Additional information on the processing of patients’ personal data
This document provides all the information on the processing of personal data that Grupo Vithas entities carry out on their patients’ data, and complements the basic information provided in the document “Information on the processing of personal data”, which all patients must sign.
Below is an index to locate information you may be interested in about the processing of your personal data.
- DATA CONTROLLERS AND DATA PROTECTION OFFICER
- ORIGIN OF YOUR DATA
- PURPOSES AND LEGITIMATE BASES
- RETENTION PERIOD
- INTERNATIONAL TRANSFERS
Grupo Vithas aims to provide its patients with a homogeneous, quality and easily accessible service across all its hospitals and centres, requiring centralised and unified management of certain administrative, financial and strategic aspects. This implies a joint determination of the purposes and means for the processing of our patients’ personal data, which translates into the co-responsibility of all the entities that make up the Grupo Vithas and that manage hospitals, healthcare centres or services.
As joint data controllers, Grupo Vithas entities comply with the obligation to inform you about the processing of your data at the time of creating your client file (when you first go to any Grupo Vithas hospital or centre) by signing the relevant data protection document. Likewise, each of the entities of the Grupo Vithas will inform you specifically before carrying out any data processing for a purpose other than those indicated in that document, it being the individual obligation of each of them to provide you with this information. The consents you granted or denied when you created your client file, as well as any subsequent modifications you make to these consents, shall apply to all entities of the Grupo Vithas equally and without distinction.
In compliance with Article 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter, “GDPR”), you may request further information on the co-responsibility agreement between the entities of the Grupo Vithas.
In line with the aforementioned unified management, Grupo Vithas has appointed one Data Protection Officer for the entire group, whom you may contact for any matter related to the protection and processing of your personal data by any of the entities of the Grupo Vithas via the email address firstname.lastname@example.org.
To exercise your rights concerning the processing of your personal data, you can address them without distinction to any of the entities of the Grupo Vithas or to the specific email address, as indicated in the corresponding section of this document.
Below is information on which Grupo Vithas entity manages each of our hospitals (and the medical centres associated with each of these hospitals):
|Name of entity||Hospital, Medical Centre or Service||Address|
|IQUIMESA SERVICIOS SANITARIOS S.L.U.|
Tax ID No: B01118595
|Calle Beato Tomás de Zumárraga, 10 (Vitoria)|
|Vithas Vitoria||Calle Beato Tomás de Zumárraga, 10 (Vitoria)|
|VITHAS ALICANTE S.L.|
Tax ID No: B03000684
|Plaza Doctor Gómez Ulla, 15 (Alicante)|
|Vithas Medimar||Avenida de Denia, 78 (Alicante)|
|Vithas Alicante||Plaza Doctor Gómez Ulla, 15 (Alicante)|
|SANATORIO VIRGEN DEL MAR CRISTÓBAL CASTILLO S.A.|
Tax ID No: A04024071
|Carretera del Mamí, km1 (Almería)|
|Vithas Almería||Carretera del Mamí, km1 (Almería)|
|HOSPITAL REY DON JAIME S.L.U.|
Tax ID No: B96994231
|Avenida Valle de la Ballestera, 59|
|Vithas Castellón||Carrer Santa María Rosa Molas, 25 (Castellón de la Plana)|
|ALIANZA MÉDICA LERIDANA. S.A.|
Tax ID No: A25000258
|Carrer del Bisbe Torres, 9 (Lleida)|
|Vithas Lleida||Carrer del Bisbe Torres, 13 (Lleida)|
Tax ID No: A28235224
|Calle Arturo Soria, 103 (Madrid)|
|Vithas Madrid Arturo Soria||Calle Arturo Soria, 103 (Madrid)|
|HOSPITAL LA MILAGROSA, S.A.U.|
Tax ID No: A28034031
|Calle Modesto Lafuente, 14 (Madrid)|
|Vithas Madrid La Milagrosa||Calle Modesto Lafuente, 14 (Madrid)|
|HOSPITAL PARDO DE ARAVACA S.A.U.|
Tax ID No: A82786526
|Calle La Salle, 12 (Madrid)|
|Vithas Madrid Aravaca||Calle La Salle, 12 (Madrid)|
|VITHAS SANIDAD MÁLAGA INTERNACIONAL S.L.|
Tax ID No: B14708945
|Camino de Gilabert, s/n (Benalmádena)|
|Vithas Málaga||Avenida Pintor Sorolla, 2 (Málaga)|
|Vithas Xanit International||Avenida de los Argonautas, s/n (Benalmádena)|
|VITHAS HOSPITALES S.L.U.|
Tax ID No: B36787844
|Calle Arturo Soria 107 (Madrid)|
|Vithas Vigo||Calle Vía Norte, 48 (Vigo)|
|Vithas Las Palmas||Calle León y Castillo, 292 (Las Palmas de Gran Canaria)|
|Vithas Tenerife||Calle Enrique Wolfson, 8 (Santa Cruz de Tenerife)|
|Vithas Granada||Avenida Santa María de la Alhambra, 6 (Granada)|
|Vithas International||Calle Arturo Soria, 107 (Madrid)|
|GESNISA SEVILLA S.L.U.|
