Privacy Policy

In accordance with Regulation (EU) 2016/679 of the Parliament and of the Council of April 27th, 2016 on the protection of individuals with regard to the processing of their personal data and the free movement thereof, and Organic Law 3/2018, of December 5th, for the Protection of Personal Data and Guarantee of Digital Rights, Hospital de Sant Pau informs you about the processing of your data:

1. Who is the controller of the data processing?

The data controller is the Fundació de Gestió Sanitària de l’Hospital de la Santa Creu i Sant Pau, located at Sant Antoni Maria Claret, 167, 08025, Barcelona.

For any questions regarding this matter, you may contact the Data Protection Officer at the same address as the controller. You can also contact the Data Protection Officer by email at: dpd@santpau.cat

2. What personal data do we process and where do they come from?

The following categories of personal data may be processed:

Identification data; contact data of patients and representatives (including signature, image, health card, social security number or mutuality); users or any person related to the entity.

Health-related data, personal and/or social characteristics.

Economic and professional data.

Contact details, such as email.

Navigation data, technical data, IP address.

The data may come from the interested party, the user or, where appropriate, their legal representative or health personnel.

3. For what purpose are your data processed?

Personal data may be processed by the controller for the following purposes:

  • Healthcare provision: Your data is processed to provide the health care you require. This includes:
    • Ensure the registration and monitoring of medical treatment.
    • Guarantee the continuous care between different health and social devices when required.
    • Remind you of care visits and notify you of appointments by SMS or any other messaging channel.
    • Provide justification vouchers for attendance or visits to Hospital Sant Pau for patients, relatives, or related persons, when regulations allow it.
    • Attend to any requests or communications with Hospital Sant Pau made by the patient, such as requests for documentation.
    • Send information about the hospital that may be of interest for your assistance, including health promotion and prevention activities.
    • Use data in observational studies to improve the quality of care.
    • Invoicing.
    • Serve as a source of information necessary for public health processes, health management and control, health planning, epidemiological studies, and statistics.
  • Research: The hospital participates in research projects as a participating center. Therefore, your data may be processed for scientific purposes, in accordance with applicable sectoral regulations. Your consent will be requested, and your data will be pseudonymized, reused, or treated as research for public health. The hospital may also contact patients to suggest participation in a research study.
  • Management of requests for the exercise of data protection rights, requests for information and documentation, thanks, suggestions, claims, complaints, etc., by any means (face-to-face, email, telephone, etc.).
  • Reminders of care visits and appointments via SMS or any other communication channel: Send SMS reminders for scheduled visits with hospital services.
  • Satisfaction and/or quality surveys: Propose participation in surveys to gather opinions about the care received and experiences at Hospital Sant Pau. These surveys aim to improve the quality of care and management activities. Occasionally, you may be invited to participate in an improvement group project.
  • Tuition: Hospital Sant Pau is affiliated with the Autonomous University of Barcelona (teaching unit of the Faculty of Medicine of the Autonomous University of Barcelona and University School of Nursing).
  • Compliance with legal obligations: Process data to comply with corresponding legal requirements.
  • Video surveillance: Process data for security and access control purposes. The hospital has a video surveillance system that collects real-time images of users.
  • Sending communications. With your explicit consent, your data may be used to send communications related to Sant Pau (newsletters, bulletins, general information, events, campaigns, etc.). For events requiring registration, your data will be used to manage your registration. Events may be recorded for dissemination, and general photographs and videos of attendees may be taken.
  • Complaint channel: Your data may be processed if you file a complaint.
  • Website navigation and registration: To understand your browsing preferences and maintain website security. For certain websites requiring registration, your data will be used to manage your registration and allow the use of services and functionalities in the digital environment of the Health Management Foundation of the Hospital de la Santa Creu i Sant Pau (websites, apps, social networks, etc.), optimize its operation, manage records, and comply with the requested service.

