Data Processing
Information common to all clauses
These information clauses describe how MEDCONGRESS GROUP sp. z o.o. processes your personal data for each form on this website, in line with Articles 13 and 14 GDPR. Short notices appear next to each form; the full clauses are below.
Data controller
The controller of your personal data is MEDCONGRESS GROUP sp. z o.o., entered in the Register of Entrepreneurs of the National Court Register under number KRS 0001237036, NIP 5253087146, REGON 544567895 (the "Controller" or "Organizer").
- KRS: 0001237036
- NIP: 5253087146
- REGON: 544567895
- Registered office: ul. Chmielna 2/31, 00-020 Warsaw, Poland
Contact details for data protection matters
- General & GDPR matters: info@iccsh2027.org
- Registration: registration@iccsh2027.org
- Abstracts: abstracts@iccsh2027.org
- Sponsorship: sponsors@iccsh2027.org
- Postal address: ul. Chmielna 2/31, 00-020 Warsaw, Poland
Data Protection Officer (DPO)
The Controller has not appointed a Data Protection Officer. Appointing a DPO is not mandatory under Article 37 GDPR (the Controller is not a public authority, and its core activities do not consist of large-scale monitoring of data subjects or large-scale processing of special categories of data). For all data-protection matters, please contact info@iccsh2027.org.
General legal framework
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
Categories of recipients (processors)
The Controller uses the following IT service providers acting as processors under data processing agreements concluded in accordance with Article 28 GDPR. All providers process data within the European Economic Area (EEA), with the exception of Cloudflare Turnstile (anti-bot verification on the sign-up form), which may process limited technical data on Cloudflare's global network under the safeguards described under "Transfers".
- Vercel Inc. — Frontend hosting (website) · EEA (EU region)
- Railway Corp. — Backend hosting and PostgreSQL database · EEA (EU region)
- Zoho Corporation B.V. — Transactional e-mail / SMTP (smtp.zoho.eu) · EEA (EU data centre)
- Cloudflare, Inc. — File storage — abstract attachments (Cloudflare R2) · EEA (EU region)
- Cloudflare, Inc. — Anti-bot verification on the account sign-up form (Cloudflare Turnstile) · processes IP address and technical signals on Cloudflare's global network · transfers safeguarded by SCC (Art. 46 GDPR) / EU–US Data Privacy Framework
- Jakub Pożarycki, sole trader operating under the business name "Jakub Pożarycki", with registered office at ul. Bukszpanowa 2, Bezrzecze, Poland, NIP 8513262181, REGON 389487615 — Technical support / application maintenance · EEA (Poland/EU)
Recipients may also include providers of accounting, legal and advisory services, and authorized public bodies — solely on the basis of applicable law. With respect to payments, the independent, separate controllers of payment data are Stripe Payments Europe, Ltd. (Dublin, Ireland) and PayPro SA (Przelewy24) — see the Payments section.
Transfers outside the EEA
The Controller's core infrastructure (hosting, database, e-mail, file storage) is located within the European Economic Area (EEA). The only processing that may take place outside the EEA is Cloudflare Turnstile — anti-bot verification on the account sign-up form — which may process limited technical data (including IP address) on Cloudflare's global network; that transfer is safeguarded by the Standard Contractual Clauses (Article 46 GDPR) and Cloudflare's EU–US Data Privacy Framework certification. Any further transfer would take place solely on the terms set out in Chapter V GDPR (e.g. an adequacy decision or standard contractual clauses), and the Controller would inform the data subjects accordingly.
Automated decision-making and profiling
Your personal data are not subject to solely automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you (Article 22 GDPR).
Account registration and operation
Article 13 GDPR
Categories of data
E-mail address, hashed password (passwordHash — stored solely as an irreversible hash, e.g. Argon2/bcrypt), preferred interface language, e-mail confirmation status.
Purposes of processing
- creating and operating a user account on iccsh2027.org,
- authentication (login) and securing access to the account,
- confirming the e-mail address (account-confirmation message),
- enabling features requiring an account (congress registration, abstract submission).
Legal basis
Article 6(1)(b) GDPR — processing necessary for the performance of a contract for the provision of an electronic service (account operation), or to take steps at your request prior to entering into a contract.
Recipients
Vercel (frontend hosting), Railway (backend hosting + PostgreSQL), Zoho Corporation B.V. (e-mail confirmation — smtp.zoho.eu), Cloudflare, Inc. (anti-bot verification on the sign-up form — Turnstile), and the application-maintenance developer. See "Common information".
Retention period
Until the account is deleted by the user or the Controller, and thereafter for 1 year from deletion (to handle complaints and demonstrate correct execution of the deletion request).
Voluntariness
Providing an e-mail address and setting a password is voluntary but necessary to create and operate an account — without this data, creating an account is not possible.
