Privacy policy - Centro médico Barcelona
In accordance with the General Data Protection Regulation, GRUPO PENSA SALUD S.L., Oksygen Experience S.L. and Asistencia Avanzada, S.L. inform you of their Privacy Policy.
1. Controller of the processing of personal data
For the Gran Vía and Girona centres, the data controller is GRUPO PENSA SALUD, S.L. (hereinafter, "GRUPO PENSA SALUD"), with Tax Identification Code B64023872 and registered office at C/ Gran Vía de les Corts Catalanes, n.º 657 - 08010 - Barcelona. To ensure fair and transparent processing of your personal data, GRUPO PENSA SALUD has a Data Protection Officer, who can be contacted at dpo.centrosmedicosaxa@axa.es
For the Les Corts centre, the data controller is Oksygen Experience S.L. with CIF B02681534 and registered office at C/ Can Bruixa, 17 local 4, 08028 Barcelona. This entity has a DPO who can be contacted at the following e-mail address dpo.centrosmedicosaxa@axa.es
For the Aribau, Roselló and Pau Claris centres, the Data Controller is Asistencia Avanzada, S.L, with Tax Identification Code B62081716 and registered office at Carretera de Rubí, 72-74 Edificio Horizon, 08174 Sant Cugat del Vallès (Barcelona). This entity has a DPO who can be contacted at the following e-mail address dpo.centrosmedicosaxa@axa.es
2. Purposes and legitimate bases of processing
Your personal data will be processed for the following purposes:
2.1. If you are a user of the website, GRUPO PENSA SALUD will process the data for the following purposes:
- Website maintenance.
  - The basis of legitimacy is the legitimate interest to enable communication between the equipment and the network, to provide the service requested on the website such as user log-in and subsequent identification and personalisation of the user interface.
  - This purpose corresponds to the need to display content on its website and improve usability for users who access it.
- Analysis of browsing behaviour and profiling of your browsing preferences and interests.
  - The basis of legitimacy is the consent given by you, allowing the Data Controller to proceed to the elaboration of your profile based on information about your browsing, according to your consumption habits.
  - This purpose responds to the need to show you advertising for products or services, adjusted to your real needs, on the different websites you browse, to maintain the preferences chosen on the website and to measure the traffic produced on the website. Your profile information will be treated securely and confidentially, being processed solely in systems that analyze the information obtained automatically. Furthermore, you may, at any time, express your wish not to be subject to this processing by exercising your right to object to it.
- If you provide your personal data by telephone or email using the contact details provided on the website, your data will be processed for the purpose of managing your requests for information, resolving your queries, answering your questions, or processing your complaints, including those related to healthcare and surgical services, as well as maintaining and developing the legal relationship that may be established between the parties prior to contracting.
  - The basis for legitimacy is the consent expressly given when you call or write to us, as well as the application of pre-contractual measures, at your request (Article 6.1.b GDPR) and compliance with legal obligations, in accordance with Article 6.1.c GDPR and Article 8.1 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.
  - You have the right to withdraw your consent at any time. Finally, we inform you that the withdrawal of consent will not affect the lawfulness of the processing based on the consent prior to its withdrawal.
- In the event that you provide your personal data by telephone or e-mail contact (available on the website), your data will also be processed for the purpose of carrying out surveys and satisfaction studies.
  - The basis for legitimacy is the legitimate interest in improving the quality of the care service.
  - At any time, you may refuse to give your assessment, as well as communicate your opposition to being contacted for this purpose.
- Recording of calls made to the contact telephone number of the website and of the medical centres, in order to control the quality of the service, as well as to improve it.
  - The legitimate interest of the Data Controller in ensuring the correct execution of the service and its continuous improvement is the basis on which this processing is based.
- Management of the complaints channel. If you report an irregularity or inappropriate conduct to us through the complaints channel, your data will be processed for the handling, investigation and resolution of the complaint received through said channel.
  - The legitimate basis is the consent of the whistleblower to the processing of his or her personal data when communicating the complaint, as well as compliance with the legal obligations established in Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption.
2.2. If you are a patient and contract healthcare or surgical services through any authorised channel, the Data Controller will process your data for the following purposes:
- Management of the online appointment request service. You can request an appointment with the medical centre of your choice via the website. Your data will be processed exclusively for the purpose of processing that appointment in the medical centre's systems.
