Privacy policy

COMMON PROVISIONS

ADMINISTRATOR, CONTACT

The administrator of the personal data described in this Privacy Policy is Labplus Spolka Akcyjna, registered office address: 41 Strzelińska Street, 55-010 Żerniki Wrocławskie, registered in the National Court Register under the number 0001018188; holding NIP number 8961622267; Regon 524450039 Contact regarding data protection is possible by mail to the address: ul. Strzelińska 41, 55-010 Żerniki Wrocławskie or by e-mail rodo@labplus.pl.

PRINCIPLES OF PERSONAL DATA MANAGEMENT

The controller shall take special care to protect the interests of the persons whose personal data it processes and, in particular, shall be responsible and ensure that the data it collects are: 

I) processed in accordance with the law; 

II) collected for specified, legitimate purposes and not subjected to further processing incompatible with those purposes; 

III) substantively correct and adequate in relation to the purposes for which they are processed;

IV) stored in a form that does not allow identification of the data subjects by third parties and kept for no longer than is necessary to achieve the purpose of the processing and;

V) processed in a manner that ensures appropriate security of personal data,
including protection against unauthorised or unlawful processing, accidental loss, destruction, damage or access by means of appropriate technical or organisational measures.

VI) Taking into account the nature, scope, context and purposes of the processing and the risk of infringement of the rights or freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures so that the processing is carried out in accordance with the RODO Regulation, the Act and the safety of the data subjects. These measures shall be reviewed and updated. The Controller shall apply technical measures to prevent the acquisition and modification by unauthorised persons of personal data transmitted by terminal means of electronic communication. 

RIGHTS OF THE DATA SUBJECT

  1. Anyone whose data we process has the right to: 

I) access, rectification, restriction, erasure or data portability i.e., the “right to be forgotten” or restriction of data processing, and has the right to object to processing, and has the right to data portability. The detailed conditions for exercising the rights indicated above are indicated in Articles 15-21 of the RODO Regulation;

II) withdraw consent at any time – a person whose data is processed by the Controller on the basis of expressed consent (on the basis of Article 6(1)(a) or Article 9(2)(a) of the RODO Regulation), then he/she has the right to withdraw consent at any time without affecting the
lawfulness of the
processing performed on the basis of consent before its withdrawal;

III) lodge a complaint to the supervisory authority – the person whose data is processed by the Controller has the right to lodge a complaint to the supervisory authority in the manner and mode specified in the provisions of the RODO Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Office for Personal Data Protection;

IV) Objection – the data subject has the right to object at any time – on grounds relating to his or her particular situation – to the processing of personal data concerning him or her based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the controller), including profiling on the basis of these provisions. In such a case, the controller shall no longer be allowed to process these personal data unless the controller can demonstrate the existence of compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or grounds for the establishment, exercise or defence of claims;

V) Objection to direct marketing – where personal data are processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling, to the extent that the processing is related to such direct marketing.

2. In order to exercise the rights referred to in paragraph 1 above of the Privacy Policy, the Administrator may be contacted by sending an appropriate message in writing or by e-mail to the Administrator’s address indicated at the beginning of the Privacy Policy or by using the contact form available at www.labplus.pl.

3. In the event of a breach of data protection regulations, the data subject may lodge a complaint with the President of the Office for Personal Data Protection. After the investigation of the case, the President of the Office – if there has been an infringement – by means of an administrative decision, orders the restoration of the lawful state. A complaint to the President of the Office may be lodged by an individual if the incorrect data processing concerns his/her personal data. However, exercise your rights before lodging a complaint with the Office. The controller is obliged to respond to your request as soon as possible – within a maximum of one month. If, for some reason, this is not possible, he or she must inform you why he or she is extending the deadline for a response by a maximum of another two months. Also, within one month, the Administrator should inform you that the request has not been complied with and the reasons for this. If the Administrator ignores your request or the response is not satisfactory to you, you can lodge a complaint with the Authority. Read the Authority’s detailed information on the exercise of rights: https://uodo.gov.pl/pl/383/579, and remember that rights do not necessarily apply in every situation. They may, for example, be limited by Polish law.

