We hereby inform you that your personal data will be processed in accordance with the principles of transparency, legitimate interest in the purpose, data minimisation, exactness, integrity and confidentiality, while also respecting the guarantees stipulated in Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, regarding the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and in accordance with the information listed below:
1. WHO IS THE CONTROLLER?
-
Joint Controllers. The controllers for processing your personal data are:
-
INSTITUTO CONDAL DE OFTALMOLOGIA, S.L. (ICO)
-
Identity Data: Tax ID Code (NIF): B59054163, address: 08006 Barcelona, Via Augusta 48-54, 2°, recorded in the Companies Register of Barcelona, in volume 30.760, folio 157, sheet number B-41566.
-
-
GESTIÓ I MICROCIRURGIA OCULAR, S.A. (GMO)
-
Identity Data: Tax ID Code (NIF): A63096861, address: 08036 Barcelona, Carrer Balmes 253, baixos, recorded in the Companies Register of Barcelona, in volume 35289, folio 207, sheet number B-262432.
-
-
Website:https://www.verte.es/en(hereinafter referred to as the ‘Website’).
(Hereinafter referred to jointly as the ‘Companies’ or the ‘Joint Controllers’).
As such, the Joint Controllers shall be jointly responsible for processing and protecting your personal data. Moreover, there is an agreement between the companies that states their responsibilities.
-
-
Data Protection Officer. You can contact the Data Protection Officer using the following email address: dpo@verte.es.
-
Hospital Centres. The Joint Controllers are the joint owners of the following hospital centres:
-
Name: ICO·1. Address: Vía Augusta, 61 (08006) Barcelona
-
Name: ICO·2. Address: Vía Augusta, 48 2° (08006) Barcelona
-
Name: Clínica CEM. Address: c/ Balmes, 253 (08006) Barcelona
-
2. FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA?
We may process your data for the following purposes:
PURPOSE | MORE INFO |
---|---|
1. Providing ophthalmological medical care | Your personal data is processed in order to provide ophthalmological medical care and to properly manages these healthcare services, which may include:
|
2. Administrative procedures related to the provision of healthcare services, managing the contractual relationship with the patient and invoicing |
|
3. Compliance with legal obligations | It may be necessary to process your personal data in order to comply with any relevant legal obligations. Specifically, to comply with legislation on data protection, tax, healthcare, etc. |
4. CCTV for security purposes | The healthcare centres have a CCTV system which captures images of users of the centre in real time. The processing of this data is for the purpose of security and access control for the centre. |
5. Sending commercial communications (Newsletter) |
|
6. Conducting quality surveys | We may conduct actions and quality surveys to find out the level of satisfaction among our patients in order to improve our services. |
7. Managing the website (https://www.verte.es/en) |
|
8. Social media management | Managing LinkedIn, Facebook, Instagram and YouTube and contacting you on there. |
9. Digital communications |
|
10. Responding to information requests, complaints, suggestions, claims and incidents. | Managing and processing your requests of any kind, by any means, including phone calls and/or digital communications. |
11. Clinical trials | Your data will be processed in order to conduct clinical trials for the following purposes:
Also, to properly manage the following services, including:
|
12. Managing requests to exercise the rights of the data subject | Your data will be processed to manage and process your request to exercise your rights to access, rectification, erasure, processing limitation, data portability and objection, as well as to respond to your request. Also, to comply with data protection obligations and regulations. |
13. Managing data breaches | Managing and communicating with you if there is a data breach and complying with data protection obligations and regulations. |
14. CV management | Your data will be processed for the following purposes:
|
3. WHAT IS THE LEGITIMATION FOR PROCESSING YOUR DATA?
The legal basis that allows us to process your personal data depends on the purpose for which we process it, as listed below:
PURPOSE | LEGITIMATION |
---|---|
1. Providing ophthalmological medical care |
|
2. Administrative procedures related to the provision of healthcare services, managing the contractual relationship with the patient and invoicing |
|
3. Compliance with legal obligations | Processing is necessary for compliance with a legal obligation applicable to the joint data controllers. |
4. CCTV for security purposes |
|
5. Sending commercial communications (Newsletter) |
|
6. Conducting quality surveys |
|
7. Managing the website (https://www.verte.es/en) |
|
8. Social media management |
|
9. Digital communications |
|
10. Responding to information requests, complaints, suggestions, claims and incidents. |
|
11. Clinical trials |
|
12. Managing requests to exercise the rights of the data subject |
|
13. Managing data breaches |
|
14. CV management |
|
4. WHAT CATEGORIES OF DATA DO WE PROCESS AND WHERE DO WE GET THE DATA FROM?
The data we will process will include the following categories:
-
Identity data and contact details of patients or their representatives: name and surname(s), email, National ID Card (DNI) or other legally valid ID document, address, phone number, signature, health card, social security or mutual insurance number, insurance provider.
