Privacy Policy & GDPR

Data Protection Officer at Labplus S.A.: Magdalena Kutiak-Pecka

e-mail: rodo@labplus.pl

Labplus Spółka Akcyjna

If:

1. You use the website www.labplus.health – by visiting the website or using the contact form, please refer to Part A.

PRIVACY POLICY IN PART A

Contains principles regarding the processing of personal data by the Data Controller on the websites www.labplus.health and related websites. This policy defines the legal bases, purposes, and period of personal data processing, as well as the rights of data subjects, and information regarding the use of Cookies when using the functionalities of the Data Controller’s websites. The Privacy Policy specifies when the Data Controller processes personal data directly as the owner of the websites, and when personal data is processed as a Processor, meaning it performs data administration activities commissioned by a data controller that is a different entity.

It also includes our Cookies Policy. 

  • Part A

2. You are a user of the LabTest Checker by Labplus® medical device, certified as Class I medical software for analyzing laboratory test results, manufactured by Labplus S.A., including instances where the LabTest Checker by Labplus® medical device is made available to users on external websites, such as those of our contractors, please refer to Part B.

PRIVACY POLICY IN PART B

Contains principles regarding the processing of personal data by the Data Controller in connection with access to LabTest Checker by Labplus®, which is a Class I certified medical software designed for analyzing results of performed laboratory tests. The service provided using LabTest Checker® can be utilized at diagnostic laboratory collection points and healthcare establishments. When administering the LabTest Checker by Labplus® application, the Company acquires and processes data either as a Data Controller or receives anonymized data from a diagnostic laboratory or healthcare provider (consisting exclusively of numerical information in the form of medical results) without any identifying details — that is, without indication of whom the results pertain to or any patient reference number. In such cases, Labplus cannot identify the data to a specific individual to whom the data relates.

  • Part B

3. You are a user of other tools and applications located on www.labplus.health, or on other websites belonging to us and our partners, and you have been referred to this Policy, please refer to Part A and Part B as applicable, either as a website user or an application user.

  • Part A
  • Part B

4. You are a person whose data we process, regardless of the source of origin of the data and the purpose of processing (i.e., you are our contractor, business partner, employee, application user, or website user), please refer to the Common Provisions section, which presents the common principles for personal data processing, personal data retention periods, and security principles for all types of personal data and processing purposes.

  • Common Provisions

Common Provisions

Data Controller and Contact

The Data Controller of the personal data described in this Privacy Policy is Labplus Spółka Akcyjna, with its registered office at Wyspa Słodowa 7, 50-266 Wrocław, Poland, entered in the National Court Register (KRS) under number 0001018188, Tax Identification Number (NIP) 8961622267, and National Business Registry Number (REGON) 524450039. For matters concerning data protection, you can contact us by post at Wyspa Słodowa 7, 50-266 Wrocław, Poland, or by email at rodo@labplus.pl, our preferred communication method.

Principles of Personal Data Administration

The Data Controller takes particular care to protect the interests of individuals whose personal data it processes. In particular, the Data Controller is responsible for and ensures that the data collected are:

I) processed lawfully; collected for specified, legitimate purposes and not subjected to further processing incompatible with those purposes;

II) factually correct and adequate in relation to the purposes for which they are processed;

III) stored in a form that prevents the identification of the data subjects by unauthorized third parties and stored no longer than necessary to achieve the purpose of processing;

IV) processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, damage, or disclosure, through appropriate technical or organizational measures.

Considering the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons, the Data Controller implements appropriate technical and organizational measures to ensure that processing complies with the General Data Protection Regulation, the Act on the Protection of Personal Data, and ensures the security of the data subjects. These measures are regularly reviewed and updated. The Data Controller employs technical measures to prevent unauthorized persons from acquiring and modifying personal data transmitted via the final means of electronic communication.

Right of access by the data subject

Everyone whose data we process has the right to:

I) Access, rectification, restriction, erasure (“right to be forgotten”), and data portability, as well as the right to object to processing. The detailed conditions for exercising the aforementioned rights are specified in Articles 15-21 of the GDPR. Also, the right to withdraw consent at any time – if personal data is processed by the Administrator based on expressed consent (pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR), the data subject has the right to withdraw consent at any time without affecting the lawfulness of processing carried out based on consent before its withdrawal.

II) Lodge a complaint with a supervisory authority – the person whose data is processed by the Data Controller has the right to lodge a complaint with a supervisory authority in the manner and procedure specified in the provisions of the GDPR and Polish law, particularly The Act on the Protection of Personal Data. The supervisory authority in Poland is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).

