Basic data protection data | |
Data Controller: | Jesús Usón Minimally Invasive Surgery Centre Foundation Ctra. Nacional 521, Km. 41,8, 10071- Cáceres G10347417 dpd@ccmijesususon.com |
Purpose: | Mainly: ● To enable us to provide our services ● To deal with queries |
Legitimation: | The legal bases for processing personal data shall be, as appropriate: ● The consent of the data subject ● Compliance with legal obligations |
Recipients: (Assignments and transfers) | No further transfers of data are envisaged except for those that may exist due to legal obligations |
Legitimation recipients: | By legal obligation |
Profiling: | Non-existent |
Rights: | You may exercise your rights of access, rectification, portability and erasure of your data, and limitation or opposition to the processing |
Origin: | From the data subject |
Additional information: | Legal Notice Privacy Policy Cookie Policy |
1. Introduction
This Privacy Policy governs the collection, processing and use of personal and non-personal information as a User of the Website, as of the effective date shown in the header.
The Website does not sell personal information to third parties and will always seek consent before using the data for any purposes other than those described in this clause.
In processing personal data, the Website complies with current local and European legislation and its implementing regulations. It, therefore, adopts the necessary technical and organisational measures to prevent the loss, misuse, alteration, unauthorised access and theft of the personal data provided; always according to the state of technology, the nature of the data and the risks to which they are exposed.
2. Who is the Data Controller?
Jesús Usón Minimally Invasive Surgery Centre is the Data Controller regarding the User’s personal data and informs that these data will be processed according to Regulation (EU) 2016/679, of 27 April (GDPR), and Organic Law 3/2018, of 5 December (LOPDGDD).
3. What personal data do we collect and process?
The personal and non-personal information collected by the Website will change depending on your use of the Website and the features, options and services offered.
Personal and non-personal information collected by the Website will come to us in three ways:
- Automatically collected
- Data voluntarily provided to us
- Data provided by third parties
3.1.- Automatically collected data
This information shall consist of:
a) Data collected by cookies or similar mechanisms stored in the User’s device, always with consent. Our Cookie Policy is available (link) for more information.
b) The IP from which the connection is made, the type of device used and its characteristics, the operating system version, the type of browser, the language, the date, the country, the time of the request, the referrer URL or the mobile network used, among others. The Website servers may automatically detect the IP address and domain name used by the User. An IP address is a number automatically assigned to a computer when it connects to the Internet. All this information is recorded in a server activity file which allows the data to be further processed to obtain purely statistical measurements of the number of page impressions, the number of visits made to the web servers, the order of visits, the point of access, etc.
c) Data on the use of the Website and possible errors detected during its use, such as pages not found or erroneous visualisations.
3.2.- Data provided voluntarily
This information will consist of the information in messages sent through the Website’s contact channels.
3.3.- Data provided by third parties
This information shall consist of information provided by social media or similar services.
4. What do we process personal data for, and what do we do with it?
We will primarily process the data to respond to enquiries from interested parties. The operations envisaged to carry out the processing are:
a) Processing orders, requests, responding to queries or any type of request made by the User through any of the forms of contact provided to him/her on the Controller’s Website.
The data provided to the Website will be used to respond to your requests for information or contact.
4.1.- In mails and contact forms
The Website is SSL-encrypted to allow secure submission of your personal data through standard contact forms.
The personal data collected will be subject to automated processing and incorporated into the corresponding files of the activity register and of which the Data Controller is the owner.
In this sense:
We will receive your IP address, which will be used to check the origin of the message to provide you with appropriate recommendations (e.g. to present the information in the correct language) and detect possible irregularities (e.g. possible attempts to cyber-attack the Website), and data relating to your ISP.
You may also provide us with your details by telephone, email and other means of communication as indicated.
Moreover, certain services provided through the Website may contain particular conditions on the protection of personal data. They will need to be accepted before participating in these services.
Finally, and as already stated, the purpose of processing this data will be solely to provide the information or services requested.
4.2.- Social media
a) Data Controller
The Controller and the Website have profiles on some of the leading social media on the Internet, and the Controller recognises itself as the Data Controller concerning the data published (for example, photos uploaded by the Controller in which people’s faces appear).
b) Purposes the processing
The processing that the Data Controller will carry out with the data within each of the social media pages will be, at most, that which the social media allows for corporate profiles.
