Privacy policy

PZU Zdrowie S.A., with its registered office in Warsaw (00-843) at Rondo Daszyńskiego 4 (hereinafter: PZU Zdrowie), attaches particular importance to respecting the privacy of users visiting our website. The data collected in log files is used solely for the purpose of administering the service. We do not seek to identify Users of the website.

Identification data is not associated with specific individuals browsing the PZU Zdrowie website, except for data provided by Users in contact forms. To ensure the highest quality of the service, we occasionally analyze log files to determine which pages are visited most frequently, which web browsers are used, whether the website structure contains errors, etc.

Links to other websites

This Privacy Policy applies only to the websites of PZU Zdrowie.

If links to other websites are provided on the PZU Zdrowie website, PZU Zdrowie is not responsible for the privacy practices applied on those websites. After visiting other entities’ websites, we recommend reviewing the privacy policies established therein.

Copyright

The content of the Service’s websites is the property of PZU Zdrowie. All moral and economic copyrights to any elements of the Service (textual, graphic, layout, etc.) are reserved.

The Service and all its elements are protected by law, in particular by the Act of 4 February 1994 on Copyright and Related Rights, and the Act of 16 April 1993 on Combating Unfair Competition.

Information on risks related to the provision of electronic services / electronic access channels

The basic risks associated with using internet services – including those offered by PZU Zdrowie through electronic access channels – include: 
  • spyware activity,
  • impersonation aimed at obtaining information,
  • computer viruses,
  • spam.

The risks apply not only to computers but also to other portable devices, such as smartphones and tablets.
 
Spyware is software that can be secretly installed on a user’s device, e.g. by visiting a malicious website or opening a file received via email. It may monitor, and send to the attacker, both data stored on the device and user activity, such as mouse movements and text entered via the keyboard, and it can enable surveillance through the camera and microphone.

Impersonation (phishing) involves creating fake websites that imitate legitimate ones and encouraging users to log in, for example by sending a forged email that appears to come from a genuine institution or person. The goal is to capture access credentials (login, password).

A computer virus is malicious software that spreads by saving an infected file on a data carrier, e.g. a hard drive or a USB flash drive. The purpose of a virus is to steal or delete data, disrupt the operation of a device, or take control of a computer. Most often, infection occurs when downloading files from untrusted internet sources or opening email attachments.

Spam refers to unsolicited or unnecessary electronic messages sent simultaneously to many recipients. They often carry computer viruses, spyware, or links to malicious websites.
 

Basic security rules

  1. Every internet user should ensure the security of their device. A computer should have antivirus software with an up-to-date virus definition database, a current and secure version of a web browser, and an enabled firewall. The user should also regularly check whether the operating system and installed programs have the latest updates, as attacks often exploit vulnerabilities found in software. Software manufacturers attempt to eliminate such vulnerabilities through updates.  
  2. Access data for internet services – such as logins, passwords, PINs, electronic certificates, etc. – should be properly secured. They should not be disclosed or stored on a device in a form that allows easy access and reading. 
  3. Caution is advised when opening attachments or clicking links in messages that were not expected, e.g. from unknown senders. In case of any doubts, it is advisable to contact the sender.
  4. It is recommended to enable tools in the web browser that check whether the displayed website is attempting to obtain information fraudulently, e.g. by impersonating a person or institution. The use of anti-phishing filters significantly reduces the risk of data theft. 
  5. It is important to use antivirus software that protects computers against malicious software and a firewall that controls the transfer of information to and from the internet, thereby preventing the leakage of confidential data. 
  6. Files should only be downloaded from trusted sources. Installing software from unverified sources carries a high risk. This also applies to portable devices such as smartphones and tablets.
  7. When using a home wireless network (Wi-Fi), a secure and difficult-to-guess password should be set. It is also recommended to use trusted Wi-Fi encryption standards such as WPA2. 
  8. It is also important to maintain physical control over devices whenever possible. If an unauthorized person connects additional devices or manipulates the equipment, it may result in infection with malicious software or the installation of spying devices such as keyloggers, which capture text entered on the keyboard.

Personal data protection

Users provide their personal data on the portal voluntarily.
 
Personal data means any information relating to an identified or identifiable natural person through one or more specific factors determining their physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact details, location data, information contained in correspondence, and information collected via recording equipment or other similar technology.
 

Personal Data Controller

The Personal Data Controller (hereinafter: the “Controller”) is PZU Zdrowie. The Controller can be contacted via email at: daneosobowe-zdrowie@pzu.pl or in writing at the Controller’s registered address: Rondo Daszyńskiego 4, 00-843 Warsaw.
 

