shmedical@shmedical.net +34 934 607 920

Privacy Policy

This Privacy Policy is adapted to the European policy and current Spanish legislation in force on data protection as a consequence of the adaptation of Suministros Hospitalarios S.A. to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (henceforward GDPR).


Identity of the data controller:

The personal data controller of SH Medical Group is:
Suministros Hospitalarios S.A. with Tax ID no A-08876310, located in C/ Tortosa 199 - 201, Badalona with postcode 08918 (Barcelona). Contact telephone: +34 934 607 920; email: lopd@shmedical.net

And offices in:



Madrid
Pº de las Delicias, 30 – 7ª planta

28045 Madrid, Spain

Tel. +34 910 608 617



Barcelona
C/ Tortosa, 199-201

08918 Badalona (BCN), Spain

Tel. +34 934 607 920



Lisbon

Rua Carvalho Freirinha, 55

2800-676 Cacilhas (Almada), Portugal

Tel. +351 215 947 735


Data protection officer

The data protection officer (DPO) is responsible for ensuring compliance with the data protection legislation to which SH Medical Group is subject. Users, clients, suppliers and employees can contact the DPO appointed by the data controller on lopd@shmedical.net.

You can contact the above-mentioned offices and lopd@shmedical.net to exercise your rights and for any queries or doubts that arise in matters of data protection.


Scope of application

SH Medical Group offers services and products in the audiology field and healthcare sector in its specialities detailed on the website www.shmedical.net. You can also purchase Baha device accessories online at www.mybahaonline.com

In compliance with the provisions of the GDPR and the LOPDGDD (Organic Law on the protection of personal data and guarantee of digital rights), we inform you that any data collected on contact forms on the websites, data necessary for the performance of a contract, data from your medical records to ensure the correct device calibration, plus training activities and product presentations, shall be incorporated and processed for the purpose of facilitating and fulfilling commitments, executing contracts and maintaining ongoing communications with users, clients, suppliers, etc.

SH Medical Group keeps a data processing log book that specifies the activities carried out and other circumstances set forth in the GDPR according to their purposes.

As well as explaining the lawful basis for the data processing, we also explain how and what data we use, and the purposes and the technical and organisational measures that we apply for its security, which we list below.


Personal data we collect

SH Medical Group wishes to provide you with the best experience of our services and products in the above-mentioned areas.

Some of this data is directly provided to us by the medical practitioners (hospitals and health centres), the data controllers. We obtain other data by recording your interaction with our services and products; for example, when signing a maintenance contract for your Cochlear device, or when using technologies such as cookies and receiving error reports or usage data from the applications that run on your device (see Cookies Policy), or when buying hearing aids and other products from us.

Accordingly, the data we collect will be:
Identifying data: name, surname(s), ID doc, TIS (Individual Health Card).
Contact details: address, email, landline and mobile.
Bank details: bank account number.
Medical details to manage the health service and/or product you are using.


How we use your personal data

We use your medical, contact and identifying data to operate our centres and provide you with the best quality in the services and products we offer.

We can also use the contact data to communicate with you, for example to provide you with information on maintenance services and/or device updates, provided that you give us your express consent or have a Cochlear device maintenance or sales contract with us.

The consent must be given in a clear, positive action by you so that it is in accordance with law, by a means (written, verbal or electronic) by which we can prove it has been given.
Whenever consent is requested for several different purposes, this will have to be granted separately for each one.

At all times our organisation will solicit the consent in a free, specific and informed manner in accordance with the provisions of the GDPR and the LOPDGDD.

If the consent requested to process specific data is not granted, it will not be possible to begin processing your data. If you do not give us truthful, accurate data, we will also be unable to carry out the above-mentioned processing.


Data processing purposes

The objectives or purposes of the data processing will be those that are assigned and developed by SH Medical Group. These are lawful purposes within the scope of healthcare, such as providing services and products to the patient or user in audiological centres.


For how long do we keep your personal data?

We keep personal data solely for the time required as set out in Royal Legislative Decree 1/2015, of 24 July, which approves the recast text of the Spanish Law on guarantees and rational use of medicines and medical devices, which obliges us to keep your health data for a maximum of 25 years for treatments with specific medical products.

In cases where you provide us with your express consent to interact with you by sending you emails, SMS or actions to promote training or informative activities, the term of validity will be that which you define, unless you exercise your right to revoke the consent provided for this purpose.

For the administrative purposes of the management of the centres, the terms for retaining your data are those set out in mercantile and mortgage legislation (maximum 6 years, mercantile books; Treasury, 4 years).


Who can access your personal data?

Our employees (admin, sales, finance, IT, etc.) with access to data, who have signed a confidentiality agreement and duty of secrecy in relation to their access to the personal data of our clients.

The data processors who provide us with maintenance and management services, with whom the provision of said services is regulated through written contracts in accordance with Article 28 of the GDPR, and logistics companies for product distribution.

Third parties where the law obliges us to transfer personal data for legally specified reasons: public health administration, judicial and tax authorities, and financial entities for the management of payment collection.


Privacy of minors

As per regulations, minors under 14 years must be duly represented by their legal guardians or parents, and these must provide documents that prove their filiation (libro de familia [family book] or the ruling that establishes guardianship).


Exercise of rights

You can access your personal data by exercising the right of access established in the GDPR, within the limits and conditions that this Regulation sets forth concerning this right.
You can also exercise your right to rectification (in this case the data processing will cease, in accordance with that specified in the Regulation), and exercise your right to erasure, objection, restriction of processing or portability, as set out in this Regulation.

You also have the right to withdraw your consent at any time, in cases where you have given it, without this affecting the validity of any data processing that occurred before the withdrawal.

For you as the data subject to exercise these rights, you can contact our primary care centres to present any queries or objections that you need clarification of by emailing lopd@shmedical.net. You can also send them by post to the address in the header of this Privacy Policy, enclosing a photocopy of your ID document either electronically or as a hard copy.

If you are not satisfied with how we process your personal data, you can contact our DPO on lopd@shmedical.net, and can file a complaint with the competent control authority as stated in the above-mentioned Regulation.


Technical and organisational measures for the security of your personal data

Technical and organisational measures guarantee an appropriate level of security for the processed data and the confidentiality of your personal data, in accordance with that set forth in the new Regulation.

These measures are developed based on technological advances, their implementation costs, the nature of the data and the processing risk. The purpose of the systems is to protect your personal data from any accidental or intentional alteration, from unauthorised access, from its destruction or loss and other potential illicit modifications during its processing.

All these measures are aimed at guaranteeing the availability, integrity, confidentiality, traceability, authenticity and also the resilience of your personal data.

In regard to the organisational measures, we only collect the personal data that is necessary, appropriate and pertinent for the intended purposes.


Version of this Privacy Policy

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (henceforward GDPR).
You will be notified beforehand of any future change in legislative matters, both in the area of personal data protection and the area of import and export, or any cross-cutting legislation that may affect the processing of your data, through our habitual communication channels, as well as through the updating of this Privacy Policy.

The current version of this Privacy Policy is V. 4.0 - 02/2021