PATIENTS PRIVACY POLICY

We inform you that your personal data will be processed in accordance with the principles and guarantees established in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and in accordance with the information shown below:

1.- WHO IS THE DATA CONTROLLER?

1.1.- Joint Controllers. The Joint Controllers who process your personal data are:

• INSTITUTO CONDAL DE OFTALMOLOGIA, S.L. (ICO) 
  Identification data: VAT number: B59054163, address: 08006 Barcelona, Vía Augusta Street, number 48-54, 2º, registered in the Commercial Registry of Barcelona, volume 30760, page 157, sheet number B-41566.
 
• GESTIÓ I MICROCIRURGIA OCULAR, S.A. (GMO)
  Identification data: VAT number: A63096861, address: 08036 Barcelona, Balmes Street, number 253, local, registered in the Commercial Registry of Barcelona, volume 35289, page 207, sheet number 262432.
 
• Website: https://www.icoftalmologia.es/es/ (hereof, the ‘Website’). (Hereof all together, the ‘Companies’ or the ‘Joint Controllers’). 
 

Therefore, the Joint Controllers take care of processing and protecting your personal data. Also, an agreement has been formalized between both Companies determining their responsibilities. 

1.2.- Data Protection Officer. You can contact to the Data Protection Officer through the following email: dpo@icoftalmologia.es.

1.3.- Hospital centers. The Joint Controllers have the following hospital centers:

• Name: ICO·1. Address: Via Augusta Street, 61 (08006) Barcelona
• Name: ICO·2. Address: Via Augusta Street, 48 2º (08006) Barcelona
• Name: Clínica CEM. Address: Balmes Street, 253 (08006) Barcelona 

2.- FOR WHAT PURPOSE DO WE PROCESS YOUR PERSONAL DATA?

We can process your data for the following purposes:

1. Provision of ophthalmological medical assistance

Your personal data are processed in order to provide you ophthalmic medical care, as well as to properly manage these health services, and can include:

• Medical assistance by our professionals.
• Communication via postal or electronic mail of an informative and/or professional nature about medical assistance services.
• Management of the clinical history.
• To answer to your queries.
• To manage appointments and medical reviews.
• Communication and appointment reminder by electronic, telephone and SMS means.
• Provision of the 'Online Appointment' service through our Website, if the patient registers.
• To issue other documents related with the attendance at the health center.

2. Administrative procedures related to the provision of the health service, managing the contractual relationship with the patient and to invoice them

• Contact for any matter related to the execution of the contract.
• To manage the payment of our services.

3. Compliance with legal obligations

It may be necessary to process your personal data in order to comply with the corresponding legal requirements. Specifically, to comply with the legislation on data protection, tax, health, etc.

4. Attention to requests for information, complaint, suggestion, claim, exercise of data protection rights

To manage and process your requests by telephone and/or electronic communications.

5. Send commercial communications (Newsletter)

• If you are already a Patient of us, we can send you information related to our services by email, sms or by any other electronic or physical means.
• If you are not a Patient of us or you do not have a contractual relationship with us, we can send you commercial communications electronically if you have given your express consent by checking the corresponding box authorizing the treatment for this purpose on the Website. Although, at any time you can unsubscribe or cancel your subscription to the newsletter.

6. Video surveillance for security purposes

The health centers have a video surveillance system through which images are collected in real time from the users of the center. The processing of this data is for the sole purpose of security and access control to the facilities.

7. Conduct quality surveys

We will be able to carry out quality actions and surveys to kwon the degree of satisfaction of our patients and to improve our services.

3.- WHAT ARE THE LAWFUL BASIS OF PROCESSING OF YOUR DATA?

The lawful basis that allow us to process your personal data also depends on the purpose for which we process it, as detailed below:

1. Provision of ophthalmological medical assistance

• The execution of a contract to which the data subject is a party.
• The explicit consent you provide when you give us with your personal data through the paper information forms when you access any of the hospital centers or when you register on our Website through the 'Online Appointment' service or through the section 'Can we help you?'
• The processing of personal data is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare assistance or treatment, as well as the management of healthcare systems and services. 

