Privacy Policy

DATA CONTROLLER

The Data Controller is PABLO CASTILLO QUINTANA, CALLE JUAN CARLOS I, 73, 29130, ALHAURÍN DE LA TORRE (MALAGA).

Privacy principles

From PABLO CASTILLO QUINTANA we commit to you to work continuously to guarantee privacy in the processing of your personal data, and to offer you at all times the most complete and clear information we can. We encourage you to read this section carefully before providing us with your personal data. If you are under fourteen years old, please do not provide us with your data without parental consent.

In this section we inform you how we process the data of people who have a relationship with our organization. Starting with our principles:

• We do not request personal information unless it is necessary to provide you with the services you require.
• We never share personal information with anyone, except to comply with the law, when necessary to provide you with the service, or when we have your express authorization.
• We will never use your personal data for purposes other than those expressed in this privacy policy.
• Your data will always be processed with an adequate level of protection according to data protection legislation, and we will not subject them to automated decisions without expressly informing you.

We have written this privacy policy taking into account the requirements of current data protection legislation:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons (GDPR).
• Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (LOPD).
• Royal Decree 1720/2007, of December 21 (RLOPD).

This privacy policy is written on December 6, 2018.

Due to the modification of processing criteria, in order to facilitate your understanding or to adapt it to current legality, we may modify this privacy policy. We will update its date so that you can check its validity.

Treatments we perform

CONTACT PROCESSING

Legal Basis: Consent of the data subject

Treatment Purposes: Attend to your request, send you information and follow up on the request.

Collective: Contact persons, clients, suppliers

Data Categories: Name and surnames, telephone, email address

Recipient Categories: No data transfers to third parties are contemplated.

International Transfers: No international transfers of data are planned.

Deletion Period: Contact data will be kept for an indefinite period, or until the data subject requests its deletion.

Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

TREATMENT FOR ATTENTION TO PEOPLE'S RIGHTS (ARCO)

Legal Basis: GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the data controller. General Data Protection Regulation.

Treatment Purposes: Attend to requests in the exercise of rights established by the General Data Protection Regulation: Right of access, rectification, deletion, limitation, portability and opposition to automated decision-making.

Collective: Natural persons who request it (employees, clients, suppliers, contact persons)

Data Categories: Name and surnames, address, signature and telephone.

Recipient Categories: Personal data may be communicated to the Control Authority (Spanish Data Protection Agency) in the framework of an investigation for rights protection initiated by the data subject.

International Transfers: No international transfers of data are planned.

Deletion Period: They will be kept for a period of five years from the time of the request.

Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

SUPPLIERS TREATMENT

Legal Basis: GDPR: 6.1.b) Processing necessary for the execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. Royal Legislative Decree 2/2015, of October 23, approving the consolidated text of the Workers' Statute Law. Law 58/2003, of December 17, General Tax Law.

Treatment Purposes: - Acquisition of products and/or services that we need for the development of our activity. - Control of subcontractors if applicable.

Collective: - Suppliers. - People who work for our suppliers.

Data Categories: - Name and surnames, DNI/NIF/Identification document, address, signature and telephone. - Employment detail data: job position. Training in occupational safety. - Economic financial and insurance data: Banking data.

Recipient Categories: - Financial institutions. (Payment of invoices) - State Tax Administration Agency.

International Transfers: No international transfers of data are planned.

Deletion Period: They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine possible responsibilities that could arise from said purpose and data processing, in accordance with Law 58/2003, of December 17, General Tax Law,

Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

SECURITY BREACH NOTIFICATION TREATMENT

Legal Basis: GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the data controller. General Data Protection Regulation. Articles 33 and 34

Treatment Purposes: Management and evaluation of security breaches that occur in our organization.

Collective: Variable: Employees, Clients, Suppliers, Contact Persons (will depend on the security breach)

Data Categories: Variable. (Will depend on the security breach)

Recipient Categories: - Spanish Data Protection Agency. - State Security Forces and Bodies.

International Transfers: No international transfers of data are planned.

Deletion Period: They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine possible responsibilities that could arise from said purpose and data processing. The provisions of the archival and documentation regulations will apply.

Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

MEDICAL RECORDS TREATMENT

Legal Basis: GDPR: 6.1.b) Processing necessary for the execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Treatment Purposes: Manage patient health data (Medical records) to make diagnoses and follow medical treatments

Collective: Patients

Data Categories: - Name and surnames, DNI/NIF/Identification document, address, signature and telephone. - Health Data

Recipient Categories: Public administration with health competencies

International Transfers: No international transfers of data are planned.

Deletion Period: They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine possible responsibilities that could arise from said purpose and data processing.

Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

YOUR RIGHTS

You have the right to request a copy of your personal data, to rectify inaccurate data or complete it if it is incomplete, or delete it when it is no longer necessary for the purposes for which it was collected.

You also have the right to limit the processing of your personal data and to obtain your personal data in a structured and readable format.

You can oppose the processing of your personal data in some circumstances (particularly when we do not have to process them to comply with a contractual requirement or other legal requirement, or when the purpose of processing is direct marketing).

When you have given us your consent, you may withdraw it at any time. At that time we will stop processing your data or, where appropriate, stop doing so for that specific purpose. If you decide to withdraw your consent, this will not affect any processing that has taken place while your consent was in force.

These rights may be limited; for example if to fulfill your request we would have to reveal data about another person, or if you ask us to delete some records that we are obliged to maintain for a legal obligation or legitimate interest, such as the exercise of defense against claims. Or even in those cases where the right to freedom of expression and information must prevail.

You can contact us by any of the means indicated in the Data Controller section of this privacy policy, providing a copy of a document that proves your identity (usually the DNI). The most convenient way to exercise your rights is by accessing our RIGHTS PORTAL: https://www.adelopd.com/portalderechos/fisio-fit.

Another of your rights is not to be subject to a decision based solely on automated processing, including profiling that produces legal effects or affects you.

In the face of any violation of your rights, such as, for example, that we have not attended to your request, you have the right to file a complaint with the Control Authority in matters of data protection. This can be that of your country (if you live outside Spain) or the Spanish Data Protection Agency (if you live in Spain).

Links to third-party websites.

Our website may, on some occasions, contain links to other websites. It is your responsibility to make sure you read the data protection policy and legal conditions that apply to each site.

Third party data.

If you provide us with third party data, you assume the responsibility of informing them in advance as established in article 14 of the GDPR.