Since 25th May 2018, data protection regulations have been amended so that the new EU General Data Protection Regulation 2016/679 (“GDPR”) applies.

Therefore, the information below is presented to You in order to let You know how Your personal data collected in the course of health services delivery and use of the Centre’s website is processed.

Personal data controller
The controller of personal data is the centre where you arrange your visit and a health care service via the online platform located at, i.e.:

  1. Ośrodek Chirurgii Oka Profesora Zagórskiego w Krakowie sp. z o.o. (Zagorski Eye Surgery Centre in Kraków Ltd.), registered office address: ul. Ludwika Solskiego 7C, 31-216 Kraków;
  2. Ośrodek Chirurgii Oka Profesora Zagórskiego w Nałęczowie sp. z o.o. (Zagorski Eye Surgery Centre in Nałęczów Ltd.), registered office address: al. Małachowskiego 5, 24-140 Nałęczów;
  3. Ośrodek Chirurgii Oka Profesora Zagórskiego w Nowym Sączu sp. z o.o. (Zagorski Eye Surgery Centre in Nowy Sącz Ltd.), registered office address: Aleje Stefana Batory 88, 33-300 Nowy Sącz;
  4. Ośrodek Chirurgii Oka Profesora Zagórskiego w Rzeszowie z o.o. (Prof. Zagorski Eye Surgery Centre in Rzeszów Ltd.), registered office address: ul. Moniuszki 8, 35-117 Rzeszów;
  5. Gabinety Okulistyczne sp. z o.o. (Ophthalmology Practices Ltd.), registered office address: Spokojna 17/9, 20-060 Lublin;
  6. Gabinet Okulistyczny Prof. dr hab. Zbigniewa Zagórskiego (Zagorski Private Practice), registered office address: ul. Ogrodowa 6, 20-075 Lublin;

each of these entities is hereinafter referred to as the “Centre”, and all further provisions of the Policy relating to the services, responsibilities and rights of the controller refer to the Centre in which you arrange your visit and a health care service.

The operator of the website is the company “OCHO” sp. z o.o. (OCHO Ltd) with its registered office in Kraków, ul. Ludwika Solskiego 7C, 31-216 Kraków.

All matters related to the processing of your personal data should be stated in writing and mailed to the address of the Centre which is Your actual care provider and to the e-mail address: In the latter case, providing the location of the Centre is essential for efficient communication.


You may contact the Data Protection Officer at:


Sources of your personal data
The personal data processed in the Centre are obtained directly from You, i.e. the Subject of the health services provided in the Centre. If you use the services of intermediary companies, then your data will be provided to us by the intermediary.

If you use our services, health care means a direct visit to the Centre, but also telephone registration and notification of the date of consultation, date of preoperative evaluation, date of the drug program and other procedures. Health care services are provided based on contracts signed with the National Health Fund (pol.: Narodowy Fundusz Zdrowia = NFZ) for patients with public insurance. The above applies only in those Centres where such contracts have been signed. The scope of the Centre’s activities also comprises health services on commercial terms.

Employees of the Patient Services send an SMS notification about the planned date of the visit to the Centre.

Scope of personal data processing
If You use our services under an agreement with the National Health Fund (NFZ), a referral from a primary care doctor (general practitioner or family doctor) or Specialist is required. For this purpose, a referral should contain the following data: first name, surname, PESEL number (Personal Polish Individual Number), gender and date of birth, address of residence, telephone number, place of study (in the case of students), ICD-10 code, NFZ branch code. A referral from an ophthalmologist for the visit is treated equally.

If You pay for a medical service (commercial service), then in order to verify your identity and confirm the right to health care services and health insurance before providing a health care service, we also need the following data: first name, surname, PESEL number, gender, date of birth, address of residence, contact telephone number, and, in the cases provided for by law, also the data of your legal representative.

This information is necessary for us to provide health care to You.

For the telephone registration, it is necessary to provide full name and contact telephone number.

Another way to register a patient is to book an appointment online. Then it is necessary to provide the following data in an electronic version: first name and surname and description of the health problem.

