Contractor’s Information regarding personal data protection
Processing of Personal Data by the Contractor is regulated by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“the Regulation“).
The personal data controller in relations to personal data of the Guardian / Student within the scope of the Regulation is EpiXpert sp. z o.o. with its headquarters in Warsaw, 00-014 Warszawa, ul. Stanisława Moniuszki nr 1A, firstname.lastname@example.org („Controller”).
Personal data of the Guardian / Student are obtained by the Controller from these persons, and to the extent that allows the Guardian / Student to be identified as persons related to the school run by Akademeia High School sp. z o.o. with headquarters in Warsaw, św. Urszuli Ledóchowskiej 2, 02-972 Warsaw, entered into the Register of Entrepreneurs of the National Court Register under entry number 0000638796 (“Company”), have been obtained from the Company.
Personal Data will be processed for the purpose of providing by the Controller to the Student medical care services and mitigation of epidemic risk, and in the event of obtaining the appropriate consent of the Guardian / Student – to provide epidemic support services to the Company.
The legal basis for data processing is:
- the consent of the data subject (Article 6 (1) (a) of the Regulation and Article 9 (2) (a) of the Regulation) – with regard to data on epidemic risk, including a positive result of tests for COVID-19 that may be transferred to the Company;
- processing is necessary for the performance of the Agreement (Article 6 (1) (b) of the Regulation), including a medical diagnosis (Article 9 (2) (h) of the Regulation) – in terms of identification and contact details of the Guardian and the Student, behavioural data entered into the Application and COVID-19 testing data,
- processing is necessary to fulfil the legal obligation incumbent on the administrator (Article 6 (1) (c) of the Regulation) – in the scope of data entered into the medical documentation of the Student kept by the Controller, as well as data provided to the appropriate state sanitary inspector,
- processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 (1) (f) of the Regulation) – in the scope of data necessary for accounting records, settlements under the Agreement and pursuing claims or protection against claims.
The recipients of personal data will be: the Guardian, the Student, the Company – subject to and within the scope of the consent given by the Guardian, the appropriate state sanitary inspector – in the case of confirmed infection, other appropriate state authorities – in cases specified by law, as well as entities entrusted by the Controller with data processing personal.
Personal data will not be transferred to a third country or an international organization. The Controller uses data storage services on servers located only in European Union countries.
Personal data in the scope covered by medical documentation will be kept for the period of storing medical records specified by law. Personal data in the scope covered by the accounting documentation will be kept for the period of storing the accounting documentation specified by law. For the remaining scope, personal data will be stored for the period of limitation of claims.
The Guardian (Student) has the right to request the Controller to access the personal data of the data subject, rectify it, delete or limit processing, as well as the right to object to the processing, as well as the right to transfer data.
In the case of personal data processed on the basis of art. 6 sec. 1 lit. a of the Regulation or art. 9 sec. 2 lit. a of the Regulation – the Guardian (Student) has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
The Guardian (Student) has the right to lodge a complaint with the supervisory body: the President of the Office for Personal Data Protection.
Providing personal data is a contractual requirement, the data subject is not obliged to provide them, but without providing them, it will not be possible for the Controller to perform the Agreement.
The data entered into the Application are subject to automated decision-making referred to in art. 22 sec. 1 and 4 of the Regulation, which consists in determining the epidemic risk level based on medical knowledge and the results of testing for COVID-19. The consequence of such processing may be, in the case of transferring this data, only on the basis and within the limits of the Guardian’s consent, to the Company, the prohibition to participate in stationary education for a specified period, resulting from the internal rules of the Company.