-
Personal characteristics: marital status, date and place of birth, age, gender, nationality, language.
-
Health-related data: data contained in the patient’s medical records, medical records number, physiological and pathological family and person background, emergency medical report, description of the diseases, reasons for appointment, medical tests and the results thereof, nursing care, informed consent, revocation of consent document, where applicable, diagnosis information, surgical report, aesthetical report, indication of sources if sent from another healthcare centre, service or unit in which care is provided, doctor responsible for the patient, healthcare professionals’ comments.
-
Bank details: credit/debit card details, bank account number if there are payments, transfers or direct debits.
-
Browsing and connection data: when the website is accessed (cookies, IP address, connection time, etc.).
-
Academic and professional data: the data requested is mandatory (unless stated otherwise) in order to fulfil the purpose. As such, if this data is not provided or not correctly provided, such purposes cannot be fulfilled.
When we request your data through forms on the website and/or paper-based forms, we will state that some fields are mandatory to fulfil the stipulated purposes. As such, if this data is not provided or not correctly provided, such purposes cannot be fulfilled.
Data may be provided by:
-
The data subject (patient) on the website when filling out an ‘Online Appointment’ form or in the ‘Do You Need Help?’ section, or on the paper-based information form at any of our centres, or via other means, for example queries or messages they send us digitally and/or on paper.
-
Their legal representative or guardian via the means listed.
-
The healthcare professional.
-
The patient’s insurance company, where applicable.
-
The company that manages online appointments on the website.
-
If there is a foreign patient, there may be institutions or embassies that provide us with their contact details to provide them with our services.
-
The data subject for a job.
-
Private institutions.
-
INNOVA OCULAR
5. WHO ARE THE RECIPIENTS OF YOUR DATA AND HOW DO WE STORE IT?
5.1Recipients. To fulfil the purposes stipulated in this Privacy Policy, your data may be processed by third parties who act as data processors, who are contractually required to comply with the legal obligations for a data processors, to keep the information secret and confidential, such as providers of medical services, clinical analyses or trials, security firms, document destruction services and providers of technological and IT services.
Moreover, the data that you provide us with could be sent to third parties in order to correctly perform the contractual and/or care relationship between the patient and the joint controllers, based on a legal obligation, the data subject’s vital interest or the data subject’s prior consent, only in cases and to the recipients listed below:
-
Supplier firms that act as data processors located within the European Economic Area with which there is an agreement, that support us in providing our services as providers of medical services, clinical analyses or trials, security firms and document destruction services.
-
IT service providers
-
Financial institutions, if the service or action requested by the patient is subject to payment for the correct performance of the contractual relationship and managing collections and payments.
-
Insurance and mutual insurance firms for the correct performance of the contractual and/or care relationship with the patient and invoicing for the services provided.
-
Suppliers of medical devices, prostheses and implants, in order correctly manage the contractual and/or care relationship with the patient or based on the data subject’s vital interest.
-
Healthcare centres for leasing operating theatres, in order correctly manage the contractual and/or care relationship with the patient based on the data subject’s vital interest.
-
Businesses that form part of clinical trials.
-
Institutions that put patients in contact with healthcare centres and/or embassies that provide us with the contact details of international patients that wish to request our services to manage the contractual and/or care relationship with the patient.
-
Public Authorities, Judges, Courts and Law Enforcement Bodies if there is a legal obligation.
5.2International Transfers. We hereby inform you that, in order to provide some services, we work with service providers that may conduct international data transfers to third countries outside of the European Economic Area with the right level of security recognised by the European Commission or that have standard clauses.
However, express consent will be necessary if the patient in question lives outside the EEA or if they hold an insurance policy with an insurance firm located outside the EEA, their data may be transferred and processed in regions outside of the EEA that the European Commission has deemed not to be suitable, not to have suitable guarantees or not to have a similar data protection of data protection to that of the European Union in its legislation. For example, if you wish to contract our services, there may be dedicated institutions for putting you in contact with healthcare centres and/or embassies in the country where you reside that provide us with your personal data, as well as insurance firm for managing the payment for the services provided if you hold an insurance company located outside the EEA.