2. Administrative procedures related to the provision of the health service, managing the contractual relationship with the patient and to invoice our services

• The processing of personal data is based on the execution of a contract to which the data subject is a party.

3. Compliance with legal obligations

• The processing of personal data is necessary for the fulfillment of a legal obligation applicable to the Joint Controllers.

4. Attention to requests for information, complaint, suggestion, claim, exercise of data protection rights

• When your query is related to the exercise of your rights, the processing of personal data will be based on the fulfillment of a legal obligation applicable to the Joint Controllers.
• The processing of personal data will be based on the legitimate interest of the Joint Controllers to attend the requests or queries that you make to us through the various existing means of contact in order to adequately serve you and resolve the queries raised.

5. Send commercial communications (Newsletter)

• The lawful base for processing your data for marketing purposes is the express consent by checking the corresponding box authorizing the treatment for this purpose on the Website.
• The lawful base for processing your data for these purposes will be the legitimate interest when such communications can be covered in the cases of article 21.2 of Law 34/2002, of July 11, on services of the information society and electronic commerce.

6. Video surveillance for security purposes 

• Fulfillment of a mission of public interest of the Joint Controllers based on Law 5/2014 on Private Security.

7. Conduct quality surveys

• We consider that we have a legitimate interest to analyze the degree of patient satisfaction, since we understand that the processing of these data is also beneficial for them because the purpose is to offer a quality service that is appropriate to their needs.

4.- WHAT CATEGORIES OF DATA DO WE PROCESS AND WHERE DO WE OBTAIN THOSE DATA??

The personal data that we will process include the following categories:

• Identification and contact data of patients or their representatives: name and surname, email, DNI or other legally valid identification document, address, telephone, signature, health card, social security or mutual number, insurance company.
• Personal characteristics: marital status, date and place of birth, age, sex, nationality, language.
• Health-related data: data integrated in the patient's clinical history; medical history number; family and personal physiological and pathological history; urgency report; description of the disease; reasons for the consultation; medical tests and their results; nursing assistance; informed consent; consent revocation document, if applicable; information about the diagnosis; surgical intervention report; the anesthesia report; indication of the origin, in case of referral from another healthcare center; service or unit in which the assistance is provided; doctor responsible for the patient; comments from healthcare professionals.
• Bank details: credit / debit card details, bank account number.
• Browsing and connection data: in the event that you access our Website (cookies, IP address, connection time, etc.)

When we request your data in the forms on the Website and/or on paper forms, we will mark some fields that are necessary to fulfill the established purposes. Therefore, if these data are not provided or are not provided correctly, said purposes may not be realized.

The data can be provided to us from:

• The data subject (patient) through our Website, by filling in the 'Appointment Online' request form or from the 'Do you need help' section or through the informative paper form in any of our centers or, through other means such as, for example, inquiries or communications that you ask us by electronic and / or paper means.
• Your legal representative or guardian by the same means described.
• Health personnel.
• The patient's insurance company, if applicable.
• The entity that manages the online appointments of the Website. 
• If it is a foreign patient, there can be entities or embassies that give us with your personal data to provide you our services. 

4.- WHO ARE THE RECIPIENTS OF YOUR DATA AND HOW DO WE STORE IT?

4.1. Recipients. To fulfill the purposes indicated in this Privacy Policy, your data may be processed by third parties who will act as data processors and who will be contractually obliged to comply with their legal obligations as data processor, to maintain the confidentiality and secrecy of the information, such as medical service providers, analysis or clinical trials, health centers, security companies, documentation destruction entities, providers of technological and computer services.

Likewise, the data that you provide us can be communicated to third parties for the correct development of the contractual and/or healthcare relationship established between the patient and the Joint Controllers, based on a legal obligation, the vital interest of the data subject or with the prior consent of the data subject and only in the cases and to the recipients detailed below:

• Insurance and mutual entities, for the correct development of the contractual and/or healthcare relationship with the patient and to invoice the services provided.
• Financial entities, in the event that the service or management requested by the patient is subject to payment, for the correct development of the contractual relationship and the management of payments.
• Suppliers of sanitary material, prostheses and implants, for the correct development of the contractual and/or healthcare relationship with the patient or based on the vital interest of the data subject. 
• Health centers for the leasing of operating theaters, for the correct development of the contractual and/or healthcare relationship with the patient and based on the vital interest of the data subject.
• Entities dedicated to put the patient in contact with the health centers and/or embassies that facilitate us the contact of international patients who want to request our services, to manage the contractual and/or healthcare relationship with the patient.
• Public Administrations, Judges, Courts, Security Forces, in case of legal obligation.