Tax ID No: B97338552
|Avenida Valle de la Ballestera, 59 (Valencia)|
|Vithas Sevilla||Avenida Plácido Fernández Viagas, s/n (Sevilla)|
|HOSPITAL AGUAS VIVAS S.A.|
Tax ID No: A46663324
|Partida del Monasterio de Aguas Vivas|
|Vithas Aguas Vivas||Carretera Alzira-Tavernes de Valldigna CV-50, Km 12|
|Vithas Instituto de Neurorehabilitación||Calle María de Maeztu, 5 (Elche)|
|HOSPITAL 9 DE OCTUBRE S.A.U.|
Tax ID No: A46582326
|Avenida Valle de la Ballestera, 59 (Valencia)|
|Vithas Valencia 9 de Octubre||Avenida Valle de la Ballestera, 59 (Valencia)|
|NISA NUEVAS INVERSIONES EN SERVICIOS S.A.|
Tax ID No: A46036984
|Avenida Valle de la Ballestera, 59 (Valencia)|
|Vithas Valencia Consuelo||Callosa d'en Sarrià, 12 (Valencia)|
As a general rule, the personal data we process is obtained directly from the patient or their representative, either because they provided it to us when their client file was created the first time they visited one of our centres, or from interacting with us (for example, clinical information and documentation is generated through providing the health care).
However, we also receive information about patients from third parties who provide it to us, mainly in relation to the provision of health services, such as:
- Patients who come to our centres under the coverage of an insurance company, a mutual fund or another entity (national or foreign) obliged to pay for care: in these cases, the company that is obliged to pay for health care may provide us with information about the identity and coverage of the patient, as well as the limits of these (deductibles, copays, quantitative limits, exceptions, etc.).
- Patients who come to our centre under the coverage of agreements between Vithas and mutual insurance funds affiliated with the social security system: these mutual funds provide us with basic information about the patient, information about their health that is relevant to the care, which the mutual fund would have collected through their own health professionals, as well as the identification of the patient as a beneficiary of the coverage provided by the mutual fund.
- Patients who come to our centre sent from other centres or healthcare professionals not affiliated with Vithas: these centres or professionals provide us with the necessary identity and contact information to admit and treat the patient, who must have been informed or have given their consent prior to transferring said data.
- Patients referred by the company’s medical services as part of agreements between Vithas and the patient’s employer: the company’s medical service provides us with the patient’s basic identity and contact information, confirmation that he/she is an employee of said company (and that he/she is therefore entitled to healthcare coverage) as well as the health data that are relevant to offer the patient appropriate medical or health care, provided that he/she has consented to it.
- Patients treated under the coverage of health agreements with public administrations: bodies that have an agreement with Vithas to provide their patients with health care provide us with the identity data to verify the patient’s right to coverage of the requested health care, as well as the patient’s personal health information that is necessary for the health care.
- Foreign patients coming from vessels that dock in Spanish ports and are treated in hospitals and Vithas centres with the intermediation of consignee entities: these consignee entities provide us with the identification data needed for admission and, where appropriate, the data needed to confirm the coverage that the patient may have contracted, in order to invoice the services to the corresponding entity.
|Provide the requested care service, which includes: administrative management of the patient’s appointments and admission; opening and maintaining the medical record; prevention, diagnosis and medical treatment or follow-up of the clinical process through various channels (face-to-face, medical chat and video consultation); contacting the patient or their representative about the service (e.g. to remind them of appointments and check-ups or to notify the availability of results); billing the services provided; responding to complaints or claims related to the services provided and, in general, any necessary action to manage the provision of the health service.|
In case of vital emergencies, data may be processed for additional purposes that are directly related to the provision of health care (e.g. transfer to another centre).
|The execution of the contractual relationship (Art. 6.1.b of the GDPR).|
Health data (specially protected data) are processed on the basis of their need for the provision of health care (exception of Article 9.2.h of the GDPR).
