Privacy Policy

PROCEDURE FOR EXERCISING THE RIGHT OF ACCESS. 

1. A data subject of the Entity makes a communication to the Entity exercising their right of access to their personal data.
2. The person who receives such communication will immediately transfer it to the SECURITY OFFICER or the DATA CONTROLLER.
3. After the access request has arrived, the SECURITY OFFICER will examine the request so that the person responsible for the file can decide¹ on it within a maximum period of one month from the receipt of the request²

In order to proceed with this examination, the SECURITY OFFICER must take into account the specifications in the ANNEX to this procedure.

Such resolution may be FAVORABLE or UNFAVORABLE: 

A) FAVOURABLE RESOLUTION of the request for access:

If the request is accepted and the person in charge does not attach the legally required information to its communication, access will be effective during the ten days following said communication.

The information provided, regardless of the medium in which it is provided, shall be given in a legible and intelligible form, without the use of keys or codes that require the use of specific mechanical devices.

Such information shall include:

• All the basic data of the affected person.
• Those resulting from any computer elaboration or process.
• The information available about the source of the data.
• The assignees of the data.
• The specification of the specific uses and purposes for which the data were stored.

The affected party may choose to receive the information through one or more of the following file consultation systems:

• On-screen display.
• Writing, copy or photocopy sent by mail, certified or not.
• Fax.
• E-mail or other electronic communications systems.
• Any other system that is appropriate to the configuration or material implementation of the file or to the nature of the processing, offered by the controller

Therefore, the PERSON RESPONSIBLE FOR THE FILE will deliver the information depending on the system to which the interested party has opted

These systems for consulting the file may be restricted depending on the configuration or material implementation of the file or the nature of the processing, provided that the processing offered to the affected party is free of charge and ensures written communication if the latter so requests.

If the person responsible offers a certain system to enforce the right of access and the affected party rejects it, he or she will not be liable for the possible risks to the security of the information that may arise from the choice.

B) UNFAVOURABLE RESOLUTION:

The person responsible for the file or processing may deny access to the personal data within a maximum period of one month from the receipt of the request when:

• The right has already been exercised in the twelve months prior to the application, unless a legitimate interest to that effect is proven.
• Access may also be refused in cases where it is provided for by a law or a rule of Community law of direct application or when these prevent the controller from disclosing to the data subjects the processing of the data to which the access refers.
• In any case, the person responsible for the file will inform the affected party of their right to seek protection from the Spanish Data Protection Agency or, where appropriate, from the control authorities of the autonomous communities.

• PROTECTION OF RIGHTS. The interested party who is denied, in whole or in part, the exercise of the rights of opposition, access, rectification or deletion, may inform the Data Protection Agency or, where appropriate, the competent body of each Autonomous Community, which must ensure that the refusal is admissible or inadmissible. 
  The maximum period in which the express resolution for the protection of rights must be issued will be six months.
  A contentious-administrative appeal will be lodged against the resolutions of the Data Protection Agency.

• To communicate this resolution, the communication will be sent in such a way as to accredit both compliance with it and its content. It will be up to the data controller to prove compliance with the duty to respond, and must maintain accreditation of compliance with the aforementioned duty. 

What is the right of access?

The right of access is the right of the data subject to obtain information about whether his or her own personal data:

• The purpose of the processing that, if applicable, is being carried out is being processed.
• The information available on the origin of such data
• The communications made or planned of the same.

By exercising it, the data subject may obtain from the data controller:

• Information relating to specific data
• To data included in a specific file
• To all of your data subject to processing. 

How is the right of access exercised?

The right of access may be exercised by means of a communication addressed to the person responsible for the file. It can be exercised:

• The affected party, proving his or her identity, in the manner provided. It is required:

• Name and surname of the interested party.
• Photocopy of your national identity card, passport or other valid document identifying you and, if applicable, of the person representing you, or equivalent electronic instruments; as well as the document or electronic instrument accrediting such representation. The use of an electronic signature identifying the affected party will exempt the presentation of photocopies of the ID card or equivalent document.
• Petition specifying the request.
• Address for notification purposes, date and signature of the applicant.
• Documents accrediting the request made, if applicable.

