Privacy Policy


In accordance with EU Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; Organic Law 3/2018, of December 5, on data protection and digital-rights guarantees; and Law 41/2002, of November 14, regulating patient autonomy and patient rights and obligations regarding clinical information and documentation, all  users of the services rendered on these premises, and the general public are hereby informed of the following: 


This document contains the privacy policy of the Open House clinics regarding the processing of personal data of users receiving treatment from the aforementioned business entity and/or the individuals acting on behalf of these users. 

Users may address any issues or questions regarding this matter to the Open House Group Data Protection Officer, who may be reached via post at Calle Atocha, 117, 1° izquierda, 28012, Madrid. The Data Protection Officer may also be reached via email at recepció[email protected]


Based on the relationship you enter into with us, we may process the following personal data: 

-Identification data and Contact details of users or their representatives (including signature, image, health-service card, and social security number or mutual benefit association number); 

-Health-related information appearing in user medical records; 

-Personal characteristics and demographic attributes; and 

-Transactional data (payments of any nature, including transfers and debits). 

The data may come from the Data Subject (you, the user) or from your legal or volunteer representative and/or care professionals. 


GDPR Article 6: 

  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and 

GDPR Article 9: 

-      Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment of the management of health or social care systems and services. 



Data Controller may process personal data for the following purposes: 


  1. Delivery of health care: your personal information is processed for the purposes of providing you the health care you need as well as to appropriately manage the health services and carry out administrative tasks required for the provision of care, as in the following examples:

-To send appointment reminders; 

-To communicate with another health facility when instructed to do so by you; 

-To process any and all incidents or claims filed by the individual using the service and/or you, the user; 

-To administer surveys intended to gather your opinion of the care delivered to you; such surveys shall be used exclusively to improve and develop our care services and management activities; and 

-To provide the services offered via the Open House website: personal information pertaining to patients who register as users of the website may be processed for the purposes of accessing and using the tool. 

  1. Scientific research: Should you wish to opt in to be involved in scientific research, your anonymised data may be processed for scientific purposes in compliance with specific regulations governing such processing. In these instances, Open House will contact the User directly for express consent to be given.
  2. Procedures: for anonymisation: For scientific or statistical research purposes, your data may be subjected to certain procedures to make them unidentifiable or so that they can no longer be linked to any party in the absence of additional information appearing separately.
  3. Processing of information requests, complaints, suggestions, grievances, and the exercise of data-protection rights, etc.: your data will be processed to fulfil the request by any means necessary, including telephone calls and/or electronic means.
  4. Compliance with legal obligations: in order to comply with applicable legal obligations, it may be necessary to process personal information. Specifically, these obligations may be related to compliance with legislation on data protection, taxation, health, etc.
  5. Drawing up and executing the contract: personal information is processed to manage the contractual relationship with the patient.
  6. 7. Newsletter distribution and notification of events and promotions: if you provide explicit consent, your data may be used to send you digital bulletins for the publications to which you are subscribed.


At Open House, data security is important to us, and we also know it's important to you. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access, use and disclosure. For example, we store your personal data on computer servers that are located in secure and controlled facilities with limited access to employees, agents, contractors and other third parties who only have a legitimate business requirement to view it. These individuals will only process your personal data following our instructions in accordance with this policy and are subject to a duty of confidentiality. 
In accordance with EU GDPR regulations, we have put in place procedures to deal with any suspicious or actual personal data breach if it occurs and will notify you and any applicable regulator of a breach where we are legally required to do so.


We may have to share your personal data with service providers, affiliates, partners, and other third-parties where it is necessary to provide our products and services to you, or for any other purposes except as described in this Privacy Policy. Where we do this, we will only share the minimum personal data necessary to fulfil the sharing requirement. 


We require all third parties to respect the security of your personal data and to treat it in accordance with data protection legislation. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. 

We do not use or share any of your personal data for marketing purposes without first asking for and receiving your consent to do so.   


