Information Clause on the Processing
of Personal Data of Conference Participants

European Health Data and Innovation Summit

Whenever the following terms are used in this Clause:

1. Participant – refers to any person attending the European Health Data and Innovation Summit Conference;
2. Event/Conference – refers to the European Health Data and Innovation Summit Conference;
3. Organizer – refers to the Polish Supreme Medical Chamber (“NIL”) and The Finnish Innovation Fund Sitra;
4. Data Controller – refers to The Polish Chamber of Physicians and Dentists (“NIL”) and The Finnish Innovation Fund Sitra.

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR (OJ EU L No. 119, p. 1), the following information is provided:

Data Controller and Contact Information

1. The joint controllers of the Participant’s personal data are:
   1. Supreme Chamber of Physicians (NIL) in Warsaw, 110 Jana III Sobieskiego St., 00-764 Warsaw, telephone number: +48 22 559 13 00, address-email: innowacje@nil.org.pl, represented by the President of the Supreme Medical Council.
   2. Sitra, the Finnish Innovation Fund  Address: Itämerenkatu 11-13, PO Box 160, FI-00181 Helsinki  Tel: +358 294 618 991  Email: kirjaamo@sitra.fi
   3. EIT Health InnoStars e.V., an association having its registered seat at Mies-van-der-Rohe-Strasse 1C, 80807 München, Germany, with tax registration number DE308252541, represented by: Balázs Fürjes, acting as Managing Director.
   4. EOSC4Cancer, empirica Gesellschaft für Kommunikations- und Technologieforschung mbH, Oxfordstr. 2, 53111 Bonn, Germany; phone: +49-228-98530-0
2. The role of Data Protection Officer (DPO) is held by:
   1. at the Supreme Medical Council is Agnieszka Witoszek, who can be contacted by e-mail: agnieszka.witoszek@nil.org.pl
   2. Sitra, the Finnish Innovation Fund Data Protection Officer:  Janika Skaffari,  Specialist, Administration, kirjaamo@sitra.fi
   3. EIT Health e.V.  Mies-van-der -Rohe-Str. 1C 80807 Munich E-Mail: DataPrivacy@eithealth.eu IT Health InnoStars e.V.,
   4. EOSC4Cancer, empirica Gesellschaft für Kommunikations- und Technologieforschung mbH, Oxfordstr. 2, 53111 Bonn, Germany; phone: +49-228-98530-0
3. The Data Controller declares that the processing of personal data is conducted in accordance with the principles outlined in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, referred to hereafter as GDPR.
4. In all actions related to the organization of the Conference, the Data Controller implements the principles of privacy by design and privacy by default and manages risks in the context of personal data protection.
5. The Data Controller of Participants’ data ensures the implementation of appropriate technical and organizational measures to secure personal data, particularly to prevent third-party access or processing in violation of the law, as well as to prevent data loss, damage, or destruction.

Purposes and Legal Basis for the Processing of Personal Data

1. Providing personal data by the Participant is voluntary but is a prerequisite for registration—it is necessary to register for participation in the Conference and to enable the Data Controller to properly perform services related to the registration and execution of the Event. Failure to provide personal data will prevent registration and participation in the Conference.
2. The processing of data by the Data Controller is based, among others, on the following legal provisions:
   a. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), specifically Article 6(1)(a), (c), and (e);
   b. The Act of 2 December 2009 on Medical Chambers (Journal of Laws of 2021, item 1342, as amended);
   c. The Act of 6 September 2001 on Access to Public Information (Journal of Laws of 2022, item 902); d. The Act of 4 February 1994 on Copyright and Related Rights (Journal of Laws of 2022, item 2509); e. The Act of 14 July 1983 on the National Archival Resource and Archives (Journal of Laws of 2020, item 164);
   f. The Act of 29 September 1994 on Accounting (Journal of Laws of 2023, item 120, as amended).
3. The personal data of Participants is processed for the following purposes:
   a. Registration of participation in the European Health Data and Innovation Summit organized on January 30, 2025, by the Polish Supreme Medical Chamber and The Finnish Innovation Fund Sitra, based on Article 6(1)(a) of the GDPR, i.e., processing based on consent to participate in the Conference and communicate with Participants on matters related to the organization of the conference, document its course, including creating a list of Participants and issuing certificates of attendance—based on Article 6(1)(f) of the GDPR, i.e., processing necessary for purposes resulting from the legitimate interests pursued by the Data Controller;
   b. Organization and proper conduct of the Event;
   c. Marketing of the Data Controller’s own products or services during and after the Conference until the Participant opts out of receiving marketing offers and in connection with the provision of electronic services—based on Article 6(1)(a) of the GDPR, i.e., based on the Participant’s consent;
   d. Contact after the Conference for collaboration on other initiatives and events organized by the Data Controller, based on Article 6(1)(a) of the GDPR, i.e., voluntary consent given by the Participant;
   e. Statistical purposes—based on Article 6(1)(f) of the GDPR, i.e., based on the legitimate interest pursued by the Data Controller, which is maintaining statistics on the services provided and activities conducted by the Data Controller;
   f. Recording and promoting the Event and publishing reports, coverage from the Event, including on the Data Controller’s website, social media, and in titles published by the Data Controller, based on Article 6(1)(a) of the GDPR, i.e., voluntary consent given by the Participant;
   g. Related to claims defense and pursuit of compensation—based on Article 6(1)(f) of the GDPR, i.e., based on the legitimate interest pursued by the Data Controller;
   h. Related to document management and archival storage of documentation—based on Article 6(1)(c) and (e), i.e., fulfilling obligations resulting from legal provisions;
   i. Conducting audits and inspections (internal and external) at the Data Controller—based on Article 6(1)(c) and (e) of the GDPR, i.e., fulfilling obligations resulting from legal provisions;
   j. Other purposes for which separate consent was granted;
   k. Other purposes imposed on the Data Controller by universally applicable law.

