Data Protection Information (2nd Layer)

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, Organic Law 3/2018, of 5 December (LOPDGDD) and Law 41/2002, of 14 November, Basic Regulating the Autonomy of the Patient and Rights and Obligations in Clinical Information and Documentation, the Management of this Center informs patients, users, and the general public of the following aspects:

 

Who is responsible for processing your data?

LABORATORIO ECHEVARNE S.A., hereinafter RESPONSIBLE, is the Data Controller of the User's personal data and informs you that these data will be processed in accordance with the provisions of current personal data protection regulations, Regulation (EU) 2016/679 of 27 April 2016 (GDPR) on the protection of natural persons with regard to the processing of personal data and the free movement of such data, therefore the following information about the processing is provided:

 

How can you contact the data controller?

You can contact the RESPONSIBLE in person at any of its centers, or by postal mail at its registered office located at C/ Provença, 312 baixos – 08037 Barcelona, or by email at info@laboratorioechevarne.com

 

How can you contact the Data Protection Officer (“DPO”) of the Entity?

You can contact the Entity's DPO by email at: dpo@laboratorioechevarne.com

 

What personal data do we process and where do they come from?

On the occasion of your relationship with us, the following categories of personal data may be processed:

• Identification and contact data of patients or their representatives (including name, surname, ID number, phone, email, signature, image, health card, social security or mutual insurance number);
• Health, genetic or biometric data, included in your Clinical History;
• Personal characteristics, social circumstances;
• Transactional and financial data (payments, income, transfers, debits, bank account number)

The data may come from the data subject (patient) or, where appropriate, from their legal representative, healthcare centers and/or healthcare personnel.

 

For what purpose do we process your personal data?

Personal data may be processed by the data controllers for the following purposes:

1. Provision of healthcare: your personal data are processed in order to provide you with the healthcare you require, as well as to properly manage the healthcare and administrative services of the Laboratory necessary for it, for example:

• • To remind you of your appointments.
  • To issue proof of your attendance at the healthcare center in favor of family members or persons linked to you who request it, within the framework permitted by the regulations.
  • To attend to any communication with the healthcare center reported by the patient.
  • To manage any incident or complaint filed by the user and/or patient.
  • To conduct surveys aimed at knowing your opinion about the care received, which will be used solely to improve and develop our healthcare and management services.
  • Customer retention and/or loyalty programs, or other similar ones.
  • Recording of calls made to the Customer Service.
  • To manage your participation in the different raffles or contests organized by the Entity.

2. Scientific research: your data may be processed for scientific purposes, complying with the specific regulations in this regard.
3. Handling requests for information, complaints, suggestions, claims, exercise of data protection rights, etc.: in these cases, your data will be processed to manage and process the request by any means, including telephone and/or electronic communications.
4. Compliance with legal obligations: it may be necessary to process personal data to comply with the applicable legal requirements. Specifically, to comply with data protection, tax, health legislation, etc.
5. Formalization and execution of the contract: the patient's personal data are processed to manage the contractual relationship with the patient.
6. Video surveillance: certain healthcare centers have a video surveillance system through which real-time images of the center's users are collected. The processing of this data is exclusively for security and access control purposes to the facilities.
7. Sending commercial communications: if you explicitly consent, your data may be used to send newsletters you have subscribed to by electronic means.

The collected data will be processed for the specified purposes and in no case in a manner incompatible with those purposes. We remind you that processing for scientific or statistical research purposes is not considered incompatible with the initial purpose.

In any case, we process your data to always serve you with the same level of care quality, regardless of the channel you use to communicate with us (healthcare center, center's website, mobile applications whether in person, by phone or online).

 

What is the legal basis for processing your data?

Purpose	Basis for Processing
Provision of healthcare	Processing necessary for the performance of a contract to which the data subject is a party; processing based on the data subject's consent, to protect their vital interests and/or legitimate interests of the data controller
Scientific research	Processing necessary for scientific research
Handling requests	Processing based on the data subject's consent and/or legitimate interest of the data controller
Compliance with legal obligations	Processing necessary for compliance with a legal obligation applicable to the data controller
Formalization and execution of the contract	Processing necessary for the performance of a contract to which the data subject is a party
Video surveillance	Processing based on the legitimate interest of the data controller
Sending commercial communications	Processing based on the data subject's consent
Participation in Contests and Raffles	Processing based on the data subject's consent

 

How long will we keep your data?

As a general rule, your data will only be kept for the time strictly necessary for the purpose for which they were collected.

The personal data provided, as well as those derived from the healthcare provided, will be kept for the time appropriate to each case (considering medical and legal criteria), and at least ten years from the date of discharge of each healthcare process, unless regional and/or specific regulations establish a longer minimum retention period, in which case the applicable regulations will be followed.

