Privacy policy

general rules for the processing of personal data and the protection of privacy

at the Klinika Ambroziak sp.z o.o.


Ladies and Gentlemen, this general information clause is addressed to all natural persons to whom we have not addressed the specific clause. Therefore, it is indicated that the addressees of this document are primarily:

- people interested in the services of Klinika Ambroziak sp.z o.o.,

- visitors to this website and accounts on social media platforms belonging to Klinika Ambroziak sp.z o.o.,

- contractors who are natural persons, whose services are used by Klinika Ambroziak sp.z o.o., as well as representatives, proxies, or the so-called contact persons acting on behalf of contractors.


Introductory information - who is the data controller?

1. The administrator of personal data is Klinika Ambroziak sp.z o.o. with headquarters in Warsaw at Al. Gen. Władysława Sikorskiego 13 / 1U (02-758 Warsaw) entered into the Register of Entrepreneurs under the number KRS 0000697604, NIP: 1231243387 (hereinafter also as: Clinic and / or Administrator).

2. The administrator directs this information to natural persons in connection with the need to fulfill the obligations set out in Art. 13 sec. 1 and 2 and in art. 14 sec. 1 and 2 of the General Data Protection Regulation of April 27, 2016 (hereinafter: GDPR).

3. The administrator has identified detailed categories of data subjects and, if justified, sends them separate messages containing information on the processing of personal data. An example of such an action are information clauses addressed to the Clinic's patients, job applicants, people participating in marketing events organized by the Clinic, or people covered by video monitoring used by the Clinic.

4. The administrator with due diligence has selected and applied technical and organizational measures ensuring the protection of personal data being processed. Personal data is protected against disclosure to unauthorized persons, as well as against their processing in violation of applicable law.


How can you contact the Administrator's representative to obtain more information on the processing of personal data?

1. The administrator has appointed a personal data protection officer, who can be contacted via the following e-mail address:

2. If you are not sure about the content of the question asked, you can also send it to the following address:


Grounds authorizing Klinika Ambroziak to process personal data

Personal data is processed by the Clinic in accordance with specific grounds and for clearly indicated purposes, i.e .:

a. providing answers to questions asked in connection with contact made by potential clients and contractors who are natural persons (possibly also by representatives and persons related to contractors) - basis for processing: consent of the data subject, i.e. art. 6 sec. 1 lit. a GDPR or the necessity of processing to perform the action taken by the Clinic at the request of the data subject before concluding the contract, i.e. art. 6 sec. 1 lit. b GDPR,

b. performance of a contract with a service provider or other type of contractor who is a natural person - basis for processing: processing is necessary for the performance of the contract and / or action taken by the Clinic at the request of the data subject before concluding the contract, i.e. art. 6 sec. 1 lit. b GDPR,

c. processing of personal data of employees or representatives performing activities for service providers and other contractors that may appear during the implementation of concluded contracts - basis for processing: implementation of the legitimate interests of the data controller, i.e. art. 6 sec. 1 lit. f GDPR - where the legitimate interest is the performance of the Administrator's statutory activity,

d. processing of personal data of persons visiting the website, as well as accounts in the Clinic's social media - basis for processing: implementation of the legitimate interests of the data controller, i.e. art. 6 sec. 1 lit. f GDPR - where the legitimate interest is primarily marketing of own services,

e. fulfillment of legal obligations incumbent on the Data Administrator, i.e. accounting and tax obligations, or the implementation of an extensive catalog of data subjects' rights, as well as the handling of incidents related to the processing of personal data - basis for processing: implementation of legal obligations incumbent on the data controller, i.e. art. 6 sec. 1 lit. c GDPR.


Sources of origin of personal data processed by the Administrator

The Clinic indicates that if personal data did not come to us directly from the data subject, the source of their acquisition may be primarily:

a. the Clinic's contractor (i.e. primarily the employer or the principal of the so-called contact persons and representatives mentioned in the contracts),

b. a source of publicly available information (i.e. primarily publicly available business entities registration databases),

c. another personal data controller (i.e. e.g. providers of social media platforms).


What scope of personal data is processed by the Clinic?

1. During the processing activities, the Administrator applies the principle of data minimization. If the data catalog is not specified directly by law or we do not receive it personally from the data subject, the Administrator limits the catalog to the necessary data.

2. The Clinic indicates that data subjects are required to provide complete, up-to-date and true data.

3. The implementation of the purposes of processing described above, in the vast majority of cases, does not require the processing of special categories of personal data, i.e. also data concerning health condition. Therefore, persons who decide to provide personal data to the Administrator should not carry out such transfer in an excessive catalog.