  - The basis of legitimacy for this processing is the contractual performance between you and the medical centre, on which the health or surgical care you have requested is based.
- Provision, monitoring, management, control and billing of care and/or surgical services requested directly or through a third party, including prevention, diagnosis and medical treatment.
  - The basis for legitimacy is the management and formalisation of the contract for the provision of care services to which you are a party (Articles 6.1.b and 9.2.h of the GDPR), as well as compliance with legal obligations, in accordance with Article 6.1.c of the GDPR and Article 8.1 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights.
- Generation and maintenance of medical records and similar documentation.
  - The basis for legitimacy is compliance with the provisions of the applicable regulations, including regional regulations (Law 14/1986, of 25 April, on General Health, Law 4/2002, of 14 November, regulating patient autonomy and obligations and rights regarding clinical information and documentation, and Law 21/2000, of 29 December, on the rights to information concerning health and patient autonomy, and clinical documentation in Catalonia), in addition to tax and accounting regulations. Only in certain cases of extreme urgency will the basis of legitimation of the patient's vital interest apply.
  - If you do not provide us with the requested data, we will not be able to provide you with the corresponding care service, as this is a matter of contractual and legal requirements, and the Data Controller reserves the right of admission.
- When we use electronic signature systems, for greater security, convenience, paper savings and better management, biometric elements are captured when creating the signature, such as the speed and acceleration of each stroke or the pressure exerted at each point. This data is essential to ensure that you are the one signing the documents and that no one is impersonating you. If you refuse to provide us with biometric data in the form of a written electronic signature, you may sign the document with a non-electronic written signature.
  - The legitimate basis is your consent, which you give by signing the form provided to you at the medical centre.
2.3. If you visit a medical centre in person, whether or not you are a patient, the Data Controller will process your data for the following purposes:
- Video surveillance. If you access a medical centre that has a video surveillance system, you are informed that your image will be processed for the purpose of safeguarding the security of property and persons on the premises.
  - The legitimate basis is the legitimate interest in ensuring the security and protection of the data controller's persons and premises.
3. Category of personal data
The Controller will process the following categories of data to achieve the purposes set out throughout this Privacy Policy.
- Website maintenance
  - Data on behaviour and interaction between the parties:
    - Web or mobile application browsing data collected through cookies or other data storage and retrieval devices: information collected from your browsing on them, in the event that you have accepted the use of cookies and similar technologies on your devices.
- User service
  - Identification data: name and surname.
  - Contact details: e-mail address.
  - Other information (if applicable): subject and message.
- Health and surgical care service
  - Identification data: name, surname, date of birth and ID card number.
  - Contact details: telephone, address, e-mail.
  - Health data: medical history, diagnostic tests, medical history data.
  - Biometric data: written electronic signature, image and voice.
  - Financial data: bank account number, insurance policy details.
  - Identification and contact details of relatives, family members or contact persons.
4. Main addressees
Personal data will not be passed on to third parties, except in the following cases:
- External healthcare providers (e.g., your private doctor who participates in the treatment you receive at the medical centre) and healthcare service or material providers (laboratories for performing analyses or tests, prosthetic service providers and surgical material providers, when they need to access personal data), all for the purpose of providing adequate healthcare, based on compliance with the healthcare service provision contract.
- If you give us your consent, your identification, contact and health-related data may be shared with Medical Centres of GRUPO PENSA SALUD, Oksygen Experience S.L. or Asistencia Avanzada, S.L., in order to provide health care services. We also inform you that you may revoke the consent given at any time.
- Banks and financial institutions, to manage the collection of payments for services rendered, where appropriate.
- Relevant insurance companies. If you are the beneficiary of an insurance policy, the healthcare centre may communicate to them the data strictly necessary for billing the service provided to the patient, constituting necessary processing for the management of the healthcare service provided, on the legal basis of Law 50/1980 on Insurance Contracts and Law 20/2015 on the regulation, supervision and solvency of insurance and reinsurance companies.
- Public authorities and administrations (including the Tax Agency, Social Security, the Catalan Health Service or the Regional Ministry of Health), courts and tribunals and other natural and legal persons, public or private, where applicable according to the regulations applicable to the Data Controller.
- Family members and relatives, regarding the patient's condition, when expressly authorised by the patient or when applicable according to the applicable regulations.
5. International transfers of personal data
We inform you that the Data Controller will not carry out international data transfers.