The purpose of the processing is that already stated relating to the maintenance of a relationship between the User and the Controller and may include these operations: (a) to process requests and queries submitted to the Controller; b) to provide information on activities and events organised by the Controller; c) to interact through official profiles. Thus, where not prohibited by law, the Controller may inform our followers about its activities or by any means allowed by social media and provide personalised customer service.
Under no circumstances will the Data Controller extract data from social media unless the User’s consent to do so has been specifically obtained.
c) Legal basis for processing
Article 6.1.a) GDPR is the legal basis, as the User has given his/her consent to the processing of his/her personal data for one or more specific purposes. The User has a profile on the same social media and has decided to follow the Controller’s profile, thus showing interest in the information published. Therefore, when requesting to follow our official profiles, he/she gives his/her consent to the processing of personal data published on his/her profile.
The User may at any time access the privacy policies of the social media itself and configure his/her profile to guarantee his/her privacy.
The Controller has access to and processes the User’s public information, particularly his/her contact name. These data are only used within the social media itself and will only be included in a file belonging to the Data Controller when necessary to process the User’s request.
d) Data conservation criteria
They will be kept until the User revokes the consent given as stated in this privacy policy.
e) Recipients
The information provided by the User through the Data Controller’s social media, including his/her personal data, may be published, always depending on the services used by the User, and may, therefore, be publicly available to other third-party users of the social media.
On each social media profile, the Users can configure what information they want to make public in each case, view permissions granted, delete them or deactivate them, such as any third-party application that he/she no longer wishes to use.
No communication of personal data to third parties outside the social media is envisaged except, if essential for the development and execution of the purposes of the processing, to our service providers related to communications, with whom the Data Controller has signed the confidentiality and data processor contracts required by current privacy regulations.
f) Rights
When, due to the very nature of social media, effectively exercising the User’s or follower’s data protection rights is subject to the modification of the User’s or follower’s personal profile, the Controller will help and advise accordingly to the best of its ability.
g) Use of the profile
The Controller may carry out these actions:
- Access public profile information.
- Publish information already published on the Controller’s social media on the user’s profile.
- Send personal and individual messages through social media channels.
- Update the status of the page that will be published on the User’s profile.
Users can always control their connections, delete content that no longer interests them and restrict whom they share their connections with by accessing their privacy settings.
h) Posts
Once he/she is a follower or has joined the Controller’s social media, the User may publish comments, links, images, photographs or any other type of multimedia content supported. The User must, in all cases, be the owner of such content, hold the copyright and intellectual property rights or have the consent of the third parties concerned.
Any publication on social media, whether texts, graphics, photographs, videos, etc., that violate or are likely to violate morals, ethics, good taste or decorum and/or that infringe, violate or breach intellectual or industrial property rights, the right to image or the law, is expressly prohibited.
In such cases, the Controller reserves the right to remove the content immediately and without prior notice and may request the permanent blocking of the User.
The Controller shall not be held responsible for the contents freely published by a User. The User must bear in mind that other users will see his/her publications, so he/she is primarily responsible for his/her privacy.
The Data Controller will store none of the images published on social media, but they will remain on such social media.
i) Data of minors or persons with special abilities
Access and registration on the Data Controller’s social media are prohibited to persons under 18. If the User has special abilities, the intervention of the holder of parental authority or guardianship or his/her legal representative with a valid document accrediting representation will be necessary.
The Controller shall be expressly exonerated from any liability that may arise from the use of social media by minors or persons with special abilities. The Data Controller’s social media do not knowingly collect any personal information from minors. Therefore, if the User is a minor, he/she should not register, use the Controller’s social media or provide any personal information.
5. Why may we process personal data?
Because the processing is legitimised by Article 6 of the GDPR as follows:
Purpose: | Legitimation: |
Address consultations | Processing might be necessary for the performance of a contract or pre-contractual measures as per Article 6.1.b) GDPR |
Process orders, requests, etc. at the user’s request | In the legitimate interest of the Controller or third parties as per Article 6.1.f) GDPR |
6. How long do we store your personal data for?
They shall be kept for no longer than is necessary to maintain the purpose of the processing or if legal prescriptions dictate their safekeeping. When no longer necessary for that purpose, they shall be deleted with appropriate security measures to ensure the anonymisation of the data or their total destruction.