Data Protection Officer (DPO)

For matters related to personal data protection, Users may contact the Data Protection Officer appointed by the Controller.
Such contact may be made electronically or in writing to the address provided below:
 
DPO of PZU Zdrowie SA 
PZU Zdrowie S.A., Rondo Daszyńskiego 4, 00-843 Warsaw

Processing of data by the Controller

In connection with its business activities, the Controller collects and processes personal data in accordance with applicable laws, including in particular the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), and the principles set out therein.
 
The Controller ensures transparency of data processing, in particular by always informing about the processing of data at the time of its collection, including the purpose and legal basis for processing – e.g. when concluding a contract for the sale of goods or services. The Controller ensures that data is collected only to the extent necessary for the specified purpose and processed only for as long as necessary.
 
When processing data, the Controller ensures its security and confidentiality, as well as access to information about processing for data subjects. Should a personal data breach occur despite the security measures in place (e.g. a “leak” or loss of data), the Controller will inform the affected individuals in accordance with applicable law.
 

Recipients of data

In connection with business activities requiring data processing, personal data is disclosed to external entities, in particular providers responsible for IT systems and equipment maintenance (e.g. CCTV infrastructure), entities providing legal or accounting services, couriers, marketing or recruitment agencies. Data may also be disclosed to entities affiliated with the Controller. More information about them can be found here.

The Controller reserves the right to disclose selected information concerning the data subject to competent authorities or third parties that request such information, based on an appropriate legal basis and in accordance with applicable law.
 

Retention period for personal data

The period for which the Controller processes data depends on the type of service provided and the purpose of processing. The retention period may also result from legal provisions where they constitute the basis for processing. In the case of processing based on the Controller’s legitimate interest – e.g. for security reasons – data is processed for a period enabling the fulfillment of that interest or until an effective objection to processing is raised. If processing is based on consent, data is processed until such consent is withdrawn. Where processing is necessary for the conclusion and performance of a contract, data is processed until the contract is terminated.
 
The data processing period may be extended where processing is necessary to establish or pursue claims or to defend against claims, and after that period only where and to the extent required by law. After the retention period expires, data is irreversibly deleted or anonymized.
 

Rights of data subjects

A data subject is any natural person whose personal data is processed by the Controller, e.g. a person visiting the Controller’s premises or submitting an inquiry via email.
 
PZU Zdrowie ensures the exercise of rights granted to data subjects under the GDPR.
 
Data subjects have the following rights:
  • right to information about the processing of personal data – upon request, the Controller provides information about data processing, in particular about the purposes and legal bases of processing, the scope of data held, entities with whom it is shared, and the planned deletion date;
  • right to obtain a copy of data – upon request, the Controller provides a copy of the processed data concerning the requesting person;
  • right to rectification – the Controller is obliged to correct any inaccuracies or errors in the processed personal data and complete it if it is incomplete;
  • right to erasure – on this basis, it is possible to request the deletion of data that is no longer necessary for any of the purposes for which it was collected;
  • right to restriction of processing – upon such a request, the Controller ceases operations on personal data – except for operations consented to by the data subject – and limits itself to storing data in accordance with retention rules or until the reasons for restriction cease (e.g. a decision by the supervisory authority allowing further processing);
  • right to data portability – where data is processed based on a contract or consent, the Controller provides the data supplied by the data subject in a format that allows computer reading. It is also possible to request that the data be transferred to another entity – provided that technical capabilities exist on both the Controller’s and the recipient’s side;
  • right to object to processing for marketing purposes – the data subject may object at any time to the processing of personal data for marketing purposes without providing justification;
  • right to object to other processing purposes – the data subject may at any time object to processing based on the Controller’s legitimate interest (e.g. for analytical or statistical purposes or for the protection of property); such an objection should include justification;
  • right to withdraw consent – where data is processed based on consent, the data subject has the right to withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal;
  • right to lodge a complaint – if the data subject believes that the processing of personal data violates the GDPR or other data protection regulations, they may lodge a complaint with the President of the Personal Data Protection Office.

To exercise the above rights, please contact the Controller or the Data Protection Officer using the contact details provided above.

Submitting requests related to the exercise of rights

A request regarding the exercise of data subjects’ rights may be submitted:

  • in writing to the address: Rondo Daszyńskiego 4, 00-843 Warsaw;
  • by email to: IODzdrowie@pzu.pl.

If the Controller is unable to identify the person submitting the request based on the information provided, it will request additional information from the applicant. The request may be submitted in person or through an authorized representative (e.g. a family member). For data security reasons, the Controller encourages the use of a power of attorney certified by a notary or an authorized legal advisor or attorney, which will significantly speed up the verification of the request’s authenticity. A response should be provided within one month of receiving the request. If it is necessary to extend this period, the Controller will inform the applicant of the reasons for the delay.
 