However, should they occur in the future, the Data Controller guarantees that the data processing and the providers involved will be covered by the guarantee mechanisms established in the applicable regulations.
6. Rights
As the data subject of the personal data undergoing processing, you have the right to contact the relevant Data Controller, depending on the medical centre you visit. We refer you to point 1.1 of this policy to find out which Data Controller is responsible for processing your personal data:
GRUPO PENSA SALUD: you can contact us at C/ Gran Vía de les Corts Catalanes, n.º 657 - 08010 - Barcelona, or at the following e-mail address dpo.centrosmedicosaxa@axa.es
Oksygen Experience S.L.: you can contact us at C/ Can Bruixa, 17 local 4, 08028 Barcelona or at the following e-mail address dpo.centrosmedicosaxa@axa.es
Asistencia Avanzada, S.L: you can contact us at Carretera de Rubí, 72-74 Edificio Horizon, 08174 Sant Cugat del Vallès (Barcelona), or at the following e-mail address dpo.centrosmedicosaxa@axa.es
You may exercise the following rights:
- Right of Access
You have the right to be informed by the Data Controller whether or not your personal data is being processed and, if so, to access that data and receive information about the purposes for which it is being processed, the categories of data affected by the processing, the recipients to whom your personal data has been disclosed, and the expected period of data retention, among other information.
- Right of rectification
You have the right to request the rectification of inaccurate data concerning you when.
- Right to erasure
You have the right to request the deletion of personal data provided that the applicable legal requirements are met, inter alia, when they are no longer necessary for the purposes for which they were collected.
- Right to restriction of processing
In certain circumstances (e.g. in the event that you, as the applicant, dispute the accuracy of your data, while the accuracy of the data is being verified), you may request that we restrict the processing of your personal data and process them only for the purpose of pursuing or defending claims.
- Right to withdraw consent
You also have the right to revoke your consent at any time.
- The right to object in whole or in part to the processing.
You have the right to object to the processing at any time, on grounds relating to your particular situation, where the processing is based on our legitimate interest or the legitimate interest of a third party (including processing for direct marketing purposes and the creation of corresponding profiles). In this case, the Data Controller will cease processing, unless it can demonstrate legitimate grounds.
- Right to data portability
You have the right to receive the personal data that you have provided to the Data Controller, in a structured, common and machine-readable format, and to be able to transmit them to another Data Controller without being prevented from doing so by the Controller to whom you have provided them, in the cases legally foreseen for this purpose.
- Automated individual decisions
In addition to the rights mentioned above, in the context of processing operations involving automated decision-making, including profiling, you have the right to obtain human intervention by the Controller, to express your point of view and to challenge the decision.
- Other
Similarly, where personal data are transferred to a third country or to an international organisation, you have the right to be informed about how you can access or obtain a copy of the appropriate safeguards relating to the transfer.
If you have any further questions or concerns about the exercise of your rights or, in general, about the processing of your personal data, you can contact the relevant Data Protection Officer at the addresses specified above.
Finally, you will have the right to lodge a complaint with a national supervisory authority (the Spanish Data Protection Agency, www.aepd.es) or their respective regional authority.
7. Origin
In addition to the information you provide directly to us (e.g. via forms, information requests, etc.), we will collect information about your browsing habits if you consent to this.
In the event that the data provided refers to third parties other than the patient, you expressly state that you have informed and obtained their prior consent for the processing of their data in accordance with the purposes set out in this Privacy Policy.
In the specific case of minors or legally incapacitated persons, the express consent of the minor's or legally incapacitated person's legal representative shall be required prior to any processing of data.
Retention period
Your personal data will be stored for the following periods:
Type of data | Retention period |
---|---|
Call recording | 1 year |
Data related to enquiries or request management | 2 years |
Data related to quality and satisfaction surveys | 2 years |
Patient documentation or medical history | 20 years since the patient's last care |
Complaints channel | The complainant's personal identification data communicated through the complaints channel will be kept in the complaints system for a period of 1 month from the communication. |
Video surveillance | 1 month |
All of the above is without prejudice to the fact that this period may be extended when you expressly authorise it or when there are specific processing operations derived from the contractual relationship that remain in force after said period. Likewise, your personal data will be kept for the limitation period of the liabilities derived from the processing, without prejudice to the duty of blocking. Once the retention periods have expired, the information will be deleted.
Last update: July 2025