III) Object – the data subject has the right to object at any time – on grounds relating to their particular situation – to the processing of personal data concerning them based on Article 6(1)(e) (public interest or official authority) or (f) (legitimate interests of the controller), including profiling based on these provisions. In such a case, the Data Controller shall no longer process these personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

IV) Object to direct marketing – if personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing.

 

To exercise the rights referred to in point 1 of the Privacy Policy above, you can contact the Data Controller by sending a written message or email to the Data Controller’s address indicated at the beginning of the Privacy Policy, or by using the contact form available on the website www.labplus.health.

 

In the event of a breach of personal data protection regulations, the data subject may file a complaint with the President of the Personal Data Protection Office. After conducting proceedings, the President of the Office – if a breach has occurred – shall order the restoration of a lawful state through an administrative decision. A natural person may file a complaint with the President of the Office if the incorrect data processing concerns their personal data. 

However, please exercise your rights before filing a complaint with the Office. The Data Processor is obliged to respond to your request as soon as possible – within a maximum of one month. If, for some reason, this is not possible, they must inform you why they are extending the response period by an additional, non-extendable two months. The Data Processor should also inform you within one month about the non-fulfillment of the request and its reasons. If the Data Processor ignores your request or the response is not satisfactory to you, you can file a complaint with the Office. Please familiarize yourself with the detailed information from the Office regarding the exercise of rights: https://uodo.gov.pl/en/680 and remember that these rights may not apply in every situation. For example, they may be limited by provisions of Polish law.

Transfers of Data to Third Countries

The transfer of data for which the Administrator is the Controller to third countries and international organizations may only take place if the conditions set out in Chapter V of the GDPR are met.

The transfer of data to third countries may take the form of (1) entrusting the processing of personal data or (2) making personal data available. This means that, depending on the type of transfer, the provisions of the GDPR regarding data processing agreements or data sharing agreements must also be considered.

A transfer of personal data to a third country may occur if the European Commission has issued a decision stating that the given third country, territory, or one or more specified sectors within that third country, or the international organization in question, ensures an adequate level of protection. Such a transfer does not require specific authorization.

In cases where there is no European Commission decision as mentioned above, the transfer of personal data to a third country is possible if the Data Controller independently provides appropriate safeguards and on the condition that enforceable data subject rights and effective legal remedies are available.

 

Appropriate safeguards can be provided by:

A legally binding and enforceable instrument between public authorities or bodies;

Binding corporate rules approved by the supervisory authority, applicable to each member of a group of undertakings or a group of enterprises engaged in a joint economic activity;

Standard data protection clauses adopted or approved by the European Commission;

Standard data protection clauses adopted by a supervisory authority and approved by the European Commission;

An approved code of conduct along with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards, including with regard to the rights of data subjects; or

An approved certification mechanism along with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards, including with regard to the rights of data subjects.

Subject to the authorization of the competent supervisory authority, the appropriate safeguards mentioned above can be provided in particular by:

I) Contractual clauses between the Data Controller or processor and the controller, processor, or recipient of the personal data in the third country or international organization; or

II) Provisions in administrative arrangements between public authorities or bodies, which include enforceable and effective data subject rights.

 

In specific cases, the transfer of personal data to a third country is permitted despite the absence of a European Commission decision as mentioned above and without providing the appropriate safeguards described above. These specific cases include data transfer provided that:

The data subject, having been informed of the possible risks of the proposed transfer for them, has explicitly consented to it;

The transfer is necessary for the performance of a contract concluded with the data subject;

The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject;

The transfer is necessary for important reasons of public interest;

The transfer is necessary for the establishment, exercise or defense of legal claims;

The transfer is necessary to protect the vital interests of the data subject, or the transfer takes place from a public register.

 

As a rule, the Data Controller does not transfer your data to third countries. The server and additional services lessor has guaranteed the location of support tools within the European Union (EU) and European Economic Area (EEA). However, when the Data Controller uses tools supporting its current operations provided by, for example, Google, your personal data may be transferred to a country outside the EEA, in particular to the United States of America (USA) or another country where a cooperating entity maintains tools for processing personal data in cooperation with the Data Controller. The appropriate safeguarding of personal data processed outside the EEA is guaranteed by the use of external data processing agreements based on standard contractual clauses that meet GDPR requirements. The description and scope of standard contractual clauses are provided by the software and external tool providers:

 

I) Google in their privacy policy section: https://policies.google.com/privacy/frameworks?hl=eng, which contains precise data on the concluded standard contractual clauses.