In any case, we hereby inform you that such disclosure will only take place in order to manage the contractual relationship with the patient and facilitate payment for the care services provided; as such, if you object to this disclosure, the agreement will not be valid and the insurance firms will not be able to process the payment for the services received since they will not be able to validate the provision of the service by the health care centre.
6. HOW LONG DO WE STORE YOUR DATA?
In general, your data will only be stored for as long as strictly necessary for the purpose for which it was collated as stipulated below:
-
Providing ophthalmological medical care: a minimum of 15 years counted from when the patient is register for the process. Moreover, the medical records shall be kept when there are epidemiological reasons, reasons of research or the organisation and operation of the National Health System.
-
Administrative procedures related to the provision of healthcare services, managing the contractual relationship with the patient and invoicing: for the term that the contractual relationship lasts.
-
Compliance with legal obligations: for the time stipulated in the applicable legislation in each case.
-
CCTV for security purposes: for a maximum term of 30 days, unless the joint controllers are aware of any action that could be relevant for subsequent legal proceedings.
-
Sending commercial communications (Newsletter): the data will be stored until the user revokes their consent, unsubscribes and/or exercises their rights to objection and/or erasure.
-
Conducting quality surveys: for the time we take to carry out the survey.
-
Website management: the data will be stored for the time necessary to fulfil for which the data was collated, as long as the data subject does not request erasure, and for the time necessary to determine any possible liabilities that may be derived therefrom.
-
Social media management: for as long as the consent granted by the data subject lasts.
-
Digital communications: data will be stored for the time necessary to fulfil the purpose.
-
Requests, complaints, suggestions, claims and incidents: for the time necessary to respond to your request.
-
Clinical trials: at least 25 years after the end of the trial or for a longer term if necessary.
-
Managing requests to exercise the rights of the data subject: the data will be stored for the time necessary to respond to your request and to determine any liabilities that may be derived from such purpose.
-
Managing data breaches: the data will be stored for the time necessary to fulfil the purpose and to determine any liabilities that may be derived therefrom.
-
CV management: the data will be stored for as long as the recruitment process lasts or for 24 months to keep the data subject up-to-date on various job vacancies at the company.
After the aforementioned terms have elapsed, your personal data will be locked and remain available only for requests from judges and courts, the public prosecution service and the competent Public Authorities for the number of years necessary to comply with legal obligations; once such term has elapsed, it will be fully deleted.
7. WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?
7.1.ights. Our data protection regulations grant you a series of rights related to data processing that involve our services that can be summarised as follows:
-
Right to access: knowing what kind of data we process about you.
-
Right to rectification: being able to request a modification to your data if it is inexact or untrue.
-
Right to erasure: requesting the erasure of your data when processing is no longer necessary for the purpose for which we needed it.
-
Right to limitation of processing: marking personal data stored in order to limit processing in the future.
-
Right to objection: requesting an end to commercial communications.
-
Right to data portability: this allows the data subject to receive their personal data in a structured, widely-used and machine-readable format to forward, copy or sent it to a different controller.
7.2.Right to withdraw consent. You can revoke your consent granted by notifying us by email dpo@verte.esor sending a letter to the joint processors: to ICO, Via Augusta, 48 2° (08006) Barcelona or to GMO, c/ Balmes, 253 (08006) Barcelona.
7.3Right to not be subject to decision-making based solely on automated data processing: You also have the right to request that your personal data not be processed in a way that involves the joint controllers making decisions that significantly affect them and do this automatically with no human intervention.
7.4Exercising right. The Companies guarantees that the necessary measures will be adopted to ensure that these rights can be exercise free of charge. To exercise your rights, you will need to send a written communication to the email addressdpo@verte.esspecifying the right you wish to exercise, or by sending a letter to either of the Joint Controllers, to ICO, Via Augusta, 48 2° (08006) Barcelona or to GMO, c/ Balmes, 253 (08006) Barcelona. Moreover, we wish to inform you that you can seek protection of your rights with the Spanish Data Protection Agency with headquarters on Calle de Jorge Juan, 6, 28001 Madrid, or on their website. You can request the relevant standard for to make your request from either of the Joint Controllers.
7.5Right to lodge a complaint with a supervisory authority. Moreover, we wish to inform you that you can seek protection of your rights with the Spanish Data Protection Agency with headquarters on Calle de Jorge Juan, 6, 28001 Madrid, or on their website, www.aepd.es
8. CHANGES TO THE PRIVACY POLICY.
Our Privacy Policy is subject to periodic changes. You can find the latest version of our Privacy Policy on our website.