M. SKŁODOWSKA-CURIE‘S GREATER POLAND CANCER CENTRE
PRIVACY POLICY
Greater Poland Cancer Centre (GPCC) pays particular attention to privacy policy of all patients, employees and other people (hereinafter referred to as users) who visit GPCC’s websites. For the confidentiality and ensuring data safety purposes, GPCC developed data processing rules in the form of Privacy Policy that deal with its collection, modification, removal, and sharing. Other significant topics concerning user’s privacy have been addressed in the hereby rules including strategy of personal data protection and the option of data selection and its use. The following information is easily accessible on homepage and at the bottom of each GPCC’s website. GPCC strictly enforces compliance with rules stipulated herein.
We kindly advise you to acquaint yourself with the content of Privacy Policy before using our website. In case of absence of consent for conditions contained in the Privacy Policy the user should leave GPCC’s websites. This statement is applicable to all websites and domains, which belong to GPCC, except for GPCC’s specific websites, on which other statements on data protection, overruling this one, are applicable.
Data collection rules
GPCC websites may be used without entering personal data. However, users on some websites may be asked to enter some data for identification purposes. Typically, such data is required during enrollment for health services, praticipation in led by GPPC scientific-didactic events (especially workshops, trainings, conferences) or in cases when a user decides to enter personal data allowing GPCC to establish contact with him/her. GPCC requests only such data that is essential for website functioning. However, if the user decides not to enroll or not to enter personal data then he/she may use GPCC websites. However, the access to sections that require enrollment will not be granted.
During data collection process GPCC abides by the existing legal regulations, in particular adapts to all restrictions and bans implemented by the legislator.
The following data categories may be distinguished based on criterion on data acqusition, including:
- data obtained during enrollment in order to carry out scientific-didactic activity,
- data obtained during e-registration for health services,
- data obtained automatically,
- data obtained when the user contacs GPCC,
- data obtained for questionnires.
IMPORTANT NOTICE!!!
The users are requested to provide accurate data and data that they have and may use at their disposal.
Data obtained during registration in order to carry out scientific-didactic activity.
The users of conducted scientific-didactic activity may be asked during registration to provide data such as: name, surname, scientific title, address, telephone numer, fax numer, e-mail address, user identifier, date of birth, sex, name and address of the institution/company (name of department, country, city, zip code, street name), name of society of which a given user is a member, specialization, English level, career information: professional/scientific), CV (completed courses, professional and scientific experience). Registration is compulsory for the user who wants to take part in organized by the GPCC scientific-didactic events. Data obtained during registration will be used to enable the user log in to a website dedicated to a given scientific event, to send a newsletter upon consent given and supervision on proper functioning of a conducted activity.
In case of registration for scientific-didactic event and payment requirement for an event the following data is collected: payment data, payment status, payment method (card, transfer, on site), payment date and alternatively invoice data i.e., company/institution name, address, zip code, city, country, VAT identification numer, REGON numer, VAT exemption, tax payer data (natural person/ company).
Other required data, essential for proceeding a payment, the user enters on website dedicated to payment only. Such data is stored in database providing payment services.
Data collected during e-registration for health services
During e-registration for health services user’s name, e-mail address are required and the following patient’s data: name, surname, PESEL numer, sex, date and place of birth, telephone numer, place of residence (street number, city, district, voivodeship, county, zip code). The condition legalizing acquisition of the above-mentioned data is an Act of 6 November 2008 on Patient’s Rights and Patients Ombudsman. The user deliberately and voluntary enters the above-mentioned data in order to register for health services. Data collected during registration will be used solely to enable the user log in to GPCC’s e-registration, including scheduling, cancelling or changing the date of a visit. Registration is compulsory when a given user wans to register electronically for health services.
Data collected automatically
During user’s visit on GPCC’s websites, data concerning each user’s visit is collected, in particular:
- IP addresses of devices, which connect with GPCC’s websites,
- IP address of user’s internet service provider,
- type, version and installed browser plug-ins,
- country, from which the user logs in,
- operating system name,
- resolution and monitor screen type,
- visit duration,
- website addresses which are visited by the user (within GPCC’s website),
- website address from which a given user entered GPCC website (if it was a browser then a key word entered in the search field, which is included in the link),
- external website addresses which a given user visited through a link placed on GPCC websites,
- information on downloaded documents from GPCC websites.
