DETAILED INFORMATION ON DATA PROTECTION
Who is responsible for your data?
Hospital Dr. Gálvez S.A – CIF: A29059243
Postal Address: Calle San Agustín, nº 1 – 29015 – Málaga
Data Protection Delegate
What data do we collect and where does it come from?
The following categories of personal data may be collected:
- Health related data integrated in the patient’s Medical History.
- Identification, contact details of the interested party, patient or his/her/their representatives.
- Personal characteristics.
- Academic and professional data (resumes)
- Transactional data (banking).
- Image data.
The data may come from the interested party, patient or, where appropriate, from his/her/their legal or voluntary representative, from health personnel, Insurance Companies and / or other health centres.
What´s the purpose of collecting your personal data?
Personal data may be collected by those responsible for the patient-care for the fallowing purposes:
1.- Providing the best health care: your personal data is collected in order to provide you with the health care you need, as well as to properly manage the health and administration services of the hospital. For example:
- Remind you of your appointments and medical examinations.
- Issue a doctor´s note if this is requested by family members or others related to you, always in accordance with the law and regulations.
- Attend any of your communication with the hospital.
- Manage any incident or claim filed by the user and / or patient.
- Conduct surveys with the purpose of knowing your opinion about the care received in order to improve and develop our care and management services.
2.- Scientific research: your data can be collected for scientific purposes, complying with the specific regulations in this regard.
3.- Processing information requests, complaints, suggestions, claims, exercise of data protection rights, reception of resumes, etc.: in all these cases your data will be collected in order to manage and process the requests, by any means, including telephone and / or electronic communications.
4.- Compliance with legal obligations: It may be necessary to collect personal data in order to comply with the corresponding legal requirements. In particular, to comply with legislation on data protection, tax, health, etc.
5.- Formalization and execution of the contracts: The patient’s personal data is collected in order to manage the contractual relationship with the patient.
6.- Video monitoring: Dr. Gálvez Hospital has a video surveillance system through which real-time images of the centre’s users are collected. Collection of this information is exclusively for the purpose of security and access control to the facilities.
The data collected will be processed for the specified purposes and in no case incompatible with said purposes. We remind you that collection of the data for scientific research purposes is not considered incompatible with the initial purpose.
In any case, we process your data in order to be able to assist you always with the same level of quality of care, regardless of the channel you use to communicate with us ( through the hospital, our website, mobile phone applications where appropriate, either in person, by telephone or via telematics).
What is the legal base for processing your data?
Purpose (P) and Legal Base for Processing (LBP)
P 1.: Providing health care.
LBP.: Necessary collection in order to execute a contract with the interested party; collection and processing based on his/hers/their consent, to protect his/hers/their interests and / or the legitimate interests of the party responsible for the collection.
P 2.: Scientific research
LBP: Necessary collection for scientific research.
P 3.: Processing applications and resumes
LBP: Collection based on the consent of the interested party and / or legitimate interest of the responsible party for the collection.
P 4.: Formalization and execution of the contract
LBP: Necessary collection in order to execute the contract with the interested party.
P 5.: Video surveillance
LBP: Data collection is based on the legitimate interest of the Hospital (Responsible).
P 6.: Compliance with legal obligations
LBP: The legal base is compliance with a legal obligation that is applicable to the responsible party for the data collection.
Data storage duration
As a general rule, your data will be stored only for the time strictly necessary for the purpose for which it was collected.
Storage period: The period of storage of personal data will vary depending on the service you request, though it will always be the minimum necessary:
- The personal data provided as well as the health data derived from the care process will be kept for the appropriate time in each case, in accordance with legal and / or medical criteria and during at least 5 years from the finalization of the care received, except when there is a need for a longer period of storage due to legal obligations.
Once the assistance and the contractual relationship has ended, the responsible party shall keep the collected data duly blocked and pseudo-anonymized during the term of the statutory limitation periods.
- The personal data collected for the purpose of scientific research will be kept for a maximum period of 5 years from the end of the investigation. However, upon request from the data controller, the Control Authorities may agree on the complete storage of some data, with regards to historical, scientific or statistical values.
- The personal data provided in relation with lodging a complaint, a request to exercise data protection rights or submission of resumes, will be stored for the necessary time to process the request (2 years in case of resumes) and up to 5 years in the remaining cases, to meet the request of the Competent Authority.
- The data processed to comply with legal obligations will be kept for the time established in the applicable legislation.
- The data collected to formalize and execute the contract will be kept for the duration of the contractual relationship; and for minimum 5 years or more in order to allow time space for the claim/request process and the response it requires.
- The images captured through the video surveillance systems will be kept for a maximum period of 30 days, unless the data controller is aware of a fact that is relevant for further judicial action.
– 6 years according to article 30 of the Commercial Code (accounting books, invoices …).
– 5 years according to article 1964 of the Civil Code (personal actions without special term).
– The General Tax Law provides a period of 4 years so that rights can be exercised, whether formal or economic rights, by the taxpayer or the Administration (VAT or Income Tax).
Which recipients will your data be communicated to?
In order to guarantee adequate service provision, it may become necessary that some service providers have access to your data to process it on behalf of The Care-giver (the Hospital), acting as Care Managers; with regards to certain data, also being able to act as Responsible along with the Hospital, especially when the treatment is carried out with their own means and systems. These entities may be those providing diagnostic, clinical analysis, document destruction, information storage, entities collaborating in payment collection management and other administrative tasks, etc.
Your personal data will not be transferred to third parties unless there is a legal obligation, vital interest or the consent of the interested party.
Since the patient may have an insurance contract under which a third party is payer for the health services provided by the Hospital, as long as the patient bring this to the knowledge of the care-giver, we can communicate the data collected to said entities, in order to manage the payment of the services provided
Your personal data can also be communicated to providers of medical supplies, prostheses, implants or ambulances, in line with a vital interest of the patient.
In any case, all the information you provide will be processed confidentially and with strict compliance with security measures to prevent access by unauthorized third parties.
What are your rights when you provide us with your data?
You can exercise the right of access to your data, rectification of inaccurate data, request the deletion of said data (for example when the data is no longer necessary for the purposes that is was collected), of limitation of the processing (in this case we will keep your data for the purposes of responding to claims). You can also exercise the right of opposition and portability.
You may at any time revoke the consent given for collection and storage of your data.
The exercise of these rights as well as the revocation of consent are free, except in cases provided in Article 12.5 of Regulation (EU) 679/2016.
You may download the forms available on our website: www.hospitalgalvez.com
How to exercise these rights?
You can send a written communication to Hospital Dr. Gálvez, located in Calle San Agustín,1 29015 – Málaga or email it to email@example.com. Please attach a photocopy of your ID or other similar identification document, and indicate the right you wish to exercise.
We also inform you of the possibility of submitting a claim to the competent control authority.
LINKS TO FORMS:
OPOSSITION TO DATA COLLECTION REQUEST: FORM A) FORM B)
DATA SUPRESSION REQUEST (RIGHT TO OBLIVION)
RIGHT TO LIMITATION OF DATA PROCESSING
RIGHT TO PORTABILITY
RIGHT TO NOT TO BE SUBJECT TO INDIVIDUALIZED DECISIONS
1 month´s term is established under which the right of the interested party is made effective. This is renewable for 2 additional months in cases of complexity or where a large number of applications are received. In any case, such extensions must be informed, expressly notifying the interested party of the reasons.
Last update January 2019