Privacy policy

PZU Zdrowie S.A. (hereinafter referred to as “PZU Zdrowie”) attaches particular importance to respecting the privacy of users visiting our website. Data collected in daily logs are used only for the purpose of managing the service. We do not try to identify Users of the website.

Identification data are not associated with specific persons viewing PZU Zdrowie’s website, except for data entered by Users in contact forms. To ensure the highest service quality, we occasionally analyze log files to find which sites are visited most frequently, which web browsers are used, and verify that there are no errors in the site structure, etc.

Links to other websites

The privacy policy applies only to websites of PZU Zdrowie.

If a website of PZU Zdrowie provides links to other websites, PZU Zdrowie shall not be responsible for the privacy rules applicable to those websites. After entering other entities’ websites, we recommend that you read the privacy policy defined for them.

Copyrights

The content of the Website is owned by PZU Zdrowie. Any personal and proprietary copyrights to any elements of the Website (text, graphics, page layout, etc.) are reserved.

The Website and all its elements are protected by law, in particular the Copyright and Related Rights Act of 4 February 1994 and the Combating Unfair Competition Act of 16 April 1993.

Information about risks following from the provision of services electronically / via electronic access channels

The major threats associated with using online services, including those offered by PZU Zdrowie within electronic access channels, are as follows:

  • spyware,
  • phishing,
  • computer viruses,
  • spam.

The threats concern not only computers but also mobile devices, e.g. smartphones and tablets.

Spyware is software that can be covertly installed on a user’s device, for example by visiting a spoofed website or running a file sent by e-mail. Spyware can monitor and send to the attacker both the data stored on the device and the user’s actions (mouse movements, text typed on the keyboard); it can also activate the camera and microphone to watch and listen to the user.

Phishing involves placing fake sites on the Internet that mimic the original ones and getting users to log on to them, for example by sending a forged e-mail that pretends to be a message from a genuine institution or person. The aim is to capture the access data to the service (login, password).

A computer virus is malware that is transmitted by writing an infected file to a data carrier, e.g. a hard disk or USB flash drive. The purpose of the virus is to steal or delete data, disrupt a device or take control of a computer. Most often, a virus infection occurs after downloading files from a non-trusted Internet source or opening an attachment in an e-mail.

Spam refers to unsolicited or redundant electronic messages sent simultaneously to multiple addressees. They often carry computer viruses, spyware or links to malicious sites.

Basic security principles

  1. Every Internet user should take care of the security of their device. The computer should have an antivirus program with an up-to-date virus definition database, an up-to-date and secure version of a web browser, and a firewall enabled. In addition, users should periodically verify that the operating system and installed programs are updated to their latest versions, as attacks take advantage of bugs found in installed software. Software manufacturers make efforts to eliminate such vulnerabilities with updates.
  2. Access data for online services, e.g. logins, passwords, PINs, electronic certificates, etc., should be secured. They should not be disclosed or stored on the device in a form that makes it possible to access them easily and read them.
  3. It is advisable to be cautious when opening attachments or clicking on links in unexpected messages, for example received from unknown senders. If you have any doubts, it is worth contacting the sender.
  4. It is advisable to run tools in your browser that check whether a displayed website is carrying out a phishing attack, such as by impersonating a person or institution. The use of anti-phishing filters reduces the risk of data theft considerably.
  5. It is important to use antivirus software to protect computers from malware, and a firewall to control the transmission of information to and from the Internet, thus preventing the transfer of confidential data.
  6. Files should be downloaded only from trusted sites. It is highly risky to install software from unverified sources. This also applies to mobile devices, e.g. smartphones, tablets.
  7. When using a home wireless network (Wi-Fi), you should set a secure and hard-to-crack password to access the network. It is also recommended to use trusted Wi-Fi encryption standards, such as WPA2.
  8. It is likewise important to maintain, as far as possible, physical access control over the hardware. If an unauthorized person attaches additional devices to it or tampers with it, this can result in an infection with a malicious program or the connection of spying devices, e.g. keyloggers, which are used to record text typed on the keyboard.

Personal data protection

Users provide their personal data on the portal voluntarily.

Personal data is all information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact details, location data, information contained in correspondence, information collected through recording equipment or other similar technology.

Personal Data Controller

The Personal Data Controller (hereinafter referred to as the “PDC” or the “Controller”) is PZU Zdrowie. You can contact the Controller by sending an e-mail to IODzdrowie@pzu.pl or in writing to the address of the Controller’s registered office: ul. Rondo Daszyńskiego 4, 00-843 Warsaw.

