Privacy Policy

Terms used in this document
Personal Data – refers to information about an individual that can be used to identify them. This Privacy Policy explains how we use the personal information you provide to us.
We/Us – SMA Foundation with headquarters in Warsaw, at 10/99 Przy Forcie street.
You, Your – any individual with whom we have a legal relationship, especially patient, doctor, physiotherapist, volunteer.
GDPR – General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC,
SMA Database – the database maintained by us, accessible at the address:

Kto jest administratorem ?
Jesteśmy administratorem Twoich danych osobowych. Oznacza to, że decydujemy jak i w jakich celach Twoje dane osobowe, które nam przekazałeś, są przetwarzane. Chcemy, abyś wiedział, że dokładamy wszelkich starań, aby Twoje dane osobowe były bezpieczne. Nie udostępniamy odpłatnie powierzonych nam danych osobowych. Jeśli masz jakiekolwiek pytania dotyczące przetwarzania przez nas Twoich danych osobowych, skontaktuj się z nami wykorzystując poniższe dane kontaktowe

SMA Foundation, 10/99 Przy Forcie street, Warsaw. Phone: (+48) 22 350 02 02, e-mail: [email protected]

How do we process your personal data?
Your data is processed in the following way:

  1. Basic data
    Basic data includes information about you such as your name, surname, date of birth, gender, or contact information.

Purpose of processing basic data
To facilitate communication with you (via phone and email included)
To enable the fulfillment of orders that require shipping via mail or courier service
Who do we share your basic personal data with
Your basic personal data may be disclosed to the following entities based on separate agreements:

Online marketing entities – in the scope of your name, surname, and email address
Postal or courier entities in case you request the shipment of any item
The relevant public administration authorities within the scope required by the applicable laws regarding the maintenance and storage of financial records
Duration of processing basic data
We process the data as long as you do not file an official objection to the processing of these data.

Legal basis
Voluntary consent (Article 6 (1) (a) of the GDPR).

  1. Sensitive data
    Sensitive data includes basic information combined with information about health and genetics, if provided by you. In the understanding of this Regulation, sensitive data includes all data collected by us within the SMA Database.

Purpose of Processing Sensitive Data
Treatment and clinical trials enrollment coordination
Conducting epidemiological analysis of the prevalence of spinal muscular atrophy in Poland
Conducting informational and educational activities aimed at individuals with specific health conditions (such as a specific type of spinal muscular atrophy)
Who we disclose personal data to
Access to all personal data provided by you may be obtained from us by the following entities, based on the entrustment of personal data processing:

Server administrators who host the SMA Database
Entities providing IT support and security for the SMA Database
Treatment or clinical trial centers – only with your individual consent each time
Entities conducting public health research on our behalf
Period of Processing Sensitive Data
We process the data as long as you do not file an official objection to the processing of these data.

Legal basis
Voluntary consent (Article 6 (1) (a) of the GDPR).

  1. Anonymous Data
    The data you provide may be anonymized by us in such a way that it is not possible to identify the individual to which it refers. This can be achieved by, for example, hiding the name and surname, gender, date of birth and contact details and/or replacing some data elements with identifiers.

Anonymous data is used by us for statistical purposes, such as determining the number of people covered by treatment programs or estimating the interest in clinical trials.

Who we share anonymous data with
We can share anonymous data without the need to enter into a personal data processing agreement, and recipients may include:

Entities providing treatment or clinical trials
Entities conducting public health research
State administration bodies performing health protection tasks in Poland
Based on anonymous data, we also prepare information posted on the Foundation’s websites, in reports and studies prepared by us, etc.

Period of processing sensitive data
Data is processed without time limits

Legal basis
The processing of data that does not allow for the identification of the person to which it refers does not require consent.

  1. Internet Connection Data
    Internet connection data includes the user’s IP address, connection time, and actions performed by the user on this website (e.g. creating a profile). Collection of this information is mandatory for us in accordance with the GDPR.

Furthermore, we gather anonymous information obtained via Google Analytics service, including information about device type, operating system version, browser type, screen size, etc. This information helps us better tailor the website’s functionality to the users.

  1. Image/Appearance
    If you have given consent for the processing of your image, we will process it for the purpose of promoting our business activities in accordance with our statutory objectives.