In the case of online registration, we also collect certain technical data, which may constitute personal data, such as:

  • Technical information: IP address, browser type and version (e.g. Internet Explorer, Firefox, Safari, etc.), time zone settings, browser plug-in types and versions, operating system used (e.g. Vista, Windows 7, MacOS, etc.), device type, hardware model, MAC address, unique identifiers and mobile network information;
  • Data available online: information about the website you visit, including the URL, the paths visitors take through our website (including date and time), information about the user network, such as device data, nodes, configurations, connection speed and performance of web applications; pages you visit or search, response times, download errors, length of visits and information about interactions (such as scrolling, clicks, hovering), and information on whether links or emails have been opened by you.

During health care services, we create medical documentation, containing all information about the diagnostics processes and management, in particular information about your health condition. It may also contain your other sensitive data (e.g., addictions).

This information is collected only for the purpose of medical diagnosis and proper treatment.

Purpose of personal data processing

The Centre processes personal data as a medical entity and the purpose of this processing is to provide health care and to manage health care systems and services, by which we mean:

  • determining the patient’s identity before providing the service, verifying data when arranging a remote visit (e.g. via the website or by telephone), at reception or in the doctor’s office (we process these data on the basis of a specific legal obligation imposed on the Centre by applicable law – the basis from Article 6(1)(c) of the GDPR);
  • providing medical services and treating patients in order to fulfil the contract to which the patient is party (this is necessary for the purposes of fulfilling the contract to which the patient is party – the basis from Article 6(1)(b) of the GDPR),
  • keeping and storing medical records (this is necessary for the purposes of preventive medicine, medical diagnosis and delivery of health care – the basis from Article 9(2)(h) of the GDPR);
  • executing the patient’s rights, e.g. receiving and archiving statements authorising other people to access the patient’s medical documentation and to be given information about the patient’s health (we process these data on the basis of a specific legal obligation imposed on the Centre by applicable law – the basis from Article 6(1)(c) of the GDPR);
  • contacts with the patient at the given telephone number or e-mail address, for example to confirm a reservation or cancel a medical consultation, remind about the consultation, inform about the need to prepare for the agreed procedure or inform about the possibility of receiving the test result (this is necessary for the purpose of performing the contract to which the patient is party – the basis from Article 6(1)(b) of the GDPR);
  • pursuing the legitimate interest of the Centre, which is to perform monitoring on the premises of the company, the development of the company and its employees, planning and organisation of work, performing analyses, summaries, statistics and programs or business or personnel strategies, obtaining opinions on the quality of health services provided (surveys), protection and safeguarding of the property of the Centre, defence of rights or establishment and pursuit of claims of the Centre (legitimate interest pursued by the controller – the basis from Article 6(1)(f) of the GDPR).
  • or the need to perform another, specific legal obligation imposed on OCHO by applicable law, e.g. tax, accounting issues, etc. (we process these data on the basis of a specific legal obligation imposed on the Centre by applicable law – the basis from Article 6(1)(c) of the GDPR).

Do we perform profiling of personal data?
We do not process your personal data for any purpose other than therapeutic or preventive activities. We do not use your personal data for marketing purposes, nor do we conduct so-called profiling, i.e. creating profiles of your preferences to customise our services and marketing content.

Recipients of personal data
All personal data collected by us are covered by the confidentiality clause in connection with the provision of health services and the need to properly organise the diagnostic and therapeutic process.

Your personal data may be transferred to the following categories of recipients:

  • Other medical institutions cooperating in order to ensure continuity of treatment and availability of health care in Poland.
  • The National Health Fund (NFZ) as part of contract agreements with the National Health Fund.
  • Service providers which supply the Centre with technical and organisational solutions enabling the provision of health care services and the management of our entity (in particular, providers of ICT services, suppliers of diagnostic equipment, courier and postal companies for the needs of the patient, SMS and e-mail service providers).
  • Providers of legal and advisory services and the entities which support us in asserting claims to which we are entitled (in particular law firms, debt collection companies).
  • Institutions and bodies authorised in accordance with the provisions of the Act on Patient Rights and the Patient Ombudsman.
  • People authorised by you as part of the implementation of statutory patient rights.

Will personal data be transferred outside the European Economic Area?
Your personal data is not transferred outside the European Union. If in the future it is necessary to transfer your data outside the EU, we ensure that in this case the transfer of data will take place on the basis of an appropriate agreement between the Centre and this entity, containing standard data protection clauses adopted by the European Commission.