II) AWS, the server provider: https://aws.amazon.com/

Personal Data Retention Periods by Type

Here’s a breakdown of how long different types of personal data are retained, based on the processing activity:

1. Employee Recruitment

Data Carriers: CV, resume, application form

Data Processing Period: For the duration of the recruitment process; if consent is given by the individual, also for future recruitments.

Event Triggering Data Deletion: Immediately after the recruitment process ends. If the individual consented, then after future recruitments (up to 3 years from the date of the last recruitment).

2. Internships/Apprenticeships

Data Carriers: Internship documents, agreement, CV

Data Processing Period: 10 years

Event Triggering Data Deletion: From the end of the agreement.

3. Employment

Data Carriers: Training/course subsidies, civil law contracts with the employee, documentation related to benefit handling (e.g., Multisport card), occupational disease history, CV, resume, employee documentation (personal files)

Data Processing Period: 10 years or 50 years

Event Triggering Data Deletion: From the termination of the employment contract.

Note: For employment relationships established before January 1, 2019, the retention period for employee documentation must be determined based on the regulations in force before that date (Article 7(2) of the Act of January 10, 2018, on amending certain acts in connection with shortening the period of keeping employee files and their electronization – Journal of Laws of 2018, item 357). This means that employee documentation for this period must be kept for 50 years, counted from the date of termination of employment with a given employer for personal documentation, and from creation for payroll documentation.

 

4. Civil Law Cooperation Agreements

Data Carriers: Agreements, additional documents (e.g., subsidies), additional benefits (e.g., Multisport)

Data Processing Period: 10 years or 50 years

Event Triggering Data Deletion: Termination of the agreement.

 

5. Workplace Accidents

Data Carriers: Accident description, additional documents

Data Processing Period: 10 years

Event Triggering Data Deletion: Date of the incident/accident.

 

6. Commercial Agreements with Natural Persons

Data Carriers: Agreement, orders, email correspondence, execution documentation

Data Processing Period: 3 years

Event Triggering Data Deletion: Completion of service, termination of the agreement.

 

7. Commercial Agreements with Entrepreneurs

Data Carriers: Agreement, orders, email correspondence, execution documentation

Data Processing Period: 3 years

Event Triggering Data Deletion: Completion of service, termination of the agreement.

 

8. Marketing Services

Data Carriers: Newsletter, customer databases, email data, phone numbers

Data Processing Period: Immediately upon withdrawal of consent, unless processing is based on another legal basis (e.g., contract performance).

Event Triggering Data Deletion: Upon withdrawal of consent.

 

Final Provisions

The Data Controller’s website may contain links to other websites. The Data Controller encourages you to review the Privacy Policy established on those other sites once you navigate to them. This Privacy Policy applies only to the website www.labplus.health.

Services and features within the Website may change, which means we may make modifications to this Privacy Policy in the future. We will publish new versions of the document on the website.

Part A

For:

I) Users of labplus.health – website visitors, users of the contact form. 

II) Users of other websites belonging to us and our cooperators, if referred to this Privacy Policy.

 

Where We Obtain Your Personal Data and Whether It’s Necessary

When you visit the Data Controller’s website, such as www.labplus.health or other similar sites that refer to this Privacy Policy, you provide us with information that is not personal data by itself, but under certain circumstances, this data may become personal data.

For example, your IP address, which is saved in your browser settings, is not personal data on its own because we cannot identify you based on it. An IP address will only be considered personal data if the Data Controller also has access to data linking the IP address to other identifying information about you (Legal basis: Article 6(1) of the Act of August 29 on the Protection of Personal Data, Directive 94/46/EC of the European Parliament) or if it possesses characteristics of personal information because it is possible to identify “a natural person” based on it. The Data Controller has determined that, in accordance with the principle of protecting personal data and data that may become personal data, it protects your data obtained while using the Data Controller’s websites.

When you use the contact form available via www.labplus.health, every user of the contact form provides their personal data: email address, first name, and last name. The content of the message may also contain information including users’ personal data. Using www.labplus.health and other Data Controller’s websites is voluntary. However, to establish contact via the contact form, not providing personal data will make it impossible to use this function. Providing personal data in this case is a requirement, and if the data subject wishes to use the contact form provided on the Data Controller’s website, they are obliged to provide this data.

A detailed description of the data processed by the Data Controller is provided below.