• When the affected person is in a situation of incapacity or a minor that makes it impossible for him or her to exercise this right personally, it may be exercised by his or her legal representative, in which case it will be necessary to prove such condition.
• The right of access may also be exercised through a voluntary representative, expressly designated to exercise the right. In this case, the identity of the represented party must be clearly accredited, by providing a copy of their National Identity Document or equivalent document, and the representation conferred by the latter. 

The right of access will be DENIED when the request is made by a person other than the affected person and it is not proven that he or she is acting on behalf of the affected person.

The right of access of the interested party to the documentation of the Entity's history may not be exercised to the detriment of the right of third parties to the confidentiality of the data contained therein in the therapeutic interest of the interested party, nor to the detriment of the right of the professionals participating in its preparation, who may oppose the right of access to the confidentiality of their subjective annotations.

Health centres and individual practitioners will only provide access to the history of the deceased interested parties to people linked to them, for family or de facto reasons, unless the deceased has expressly prohibited it and this is accredited. In any case, the access of a third party to the Entity history motivated by a risk to its health will be limited to the relevant data. No information will be provided that affects the privacy of the deceased or the subjective notes of the professionals, or that harms third parties.

The interested party must be granted a simple and free means of exercising the right of access.

The provisions of Organic Law 15/1999, of 13 December, and Royal Decree 1720/2007, of 21 December, will not be considered to be in accordance with the provisions of Organic Law 15/1999, of 13 December, and in Royal Decree 1720/2007, of 21 December, in cases in which the data controller establishes as a means for the interested party to exercise their rights the sending of registered letters or similar, the use of telecommunications services that imply an additional tariff to the affected party or any other means that imply an excessive cost for the data subject. the interested party.

When the person responsible for the file or processing has services of any kind for the attention of its public or the exercise of claims related to the service provided or the products offered to it, the affected party may be granted the possibility of exercising their right of access through these services. In such a case, the identity of the interested party will be considered accredited by the means established for the identification of the customers of the responsible party in the provision of its services or contracting of its products.

The person responsible for the file or processing must respond to the request for access made by the data subject even if he or she has not used the procedure specifically established for this purpose by the data subject, provided that the interested party has used a means that allows the sending and receipt of the request to be accredited, and that it contains the elements referred to above. 

The person responsible for the file must adopt the appropriate measures to ensure that the people in their organisation who have access to personal data can inform them of the procedure to be followed by the affected party for the exercise of their right.

PROCEDURE FOR EXERCISING THE RIGHT TO OBJECT (Articles 23-26 to 34-36 of Royal Decree 1720/2007, of 21 December, approving the Regulations for the development of Organic Law 15/1999, of 13 December, on the protection of personal data and Articles 6.4 and 30.4 of Organic Law 15/1999, of 13 December, of Personal Data Protection).

1. A data subject of the Entity makes a communication to the Entity exercising their right to object to their personal data, including or not their Entity history. 
2. The person who receives this communication will immediately transfer it to the SECURITY MANAGER.
3. After the opposition request has been received, the SECURITY OFFICER will examine the application so that the person responsible for the file can decide on it within a maximum period of ten days from the receipt of the request.

In order to proceed with this examination, the SECURITY OFFICER must take into account the specifications in the ANNEX to this procedure.

Such resolution may be FAVORABLE or UNFAVORABLE

A) FAVOURABLE RESOLUTION of the request for access:

In this case, the processing of the personal data of the interested party is not carried out or the processing is ceased. It occurs in the following cases:

The information provided, regardless of the medium in which it is provided, shall be given in a legible and intelligible form, without the use of keys or codes that require the use of specific mechanical devices. 

Such information shall include:

When your consent is not required for the processing, as a result of the concurrence of a legitimate and well-founded reason, referring to your specific personal situation, that justifies it, provided that a law does not provide otherwise. When the opposition is made on the basis of this assumption, the application must state the well-founded and legitimate reasons, relating to a specific personal situation of the affected party, which justify the exercise of this right.

In the case of files whose purpose is to carry out advertising and commercial prospecting activities, in the terms provided for in Article 51 of Royal Decree 1720/2007, of 21 December, regardless of the company responsible for their creation.

When the purpose of the processing is to adopt a decision concerning the data subject and based solely on the automated processing of their personal data .