Information communicated by the user’s browser do not allow for his/her identification. GPCC collects such data in order to produce general statistics concerning GPCC’s usage by its users, which allows for solid estimation of the level of users interest and development of websites and also diagnosis of problems connected with the server and analysis of a potential breach of security.
Data collected when the user contacts GPCC
When the user contacts GPCC through its website, telephone, e-mail then transfers data to GPCC e.g., name, surname, e-mail address, etc., Data collected during correspondence between the users and GPCC will be used solely for ad hoc aims i.e., replies to queries asked or providing information according to the Privacy Policy.
Data collected for questionnaires
Proposals to take part in questionnaires appear periodically on GPCC’s websites. Data required to be entered may encompass the following data, including contact details (name, surname, name of institution/organization, name of department, e-mail and shipping address), demographic data (country, city) or profile data (age, education, position, job). Filling in the questionnaires is always voluntary. Data collected in such a way will be processed annonymously for statystical analysis or for monitoring purposes and for improvement of services provided by GPCC’s webiste.
Data of persons who do not have full legal capacity
GPCC mentiones that it does not collect or monitor the data, which would enable whether a given user has legal capacity. The above mentioned persons should not use the services provided by the GPCC, unless their legal represenatives give consent for it and such consent will be sufficient in the light of applicable law.
Prerequsites legalizing user’s data processing
The basis for personal data processing collected by GPCC websites is a consent given by users and law regulations authorizing for data processing essential for realization of services provided by the GPCC and for contact with the user within conducted activity, in particular:
- Act of 6 November 2008 on Patient’s Rights and Patients Ombudsman
- Act of 15 April 2011 on Medical Activity,
- Act of 28 April 2011 on Healthcare Information System,
Act of 17 February 2005 on Informatisation of Activities of Entities Performing Public Tasks,
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The user using GPCC’s websites or transferring data gives consent to processing of personal data (operation or set of opeartions performed upon personal data or sets of personal data by automated means or non-automated means like: collecting, recording, organizing, arranging, storing, adapting or modyfying, downloading, reviewing, using, disclosing through sending, disseminating or otherwise making available, matching or linking, limiting, erasing or destroying) in a way indicated inhereby Privacy Policy. If, however, the user does not give consent for data processing in a way stipulated in Privacy Policy, then is required to stop using GPCC websites.
GPCC provides the user with a posibility to erase his/her data on demand and also in other cases i.e., based on the provisions of the existing law in particular. GPCC may, however, refuse to erase data, particularly when the law requires so or whenthe user has not settled all amounts payable to GPCC (e.g., payment for participation in scientific-didactic event, etc.,) and data storage is essential for clarification of a given case.
Security of the processed data
All data entered by the user through GPCC websites is stored and secured according to the Privacy Policy and in line with both appropriate security measures and preservation of confidentiality, in particular:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
- Act of 18 July 2002 on Providing Services by Electronic Means
- Act of 17 February 2005 on Informatization of Activities of Entities Performing Public Tasks
- Branch Acts within the scope of medical law.
GPCC guarantees that it makes every effort in order to provide security of processed data. Therefore:
- implements security measures both organizational and technical, which main tasks are security of processed data relevant to hazards and data categories under protection. GPCC particularly protects data against making it available to third parties, unauthorised takeover, processing with violation of the Act as well as against any change, removal, damage or destruction,
- keeps a record of how data is processed and means mentioned above,
- data processing is allowed only by authorised persons and instruction to do so by the personal data administrator,
- provides control over which data, by whom it was entered to the system, and to whom it was transferred,
- keeps record of persons authorised to data processing.
User IDs
GPCC provides access control mechanism to websites on which user’s data is processed. Such data may be exclusively accessed using user’s unique ID and after completed authentication. The user’s ID that lost entitlement for data processing is not assigned to other person.
Authentication
Access passwords are secured in a way to prevent its usage by third parties. All passwords are encrypted, thus there is no possibility to see them through. It is recommended to use minimum 8 characters, including small and capital letters, special characters and digits. All passwords to accounts should be stored in a safe place. You must not reveal them to third parties. If there is suspicion that the password was used in an unauthorised way the GPCC’s websites administrators should be informed about the situation.