TRANSFER OF DATA TO THIRD COUNTRIES

The transfer of data of which the Administrator is the controller to third countries and international organisations may only take place if the conditions provided for in Chapter V of the RODO are met. 

Transfers of data to third countries may take the form of:

  • entrusting the processing of personal data;
  • sharing of personal data;

– which means that, depending on the type of transfer, the rodo provisions of the data entrustment or sharing agreement must also be taken into account.

A transfer of personal data to a third country may take place if the European Commission has issued a decision that the third country, territory or specific sector(s) within that third country or the international organisation concerned ensures an adequate level of protection. Such transfers do not require a specific authorisation.

In the absence of a decision by the European Commission as referred to above, the transfer of personal data to a third country is possible when the Controller provides adequate safeguards himself and provided that enforceable data subject rights and effective legal remedies are in place. Adequate safeguards can be provided by:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules approved by the supervisory authority and applicable to each member of a group of undertakings or a group of undertakings carrying on a joint economic activity;
  • standard data protection clauses adopted or approved by the European Commission;
  • standard data protection clauses adopted by the supervisory authority and approved by the European Commission;
  • an approved code of conduct with binding and enforceable obligations on the controller or processor in the third country to apply appropriate safeguards, including in relation to the rights of data subjects, 

or

  • an approved certification mechanism with binding and enforceable obligations on the controller or processor in the third country to apply appropriate safeguards, including in relation to the rights of data subjects. Subject to the authorisation of the competent supervisory authority, the appropriate safeguards referred to above may be ensured in particular by means of:
  1. contractual clauses between the Controller or processor
    and the Controller, the processor or the recipient of the personal data in a third country or an international organisation, or
  2. the provisions of administrative arrangements between public authorities or bodies
    which will provide for enforceable and effective rights for data subjects.

In specific cases, it is permissible to transfer personal data to a third country despite the absence of the decision of the European Commission referred to above and without ensuring adequate safeguards as described above. These special cases include the transfer of data provided that:

  • the data subject, having been informed of the possible risks that the proposed transfer may entail for him or her, gives his or her explicit consent to the transfer,
  • the transfer is necessary for the performance of a contract concluded with the data subject,
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject,
  • the transfer is necessary on important grounds of public interest,
  • the transfer is necessary due to the claims held,
  • the transfer is necessary to protect the vital interests of the data subject or the transfer will be from a public register.

As a general rule, the Administrator does not transfer your data to third parties. The server and support services’ lessor has guaranteed the support tools’ location within the EU and EEA. However, in the context of the Administrator’s use of tools to support day-to-day operations provided, for example, by Google, your Personal Data may be transferred to a country outside the European Economic Area, in
particular to the United States of America (USA) or another country in which an entity cooperating with it maintains tools for processing Personal Data in cooperation with the Administrator.
Adequate safeguards for processing Personal Data outside the EEA are guaranteed by using external data processing agreements based on standard contractual clauses that meet the requirements of the RODO. The description and scope of the standard contractual clauses are provided by the providers of external software and tools:

THE TIME LIMIT FOR DELETION OF PERSONAL DATA OF THE DIFFERENT TYPES

LP TYPE OF PROCESSING ACTIVITY  DATA CARRIERS  TIME LIMIT FOR DATA PROCESSING THE EVENT FROM WHICH THE TIME FOR ERASURE IS CALCULATED
1 Recruitment of staff CV, resume, application form For the duration of the recruitment

– if the person consents, also in future recruitments.

After recruitment immediately, if the person consents, after future recruitment (up to 3 years from the last recruitment)
2 Internships/traineeships Internship documents, contract, cv 10 years Since the end of the contract
3 Zatrudnienie Subsidised training/courses, civil law contracts with the employee, documentation related to the handling of benefits, e.g. multisport card, course of occupational diseases/ 10 years or 50 years Since the end of the employment contract. 