Categories of Personal Data and Data Recipients

1. The personal data of Participants collected by the Data Controller may be shared only based on legal provisions with authorized entities and bodies.
2. The personal data of Participants may be entrusted to entities providing services to the Data Controller, including providers of IT systems and IT services, entities providing maintenance services for IT systems, legal services, and financial services, solely under appropriate data processing agreements and to the extent necessary to perform the agreements.
3. The scope of processed personal data of Participants includes:
   1. first and last name,
   2. job position,
   3. the country from which the Conference participant is arriving
   4. the organization represented by the person registering for the Event,
   5. phone number,
   6. email address,
   7. membership in entities listed in the registration form by the Organizer,
   8. image.

4. The Data Controller will record (in terms of video and audio) the Conference proceedings. Participation in the conference is equivalent to the Participant’s consent for the free recording and distribution of their image for the Data Controller’s educational and promotional purposes, unless obtaining such consent is not required by applicable laws. The Data Controller also states that the recording will be made in a form where the Participant’s image will be part of a larger whole.
5. The personal data of Participants is not transferred to countries outside the European Economic Area.
6. The personal data of Participants is not and will not be processed in an automated manner, including profiling.

Retention Period for Personal Data

1. The personal data of Participants will be processed for a period of no less than 5 years from the end of the year in which the data was collected, in accordance with the deadlines specified by applicable law and the internal regulations of the Polish Supreme Medical Chamber, including the Uniform Material Record of Activities.
2. In certain cases specified in the Act of July 14, 1983, on the National Archival Resource and Archives, personal data may be classified as archival category “A,” meaning it will be transferred to the State Archive after 25 years.

Rights of Individuals and How to Exercise Them

1. Depending on the legal basis for data processing, the Participant has the right to:

a. access – obtain confirmation from the Data Controller as to whether their personal data is being processed. If such data is being processed, they are entitled to access it and receive information regarding the purposes of processing, categories of personal data, recipients or categories of recipients to whom the data has been or will be disclosed, the period of data retention, or criteria for determining this period, the right to request rectification, erasure, or restriction of processing, and the right to object to such processing (Article 15 GDPR);
b. receive a copy of the data – obtain a copy of the data being processed, with the first copy provided free of charge and a reasonable fee for additional copies based on administrative costs (Article 15(3) GDPR);
c. rectification – request correction of inaccurate or incomplete personal data (Article 16 GDPR);
d. erasure of data – request deletion of personal data if the Data Controller no longer has a legal basis for processing or if the data is no longer necessary for processing purposes (Article 17 GDPR);
e. restriction of processing – request the restriction of processing (Article 18 GDPR) when:

• the data subject contests the accuracy of the personal data—for a period enabling the Data Controller to verify the accuracy,
• processing is unlawful, and the data subject opposes deletion, requesting restriction instead,
• the Data Controller no longer needs the data, but it is required by the data subject for the establishment, exercise, or defense of legal claims,
• the data subject has objected to processing—pending verification of whether the Data Controller’s legitimate grounds override the data subject’s objections;

f. data portability – receive personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used, machine-readable format, and to request transmission of this data to another controller if the data is processed based on consent or a contract and is processed automatically (Article 20 GDPR);

g. object – object to the processing of their personal data for the Data Controller’s legitimate interests due to their particular situation, including profiling. The Data Controller will assess the existence of compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of claims. If the assessment favors the data subject’s interests, the Data Controller must cease processing for these purposes (Article 21 GDPR).

2. To exercise the above rights, the data subject should contact the Data Controller using the provided contact information and specify which right and to what extent they wish to exercise.
3. When data processing is based on consent, the Participant has the right to withdraw it at any time. This does not affect the legality of the processing conducted before withdrawal.
4. If the Participant believes their personal data is being processed in violation of the law, they have the right to file a complaint with:
   a. The Polish supervisory authority – Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw,
   b. The Finnish supervisory authority – Tietosuojavaltuutetun toimisto, Käyntiosoite: Lintulahdenkuja 4, 00530 Helsinki, Postiosoite: PL 800, 00531 Helsinki, Sähköposti: tietosuoja(at)om.fi, Puhelinvaihde: 029 566 6700, Kirjaamo: 029 566 6768, Yleinen neuvonta yksityishenkilöille: 029 566 6777, Yleinen neuvonta rekisterinpitäjille: 029 566 6778.