The protection of privacy and the legitimate use of personal data are of utmost priority for the Psychologist Jordi Arévalo Ventura (DNI: 52437950C), located at Balmes Street 209 1st 2nd, 08006, Barcelona ("We" or the "Data Controller"). This privacy policy ("Policy") explains how we collect, use, store, and process the personal data of our users in the context of and for the purposes of the services provided at our facilities, including medical and healthcare services and other related services (collectively, the "Services").
We suggest that you carefully read this information before making a medical consultation or visiting our facilities.
Categories of Processed Data
The Data Controller collects the following data:
1. GENERAL DATA:
- Personal and contact information such as name, surname, date and place of birth, gender, place of residence, phone number, email address, and other identification data.
- Payment data such as bank account number for direct debit.
- Other general personal data such as:
- Data related to communication via video call applications (Whatsapp, Skype, Facetime, Google Meet, Zoom, Teams, SMS, Email, among others).
2. SPECIAL CATEGORIES OF DATA (SENSITIVE DATA):
- Health-related data such as information about symptoms, existing or past diseases, diagnostic data, medical examination results, or other similar data.
- Other special categories of personal data such as demographic, biometric, sexual orientation, or belief data.
Legal Basis for Data Processing
GENERAL DATA: We generally process users' personal data based on one or more of the following:
- To execute the contract between us and the user related to the provision of the Services by us.
- To comply with our legal obligations.
- Based on our legitimate interests, such as: improving user experience, preventing fraud, ensuring the security of the network, data, or IT systems of the Data Controller, contacting users, optimizing the level of Services provided, and the administrative management of our clinic (always ensuring that such legitimate interests do not harm the interests or fundamental rights and freedoms of users).
- When necessary, based on the explicit consent provided by the user, which can be revoked at any time.
SPECIAL CATEGORIES OF DATA (SENSITIVE DATA): We process sensitive personal data (included in special categories) only based on the explicit and informed consent of the data subject (or their legal representative in the case of users under 16 years old). Additionally, in the case of health-related personal data, we process the data to the extent strictly necessary for purposes of diagnosis, healthcare, social therapy, or the management of healthcare or social systems and services, always under the responsibility of a professional bound by professional secrecy, in accordance with Art. 9 of the EU General Data Protection Regulation 2016/679 ("GDPR").
In any case, we are always obliged to respect maximum confidentiality, particularly for data related to health and sexual life.
Purposes of Personal Data Processing
We process users' personal data for the following purposes:
- To manage the relationships with the user necessary for the provision of the Services.
- To comply with our legal, administrative, accounting, and tax obligations.
- To contact you to manage the provision of our services (phone, fax, postal mail, email).
- For any other purpose necessary in connection with the provision of the Services agreed upon between the client and the professional.
- For marketing purposes and other commercial communications (which may be of interest to the user related to the Services received, but only with the user's explicit and specific consent, which can be revoked at any time).
The Data Controller will not process users' personal data within fully automated decision-making processes, including profiling.
User Rights
Data subjects may exercise at any time the rights mentioned in Articles 15, 16, 17, 18, 19, 20, 21, and 34 of the GDPR by sending an email or written communication to the contact details of the Data Controller: [email protected] or to the number +34 623 92 01 02.
Specifically, each user has the right to:
- Request and obtain access to their personal data processed by us (copy of the user's personal data), verify its accuracy, and if necessary, request its update, rectification, or integration (and obtain confirmation of its rectification from the Data Controller).
- Request the deletion of their personal data from our system (right to erasure) (a) if the personal data are processed unlawfully or are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or (b) in case of withdrawal of consent by the user (if the processing is based on consent, and there are no other legal bases), or in other cases established by Art. 17 of the GDPR, and obtain confirmation of the deletion.
- Request the limitation of personal data processing or its blocking, in cases provided for in Art. 18 of the GDPR, or object to the processing of their personal data conducted based on our legitimate interests.
- Object to any profiling activities by us (including any decision-making activity based solely on automated processing of their personal data), except in cases established in Art. 22 (2) of the GDPR, as well as the use of their personal data for direct marketing purposes.
- Obtain the portability of their personal data processed by automated means, in accordance with Art. 20 of the GDPR.
- Be informed without undue delay of any security incident that has affected their personal data that poses a high risk to their rights and freedoms.
At any time, the data subject may withdraw their consent to the processing previously provided, without affecting the lawfulness of the processing based on consent before its withdrawal.
The Data Controller may in any case retain certain personal data even after the request for cessation of processing and deletion of personal data, exclusively to defend or assert their own right, or in other cases provided for by law.
Data Processing Security
The processing of personal data will be based on principles of lawfulness, fairness, transparency, minimization, relevance, and accountability, and may be carried out using paper and/or IT supports, as long as they are suitable to ensure availability, integrity, and confidentiality and in any case through the use of technical procedures and measures that minimize the risks of loss, theft, unauthorized access, illicit use, unwanted modifications, and dissemination, always respecting the current regulations and professional secrecy.
Retention Period
Personal data will only be retained for the time necessary to achieve the purposes for which they were collected or for any other legitimate related purpose.
Once the purpose for which the data was collected has been fulfilled, the personal data will be irreversibly anonymized or securely deleted or destroyed.
The retention periods, in relation to the different purposes listed above, will be as follows:
1. GENERAL DATA:
will be retained for the time necessary to manage contractual/accounting obligations and, in any case, for a maximum of 5 years from the end of the contractual relationship between the Data Controller and the user.
2. SPECIAL CATEGORIES OF DATA (SENSITIVE DATA):
- Health-related data: will be stored for 15 years.
- Other special categories of data: will be stored for 15 years.
Transfers to Third Parties
Data will be processed by the Data Controller, as well as by data processors designated by the Data Controller and authorized by it under the GDPR (the "Data Processors"), always adopting appropriate technical-organizational measures to comply with privacy legislation.
Personal data will not be transferred and/or disclosed to third parties, except in the following cases (always in compliance with applicable legislation and without limiting the Data Controller's liability for data processing carried out by them):
- Public authorities, for the performance of institutional functions within the limits established by law.
- Companies/organizations providing assistance, advice, or collaboration in accounting, administrative, tax, legal, financial, or other matters.
- Third parties (such as suppliers, partners, and insurance companies) designated by the Data Controller as processors, including:
| DATA PROCESSORS | LOCATION | CATEGORIES OF DATA PROCESSED | SCOPE OF PROCESSING |
|---|
| Sellarès Assessors | Spain | Personal data | Managing fiscal responsibilities |
| Jordi Arévalo Ventura | Spain | Personal data, contact data, data related to appointment booking, clinical data | Managing appointment bookings, creating patient medical records |
- Regulatory bodies, judicial authorities, as well as any other parties to whom the law obliges to communicate data.
The Data Controller does not transfer personal data outside the European Economic Area, except to those for which there is an adequacy decision by the European Commission, or based on one of the other guarantees or exceptions provided for in Chapter V of the GDPR.
Complaints
For any complaint or objection about data processing, the user can contact the Data Controller at any time at the following email address: [email protected] or the number +34 623 92 01 02. We will do everything possible to provide the best level of assistance. However, if a satisfactory response is not provided, it is always possible to refer complaints or objections to the Spanish Data Protection Agency, C/Jorge Juan, 6. 28001-Madrid.
Mark
I consent to the processing of my personal data (or the personal data of a minor under 16 years old as their legal representative), including special category data, for the purposes described in this Privacy Policy (check all fields) *
