In compliance with the principles of legality and transparency and in order to provide information to the interested parties established in articles 13 and 14 of the European Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, GDPR), we inform you of the characteristics of the personal data processing carried out under the responsibility of CANARY MEDICAL & SOCIAL KEY SL.
Data processing: (I) Human Resources Management. (II) Administrative, accounting, tax and commercial management. (III) Customer management. (IV) Management of companions. (V) Medical history. (VI) Attention to the privacy rights of the interested parties. (VII) Commercial management. (VIII) Attention of requests received through the Web.
Purpose: (I) Selection of personnel, training, preparation and sending of payroll, and other documents necessary for the employment relationship. (II) Preparation of accounting and taxes, relationship of collections and payments with customers and suppliers. (III) Provision of services related to health care. (IV) Collect data from clients’ companions to manage reservations. (V) Respond to requests for exercise of rights related to personal data. (VI) Notify the interested parties and the Control Authority of security violations that may affect the rights and freedom of the interested parties. (VII) Preparation and monitoring of budgets. (VIII) Attention of requests received through the Web.
Legitimation: (I) Application of contractual or pre-contractual measures. (II) Law 58/2003, of December 17, General Tax. (III) and (IV) Application of contractual or pre-contractual measures. (V) Law 41/2002, basic regulator of the autonomy of the patient and of rights and obligations regarding information and clinical documentation. (VI) EU Regulation 2016/679, of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data. (VII) Application of contractual and pre-contractual measures. (VIII) Consent of the interested party.
Retention Term: (I) During the selection processes or employment relationship and the term necessary to meet responsibilities derived from the contract for the provision of services. (II) Six years for commercial purposes, and the term necessary to meet responsibilities derived from the tax settlement. (III) and (IV) The term necessary to meet the requests and responsibilities that may arise from them. (V) Five years after the end of the care process and the period necessary to attend to responsibilities derived from it. (VI) While the service is provided and the period necessary to address issues related to the services provided. (VII) The term that the proposal lasts. (VIII) The term necessary to attend to the request, as well as while the responsibilities that may arise from them last.
Recipients: (III) Clinics, Hotels, Insurers. (IV) Hotels. (V) Health workers. (VI) Spanish Data Protection Authority.
Exercise of rights: You can exercise your right of access, rectification, deletion, limitation and opposition to treatment, under the terms and conditions established in the personal data protection regulations (Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data), by sending a request by email to email@example.com, indicating in any case the Reference: «Data protection», along with an accompanying document that proves your identity. You can also file a claim with the Spanish Data Protection Authorities.
Who is responsible for the processing of your data?
The owner of the company and of this website is CANARY MEDICAL & SOCIAL KEY, SL, hereinafter CANARY MEDICAL. Therefore, any personal data that you send through this website, as well as on data collection forms that are completed in person on site, will be processed under the responsibility of CANARY MEDICAL.
What personal data do we collect? (and how we do it)
We will request the minimum data necessary to carry out the matters indicated in the previous section; normally, name and surname, address, and contact information to notify you of appointments.
In relation to your Medical History, we also request all the data and medical history that we must request by law.
How do we use the personal data that we hold under our responsibility?
We use your data for the following purposes:
(I) Human Resources management of the company.
(II) Billing, accounting and tax management.
(III) Customer management.
(IV) Management of companions.
(V) Management and intermediation of medical records.
(VI) Attention to the privacy rights of the interested parties.
(VII) Preparation and monitoring of budgets.
(VIII) Handling of requests received via the Website.
The use we make of the data is exclusively for what is necessary for each of the purposes. For example, for human resources management, we send data to our employment consultants so that they can organise employment contracts and payroll, to the bank for the payment of salaries, to the National Tax Authorities to report on the annual deductions that are made on salaries, to the associated Mutual Insurance companies and to the Occupational Health & Safety Agency.
For how long?
When the data processing is imposed by a ruling, normally it incorporates the period during which the data must be processed or saved. Thus the Commercial Code establishes the obligation to keep the data for accounting and commercial purposes for six years, but there are certain assumptions, such as the application of certain deductions, that oblige the retention of supporting financial documents for a longer period, sometimes up to fifteen years.
We are obliged to keep the health data for five years from the date of discharge or completion of treatment.
Disclosure to third parties
As in the previous cases, the data that we forward on to third parties is always limited to the minimum necessary. Sometimes we pass on patient data to other health professionals, when a complex diagnosis is involved or to complement a treatment with professionals from other specialties, such as dental technicians. We may also carry out international data transfers in compliance with contractual or pre-contractual measures, based on the requested service.
What security measures do we implement for personal data?
Canary Medical has appropriate policies plus technical and organisational measures to safeguard and protect your personal data against illegal or unauthorized access, accidental loss or destruction, damage, use and illegal or unauthorized disclosure.
We also take all reasonable precautions to ensure that our staff and employees who have access to your personal data have received appropriate training.
In any case, the user is informed that any data transmission over the Internet is not completely secure and, as such, is carried out at their own risk. Although we will do our utmost to protect your personal data, Canary Medical cannot guarantee the security of the personal data that you forward to us via email, by WhatsApp or from the website form. We therefore ask you to exercise extreme caution and never forward health data or sensitive information over public communication networks such as the Internet, unless you do so in an encrypted manner or via private networks.
What are your rights as owner of the data?
You have the right to request the deletion of your data when, among other reasons, the data is no longer necessary for the purposes for which it was collected. You have the right to obtain confirmation on whether Canary Medical is processing your personal data or not. You have the right to access your personal data and obtain a copy of it, as well as to request the rectification of inaccurate data. In certain circumstances, you may request the limitation of the processing of your data, in which case we will only keep it for the exercise or defence of claims. In certain circumstances and for reasons related to your particular situation, you may object to the processing of your data. Canary Medical will stop processing the data, except in the case of compelling legitimate reasons, or the exercise or defence of possible claims. Likewise, you can exercise the right to data portability, as well as revoke the consents you have provided.
You can exercise these rights by email request addressed to firstname.lastname@example.org (in certain cases we may ask you to prove your identity by providing some additional information), and clearly indicating the right you want to exercise. Finally, we would indicate that you can file a legal claim with the Spanish Data Protection Authorities, especially when you have not obtained satisfaction in the exercise of your rights.