Data protection policy
Introduction
Our privacy policy complies with the provisions of GDPR 2016/679, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data. The present document contains relevant information on the processing of data provided by you.
What is personal data?
Personal data is any information that relates to an identified or identifiable natural person. This is a fundamental right of all people.
Who owns personal data?
The owner of the data is an identifiable natural person, whose identity can be determined, directly or indirectly, for example, through his/her name, identification number, such as the ID card or the Social Security number; location information, such as his/her address, website (geolocation services), email address or social media profile; other online identifying elements, or characteristics related to his/her physical, physiological, genetic, psychological, economic and cultural identity.
Who is responsible for your personal data?
The entity responsible for the processing your personal data is GENERALIFE
Types of personal data
Identifying data (name, surname, date and place of birth , sex and nationality; ID card/National Insurance Number, Spanish Foreigner’s Identity Number (NIE) or residence permit, Social Security number or health insurance card, where appropriate; insurance company and policy number, where appropriate; residence address (address, postcode, city, province); e-mail address, land line and/or cell phone
Other personal data: images (photos, diagnostic images, molds), voice, physical marks, physical or anthropometric characteristics (height, weight, hair color, etc.); signature, footprint, electronic signature.
Data related to social circumstances: marital status, family information (children, parents, siblings); properties, material possessions, hobbies and lifestyle habits, club and association memberships; licenses or authorizations.
Academic and professional data: These data usually correspond to the information provided on CVs, such as training courses, qualifications, academic or learning history over the course of a person’s pre and post professional life, professional experience, and membership to professional associations or colleges.
Employment data: profession, job post, non-economic information from the payroll or employee records.
Data related to commercial information: activities and business, commercial licenses, subscriptions to publications or mass media, artistic, literary, scientific and technical creations.
Economic data: bank details: numbers, credit records or data, credit/debit cards; revenues, incomes, investments, capital assets; salary and economic information of the payroll; tax categories and tax deductions; mortgages, loans, credits, guarantees, investments, pension plans, retirement; insurances, grants, other benefits; financial transactions or compensations.
Special data: data related to religion affiliation, union membership, political party to which an individual belongs or votes for, racial origin, health or sexual life, criminal or administrative offences.
Types of personal data we process
Patients’ data
Identifying data (name, surname, date and place of birth , sex and nationality; ID card/ National Insurance Number, Spanish Foreigner’s Identity Number or residence permit, Social Security number or health chart, where appropriate; insurance company and policy number, where appropriate; residence address (address, postcode, city, province); e-mail address, land line and/or cell phone.
Other personal data: physiological samples (blood, tissues, fluids, etc.), physiological samples for genetic tests, embryos, images (video surveillance photos, images registered in medical records, diagnostic images), physical marks, physical or anthropometric characteristics (height, weight, hair color, etc.), signature, electronic signature, where appropriate.
Health data: In addition to samples, health data makes reference to report results, diagnostic and mold images, diagnostic results and exams, symptoms, medication, etc.
Staff data
“Staff” means the personnel hired by our company, as well as our professional or freelance partners, and the personnel of the providers that work in our facilities.
Identifying data (name, surname, date and place of birth , sex and nationality; ID card/ National Insurance Number, Spanish Foreigner’s Identity Number or residence permit, Social Security number or health cart , where appropriate; insurance company and policy number, where appropriate; residence address (address, postal code, city, province); e-mail address, land line and/or cell phone.
Other personal data: images (photos), signature, and electronic signature, if necessary.
Data related to social circumstances: marital status, family information (children, parents, siblings); properties, material possessions, hobbies and lifestyle habits, club and association memberships; licenses or authorizations.
Academic and professional data: These data usually correspond to the information provided on CVs and on our employees and regular external partners’ records, such as training courses, qualifications, academic or training records over the course of a pre and post professional lifetime, professional experience, and memberships to professional associations or colleges.
Employment data: profession, job post, non-economic information from the payroll or employee records.
Data related to commercial information: activities and business with external partners, scientific or technical publications.