The right of access to personal data
The rights of access to personal data of the users were limited in a restricted way by the GPCC. The full control is exercised over the process of data processing to prevent the data from becoming accessible to unauthorised persons. The number of people was limited to the essential minimum necessary for proper running and administration of GPCC’s websites. These persons were granted authorisation and instruction on data processing given by the Information Security Administrator, and since May 25th 2018 GPCC’s Data Protection Supervisor on behalf of Personal Data Administrator and were entered to a record for persons authorised for data protection in Greater Poland Cancer Centre.
Backups and data archiving
Data collected by the GPCC websites is subject to regular archiving. The data is stored until it is necessary to deliver a service (conference, training, workshop, e-services of health benefits) no longer than it is required by the rules of law. Backup copies are localised on high quality equipment in properly secured rooms to which the access is limited (access only for authorised persons) and fully controlled.
Protection against power failure
Users data processed by the GPCC is secured in a way to minimalise the risk of its loss in case of power supply failure or disruptions in the power network.
Protection against software which aim is to gain unauthorised access
GPCC uses antivirus software updated on daily basis, which lowers the risk of losses caused by computer virus.
Software update
In order to minimalise the impact of data security risk, the GPCC systematically updates operating systems and software by reducing the created gaps and making the data processing process safer at the same time.
Network traffic logbooks
GPCC uses software responsible for network traffic monitoring and unauthorised access to data, detection of computer viruses and other programs, which aim is to gain unauthorised access to data. The above software is used in GPCC exclusively for the purposes of secure data processing of the GPCC’s website users.
User responsibility
GPCC uses organisational and technical measures securing user’s personal data to protect against unauthorised access by third parties. In spite of the above, it may not fully guarantee to completely exclude the risk of unauthorised use of personal data against unauthorised access by the third parties (e.g., hackers). GPCC is not responsible for data security breach, which remains beyond GPCC’s control. It is recommended for GPCC’s users, who enter and share their personal data, to obey by the security rules of computer networks according to GDPR (General Data Protection Regulation).
SSL Certificate
GPCC uses many various organizational and technical measures during data processing such as personal data collected during e-registration in order to secure personal data against unauthorised access, use and disclosure and providing its integrity.
Data trasmitted on the internet is encrypted using commonly used encrypted connection SSL (Secure Socket Layer). SSL protocol secures the process of data transmission through Internet thanks to encrypting data leaving the browser and its decryption after reaching GPCC’s server safely. Similarly, the data is encrypted before sending it out on the Internet during transmission in the opposite direction, i.e., to the user, and after reaching the destination it is decrypted.
Moreover, for the purposes of additional personal data protection on the Internet, all GPCC’s forms collecting personal data (conferences, trainings, workshops) are gradually changed for those using SSL protocol, which significantly increases the data transmission security on the Internet. Once the user connects with the secure website, the user is informed that the connection is secured thanks to SSL protocol.
Data sharing and transmission
GPCC does not transfer (does not sell, does not lease) and does not share the data with third parties. However, in certain and limited situations, data transmission may happen:
- when the user allows for that,
- when it is required by law to share the data with the entities including judicial authorities,
- when it is essential for the purpose of providing services,
- when it is aimed at helping to fight fraudsters, illegal or detrimental actions or GPCC’s employees personal safety.
- in case control of entitites authorised by the law (e.g., control by the supervisory body).
Pursuant to Article 18(6) of the Act of 18 July 2002 on Providing Services by Electronic Means, GPCC may be obliged to provide information, which is processed in order to implement the provisions of the agreement between the user and GPCC, upon request authorised by law relevant authorities for the purposes of conducted proceedings.
In case of such situations, GPCC takes appropriate steps in order to secure user’s personal data.
GPCC as administrator within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) may contractually delegate personal data processing collected by its website services to other entities based on art.28 of General Data Protection Regulation.
Use of cookies
In order to improve the functioning of GPCC’s websites the cookies or similar are used. Cookies are small text files, which are transmitted by the server/ website to the internet browser or other user’s device, stored on local hard drive of the website user.
