Privacy Policy
INTRODUCTION
In accordance with Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of their personal data and the free movement of such data (hereinafter, the “GDPR”), Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights, Law 41/2002, of 14 November, Basic Regulatory Law on Patient Autonomy and on Rights and Obligations regarding Clinical Information and Documentation, and any other data protection regulations that may be applicable, we hereby inform you of the following:
This document constitutes the privacy policy that informs about the treatment of personal data. (i) of the users of the www.openhouse.es website (hereinafter, the “Website”), and (ii) of patients and/or their representatives using the services offered at Open House medical centers or remotely (hereinafter, the “Privacy Policy”).
The person responsible for the treatment of the personal data of the Interested Parties is Centro Médico Open House S.L.U. (hereinafter, “Open House” or “we”) with address for contact purposes at C/ Atocha, 117, 1° izquierda, 28012, Madrid.
For any question in this matter, the interested parties can contact the Data Protection Delegate of Open House with postal address at Calle Atocha, 117, 1° izquierda, 28012, Madrid. You may also contact the Data Protection Officer by e-mail at the following address: [email protected].
TYPE AND ORIGIN OF DATA
The following categories of personal data of data subjects and, where appropriate, their representatives may be processed:
- Identifying and contact data (including signature, image, voice, health card, social security or mutual insurance number); -Special categories of data (e.g., health data, racial or ethnic origin, life or sexual orientation data);
- Personal characteristics (e.g., family data, date of birth, age, sex, nationality and physical characteristics) and social circumstances (e.g., family situation and lifestyle);
- Transactional data (e.g. payments, transfers, debits)
The data may come from the data subject himself or, if applicable, from his representative and/or health personnel.
PURPOSE AND APPLICABLE LEGAL BASIS
Personal data may be processed by Open House for the following purposes:
Provision of health care:
- the personal data of the data subjects are processed for the purpose of providing them with the health care they require, as well as for the proper management of the health care and administration services required for such care, for example:
- Reminder of appointments and reviews;
- Attend to any communication with the health center reported by the interested parties;
- Manage any incident or claim filed by the interested parties;
- To conduct surveys in order to know the opinion of the interested parties on the care received and that will be used only to improve and develop our care and management services;
- Enable Web access to request appointments, access to certain medical tests, etc.
The legal basis that legitimizes this processing of personal data is the express consent.
Scientific research: the data subjects’ data may be processed for scientific purposes in accordance with the applicable rules in this area. In these cases, Open House will contact the interested party directly to request his or her express consent. The legal basis that legitimizes this processing of personal data is the express consent.
Attention to requests for information, complaints, suggestions, claims, exercise of data protection rights, etc..: in these cases, the data of the interested parties and, if applicable, of their representatives will be processed for the purpose of managing and processing the request, by any means, including telephone and/or electronic communications. The legal basis that legitimizes this processing of personal data is the express consent.
Sending of newsletters and notification of events and promotions: the data may be used to send, by electronic means, the newsletters to which you have subscribed. The legal basis that legitimizes this processing of personal data is the express consent.
KEEP YOUR DATA SAFE
At Open House, data security is important to us, and we also know that it is important to our stakeholders. We use a variety of security technologies and procedures to help protect personal data from unauthorized access, use and disclosure. For example, we store personal data on computer servers that are located in secure, controlled facilities with access limited to employees, agents, contractors and other third parties who are authorized to access them. These persons will only process personal data in accordance with our instructions and are subject to a duty of confidentiality.
In accordance with GDPR regulations, we have put in place procedures to manage any suspected or actual personal data breaches if they occur and will notify data subjects and the applicable data protection authority of such a breach where we are legally obliged to do so under applicable data protection legislation.
DISCLOSURE OF YOUR PERSONAL DATA
We may need to share your personal data with service providers, including laboratories and healthcare industry suppliers, affiliates, partners and other third parties – all located in the European Economic Area – when necessary to provide our services to you, or to comply with legal obligations, except as described in this Privacy Policy. When we do so, we will only share the minimum amount of personal information necessary to fulfill the purpose for which it is shared. The legal basis that legitimizes these communications of personal data is the express consent and the execution of the contractual relationship.
We require all third parties to respect the security of personal data and to process it in accordance with applicable data protection legislation. We do not allow our third party service providers to use personal data for their own purposes and only allow them to process it for the specific purposes described in this Privacy Policy and in accordance with our instructions.