4.2. International transfers. The data that we collect about you is stored within the European Economic Area (‘EEA’). However, if you are a patient that reside outside the EEA or if you have an insurance contract with an insurer located outside the EEA, your personal data may be transferred and processed to territories outside the EEA where there is no decision of adequacy by the Commission, nor adequate guarantees and whose legislation does not offer a level of data protection equivalent to that of the European Union. For example, in the event that you want to request our services, there may be entities dedicated to put you in contact with our health centers and/or embassies of the country where you reside that give us with your personal data, as well as insurance entities to manage the payment of the services provided, in the cases in which you have an insurance with an entity located outside the EEA.

In cases where the transfer is made to a country whose legislation does not provide a level of data protection equivalent to that of the EEA, your prior explicit consent would be required.

In any case, we inform you that said communications are only produced for the purpose to manage the contractual relationship with the patient and manage the payment of the healthcare services provided, so that if you oppose that, the contract cannot be made and the entities insurers will not be able to process the payment of the healthcare services received since they will not validate the provision of the service by the health center.

5.- FOR HOW LONG DO WE KEEP YOUR DATA? 

In general, your data will only be kept for the time strictly necessary for the purpose for which it was collected, as is indicated below:

• Provision of ophthalmologic medical assistance: at least 15 years from the date of registration of each healthcare process. Likewise, the clinical history will be kept when there are epidemiological, investigative, or organizational and operating reasons of the “Sistema Nacional de la Salud”.
• Administrative procedures related to the provision of the health service, to manage the contractual relationship with the patient and to invoice our services: during the term of the contractual relationship.
• ompliance with legal obligations:during the time established in the applicable legislation in each case.
• Attention to requests for information, complaint, suggestion, claim and exercise data protection rights: during the time necessary to attend to your request.
• Send commercial communications (Newsletter): they will be kept until the user does not revoke their consent, unsubscribe from the newsletter and / or exercise their rights of opposition and/or erase.
• Video surveillance for security purposes: for a maximum period of 30 days, unless the Joint Controllers were aware of any fact that could be relevant for subsequent judicial action.
• Conduct quality surveys: during the time we proceed to conduct the survey.

After the mentioned deadlines, your personal data will be blocked and will be available only at the request of Judges and Courts or the competent Public Administrations for the years necessary to comply with legal obligations and, after this period, they will be completely deleted. 

6.- WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM??

6.1. Our data protection regulations give you some rights in relation to the data processing that our services imply, which can be summarized as follows:

• Right of access: to know what personal data we are processing about you.
• Right of rectification: to be able to request the modification of your data because they are inaccurate or not correct.
• Right of erasure: request us the erasure of your data when the processing is no longer necessary for the purpose for which we needed it.
• Right of restriction: request us to temporally suspend the processing of the data.
• Right of object you will also have the right to object to the processing of your data for sending of commercial communications.
• Portability right: you have the right to receive your personal data in a structured, commonly used and machine-legible format and to be able to transmit them to another entity directly.
 

6.2. Exercise of rights. The Companies guarantee the adoption of the necessary measures to ensure the exercise of these rights for free. To exercise these rights, you just need to send a communication to dpo@icoftalmologia.es specifying the right you wish to exercise or send a letter to any of the Joint Controllers to ICO, Vía Augusta Street, 48 2º (08006) Barcelona or to GMO, Balmes Street, 253 (08006) Barcelona. Also, we inform you that you can request the protection of your rights before the Spanish Agency for Data Protection based at Jorge Juan Street, 6, 28001 Madrid. You can request from any of the Joint Controllers the corresponding standard form to exercise your request.

7.- CHANGES IN THE PRIVACY POLICY

Our Privacy Policy is subject to change periodically. You will find the latest version of our Privacy Policy on our Website.