Data Protection Officer (DPO)

Users may contact the Data Protection Officer designated by the Controller with regard to all matters concerning personal data protection.

The Officer may be contacted by email or in writing to the addresses given below:

IOD PZU Zdrowie SA

PZU Zdrowie S.A., ul. Rondo Daszyńskiego 4, 00-843 Warsaw

e-mail: IODzdrowie@pzu.pl

Personal data processing by the Controller

In connection with its business activities, the Controller collects and processes personal data in accordance with relevant laws, including in particular the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) and the data processing rules provided for therein.

The Controller ensures transparency of data processing; in particular, it always informs about data processing when it collects data, including the purpose and legal basis of the processing – e.g. when entering into a contract for the sale of goods or services. The Controller shall ensure that data are collected only to the extent necessary for the stated purpose and processed only for the period when this is necessary.

When processing data, the Controller shall ensure data security and confidentiality, as well as access to information about the processing to data subjects. Should there be a breach of personal data protection (e.g. data ‘leakage’ or loss) despite the security measures in place, the Controller will inform data subjects of such an event in the way which complies with laws and regulations.

Data recipients

In connection with conducting activities that require processing, personal data are disclosed to external entities, including, in particular, suppliers responsible for operating information systems and hardware (e.g. CCTV equipment), entities providing legal or accounting services, couriers, marketing or recruitment agencies. Data are also disclosed to the Controller's affiliates, including its companies from its group. More information on the Controller’s corporate group can be found here.

The Controller reserves the right to disclose selected information concerning a data subject to the competent authorities or to third parties who make a request for such information, based on a relevant legal basis and in accordance with provisions of the applicable laws.

Period of personal data processing

The period of data processing by the Controller depends on the type of service provided and the purpose of the processing. The period of data processing may also follow from regulations when they provide the basis for processing. In the case of data processing based on the Controller’s legitimate interest, e.g. for security reasons, the data are processed for a period that allows the fulfillment of this interest or until an effective objection to the data processing is made. If processing is based on consent, the data are processed until the consent is withdrawn. When the basis for processing is that it is necessary for entering into and performing a contract, the data are processed until the contract is terminated.

The period of data processing may be extended if the processing is necessary for the establishment or assertion of claims or defense against claims, and after this period – only if and to the extent required by law. At the end of the processing period, the data are irretrievably deleted or anonymized.

Rights of data subjects

A data subject is any natural person whose personal data is processed by the Controller, such as a person who visits the Controller’s office or sends an e-mail inquiry to the Controller.

PZU Zdrowie ensures that data subjects may exercise their rights following from the GDPR.

Data subjects have the following rights:

  • the right to information about personal data processing – on this basis, the requesting person is provided by the Controller with information about the data processing, including, in particular, the purposes and legal grounds for the processing, the scope of data stored, the entities to which they are disclosed, and the planned date of data erasure;
  • the right to obtain a copy of the data – on this basis, the Controller provides a copy of the processed data concerning the person making the request;
  • the right to rectification – the Controller is required to remove any inconsistencies or errors in the processed personal data and supplement them if they are incomplete;
  • the right to erasure – on this basis, it is possible to request the erasure of data which is no longer necessary to be processed to achieve any of the purposes for which they have been collected;
  • the right to restrict processing – if such a request is made, the Controller shall cease performing operations on personal data – with the exception of operations consented to by the data subject – and storing them, in accordance with established retention rules or until the reasons for restricting processing cease to exist (e.g. a decision is issued by a regulatory authority permitting further processing);
  • the right to data portability – on this basis, to the extent that the data are processed in connection with a contract or consent given, the Controller shall release the data provided by the data subject in a computer-readable format. It is also possible to request that the data should be sent to another entity – provided, however, that the technical capabilities exist in this regard, both on the part of the Controller and the other entity;
  • the right to object to processing for marketing purposes – the data subject may object at any time to the processing of personal data for marketing purposes, without having to justify such objection;
  • the right to object to other purposes of processing – the data subject may object at any time to the personal data processing that is carried out on the basis of the Controller’s legitimate interest (e.g. for analytical or statistical purposes or for reasons related to the protection of property); an objection in this regard should include a justification;
  • the right to withdraw consent – if the data are processed on the basis of consent given, the data subject has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing performed before the consent has been withdrawn;
  • the right to complain – if the personal data processing is deemed to violate the provisions of the GDPR or other data protection laws, the data subject may file a complaint with the President of the Personal Data Protection Office.