Economic data: dbank details; economic information from the payroll, tax categories and tax deductions, pension plans, where appropriate; retirement and insurances, where appropriate.
Data on third parties
“Third parties” means other people related to clients and providers and, generally, to people from other organizations we are in contact with.
Identifying data: (name, surname, date and place of birth , sex and nationality; ID card/ National Insurance Number, Spanish Foreigner’s Identity Number or residence permit, Social Security number or health cart , where appropriate; insurance company and policy number, where appropriate; residence address (address, postal code, city, province); e-mail address, land line and/or cell phone.
Other personal data: images from visits, video surveillance, commercial joint events or sales brochures (pictures); signatures, electronic signatures, where appropriate.
Academic and professional data: These data usually correspond to the information provided on CVs and on our employees and regular external partners’ records, such as training courses, qualifications, academic or training records over the course of a pre and post professional lifetime, professional experience, and memberships to professional associations or colleges.
Employment data: profession, job post.
Data related to commercial information: scientific or technical publications, where appropriate.
Commercial and business data: job post, company address, other information necessary for the relationship.
Where is your data stored?
Personal data provided by you will be incorporated into computerized database system or physical files, which in turn, are subject to security measures and collected in an activity log owned by GENERALIFE.
What is an activity log?
It is a set of summarized information on the data processing we perform. This activity log is at the disposal of the Agencia Española de Protección de Datos.
How and from where do we collect the data we process?
Data provided by the owner of the data
The owner provides his/her data through:
His/Her express consent
By providing the necessary personal information for the relationship (the provision of the health service). In the case of patients, their express consent shall be given by signing a document when they come to our center to receive the health service required. It must be emphasized that failing to sign this consent will prevent the processing of your data and, therefore, the provision of the health service required.
Confirmation of appointments, news, newsletters, Push notifications (mobile notifications: SMS or other notification systems).
We process data related to email addresses, mobile numbers and other data necessary for the provision of service (for example, the name of the doctor, and the date and time of the appointments).
Use of data provided through our online platforms:
“Online platforms” means our web page, apps and/or online consultations, which constitute our information platforms
http://www.GeneraLife.co.uk
Through these platforms, we collect health information, the processing of which requires your express consent by your acceptance of our privacy policy.
Acceptance of Cookies
For information on cookies, please visit our Cookies Policy which is available in our webpage.
Data not provided by the owner of the data
Data non provided by the owner of the data
In the case of emergencies, state of unconsciousness or vital risk preventing you from providing your consent, with the purposes of safeguarding the legally protected good of life and the right that guarantees it, as a legal obligation and in the legitimate interest of GeneraLife, your data may be collected from third parties, where necessary, in order to provide the urgent healthcare services needed. Additionally, persons related to the individual concerned through family or factual ties may be informed of such situation. Your data will be used exclusively to provide the necessary medical assistance and to produce his/her medical history, in compliance with the provisions of the Spanish Law 41/2002 on the autonomy of patients and their clinical documentation. In any case, if possible, the consent of the individual concerned will be obtained during the first communications established with him/her within in a maximum period of one month.
Inferred data
“Inferred data” means data provided unconsciously and involuntarily by the user as the result of the use of algorithms.
GENERALIFE does not use or analyze, in any case, external means to our direct relationship with our clients, patients and related collaborators, except for the data obtained the use of analytics cookies that we use in our website and app.
All inferred data that we may use is related to your interaction with us or with our collaborators and legitimazied providers (for example, external diagnostic exams).
Data conservation period
Data will be maintained during all the contractual or assistance relationship or until the opposition of the owner and, in any event, during the period legally determined for the conservation of the legal documentation or the medical records.
