Privacy Policy

Privacy Policy - general rules of personal data processing and privacy protection at Derma Future Ltd. (hereinafter referred to as the Clinic)

This Privacy Policy sets forth the terms and conditions under which Derma Future sp. z o.o., 15A/2B Mokotowska Street, 00-640 Warsaw, NIP No. 7011216032, KRS No. 0001118882, both as data controllers for the purposes of this Privacy Policy (collectively referred to as "we" or "Data Controllers"), process the personal data you provide to us when using the www.sthetic.pl website (hereinafter referred to as the "Site").

This general information clause is addressed to all individuals, as to whom we have not addressed the information clause available for inspection at the Clinic. Thus, it is indicated that the addressees of this document in the first instance are:

Who is the controller of personal data?

  1. The administrator of the personal data is Derma Future sp. z o.o. with its registered office in Warsaw at Mokotowska 15a/2b, registered in the Register of Entrepreneurs under the KRS number 0001118882, NIP: 7011216032 (hereinafter also as: the Clinic and/or the Administrator).
  2. The Administrator is addressing this notice to individuals in connection with the need to fulfill the obligations set forth in Article 13(1) and (2) and Article 14(1) and (2) of the General Data Protection Regulation of April 27, 2016 (hereinafter: RODO).
  3. The controller has identified specific categories of data subjects and, if appropriate, directs separate communications to them containing information about the processing of personal data.
  4. The Administrator shall exercise due care in selecting and applying technical, physical and organizational measures to ensure the protection of the processed personal data. Personal data are secured against access by unauthorized persons, as well as against processing in violation of applicable laws.

How can I contact a representative of the Administrator for more information about the processing of personal data?

  1. The Administrator has appointed a Data Protection Officer, who can be contacted via e-mail address: iod@sthetic.pl. Data of the Data Protection Officer: Paulina Danikiewicz.
  2. If you are unsure about the content of your question, you can also send it to: klinika@sthetic.pl

Processing of personal data of persons interested in the Administrator's services

  1. Purpose and legal basis for the processing that is performed on the personal data of persons interested in the Administrator's services:
    • Purpose of processing: to answer the questions asked in connection with the contact established by potential customers as well as contractors who are natural persons (possibly also by representatives and persons related to contractors),
    • Legal basis for the processing activity: the necessity of the processing for the performance of an action taken by the Clinic at the request of the data subject prior to entering into a contract, i.e. Article 6(1)(b) RODO and/or the legitimate interest of the personal data controller, i.e. Article 6(1)(f) RODO - where the legitimate interest is primarily indicated as contact with potential clients and customers, responses to messages sent and the performance of statutory activities.

Processing of personal data of visitors to the website as well as accounts on social media platforms that belong to the Administrator

  1. Purpose and legal basis for the processing that is performed on the personal data of visitors to the website, as well as accounts on social media platforms that belong to the Administrator:
    • Purpose of processing: to ensure that the content presented on the website, as well as within the subpages of the Clinic's social media platforms, can be used, including analytical activities using third-party tools,
    • Legal bases for processing activities: realization of the legitimate interests of the controller, i.e. Article 6(1)(f) of the RODO - where the legitimate interests are primarily indicated as marketing of the controller's own services, as well as activities undertaken for the maintenance and proper functioning of the websites, and consent of the data subject, i.e. Article 6(1)(a) of the RODO, which relates to the acceptance of certain analytical activities.

Processing of personal data of contractors who are natural persons whose services are used by the Administrator, as well as processing of data of representatives, proxies, or so-called contact persons acting on behalf of contractors

  1. Purpose and legal basis of the processing that is performed on the personal data of contractors who are natural persons whose services are used by the Administrator, as well as the processing of data of representatives, agents, or so-called contact persons acting on behalf of contractors:
    • Purpose of processing: performance of a contract with a service provider, or any other type of contractor that is an individual, and processing of personal data of employees, or representatives performing activities for service providers and other contractors that may arise in the course of performance of concluded contracts,
    • Legal basis of the processing activity: the necessity of the processing for the purpose of performing the contract and/or the action taken by the Clinic at the request of the data subject prior to the conclusion of the contract, i.e. Article 6(1)(b) RODO, and the fulfillment of the legitimate interests of the Data Controller, i.e. Article 6(1)(f) RODO - where the legitimate interest is indicated as the realization of the Administrator's statutory activities, as well as the fulfillment of legal obligations incumbent on the Data Controller, i.e., among others, accounting and tax obligations - basis for processing: the realization of legal obligations incumbent on the Data Controller, i.e., Article 6(1)(c) RODO.

Processing of data of persons using the newsletter service

  1. Purpose and legal basis for the processing that is performed on the personal data of persons using the newsletter service:
    • Purpose of processing: marketing of the Administrator's own services,
    • Legal basis for the processing activity: consent of the data subject, i.e. Article 6(1)(a) of the RODO.

