In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, the GDPR); Organic Act 3/2018, of 5 December, on Personal Data Protection and the guarantee of digital rights (hereinafter, LOPD-GDD); and Act 41/2002, of 14 November, the Basic Regulations on Patient Autonomy and Rights and Obligations in the Area of Clinical Information and Documentation, as well as the respective applicable regional regulations (e.g., Act 10/2014, of 29 December, on Health in the Valencia Community; or Act 5/2010, of 24 June, on rights and duties in the area of health in Castilla La Mancha), the Users or their families and/or representatives are informed of the following aspects:
- Who is the data controller?
The data controller is the entity that is the titleholder of the hospital that provides the healthcare service: Fundación Instituto Valenciano de Oncología (hereinafter, IVO); with fiscal identification (CIF) number G46129698; with domicile for notification purposes in Valencia (Spain), calle Profesor Beltrán Báguena 8, postal code 46009; telephone number 961114000; fax 961114346; and email firstname.lastname@example.org.
For any issue related to this area, the patient may contact the Data Controller of IVO via email, to the following address: email@example.com.
- What personal data do we process and where do they come from?
Regarding your relationship with us, the following personal data categories may be processed:
- Identifying data on patient contacts or representatives (including signature, image, healthcare card, social security or insurance agency number);
- Data on the integrated health from the patient’s clinical history;
- Personal characteristics and social circumstances;
- Transactional data (payments, income, transfers, debts).
The data may be provided by the concerned party (patient) or, when relevant, from his/her legal representative or volunteer and/or healthcare personnel.
- What is the purpose of the personal data processing?
The personal data may be processed by the IVO for the following purposes:
- Provision of healthcare assistance: your personal data are processed to offer the necessary healthcare assistance, as well as to appropriately manage the healthcare services and hospital administration required for the same (e.g., to remind you of your appointments and revisions; to issue records of your visits to the healthcare centre to family members or related individuals, upon your request, within the framework permitted by the law; to attend to any notification with the healthcare centre that may be reported by the patient; to manage any incident or claim filed by the user and/or patient; to carry out surveys in order to know your opinion regarding the care received and to improve or develop our care and management services; to enable access to the patient’s portal to permit the visualisation of the electronic clinical history, appointment requests, access to certain medical tests, etc.).
- Scientific research: your data may be processed for scientific purposes, in accordance with the specific regulations on the same.
- Anonymization and pseudonymization procedures: certain procedures may be applied to your data, for scientific or statistical purposes, so that they are not identifiable or can no longer be identified, or so that they cannot be attributed to a specific individual without the use of additional information that is kept separately.
- Attention to requests for information, complaints, suggestions, claims, the exercising of data protection rights, etc.: in these cases, your data will be processed in order to manage and process the request.
- Compliance with legal obligations: it may be necessary to process the personal data in order to comply with the corresponding legal requirements, specifically data protection, tax and healthcare law (among others).
- To formalise and carry out the contract: the personal data of the patient will be processed in order to manage the contractual relationship with the patient.
The collected data will be processed for the specified purposes and in no case in a manner that is incompatible with said purposes. In all cases, you are informed that processing for scientific or statistical purposes is not considered incompatible with the initial purpose.
In all cases, your data will be processed in order to attend to you with the same level of care, regardless of the channel used to communicate with the IVO (healthcare centre, webpage, mobile phone application, in person, via telephone or over the Internet).
- What is the legitimation of the data processing?
Below, the legitimation of the data processing is indicated:
- Provision of healthcare services: Processing necessary to carry out a contract in which the concerned individual is a party; processing based on the consent of the concerned party, to protect the interests of the same and/or the legitimate interests of the data controller.
- Scientific research: Processing necessary for scientific research.
- Anonymization and pseudonymization procedures: Processing for scientific or statistical purposes.
- Attention to requests: Processing based on the consent of the concerned party and/or the legitimate interest of the IVO.
- Compliance with legal obligations: Processing required for compliance with legal obligations applicable to the IVO.
- Formalisation and implementation of the contract: Processing required to perform a contract to which you are a party.