In any case, reliable notification will be made to the interested party 

B) UNFAVORABLE resolution: 

The person responsible for the file or processing must deny the interested party's request within a maximum period of ten days from receipt of the request, with reliable notification to the interested party.

In any case, the person responsible for the file will inform the affected party of their right to seek protection from the Spanish Data Protection Agency or, where appropriate, from the control authorities of the autonomous communities.

PROTECTION OF RIGHTS. Actions contrary to the provisions of this Law may be the subject of a complaint by the interested parties to the Data Protection Agency, in the manner determined by regulations.

The interested party who is denied, in whole or in part, the exercise of the rights of opposition, access, rectification or deletion, may inform the Data Protection Agency or, where appropriate, the competent body of each Autonomous Community, which must ensure that the refusal is admissible or inadmissible. 

The maximum period in which the express resolution for the protection of rights must be issued will be six months. 

A contentious-administrative appeal will be lodged against the resolutions of the Data Protection Agency.

To communicate this resolution, the communication will be sent in such a way as to accredit both compliance with it and its content. It will be up to the data controller to prove compliance with the duty to respond, and must maintain accreditation of compliance with the aforementioned duty. 

>> Right to object to decisions based solely on automated data processing.

Data subjects have the right not to be subject to a decision with legal effects on them or which significantly affects them, which is based solely on automated data processing aimed at assessing certain aspects of their personality, such as their work performance, credit, reliability or conduct.

However, those affected may be subject to one of these decisions when that decision: 

1. It has been adopted in the context of the conclusion or performance of a contract at the request of the interested party, provided that he is given the opportunity to argue what he deems pertinent, in order to defend his right or interest. In any case, the person responsible for the file must inform the affected party in advance, clearly and precisely, that decisions with the characteristics indicated above will be adopted and will cancel the data in the event that the contract is not finally concluded.
2. It is authorised by a regulation with the status of law that establishes measures that guarantee the legitimate interest of the interested party.

The right to object can be exercised by communication addressed to the person responsible for the file. It can be exercised:

The affected party, proving his or her identity, in the manner provided. It is required:

• Name and surname of the interested party.
• Photocopy of your national identity card, passport or other valid document identifying you and, if applicable, of the person representing you, or equivalent electronic instruments; as well as the document or electronic instrument accrediting such representation. The use of an electronic signature identifying the affected party will exempt the presentation of photocopies of the ID card or equivalent document.
• Petition specifying the request.
• Address for notification purposes, date and signature of the applicant.
• Documents accrediting the request made, if applicable.

In the event that the application does not meet the requirements specified herein, the person responsible for the file must request that they be corrected. 

When the affected person is in a situation of incapacity or a minor that makes it impossible for him or her to exercise this right personally, it may be exercised by his or her legal representative, in which case it will be necessary to prove such condition.

The right to object may also be exercised through a voluntary representative, expressly designated to exercise the right. In this case, the identity of the represented party must be clearly accredited, by providing a copy of their National Identity Document or equivalent document, and the representation conferred by the latter.

The right to object will be DENIED when the request is made by a person other than the affected party and it is not proven that it acts on behalf of the affected person. 

The interested party must be granted a simple and free means of exercising the right to object

The provisions of Organic Law 15/1999, of 13 December, and Royal Decree 1720/2007, of 21 December, will not be considered to be in accordance with the provisions of Organic Law 15/1999, of 13 December, and in Royal Decree 1720/2007, of 21 December, in cases in which the data controller establishes as a means for the interested party to exercise their rights the sending of registered letters or similar, the use of telecommunications services that imply an additional tariff to the affected party or any other means that imply an excessive cost for the data subject. the interested party.

When the person responsible for the file or processing has services of any kind for the attention of its public or the exercise of claims related to the service provided or the products offered to it, the affected party may be granted the possibility of exercising their right of opposition through these services. In such a case, the identity of the interested party will be considered accredited by the means established for the identification of the customers of the responsible party in the provision of its services or contracting of its products.

The person responsible for the file or processing must respond to the request for opposition made by the data subject even if he or she has not used the procedure specifically established for this purpose by the data subject, provided that the interested party has used a means that allows the sending and receipt of the request to be accredited, and that it contains the elements referred to above

The person responsible for the file must adopt the appropriate measures to ensure that the people in their organisation who have access to personal data can inform them of the procedure to be followed by the data subject for the exercise of their right to object.