4. If the Clinic processes personal data of natural persons obtained from another source, the scope of the processed data is usually limited to: name and surname, basic contact and address details as well as indications regarding official affiliation or the type of business activity performed. The clinic may also process data such as IP address, web browsing preferences, or other personal data generated by users of social media platforms.

Who can be the recipient of personal data processed by the Clinic?

1. Personal data processed by the Administrator may be made available to entities authorized to receive them under applicable law, including competent state authorities.

2. In addition, personal data processed by the Administrator, depending on the purpose of processing, may be made available: processors, such as: an external entity providing accounting services, external entities providing IT services to the Administrator, including email mailbox hosting, external advisory and auditing entities, couriers, marketing agencies and possible entities that otherwise cooperate with the Clinic, which also applies to entities involved in patient service,

b. recipients who are separate personal data administrators, such as: an entity providing postal services, law firms, providers of social media platforms and other contractors of the clinic.

3. The administrator indicates that personal data may be transferred outside the EEA, ie to third countries only in the case of personal data processing in social media platforms. The data subject accepts such transfer by using social media and by accepting the internal regulations for the provision of services. Details on how to secure such a transfer are available in the terms and conditions of the providers of social media platforms. The country of transfer is in the vast majority of cases the USA, and the declared security is mainly a certificate of participation in the Privacy Shield program. The administrator informs that he does not anticipate and does not transfer personal data to international organizations.


How long does the Clinic keep personal data?

1. The main criterion that determines the period of storage of personal data is the time necessary to achieve the purpose of processing.

2. If the processing is based on consent, such consent may be withdrawn at any time. The administrator indicates, however, that in the event of such action, there may be other reasons justifying the further processing of personal data.

3.When the processing takes place due to the necessity to fulfill the legal obligation incumbent on the Administrator, or in connection with the performance of the contract or for the purposes of the Administrator's legitimate interest, the periods and criteria determining the duration of storage may be dictated by, among others:

a. the period of performance of a given contractual relationship,

b. the obligation to store accounting documents - 5 years from the beginning of the year following the financial year in which a given transaction was finally completed or settled,

c. the need to secure or pursue claims later - the basic period of 6 years from the date on which the claim became due.


What are the rights of natural persons in connection with the processing of their personal data by the Administrator?

1. Depending on the processing activity performed, the catalog of rights that natural persons may be entitled to is specified in the following list:

a.right to access data,

b.right to rectify data,

c. the right to delete data,

d. the right to limit processing,

e. the right to transfer data,

f. the right to object.

2. The exercise of rights may be implemented by sending an appropriate request to the e-mail address:

3. The administrator also indicates that data subjects have the right to lodge a complaint with the supervisory body, ie the President of the Personal Data Protection Office.


The need to provide personal data to the Administrator

If the obligation to provide personal data does not directly arise from contractual provisions or the law, providing personal data is a voluntary action, but necessary to cooperate with the Clinic, use the services of the Clinic, or contact the Clinic.


This document summarizes most of the information on the processing of personal data. Detailed information on specific processing activities can be obtained by contacting the personal data protection officer using the e-mail address:


Information about cookies files

1. For the proper operation of its website, the Administrator uses cookies, including in a manner tailored to individual needs.

2. Using the website without changing the settings for Cookies means that they will be saved on the end device of the person using the Administrator's website. Such a person may, at any time, change the cookie settings in his web browser.

3. Cookies, including session cookies, can also provide information about the end device and the browser version used by a natural person. These tasks are performed for the correct display of content on the Administrator's website.

4. Cookies are short text files which in no case do not allow the person visiting the website to be personally identified and do not contain any information that could enable such identification.


Additional information on the use of video monitoring

1. The Clinic uses video monitoring both in the areas surrounding the facilities belonging to the Clinic and in the rooms inside these facilities. We are talking about monitoring public rooms (corridors, reception, staircases) and offices, rooms where medical services are provided and other places where patients stay.

2. The main purposes of the video monitoring application are to secure the property belonging to the Administrator and to ensure the safety of patients.

3. The legal grounds for the processing of personal data, depending on the purpose of processing, result from the consent or legitimate interest of the data controller, which is described in separate and detailed information clauses.

4. An external entity that has permanent access to video monitoring recordings is the external IT service of the Clinic.

5. The basic period for storing monitoring recordings does not exceed 3 months from the date of recording.


+48 22 111 50 05