Sources of personal data obtained not directly

  1. The Clinic points out that if the personal data did not come to us directly from the data subject, the source of acquisition may be primarily:
    • another controller of personal data (e.g. social media platform providers),
    • the Clinic's counterparty (including, but not limited to, the employer or principal of the so-called contact persons, as well as the representatives named in the contracts),
    • a source of public information (e.g., publicly available business entity registration databases).

What range of personal data is processed by the Clinic?

  1. In carrying out processing activities, the Administrator applies the principle of data minimization. If the catalog of data is not directly prescribed by law or if we do not personally receive it from the data subject, the Administrator limits such catalog to the necessary data.
  2. The Clinic points out that data subjects are obliged to indicate complete, up-to-date and truthful data.
  3. The realization of the purposes of processing as described above, in the vast majority of cases, does not require the processing of special categories of personal data, i.e. also data on health status. Accordingly, those who choose to transfer personal data to the Administrator should not transfer an excessive range of data.
  4. If the Clinic processes personal data of individuals obtained from another source, the scope of the processed data is generally limited to: first and last name, basic contact and address data, and indications of business affiliation or type of business activity. The Clinic may also process data such as IP address, browsing preferences, or other personal data generated by users of social media platforms.

Who can be the recipient of personal data processed by the Clinic?

  1. Personal data processed by the Administrator may be made available to entities entitled to receive them under applicable laws, including relevant state authorities.
  2. In addition, personal data processed by the Administrator, depending on the purpose of processing, may be shared:
    • to processors such as: third-party accounting service providers, third-party entities performing the Administrator's IT services, including hosting of email boxes, and software providers, third-party consulting and auditing entities, marketing agencies, and possible entities that otherwise cooperate with the Clinic, which includes entities involved in patient services,
    • to recipients that are separate controllers of personal data, such as the postal service provider, courier service, law firms, social media platform providers and other contractors of the Clinic.
  3. The Administrator indicates that personal data may be transferred outside the EEA, i.e. to third countries in the case of processing personal data in social media platforms, or in the case of using certain IT tools.

Details of the security for such a transfer are available in the terms and conditions of the social media platform providers or at the indicated email address, i.e.: iod@sthetic.pl. The country of transfer is in the vast majority of cases the USA, and the declared security is standard contractual clauses. The Administrator informs that it does not envisage and does not transfer personal data to international organizations.

How long does the Clinic keep personal information?

  1. The essential criterion that determines the period of storage of personal data is the time necessary to fulfill the purpose of processing.
  2. If processing is based on consent, such consent can be withdrawn at any time. However, the controller indicates that in the case of such an action, there may be other grounds justifying the continued processing of personal data.
  3. When the processing is carried out due to the need to fulfill a legal obligation incumbent on the Administrator, or in connection with the performance of a contract or for the purpose of fulfilling the Administrator's legitimate interest, the periods and criteria determining the duration of storage are as follows:
    • basic period - 10 years,
    • obligation to store accounting evidence - 5 years from the beginning of the year following the fiscal year in which the transaction in question was finally completed, or settled.

What rights do individuals have in connection with the Administrator's processing of their personal data?

  1. Depending on the processing activity being carried out, the catalog of rights that individuals may be entitled to is defined below:
    • The right of access to data,
    • The right to rectify data,
    • The right to delete data,
    • The right to restrict processing,
    • The right to data portability,
    • The right to object.
  2. Exercising your rights can be done by sending the appropriate request to the e-mail address: iod@sthetic.pl.
  3. The controller also indicates that data subjects have the right to lodge a complaint with the supervisory authority, i.e. the President of the Office for Personal Data Protection.

Necessity of providing personal data to the Administrator and final information

  1. If the obligation to provide personal data does not arise directly from the contractual provisions, or from a provision of law, then providing personal data is a voluntary act, but it is necessary in order to carry out cooperation with the Clinic, to use the Clinic's services, or to establish contact with the Clinic.
  2. This document presents collectively most of the information regarding the processing of personal data. Detailed information on specific processing activities can be obtained by contacting the Data Protection Officer using the e-mail address: iod@sthetic.pl.

Information about cookies

  1. For the proper operation of its website, the Administrator uses cookies, including in a customized manner.
  2. Using the website without changing the cookie settings means that cookies will be stored on the end device of the person using the Administrator's website. Such a person may, at any time, change the cookie settings on his/her web browser.
  3. Cookies, including session cookies, can also provide information about the end device, as well as the version of the browser that an individual is using. These tasks are performed for the correct display of content within the Administrator's website.
  4. A cookie is a short text file that in no way personally identifies a visitor to the site and does not store information that could enable such identification.
  5. Detailed information on the cookies used can be found in a separate cookie policy.