Privacy and Cookies Policy

We respect and protect your privacy. Therefore, we have prepared this document to set out the issues related to the collection, processing, and storage of personal data necessary for the provision of electronic services through the website available at www.klinikababcimarysi.pl.

We also ensure that your data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the “GDPR”).


General Provisions

The controller of the personal data collected through the website www.cmbm.pl is Centrum Medyczne BM Sp. z o.o., with its registered office in Będzin
(42-504 Będzin, Niepodległości 34),
Tax ID (NIP): 6252504720, REGON: 543882850-00010, KRS: 0001221542.

The data controller is responsible for the security of the personal data provided and for processing such data in accordance with applicable law. The Controller may be contacted by email at info@cmbm.pl, by phone at +48 508208420, or by post at the address indicated above.

The Controller has appointed a Data Protection Officer (DPO), Ms. Izabela Dziuba, who may be contacted regarding matters related to the processing of personal data and the exercise of the rights granted to users under personal data protection law at: iod@cmbm.pl.

Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and other currently binding legal provisions on personal data protection, applicable throughout the period of processing of the relevant data.

When you visit our website, certain IT-related data is collected automatically, including:

  • IP address,
  • operating system type,
  • browser type/kind.

The scope of the data we process depends on the purpose for which it is provided. For appointment scheduling purposes, we process the following data:

  • first name,
  • last name,
  • gender,
  • PESEL number or date of birth (if no PESEL number is available),
  • telephone number,
  • email address.

The above data is also used to verify identity before the provision of healthcare services.

As a medical entity, the Controller is obliged to create and retain medical records, the content and scope of which are defined by applicable law. The data contained in such records includes, among other things, a description of the course of treatment and diagnostics.

In connection with our business activity, we process (or may process) personal data for the following purposes:

  • Provision of healthcare services, including in particular activities related to preventive healthcare, medical diagnosis and treatment, as well as ensuring healthcare and managing healthcare services (e.g. registration, e-registration, prescription order processing, settlements with the payer, maintenance and storage of medical documentation, identity verification before an appointment, issuing sick leave certificates and handling them in systems) – based on Article 6(1)(c) GDPR in conjunction with Article 9(2)(h) GDPR and the legal provisions governing the provision of healthcare services, in particular the Act of 15 April 2011 on Medical Activity, the Act of 6 November 2008 on Patients’ Rights and the Patients’ Rights Ombudsman, and the Act of 27 August 2004 on Healthcare Services Financed from Public Funds.
  • Provision of occupational medicine services, including the assessment of employees’ fitness for work (based on an agreement concluded with the employer) – based on Article 9(2)(h) GDPR in conjunction with Articles 6 and 11 of the Act on Occupational Medicine Services.
  • Keeping accounting records and tax settlements – based on Article 6(1)(c) GDPR in conjunction with Article 74(2) of the Accounting Act of 29 September 1994 and the Act of 11 March 2004 on Value Added Tax.
  • Execution of patients’ rights regarding access to medical records and health information for persons authorized by the patient through telephone, email, or in person – based on Article 6(1)(c) GDPR in conjunction with Article 9(3) and Article 26(1) of the Act on Patients’ Rights.
  • Conducting correspondence in traditional and electronic form using email and contact forms. Your data is processed for the purpose of maintaining contact, including responding to questions asked, where the legal basis for processing is Article 6(1)(f) GDPR – the legitimate interest of the Controller. Where the user provides special categories of data (e.g. health information), the user declares that they consent to the use of such data for the proper handling of the inquiry and responding to it, including communication and providing answers (legal basis – Article 9(2)(a) GDPR – consent).
  • Managing the Controller’s social media profiles with regard to data processing connected with the use of a given social media platform, where the legal basis is Article 6(1)(f) GDPR, i.e. the Controller’s legitimate interest in managing its profile on a given platform, as well as your consent (Article 6(1)(a) GDPR), expressed for example by joining a group created by the Controller on a given platform. The data is jointly controlled by the Controller and Meta Platforms Ireland Limited. The data will be processed until an objection to the processing is raised.
  • Managing cookies, including processing data such as IP address and user behavior on the website, where the legal basis is Article 6(1)(a) GDPR, which allows the processing of personal data based on your consent. You give your consent during your first visit to the website.
  • Establishing, pursuing, or defending claims with regard to the processing of the data indicated above, where the legal basis is Article 6(1)(f) GDPR, which allows the processing of personal data where the Controller pursues its legitimate interest (in this case, the interest of the Controller is to possess personal data enabling it to establish, pursue, or defend claims brought by website users, third parties, or customers).

