Privacy policy

Privacy policy


Due to our cooperation, in order to protect the personal data of our patients/customers and their privacy, we would like to inform you, in fulfilment of our obligation under the GDPR, about how your data is processed and protected by us, as explained in this document. The regulations described herein apply to the processing of all personal data within our business activity.

I. Controller of the data, definitions

  1. The Controller of your personal data is: conducting business activity under the company
    Skin Spa
    NIP: PL 8942958687
    ul. Aleja Wiśniowa 85B/3, Wrocław
    tel +48502392615
    Within the meaning of Regulation (EU) No 45/2001 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter “GDPR”), this means that the controller determines the purposes and means of the processing of personal data on its own account and under its own responsibility.
  2. We would like to inform you that according to the GDPR, personal data is any information concerning an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to data such as his name, surname, address, e-mail address, identification number or a group of information relating to his social, health, family or racial situation.
  3. Providing personal data to the Controller is voluntary, but it may be necessary to conclude an agreement with us and perform it or provide medical assistance, as it is often not possible without data.
  4. Processing of personal data is any action on personal data, including its collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution or otherwise making available, alignment or combination, restriction, deletion or destruction (Article 4 GDPR).

  5. II. Rights of the individual whose data are processed

  6. Everyone whose personal data we process has:
    • the right to access his data and receive its copy,
    • the right to rectify (correct) their data,
    • the right to limit data processing,
    • the right to lodge objections to data processing,
    • the right to transfer data to other entities;
    • prawo do przenoszenia danych do innych podmiotów;
    • the right to lodge a complaint with a supervisory authority if you consider that we are processing your personal data incorrectly and in violation of the law, including the regulations of the GDPR;
    • the right to revoke the prior consent for the processing of personal data.

  7. We can always process and process your personal data only to the extent that it is necessary for the purposes of the data processing (adequate), in particular the data necessary for the execution and conclusion of agreements with you, including agreements for the provision of medical services (Article 6(1)(b) of the GDPR). We may also process data for the purposes of possible claims under civil law, if any (Article 6 section 2 letter f of the GDPR). We may also process data for tax and accounting purposes or to fulfil other obligations imposed on us by law, like those related to the settlement with the NFZ [National Health Fund] (Article 6 section 1 letter c of the GDPR). In addition, we may ask you to give us your consent for the processing of your data and to process certain categories of data on this basis (Article 6 section 1 letter a of the GDPR).
  8. We also process your health data, which are sensitive data within the meaning of the GDPR, but we do this only to the extent and for the purpose necessary for the medical diagnosis, provision of health care or social security, treatment or management of health care systems and services (basis – Article 9 section 2 letter h of the GDPR).
  9. All data processed by us, whether on paper or in electronic form, are protected by physical, IT and technical and organisational safeguards. All data in the IT system is encoded and encrypted, and our employees have been trained on the requirements of protecting the security of your personal data.
  10. Each Customer/Patient may contact us about exercising the rights referred to in this policy or about any questions regarding data protection at or by letter at
    Skin Spa
    NIP: PL 8942958687
    ul. Aleja Wiśniowa 85B/3, Wrocław
    tel +48502392615

  11. You have the right to lodge a complaint against the processing of data on the basis of a legitimate interest (Article 21 of the GDPR) at any time. You can do this any way you want to contact us.
  12. Following an objection, we will cease processing your personal data to the extent of the objection concerned, unless there are important legitimate interests, which take precedence over your interests, rights and freedoms or your data will be necessary for us to possibly determine, assert or defend your claims, or to fulfil our obligations to state authorities acting within the limits and under the law.
    These exceptions derive directly from the GDPR regulations.

  13. III. Recipients of personal data, processing time

  14. The recipients of your personal data may be entities providing accounting, HR and payroll services for us, specialized providers of data storage and IT services, as well as entities to which we are obliged to provide data on the basis of applicable laws, including the Tax Office, the National Health Fund or authorities supervising medical activities.
  15. Your personal data will be processed by us for the time necessary to perform the service provision agreement and additionally for the time required for possible claims or settlement with state authorities, including the Tax Office or the National Health Fund, but not longer than 10 years from the end of cooperation with you or the termination of medical care.
  16. We would like to point out that your personal data shall not be transferred outside the European Economic Area (EEA) or to an international organisation.

  17. IV. Others

  18. We indicate that your personal data shall not be processed in an automated way.
  19. No profiling processes based on personal data shall be conducted with respect to you.
  20. The President of the Personal Data Protection Office shall be the supervisory authority to which a complaint may be lodged against the Controller’s actions breaching the provision on personal data protection.
  21. The above explained privacy policy provisions concerning personal data protection apply regardless of trade secrets resulting from the Act of 6 November 2008 on Patient’s Rights and Patient Ombudsman, the Act of 5 December 1996 on the profession of a doctor and a dentist, the Regulation of the Minister of Health of 9 November 2015 on the types, scope and models of medical documentation and the method of its processing and do not in any way breach the provisions of patient data protection.