The response is provided via traditional mail unless the request was submitted by email or a response in electronic form was requested.
 

Fee policy

The handling of submitted requests is free of charge.

Purposes and legal bases for processing

Email and traditional correspondence

In the case of sending correspondence to the Controller via email or traditional mail that is not related to services provided to the sender or any other agreement concluded with them, the personal data contained in such correspondence is processed solely for the purpose of communication and resolving the matter to which the correspondence relates.
 
The legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in conducting correspondence addressed to it in connection with its business activity.
 
The Controller processes only personal data relevant to the matter to which the correspondence relates. All correspondence is stored in a manner ensuring the security of the personal data (and other information) contained therein and is disclosed only to authorized persons.
 

Telephone contact

In the case of contacting the Controller by telephone in matters not related to a concluded agreement or provided services, the Controller may request personal data only when it is necessary to handle the matter concerned. The legal basis in such a case is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in the need to resolve the reported matter related to its business activity.
 
Telephone calls may also be recorded – in such cases, appropriate information is provided at the beginning of the call. Calls are recorded for the purpose of monitoring service quality, verifying the work of consultants, as well as for analytical and statistical purposes. Recordings are accessible only to the Controller’s employees and entities handling the Controller’s helpline.
 
Personal data in the form of call recordings is processed:
  • for purposes related to customer and client service via the helpline, where such service is provided by the Controller – the legal basis for processing is the necessity of processing for the performance of a service (Article 6(1)(b) of the GDPR);
  • for the purpose of monitoring service quality and verifying the work of consultants handling the helpline, as well as for analytical and statistical purposes – the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in ensuring the highest quality of service for customers and clients, as well as supervising the work of consultants and conducting statistical analyses of telephone communication.

Video surveillance and access control

In order to ensure the safety of persons and property, the Controller uses video surveillance and controls access to premises and areas under its management. Data collected in this way is not used for any other purposes.
 
Personal data in the form of surveillance recordings and data collected in entry and exit logs are processed for the purpose of ensuring safety and order on the premises and, if necessary, for the purpose of establishing or pursuing claims or defending against claims. The legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in ensuring the security of the Controller’s property and protecting its rights.
 
Recruitment
 
As part of recruitment processes, the Controller expects personal data (e.g. in a CV or résumé) to be provided only to the extent specified in labor law regulations. Therefore, no information beyond this scope should be submitted. If submitted applications contain additional data, such data will not be used or taken into account in the recruitment process, unless consent for its processing for recruitment purposes has been given.
 
Personal data is processed:
  • for the purpose of fulfilling legal obligations related to the employment process, in particular those arising from the Labor Code – the legal basis for processing is a legal obligation incumbent on the Controller (Article 6(1)(b) and (c) of the GDPR in conjunction with labor law provisions);
  • for the purpose of conducting recruitment with regard to data not required by law, as well as for future recruitment processes – the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
  • for the purpose of establishing or pursuing potential claims or defending against such claims – the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR).

Collection of data in connection with the provision of services or performance of other contracts
 
If data is collected for purposes related to the performance of a specific contract, the Controller provides the data subject with detailed information regarding the processing of their personal data at the time of concluding the contract.
 
Social media 
 
In connection with building brand awareness of PZU Zdrowie on social media, the Controller processes, based on its legitimate interest (Article 6(1)(f) of the GDPR), personal data of users of social media platforms (Facebook, Instagram, and LinkedIn) who follow the Controller’s profile or communicate with PZU Zdrowie via messaging tools on these platforms. PZU Zdrowie does not provide patient services through social media, including any information regarding treatment; therefore, please do not share any health-related data via social media. However, if during such interactions users voluntarily provide PZU Zdrowie with special categories of data via social media, PZU Zdrowie will process them on the following legal bases: data contained in comments – based on Article 9(2)(e) of the GDPR; data contained in correspondence conducted via online messaging tools – based on Article 9(2)(f) of the GDPR. Joint controllers of personal data processed by PZU Zdrowie on social media are the entities providing access to these platforms and specifying the rules for the processing of personal data in their own privacy policies.
 
Collection of data in other cases
 
In connection with its business activities, the Controller also collects personal data in other cases – e.g. during business meetings, industry events, or through the exchange of business cards – for purposes related to initiating and maintaining business relationships. The legal basis for processing in such cases is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting in building a network of contacts in connection with its business activity.
 
