At FUNDACIÓN INSTITUTO DE INVESTIGACIÓN SANITARIA DE SANTIAGO DE COMPOSTELA we understand that having a transparent relationship with you is key. Thus, we make our Privacy Policy available to you so you can always be duly informed on how we safely collect and process any data you provide to us.

Your data will be processed in accordance with the current legislation and, particularly, pursuant to the stipulations of Regulation (EU) 2016/679 of 27 April 2016 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. And also pursuant to Spanish Organic Law 3/2018, of 5 December, on Personal Data Protection and Digital Rights Guarantee.

By carefully reading our Privacy Policy you will have all the information you need to understand how we will use the data you provide to us.

1. WHO IS YOUR DATA CONTROLLER?

If you, or an authorized person, have provided us with your data, FUNDACIÓN INSTITUTO DE INVESTIGACIÓN SANITARIA DE SANTIAGO DE COMPOSTELA, with CIF (Spanish Tax Code) ESG15796683 will be the data controller. These data will be processed in accordance with the stipulations of current regulations on personal data protection.

There may be other data controllers in the processing we carry out. If this is the case, we will always inform you of the identity of the data controller, as well as of their identification details.

At FUNDACIÓN INSTITUTO DE INVESTIGACIÓN SANITARIA DE SANTIAGO DE COMPOSTELA we undertake to meet our obligation of confidentiality regarding personal data and our duty to protect them. For this purpose we take the necessary measures to prevent their modification, loss, non-authorized processing or access in accordance with the stipulations of the Regulations.

2. WHERE DO WE INFORM ABOUT THIS?

FUNDACIÓN INSTITUTO DE INVESTIGACIÓN SANITARIA DE SANTIAGO DE COMPOSTELA, through the www.idisantiago.es website, in the privacy policy section. For more information read the “Legal Notice”.

3. DO WE HAVE A DATA PROTECTION OFFICER?

Yes, we do. Due to the nature of our legal entity, FUNDACIÓN INSTITUTO DE INVESTIGACIÓN SANITARIA DE SANTIAGO DE COMPOSTELA has a Data Protection Officer in order to ensure the compliance with the current data protection regulations. You can contact them at this address ejercicio.derechos.proteccion.datos.fidis@sergas.es.

4. WHAT PERSONAL DATA DO WE PROCESS?

We process the following personal data:

  • Those you decide to provide voluntarily.
  • Data resulting from your communications with us.
  • Information on your browsing habits in the case of Online Services (IP address or information from cookies or similar devices [you can check our Cookies Policy on the website]).
  • Information available from public sources which we can lawfully access.
  • Data obtained as a result of your contractual or pre-contractual relationship with us, including your image. In this case, we will always notify you of the possibility of capturing your image.
  • Information on you provided by third persons, always based on legal grounds or on your prior consent.
  • Third-party information you provide to us, with prior consent from the third party.

5. HOW DO WE PROCESS YOUR DATA?

At FUNDACIÓN INSTITUTO DE INVESTIGACIÓN SANITARIA DE SANTIAGO DE COMPOSTELA we process your data pursuant to the current legislation. In addition to this, we would like to inform you that we have the appropriate technical and organizational measures to guarantee an optimal security level, thus ensuring that only authorized persons will access this information, that we will keep your data intact, preventing any intentional or accidental loss, and that we have reinforced our data treatment systems and services.

The automated or non-automated technical operations, formalities and procedures carried out by us which make possible the collecting, storing, modification, transfer of personal data, among other actions, are considered personal data processing.

6. WHAT ARE THE GROUNDS FOR LEGITIMATE DATA PROCESSING?

The criteria for making Personal Data processing legitimate will be those resulting from the contractual or pre-contractual relationship, employment relationship, or any other, relationship required for the processing of data, such as your express consent.

7. HOW DO WE MANAGE ELECTRONIC COMMUNICATIONS?

If you receive any electronic communications (e-mails, automatic response messages to forms and other types of communications) we would like to inform you that the messages are only intended for their recipient and that they may contain privileged or confidential information. If you are not the recipient of the message, please be aware that the unauthorized use, disclosure and/or copying of information is not allowed pursuant to the current legislation.