Your rights
Access, rectification, erasure, restriction of processing, data portability, objection, and complaint to the President of PUODO (ul. Stawki 2, 00-193 Warsaw).
Transfers outside the EEA: none. Automated decision-making/profiling: none.
Congress registration
Article 13 GDPR
Categories of data
Title/salutation, first name, last name, e-mail, phone, country, institution/affiliation, specialization, participant type, dietary requirements, additional comments, fee category, add-ons, whether an invoice is required, and — where requested — invoicing details (company name, street, city, postal code, country, Tax ID).
Purposes of processing
- performance of the ICCSH 2027 participation contract (registration, badge, access control),
- organization of catering and accompanying events (dietary requirements),
- settlement of the registration fee and add-ons,
- issuing a VAT invoice and fulfilling accounting and tax obligations,
- organizational communication with the participant.
Legal basis
- Article 6(1)(b) GDPR — performance of the participation contract (title, name, e-mail, phone, country, participant type, fee category, add-ons, dietary requirements, comments);
- specialization and institution/affiliation — Article 6(1)(b) GDPR: data necessary for a professional service directed at healthcare professionals (correct assignment to the scientific programme, fee-category eligibility, session organization);
- Article 6(1)(c) GDPR — legal obligation regarding issuance and retention of invoices and tax documentation (VAT Act, Accounting Act, Tax Ordinance) — for invoicing data;
- Article 6(1)(f) GDPR — the Controller's legitimate interest in establishing, pursuing or defending claims — for data retention after the congress.
Recipients
Vercel, Railway (hosting + PostgreSQL), Zoho Corporation B.V. (transactional e-mail), the maintenance developer, the accounting-services provider, and — for payments — Stripe Payments Europe, Ltd. and PayPro SA (Przelewy24) as separate controllers (see Payments). See "Common information".
Retention period
- Participation data (registration, add-ons, contact, specialization, institution, diet, comments): 3 years from the end of the congress — establishment/defence of claims (Art. 6(1)(f) GDPR), limitation periods.
- Invoicing data and accounting documents: 5 years from the end of the calendar year in which the tax obligation arose — legal obligation (Art. 6(1)(c) GDPR), tax and accounting law.
Voluntariness
Providing data marked as required is voluntary but necessary to conclude and perform the participation contract; invoicing data is necessary if you request an invoice, and the Tax ID (NIP) is a requirement of tax law. Data not marked as required (e.g. additional comments) is entirely voluntary.
Your rights
Access, rectification, erasure, restriction, data portability, objection (for data processed under Art. 6(1)(f) GDPR, on grounds relating to your particular situation), and complaint to the President of PUODO.
Transfers outside the EEA: none. Automated decision-making/profiling: none.
Abstract submission (submitting person)
Article 13 GDPR
Categories of data
Identification and contact data of the submitting person (academic title, first name, last name, affiliation, e-mail, phone), plus the submission itself in IMRaD structure: abstract title, abstract body (up to 300 words), the Introduction (up to 800 words), Material and Methods, Results and Discussion sections (up to 1000 words each) and, optionally, Limitations (up to 400 words) and References (up to 8000 characters), theme, keywords (up to 3), comments, session type, presentation language, presenting-author indicator, and attachments (up to 5 files per abstract in PDF, PNG, JPEG, or TIFF format, up to 5 MB per file, with an optional caption).
Purposes of processing
- receipt and substantive evaluation (review) of the abstract by the scientific committee,
- contact with the submitting person about the status of the submission,
- publication of the accepted abstract in the book of abstracts and congress materials,
- scientific archiving.
Legal basis
Article 6(1)(b) GDPR — processing necessary to carry out submission, evaluation and publication (a contractual relationship between the submitter and the Organizer). For scientific archiving and publication of the author's name alongside the abstract, Article 6(1)(f) GDPR also applies (legitimate interest — integrity and permanence of conference output).
Recipients
Scientific-committee reviewers (acting under the Controller's authorization and bound by confidentiality), Cloudflare, Inc. (attachment storage in Cloudflare R2, EU region), Vercel and Railway (hosting + database), Zoho Corporation B.V. (transactional e-mail), the maintenance developer. After publication — congress participants and, where the book is public, the general public.
Retention period
Until publication of the book of abstracts, and thereafter for 5 years as part of the conference's scientific archive. Published abstracts may remain publicly available indefinitely in line with the purpose of publication.
Voluntariness
Providing the data is voluntary but necessary to submit, evaluate and publish the abstract — without it the submission cannot be processed.
Your rights
Access, rectification, erasure, restriction, data portability, objection (to processing under Art. 6(1)(f) GDPR), and complaint to the President of PUODO. Some rights (e.g. erasure) may be limited for already-published abstracts, owing to the integrity of the scientific output.
Transfers outside the EEA: none. Automated decision-making/profiling: none — the abstract is evaluated by reviewers (humans).