After the mentioned minimum period, and once the healthcare and contractual relationship has ended, the controller will keep your data properly blocked and pseudonymized during the term of the corresponding legal prescription periods.

Personal data processed for scientific research purposes will be kept under a retention criterion for a maximum period of five years from the end of the research. Regarding data processed for scientific research purposes, the Control Authorities of the Autonomous Communities may, upon request by the data controller and according to the regulatory procedure, agree to the full retention of certain data, considering their historical, statistical, or scientific value according to the legislation applicable to each case.

Personal data provided to manage any request for information, complaint, suggestion, claim, exercise of data protection rights, etc., will be kept for the time necessary to process the request, and in any case for the legally established time, as well as for the period necessary for the formulation, exercise, or defense of claims.

Data processed to comply with legal obligations will be kept for the time established in the applicable legislation.

Data collected for the formalization and execution of the contract will be kept for the duration of the contractual relationship, as well as for the period necessary for the formulation, exercise, or defense of claims, at least five years.

Images captured through video surveillance systems will be kept for a maximum period of 30 days, unless the data controller becomes aware of any fact that may be relevant for subsequent judicial action.

Data processed for sending newsletters you have subscribed to will be kept until the user revokes consent, unsubscribes from the newsletter and/or exercises their rights of opposition and/or deletion.

Data processed for sending commercial communications will be kept until the data subject revokes consent and/or exercises their rights of opposition and/or deletion.

 

To which recipients will your data be communicated?

To ensure proper service provision, it is necessary that certain service providers and/or group entities process data on behalf of the controller and as processors of your personal data. These entities may be, for example, providers of medical services, diagnostics, clinical analysis, auditing, physical security, archiving, storage or digitization of information, document destruction, legal advisory services, IT services, etc.

Your personal data will not be communicated to third parties except for legal obligation, vital interest, or prior consent of the data subject, only in the cases and to the recipients detailed below:

1. Since the User may have a contract or insurance policy, of which they are a beneficiary, under which a third party (for example, insurance companies, mutual societies, public administrations, even those of a third party in the case of civil liability insurance) is obliged to pay for the healthcare services provided by the laboratory, provided the patient informs us, we may communicate your data to such entities to manage, validate, verify, and control the payment of the healthcare services provided. In the event that the User has insurance contracted with an entity located outside the European Economic Area (hereinafter E.E.A.) whose legislation does not offer a level of data protection equivalent to that of the European Union, it may be necessary to carry out an international data transfer, with the explicit consent of the patient after being informed of the possible risks. We inform you that such transfers only occur to collaborate with the User and facilitate payment of the healthcare services provided; in short, these transfers only take place to manage and verify as efficiently as possible with the insurer the payment of services in cases where the User has an insurance policy with an entity located outside the E.E.A. If you object to the communication of your data, these entities may refuse to pay for the healthcare services received, and you will be responsible for paying them, as these entities will not be able to verify, check, validate, or control the correct billing by the healthcare center of each of your healthcare processes.
2. We also inform you that your personal data may be communicated to suppliers of materials and/or companies that collaborate in sample collection.
3. Banks or financial institutions, for the purpose of managing the collection of the services provided.
4. Authorities, public administrations, social security, and, where appropriate, judges or courts, to comply with applicable legal obligations.
5. Your relatives up to the second degree of consanguinity or affinity, where appropriate, to comply with labor or public official regulations regarding leave for illness of relatives.

All information provided to us will be treated confidentially and in strict compliance with the necessary security obligations to prevent access by unauthorized third parties.

 

What are your rights when you provide us with your data?

You may exercise your rights of access; rectification of inaccurate data; request deletion when, among other reasons, the data are no longer necessary for the purposes for which they were collected; in certain circumstances, you may also request the limitation of the processing of your data, in which case we will only keep them for the exercise or defense of claims; finally, and for reasons related to your particular situation, you may also exercise the right to object and data portability. You may also revoke, at any time, the consent given for the processing of your data.

The exercise of rights, as well as the revocation of consent for the processing of your data, is free of charge, except in the cases of Article 12.5 of Regulation (EU) 679/2016. You can exercise your rights in person at the patient service of the Laboratory that provides you assistance, by postal mail addressed to “Patient Service” C/ Provença, 312 baixos – 08037 Barcelona (Barcelona). Email: info@laboratorioechevarne.com with the reference “data protection rights”, providing a photocopy of your ID or equivalent document and indicating the right you wish to exercise.

We inform you of the possibility of filing a complaint with the competent supervisory authority, according to the procedure applicable to the specific case. (www.aepd.es)