Privacy Policy
Privacy Policy of Lola Fernandez Pardo
Introduction
Protecting privacy and the legitimate use of personal data are an absolute priority for Lola Fernandez Pardo, residing at Dis. Mocha el Castillo 28692 Madrid (“we” or the “Data Controller”). This privacy policy (“Policy”) explains how we collect, use, store, and process the personal data of our users in the context of and for the purposes of the services provided at our facilities, including medical and healthcare services and other related services (collectively, the “Services”).
We recommend that you read this information carefully before scheduling a medical consultation or visiting our premises.
Categories of Data Processed
The Data Controller collects the following data:
- GENERAL DATA:
a. Personal and contact information (such as name, surname, date and place of birth, gender, residence, phone number, email address, and other identifying details);
b. Payment data (e.g., bank account number for direct debit purposes);
- SPECIAL CATEGORIES OF DATA (SENSITIVE DATA):
a. Health-related data (such as information on symptoms, existing or previous illnesses, diagnostic data, results of medical tests, or similar data);
b. Other special categories of personal data: NONE
Legal Basis for Data Processing
GENERAL DATA:
We process users’ personal data based on one or more of the following:
a. To perform the contract entered into between us and the user concerning the provision of Services;
b. To comply with our legal obligations;
c. Based on our legitimate interests, such as: improving the user experience, preventing fraud, ensuring the security of our network, data, or IT systems, contacting users, optimizing service levels, and managing our clinic (provided that these interests do not override users’ fundamental rights and freedoms);
d. When necessary, based on the user's express consent, which can be withdrawn at any time.
SPECIAL CATEGORIES OF DATA (SENSITIVE DATA):
We only process sensitive personal data based on the explicit and informed consent of the data subject (or their legal representative in the case of users under 16 years of age). In the case of health-related data, we process it strictly when necessary for diagnosis, healthcare or social treatment, or the management of healthcare or social systems and services, and always under the responsibility of a professional bound by confidentiality, as per Article 9 of the EU General Data Protection Regulation 2016/679 ("GDPR").
In any case, we are always obligated to maintain maximum confidentiality, particularly concerning data about health and sexual life.
Purposes of Processing Personal Data
We process personal data for the following purposes:
a. To manage the user relationship necessary to provide the Services;
b. To comply with our legal, administrative, accounting, and tax obligations;
c. To contact you for managing service provision (via phone, fax, postal mail, email);
d. For any other purpose necessary in relation to the agreed Services between the client and the professional; and/or
e. For marketing and other commercial communications (only with the user’s express and specific consent, which can be withdrawn at any time).
User Rights
Data subjects may exercise the rights described in Articles 15, 16, 17, 18, 19, 20, 21, and 34 of the GDPR at any time by sending an email or written communication to the Data Controller: lola.ferdez@gmail.com.
Specifically, each user has the right to:
a. Request and obtain access to their personal data (copy of user’s personal data), verify its accuracy, and request its update, rectification, or completion (and obtain confirmation from the Data Controller);
b. Request and obtain the deletion of their personal data (“right to be forgotten”) if (a) the data is unlawfully processed or no longer necessary for the purposes it was collected, or (b) consent is withdrawn (where processing is based on consent, and no other legal grounds apply), or under other circumstances outlined in Article 17 of the GDPR, and to obtain confirmation of the deletion;
c. Request and obtain restriction or blocking of personal data processing in the cases provided for in Article 18 of the GDPR or object to processing based on our legitimate interests;
d. Object to profiling (including automated decision-making), except as permitted under Article 22(2) of the GDPR, and to the use of personal data for direct marketing;
e. Obtain the portability of their data processed by automated means, in accordance with Article 20 of the GDPR;
f. Be informed without delay of any data breach involving their personal data that presents a high risk to their rights and freedoms.
At any time, the data subject may withdraw previously given consent without affecting the lawfulness of prior processing.
The Data Controller may retain certain personal data after a request for deletion, solely to assert or defend legal claims, or as otherwise required by law.
Data Security
The processing of personal data is based on the principles of lawfulness, fairness, transparency, data minimization, relevance, and accountability. It may be carried out using paper and/or electronic means, provided they are suitable for ensuring security and confidentiality, and always with technical and organizational measures in place to minimize risks of loss, theft, unauthorized access, unlawful use, accidental alteration, and dissemination, in compliance with applicable regulations and professional confidentiality.
Retention Period
Personal data will only be retained for the time necessary to achieve the purposes for which it was collected or for any other legitimate related purposes.
Once the purpose has been fulfilled, the personal data will be irreversibly anonymized, deleted, or securely destroyed.
Retention periods for the purposes outlined above are as follows:
- GENERAL DATA: Stored for the duration required to fulfill contractual/accounting obligations and, in any case, for a maximum of 10 years after the end of the contractual relationship between the Data Controller and the user;
- SPECIAL CATEGORIES OF DATA (SENSITIVE DATA):
a. Health data: Stored for 5 years
b. Other special categories of data: N/A
Disclosures to Third Parties
Data will be processed by the Data Controller and by processors designated and authorized under the GDPR (“Processors”), using appropriate technical-organizational measures in compliance with data protection laws.
Personal data will not be sold or disclosed to third parties except in the following cases (and always in accordance with applicable law and without limiting the Data Controller's responsibility for the processing carried out by such parties):
a. Public authorities, in the performance of their legal duties;
b. Companies/entities providing assistance, consultancy, or collaboration in areas such as accounting, administration, tax, legal, or financial services;
c. Third parties (e.g., providers, partners, insurance companies) appointed by the Data Controller as processors;
d. Oversight bodies, judicial authorities, and other entities where legally required.
The Data Controller does not transfer personal data outside the European Economic Area, except where there is an adequacy decision by the European Commission or based on other safeguards or exceptions outlined in Chapter V of the GDPR.
Complaints
For any complaints or concerns regarding data processing, users may contact the Data Controller at any time at lola.ferdez@gmail.com. We will do our best to provide the highest level of support.
If a satisfactory response is not received, users may file a complaint with the Spanish Data Protection Agency, at C/Jorge Juan, 6. 28001-Madrid.
☐ I consent to the processing of my personal data (or the personal data of a minor under 16 years old as their legal representative), including special categories of data, for the purposes described in this Privacy Policy*
☐ I consent to receiving commercial communications
* Mandatory field to book a medical appointment