Note: With regard to employment relationships that were established before 1 January 2019, the retention period of employee records should be determined on the basis of the provisions in force before that date (Article 7(2) of the Act of 10 January 2018 amending certain acts in connection with the shortening of the retention period of employee records and their electronicisation – Journal of Laws of 2018, item 357). This means that employee records relating to this period must be kept for 50 years, counting from the date of termination of employment with the employer – for personnel records; production – for payroll records. 

CV, resume, employee documentation (personnel file). 10 years or 50 years
Other documents e.g. quarterly assessments. 3 years
4 Civil law cooperation agreements Contract, additional documents e.g. subsidies, fringe benefits e.g. multisport. 10 years or 50 years Termination of contract
5 Accidents at work Description of the accident, supporting documents. 10 years The day of the incident – the accident
6 Commercial contracts with individuals Contract, orders, e-mail correspondence, executive documentation. 3 years Termination of service, contract termination
7 Commercial contracts with traders Contract, orders, e-mail correspondence, executive documentation. 3 years Termination of service, contract termination

 

FINAL PROVISIONS

The Administrator’s website may contain links to other websites. The Administrator urges that when you go to other sites, you should read the privacy policy established there. This privacy policy applies only to www.labplus.pl


PART A

For:

  1. users of the www.labplus.pl website – visitors to the site using the contact form; 
  2. users of our other websites and those of our cooperators, if referred to this Privacy Policy.

WHERE DO WE COLLECT YOUR PERSONAL DATA FROM, AND IS IT NECESSARY?

  • By visiting the Administrator’s website www.labplus.pl, www.labtestchecker.pl, or other similar websites that link to this Privacy Policy 

– you leave us information that is not personal data, but under certain circumstances, this data may become personal data, e.g., your IP address, which is stored in your browser settings, is not personal data in itself, as we cannot identify you from it. An IP address will only be considered personal data if the Administrator at the same time has access to data linking the IP address to other data identifying your person (Legal basis Art. 6(1) of the Act of 29 August on the Protection of Personal Data, Directive 94/46/EC of the European Parliament). or having the characteristics of information of a personal nature, as it is possible to identify “some natural person” from it. The Administrator has recognised that, in accordance with the principle of protection of personal data and data which may become personal data, it protects your data obtained when using the Administrator’s websites. 

Each user of the contact form provides personal information – e-mail address, telephone number, name, and surname. The content of the message may also contain information containing the user’s personal data. 

The use of the website www.labplus.pl and other websites of the Administrator is voluntary. 

With regard to making contact via the contact form, failure to provide personal data will prevent the use of the function. The provision of personal data is a requirement in this case and if the data subject wishes to use the contact form provided on the Controller’s website, he/she is obliged to provide this data. 

A detailed description of the data processed by the Controller, is indicated in the table below. 

PURPOSE, BASIS, AND DURATION OF DATA PROCESSING

Purpose of data processing Basis for processing Personal data processed Data retention period
CONTACTING THE CONTROLLER VIA THE CONTACT FORM

Contact with the Administrator,

contact form at www.labplus.pl and other websites of the Administrator

Article 6(1)(a), (b) RODO: the processing is necessary for the performance of the contract or to take action at your request prior to entering into the contract, 

 

Article 6(1)(f) RODO: the processing is necessary for purposes deriving from the legitimate interests pursued by the Administrator, e.g., marketing of its own products, keeping statistics on visits and inquiries, 

Article 9(2)(f) RODO: the processing is necessary for the establishment, investigation or defence of claims. 

Name, surname, name, contact details: e-mail address, telephone number. The provision of this data is necessary for the provision of the contact service to you. 

 

You may also provide other data not required by the Administrator as part of the message sent in the contact form and these are then processed by the Administrator with your consent and do not affect the ability to carry out a contact request on your behalf. 

