Data protection
Additional information on the processing of patients’ personal data
This document provides all the information on the processing of personal data that Grupo Vithas entities carry out on their patients’ data, and complements the basic information provided in the document “Information on the processing of personal data”, which all patients must sign.
- DATA CONTROLLERS AND DATA PROTECTION OFFICER
- ORIGIN OF YOUR DATA
- PURPOSES, LEGITIMATE BASES AND DATA CATEGORIES
- RETENTION PERIOD
- RECIPIENTS
- INTERNATIONAL TRANSFERS
- RIGHTS
1. DATA CONTROLLERS AND DATA PROTECTION OFFICER
Grupo Vithas aims to provide its patients with a homogeneous, quality and easily accessible service across all its hospitals and centres, requiring centralised and unified management of certain administrative, financial and strategic aspects. This implies a joint determination of the purposes and means for the processing of our patients’ personal data, which translates into the co-responsibility of all the entities that make up the Grupo Vithas and that manage hospitals, healthcare centres or services.
As joint data controllers, Grupo Vithas entities comply with the obligation to inform you about the processing of your data at the time of creating your client file (when you first go to any Grupo Vithas hospital or centre) by signing the relevant data protection document. Likewise, each of the entities of the Grupo Vithas will inform you specifically before carrying out any data processing for a purpose other than those indicated in that document, it being the individual obligation of each of them to provide you with this information. The consents you granted or denied when you created your client file, as well as any subsequent modifications you make to these consents, shall apply to all entities of the Grupo Vithas equally and without distinction.
In compliance with Article 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter, “GDPR”), you may request further information on the co-responsibility agreement between the entities of the Grupo Vithas.
In line with the aforementioned unified management, Grupo Vithas has appointed one Data Protection Officer for the entire group, whom you may contact for any matter related to the protection and processing of your personal data by any of the entities of the Grupo Vithas via the email address proteccion.datos@vithas.es.
To exercise your rights concerning the processing of your personal data, you can address them without distinction to any of the entities of the Grupo Vithas or to the specific email address, as indicated in the corresponding section of this document.
You can check which Grupo Vithas entity manages each of our hospitals (and the medical centres associated with each hospital) at this link: https://vithas.es/sociedades-vithas/.
2. ORIGIN OF YOUR DATA
As a general rule, the personal data we process is obtained directly from the patient or their representative, either because they provided it to us when their client file was created on their first visit to one of our centres, or because it arises from their interaction with us (for example, clinical information and documentation is generated in the course of providing health care).
However, we also receive information about patients from third parties who provide it to us, mainly in relation to the provision of health services, such as:
- Patients who come to our centres under the coverage of an insurance company, a mutual fund or another entity (national or foreign) obliged to pay for care: in these cases, the company that is obliged to pay for health care may provide us with information about the identity and coverage of the patient, as well as the limits of these (deductibles, copays, quantitative limits, exceptions, etc.).
- Patients who come to our centres under the coverage of agreements between Vithas and mutual insurance funds affiliated with the social security system: these mutual funds provide us with basic information about the patient, information about their health that is relevant to the care (collected by the mutual fund’s own health professionals), and the identification of the patient as a beneficiary of the coverage provided by the mutual fund.
- Patients referred to our centres by other centres or healthcare professionals not affiliated with Vithas: these centres or professionals provide us with the identity and contact information needed to admit and treat the patient, who must have been informed, or have given their consent, before said data was transferred.
- Patients referred by an employer’s medical service as part of agreements between Vithas and the patient’s employer: the employer’s medical service provides us with the patient’s basic identity and contact information, confirmation that he/she is an employee of said company (and is therefore entitled to healthcare coverage), and the health data relevant to offering the patient appropriate medical or health care, provided that he/she has consented to it.
- Patients treated under the coverage of health agreements with public administrations: bodies that have an agreement with Vithas to provide their patients with health care provide us with the identity data to verify the patient’s right to coverage of the requested health care, as well as the patient’s personal health information that is necessary for the health care.
- Foreign patients coming from vessels that dock in Spanish ports and are treated in hospitals and Vithas centres with the intermediation of consignee entities: these consignee entities provide us with the identification data needed for admission and, where appropriate, the data needed to confirm the coverage that the patient may have contracted, in order to invoice the services to the corresponding entity.