Data collected through the Service will not be used for decisions based solely on automated processing of personal data, including profiling within the meaning of Article 22 GDPR.

Personal data processed through the Service, while maintaining all data security guarantees, may be disclosed to persons authorized by the Controller, as well as to other entities, including:

  • entities authorized to receive such data under the law,
  • processors acting on behalf of the Controller (e.g. advisory service providers, technical service providers, IT and hosting providers),
  • other data controllers to the extent necessary for the performance of services and compliance requirements.

In connection with the processing of personal data by the Controller, the website user is entitled to:

  • the right of access to their personal data – we will confirm whether we process your data and, if so, provide you with access to it and the information referred to in Article 15 GDPR;
  • the right to rectification of your personal data (Article 16 GDPR) if your data is inaccurate or incomplete;
  • the right to erasure of your personal data if one of the conditions set out in Article 17 GDPR is met, for example if your personal data is no longer necessary for the purposes for which it was collected;
  • the right to restriction of processing in the cases referred to in Article 18 GDPR, for example where you contest the accuracy of your personal data;
  • the right to object to the processing of your personal data where the legal basis is the legitimate interest of the Controller under Article 6(1)(f) GDPR; you may object at any time – on grounds relating to your particular situation. After an objection is raised, the Controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for processing overriding your interests, rights and freedoms, or grounds for the establishment, exercise, or defense of claims;
  • the right to data portability – you may receive your data from us in a commonly used format if we process it by automated means and on the basis of your consent. We may transfer that data to another controller or you may request that we do so, where technically feasible;
  • the right to withdraw consent to the processing of personal data at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal;
  • the right to lodge a complaint with the supervisory authority, i.e. the President of the Personal Data Protection Office:
    https://uodo.gov.pl/pl/83/155
    if you believe that the processing of your personal data violates the law.

To exercise the above rights, please contact the Data Protection Officer at: iod@cmbm.pl

The Controller will not transfer your personal data to countries outside the European Economic Area (i.e. countries other than European Union countries, Iceland, Norway, and Liechtenstein).


Data Collected Automatically

Using the Service involves sending requests to the server, which are automatically recorded in event logs.

The event logs contain data regarding user sessions such as:

  • IP address,
  • type and name of device,
  • date and time of visits to our Service,
  • information about the web browser and operating system.

The data referred to above is not associated with specific individuals.

Access to the contents of the event logs is available to persons authorized by the Controller to administer the Service. The chronological record of information about events constitutes auxiliary material used solely for administrative purposes. Analysis of event logs enables, in particular:

  • threat detection,
  • ensuring adequate Service security,
  • compiling statistics in order to better understand how users use the Service.

The data indicated above is used for diagnosing problems related to the functioning of the Service and analyzing potential security breaches, administering the Service, and compiling statistics (legal basis – Article 6(1)(f) GDPR – legitimate interest).

In addition, the website uses cookies to function properly. More information on this subject is provided below.

Your data is protected by technical and organizational measures designed to prevent the risk of infringement of rights or freedoms.

We use the TLS protocol (the successor to SSL, still commonly referred to as SSL) to protect data in transit between your browser and our website. TLS encrypts data before it leaves your browser and decrypts it only after it reaches the server supporting the Website, so that it cannot be read or altered along the way.


Requirement to Provide Personal Data

If you contact us regarding any matter related to the website, our products, or the services we provide, providing your contact details may be necessary in order to respond to your inquiry.

Providing your personal data is a necessary condition for the provision of healthcare services due to the legal requirements imposed on the Controller, including in particular the obligation to maintain medical records. Refusal to provide data may constitute grounds for refusing to provide a healthcare service. Providing data is also necessary for issuing a bill or invoice.

Providing personal data for marketing purposes is entirely voluntary. Lack of consent to marketing communication may not constitute grounds for refusing to provide a healthcare service.


Period of Personal Data Processing

As a rule, we process your personal data in accordance with applicable law for as long as necessary to achieve the intended purpose of processing. After that period, your data is irreversibly destroyed or deleted from our systems.