Pursuant to the stipulations of Spanish Law 34/2002, of 11 July, on Information Society Services and E-commerce, and Directive 2002/58/EC, we notify you that if you do not wish to receive commercial communications or information by means of electronic communication, you can let us know by electronic means, writing “UNSUBSCRIBE TO COMMERCIAL COMMUNICATIONS” on the subject line of your e-mail, and your personal data will be eliminated from our database. Your request will be implemented 10 days after you send it. If you do not reply to our communications, we will understand that you agree and give permission for the company to continue sending the aforementioned communications.

8. HOW LONG DO WE KEEP YOUR DATA?

Personal data on natural persons collected by any means by FUNDACIÓN INSTITUTO DE INVESTIGACIÓN SANITARIA DE SANTIAGO DE COMPOSTELA will be retained until the interested party requests their deletion. In addition to this, they will be retained while the relationship originating the data processing is still valid, always observing the legal retention periods. Once this period is finished, personal data will be deleted from all the systems of FUNDACIÓN INSTITUTO DE INVESTIGACIÓN SANITARIA DE SANTIAGO DE COMPOSTELA.

9. WILL YOUR DATA BE COMMUNICATED TO THIRD PARTIES?

We will not transfer, assign or communicate your personal data, except in those cases already provided for in previous sections, and except by legal obligation. If the Public Administration or Regional Institutions request your data within the scope of the powers expressly granted by law, we will transfer them to these entities.

In the event of transferring, assigning or communicating your personal data other than in the aforementioned cases, you will be notified beforehand so you may give us your authorization, where appropriate.

In order to be properly organized, and to implement good operating techniques and procedures which guarantee good management, FUNDACIÓN INSTITUTO DE INVESTIGACIÓN SANITARIA DE SANTIAGO DE COMPOSTELA may need to hire the services of advisors, professionals or other service companies for processing data under our instructions.

This third-party processing will be regulated in an written agreement or in any other way which allows to verify its execution and contents, expressly specifying that the data processor will process the data following our instructions and they will not apply them or use them with a purpose different from the one stipulated in said agreement, and that they will not communicate them, not even for their retention, to third parties.

10. WHAT ARE YOUR RIGHTS?

Data protection regulations grant you the following rights:

  • The right to withdraw any consent previously given.
  • Right of access: Knowing what kind of data are being processed and the characteristics of the processing carried out.
  • Right to rectification: The possibility of requesting the modification of inaccurate or untrue data.
  • Right to data portability: The possibility of obtaining a copy of the data being processed in an interoperable format.
  • Right to restriction of processing if you do not think it necessary.
  • Right to erasure: Requesting the cessation of data processing and their erasure when their retention is no longer necessary.

In addition to this, we would like to inform you that you can withdraw your consent without affecting the legality of the processing which has already been carried out by sending your request to the address in the previous paragraph. In this case, you shall attach a copy of your ID card or other identity documents to your request.

If you wish to have further information on your data processing, to rectify inaccurate data, to object and/or to restrict processing when you deem it unnecessary, or to request the cancellation of the processing when data are no longer necessary, you may write to FUNDACIÓN INSTITUTO DE INVESTIGACIÓN SANITARIA DE SANTIAGO DE COMPOSTELA en TRAVESÍA CHOUPANA, S/N, , 15706 – SANTIAGO DE COMPOSTELA (A Coruña), or send an e-mail to ejercicio.derechos.proteccion.datos.fidis@sergas.es.

  • This communication shall include the following information: User’s name and surname(s), request for application, address and identification documents.
  • The rights shall be exercised by the user. Nevertheless, they may also be exercised by an authorized person acting as legal representative of the user. In this case, the supporting documents certifying this granting of powers shall also be provided.