3. PURPOSES, LEGITIMATE BASES AND DATA CATEGORIES
| Purpose | Legitimate basis | Data categories |
| --- | --- | --- |
| Provide the requested care service, which includes: administrative management of the patient’s appointments and admission; opening and maintaining the medical record; prevention, diagnosis and medical treatment or follow-up of the clinical process through various channels (face-to-face, medical chat and video consultation); contacting the patient or their representative about the service (e.g. to remind them of appointments and check-ups or to notify the availability of results); billing the services provided; responding to complaints or claims related to the services provided and, in general, any necessary action to manage the provision of the health service. In case of vital emergencies, data may be processed for additional purposes that are directly related to the provision of health care (e.g. transfer to another centre). | The execution of the contractual relationship (Art. 6.1.b of the GDPR). Health data (specially protected data) are processed on the basis of their need for the provision of health care (exception of Article 9.2.h of the GDPR). Biometric data that may be collected in the biometric signature of contractual documentation are processed on the basis of the data subject’s explicit consent (Art. 9.2.a of the GDPR). In case of vital emergencies, personal data may be processed on the basis of protecting the patient’s vital interests (Arts. 6.1.d and 9.2.c of the GDPR). | Patient or patient representative identification data (name, surname, sex, date of birth, ID card/passport, nationality, health card, social security or insurance number); contact data (telephone, e-mail address, address); personal characteristics; health data (medical history/clinical documentation); biometric data (biometric signature); transactional data (payments, receipts, transfers, debits). |
| Respond to requests to access, deliver or send clinical information or documentation by the patient or legally authorised third parties. | Compliance with a legal obligation (Art. 6.1.c of the GDPR). Health data (specially protected data) are processed on the basis of their need for the provision of health care or the management of healthcare systems and services (exception of Article 9.2.h of the GDPR), as well as to address requests from courts and tribunals when performing their judicial duty (exception of Article 9.2.f of the GDPR). | Identification data of patients, their representatives or the applicant (name, surname, ID/passport); contact details (telephone, email address); patient health data (medical history/clinical documentation). |
| Conduct satisfaction surveys to assess, monitor and improve the quality of the care service provided. | The legitimate interest of the Data Controller in controlling and improving the quality of the care service provided to its patients (Art. 6.1.f of the GDPR). | Identification data (name); contact details (telephone, e-mail address, Vithas centre); information on the medical specialist provided; any other information you provide through the free text fields in the forms provided. |
| Inform the patient’s companions of their health status and their stay at or admission to the centre. | The consent given by the patient or his/her representative, where applicable, in the information on the processing of personal data document (Art. 6.1.a of the GDPR). | Identification data (name, surname); health data (information on the patient’s condition during their stay or admission to the centre). |
| Send personalised commercial communications about the services offered by Grupo Vithas based on the client profile created with the information collected or generated by Grupo Vithas. | The consent given by the patient or his/her representative, where applicable, in the information on the processing of personal data document (Art. 6.1.a of the GDPR). | Identification data (name, sex, age); contact details (telephone, email address, Vithas centre); health data (medical specialties visited). |
| When patients come to a Vithas centre under the coverage of a foreign entity located outside the European Economic Area (European Union, Iceland, Liechtenstein and Norway), we transfer personal data, including health data, to the insurance company, public health service or entity that must cover the health care provided, in order for it to verify, check and manage the coverage and cover the costs for the services performed. | The consent given by the patient or his/her representative, where applicable, in the information on the processing of personal data document (Art. 6.1.a of the GDPR). | Identification data of patients or their representatives (name, surname, sex, date of birth, ID/passport, nationality, health card and/or entity that will be in charge of health care); contact details (telephone, email address, address); personal characteristics; health data (medical history/clinical documentation); biometric data (biometric signature); transactional data (payments, deposits, transfers, debits). |
| Address complaints, claims and suggestions by patients, customers or third parties that are unrelated to a previous contractual relationship. | The legitimate interest of the Data Controller in responding to complaints, informal claims and suggestions sent by the data subjects, in order to understand the public’s perception of its image and pinpoint problems, issues and areas of improvement in its services, facilities, image, etc. (Art. 6.1.f of the GDPR). When official consumer claims are concerned, the basis for processing is the legal obligation under the applicable regional consumer regulations (Art. 6.1.c of the GDPR). | Identification details of the patient and/or claimant (name, surname, ID card/passport); contact details (telephone, e-mail address, address); health details (service or speciality against which the claim is being made); any other information that you provide through the free text fields in the forms provided. |
| Defending its interests in administrative and judicial proceedings brought by the Data Controller or directed against it. | Execution of the contractual relationship when the proceeding originates in a contractual relationship, or the legitimate interest of the Data Controller in exercising its right to effective judicial protection, when the claim does not originate in a previous contractual relationship (Art. 6.1.b of the GDPR). Health data (specially protected data) are processed on the basis of their need for the formulation, exercise and defence of claims (exception of Article 9.2.f of the GDPR). | Identification data (name, surname, date of birth, DNI/passport); contact details (telephone, email address, address); health data (medical history/clinical documentation). |
