Data Processing Policy in a Public Cord Blood Bank

This document shall apply from 25 May 2018

Processing of personal data in connection with blood banking in a public cord blood bank

Pursuant to Article 13(1) and (2) of Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 2016/EC ("GDPR"), we inform you about the manner in which and the purpose for which we process your personal data, as well as about your rights arising under the GDPR.

  1. Data controller and person responsible for processing the data

    In connection with the gratuitous deposit of the biological material in a public bank the controller of your personal data shall be Polski Bank Komórek Macierzystych S.A. with its registered office at Al. Jana Pawła II 29, 00-867 Warsaw ("PBKM").

    PBKM appointed a person responsible for processing personal data, i.e. the Data Protection Officer who may be contacted in any and all matters concerning the processing of personal data and the exercise of rights relating to the data processing, at the following e-mail address:

  2. Necessity of transfer of personal data

    The provision of data is voluntary but may be necessary for the deposit of biological material for public purposes with a public bank.

  3. Purpose of processing your personal data and legal basis of processing

    We shall process your personal data in accordance with the provisions of the GDPR and the Polish Act on Personal Data Protection. The personal data shall be processed:

    • on the basis of your explicit consent (Articles 6(1)(a) and 9(1)(a) of the GDPR)

    Data shall be processed on the basis of consent for the purpose of depositing biological material for public purposes with a public bank. The processing shall be necessary for the qualification, processing and storage of the collected biological material.

    The consent may be withdrawn at any time. The withdrawal of the consent shall not affect the legality of the processing carried out before the consent was withdrawn.

    • to comply with legal obligations (Article 6(1)(c) of the GDPR) or perform tasks carried out in the public interest (Article 6(1)(e) of the GDPR)

    As a cord blood bank and a healthcare entity, we are subject to a number of legal obligations, i.e. requirements resulting from, for example, the Act on Patients' Rights and the Patient Ombudsman, and the Act on Collection, Storage and Transplantation of Cells, Tissues and Organs.

    • for the purposes arising from legitimate interests pursued by PBKM or a third party (Article 6(1)(f) of the GDPR)

    If necessary, we shall process your data to protect the legitimate interests of you or of any third parties. For example:

    • ensuring information security;
    • claiming and defending against claims;
    • ensuring the safety of biological material.

  4. Personal Data Recipients

    The personal data may be made available to other recipients to meet a legal obligation of PBKM or for purposes arising from legitimate interests of the controller or a third party.

    The recipients may be in particular: authorised employees and a law firm providing services to PBKM.

    In addition, the data may be transferred to entities processing personal data on behalf of PBKM and their authorised employees, provided that such entities shall process the data on the basis of a contract with PBKM and only in accordance with instructions and on condition that confidentiality is kept.

  5. Duration of data retention

    Personal data shall be processed for the period of storing the material in a public bank or until the withdrawal of consent.

  6. Your rights in respect of processing of your personal data

    You have the right to:

    • require access to and rectification of your personal data, limit the processing of your personal data or delete your personal data;
    • to the extent that the processing of personal data is based on your consent, withdraw at any time the prior consent given to the processing of your personal data;
    • object at any time to the processing of your personal data for reasons relating to your particular situation where PBKM processes the data for purposes based on its legitimate interests (Article 21(1) of the GDPR);
    • require the transfer of personal data processed on the basis of consent. The transfer shall involve the receipt of your personal data from PBKM in a structured, commonly used and machine-readable format and the transmission of such data to another controller. The right to transfer data shall not apply to data that constitute a business secret;
    • file a complaint with a supervisory authority, i.e. with the President of the Office for Personal Data Protection, if the processing of your personal data is found to violate the provisions of the GDPR.