Personal data collected in such cases is processed solely for the purpose for which it was collected, and the Controller ensures appropriate protection of this data.
 

Data security

In order to ensure the integrity and confidentiality of data, the Controller has implemented procedures enabling access to personal data only to authorized persons and only to the extent necessary due to the tasks performed. The Controller applies organizational and technical measures to ensure that all operations on personal data are recorded and carried out only by authorized persons.
 
The Controller also takes all necessary actions to ensure that its subcontractors and other cooperating entities provide guarantees of applying appropriate security measures whenever they process personal data on behalf of the Controller.
 
The Controller continuously conducts risk analysis and monitors the adequacy of applied data protection measures in relation to identified threats. Where necessary, the Controller implements additional measures to enhance data security.
 

Profiling

What is profiling?

Profiling means any form of automated processing of personal data that consists in using personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects concerning that person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
 
Profiling consists of three elements:
  • the form of processing is automated (at least in part);
  • the processing concerns personal data;
  • the purpose of processing is to evaluate personal aspects, assign specific characteristics, or predict behavior.

What is automated data processing?

Automated data processing occurs when data is processed exclusively by an algorithm (computer), i.e. without human involvement.
 
The Personal Data Controller is obliged to inform about automated processing, including profiling – if such processing produces legal effects or significantly affects an individual. A data subject has the right to object to automated processing, including profiling. The GDPR also guarantees the right not to be subject to a decision based solely on automated processing.
 

Other disclosed information (cookies)

Almost every website uses cookie technology. During visits to our site, small pieces of code containing user settings are stored on the User’s device.
 
They are used to ensure optimal service during visits to our website and enable faster and easier access to information. Cookies are not used to process personal data, and their content does not allow user identification. During a subsequent visit from the same device, the browser may check whether an appropriate cookie (i.e. a file containing the website name) is stored on the device and send the data contained in it back to the website that created it. This makes it possible to recognize that a given User has visited the website before and, in some cases, to tailor displayed content to the recipient.
 
Due to the lifespan of cookies and similar technologies, we use two basic types of these files:
  • session cookies - temporary files stored on the User’s device until logging out, leaving the website or application, or turning off the software (web browser);
  • persistent cookies - stored on the User’s device for the time specified in the cookie parameters or until deleted by the User.

Due to the purpose they serve, we use the following types of cookies and similar technologies:

  • necessary for the operation of services and applications - enabling the use of our services, e.g. authentication cookies used for services requiring authentication;
  • security cookies, e.g. used to detect abuses in authentication;
  • performance cookies - enabling the collection of information on how websites and applications are used;
  • functional cookies - enabling “remembering” user-selected settings and personalizing the user interface, e.g. language or region, font size, appearance of the website and application, etc.;
  • advertising cookies - enabling the delivery of advertising content more tailored to Users’ interests;
  • analytical cookies - used to compile statistics regarding websites and applications.

The User may at any time delete stored cookies or block their storage using the options available in their web browser. Deleting or blocking cookies may cause difficulties in using the service or even prevent the use of certain functionalities. Managing and deleting cookies varies depending on the browser used. Detailed information can be found in the browser’s Help function. Most browsers allow accepting or rejecting all cookies, accepting only certain types, or informing the user whenever a website attempts to store them. Users can also easily delete cookies that have already been stored on their device by the browser.
 
Changing the conditions for storing or receiving cookies is possible by configuring settings in web browsers such as:
  • Internet Explorer
  • Mozilla Firefox
  • Chrome
  • Opera

Functionalities or technologies of external partners

We use the following functionalities and tools provided by external partners:
  • The cux.io tool provided by CUX Research Sp. z o.o. – we use this tool to create statistics and analyze them to optimize our websites. cux.io records users of our Service and allows us to recreate their movement on our website, as well as generate so-called heatmaps. cux.io does not provide us with any information that would allow us to identify you, as your data is encrypted at the browser level and is not sent to cux.io servers.

Transfer of data outside the EEA

The level of personal data protection outside the European Economic Area (EEA) differs from that provided by European law. Therefore, the Controller transfers personal data outside the EEA only when necessary and ensures an appropriate level of protection, in particular by:
  • cooperating with entities processing personal data in countries for which a relevant decision of the European Commission has been issued;
  • applying standard contractual clauses issued by the European Commission;
  • applying binding corporate rules approved by the competent supervisory authority;
  • in the case of transfers to the USA – cooperating with certified entities that have committed to comply with the principles set out in the EU–US Data Privacy Framework approved by a decision of the European Commission.

The Controller always informs about the intention to transfer personal data outside the EEA at the stage of its collection.