| Issue proof of the patient’s care or admission to the Vithas centre so that the patient or their companions may provide it to prove their stay at the centre. | Execution of the contractual relationship in the case of medical letters requested by the patient (Art. 6.1.b of the GDPR). In the case of medical letters requested by the patient’s companions, the basis for the processing is the legitimate interest of the companion in proving the accompaniment and care of the patient for the appropriate purposes, especially in relation to paid work leave (Art. 6.1.f of the GDPR). | Identification data of the patient and the companion (name, surname); data justifying the stay in the centre, without including health data. |
| Compliance with legal obligations that require the processing of personal data, such as: responding to information requests by judicial or administrative authorities (Spanish Tax Agency, health or consumer authorities, etc.) or disclosure of information to public registries. | Compliance with legal obligations applicable to the Data Controller (Art. 6.1.c of the GDPR). Health data and, where appropriate, genetic data (specially protected data) are processed on the basis of European Union law and Spanish law (exception of Article 9.2.h of the GDPR). Specifically, health data are processed to fulfil the legal obligations laid down by or arising from the rules listed in the Seventeenth Additional Provision of Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights. | Identification data (name, surname, date of birth, DNI/passport); contact details (telephone, email address, address); health data (medical history/clinical documentation). |
| Anonymise and pseudonymise data in order to carry out biomedical research projects using anonymised/pseudonymised data. This makes it possible to separate the data needed to carry out the research projects from the data that identifies the patients, in such a way that the patient cannot be identified from the medical information used for the research, or can be identified only with additional information that is kept separate from the medical data. | The legitimate interest of the Data Controller in promoting biomedical research. Health data (specially protected data) are processed on the basis of their need for scientific research (exception of Article 9.2.j of the GDPR and the Seventeenth Additional Provision of Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights). | Identification data (name, surname, date of birth, DNI/passport); contact details (telephone, email address, address); health data (medical history/clinical documentation). |
| Certain Vithas centres have a video surveillance system through which images of the centre’s users are collected in real time. This data is processed for the sole purpose of security and access control to the facilities. | The performance of a public interest mission (Art. 6.1.e of the GDPR). | Image of patients, accompanying persons and visitors in general. |
4. RETENTION PERIOD
In general, your data will only be kept for the time strictly necessary for the purpose for which they were collected.
The personal data provided, as well as those derived from the healthcare provided, will be kept for the periods established in the applicable national and regional regulations, and for at least five years from the time of discharge from each healthcare process, in accordance with the provisions of Law 41/2002, the basic law regulating patient autonomy and the rights and obligations regarding clinical information and documentation. Once the aforementioned minimum period has elapsed, and the care and contractual relationship has ended, the data controller shall keep the data duly blocked for the term of the periods corresponding to the legal prescription.
Personal data processed for the purpose of scientific research shall be kept for the time appropriate to each case, according to the type of research study in which the data subject participates and taking into account the regulations applicable thereto. Regarding data processed for scientific research purposes, the Supervisory Authorities of the Autonomous Communities may, at the request of the data controller and in accordance with the procedure established by regulation, agree to the full retention of certain data, taking into account its historical, statistical or scientific value in accordance with the legislation applicable to each case.
The personal data provided for the purpose of managing any request for information, complaint, suggestion, claim, exercise of data protection rights, etc., shall be kept for the time necessary to process the request, and in any case for the time legally established, as well as for the period necessary for the formulation, exercise or defence of claims.
The data processed for compliance with legal obligations will be kept for the period of time established in the applicable legislation.
The data collected for the formalisation and execution of the contract will be kept for the duration of the contractual relationship, as well as for the period necessary for the formulation, exercise or defence of claims, and in any case for at least five years.
Images captured through video surveillance systems shall be kept for a maximum period of 30 days, unless the data controller becomes aware of any fact that may be relevant for subsequent legal action.
For processing operations specifically consented to by the data subject, the data will be kept as long as the data subject does not revoke the consent given or request the deletion/cancellation of their data.
5. RECIPIENTS
The data controllers of your personal data, indicated in section 1, may transfer data to the categories of recipients indicated below:
- Other entities that make up the Grupo Vithas, on the basis of the legitimate interest in the Group’s proper internal management. You can consult all the companies that are part of the Grupo Vithas at this link: https://vithas.es/sociedades-vithas/.
- Insurance companies that must cover a civil liability generated by: (a) the health care provided by Vithas; (b) traffic accidents whose injured parties are treated at Vithas centres; and (c) other cases in which Vithas and/or the insurance company with which Vithas had contracted the coverage of the damage caused are responsible for paying the compensation or restoring the things or people to their original state prior to the damage.
Sometimes, the data will be passed to the Insurance Compensation Consortium when it is the latter — not an insurance company — that must cover the damages caused in a traffic accident.
This transfer is legitimised by Article 99 of Law 20/2015, of 14 July, on the organisation, monitoring and solvency of insurance and reinsurance companies.