For the time necessary to carry out the order on your behalf, to perform the service requested in this form, to answer your questions and for the further time necessary to protect the rights and obligations of the Administrator and you. 

 

With regard to data provided with your consent, until you withdraw your consent. 

USE AND VIEWING OF THE ADMINISTRATOR’S WEBSITE
Browsing the website Article 6(1)(a), (b) RODO: the processing is necessary for the performance of a contract or to take steps at your request prior to entering into a contract, i.e., viewing content on the website,

 

Article 6(1)(f) RODO: the processing is necessary for purposes deriving from the legitimate interests pursued by the Administrator, e.g. marketing of its own products, keeping statistics on visits and inquiries, 

Article 9(2)(f) RODO: processing is necessary for the establishment, investigation or defence of claims. 

we store information regarding the Internet browser and operating system used, the date and time of the visit as well as the IP address.

 

This data is necessary for the functioning of the sites, but we cannot attribute this data to a specific person without effort and with the current resources and functionalities of the Administrator.

We do not collect any personal data via our website without your consent, including in the form of cookie consent.

For the time necessary for the analysis of visit and traffic data on the website. With regard to data provided with consent, until you withdraw your consent.
USER ACCOUNT
User account on www.labplus.pl

– feature under development, not currently available, possible implementation from 2023. 

Article 6(1)(a), (b) RODO: the processing is necessary for the performance of the contract or to take action at your request prior to entering into the contract, 

Article 6(1)(f) RODO: the processing is necessary for purposes deriving from the legitimate interests pursued by the Administrator e.g. research statistics, medical history and test analysis results, 

Article 6(1)(c) RODO: the processing is necessary for the performance of the Administrator’s legal obligations, e.g. with regard to the activities of medical entities and the collection of medical records, 

Article 9(2)(f) RODO: processing is necessary for the establishment, investigation or defence of claims. 

IP address, data on the selection of a diagnostic test, user opinions, submitted descriptions of technical errors, registration data in the system: name(s) and surname, gender, date of birth, correspondence address, if the patient in question does not reside in Poland then the address of his or her place of residence in Poland, telephone number, e-mail address, medical history, test results.   For the time necessary to maintain your account on the system, perform the analysis service and for the further time necessary to protect the rights and obligations of the Administrator and you. 

 

With regard to data provided with your consent, until you withdraw your consent. 

 

RECIPIENTS OF THE DATA

For the proper functioning of the tools offered on www.labplus.pl and other websites of the Administrator, it is necessary for the Administrator to use the services of external entities, e.g. software provider, server lessor, web operators, programmers. The Administrator shall only use the services of processors who provide guarantees for the implementation of technical and organisational measures to protect personal data from being compromised, to a degree no less than that of the Administrator and in accordance with the RODO.

The transfer of data by the Controller does not take place automatically, to all recipients or categories of recipients indicated
in the Privacy Policy – the Controller transfers data only when it is necessary for the fulfillment of the given purpose of personal data processing and only to the extent necessary for its fulfillment.

Personal data of users of the website www.labplus.pl and other pages of the Administrator, may be communicated to the following recipients or categories of recipients:

