Privacy Policy
This Privacy Policy sets out the rules for the processing of personal data in connection with the use of the website operated by Cogito Realizacje Sp. z o.o. and fulfils the information obligation arising from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: GDPR).
1. Controller of personal data
The controller of your personal data is:
Cogito Realizacje Sp. z o.o.
Witoldów 3, 62-817 Żelazków
KRS: 0001089357 · NIP: 9681011126 · REGON: 527845502
E-mail: info@cogitozdrowie.pl
2. Data Protection Officer
The Controller has not, at this time, appointed a Data Protection Officer. For all matters relating to the processing of personal data, please contact the Controller directly at the address provided above. Given the nature of the activities conducted (the processing of special categories of data within the meaning of Art. 9 GDPR — see Section 6), the Controller periodically reviews the obligation to appoint a DPO under Art. 37(1)(c) GDPR.
3. GDPR information clause — summary
Controller: Cogito Realizacje Sp. z o.o., Witoldów 3, 62-817 Żelazków.
Purposes of processing: responding to enquiries, conducting physician recruitment processes, supporting the legalisation of professional practice and residence (including family members), and handling correspondence.
Legal basis: Art. 6(1)(a), (b), (c) and (f) GDPR; for special categories of data — Art. 9(2)(a), (b), (f) GDPR.
Recipients of data: providers of hosting and e-mail services, legal and accounting service providers, and state authorities to the extent required by law.
Retention period: from 12 months to 5 years depending on the category of data — detailed in Section 10.
Your rights: access, rectification, erasure, restriction, portability, objection, withdrawal of consent.
Complaint: President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warszawa.
Full information is provided in the remainder of this document.
4. Purposes and legal bases of processing
We process your personal data for the following purposes:
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Responding to enquiries made by telephone or e-mail, and conducting correspondence | Art. 6(1)(f) — legitimate interests pursued by the Controller (providing responses) |
| Conducting recruitment processes and supporting the legalisation of a physician's professional practice and residence | Art. 6(1)(b) — steps taken at the request of the data subject prior to entering into a contract and the performance thereof |
| Fulfilling legal obligations incumbent on the Controller (tax regulations, HR documentation, archiving) | Art. 6(1)(c) — legal obligation |
| Ensuring website security, maintaining server logs, technical statistics | Art. 6(1)(f) — legitimate interests |
| Handling functional cookies (remembering the choice made in the banner) | Art. 6(1)(f) in conjunction with Art. 173(3) of the Electronic Communications Act — essential cookies do not require consent |
| Possible establishment, exercise or defence of legal claims | Art. 6(1)(f) — legitimate interests |
5. Scope of data processed
Depending on the form of contact with the Controller, we process the following categories of personal data:
- identification and contact details provided by you voluntarily (first name, surname, e-mail address, telephone number);
- the content of correspondence and any attachments sent to the Controller;
- technical data associated with your visit to the website (IP address, session identifier, browser and operating system information, timestamp, addresses of the pages from which you were referred);
- where cooperation regarding employment is established — data resulting from professional documentation (diploma, documents confirming the Medical Practice License (right to practice medicine), official certificates, identity documents, residence documents).
The provision of data is voluntary; however, failure to provide it may make it impossible to provide a response or to carry out the recruitment process.
6. Special categories of data (Art. 9 GDPR)
In connection with carrying out the procedure for the recognition of professional qualifications and obtaining the Medical Practice License (right to practice medicine), the Controller may process personal data falling within the special categories within the meaning of Art. 9(1) GDPR. This applies in particular to:
- data concerning health — to the extent of medical certificates and rulings required by the District Chamber of Physicians, the Ministry of Health and other authorities in the procedure for obtaining the right to practice medicine;
- image data contained in identity documents (passport photographs and photographs in residence documents) — processed solely for the purposes of identification in official proceedings, without the use of biometric recognition techniques within the meaning of Art. 4(14) GDPR.
Legal basis for processing special categories of data:
- Art. 9(2)(a) GDPR — the explicit consent of the data subject, given unambiguously prior to the commencement of processing;
- Art. 9(2)(b) GDPR — the carrying out of obligations and the exercise of specific rights by the Controller or the data subject in the field of employment, social security and social protection law, in so far as it is authorised by law;
- Art. 9(2)(f) GDPR — where processing is necessary for the establishment, exercise or defence of legal claims.
The Controller applies enhanced security measures to such data: encryption of connections, access restricted exclusively to persons authorised in writing, the maintenance of a record of processing activities, and the prompt deletion of data once the purpose of processing has ceased.