Period of processing your personal data
We are obliged to store your medical records for the periods indicated in Article 29(1) of the Act on Patient Rights and the Patient Ombudsman, that is, in principle for a period of 20 years, counting from the end of the calendar year in which the last entry was made.

If the data have been processed by us for the purpose of pursuing claims (e.g. in debt collection proceedings), then we store them for as long as the applicable law in the scope of limitation of civil claims permits (as a rule, 3 or 10 years).

All data processed for accounting and tax purposes are processed for 5 years, counting from the end of the calendar year in which the tax obligation arose.

After the aforementioned periods, your data is erased or anonymised (irreversible process).

Obligation to provide personal data

The choice of a medical entity is the patient’s right, and the use of the services provided by the Centres is fully voluntary. As an entity performing medical activities, we are obliged to keep medical records in a manner specified by law, including marking the patient’s identity with the use of his or her personal data. In this case, failure to provide data may result in the refusal to book a visit or provide a health care service. Also for accounting or tax reasons, we have a legal obligation to process your data; if data are not provided, we, for instance, will not be able to issue an invoice or a receipt bearing your name.

Providing your telephone number or e-mail address for contact is voluntary; if these are not provided, a health care service will not be refused, but You will not receive from us a confirmation of your visit, information about changing the date or other important information about a given service.

Rights of the patient in the processing of personal data
Data subjects have the following rights:

  • the right of access to the content of their personal data (submitting a request for information about the processed data and obtaining a copy of them, including copies of own personal data that are transferred to a third country) and the right to rectify (correct) them, erase the data processed unjustifiably, restrict processing (suspension of operations on data or non-erasure of data – according to the submitted request), as well as the right to transfer these data to another data controller (within the scope specified in Article 20 of the GDPR).
  • the right to withdraw consent to the processing of personal data at any time without affecting the lawfulness of the processing which was carried out on the basis of the consent given before its withdrawal.
  • in special situations, they may object to the processing of personal data by the Centre at any time, if the basis for the use of the data is the legitimate interest of the Centre or the public interest. In such a situation, after considering the objection, the Centre will not be able to process the personal data covered by the objection on this basis, unless the Centre proves that there are:
    • compelling legitimate grounds for the processing of data that are considered by law to override the interests, rights and freedoms of the data subject, or
    • grounds for the establishment, exercise or defence of legal claims.

The scope of each of these rights and the situations in which they apply are specified in the provisions of law. To protect data against unauthorised access, we may request additional identification of the data subject or additional information.

The possibility of exercising each of the aforementioned rights arises from the applicable legal provisions; for example, it depends on the legal basis for data processing and the purpose of the processing.


Reviewing requests related to your rights
All requests related to your rights should be submitted in writing to the address of the Centre and additionally in the form of a scan of the letter to the following address: The requests must be signed and must contain the following information: first name, surname, address and preferably also your e-mail address, to verify your identity.

Where applicable law provides for an administrative fee for the execution of such a request (including irresponsible or exaggerated requests), the Centre may charge such a fee.

All requests submitted under the applicable regulations will be reviewed by the Centre immediately and properly. We will respond to your request within 30 days at the latest. A request to be forgotten, to restrict the processing of data or to transfer the personal data contained in medical records to another controller will be refused for the entire period of archiving medical records required by law.

If the request is rejected, and if, in the opinion of the data Subject, the processing of personal data by the Centre violates the law, including the GDPR, the data Subject has the right to lodge a complaint with the President of the Office for Personal Data Protection.

We use cookies to identify Your browser. They collect and store information about when You visited our website and how You use it, which allows us to store information about Your visits to the website and provides better service and experience when browsing the website and for analysis purposes. The personal data collected by us using these technologies will also be used to manage your session.

More information about cookies and how to use them is available here:

Links to third party websites
Websites may contain links to other websites whose privacy practices are different from ours. Such external websites place their own cookies on your computer, collect data or require you to provide personal information. If you provide personal data on any of these websites, then such information is subject to separate privacy policies. The Centre has no control over such websites and accepts no responsibility for such websites. We encourage You to carefully read the privacy policy of each website You visit.

Changes to this Privacy Policy
The Centre reserves the right to make periodic changes to this Policy. We expect that these will be mostly minor changes, but there may also be more significant changes. The date of the last modification is indicated at the end of this document.

We will post such changes on this page.

This Privacy Policy was published on 31 May 2018.