Purpose, Legal Basis, and Data Retention Periods

Contacting the Data Controller via the Contact Form

Purpose of Data Processing: To facilitate contact with the Data Controller through the contact form on www.labplus.health and other Data Controller websites.

Legal Basis for Data Processing:

Article 6(1)(a), (b) GDPR: Processing is necessary for the performance of a contract or to take steps at your request prior to entering into a contract.

Article 6(1)(f) GDPR: Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller, such as marketing our own products, maintaining statistics on visits and inquiries.

Article 9(2)(f) GDPR: Processing is necessary for the establishment, exercise, or defense of legal claims.

Personal Data Processed:

Your first name, last name, and email address. Providing this data is essential to enable us to contact you. You may also provide other non-required data within the message sent via the contact form; this data will be processed by the Data Controller with your consent and will not affect our ability to fulfill your contact request.

Data Retention Period:

For the time necessary to fulfill your request, perform the requested service, answer your questions, and for any additional time required to protect the Data Controller’s and your rights and obligations. For data provided with your consent, data will be retained until consent is withdrawn.

Website Usage and Browsing

Purpose of Data Processing: To enable website browsing.

Legal Basis for Data Processing:

Article 6(1)(a), (b) GDPR: Processing is necessary for the performance of a contract or to take steps at your request prior to entering into a contract, which includes viewing content on the website.

Article 6(1)(f) GDPR: Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller, such as marketing our own products and maintaining statistics on visits and inquiries.

Article 9(2)(f) GDPR: Processing is necessary for the establishment, exercise, or defense of legal claims.

Personal Data Processed:

We record information about the web browser and operating system used, the date and time of the visit, as well as the IP address. This data is essential for the websites to function, but we cannot attribute this data to a specific person without significant effort, given the Data Controller’s current resources and functionalities. We do not collect any personal data through our website without user consent, including consent for cookies.

Data Retention Period:

For the time necessary to analyze website visit data and traffic. For data provided with consent, data will be retained until consent is withdrawn.

Data Recipients

For the proper functioning of the tools offered on www.labplus.health and other Data Controller’s websites, the Data Controller needs to use the services of external entities, such as software providers, server lessors, internet operators, and programmers. The Data Controller exclusively uses the services of processors who provide guarantees for implementing technical and organizational measures to protect personal data from breaches, to a degree no less than that of the Data Controller and in accordance with the GDPR.

Data transfer by the Data Controller does not occur automatically to all recipients or categories of recipients indicated in the Privacy Policy. The Data Controller transfers data only when it is necessary to achieve a specific purpose of personal data processing and only to the extent necessary to achieve it.

Personal data of users of www.labplus.pl and other Data Controller’s websites may be transferred to the following recipients or categories of recipients:

 

I) Service providers supplying the Data Controller with technical, IT, and organizational solutions that enable the Data Controller to manage and maintain the website and contact form. 

II) Providers of social plugins, scripts, and other similar tools placed on the Data Controller’s website, enabling the browser of a person visiting www.labplus.health to download content from the providers of the aforementioned plugins. 

III) Providers of marketing and positioning channels (e.g., Google Ads, Google Analytics), and data storage drives and cloud tools (e.g., Google Clouds), to the extent necessary for the provision of services to the Data Controller and solely regarding the personal data of users that are necessary for sharing, such as analytical data and user preferences.

 

The most important tools used by the Data Controller are:

Cookiebot by Usercentrics

Recipient of your data in the sense of Art. 13. para. 1. e) DSGVO (GDPR) is Usercentrics GmbH. In the context of order processing, Labplus transmits personal data (consent data) to Usercentrics GmbH, Sendlingerstr. 7, 80331 Munich as a processor.

Consent data means the following data:

  • Date and time of the visit or consent / refusal, device information.

The processing of the data is carried out for the purpose of compliance with legal obligations (obligation to provide evidence pursuant to Art. 7 (1) DSGVO) and the associated documentation of consents and thus on the basis of Art. 6 (1) lit. c) DSGVO. Local storage is used to store the data.
The consent data is stored for 1 year. The data is stored in the European Union.

For more information about the collected data and contact options, please visit https://usercentrics.com/privacy-policy/.

Google Analytics 

A web analytics service from Google Inc. Google Analytics operates exclusively through cookies and only with your consent or if your browser settings allow it. Google Analytics enables the analysis of website usage. Information obtained by Google Analytics is stored on Google Inc. servers in Ireland or the United States. At the request of the website owner, Google uses this information to analyze website usage and to create reports on website activity related to website and internet usage. Detailed information regarding the terms of use of the Google Analytics tool and personal data protection is available at https://www.google.com/analytics/terms/en.html or https://policies.google.com/?hl=en.