PROCEDURE FOR THE EXERCISE OF THE RIGHTS OF RECTIFICATION AND DELETION. (Articles 23-26 to 31-33 of Royal Decree 1720/2007, of 21 December, approving the Regulations for the development of Organic Law 15/1999, of 13 December, on the protection of personal data and Article 16 of Organic Law 15/1999, of 13 December, on the Protection of Personal Data). 

1. A data subject of the Entity makes a communication to the Entity exercising their right of rectification or their right of deletion of their personal data, including or not their Entity history.
2. The person who receives this communication will immediately transfer it to the SECURITY MANAGER.
3. After the request for rectification or the request for deletion has arrived, the SECURITY OFFICER will examine the request so that the person responsible for the file can decide5 on it within a maximum period of ten days from the receipt of the request.

In order to proceed with this examination, the SECURITY OFFICER must take into account the specifications in the ANNEX to this procedure.

Such resolution may GRANT or DENY the exercise of the right of rectification or deletion: 

In this case, the data that turn out to be inaccurate or incomplete will be modified, after reliable notification to the interested party.

In the cases in which the interested party invokes the exercise of the right of deletion to revoke the consent previously given, the provisions of Organic Law 15/1999, of 13 December and Royal Decree 1720/2007, of 21 December, will apply.

C) DENIAL of RECTIFICATION of data:

The right to rectification may be denied in cases where this is provided for by a law or a rule of Community law of direct application or when these prevent the controller from disclosing to the data subjects the processing of the data to which the access relates

This resolution will be notified to the interested party. 

D) REFUSAL to DELETE the data: 

The deletion will not proceed when: 

• Personal data must be kept for the periods provided for in the applicable provisions.
• Personal data must be kept for the periods provided for in the contractual relations between the person or entity responsible for the processing and the data subject that justified the processing of the data.
• That it is provided for by a law or a rule of Community law of direct application or when these prevent the controller from disclosing to the data subjects the processing of the data to which the access relates

In any case, the person responsible for the file will inform the affected party of their right to seek protection from the Spanish Data Protection Agency or, where appropriate, from the control authorities of the autonomous communities. 

PROTECTION OF RIGHTS. Actions contrary to the provisions of this Law may be the subject of a complaint by the interested parties to the Data Protection Agency, in the manner determined by regulations.

The interested party who is denied, in whole or in part, the exercise of the rights of opposition, access, rectification or deletion, may inform the Data Protection Agency or, where appropriate, the competent body of each Autonomous Community, which must ensure that the refusal is admissible or inadmissible

The maximum period in which the express resolution for the protection of rights must be issued will be six months.

A contentious-administrative appeal will be lodged against the resolutions of the Data Protection Agency

To communicate this resolution, the communication will be sent in such a way as to accredit both compliance with it and its content. It will be up to the data controller to prove compliance with the duty to respond, and must maintain accreditation of compliance with the aforementioned duty.

ANNEX PROCEDURE FOR DELETION OR RECTIFICATION OF DATA 

How are the right to rectification and the right to erasure exercised? 

a) THE REQUEST FOR RECTIFICATION must indicate:

1. What data is it referring to?
2. The correction to be made.
3. It must be accompanied by the supporting documentation of the request

b) IN THE REQUEST FOR DELETION, THE INTERESTED PARTY MUST INDICATE:

1. What data is it referring to?
2. Provide the documentation that justifies it, if applicable.

If the rectified or cancelled data have been previously transferred, the person responsible for the file must notify the transferee of the rectification or deletion of the rectification or deletion, within the same period, so that the latter, also within ten days of receipt of said communication, can also rectify or cancel the data.

The rectification or deletion made by the assignee shall not require any communication to the interested party, without prejudice to the exercise of the rights by the interested parties recognised in Organic Law 15/1999, of 13 December.

The right of rectification and deletion can be exercised by communication addressed to the person responsible for the file. It can be exercised:

The affected party, proving his or her identity, in the manner provided. It is required: 

• Name and surname of the interested party.
• Photocopy of your national identity card, passport or other valid document identifying you and, if applicable, of the person representing you, or equivalent electronic instruments; as well as the document or electronic instrument accrediting such representation. The use of an electronic signature identifying the affected party will exempt the presentation of photocopies of the ID card or equivalent document.
• Petition specifying the request.
• Address for notification purposes, date and signature of the applicant.
• Documents accrediting the request made, if applicable. 