- How long will your data be stored?
Normally, your data will only be stored for the period of time that is strictly necessary, according to the purpose for which said data were collected.
The personal data provided, as well as data derived from the healthcare services provided, will be stored for the appropriate period of time (in accordance with legal and medical criteria), and a minimum of 5 years, as of the date of registration of each care process, except when the regional or specific regulations establish a longer storage period, in which case, applicable regulations will be considered. Once the mentioned minimum period has been exceeded, and upon termination of the care and contractual relationship, the controller will maintain the data duly blocked and pseudonymized for the periods corresponding to the legal prescription.
The personal data processed for the purpose of scientific research will be stored based on the relevant storage criteria, for a maximum of five years as of the end of the research period. As for the data processed for scientific research purposes, the controlling authorities, when so requested by the controller and according to the established regulatory procedures, may agree to the integral storage of certain data, according to historic, statistical or scientific values, as applicable by the law in each case.
The personal data provided for the purpose of managing information requests, complaints, suggestions, claims, the exercising of data protection rights, etc., can be stored for the period of time needed to process the request, and in all cases, for the legally established time period, and for the time needed to formalise, exercise or defend against claims.
The data processed for compliance with legal obligations will be stored for the time established by applicable law.
The data collected to formalise and execute the contract will be stored for the period during which the contractual relationship is in effect, and for the formulation, exercising or defence of claims.
- Who can be a transferee or recipient of your data?
To ensure the suitable service provision, certain service providers or group entities may be required to process the data on behalf of the data controller, and acting as managers of the personal data processing. These entities may, for example, consist of the providers of medical services, diagnostics, clinical analyses, audits, physical security of files, information storage or digitalisation, document destruction, legal advising and computer services, etc.
Your personal data will not be communicated to third parties, except in the case of legal obligation, vital interest or prior consent of the concerned party, only in the cases and to the recipients detailed below:
- Where the patient has an insurance contract under which a third party (for example, insurance entities, mutual insurance companies, public administrations, even third parties in the case of civil liability insurance) is obliged to pay for the healthcare services provided by the healthcare centre, the patient is informed that their data may be communicated to said entities, in order to manage, validate, verify and control the payment of the care services provided.
- In the case in which the patient has contracted insurance with an entity that is situated outside of the European Economic Area (hereinafter, the EEA), whose legislation does not offer a level of protection that is equivalent to that of the European Union, it may be necessary to make an international data transfer, with the express consent of the patient after being informed of the potential risks. You are informed that said transfers will only take place in order to collaborate with the patient and to facilitate the payment of the provided care services; ultimately, these transfers will only take place for the most expedited management and verification with the insurer of the payment of services in cases in which the patient has contracted an insurance policy with an entity located outside of the EEA. If you oppose the communication of your data, these entities may oppose the payment of the care services received, with the payment of the same corresponding to you, since these entities do not have the possibility of verifying, checking, validating or controlling the proper invoicing by the healthcare centre of each of its care processes.
- Likewise, you are informed that your personal data may be communicated to the providers of healthcare material, prostheses and implants, by legal obligation, and to ambulance services based on the patient’s vital interests.
All of the information that is not provided will be treated confidentially, in strict compliance with the security obligations required to prevent access by unauthorised third parties.
- What are your data protection rights?
You may exercise your rights of access, rectification of imprecise data, and suppression when, among other reasons, the data are no longer necessary for the purposes for which they were collected. In specific circumstances, you may request the limitation of the data processing, in which case we will only store the data to exercise or defend against claims. Finally, for causes related to your specific situation, you may also exercise your rights to opposition and portability. Similarly, you may at any time revoke the consent that you have provided for the processing of your data.
To exercise your rights, you may present a document, including a photocopy of your Spanish national identification document (DNI) or other equivalent identification document, addressed to the company identified in section 1. In addition, you are informed of the possibility of filing a claim before the Data Protection Delegate of the IVO (firstname.lastname@example.org), or, when relevant, before the Spanish Data Protection Agency (www.aepd.es).