Health data
With regard to health data or medical records, GENERALIFE must preserve them by legal mandate for a period of at least 5 years, in compliance with the provisions of the Spanish Law 41/2002 on the autonomy of the patients. Also, as our clinic is an establishment where tissues can be preserved, Article 8 of Directive 2004/23 CE of the European Parliament and Council of March 3, 2004, states that the necessary data must be preserved in order to guarantee its complete traceability for a minimum period of 30 years after its clinical use. Besides the Spanish Law 14/2006 of 26 May, on Assisted Fertility Techniques, establishes, on its Article 11, that the conservation period of gametes and pre embryos may be extended for an indefinite period:
- Sperm may be cryopreserved in authorized sperm banks during the life of the individual from whom the sample proceeds.
- The cryopreservation of eggs, ovarian tissue and remaining embryos from In Vitro Fertilization techniques, may be extended until the time when the responsible medical team deems it appropriate, taking into account the favorable opinion of independent and external specialists, when the recipient does not meet the necessary requirements to make use of assisted reproduction techniques. All this, the use of the pre embryos, sperm, eggs or ovarian cryopreserved tissue, will need the informed consent duly accredited for any of the purposes stated on the aforementioned regulation
Data obtained from web appointments:
These data may be preserved for a period of 1 year, unless they are necessary for the person concerned for the purposes of keep using our consultation services, or until the person concerned exercises its opposition, limitation or deletion rights.
Data from CVs:
These data may be preserved for a period of 1 year, after which, the data will be deleted. In this sense, after this deadline, if you are still interested in participating on the selection processes performed by the responsible entity, please send us your curriculum again.
Cookies:
The storage periods for the cookies we use are specified in our cookie policy
Other personal data:
Other personal data collected by GENERALIFE, such as video surveillance images, contracts and other legal documents, may be preserved during the period legally established for each case, or until the concerned person exercises his/her right to opposition or deletion, unless there is a legal requirement that prohibits it.
Tax data:
Tax data may be preserved for 4 years according to the applicable tax legislation (Ley General Tributaria, and subsidiary or additional national and regional laws).
Social Security data:
Social security data may be preserved for the time established for each case by Spanish Social Security authorities.
Video surveillance data:
Video surveillance data may be preserved for a month, unless they may constitute a criminal or administrative offense.
Legitimicy
Legitimacy is the condition which provides legal capacity for the processing of data. There are several factors conferring legitimacy:
By contract and legitimate interest for the services provided in the clinic:
In the case the processing of data is necessary for the performance of a contact in which the concerned individual is a party to this contract. The legitimate interest is a best interest of the Responsible to process the data (for example, the video surveillance used to preserve the security of the center, conducting satisfaction surveys in the interest of the quality of the service).
Specially, the necessary sensitive health data processing for care and health services as well as the necessary activities to provide them, such as identification, treatment, exams, billing, etc.
By legal obligation:
If you are in any vital situation in which you cannot give your consent and your data are gathered from third parties, it will be processed as the duty of assistance is a legal obligation.
By the consent of the concerned person:
When none of the circumstances of legal legitimacy or best interest occur, we will ask for your consent so your data can be used with different purposes, and shall be recorded.
As your health data is considered as specially protected information, the provision of the sanitary service will require your express consent.
We can also request your consent for different purposes, such as the subscription to our blog, research, promotions, information service, etc.
For which purposes de we process your personal data?
It is generally processed with the aim of providing our services and carrying out our mission. We, specially, collect private data for the following purposes:
Patients and related people: To provide a contracted clinical service
In the case of sensitive health data of patients, data is processed with the aim of providing assistance and complementary services requested by them and complying with the legal obligations resulting from our activity. It is also necessary for the billing of the service provided.
General Citizens: to provide web consulting services
We collect data that the person introduces in order to provide the information he or she has requested. The information processed through the website may contain health information specially protected, so appropriate security measures against risk will be implemented.
Advertising
We can use direct marketing (a type of advertising using one or several means to communicate directly with an objective public and obtain from it a measurable answer) in order to create customized services or inform about improvements and updates that may be of interest of the person concerned. For example, by subscribing to our blog “Reproductive health according to GeneraLife” we will be able to send you information about fertility and services proposed by GeneraLife to the email you previously provided us.
Research or study
Except when identification is required (in that case express consent will be requested), we will provide and process dissociated data with the purpose of training, research and scientific study, contributing towards the field of medicine in the interest of society.