  • service providers who supply the Administrator with technical, IT, and organisational solutions enabling the Administrator to manage and maintain the website and the contact form; 
  • providers of social plug-ins, scripts and other similar tools placed on the Administrator’s website that enable the visitor’s browser at www.labplus.pl to download content from the providers of said plug-ins;
  • providers of marketing and positioning channels, e.g. Google Ads, Google Analytics, drive tools and data clouds, e.g., Google clouds, to the extent necessary to provide the service to the Administrator and only to the extent of the personal data of the users whose data is necessary to share such as analytics data, user preferences. The most important tools used by the Administrator are:
    • Google Analytics – a web analytics service from Google Inc. Google analytics works exclusively via cookies and only if you have given your consent or have set your browser to do so. Google Analytics enables you to analyse your use of the website. The information obtained by Google analytics is stored on a server of Google Inc. in Ireland or in the United States. On behalf of the operator of the website, Google uses this information to analyse your use of the website or to compile reports on website activity related to website and internet usage. Detailed information on the terms of use of the Google analytics tool and on data protection is provided on https://www.google.com/analytics/terms/pl.html or on https://policies.google.com/?hl=pl.
    • Google Ads- or Google Conversion Tracking service. This makes it possible to determine whether a user has reached a website via a Google ad 
    • HotJar – a service from Hotjar Limited enables the collection of information about a user’s behaviour on a website, such as navigation, mouse movements and clicks, pages visited, the source from which the website visit originated. This does not include plug-ins, forms and other elements where personal data may appear. This data is anonymised at the stage of recording the information. Privacy policy of the service provider: https://www.hotjar.com/legal/policies/privacy.

The Administrator indicates that logging the user into the user account on the website www.labplus.pl,when this function, not available today and to be implemented in January 2023, is activated by means of login data to social networks – Facebook, Twitter, Google mail or other plug-ins, results in the transfer of the visitor’s personal data to providers, e.g. Facebook, information about the user’s preferences and activities on the website www.labplus.pl, to the extent and in accordance with the privacy rules available at https://www.facebook.com/about/privacy/ (this data includes information about activities on the website – including information about the device, visited sites, purchases, displayed advertisements and use of services – regardless of whether the User has a Facebook account and is logged into Facebook). 

PROFILING

The Controller is obliged to inform users about the profiling of personal data and to provide relevant information about the modalities of such profiling, as well as the significance and foreseeable consequences of such processing for the data subject. With this in mind, the Controller provides information in this section of the Privacy Policy regarding possible profiling, i.e. the presentation of content, and decisions in line with the user’s specific personal data or preferences. 

A specific form of profiling is profiling leading to automated decision-making in relation to an individual, which in its entirety, i.e. at each stage, is performed without human assistance or support. 
In the case of fully automated processing, the data subject does not have the possibility to influence the process, he/she cannot address the person who makes the decision, as the decision is made by artificial intelligence. 

Profiling on www.labplus.pl, involves the automatic analysis or prediction of the visitor’s behaviour on www.labplus.pl and the Administrator’s other websites, e.g., by determining the audience behaviour of the website, the way the content is viewed, the user’s behaviour by individual windows, the choice of tabs. 

Profiling by the Controller will not produce legal effects on the user and until the person accepts the result of the profiling. Also, at all times, the data subject has the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects on the person or similarly significantly affects the person. 

COOKIES AND ANALYTICS

Cookies are small pieces of information in the form of text files that are sent by a server and stored on the visitor’s side of the website, e.g., on the hard drive of a computer, laptop, or smartphone memory card – depending on the device used by the visitor. 

For detailed information on cookies, please visit https://ec.europa.eu/info/cookies_pl.

The cookies that may be sent by www.labplus.pl and other pages of the Administrator can be divided into different types, according to the following criteria:

  • because of their supplier:
    • own (created by the Administrator’s website) or those of third parties (other than the Administrator)
  • due to their period of storage on the visitor’s device:
    • session (stored until you log out or close your web browser) or permanent (stored for a specific period of time, defined by the parameters of each file or until manually deleted)
  • due to the purpose of their use:
    • necessary (to enable the website to function properly),
    • functional/preferential (enabling the website to be tailored to the visitor’s preferences),
    • analytics and performance (gathering information about how the site is used),
    • marketing, advertising and social networking (which collects information about a website visitor in order to display personalised advertising to that person and to carry out other marketing activities, including on websites separate from the Administrator’s website, such as social networking sites)

The Administrator may process the data contained in cookies when visitors use the website for the following specific purposes:

