Privacy Policy

This Privacy Policy may be updated to adapt to regulatory changes or changes in the services provided. It is recommended to review it each time you provide your personal data.

Visiting this website does not oblige the user to provide any personal information. However, certain services, such as appointment requests or inquiries, require the completion of forms. The requested data is adequate, relevant, and strictly necessary for the purpose indicated in each case; failure to provide it may prevent the provision of the corresponding service.

1. DATA CONTROLLER

2. PURPOSE, LEGITIMATION, AND RETENTION

2.1. Contact form and appointment request

  • Purpose: manage and respond to inquiries, information requests, and appointment requests submitted by the user through the website forms.
  • Legal basis: consent of the data subject, granted at the time of completing and submitting the form.
  • Retention: data will be retained for a period of 5 years from the last interaction, unless the user requests its deletion earlier.

2.2. Provision of medical services

  • Purpose: management of medical records, medical follow-up, treatment coordination, and compliance with obligations arising from the healthcare relationship, including the processing of special category data (health data, clinical images before/after).
  • Legal basis: execution of the healthcare services contract and, for health data, explicit consent of the patient in accordance with Article 9.2.a) of the GDPR, as well as legal obligations arising from current healthcare regulations.
  • Retention: clinical data will be retained for the minimum period required by applicable healthcare legislation (Law 41/2002 on patient autonomy and corresponding regional regulations), and in any case as long as there is an active healthcare relationship.

2.3. Commercial communications

  • Purpose: sending information about services, promotions, and news from the Institute, via electronic or other channels.
  • Legal basis: express consent of the data subject, provided by checking the box enabled for this purpose. For existing patients, sending communications about similar services may be based on the legitimate interest of the controller, in accordance with Article 21.2 of the LSSI-CE.
  • Retention: data will be processed for this purpose until the user withdraws their consent or requests to unsubscribe, without prejudice to the retention necessary to prove compliance with legal obligations.

The user can withdraw the consent given for any purpose at any time, without affecting the lawfulness of the processing carried out previously.

3. SPECIAL CATEGORY DATA

Health data and clinical images constitute a special category of personal data in accordance with Article 9 of the GDPR and receive enhanced protection. Their processing will be carried out only with the explicit consent of the patient or under the exceptions provided by healthcare regulations, and with appropriate technical and organizational security measures according to their sensitivity.

4. DATA DISCLOSURE

User data will not be disclosed to third parties except in the following cases:

  • Data processors: technology providers (hosting, appointment management platform, email services) acting under contract and only according to the controller's instructions.
  • Legal obligation: public health administrations or other bodies when there is a legal obligation to communicate.

Under no circumstances will personal data be sold to third parties or disclosed for purposes other than those described.

5. USER RIGHTS

The user can exercise the following rights over their personal data at any time:

  • Access: obtain confirmation of whether their data is being processed and, if so, information about the processing.
  • Rectification: request the correction of inaccurate or incomplete data.
  • Erasure: request the deletion of their data when, among other reasons, it is no longer necessary for the purpose for which it was collected, unless there is a legal obligation to retain it.
  • Restriction of processing: request that processing be restricted to certain purposes.
  • Objection: object to the processing of their data, particularly when it is based on legitimate interest or for direct marketing purposes.
  • Portability: receive their data in a structured and commonly used format, or request its transmission to another controller.

To exercise any of these rights, the user can write to info@institutodebenito.com, indicating the right they wish to exercise and attaching a copy of their identity document.

Furthermore, if they consider that the processing of their data does not comply with current regulations, they have the right to file a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es

6. SECURITY

INSTITUTO DR. JAVIER DE BENITO, S.L.U. applies the necessary technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data, with special attention to health data. Personnel with access to personal data have assumed the duty of confidentiality.

7. MINORS

The services of this website are aimed at adults. In accordance with Article 8 of the GDPR and Article 7 of the LOPDGDD, minors under 14 years of age cannot consent to the processing of their data without the authorization of their parents or legal guardians. If the Institute detects that data from a minor has been collected without such authorization, it will delete that data immediately.

8. UPDATES

This Privacy Policy may be modified to adapt to regulatory changes or changes in services. The current version will always be available on this website. In case of substantial changes affecting already initiated processing, the user will be informed appropriately.