Sharing personal data
Your data won’t be communicated to third parties, except in the case of legitimate interest or legal obligation. It will always be done with the only necessary data for the execution of the service that our center provides and when, without this data transfer, it is no longer possible to provide it.
Data from patients
The necessary entities for the complete provision of our services to patients are mainly, but not exclusively, the following ones: insurance companies, external medical service companies, laboratories of analyses and exams, complementary and external service companies and, generally, assistance and complementary service providers that are necessary for providing the service and guaranteeing the quality of the assistance and patients security (for example, technical inspections)
Ceding companies: in the case of patients and insurance companies, if the medical service is performed on the bases of agreements or policies insurances, from which the patient is a beneficiary, the information regarding to the provided services will be transferred to them because it is essential to such coverage and its corresponding billing.
In connection with the above, if his or her insurance company or referring physician is located in a non European country, his or her data will be only transferred if the patient has expressly consented the international transfer of his or her data, with the aim above-mentioned. Without this consent, the provision of the service with your insurance company won’t be provided.
Also, your identifying, working, socioeconomic, financial and patrimonial data can be transferred to finance companies with the aim of processing your request regarding their financial product, including the study and evaluation of the credit risk of the requested operations.
For those cases in which, for processing reasons, it is necessary the intervention of other healthcare providers, such as laboratories for analysis or diagnosis, between other service providers, needing your data for this healthcare service, it could be communicated to them with the only purpose above-mentioned.
In the case of the Health administration, data may be transferred in the cases legally stipulated.
Regarding the information obtained through the video surveillance system, it will only be transferred to the Security forces of the Sate as well as to Tribunals and Courts by legal or judicial mandate.
Data from the staff
The necessary companies to complete our activity are mainly, but not exclusively, the following ones: , in the case of employees ,labor consulting, prevention and health companies and legal consulting; in the case of collaborators, tax consultancy; and generally, other complementary consultancies being necessary for the activity with the required quality and legal compliance; and Public Administration for legal cases.
Other data
OOther necessary companies to complete our activity are mainly, but not exclusively, the following ones: security companies (video surveillance), courier companies (limited), external IT services companies, delivery companies (“mailings”), companies for surveys (with the previous consent of the concerned person and, generally, other companies or organizations needed for the activity with the quality and legal compliance requested; and Public Administration for legal cases.
Security measures
The clinic has a certified quality system according to the international standard ISO 9001: 2015 that supervises the legal compliance. It also has the Excellent Healthcare accreditation and Mercurio accreditation on data protection that aligns to the Standard Code for Data Protection for Private Health Organizations, available to the public on the Spanish Agency of Data Protection: www.aepd.es
The clinic has security measures described on its management and quality processes as well as protection measures of its information systems. All this is described on its Security Document.
Rights of the data owner
The owner of the data has the right to access, rectify, eliminate, limit, move and oppose to the processing of his/her data and to present a claim to the Spanish Agency of Data Protection.
We invite you to read the Citizen’s guide published by the Spanish Agency of Data Protection and that you can find on the following link: http://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/common/Guias/GUIA_CIUDADANO.pdf
The rights of the owner of the data are the following ones:
Access
You have the right to know if you personal data is being processed or not and, therefore, to obtain the following information: categories of the data; recipient or recipient categories to whom data has been transferred or will be transferred; conservation period expected or, if it is not possible, an assessment to determine this period.
The owner can exercise this right every 6 months, unless there is a legitimate reason for the request, in which case, it is possible to exercise the right more than once.
When the owner of the data exercises this right of access, we will give him a copy of the personal data that has been processed in a legible format that the concerned person can choose. In the case of clinical history, only the data of the owner will be transferred and no other information of the clinical history. In any case, it will be done in the interest of the concerned person and the legal provisions.
If the access request is done manifestly unfounded or excessively, especially if it’s excessive, we can impose a fee to compensate the administrative costs of the petition and it will correspond to the real cost of processing the application.
