Basic information on Data Protection
| Field | Information |
|---|---|
| Controller | JORDI NOGUÉ BENEDICTO DNI 47919195Y C/ de la Marina, no. 18, 08150, Parets del Vallès Phone: 620 286 513 info@fisioheartandhealth.com |
| DPO | fisioterapia.jordi912@gmail.com |
| Purpose | Enquiries, appointment bookings and third-party information requests: management and response to enquiries, appointment bookings and information requests made through the contact channels on the website, including the internal administrative management required to handle such requests. |
| Lawful basis | Enquiries, appointment bookings and third-party information requests: the processing of personal data is based on the legitimate interest of “Heart and health” in managing and responding to enquiries and information requests submitted by the data subject. |
| Retention | Personal data will be retained for as long as necessary to fulfil the purpose for which it was collected. Once that purpose has been achieved, the data will be blocked and will remain available only to deal with possible legal, administrative or judicial liabilities during the applicable limitation periods. After this period, the data will be securely deleted. The second information layer sets out the specific retention periods applicable to each category of data. |
| Source | Enquiries, appointment bookings and third-party information requests: the data is provided directly by the data subject or by their legal representative through the channels enabled on the website. The data subject is asked to ensure that the information provided is true and accurate and is responsible for its truthfulness. |
| Recipients | Personal data will be processed exclusively by “Heart and health”. It may also be shared with service providers acting as processors, who assist us in providing services necessary to fulfil the stated purposes. These processors have signed the corresponding data processing agreement in compliance with Article 28 of the GDPR, ensuring appropriate protection and confidentiality measures. |
| International transfers | No international transfers of personal data are carried out. |
| Rights | Access, rectification, objection, erasure, restriction of processing and portability of personal data, as explained in the relevant section. |
| Additional information | You can consult additional and detailed information on Data Protection in the section breakdown presented below, corresponding to the second information layer. |
General information
This Privacy Policy is intended to inform you of the conditions governing the collection and processing of your personal data by our organisation, in order to safeguard your fundamental rights, honour and freedoms, all in compliance with the current regulations governing personal data protection: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, GDPR); and Spanish Organic Law 3/2018 of 5 December on Personal Data Protection and the guarantee of digital rights (hereinafter, LOPDGDD).
In accordance with these regulations, we need your authorisation and consent for the collection and processing of your personal data. Therefore, below we provide all relevant details on how we carry out these processes, for what purposes, which other entities may have access to your data and what your rights are.
Controller. Who is the controller of your data?
The data controller is the natural or legal person, whether public or private, or administrative body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
We inform you that JORDI NOGUÉ BENEDICTO (hereinafter, “Heart and health”) is the owner of the website fisioheartandhealth.com, with DNI 47919195Y and address at C/ de la Marina, no. 18, 08150, Parets del Vallès. You may contact us by phone at 620 286 513. The DPO contact address is info@fisioheartandhealth.com.
The personal data collected will be only that which is strictly necessary to identify and manage the request submitted by the data subject. Such data will be processed fairly, lawfully and transparently, and always in relation to the established purposes.
The data will be collected only for specific, explicit and legitimate purposes and will not be further processed in a way that is incompatible with those purposes. We will also ensure that the data is adequate, relevant and limited to what is necessary in relation to the applicable purposes, and that it is updated when necessary.
Before data is collected, the data subject will be informed of the essential aspects set out in this policy so that they may provide clear, informed and specific consent, where such consent is required.
Purpose. For what purpose do we process your personal data?
The personal information you provide to us by email will be processed confidentially and with the highest protection safeguards. It will never be used for purposes other than those specified, nor disclosed to third parties without the data subject's consent, except where there is a legal obligation, in accordance with the principles set out in the GDPR and the LOPDGDD.
To ensure the security of your personal data, we have implemented different levels of protection and adopted all necessary technical and organisational measures to prevent loss, misuse, alteration, unauthorised access or manipulation.
The specific uses and purposes of the personal data collected are as follows:
- Enquiries, appointment bookings and third-party information requests: we process the data provided in order to manage and respond to enquiries and information requests made through the contact channels available on the website. This purpose also includes the internal administrative management necessary for the proper handling of requests and for possible legal, administrative or judicial liabilities arising from the relationship with the data subject.
Lawful basis. What is the lawful basis for processing your data?
The collection and processing of your personal data is always carried out on the basis of one or more legitimate legal grounds, as established by the GDPR and the LOPDGDD. Specifically:
- Enquiries, appointment bookings and third-party information requests: the processing of the data is justified by the legitimate interest of “Heart and health” in managing and responding to the enquiries and requests submitted, as well as in ensuring proper internal administrative management and compliance with possible legal obligations.
Retention. How long will we keep your data?