Contact form
Article 13 GDPR
Categories of data
First and/or last name, e-mail address, and the content of the message (and any other data you voluntarily include).
Purpose of processing
Responding to the enquiry submitted via the contact form and conducting correspondence on the matter (including the contact-inquiry-autoreply message).
Legal basis
Article 6(1)(f) GDPR — the Controller's legitimate interest in handling and responding to enquiries addressed to it.
Recipients
Vercel, Railway (hosting + database), Zoho Corporation B.V. (transactional e-mail), the maintenance developer. See "Common information".
Retention period
1 year from the last contact on the matter, and in the event of claims — until they become time-barred.
Voluntariness
Providing the data is voluntary but necessary to respond — without an e-mail address we cannot reply.
Your rights
Access, rectification, erasure, restriction, data portability, objection (Art. 21 GDPR — on grounds relating to your particular situation, to processing under Art. 6(1)(f) GDPR), and complaint to the President of PUODO.
Transfers outside the EEA: none. Automated decision-making/profiling: none.
Sponsorship inquiry form
Article 13 GDPR
Categories of data
First and last name of the contact person, e-mail address, telephone number, name of the represented company/organization, position/role, and the content of the enquiry.
Purpose of processing
Conducting business discussions on sponsorship/exhibition cooperation, preparing and presenting an offer, and taking steps towards concluding a contract (including the sponsorship-received message).
Legal basis
- Article 6(1)(b) GDPR — taking steps at the request of the data subject prior to entering into a contract (pre-contractual steps);
- Article 6(1)(f) GDPR — the Controller's legitimate interest in conducting business discussions, marketing its own congress services to business partners, and the possible establishment, pursuit or defence of claims.
Recipients
Vercel, Railway (hosting + database), Zoho Corporation B.V. (transactional e-mail), the maintenance developer. See "Common information".
Retention period
For the duration of the discussions, and after their conclusion for 3 years (general limitation period for claims arising from business activity). If a contract is concluded — for its performance and the period arising from tax and accounting obligations.
Voluntariness
Providing the data is voluntary but necessary to undertake discussions and present an offer.
Your rights
Access, rectification, erasure, restriction, data portability (for data processed under Art. 6(1)(b) GDPR), objection (Art. 21 GDPR — to processing under Art. 6(1)(f) GDPR), and complaint to the President of PUODO.
Transfers outside the EEA: none. Automated decision-making/profiling: none.
Payments (three-party processing)
Processing model
Online payments (registration fee, add-ons) are handled by external payment operators. The Controller does not store your payment card data — payment data are entered by you directly in the operator's environment, which is responsible for their security under the PCI DSS standard.
What the Controller receives
The Controller receives from the operator only the transaction status (e.g. paid/unpaid/refunded) and the transaction identifier, needed to confirm payment and link it to your submission (payment-confirmed message). To that extent the Controller processes data under Article 6(1)(b) GDPR (performance of the participation contract) and Article 6(1)(c) GDPR (settlement and tax obligations).
Payment operators as separate controllers
With respect to payment data, the separate, independent data controllers are:
- Stripe Payments Europe, Ltd.: Dublin, Ireland — Privacy policy
- PayPro SA (Przelewy24): ul. Pastelowa 8, Poznań, KRS 0000347935 — GDPR information obligation
Each operator processes your payment data in its own name and on its own responsibility, as an independent data controller — detailed information (purposes, bases, rights, any transfers) is set out in their own privacy policies above.
Retention period (on the Controller's side)
Data on the status and identifier of the transaction are retained with settlement and invoicing documentation for 5 years from the end of the calendar year in which the tax obligation arose (Art. 6(1)(c) GDPR).
Your rights vis-à-vis the Controller
Access, rectification, erasure (subject to tax and accounting obligations), restriction, data portability, and complaint to the President of PUODO. Rights concerning payment data processed by the operators are exercised directly vis-à-vis the relevant operator.
Transfers outside the EEA (on the Controller's side): none. Automated decision-making/profiling on the Controller's side: none.
Complaints and legal sources
Right to lodge a complaint
You have the right to lodge a complaint with the supervisory authority if you consider that the processing of your personal data infringes the GDPR.
President of the Personal Data Protection Office (PUODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Sources and legal basis
- Regulation (EU) 2016/679 (GDPR), in particular Articles 6, 13, 14, 21 and 22, and Chapter V;
- Guidelines of the Article 29 Working Party / European Data Protection Board on transparency under Regulation 2016/679 (WP260 rev.01);
- Decisions and guidelines of the President of the Personal Data Protection Office (uodo.gov.pl);
- the Act of 11 March 2004 on VAT, the Act of 29 September 1994 on Accounting, and the Act of 29 August 1997 — Tax Ordinance (retention periods for settlement documents).