PRIVACY POLICY

COMPLETE POLICY ON PERSONAL DATA PROTECTION

Both data privacy and information confidentiality are important aspects for C&B MEDICAL PLUS SLP. This data protection policy establishes how personal data obtained by the center is processed and may change over time due to possible legislative or jurisprudential changes, or changes in the criteria followed by the Spanish Data Protection Agency and/or the competent authority at any given time. Therefore, C&B MEDICAL PLUS SLP reserves the right to modify this policy to adapt it to new legislation or jurisprudence in force at the time of access to the website.

Last updated: 25/10/2025

1. RESPONSIBLE
Who is responsible for the processing of your data?
C&B MEDICAL PLUS SLP
Canigo Round, 10. c 4
08950 Esplugues de Llobregat
CIF: B65773566
Mail: consultas@ginecologiaavanzada.es

2. PURPOSES
What is the purpose of processing your data?
As a patient:
We process our patients’ personal data for the following purposes:
1. To manage visits, diagnoses, and any medical treatments or other health-related services and dermatological services provided at any time by this center, as well as billing and the necessary communications for the provision of the aforementioned services.
2. To send informational communications about the promotion of products and services offered by the medical practice, provided you have previously authorized us to do so.
3. To address any complaint or request you submit through the forms available on the website or any other available contact method.
4. To manage online appointments.

We inform you that the processing of health data involves the processing of special categories of data. This processing is necessary for the management of healthcare services and will be carried out by professionals bound by professional secrecy.
The personal data collected is strictly necessary for providing the service and managing the established relationship, and is adequate, relevant, and not excessive, limited to what is necessary in relation to the purposes for which it is processed.

To ensure your information is current, accurate, and up-to-date, please inform us of any changes or modifications.
As a supplier and/or collaborator: We process the personal data of our suppliers and collaborators to manage our established professional relationship.
As a job applicant: We process the resumes of job applicants to manage open recruitment processes at our center.

3. LEGAL BASIS AND RETENTION PERIODS
What is the legal basis for processing your data and how long do we keep it?
As a patient:
The legal basis for processing your personal data is the contracting of the requested medical services and the legitimate interest of the center in addressing your inquiries and requests.
In some cases, the legal basis for processing will be the protection of the vital interests of the data subject or other natural persons.
For processing for promotional purposes of the center’s services and products, the legal basis will be your consent.
Retention period:
The personal data provided and your medical record will be kept in all cases for the duration of the established healthcare relationship and, once this relationship has ended, for the statutory limitation periods established in Law 21/2000, of December 29, on the rights to information concerning health and patient autonomy, and clinical documentation. The medical record, along with each patient’s identification data, will be kept for at least fifteen years from the date of discharge from each episode of care. All other documentation will be destroyed five years after the date of discharge from each episode of care.
Contact information for sending informational communications will be kept until the user requests its deletion.
As a supplier and/or collaborator:
The legal basis for processing is the existence of a contractual relationship.
Retention period:
Data will be kept in all cases for the duration of the contractual relationship and subsequently for the legal periods established in civil law for the statute of limitations on contractual obligations and in accounting and tax legislation.
As a job applicant:
The legal basis for processing is the adoption of pre-contractual measures in the selection processes that the entity has open, and your consent for the retention of the CV for future selection processes.
Retention period:
The data will be kept for a maximum of 2 years. After that, it will be deleted.

4. DATA RECIPIENTS
Who will we share your personal data with?
Patient data may be disclosed to third parties in the following cases:
• To duly accredited healthcare administration personnel performing inspection functions, in order to verify the quality of care, compliance with patient rights, or any other obligation of the medical practice in relation to patients.
• To the healthcare administration for epidemiological, research, or teaching purposes, always keeping the patient’s personal identification data separate from clinical and healthcare data.
• To judges and courts in the context of a legal request.
• To healthcare professionals involved in diagnosis or medical treatment; to administrative staff only when necessary for the performance of their duties.
• To the health mutuals for the management of the requested medical-health services and their corresponding payment.
• To medical entities, companies and/or professionals for the purpose of billing the service provided.
• To medical laboratories for the performance of medical tests.
All personnel who access any type of medical record data in the course of their duties are subject to the duty of confidentiality.
Patient data, medical records and online appointments are hosted on a medical management program located on an external server. Its provider complies with the guarantees and security measures established by the GDPR, and the data processing agreement has been signed with that provider.
International transfer of your data is not planned.

5. DATA SUBJECT RIGHTS
What are your data protection rights?
Everyone has the right to obtain information about what data C&B MEDICAL PLUS is processing.
Below, we outline your rights:
1. Right to access your personal data and obtain a copy of it.
2. Right to request the rectification of inaccurate data or, where appropriate, to request its erasure when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
3. In certain circumstances, you may request the restriction of the processing of your data, in which case it will only be retained for the exercise or defense of legal claims.
4. In certain circumstances and for reasons related to your particular situation, you may object to the processing of your data. The center will cease processing the data, except for compelling legitimate grounds, or for the exercise or defense of possible legal claims.
5. Portability: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the company, in a structured, commonly used and machine-readable format when:
a) the processing is based on consent or a contract, and b) the processing is carried out by automated means.
6. We inform you of your right to lodge a complaint with the supervisory authority (Spanish Data Protection Agency – www.agpd.es) if you believe that the exercise of your rights indicated herein has not been satisfied.

To exercise these rights, you can contact us via email at consultas@ginecologiaavanzada.es, providing the following information:
• First and last name
• Contact email address
• Right you wish to exercise
• Details of your request
We will respond to your request within one month and notify you at the email address you provided.

6. SECURITY OF PROCESSING
What security measures do we implement in our information systems?
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, C&B MEDICAL PLUS shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, preventing the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure of or access to such data.