In order to exercise the said rights, you should contact the Personal Data Controller or the Data Protection Officer using the above contact details.

Presenting requests about exercising the rights

A request concerning a data subject’s rights may be submitted:

  • in writing to the address: ul. Rondo Daszyńskiego 4, 00-843 Warsaw;
  • by e-mail to the address: IODzdrowie@pzu.pl.

If the Controller is unable to identify the requesting person on the basis of the request made, it will ask the requesting person for additional information. A request may be submitted in person or through a proxy (such as a family member). For the sake of data security, the Controller encourages the use of a power of attorney in a form certified by a notary public or an authorized legal counsel or attorney-at-law, which will significantly speed up the verification of the authenticity of the request. The request should be answered within a month of its receipt. If it is necessary to extend this deadline, the Controller shall inform the requesting person of the reasons for the delay.

A response is provided by traditional mail, unless the request is made by e-mail or a response is requested to be in electronic form.

Rules for collecting fees

The presented requests are processed free of charge.

Purposes and legal basis for data processing

E-mail and traditional mail

If the Controller receives correspondence by e-mail or traditional mail that is not related to the services provided to the sender or any other agreement entered into with them, the personal data contained in this correspondence are processed solely for the purpose of communication and to resolve the matter described in the correspondence.

The legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) in conducting correspondence addressed to it in connection with its business activity.

The Controller processes only personal data relevant to the matter to which the correspondence relates. All correspondence is stored in a way that ensures the security of the personal data contained therein (as well as other information) and is disclosed only to authorized persons.

Contact by telephone

When contacting the Controller by telephone for matters not related to an executed contract or the services provided, the Controller may request personal data only if it is necessary to handle the matter about which it has been contacted. The legal basis in such a case is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) involving the need to resolve a reported case related to its business activity.

Telephone conversations can also be recorded, in which case appropriate information is provided at the beginning of the conversation. Calls are recorded to monitor the quality of the service provided and verify the work of consultants, as well as for statistical purposes. The recordings are available only to the Controller's employees and the Controller's information hotline consultants.

Personal data in the form of a conversation recording are processed:

  • for purposes related to servicing customers and interested persons via the information hotline, if the Controller provides such a service – the legal basis for processing is the necessity of processing to provide the service (Article 6(1)(b) of the GDPR);
  • in order to monitor the quality of service and verify the work of information hotline consultants, as well as for analytical and statistical purposes – the legal basis for processing is the Controller's legitimate interest (Article 6(1)(f) of the GDPR) in ensuring the highest possible quality of service as well as the work of consultants to customers and interested persons, and also conducting statistical analysis of telephone communication.

Video surveillance and access control

In order to ensure the safety of people and property, the Controller uses video surveillance and controls access to the premises and to the area managed by it. The data collected in this way are not used for any other purpose.

Personal data in the form of surveillance footage and data collected in the entry and exit register are processed for the purpose of ensuring security and order on the premises and possibly for the purpose of defending against or pursuing claims. The basis for the personal data processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) in ensuring the security of the Controller’s property and protecting its rights.

Recruitment

As part of the recruitment processes, the Controller expects the transfer of personal data (e.g. in a resume or biography) only to the extent specified in the labor laws. As a result, the scope of the information provided should not be wider. In the event that the submitted applications contain additional data, they will not be used or taken into account in the recruitment process, except when consent is given for processing them for recruitment purposes.

Personal data are processed:

  • in order to comply with legal obligations related to the employment process, including primarily the Labor Code – the legal basis for processing is a legal obligation imposed on the Controller (Article 6(1)(b) and (c) of the GDPR in connection with provisions of the Labor Code);
  • for the purpose of conducting the recruitment process with regard to data not required by law, as well as for the purpose of future recruitment processes – the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
  • for the purpose of establishing or pursuing potential claims or defending against such claims – the legal basis for data processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR).

Data collection in connection with the provision of services or performance of other contracts

If data are collected for the purpose of performing a specific contract, the Controller shall provide the data subject with details of the processing of their personal data at the time of entering into the contract.

Data collection in other cases

In connection with its business activity, the Controller also collects personal data on other occasions – such as during business meetings, at industry events or through the exchange of business cards – for the purposes of initiating and maintaining business contacts. The legal basis for the processing in this case is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), which involves networking in connection with its business activity.