The cookies are used mainly for the indentification of the user’s browser when the user uses the wesbite in a way needed for the realisation of some functions on the website, and also allow the administrator a better adjustment of the website to the individual preferences and interests of the user, they also enable to perfect the navigation and content of the website. The data stored in cookies does not cause configuration changes in the final device or software installed on this device.
According to art. 173 of the Act of 16 July 2004 of Telecommunications Law saving all text files on the user’s PC drive is allowed as long as the user will be previously informed. Cookies work when the user accepts to the appropriate option on Interner browser and then the files (cookies) are not deleted. In most cases no configuration changes of the internet browser are required on the part of the user, as default configuration cookies are conventionally accepted. The user may however specify the way of dealing with the obtained cookies. The user may block them totally or set settings allowing every time to decide or accept cookies coming from a given website. There are functions available in configuration options of the internet browser. In order to find out more about these functions you need to acquaint yourself with the browser’s manual.
GPCC websites do not use cookies in order to obtain confidential data and personal data of internet website or access passwords and data, which will enable user identification.
During GPCC’s website visit cookies are saved on the user’s PC (the name of currently used language version of the website, the information allowing for session identification) for the following purposes:
- better adjustment of the websites to user’s needs,
- the creation of internet surveys and securing them against multiple voting by the same people,
- maintaining the user’s session (after log in), thanks to which the user does not need to enter user’s name and password on every website.
Web-links with other websites. Exclusion of accountability
GPCC websites may contain links to other websites of external units, not managed by GPCC and published for the information and convenience purposes of the users. It should be noted that GPCC does not control these websites, is not responsible for confidentiality rules, or the content of the websites and information collected on them. The content on these websites is subject to copyright belonging to its creator and is protected by copyright laws. GPCC encourages to familiarise yourself with the Privacy Policy of each website visited, before using the services on such websites, because they may be different from the rules used by the GPCC. The GPCC’s Privacy Policy is not applicable to data, which the user decides to enter to external units.
Unannounced messages
GPCC reserves the right to send the unannounced messages to people, whose contact data it possesses and who accepted the hereby Privacy Policy. Under the definition of unannounced messages GPCC implies that the information are with limited volume and topic and are strictly connected with the conducted scientific-didactic activity (e.g., e-mails dealing with user’s data verification with a request to confirm the data, e-mails connected with changing the date of an event or payment notifications and connected with providing health services (e.g., change of e-registration date).
Change of personal data and obligation of the right to inform and control the processed data.
Each person, whose data is processed on GPCC’s websites has the right to access his/her data, to change, to control and obtain information about processing rules (art. 13-15 GDPR). Information Clauses have been described on GPCC’s website (www.wco.pl) on Information Security tab/ Personal Data Information Security.
Questions, remarks and opinions on Privacy Policy
All comments, remarks and opinions on GPCC’s Privacy Policy and issues connected with personal data security and privacy are very important and valuable for Greater Poland Cancer Centre.
Thus, in case of any queries or doubts connected with the above issues all users visiting GPCC’s websites may contact Data Protection Supervisor at daneosobowe@wco.pl or using regular post address:
Greater Poland Cancer Centre
15 Garbary
61-866 Poznań
With annotation Information Security Administrator, and since May 25th 2018 Data Protection Supervisor.
Changes to the Privacy Policy
GPCC’s assumption is providing the highest level of security of the offered services and obtained data through GPCC’s websites. Technological progress and changes of the regulations of law and GPCC’s development cause that GPCC reserves the right to extension, change, update and modification of the above Privacy Policy at any time and without prior notice. After each significant change in Policy Privacy its new version will be published on GPCC’s website with the updated date of issue and appropriate information on the change. In order to avoid an omission of any change to the Privacy Policy, the users should visit the website periodically and browse through through the actual version of the Policy as by visiting the website, the users accept the practices discussed in the hereby Policy.
The actual version of Privacy Policy applies to every GPCC website user.
Latest update: April17th 2018
For reasons of users’ data security processed withing GPCC’s websites, and especially for the purposes of protecting data from its disclose to non-authorised persons, acquiring it by an non-authorised person with, processing with violation of regulations of law and change, removal, damage I hereby approve this Privacy Policy of Greater Poland Cancer Centre.
Poznań, 17-04-2018
Prof. Julian Malicki
Director of Greater Poland Cancer Centre