If you send offensive or objectionable content or otherwise engage in any disruptive behaviour on the Site, we can use your information to stop such behaviour and pursue our legitimate interest to prevent such behaviour on our Site. This may involve informing relevant third parties, such as law enforcement agencies about the content and your behaviour. 


We do not transfer your personal data outside the European Economic Area (EEA). 


We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.  Where this is the case, we will notify you and will update this Privacy Policy. 

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so as well as updating this Privacy Policy. 


In general, your data will be kept only for the length of time strictly necessary for the purpose for which the data were collected. 

The personal data provided, as well as data derived from the health care delivered, are kept only for the storage period appropriate to each case (in accordance with medical and legal criteria); this data will be maintained for a minimum of 8 years as of the date of each care episode, with the exception of cases in which regional and/or specific regulations stipulate that this period must be longer than that mentioned above. 

The personal data processed for purposes of scientific research shall be maintained, in adherence of retention criteria, for a period not to exceed five years as of the termination of the research. With regard to data processed for purposes of scientific research, the competent regional authorities may, upon request of the data controller and in accordance with established regulatory procedures, order prolonged retention of the entire set of certain data for purposes of historical, statistical, or scientific research in adherence of applicable legislation in each case. 

Personal data provided for the purposes of processing information requests, complaints, suggestions, grievances, or the exercising of data-protection rights of any sort, etc., shall be retained for the period necessary to process the request. In all cases the minimum period shall be that which is legally mandated as well as that required to file grievances, exercise rights, or for the defence against such grievances or the exercise of individual rights. 

Data processed to comply with legal obligations will be kept for the storage period set forth in applicable legislation. 

Data gathered to sign and perform a contract shall be retained for the duration of the contractual relationship as well as the period necessary to file grievances, exercise rights, or for the defence against such grievances or the exercise of individual rights. This period shall not be less than five years. 

Personal data processed for the distribution of newsletters to which the individual has subscribed will be retained until the user withdraws his or her consent, unsubscribes from the newsletter, and/or exercises their right to oppose the retention of such data and/or requests that they be deleted. 

Personal data processed for the distribution of advertising materials will be retained until the concerned party withdraws his or her consent and/or exercises their right to oppose the retention of such data and/or requests that they be deleted. 


You may exercise your rights to require access to information, rectification information that is inaccurate, or request the erasure of your data when, among other reasons, the data are no longer necessary for the purposes for which they were collected. In certain circumstances, you may also request the restriction of personal data processing, in which case we will only keep this data to file or defend against claims and grievances. Finally, and for reasons related to your particular situation, you can also exercise your right to object and to data portability. Additionally, you may revoke the consent given for your data processing at any time. 

Exercise of your rights and withdrawal of consent to process your data are free of charge, except in the cases set forth in art. 12.5 of the Regulation (EU) 679/2016, which may be exercised by contacting [email protected] 

  1. A) Users of Open House products and services may exercise their rights either in person at the Open House clinic where their care is rendered, or by mailing a letter to Open House Group Data Protection Officer, who may be reached via post at Calle Atocha, 117, 1° izquierda, 28012, Madrid., stating that the letter is in reference to "data-protection rights" and attaching a photocopy of the individual’s identity card or equivalent document and indicating the right they wish to exercise.
  2. B) Should the rights you wish to exercise concern any of our newsletters or requests for information regarding products and/or services offered via the group’s webpages, you may exercise these rights by sending an email to [email protected] or a letter to Open House,  Calle Atocha, 117, 1° izquierda, 28012, Madrid, indicating that the letter is in reference to "data-protection rights - newsletter/information" and attaching a photocopy of your identity card or equivalent document and indicating the right you wish to exercise


We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response 


 We encourage you to contact us at [email protected] if you think that any collection or use of your personal data by us is unfair, misleading or inappropriate. 

If you remain dissatisfied, you have the right to make a complaint to the Agencia Española de Protección de datos