Personal data collected in such cases shall be processed only for the purpose for which they were collected, and the Controller shall ensure their adequate protection.

Data security

In order to ensure the integrity and confidentiality of data, the Controller has implemented procedures that allow for access to personal data only to authorized persons and only to the extent necessary for their tasks. The Controller uses organizational and technical solutions to ensure that any operations on personal data are recorded and performed only by authorized persons.

In addition, the Controller shall take any necessary measures to ensure that its subcontractors and other cooperating entities also provide a guarantee of the application of appropriate security measures whenever they process personal data on behalf of the Controller.

The Controller conducts a risk analysis on an ongoing basis and monitors the adequacy of the data safeguards which are in place to address identified risks. If necessary, the Controller shall implement additional measures to enhance data security.

Profiling

What is profiling?

Profiling means any form of automated personal data processing that involves the use of personal data to evaluate certain personal features of an individual, in particular to analyze or forecast aspects of that individual's work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movement.

Profiling consists of three components:

  • the form of processing is automated (at least in part);
  • processing concerns personal data;
  • the purpose of the processing is to evaluate personal factors, to assign certain characteristics or to predict behavior.

What is automated data processing?

Automated data processing takes place when data is processed solely by an algorithm (computer), i.e. without human involvement.

The Personal Data Controller is required to inform about automated processing, including profiling, if such processing produces legal effects or affects the individual in a significant way. The data subject, on the other hand, has the right to object to automated processing, including profiling. The GDPR also guarantees the right not to be subject to a decision that is based solely on automated processing.

Other disclosed information (cookies)

Almost every website uses cookies. When the User visits our site, small text files are stored on their device, in which their settings are saved.

They are used to provide users with an optimal experience when visiting our site and allow for faster and easier access to information. Cookies are not used to process personal data and their content does not make it possible to identify the user. On the next visit from the same device, the browser can check whether the corresponding cookie (i.e. a file containing the name of the site) is stored on the device and send the data it contains back to the site that stored the cookie. This makes it possible to recognize that a particular User has visited the site in the past and, in some cases, to tailor the content presented to the recipient.

Due to the lifespan of cookies and other similar technologies, we use two main types of these files:

  • session cookies – temporary files stored on the User’s terminal device until the User logs out, leaves the website and application or shuts down the software (web browser);
  • permanent cookies – stored in the User’s terminal device for the time specified in the parameters of cookies or until they are deleted by the User.

Due to the purpose of cookies and other similar technologies, we use the following types of cookies:

  • necessary for the operation of the service and applications – allowing for using our services, such as authentication cookies used for services that require authentication;
  • files used to ensure security, such as those used to detect authentication abuses;
  • performance cookies – making it possible to collect information about how websites and applications are used;
  • functional cookies – making it possible to ‘remember’ the settings selected by the User and personalize the User’s interface, for example with regard to the User's chosen language or region of origin, font size, appearance of the website and applications, etc.;
  • advertising cookies – to provide Users with advertising content more tailored to their interests;
  • statistical cookies – which are used to count statistics about websites and applications.

The User can delete the placed cookies at any time or block the placement of cookies using the options available in his or her web browser. Deleting or blocking the placement of cookies may hinder the User’s use of the site, or even prevent them from using some of its options. Managing and deleting cookies varies depending on the browser used. More information on this topic can be found by using the Help function in the browser. Most browsers offer the option of accepting or rejecting all cookies, accepting only certain types, or notifying the user each time a website tries to save them. The User can also easily delete cookies that have already been stored on the device by the browser.

Changing the conditions for storing or receiving cookies is possible by configuring the settings in web browsers, among others:

  • in Internet Explorer
  • in Mozilla Firefox
  • in Chrome
  • in Opera

Transfers of data outside the EEA

The level of protection for personal data outside the European Economic Area (EEA) differs from that provided by the European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and with an adequate degree of protection, primarily by:

  • cooperation with personal data processors in countries for which a relevant decision of the European Commission has been issued;
  • application of standard contractual clauses issued by the European Commission;
  • application of binding corporate rules approved by the relevant regulatory authority;
  • in the case of data transfers to the US – cooperation with entities participating in the Privacy Shield program approved by a decision of the European Commission.

The Controller shall always inform about the intention to transfer personal data outside the EEA at the stage of collection.