Please remember that you have the right to lodge a complaint before the Spanish Data Protection Agency (AEPD, Agencia Española de Protección de Datos) if you deem that your rights have been violated: Protección de datos C/ Jorge Juan, 6 28001-Madrid – FAX: 914483680- Tel. No.: 901 100 099- E-mail: ciudadano@agpd.es

11. WHAT ARE THE PURPOSE AND LEGAL GROUNDS FOR DATA PROCESSING?

Below are the purposes of the data processing carried out by some, or all, of the aforementioned Data Controllers.

PROCESSING ACTIVITY PROCESSING PURPOSE LEGAL GROUNDS
IDIS Management Management of research groups in order to control the activities they carry out Contractual relationship

Legal obligation for the data controller

Express consent from the data subject

Labour management Management of personnel for the execution of a employment agreement, control of files, payroll management Contractual relationship
Fiscal and accounting management Processing required in order to meet the fiscal and accounting obligations Contractual relationship

Legal obligation for the data controller

Prevailing legitimate interests of the data controller or of third parties

Contact management Processing of data in order to communicate with data subjects Contractual relationship

Prevailing legitimate interests of the data controller or of third parties

Express consent from the data subject

Occupational risk prevention Compliance with the current legislation regarding occupational risk prevention and health surveillance Contractual relationship

Legal obligation for the data controller

Management of job applicants Personnel selection and provision of job positions by curriculum management, personal interviews and assessment tests Vital interests of the data subject or other persons

Express consent from the data subject

Event and activity management Management and coordination of activities and events related to the entity’s business activity. Attendance and participant control Contractual relationship

Express consent from the data subject

Information communication and notifications Communication of activities and notifications of relevant information related to the entity’s business activity Prevailing legitimate interests of the data controller or of third parties

Express consent from the data subject

Multimedia management Processing of images and/or videos for their publication in media and social networks and promotion of activities Express consent from the data subject
Management of job applicants by competition Management of job applicants by means of public competition in order to offer a job position Express consent from the data subject
Labour control Employee attendance control, shift control and management of holiday, sick leaves and other attendance periods. Contractual relationship

Prevailing legitimate interests of the data controller or of third parties

Supplier management Analysis, assessment, contracting, order management and management of payments to suppliers. Contractual relationship
Statistics for research Statistical analyses and research Public interest or exercising of public powers

Prevailing legitimate interests of the data controller or of third parties

Express consent from the data subject

Procedure and subsidy management Management, obtaining and accountability of subsidies and other procedures before different public and private bodies Contractual relationship

Express consent from the data subject

Management of calls, meetings and appointments of the managing body Management of the company’s communication with the members of the board of directors, persons and institutions related to the company and other stakeholders for the management and information on calls, meetings, appointments and other Contractual relationship

Prevailing legitimate interests of the data controller or of third parties

Management of personnel reports Assessment and filing of the reports issued on the data controller’s personnel Contractual relationship

Prevailing legitimate interests of the data controller or of third parties

Area contact management Hiring of third parties or by third parties when carrying out activities corresponding to the field of action Contractual relationship

Prevailing legitimate interests of the data controller or of third parties

Management of research and development activity collaborators Management of the relationships with persons who collaborate in or are interested in research, development and innovation activities Contractual relationship

Express consent from the data subject

Management of intern and trainee relationships Maintenance of the contractual relationship with interns and trainees Contractual relationship
Employee training Processing of the data necessary for the training of employees and interested personnel Legal obligation for the data controller

Prevailing legitimate interests of the data controller or of third parties

Web management Management of requests, contacts and claims received through the website Express consent from the data subject
Invoicing Issuing of invoices to clients, remittances and direct debits, collections and register keeping Contractual relationship

Legal obligation for the data controller

Management of governing body information Management of data regarding the natural persons who comprise the company’s governing body Contractual relationship

Legal obligation for the data controller

Project management Management of client and collaborator data necessary for the management and processing of consulting projects Contractual relationship

Express consent from the data subject

Trustee board management Management of the management body of the foundation Express consent from the data subject