In case of vital emergencies, personal data may be processed on the basis of protecting the patient’s vital interests (Arts. 6.1.d and 9.2.c of the GDPR).
|Respond to requests to access, deliver or send clinical information or documentation by the patient or legally authorised third parties.||Compliance with a legal obligation (Art. 6.1.c of the GDPR)|
Health data (specially protected data) are processed on the basis of their need for the provision of health care or the management of healthcare systems and services (exception of Article 9.2.h of the GDPR), as well as to address requests from courts and tribunals when performing their judicial duty (exception of Article 9.2.f of the GDPR).
|Conduct satisfaction surveys to assess, monitor and improve the quality of the care service provided.||The legitimate interest of the Data Controller in controlling and improving the quality of the care service provided to its patients (Art. 6.1.f of the GDPR).|
|Inform the patient’s companions of their health status and their stay at or admission to the centre.||The consent given by the patient or his/her representative, where applicable, in the information on the processing of personal data document (Art. 6.1.a of the GDPR).|
|Send personalised commercial communications about the services offered by Grupo Vithas based on the client profile created with the information collected or generated by Grupo Vithas.||The consent given by the patient or his/her representative, where applicable, in the information on the processing of personal data document (Art. 6.1.a of the GDPR).|
|When patients come to a Vithas centre under the coverage of a foreign entity located outside the European Economic Area (European Union, Iceland, Liechtenstein and Norway), we transfer personal data, including health data, to the insurance company, public health service or entity that must cover the health care provided, in order for it to verify, check and manage the coverage and cover the costs for the services performed.||The consent given by the patient or his/her representative, where applicable, in the information on the processing of personal data document (Art. 6.1.a of the GDPR).|
|Address complaints, claims and suggestions by patients, customers or third parties that are unrelated to a previous contractual relationship.||The legitimate interest of the Data Controller in responding to complaints, informal claims and suggestions sent by the data subjects to understand the public’s perception of their image and pinpoint problems, issues and areas of improvement in their services, facilities, image, etc. (Art. 6.1.f of the GDPR).|
When official consumer claims are concerned, the basis for processing is the legal obligation under the applicable regional consumer regulations (Art. 6.1.c of the GDPR).
|Defending its interests in administrative and judicial proceedings brought by the Data Controller or directed against it.||Execution of the contractual relationship when the proceeding originates in a contractual relationship, or the legitimate interest of the Data Controller in exercising its right to effective judicial protection, when the claim does not originate in a previous contractual relationship (Art. 6.1.b of the GDPR).|
Health data (specially protected data) are processed on the basis of their need for the formulation, exercise and defence of claims (exception of Article 9.2.f of the GDPR).
|Issue proof of the patient’s care or admission to the Vithas centre so that the patient or their companions may provide them to prove their stay at the centre.||Execution of the contractual relationship in case of medical letters requested by the patient (Art. 6.1.b of the GDPR).|
In the case of medical letters requested by the patient’s companions, the basis for the processing is the legitimate interest of the companion in proving the accompaniment and care of the patient for the appropriate purposes, especially in relation to paid work leave (Art. 6.1.f of the GDPR).
|Compliance with legal obligations that require the processing of personal data, such as: responding to information requests by judicial or administrative authorities (Spanish Tax Agency, Health or Consumer Authorities, etc.) or divulgence of information to public records.||Compliance with legal obligations applicable to the Data Controller (Art. 6.1.c of the GDPR).|
Health data and, where appropriate, genetic data (specially protected data) are processed on the basis of European Union law and Spanish law (exception of Article 9.2.h GDPR). Specifically, health data are processed to fulfil the legal obligations laid down by or arising from the rules listed in the Seventeenth Additional Provision of Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights.
|Anonymise and pseudonymise data in order to carry out biomedical research projects using anonymised/pseudonymised data. This makes it possible to separate the data needed to carry out the research projects from the data that identifies the patients, in such a way that it becomes impossible to identify the patient from the medical information used for the research refers, or that for this purpose additional information is required that is kept separate from the medical data.||The legitimate interest of the Data Controller in promoting biomedical research.|
Health data (specially protected data) are processed on the basis of their need for scientific research (exception of Article 9.2.j of the GDPR and the Seventeenth Additional Provision of the Organic Law 3/2018 on Protection of Personal Data and Guarantee of Digital Rights).
The personal data that you have provided to us, the data that have been generated through the services performed by Vithas, as well as those that have been obtained from third parties (as indicated in the section “Origin of your data”) shall be kept for the periods established in the applicable national and regional regulations, and at least for the five years following discharge from each visit, as provided for in Law 41/2002, regulating patient autonomy and health documentation- and information-related rights and obligations. For processing that the user has specifically consented to, the data shall be kept as long as the holder does not withdraw the consent given or request the deletion/cancellation of their data.
The data controllers of your personal data, indicated in section 1, may transfer data to the categories of recipients indicated below:
- Other entities that make up the Grupo Vithas, on the basis of the legitimate interest in the Group’s proper internal management. You can consult all the companies that are part of the Grupo Vithas at this link: https://vithas.es/sociedades-vithas/.