We do not use or share any of your personal data for marketing purposes without first seeking and receiving your express consent to do so, in accordance with applicable law.
If you submit offensive or objectionable content or engage in any disruptive behavior on the Site, we may use your personal data to stop such behavior based on our legitimate interest in preventing such fraudulent behavior on our Site. This may involve informing relevant third parties such as law enforcement agencies about the content and its behavior.
We do not transfer personal data outside the European Economic Area (EEA).
CHANGE OF PURPOSE
We will only use the personal data of data subjects for the purposes for which we collected it, unless we reasonably believe that we need to use it for another purpose and that such purpose is compatible with the original purpose for which the data was collected. In this case, we will notify you and update this Privacy Policy.
If we need to use your personal data for a purpose unrelated to the original purpose for which the data was collected, we will have the legal basis that legitimizes such processing, we will notify you and proceed to update this Privacy Policy.
SHELF LIFE
In general, personal data will only be kept for the time strictly necessary for the purpose for which they were collected.
The personal data provided, as well as those derived from the health care provided will be kept for the time appropriate to each case (according to medical and legal criteria), and at least for eight (8) years from the date of discharge from each care process, unless the regional and/or specific regulations establish a minimum retention period longer than indicated, in which case the provisions of the applicable regulations will be followed.
Personal data processed for the purpose of scientific research will be kept for the time appropriate to each case according to the type of research study in which you participate and taking into account the regulations applicable to them. With regard to data processed for scientific research purposes, the supervisory authorities of the Autonomous Communities may, at the request of the data controller and in accordance with the procedure established by regulation, agree to keep certain data in full, taking into account the historical, statistical or scientific values in accordance with the legislation applicable to each case.
Personal data provided for the purpose of managing any request for information, complaint, suggestion, claim, exercise of data protection rights, etc., will be kept for the time necessary to process the request, and in any case for the time legally established, as well as for the period necessary for the formulation, exercise or defense of claims.
The data processed for sending newsletters to which you have subscribed, will be retained until the user revokes their consent, unsubscribes from the newsletter and / or exercise their rights of opposition and / or deletion, without prejudice to retain the minimum identification data to identify interested parties who do not want to continue receiving newsletters.
RIGHTS OF INTERESTED PARTIES
Data subjects and/or their representatives may exercise their rights of access; rectification of inaccurate data; request deletion, when, among other reasons, the data are no longer necessary for the purposes for which they were collected; in certain circumstances they may also request the limitation of the processing of their data, in which case we will only keep them for the exercise or defense of claims; finally, and for reasons related to their particular situation, they may also exercise the right of opposition and portability. They may also revoke, at any time, the consent given for the processing of their data.
The exercise of the rights, as well as the revocation of consent for the processing of your data are free of charge, except in the cases of art. 12.5 of the RGPD. The interested parties and/or their representatives may exercise these rights by contacting [email protected]. or by mail to Calle Atocha, 117, 1° izquierda, 28012, Madrid (indicating the reference “data protection rights” or, in the event that the exercise of rights is related to any of our newsletters or requests for information on services offered on the Web, “data protection rights – newsletter/information”. In the case of being a patient of Open House, the interested party may exercise his/her rights in person at the patient care service of the medical center that provides assistance.
You can also exercise your rights electronically at the following links:
- To exercise your right of access click here
- To exercise your right of rectification click here.
- To exercise your right to Deletion (Forgetfulness) click here
- To exercise your right of Limitation of Processing click here
- To exercise your right to oppose click here
- To exercise your portability right click here
WHAT WE MAY NEED FROM YOU
We may need to ask data subjects and/or their representatives for specific information and/or documentation, including a copy of their identity card or equivalent, to help us confirm their identity and to ensure their right to access their personal data (or exercise any of their other rights). This is a security measure to ensure that personal data is not disclosed to anyone who is not entitled to receive it. We may also contact you and/or your representatives to request further information regarding your request in order to expedite or properly manage our response.
HOW TO FILE A CLAIM
We encourage data subjects and/or their representatives to contact us at [email protected] if they believe that the collection or use of their personal data by us is unfair, misleading or inappropriate.
They also have the right to file a complaint with the Spanish Data Protection Agency (www.aepd.es) or any other data protection authority.