HotJar 

A service from Hotjar Limited that allows for the collection of information regarding user behavior on the website, such as navigation, mouse movements and clicks, visited subpages, and the source of the website visit. This does not include plugins, forms, or other elements where personal data may appear. This data is anonymized at the information recording stage. The privacy policy of the service provider is available at: https://www.hotjar.com/legal/policies/privacy.

Profiling

The Data Controller is obliged to inform users about the profiling of personal data and to provide significant information about the principles of such decision-making, as well as the significance and foreseen consequences of such processing for the data subject. With this in mind, the Data Controller provides information in this section of the Privacy Policy regarding possible profiling, which means presenting content or decisions consistent with a specific user’s personal data or their preferences.

A particular form of profiling is profiling that leads to automated individual decision-making, which is performed entirely, i.e., at every stage, without human assistance or support. In the case of full automation of processing, the data subject has no possibility to influence the course of this process and cannot appeal to a person making the decision, because the decision is made by artificial intelligence.

Profiling on www.labplus.health involves the automated analysis or prediction of the behavior of visitors to www.labplus.pl and other Data Controller’s websites, for example, by determining the behavior of website recipients, the manner of browsing content, user behavior within individual windows, or selection of tabs.

Profiling by the Data Controller will not produce legal effects for the user until the individual accepts the result of the profiling. Also, the data subject always has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Cookies and Analytics

Cookies are small text files, sent by a server and stored on the side of the person visiting the website (e.g., on the hard drive of a computer, laptop, or on the memory card of a smartphone), depending on the device used by the visitor.

Detailed information on Cookies can be found at https://ec.europa.eu/info/cookies_en.

Our website uses cookies and similar technologies. To ensure compliance with data protection regulations (such as GDPR) and to give you full control over their use, we have implemented the Consent Management Platform (CMP) Cookiebot by Usercentrics. With this solution, we always obtain your informed consent before placing cookies on your device, except for those absolutely necessary for the proper functioning of the website. You also have the ability to easily change or withdraw your consent at any time.

You can change or withdraw your consent to cookies at any time by clicking on the small circle with the privacy shield available on our website, usually in the lower right corner of the screen.

 

The Cookies that may be sent by www.labplus.health can be divided into different types, according to the following criteria:

 

I) Based on their provider:

  • First-party cookies (created by the Data Controller’s website) 
  • or Third-party cookies (belonging to persons/entities other than the Data Controller)

 

II) Based on their storage period on the visitor’s device:

  • Session cookies (stored until logging out or closing the web browser)
  • or Persistent cookies (stored for a defined period, specified by the parameters of each file, or until manually deleted)

 

III) Based on their purpose of use: 

  • Necessary cookies (enabling the website to function correctly)
  • Functional/Preference cookies (allowing the website to adapt to the visitor’s preferences) 
  • Analytical and Performance cookies (collecting information about how the website is used) 
  • Marketing, Advertising, and Social cookies (collecting information about the visitor to display personalized advertisements and conduct other marketing activities, including on websites separate from the Data Controller’s website, such as social media portals)

Detailed Cookie Statement

Below you will find a detailed, dynamic list of cookies used on our site, along with their purpose and validity period. The list is automatically updated.

 

Web browser settings

You can find the location of information in the most popular web browsers regarding which Cookies are currently sent by the Data Controller in the following ways:

 

In Chrome: (1) In the address bar, click the padlock icon on the left, (2) go to the “Cookies” tab.

In Firefox: (1) In the address bar, click the shield icon on the left, (2) go to the “Allowed” or “Blocked” tab, (3) click the “Cross-site tracking cookies,” “Social media trackers,” or “Content with trackers” field.

In Internet Explorer: (1) Click the “Tools” menu, (2) go to the “Internet Options” tab, (3) go to the “General” tab, (4) go to the “Settings” tab, (5) click the “View files” field.

In Opera: (1) In the address bar, click the padlock icon on the left, (2) go to the “Cookies” tab.

In Safari: (1) Click the “Preferences” menu, (2) go to the “Privacy” tab, (3) click the “Manage Website Data” field.

 

Regardless of the browser, this information can also be found using tools available on websites like https://www.cookiemetrix.com/ or https://www.cookie-checker.com/.