The following indicates how long the data processed by the Website is retained:
(a) Disaggregated data shall be retained without a time limit for deletion.
(b) Users’ data uploaded by the Controller to social media pages and profiles will be kept from when the user gives his/her consent until he/she withdraws it.
7. Who do we provide or disclose personal data to?
No communication of personal data to third parties is envisaged except, if essential for the development and execution of the purposes of the processing, to our service providers related to communications, with whom the Data Controller has signed the confidentiality and data processor contracts required by current privacy regulations.
8. Are there data transfers outside the EEA?
We inform you of the possibility and intention to transfer personal data to a third country declared adequate by the European Commission – USA, applicable to entities certified in the framework of the EU-US Privacy Shield. Commission Decision (EU) 2016/1250 of 12 July 2016 – setting out the following possible importers, included but not limited to: Google Inc., Microsoft, Social Networks, Payment providers, etc.
9. Where do we obtain personal data from?
The personal data processed on this Website are collected primarily and directly from the User, except any that may be collected automatically and provided by third parties mentioned earlier in this document.
10. What rights can be exercised and how?
The rights of the User are:
● Rights of access, rectification, portability and erasure and of limitation or opposition to the processing.
● The right to lodge a complaint with the supervisory authority (www.aepd.es) if you consider that the processing does not comply with the regulations in force.
● If you have granted consent for a specific purpose, you may withdraw it at any time, without this affecting the legality of the processing based on the consent before the withdrawal.
The rights may be exercised at any time at these addresses:
Data Controller: | Jesús Usón Minimally Invasive Surgery Centre Foundation |
Address: | Ctra. Nacional 521, Km. 41,8, 10071- Cáceres |
Email address: | ccmi@ccmijesususon.com |
You will have to identify yourself with your name and surname and provide a copy of your ID card in all cases.
You can find the different models for exercising these rights here (in Spanish): https://www.aepd.es/es/derechos-y-deberes/conoce-tus-derechos
Moreover, as a User, if you consider there is a problem with how the Controller is handling your data, you may address your complaints to the Data Protection Delegate or the data protection authority as appropriate, namely the Spanish Data Protection Agency in Spain.
11. On the compulsory nature of the information provided
By ticking the corresponding boxes and entering data in the fields marked with an asterisk (*) in the contact form or presented in download or account registration forms, Users expressly and freely and unequivocally accept that their data are necessary for the Controller, as the service provider, to deal with their request. The inclusion of data in the remaining fields is voluntary. The User guarantees that the personal data provided to the Data Controller are true and undertakes to inform of any changes/updates in this respect.
The Data Controller informs that all data requested through the Website are mandatory, as they are necessary to provide an optimal service to the User. If not all data is provided, there is no guarantee that the information and services provided will be completely tailored to your needs or that the service will be limited.
The personal data provided will be incorporated and processed according to the Data Controller’s Register of Processing Activities for the purpose(s) described above.
12. Security measures
Following current data protection regulations, the Controller complies with all the provisions of the GDPR and LOPDGDD regulations for the processing of personal data under its responsibility, and manifestly with the principles described in Article 5 of the GDPR, whereby they are processed lawfully, fairly and transparently concerning the User as a data subject and are adequate, relevant and limited to what is necessary for relation to the purposes for which they are processed.
The Controller guarantees that it has implemented appropriate technical and organisational policies to apply the security measures established by the GDPR and the LOPDGDD to protect the rights and freedoms of Users and has provided them with the appropriate information so that they can exercise them.
In any case, the Website cannot guarantee the absolute security of the information collected, so Users should cooperate and use common sense regarding the information shared.
It must be understood and acknowledged that, even after deletion, personal and non-personal information may remain visible in cache or if other Users have copied or stored it.
For further information on privacy guarantees, Users can always contact the Data Controller.
13. Privacy Policy Updates
We may update this Privacy Policy in the future. We will report any changes by sending a notice to the email address provided and/or posting a notice in a prominent place on our Website.
14.- Contact us
If you have any questions about this Privacy Policy, please contact us at:
Data Controller: | Jesús Usón Minimally Invasive Surgery Centre Foundation |
Address: | Ctra. Nacional 521, Km. 41,8, 10071- Cáceres |
Email address: | ccmi@ccmijesususon.com |