Your personal data will be used for the time strictly necessary to fulfil the purposes indicated above and, once those purposes have been achieved, it will be blocked and retained only for possible legal, administrative or judicial liabilities during the applicable limitation periods. After this period, the data will be securely deleted.
The following are indicative retention periods according to the type of information collected:
| Document | Period | Legal reference |
|---|---|---|
| Employment or social security-related documentation | 4 years | Article 21 of Royal Legislative Decree 5/2000 of 4 August, approving the consolidated text of the Law on Social Order Offences and Penalties. |
| Accounting and tax documentation for commercial purposes | 6 years | Art. 30 of the Commercial Code. |
| Accounting and tax documentation for tax purposes | 4 years | Articles 66 to 70 of the General Tax Law. |
| Data for sending information about services | As long as the data subject does not request erasure. | Not applicable. |
| Data of persons who have contacted us | Until erasure is requested. | Not applicable. |
| Medical records | 15 years | Personal data will be retained in compliance with the legal periods established in the applicable regulations, in particular Law 16/2010 of 3 June, amending Law 21/2000 on the rights to information concerning health, patient autonomy and clinical documentation. |
In any case, your personal data will be cancelled or blocked once the retention period established for each type of data has elapsed, in accordance with the applicable legal provisions.
Source. How did we obtain your data?
Simply visiting the “Heart and health” website does not require the user to provide any information about themselves.
“Heart and health” expressly prohibits children under fourteen years of age from providing personal data without the prior consent of their parents or legal guardians. In addition, “Heart and health” will not carry out any healthcare activity with minors under sixteen years of age without the consent of their parents or legal guardians, except in the cases provided for by law.
With regard to the source of the data collected:
- Enquiries, appointment bookings and third-party information requests: the data is provided directly by the data subject or by their legal representative through the forms and contact channels enabled on the website. The information provided must be truthful, complete and up to date, and the data subject is responsible for its accuracy.
Security measures. What do we do to protect your data?
“Heart and health” adopts the organisational and technical measures necessary to guarantee the security and privacy of personal data, protecting it against alteration, loss, unauthorised processing or access. These measures are applied taking into account the state of the art, the nature of the data stored and the risks to which it is exposed.
Among others, the following measures are implemented:
- Ongoing confidentiality, integrity, availability and resilience of the systems and services that manage the processing of personal data.
- Rapid restoration of the availability of and access to personal data in the event of a physical or technical incident.
- Continuous evaluation of the effectiveness of the technical and organisational measures implemented to guarantee processing security through periodic tests, audits and assessments.
- Pseudonymisation and encryption of personal data, especially sensitive data, to protect users' privacy.
- Restricted access to personal data, limiting access to employees or collaborators who need such information to perform their duties.
- Incident response plan: in the event of security incidents, established protocols will be activated to mitigate risks and ensure the protection of personal data.
Recipients. To which recipients will your data be disclosed?
Personal data collected through our website will be processed by “Heart and health” and by service providers that support us in the management of administrative processes and the provision of the service, acting as processors, with whom we have entered into the agreement required under Article 28 of the GDPR.
All processors will process your data exclusively for the purposes indicated and in accordance with our instructions, applying the security and confidentiality measures provided for by data protection regulations.
When you use the WhatsApp button to contact us, the data you provide (name, phone number and message content) will be transmitted to WhatsApp, Inc. (Meta Platforms, Inc.), which will act as data controller for the purpose of enabling the communication and delivering it to the final recipient.
This data will be processed by WhatsApp/Meta in accordance with its own privacy policy and terms of service, and “Heart and health” cannot control or modify the way in which WhatsApp processes such data.
Rights. What are your rights when you provide us with your data?
Current data protection regulations grant you a series of rights regarding our use of your personal data. Each of these rights is personal and non-transferable, meaning that they may only be exercised by the data subject, after verifying their identity.
You have the following rights:
- To request access to your personal data.
- To request rectification of your data.
- To request erasure or deletion of your data (right to be forgotten).
- The right to data portability in cases involving telecommunications or internet services.
- To restrict or object to our use of your data.
- The right to withdraw your consent at any time.
- The right to lodge a data protection complaint with the supervisory authority: the Spanish Data Protection Agency.
How can you exercise your rights?
To exercise your rights of access, rectification, erasure, restriction or objection, portability and withdrawal of consent, you may do so in person or by email at:
JORDI NOGUÉ BENEDICTO DNI 47919195Y info@fisioheartandhealth.com
In addition to these rights, if you believe that your data is not being collected or processed in accordance with current data protection regulations, you may file a complaint with the supervisory authority:
Spanish Data Protection Agency C/ Jorge Juan, 6. 28001, Madrid. Email: info@agpd.es Phone: 912663517 Website: https://www.agpd.es
Consent and acceptance
By accepting this Privacy Policy, you declare that you have read, understood and accepted its clauses. You also expressly authorise the processing of your personal data in accordance with the purposes and conditions set out in this document.