Your rights:
We ensure the implementation of the rights indicated below. You can exercise your rights by making a request using the contact details provided by us.

Right to withdraw consent
You have the right to withdraw any consent you have given for the processing of your personal data at any time. The withdrawal of your consent takes effect from the moment of withdrawal. The withdrawal of consent does not affect the processing we carry out in accordance with the law before its withdrawal.

Withdrawing consent does not have any negative consequences for you. However, it may prevent us from further carrying out actions on your behalf or using our functionality that, in accordance with the law, we can only provide with your consent.

Legal basis: Article 7 para. 3 GDPR

Right to Object to the Processing of Personal Data
You have the right to object to the processing of your personal data at any time if we are processing it based on our legitimate interest, such as for sending you information about our new activities and initiatives, including profiling based on this.

If your objection is justified and we do not have another legal basis for processing your personal data, we will remove your data for which you have raised an objection.

In the event that you object to receiving marketing information, we will stop sending you such information.

Legal basis: Art. 21 GDPR

Right to Erasure of Personal Data (“Right to be Forgotten”)
You have the right to request the deletion of all or some of your personal data.

Despite your request to delete your personal data due to an objection or the withdrawal of consent, we may retain some personal data to the extent necessary for the purposes of establishing, pursuing or defending potential claims related to the processing of your personal data. This applies in particular to personal data that includes your name, surname and information about consents or activity history, which we retain for the purposes of reviewing complaints and claims related to the processing of your personal data by us in connection with our legal relationship. We will process your personal data for this purpose for a period of 10 years from the end of our legal relationship. The legal basis for our processing of your personal data for this purpose is our legitimate interest (Article 6(1)(f) of the GDPR).

Legal basis: Article 17 of the GDPR.

Right to restrict the processing of personal data
You have the right to request the restriction of the processing of your personal data. If you make such a request, until it is processed, we will disable certain functionalities or services for you that would involve processing the data subject to your request. We will also not send you any messages, including marketing messages.

Legal basis: Article 18 GDPR.

Right of access to personal data
You have the right to obtain from us confirmation as to whether we are processing your personal data, and if so, you have the right to:

Access your personal data;
Obtain information on the processing purposes, categories of processed personal data, recipients or categories of recipients of such data, the planned storage period of your data or the criteria for determining that period, the rights you have under the GDPR and the right to file a complaint with a supervisory authority, the source of the data, automated decision-making, including profiling, and security measures taken in connection with the transfer of data outside the European Union;
Obtain a copy of your personal data.
Legal basis: Article 15 GDPR.

Right to rectification of personal data
You have the right to request rectification of your personal data provided, if and when these are discordant with the actual state or require to be complemented (if these are incomplete).

Legal basis: Art. 16 GDPR.

Right to move personal data
You have the right to receive your personal data that you have provided to us, and then to transfer it to another personal data administrator chosen by you, such as another public benefit organization.

You also have the right to request that your personal data be transferred directly from us to another data administrator, if technically feasible.

Legal basis: Art. 20 GDPR.

The right to file a complaint
You have the right to file complaints, inquiries, and requests regarding the processing of your personal data and the exercise of your rights.

You have the right to file a complaint with the General Data Protection Inspector (in the future, the President of the Data Protection Office) if you believe that your right to personal data protection or other rights granted to you under the GDPR have been violated.

Legal basis: Article 13, paragraph 2, letter d) of the GDPR.

What area do we disclose personal data in?
We only share personal data with entities within the European Economic Area (EEA) and, regarding data about visits to this website and collected by Google Analytics, only with entities that have joined the EU-US Privacy Shield Framework and hold a relevant certification of participation (more information about the Privacy Shield program can be found on the website

Is Providing Personal Data Obligatory?
Providing your personal information is not mandatory, but it is necessary in order to register yourself or your children/dependents in the SMA Database, in accordance with our statutory purposes.

Without your consent to receive information about our initiatives and support proposals at the email address or phone number provided by you, we will not be able to send you such information.

Without your consent to participate in survey research provided through your email address or telephone number, we will not be able to contact you to participate in such research.

Who to contact regarding personal data?
To make requests for data access; data correction; and cessation of processing, please contact the SMA Foundation, 10/99 Przy Forcie St., 02-495 Warsaw, tel. (+48) 22 350 02 02, fax 22 350 02 01, e-mail: [email protected].