 

By default, most web browsers available on the market are configured to accept cookies. However, with our implemented cookie consent management tool, you have the ability to manage your cookie preferences. This includes rejecting non-essential cookies directly through our website interface, in addition to defining the conditions for using Cookies through your own web browser settings.

Example Cookies used on the Data Controller’s websites:

I) Google Analytics from Google LLC. for the purpose of realizing the Data Controller’s legitimate interest, which involves creating and analyzing statistics to optimize the website. Google Analytics automatically collects information about website usage. The information collected in this way is most often transferred to a Google server in Ireland or the United States and stored there. The anonymized IP address transferred by the browser as part of Google Analytics is generally not combined with other data held by Google. For data protection by Google Analytics, please refer to:

https://policies.google.com/privacy/frameworks?hl=en, which describes the data protection solutions and standard contractual clauses used by Google.

II) Hotjar from Hotjar Limited, Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta. Hotjar monitors information such as time spent on individual pages, buttons and links clicked, subpages discovered, and their sequence. We use this service to optimize our website for user preferences and behavior, which constitutes the realization of our legitimate interest. Hotjar uses cookies and other technologies (e.g., video recording) to collect information about on-site behavior and devices used to access the site. It collects an anonymized IP number, screen size, browser information, location, and language. Hotjar pseudonymizes the data. More information can be found in the Hotjar privacy policy: https://www.hotjar.com/privacy/.

III) Server Logs. Using the website involves sending requests to the server where our website is hosted. Each request directed to the server is saved in the server logs. Logs include, among other things, the IP address, server date and time, and information about the web browser and operating system you are using. Logs are saved and stored on the server. Data saved in server logs are not associated with specific individuals using the website and are not used by us for identification purposes.

For users who access the Lab Test Checker by Labplus® medical software application (LabTest Checker by Labplus® application) and other applications published by the Data Controller on their own or other companies’ websites, utilizing a “plugin” for the Lab Test Checker by Labplus® application.

Where We Obtain Your Personal Data and Whether It’s Necessary

When you use the Lab Test Checker by Labplus® application on other websites belonging to the Data Controller and third-party clients (e.g., diagnostic companies, laboratories, healthcare providers), you provide us with personal data as described below.

If you use the Lab Test Checker by Labplus® application under an agreement directly with a diagnostic laboratory or a healthcare provider, Labplus S.A. receives anonymized data (consisting solely of numerical medical results) from that laboratory or provider. This data is provided without specific identifying details, meaning it doesn’t indicate who the results belong to or include any patient reference numbers. In such cases, Labplus cannot identify the data to a specific individual.

The exceptions to this rule are when a patient uses Labplus’s medical team Q&A service regarding their Lab Test Checker by Labplus® analysis result, or when a patient submits a complaint directly to Labplus, as detailed below.

A detailed description of the data processed by the Data Controller is provided below.

Using the Lab Test Checker by Labplus® Application Based on an Agreement Concluded by the Patient with a Diagnostic Laboratory, the Data Controller, or a Healthcare Provider

Purpose of Data Processing:

I) To enable the Data Controller’s medical specialists to answer a patient’s question regarding their Lab Test Checker by Labplus® analysis result.

II) To process a complaint related to the Lab Test Checker service.

Legal Basis for Data Processing:

Article 6(1)(a), (b) GDPR: Processing is necessary for the performance of a contract or to take steps at your request prior to entering into a contract.

Article 6(1)(c) GDPR: Processing is necessary for compliance with a legal obligation to which the Data Controller is subject, e.g., in the context of healthcare entities’ operations and medical documentation collection.

Article 6(1)(f) GDPR: Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller, e.g., statistics on tests, medical history, and test analysis results.

Article 9(2)(h) GDPR: Processing is necessary for the purposes of preventive or occupational medicine.

Article 9(2)(f) GDPR: Processing is necessary for the establishment, exercise, or defense of legal claims.

Personal Data Processed:

I) Medical questionnaire containing data on the user’s health status, data obtained from the person making declarations, or from a legal guardian (e.g., data on other test results, medical history).

II) User’s laboratory test results.

III) First name, last name, residential address, email address.

Data Retention Period

For the time necessary to perform the analysis of test results, and for the period of analysis mandated by statutory provisions imposed on healthcare entities (medical documentation retention), and until the possibility of initiating legal proceedings by the Data Controller or the individual providing personal data has expired.