  • identify Service Recipients as logged in to their user account and show that they are logged in (essential),
  • remembering the products for the purpose of placing an Order (essential),
  • memorising data from completed surveys (functional and preferential, not necessary), 
  • to adapt the content of the website to your individual preferences (e.g. concerning your preferred diagnostic tests) and to optimise the use of the pages (functional and preferential, not necessary), 
  • to keep anonymous statistics showing how the website is used (analytical and performance statistics, not necessary), 
  • remarketing, i.e. the study of the behavioural characteristics of website visitors through anonymous analysis of their actions (e.g. repeated visits to specific pages, keywords, etc.) in order to create their profile and provide them with advertising tailored to their anticipated interests, also when they visit other websites on the advertising network of Google Ireland Ltd. and Facebook Ireland Ltd. (marketing, advertising and social media, not necessary), 

The location of the information in the most popular web browsers as to which cookies are currently being sent by the Administrator is possible as follows:

  • In the Chrome browser: (1) in the address bar, click on the padlock icon on the left, (2) go to the “Cookies” tab,
  • in your Firefox browser: (1) in the address bar, click on the shield icon on the left-hand side, (2) go to the “Allowed” or “Blocked” tab, (3) click on the box “Tracking cookies between sites”, “Social network tracking elements” or “Content with tracking elements” ,
  • in Internet Explorer: (1) click the “Tools” menu, (2) go to the “Internet options” tab, (3) go to the “General” tab, (4) go to the “Settings” tab, (5) click the “Display files” box, 
  • In the Opera browser: (1) in the address bar, click on the padlock icon on the left, (2) go to the “Cookies” tab, 
  • in the Safari browser: (1) click on the “Preferences” menu, (2) go to the “Privacy” tab, (3) click on the “Manage site data” box, 
  • Irrespective of the browser, using the tools available, for example, at: https://www.cookiemetrix.com/ or: https://www.cookie-checker.com/

By default, most web browsers on the market accept the storing of cookies. You are able to determine the conditions for the use of cookies via the settings of your own browser.

Examples of Cookies used on the Administrator’s websites: 

  • Google Analytics from Google LLCfor the purpose of fulfilling the Administrator’s legitimate interest in generating statistics and analysing them in order to optimise the websiteGoogle Analytics automatically collects information about the use of the website. The information collected in this way is usually transmitted to a Google server in Ireland or the United States and stored there. The anonymised IP address is transmitted by the browser as part of Google Analytics and is generally not combined with other data held by Google. With regard to data protection by Google Analytics, we refer you to: https://policies.google.com/privacy/frameworks?hl=pl, describing Google’s data protection solutions and standard contractual clauses.
  • Google Adwords from Google LLC. With the help of Google Adwords, we promote the website in search results and on third-party websites and for the purpose of fulfilling the Administrator’s legitimate marketing interests. When you visit our website labplus.pl, a Google remarketing cookie is automatically left on your device, which allows ads based on your interests to be displayed on the basis of the pages you visit. Further processing is only with your consent. As Google LLC is based in the USA and uses a technical infrastructure located in the USA, we refer you to: https://policies.google.com/privacy/frameworks?hl=pl, describing Google’s data protection solutions and standard contractual clauses. 
  • Hotjar from Hotjar Limited, Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, MaltaHotjar monitors information such as time spent on individual pages, buttons and links clicked, sub-pages discovered and their order. We use this service to optimise our website regarding user preferences and behaviour, in pursuit of our legitimate interest. Hotjar uses cookies and other technologies, e.g. video recording, to collect information about behaviour on the website and the devices used to use the website. It acquires anonymised IP number, screen size, browser information, location, language. Hotjar psedunonymises the data. See Hotjar’s privacy policy for more: https://www.hotjar.com/privacy/.
  • Server logs. Using the website involves sending requests to the server on which our website is stored. Each request made to the server is recorded in the server logs. The logs include the IP address, date and time of the server, information about your browser and the operating system you are using. The logs are saved and stored on the server. The data stored in the server logs are not associated with specific users of the website and are not used by us for identification purposes.

UPDATE: 09.02.2023r.