- Healthcare professionals and their civil liability insurance companies in the context of judicial and extra-judicial claims that patients make against them, on the basis of the legitimate interest of professionals and companies to exercise their fundamental right to effective judicial protection.
- Competent administrative and judicial authorities when they require Vithas to provide information on patients in the context of administrative or judicial procedures of which they are aware (for example, the Spanish Tax Agency or health authorities with inspection and sanctioning powers).
- Registries, bodies and public authorities, to fulfil specific legal reporting or information obligations, such as:
  - The Spanish Agency of Medicines and Medical Devices and the competent body for pharmacovigilance in each autonomous community, to fulfil healthcare professionals’ obligation to report adverse reactions to medicinal products for human use.
  - The Registry of Specialised Healthcare Activities, under the Ministry of Health. The Minimum Basic Data Set, regulated in Royal Decree 69/2015, of 6 February, regulating the Registry of Specialised Healthcare Activities, is communicated pursuant to the legal obligation established in the aforementioned Royal Decree and in Article 53 of Law 16/2003, of 28 May, on the cohesion and quality of the National Health Service.
  - The corresponding regional registry of vital wills, living wills or previous instructions, when provided for by the applicable regional regulations.
- Insurance companies, mutual benefit funds, mutual funds for accidents at work and occupational illness, public health services and those other public or private entities that have been obliged to pay for the health care provided to patients, in order to justify the performance, the cost and the need or relevance of the health care.
- Mutual funds for accidents at work and occupational illness that have arranged health care with Vithas, in addition to the management of the health care which they are required to cover, as well as for the control of situations of temporary disability and the management of social security benefits.
- Independent healthcare professionals who work in Vithas centres, with the sole purpose of giving these professionals access to the clinical documentation needed to provide the health care required by the patient.
- Laboratories, when it is necessary to analyse samples for the correct diagnosis and treatment of the patient.
- Suppliers of prostheses and implantable medical devices, in compliance with the obligation to generate and provide the supplier with the Implant Card for medical devices indicated in Article 33 of Royal Decree 1591/2009, of 16 October, regulating medical devices. The supplier of the product must also send a copy of said Implant Card to the National Implant Registries created by virtue of Order SCO/3603/2003, of 18 December, to create National Implant Registries, under the Spanish Agency of Medicines and Medical Devices (AEMPS). All of the above is in the framework of the surveillance of medical devices established by the aforementioned Royal Decree 1591/2009 and which corresponds to the AEMPS.
- Financial institutions, to manage collections and payments from patients or their representatives, as well as to fulfil their money laundering prevention obligations.
- Emergency medical services and healthcare centres or professionals (public or private) in case of transfer or referral, either on request and with the authorisation of the patient or his/her representative, or in case of need.
- Security Forces and Bodies, as well as Courts and Tribunals in the case of images captured by video surveillance systems, on the basis of compliance with a legal obligation or for the formulation, exercise and defense of claims on the basis of legitimate interest, either their own or that of third parties, in exercising the right to effective judicial protection. In addition, the images and/or sounds captured may be accessed by service providers of the Data Controller in the private security and legal advice sectors.
Notwithstanding the foregoing, patients’ (and, where appropriate, their legal representatives’) personal data may be accessed by Vithas service providers in the technology and information systems, administrative management, marketing and legal advice and consulting sectors. These third parties will only access personal data under the instructions and supervision of Vithas, and for the sole purpose of performing the hired service.
6. INTERNATIONAL TRANSFERS
- In the case of patients coming to our centres under the coverage of entities located outside the European Economic Area (European Union, Iceland, Liechtenstein and Norway), international transfers of these patients’ personal data will be carried out in order to manage the coverage and obtain payment for the healthcare services provided. These transfers will always be made with the express and explicit consent of the patient, who will have provided it when they created their patient file. Should the patient refuse the transfer, the entity responsible for covering the expenses of the health care provided may refuse to cover them, as it is unable to validate and verify the care provided, meaning the patient must bear the cost of the care.
- International transfers also take place when the maintenance or repair of medical equipment requires remote access by a provider located in a territory outside the European Economic Area. Said access will in any case take place after adopting the appropriate guarantees provided for in the General Data Protection Regulation.
You can request more information about any of the above international transfers by contacting proteccion.datos@vithas.es.
7. RIGHTS
You may exercise your rights of access, rectification, erasure, portability, objection and restriction of the processing we carry out on your personal data, as well as the right not to be subject to a decision based solely on automated processing of your data. You have the right to withdraw the consents given at any time.
For greater efficiency in the management of your request, please indicate the company of the Grupo Vithas, hospital or centre to which the request is linked, if any.
To exercise your rights, you can write a letter to the address of the corresponding entity or centre, or email us at our single, centralised address proteccion.datos@vithas.es.
Likewise, we inform you that you have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).