7. Family members' data
As part of the comprehensive support for the legalisation of a physician's residence, the Controller may also process the personal data of the physician's family members (spouse, children, other dependants) — to the extent necessary to handle matters relating to the legalisation of residence and work permits.
The processing of family members' data is carried out on the basis of:
- Art. 6(1)(a) GDPR — the consent of the data subject (consent is obtained directly from an adult; for minors — from a parent or legal guardian);
- Art. 6(1)(f) GDPR — the legitimate interests of the Controller, consisting in the provision of comprehensive customer service to the physician-client, including support for the legalisation of his or her family's residence.
The Controller fulfils the information obligation towards family members in accordance with Art. 14 GDPR — providing them with the information clause at the first contact (by e-mail, in writing, or via the physician, who is contractually obliged to deliver it on the Controller's behalf) no later than one month after obtaining the data. The physician who transfers the family members' data warrants that he or she has previously obtained their consent to do so and has informed those persons of the identity of the Controller and the means of contacting the Controller. The text of the Privacy Policy is made available to family members upon their request.
8. Recipients of data
Your personal data may be disclosed to the following categories of recipients:
- home.pl S.A., with its registered office in Szczecin — provider of website hosting and e-mail services;
- entities providing the Controller with legal, accounting and advisory services — on the basis of concluded data processing agreements;
- state authorities and entities authorised under the law — solely to the extent and for the purpose arising from those provisions.
The Controller has concluded a data processing agreement with home.pl S.A. in accordance with Art. 28 GDPR. With the remaining entities to which data processing is entrusted, the Controller concludes separate written data processing agreements meeting the requirements of Art. 28(3) GDPR.
The Controller does not sell, lease or share your personal data for marketing purposes.
9. Transfer of data outside the European Economic Area
The Controller does not actively transfer your personal data outside the European Economic Area (EEA). Correspondence conducted with persons located outside the EEA (e.g. in Ukraine) takes place via standard channels of electronic communication (e-mail, telephone) and does not constitute a systematic transfer of data within the meaning of Chapter V of the GDPR. Should this principle change (e.g. upon a change of hosting service provider), the Controller will update this Policy and provide the appropriate safeguards required by the GDPR (Art. 46–49).
10. Data retention periods
- server logs — up to 12 months from the date of registration;
- correspondence and contact details provided as part of general enquiries — up to 12 months from the conclusion of the matter, unless a longer period is required by law or by the need to defend claims;
- documentation of the recruitment and legalisation support process — for the period necessary to perform the contract and for the period resulting from the statute of limitations for claims (typically up to 6 years for consumer claims and up to 3 years for business claims in accordance with Art. 118 of the Civil Code);
- accounting and tax documents — for the period required by law (as a rule, 5 years from the end of the accounting year);
- functional cookies — up to 12 months or until they are deleted by the user.
11. Your rights
In connection with the processing of personal data, you have the following rights:
- access to the data and the right to obtain a copy (Art. 15 GDPR);
- rectification of inaccurate data or completion of incomplete data (Art. 16);
- erasure of data — the "right to be forgotten" (Art. 17);
- restriction of processing (Art. 18);
- data portability (Art. 20);
- objection to processing carried out on the basis of legitimate interests (Art. 21);
- withdrawal of consent at any time, where processing is based on consent — without affecting the lawfulness of processing carried out prior to its withdrawal.
Rights are exercised upon a request submitted to the Controller by e-mail or in writing at the address of its registered office. The Controller responds without undue delay and no later than one month after receipt of the request.
Notwithstanding the above, you have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.
12. Profiling and automated decision-making
The Controller does not take decisions in an automated manner and does not engage in profiling within the meaning of Art. 22 GDPR.
13. Cookies
The rules for the use of cookies are described in a separate document: Cookies Policy.
14. Data security
The Controller applies technical and organisational measures appropriate to the risk, in particular: encryption of connections (HTTPS), control of access to systems, regular software updates and a backup policy. Despite exercising due diligence, the Controller cannot guarantee full protection against all threats associated with the use of the internet.
15. Changes to the Privacy Policy
The Controller reserves the right to amend this Policy in the event of changes in applicable law, technology or the scope of business activities conducted. The current version of the Policy is published on the website with the date of the last update indicated at the beginning of the document.
Language versions. If there is any inconsistency between the Polish version of this document and its translation into another language, the Polish version shall prevail. Translations are provided for informational purposes only.
16. Contact
For any questions concerning this Policy or the processing of personal data, please contact us at: info@cogitozdrowie.pl or in writing at the registered address of the Controller.