation period for claims that may be pursued within and in connection with the business processes in which they were collected.

Data recorded via video monitoring will be stored for a period not exceeding 3 months from the date of recording. In a case where the image recordings constitute evidence in legal proceedings or if Diabetyk24, as an employer, becomes aware that they may constitute evidence in the proceedings - the storage period is extended until the finalization of the proceedings.

Sharing personal data with recipients

The recipients of your personal data may only be companies that support Diabetyk24 in achieving the above-mentioned objectives of processing, and in this respect, they provide us with certain services, within which your personal data is processed. These entities include IT service providers (maintaining and providing us with systems for personal data processing), providers of accounting and postal services, as well as legal advisory services (law firms).

Your data may also be transferred to other entities if you consent to that.

In the cases specified in the applicable legal provisions, your personal data may be shared with state authorities for their proceedings, as well as with other legal entities, e.g. producers, when such an obligation arises from legal provisions, in the event of becoming aware of medical incidents.

Where do we get the data we process from

In the vast majority of cases, personal data comes directly from the data subjects, i.e. you provide us with it as clients, persons reporting incidents, persons contacting us, contracting parties or their representatives. In some cases, it may happen that your data will be shared with us by other entities - e.g. your employer, who has authorized you to contact us in matters of a commercial contract concluded with us.

Transferring data outside the EEA

Since the Administrator uses the marketing tools provided by Google, personal data may be transferred outside the European Economic Area, among others, to the USA. The administrator ensures that the transfer of data to entities operating in the USA takes place with the use of appropriate safeguards, based on an appropriate agreement between the Administrator and such entity containing standard contractual clauses adopted by the European Commission.

Do you have to provide data?

Please remember that providing data is voluntary but may be necessary to conclude a contract or perform obligations specified by legal provisions. The consequence of not providing data may be the inability to conclude a contract, to complete an order for a medical device or to perform an action for which we need your consent.

What are the rights of individuals whose data we process?

Depending on the legal basis for the processing of personal data and the premises referred to in art. 7 and 15-21 of GDPR, each person whose data is being processed has the right to:

  • access their personal data and receive a copy of it (Article 15 of the GDPR),
  • rectify incorrect data and supplement incomplete data (Article 16 of the GDPR),
  • delete personal data (Article 17 of the GDPR),
  • limit processing in the cases referred to in art. 18 GDPR,
  • transfer data, in the cases specified in art. 20 GDPR,
  • object at any time - for reasons related to a particular situation - to the processing of their personal data based on art. 6 (1) (f) GDPR and in other cases referred to in art. 21 GDPR,
  • withdraw consent at any time, which does not affect the lawfulness of processing based on consent before its withdrawal (Article 7 of the GDPR).

In order to exercise any of the above-mentioned rights, please send an appropriate request to Diabetyk24 sp. z o.o. In case of doubts related to the submission of a request, please contact us by e-mail at rodo@diabetyk24.pl.

The person whose personal data is being processed also has the right to lodge a complaint with the supervisory authority if they believe that Diabetyk24 sp. z o.o. processes their personal data contrary to applicable law. In Poland, the supervisory body is the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw.

The processing of your personal data and its protection is very significant to us. It is important to us that any doubts that arise with the processing of data are immediately resolved. Therefore, we would be grateful if, in case of any doubts regarding the lawful processing of your personal data by us, you would contact us, so that we can deal with them immediately.