4. What is the basis for processing your data?

Purpose: Legal grounds
Health care
  • Compliance with a legal obligation applicable to the controller.
  • Protection of vital interests of the data subject or another individual.
  • Fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller.
  • Preventive or occupational medicine, evaluation of work capacity, medical diagnosis, provision of health or social care, or management of health and social care systems and services, based on Union or Member State law or under a contract with a health professional.
Research
  • Consent of the data subject for one or more specific purposes.
  • Compliance with a legal obligation applicable to the controller.
  • Fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller.
  • Legitimate interests pursued by the controller or a third party, provided that the interests or fundamental rights and freedoms of the data subject do not prevail, especially if the data subject is a child.
Management of requests for the exercise of rights
  • Legitimate interests pursued by the controller or a third party, provided that the interests or fundamental rights and freedoms of the data subject do not prevail, especially if the data subject is a child.
  • Compliance with a legal obligation applicable to the controller.
Reminders for appointments
  • Legitimate interests pursued by the controller or a third party, provided that the interests or fundamental rights and freedoms of the data subject do not prevail, especially if the data subject is a child.
Satisfaction and/or quality surveys
  • Legitimate interest and consent of the patient. Answering the survey implies consent. Participation is optional and voluntary.
Tuition
  • Consent of the patient or their representative, as indicated by applicable regulations.
Compliance with legal obligations
  • Compliance with a legal obligation applicable to the controller.
Video surveillance
  • Fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller.
Sending communications without being related to your assistance
  • The interested party has given consent for the processing of their personal data, for one or more specific purposes.
Channel of complaints
  • The processing is necessary to comply with a legal obligation applicable to the controller.
  • The processing is necessary to fulfill a mission carried out in the public interest or in the exercise of public powers conferred on the controller.
  • The processing is necessary to satisfy legitimate interests pursued by the controller or by a third party, provided that the interests or fundamental rights and freedoms of the interested party that require the protection of personal data do not prevail, especially if the interested party is a child.
Web registration
  • The processing is necessary to comply with the contractual relationship between the user and the entity when offering services of the information society, as well as to comply with the legal notice.

 

5. Recipients of your personal data

This information will be used by the administrative services and services directly linked to the health care of our entity, each within its powers. It may be sent in whole or in part to public and private official entities that, for legal reasons or material need, must access the data to ensure the correct provision of health care, which is the purpose of processing these data.

Additionally, the Hospital de Sant Pau participates in the Shared Clinical Records of Catalonia. The data of patients assisted in this centre will be integrated into the Shared Clinical Records of Catalonia, in accordance with legal requirements and following the indications of the Department of Health of the Generalitat de Catalunya, which is responsible for this file.

To ensure adequate provision of assistance, certain service providers may process personal data on behalf of the controller. These third parties will act as data processors. These providers may include physical security, destruction of documentation, advisory services, consulting, computer services, etc.

6. How long will we keep your information?

Your data will only be kept for the time strictly necessary for the purpose for which they were collected.

The data provided will be kept in accordance with health legislation affecting the patient’s health at any time, currently in Law 21/2000 on the rights of information concerning the patient’s health and autonomy, and clinical documentation, which provides for a period of fifteen years from the date of discharge of each care process in relation to the relevant documentation and a period of five years for the rest. Subsequently, they will be kept for the period corresponding to the legal prescription or until the Hospital de Sant Pau may have some type of legal responsibility.

Personal data processed for research purposes will be kept for the appropriate time in each case according to the type of research project and the applicable legal regulations.

Personal data provided to manage a request submitted by you, or a complaint, suggestion, claim, or exercise of the right to data protection, will be kept for the period necessary to process the request submitted, and in any case for the time legally established.

Data processed to comply with a legal obligation will be kept during the period indicated by the applicable regulations. Images captured by video surveillance systems will be kept for 15 days, except when the Hospital de Sant Pau has knowledge of some fact that may be relevant for a judicial action. Data processed for sending communications unrelated to your assistance will be processed until the interested party withdraws consent or exercises the right of opposition or suppression.

Finally, data processed within the framework of the complaints channel will be treated during the essential time to decide on the origin of initiating an investigation into the reported facts, if applicable, during the time in which the relevant investigation is carried out, and during the course of the legal proceedings that apply. Data processed when user registration is necessary will be kept as long as the registration is in force.

7. International transfers

We inform you that your personal data will not be communicated or processed outside the European Economic Area. However, if a supplier or third party performs any data processing outside the EU and carries out an international data transfer, we will ensure that the recipient has been declared by the European Commission to offer an adequate level of protection (transfers based on an adequacy decision), or that corresponding guarantees are taken in accordance with Article 46 of the General Data Protection Regulation (GDPR), or that there is an exception for specific situations. The same will apply to data processing in the field of research.

8. What are your rights?

You have the right to access your personal data to know what personal data we are processing that concerns you, to access your medical history, and to obtain a copy. You also have the right to request the rectification of inaccurate or obsolete data. If the data are no longer necessary for the purposes for which they were collected or if consent is withdrawn, when this is the only legal ground, you may request the deletion of such data. You also have the right to request the limitation of the processing of your data, in which case we will only retain them for the exercise or defense of claims; the right of opposition, where the Hospital de Sant Pau will continue to process the data if there are legitimate compelling reasons, for the exercise or defense of possible claims; and the right to portability. You may also withdraw your consent for those data processing activities where the consent of the interested party is necessary.

We will respond to the exercise of your rights as soon as possible and, in any case, within one month. This period can be extended by two more months if necessary, depending on the complexity and number of requests.

If you are not satisfied with the response to the exercise of your rights, you may file a complaint with the Catalan Data Protection Authority or the corresponding supervisory authority. Before starting any communication with the supervisory authorities, we ask you to contact the Data Protection Officer to try to resolve any discrepancy in the exercise of your rights or if you need more information about the processing of your data. You may send an email to dpd@santpau.cat, explaining your request.