With regard to specific categories of data, we process them for the following periods:

  • Medical records are retained, as a rule, for at least 20 years from the end of the calendar year in which the last entry was made. After the statutory retention period expires, the records will be destroyed in a manner preventing identification of the patient concerned or released to you or a person authorized by you. Data used for settlement of healthcare services, as well as data used for pursuing claims, will be processed for the limitation period applicable to such claims under the Civil Code.
  • Data processed for accounting and tax purposes is processed for 5 years from the end of the calendar year in which the tax obligation arose.
  • If you have consented to marketing communication, your data will be processed until you withdraw your consent for processing for those purposes.
  • 3 years (where both parties are entrepreneurs) or 6 years (in other cases), plus one year – with regard to personal data processed for the purpose of establishing, pursuing, or defending claims.
  • Until an effective objection is raised or the purpose of processing is achieved – with regard to personal data processed on the basis of the Controller’s legitimate interest under Article 6(1)(f) GDPR.
  • Until consent is withdrawn or the data is no longer needed for the purpose for which it was collected – with regard to other personal data processed on the basis of consent.

We retain correspondence for the period necessary for the proper and reliable fulfillment of the relevant purposes.


Social Media

Information on Joint Control of Data with Meta Platforms Ireland Limited and YouTube

The Controller uses services and technologies offered by Meta Platforms, Inc., such as:

  • Facebook,
  • Messenger,
  • Instagram,
  • WhatsApp,

as well as YouTube, owned by Alphabet Inc.

As part of cooperation with the above entities, the Controller and those entities act as joint controllers of your data under Article 26 GDPR with regard to processing for statistical and advertising purposes.

Joint controllership includes aggregate analysis of data in order to display statistics on user activity on the Controller’s fanpage.

Scope of Meta Platforms Ireland’s responsibility

  • having a legal basis for processing data for page statistics purposes;
  • ensuring the exercise of data subjects’ rights;
  • reporting breaches to the supervisory authority and notifying the persons affected by the breach;
  • ensuring appropriate technical and organizational measures to safeguard your data.

Scope of the Controller’s responsibility

  • having a legal basis for data processing;
  • fulfilling information obligations regarding the processing purposes pursued by the Controller.

Meta Platforms Ireland will make the essence of the Page Insights Addendum available to data subjects (Article 26(2) GDPR) through the Page Insights data notice, accessible from all pages.

The lead supervisory authority for joint processing is the Irish Data Protection Commission, without prejudice to Article 55(2) GDPR, where applicable.

Detailed information regarding mutual arrangements between the controllers is available at:
https://www.facebook.com/legal/terms/page_controller_addendum

The rules for processing your personal data by Meta Platforms Ireland are available at:
https://www.facebook.com/privacy/explanation

Facebook’s Data Protection Officer can be contacted via the form available at:
https://www.facebook.com/help/contact/540977946302970

The rules for processing your personal data within YouTube are available at:
https://policies.google.com/privacy?hl=pl&gl=pl


Cookies

We would like to inform you that, pursuant to Articles 173–174 of the Polish Telecommunications Law of 16 July 2004, the website http://cmbm.pl/ does not automatically collect any information except for information contained in cookies.

Cookies are small files sent to and stored on your computer or other device when you browse http://cmbm.pl/.

You may determine the conditions for storing or accessing your data by changing the cookie settings in your browser.

Cookies make it possible to remember and verify website user preferences. Thanks to this, we may, among other things:

  • improve search results,
  • ensure the relevance of the information displayed to you.

Cookies do not make any changes or modifications to the settings of the device or software on which they are installed.

You have the right not to consent to the use of cookies; they may be blocked.

If you wish to block cookies, we recommend selecting the appropriate settings in your web browser. More information can be found at:

or directly in individual browsers:

We would also like to inform you that using the website http://cmbm.pl/ means consent to our use of cookies. This message is displayed automatically whenever a given user visits our website for the first time.

Blocking or deleting cookies may result in difficulties when using the Website, and some of its options may become unavailable.

Cookies may be divided into the following categories:

  • “essential” – enabling the use of services available within the website, e.g. maintaining a session after the user logs in,
  • “functional” – enabling selected settings to be remembered and affecting interface personalization,
  • “security” – supporting security measures,
  • “performance” – enabling the collection of information on how the website is used,
  • session cookies – temporary files stored on the User’s device until logout, leaving the website, or closing the browser,
  • persistent cookies – stored on the User’s device for the period specified in the cookie parameters or until deleted by the User.

The following cookies are used on our website:

  Name    Cookie type                 Purpose of storage
  _ga     2 years – persistent        Cookie used by Google Analytics to collect aggregated statistical data about users of our website
  _gat    10 minutes – persistent     Cookie used by Google Analytics to collect aggregated statistical data about users of our website
  _gid    24 hours – persistent       Cookie used by Google Analytics to distinguish users of our website


Final Provisions

This Privacy Policy enters into force on 03.02.2026.

The rules set out in this Privacy Policy shall be governed by Polish law.