- Insurance companies that must cover a civil liability generated by: (a) the health care provided by Vithas; (b) traffic accidents whose injured parties are treated at Vithas centres; and (c) other cases in which Vithas and/or the insurance company with which Vithas had contracted the coverage of the damage caused are responsible for paying the compensation or restoring the things or people to their original state prior to the damage.
Sometimes, the data will be passed to the Insurance Compensation Consortium when it is the latter — not an insurance company — that must cover the damages caused in a traffic accident.
This transfer is legitimised by Article 99 of Law 20/2015, of 14 July, on the organisation, monitoring and solvency of insurance and reinsurance companies.
- Healthcare professionals and their civil liability insurance companies in the context of judicial and extra-judicial claims that patients make against them, on the basis of the legitimate interest of professionals and companies to exercise their fundamental right to effective judicial protection.
- Competent administrative and judicial authorities when they require Vithas to provide information on patients in the context of administrative or judicial procedures of which they are aware (for example, the Spanish Tax Agency or health authorities with inspection and sanctioning powers).
- Registries, bodies and public authorities, to fulfil specific legal reporting or information obligations, such as:
- The Spanish Agency of Medicines and Medical Devices and the competent body for pharmacovigilance in each autonomous community, to fulfil healthcare professionals’ obligation to report adverse reactions to medicinal products for human use.
- Registry of Specialised Healthcare Activities, under the Ministry of Health. The Minimum Basic Data Set is communicated, regulated in Royal Decree 69/2015, of 6 February, regulating the Registry of Specialised Healthcare Activities, pursuant to the legal obligation established in the aforementioned Royal Decree and in Article 53 of Law 16/2003, of 28 May, on the cohesion and quality of the National Health Service.
- Corresponding regional registry of vital wills, living wills or previous instructions, when provided for by the applicable regional regulations.
- Insurance companies, mutual benefit funds, mutual funds for accidents at work and occupational illness, public health services and those other public or private entities that have been obliged to pay for the health care provided to patients, in order to justify the performance, the cost and the need or relevance of the health care.
- Mutual funds for accidents at work and occupational illness that have arranged health care with Vithas, in addition to the management of the health care which they are required to cover, as well as for the control of situations of temporary disability and the management of social security benefits.
- Independent healthcare professionals who work in Vithas centres, with the sole purpose of giving these professionals access to the clinical documentation needed to provide the health care required by the patient.
- Laboratories, when it is necessary to analyse samples for the correct diagnosis and treatment of the patient.
- Suppliers of prostheses and implantable medical devices: in compliance with the obligation to generate and provide the supplier with the Implant Card for medical devices indicated in Article 33 of Royal Decree 1591/2009, of 16 October, regulating medical devices.
The supplier of the product must also send a copy of said Implant Card to the National Implant Registries created by virtue of Order SCO/3603/2003, of 18 December, to create National Implant Registries, under the Spanish Agency of Medicines and Medical Devices (AEMPS).
All of the above is in the framework of the surveillance of medical devices established by the aforementioned Royal Decree 1591/2009 and which corresponds to the AEMPS.
- Financial institutions, to manage collections and payments from patients or their representatives, as well as to fulfil their money laundering prevention obligations.
- Emergency medical services and healthcare centres or professionals (public or private) in case of transfer or referral, either on request and with the authorisation of the patient or his/her representative, or in case of need.
Notwithstanding the foregoing, patients’ (and, where appropriate, their legal representatives’) personal data may be accessed by Vithas service providers in the technology and information systems, administrative management, marketing and legal advice and consulting sectors. These third parties will only access personal data under the instructions and supervision of Vithas, and for the sole purpose of performing the hired service.
In the case of patients coming to our centres under the coverage of entities that are located outside the European Economic Area (European Union, Iceland, Liechtenstein and Norway), international transfers will be carried out with the personal data of these patients, in order to manage the coverage and obtain payment for the healthcare services provided.
These transfers will always be made with the express and explicit consent of the patient, who will have provided it when they created their patient file.
Should the patient refuse the transfer, it is possible that the entity responsible for covering the expenses of the health care provided may refuse to cover them as it is not able to validate and verify the care provided, meaning the patient must bear the cost of the care.
You may exercise your rights of access, rectification, erasure, portability, objection and restriction of the processing that we do of your personal data and not to be subject to a decision based solely on automated processing of your data. You have the right to withdraw the consents given at any time.
For greater efficiency in the management of your request, please indicate the company of the Grupo Vithas, hospital or centre to which the request is linked, if any.
To exercise your rights, you can write a letter to the address of the corresponding entity or centre, or email us at our single, centralised address email@example.com.