Regarding to procedures, we will inform the individual concerned about the activities resulting from the request within one month (even two months more for particularly complex requests. The extension of the period will be notified within the first month.
If we decide not to respond to the request, we will communicate the decision to the concerned person, explaining the reason, within one month from request; the concerned person can bring a complaint before the Spanish Agency of Data Protection.
Rectification
It is the right to rectify the inaccurate personal data or to complete uncompleted personal data through and additional statement, taking into account the purposes of the processing.
For this purpose, the concerned person must request it and precise the data he or she wants to modify; if necessary, he or she must present the supporting documentation of this data inaccuracy or incomplete information.
Cancellation
The person concerned has the right to delete his or her personal data in the following circumstances: when it is no longer necessary for the purposes for which it was collected or processed; if he withdraw his consent and the treatment is not based on other legal basis (the examples already mentioned); if he opposes to the treatment and no other legitimate reasons prevails; if data has been processed illicitly.
Regarding the health data collected in medical histories, it should be kept for the legal time established by the applicable legislation of clinical documentation and when there is a public interest according to the legal system.
When the deletion comes from the exercise of the right to opposition with direct marketing purposes, we may retain the identifying data in order to prevent future data processing for direct marketing purposes.
Once we have transferred the personal data and we are obliged to delete such data, we will adopt reasonable measures, taking into account the available technology and the cost of its application, including technical measures to inform the responsible of data processing that are treating the data personal with the deletion request.
All this shall not apply for the compliance of a legal obligation requiring a data processing or for the fulfillment of a mission performed in the public interest or in the exercise of granted public powers; for scientific or historic research purposes, as well as statistics purposes inasmuch as the right of deletion may not permit or interfere badly to get this goals for the development and exercise or defense of complaints.
Opposition
The owner has the right to object his data processing at any time, except for the legal cases aforementioned.
If the owner exercises this right, we will stop processing his personal data, unless we certify overriding legitimate reasons on which the data processing takes precedence over his interests rights and liberties or for the development of the exercise or defense of claims, as well as the necessary conservation according to the legal regulation of the clinic history or for issues of general interest, when such interest exists.
When the data processing target direct marketing, the owner may have the right to oppose at any moment and, in that case, persona data will be no longer processed for those purposes.
Limitations on data processing
The owner has the right to limit the data processing in the following situations:
When the owner has announced the inaccuracy of his personal data during the period of time that allows us to verify the precision of those already mentioned;
When the owner considers that the processing is illegal and we have refused the elimination of its personal data and, instead, he has requested for the limitation of its use;
When we no longer need his or her personal data for the treatment, but they must be preserved for legal reasons or the development, exercise or defense of claims;
When the owner refuse the treatment, while we verify if our legitimate reasons take precedence over his.
When the owner can limit the data processing according to the exercise of this right, he will be informed before lifting this limitation..
We will also inform about any personal data rectification, elimination, limitation or processing to each one of the recipients to whom it has been transferred or communicated, unless it is impossible or needs a disproportionate effort. If the owner asks for it, we will inform him or her about those recipients.
Moreover, the owner may revoke the consent for particular types of processing at any moment and with prospective effect. However, this revocation does not affect to legitimacy of the processing before the revocation of its consent or as long as the processing can be justified through other legal bases.
Portability
The owner has the right to receive the personal data he provided us and that we posses, in a structured format, commonly used and machine readable, and transmit it to other data processing responsible without being able for us to avoid it, when the data processing is based on the consent and it is done by automated means.
His personal data may be also transferred directly from one responsible to another responsible when it is technically possible.
The exercise of this right is extended without prejudice of the authority granted by the right of deletion.
The right of portability won’t be extended to the data that we could have inferred from data directly resulted from our services.
How to exercise your data protection rights
In order to exercise their rights, the owner can write to our headquarters, located at P.º del General Martínez Campos 41, 7ªA, 28010 Madrid.
In such way, you can also seek advice independently by email info@generalife.com and to present a complaint to the Spanish Agency of Private Data.