Using the LabTest Checker by Labplus® Application Based on an Agreement Concluded Directly by the Patient with the Data Controller

Purpose of Data Processing

To perform analysis using Lab Test Checker by Labplus® tools at the patient’s request and for their benefit.

Legal Basis for Data Processing:

Article 6(1)(a), (b) GDPR: Processing is necessary for the performance of a contract or to take steps at your request before entering into a contract.

Article 6(1)(c) GDPR: Processing is necessary for compliance with a legal obligation to which the Data Controller is subject, for example, in the context of healthcare entities’ operations and the collection of medical documentation.

Article 6(1)(f) GDPR: Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller, such as test statistics, medical history, and test analysis results.

Article 9(2)(h) GDPR: Processing is necessary for the purposes of preventive health care.

Article 9(2)(f) GDPR: Processing is necessary for the establishment, exercise, or defense of legal claims.

Personal Data Processed:

I) Medical questionnaire containing data on the user’s health status, data obtained from the person making declarations or as a legal guardian (e.g., data on other test results, medical history).

II) User’s laboratory test results.

III) First name, last name, residential address, NIP number, payment account number, email address.

Data is saved in the patient’s or user’s account within the third-party system of our client (i.e., laboratories or medical practices) as medical history data and medical analysis results, for viewing and retrieval.

Data Retention Period

For the time necessary to perform the analysis of test results and for the period of analysis mandated by statutory provisions imposed on healthcare entities (medical documentation retention), and until the possibility of initiating legal proceedings by the Data Controller or the individual providing personal data has expired.

 

Data Recipients

For the proper functioning of the tools offered by the Lab Test Checker by Labplus® application, regardless of where it’s installed or on which website it’s used, the Data Controller must use the services of external entities. These include software providers, server lessors, internet operators, and programmers. The Data Controller exclusively uses the services of processors who guarantee the implementation of technical and organizational measures protecting personal data from breaches, to a degree no less than that of the Data Controller and in accordance with the GDPR.

Data transfer by the Data Controller does not happen automatically to all recipients or categories of recipients listed in the Privacy Policy. The Data Controller transfers data only when it’s necessary to achieve a specific purpose of personal data processing and only to the extent required for its realization.

Personal data of Lab Test Checker by Labplus® users may be transferred to:

I) Entities handling electronic or credit card payments – in the case of a user who pays for tests under an agreement with the Data Controller and has chosen electronic or credit card payment. The Data Controller provides the collected personal data to the selected payment service provider, at the Data Controller’s request, to the extent necessary to process the payment for the user. This payment service provider then becomes the Data Controller of that personal data and performs its own entity authorization, over which the original Data Controller has no influence.

II) Providers of cloud data channels (e.g., Google Clouds), but only to the extent of user personal data that is necessary for sharing.

III) Hotjar Limited, which provides a service for collecting information about user behavior while using the application, such as navigation, mouse movements and clicks, visited subpages, and the source of user activity. This does not include the recording of non-anonymized elements where personal data might appear. This data is anonymized at the information recording stage. The service provider’s privacy policy can be found here: https://www.hotjar.com/legal/policies/privacy

 

Profiling

The Data Controller is obligated to inform users about the profiling of personal data and to provide essential information about the principles of such decision-making, as well as the significance and anticipated consequences of such processing for the data subject. With this in mind, the Data Controller provides information in this section of the Privacy Policy regarding possible profiling, which involves presenting content or decisions consistent with a user’s specific personal data or their preferences.

A particular form of profiling is profiling that leads to automated individual decision-making, which is performed entirely, meaning at every stage, without human assistance or support. In the case of fully automated processing, the data subject has no ability to influence the process and cannot appeal to a person making the decision, as the resolution is made by artificial intelligence.

The Data Controller uses profiling, but not automated decision-making, in the analysis of results within Lab Test Checker by Labplus®. After analyzing the results, the program transmits information about the outcome of diagnostic test data analysis combined with information from the medical history.

Cookies & Analytics

Cookies are small text files, sent by a server and stored on the side of the person visiting the website (e.g., on the hard drive of a computer, laptop, or on the memory card of a smartphone), depending on the device used by the visitor.

Detailed information on Cookies can be found at https://ec.europa.eu/info/cookies_en.