In the event that the application does not meet the requirements specified herein, the person responsible for the file must request that they be corrected.

When the affected person is in a situation of incapacity or a minor that makes it impossible for him or her to personally exercise these rights, they may be exercised by his or her legal representative, in which case it will be necessary to prove such condition.

Rights may also be exercised through a voluntary representative, expressly designated to exercise the right. In this case, the identity of the represented party must be clearly accredited, by providing a copy of their National Identity Document or equivalent document, and the representation conferred by the latter.

Rights will be DENIED when the request is made by a person other than the affected person and it is not proven that the person acting on behalf of the affected person.

The interested party must be granted a simple and free means of exercising the rights of rectification and deletion.

The provisions of Organic Law 15/1999, of 13 December, and Royal Decree 1720/2007, of 21 December, will not be considered to be in accordance with the provisions of Organic Law 15/1999, of 13 December, and in Royal Decree 1720/2007, of 21 December, in cases in which the data controller establishes as a means for the interested party to exercise their rights the sending of registered letters or similar, the use of telecommunications services that imply an additional tariff to the affected party or any other means that imply an excessive cost for the data subject. the interested party.

When the person responsible for the file or processing has services of any kind for the attention of its public or the exercise of claims related to the service provided or the products offered to it, the affected party may be granted the possibility of exercising their rights of rectification and deletion through said services. In such a case, the identity of the interested party will be considered accredited by the means established for the identification of the customers of the responsible party in the provision of its services or contracting of its products.

The person responsible for the file or processing must respond to the request for rectification and deletion made by the data subject , even if the data subject has not used the procedure specifically established for this purpose by the data subject, provided that the data subject has used a means that allows the sending and receipt of the request to be accredited, and that it contains the elements referred to above.

The person responsible for the file must adopt the appropriate measures to ensure that the people in their organisation who have access to personal data can inform them of the procedure to be followed by the data subject for the exercise of their rights. 

When the laws applicable to certain specific files establish a special procedure for the rectification or deletion of the data contained therein, the provisions of those laws will apply.

RIGHT OF PORTABILITY

•  
• The interested parties who request it will be given the personal data that concerns them, which they have provided to the Entity

• The delivery will be made in a structured, commonly used and machine-readable format

• If requested, they will be transmitted to another controller where technically feasible and the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b) and (b) of the European Data Protection Regulation, and the processing is carried out by automated means.

• The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the European Data Protection Regulation on the right of deletion of requesting data subjects.

• Such a right shall not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

• This right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

• The right to portability will refer only to automated processing subjected, directly or indirectly, to the will or authorisation of the data subject (based on consent or a contractual relationship)

• The right to "Current Data" will be extended, understood not only as those related to the present moment, without taking into account those that have been provided by the interested party or obtained by the use of the product or service previously contracted and that at the time of exercising the right are being processed.

Due to its complexity, in the event that an interested party exercises this right, each case will be studied in a specific way, seeking specialized professional assistance if necessary.

RIGHT OF LIMITATION

This right will be granted to the interested parties when any of the following conditions are met:

• The data subject contests the accuracy of the personal data, for a period of time that allows the controller to verify the accuracy of the same.

• The processing is unlawful and the data subject objects to the erasure of the personal data and instead requests the restriction of its use.

• The controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the establishment, exercise or defence of legal claims.

• The data subject has objected to the processing pursuant to Article 21(1) while it is verified whether the legitimate grounds of the controller prevail over those of the data subject. 

Effects of the exercise of the right by the interested parties 

Where the processing of personal data has been restricted, such data may only be processed, with the exception of their retention, with the consent of the data subject or for the establishment, exercise or defence of legal claims, or with a view to protecting the rights of another natural or legal person or for reasons of important public interest of the Union or of a particular Member State.

Any interested party who has obtained the limitation of processing in accordance with the above will be informed by THE ENTITY before the lifting of said limitation.

Due to its complexity, in the event that an interested party exercises this right, each case will be studied in a specific way, seeking specialized professional assistance if necessary