The Cookies that may be sent by www.labplus.pl and other Data Controller’s websites can be divided into different types, according to the following criteria:

 

I) Based on their provider:

First-party cookies (created by the Data Controller’s website) 

or Third-party cookies (belonging to persons/entities other than the Data Controller)

 

II) Based on their storage period on the visitor’s device:

Session cookies (stored until logging out or closing the web browser) 

or Persistent cookies (stored for a defined period, specified by the parameters of each file, or until manually deleted)

 

III) Based on their purpose of use: 

Necessary cookies (enabling the website to function correctly)

Functional/Preference cookies (allowing the website to adapt to the visitor’s preferences) 

Analytical and Performance cookies (collecting information about how the website is used) 

Marketing, Advertising, and Social cookies (collecting information about the visitor to display personalized advertisements and conduct other marketing activities, including on websites separate from the Data Controller’s website, such as social media portals)

 

The Data Controller may process data contained in Cookies when visitors use the website for the following specific purposes:

– Identifying Service Recipients as logged into a user account and showing that they are logged in (necessary).

– Remembering products for placing an Order (necessary).

– Remembering data from completed surveys (functional and preferential, not necessary).

– Adapting website content to the user’s individual preferences (e.g., concerning preferred diagnostic tests) and optimizing website use (functional and preferential, not necessary).

– Conducting anonymous statistics presenting website usage (analytical and performance, not necessary).

– Remarketing, which involves examining the behavioral characteristics of website visitors through an anonymous analysis of their actions (e.g., repeated visits to specific pages, keywords, etc.) to create a profile and deliver a customized application appearance (HotJar, not necessary).

 

You can find the location of information in the most popular web browsers regarding which Cookies are currently sent by the Data Controller in the following ways:

 

In Chrome: (1) In the address bar, click the padlock icon on the left, (2) go to the “Cookies” tab.

In Firefox: (1) In the address bar, click the shield icon on the left, (2) go to the “Allowed” or “Blocked” tab, (3) click the “Cross-site tracking cookies,” “Social media trackers,” or “Content with trackers” field.

In Internet Explorer: (1) Click the “Tools” menu, (2) go to the “Internet Options” tab, (3) go to the “General” tab, (4) go to the “Settings” tab, (5) click the “View files” field.

In Opera: (1) In the address bar, click the padlock icon on the left, (2) go to the “Cookies” tab.

In Safari: (1) Click the “Preferences” menu, (2) go to the “Privacy” tab, (3) click the “Manage Website Data” field.

Regardless of the browser, this information can also be found using tools available on websites like https://www.cookiemetrix.com/ or https://www.cookie-checker.com/.

 

Most web browsers on the market are by default configured to accept cookies. However, every user has the ability to define the conditions for using cookies through their own web browser settings. Browser settings regarding cookies are significant from the perspective of consenting to the use of cookies by the Data Controller’s website. In accordance with regulations, such consent can also be expressed through web browser settings.

Example cookies used on the Data Controller’s websites:

Hotjar from Hotjar Limited

Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta.

Hotjar monitors information such as time spent on individual pages, buttons and links you click, subpages discovered, and their sequence. We use this service to optimize our website, considering user preferences and behavior, which constitutes the realization of our legitimate interest. Hotjar uses cookies and other technologies, like video recording, to collect information about on-site behavior and devices used to access the site. It obtains an anonymized IP address, screen size, browser information, location, and language. Hotjar pseudonymizes the data. For more information, see Hotjar’s privacy policy: https://www.hotjar.com/privacy/.

Server Logs

Using the website involves sending requests to the server where our site is hosted. Each request directed to the server is saved in the server logs. Logs include, among other things, the IP address, server date and time, and information about the web browser and operating system you are using. Logs are saved and stored on the server. Data saved in server logs are not associated with specific individuals using the website and are not used by us for identification.

With the highest regard for the protection of your personal data, we have developed a personal data protection project at Labplus S.A. We assure you that the actions taken by the Data Processor to effectively and fully protect the personal data entrusted to us are necessary, compliant with national and EU law, and adequate to your needs and ours.

Below are documents for download that will familiarize you with the topic of personal data protection or facilitate contact with us regarding the protection or changes to your data processed by us.

I) Information clauses: i.e., who manages your data, for what purpose, for how long, and what your rights associated with this are. If you have any questions regarding the content of the clauses or their application, please contact us via email at the email addresses provided in the clauses.

II) Documents for exercising rights. Information about the obligations, rights of individuals whose data is processed, and information about the protection of your personal data.

Here you will find all necessary information regarding the possibility of submitting your comments, orders, reservations, and inquiries regarding your personal data administered by us, along with submission instructions.

A sample document for exercising your rights, including reporting changes to personal data, correcting data, deletion, withdrawal of consent, and other actions that you may instruct the Administrator to perform.