Privacy Policy

I. PRIVACY POLICY AND DATA PROTECTION

Following the regulations included in the current legislation, British Surgery Of Lanzarote (the “Site”) agrees to adopt all requirements, either technical or organisational, to comply with the necessary level of confidentiality and security based on the type of information collected.

This privacy policy is adapted to Spanish and European legislation in terms of the protection of personal data on the internet. More specifically, this policy follows all the regulations shown below:

• The regulation (EU) 2016/679 of the European Parliament and the Council of April 27 of 2016 on the protection of natural persons concerning the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (GDPR).

• The Organic Law 3/2018 of December 5, on Personal Data Protection and Guarantee of the Digital Rights (LOPD-GDD).

• The Real Decree 1720/2007 of December 21, in which it is approved the regulation of development of the Organic Law 15/1999 of December 13 of the Protection of Personal Data (RDLOPD).

• The Law 34/2002 of July 11, on Services of the Society of Information and E-Commerce (LSSI-CE).

Identity of the Data Controller for the processing of Personal Data

The Data Controller for the use of Personal Data collected in https://britishsurgeryoflanzarote.com is:

• NENE-LOOCKED SL, with Identification Number: B35511336 and inscribed in the Commercial Registry of Las Palmas with the following registry data: Tomo 80, Folio 6, Sección 8, H IL 2424. The Representative of NENE-LOOCKED SL (the “Company”) is Miguel Alberto Medina Valenzuela (the “Representative”).

• You can contact the Company through the following methods:

E-mail: surgery@britishsurgeryoflanzarote.com

Telephone: +34928514274

Mail: Avenida de Las Playas, 67, Puerto del Carmen, 35510, Lanzarote, Spain.

Data Protection Officer (DPO)

The data protection officer is in charge of ensuring compliance with the data protection regulations to which the Company is subject to. The User can contact the DPO, which is the Representative, using any of the methods listed on ways to contact the Company, which is listed above.

Collection of Personal Data

In compliance with the provisions of the GDPR and the LOPD-GDD, we inform you that the personal data collected by the Site through the use of forms will be incorporated and processed into our files in order to be able to facilitate, expedite, and fulfil the commitments established between the Company and the User or to maintain the relationship that is established through the completion of the forms, or to attend to a request or consultation from the User. Likewise, following the provisions of the GDPR and the LOPD-GDD, unless the exception provided in Article 30.5 of the GDPR applies, a record of treatment activities is maintained that specifies, according to their purposes, the treatment activities carried out and the other circumstances established in the GDPR.

Applicable Principles to the Processing of Personal Data

The processing of the User’s Personal Data shall be subject to the following principles contained in Article 5 of the GDPR and Article 4 et seq. of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights:

• Principle of Legality, Loyalty, and Transparency: The User’s consent will be required at all times after being informed concisely on the purposes for which the personal data is collected.

• Principle of Limitation of Purpose: Personal Data will be collected for specific, explicit, and legitimate purposes.

• Principle of Data Minimisation: the personal data collected will be only those necessary concerning the purposes for which they are processed.

• Principle of Accuracy: personal data must be exact and always up to date.

• Principle of Limitation of the Retention Period: Personal Data will only be maintained in a way that allows the identification of the User for the time necessary for the purposes of their processing.

• Principle of Integrity and Confidentiality: Personal Data will be processed in a way that guarantees their security and confidentiality.

• Principle of Proactive Responsibility: the Data Controller will be responsible for assuring that the principles mentioned above are followed.

Categories of Personal Data

The categories of data processed in the Site are both identifying data and special categories of Article 9 of the GDPR and Article 9 of the Organic Law 3/2018 of December 5 on the protection of personal data and the guarantee of digital rights.

Special categories of personal data are those that reveal ethnic or racial origin, political opinions, religious or philosophical convictions, or union membership, and the processing of genetic data, biometric data aimed at uniquely identifying a natural person, health data, or data relating to a natural person’s sex life or sexual orientation.

For the processing of special categories of personal data, explicit consent of the User for one or more specific purposes will be necessary in any case.

Legal basis for the processing of Personal Data

The legal basis for the processing of personal data is consent. The Company agrees to seek express and verifiable consent from the User for the processing of their Personal Data for one or more specific purposes.

The User will have the right to withdraw his consent at any time. It will be as easy to withdraw consent as to give it. As a general rule, the withdrawal of consent will not condition the use of the Site.

On occasions where the User must or may provide his data through forms to consult, access medical services, request information, or for reasons related to the content of the Website, they will be informed if the completion of any of them is mandatory because they are essential to the proper development of the operation carried out.

Purposes of the processing for which Personal Data is destined to

Personal data are collected and managed by the Company in order to be able to facilitate, expedite, and fulfil the commitments established between the Company or Site and the User or the maintenance of the relationship established on the forms that the User fills out or to meet a request or consultation.

Likewise, the data may be used for a commercial purpose of customisation, operation and statistics, and activities typical of the Company’s social object, as well as for the extraction, storage of data and marketing studies to adapt the content offered to the User, as well as to improve the quality, operation, and navigation of the Site.

At the time that the Personal Data is obtained, the User will be informed about the specific purpose or purposes of the processing for which the personal data will be used; that is, the use or uses that will be given to the information collected.

Periods of retention of Personal Data

Personal Data will only be retained for the minimum time necessary for the purposes of their processing and, in any case, only for the following period: 10 years from the last medical visit or until the User requests its deletion.

At the time that the Personal Data is obtained, the User will be informed about the period during which the Personal Data will be kept or, when that is not possible, the criteria used to determine this period.

Recipients of Personal Data

The User’s Personal Data will be shared with the following recipients or categories of recipients:

• Google Analytics provided by Google LCC

You can review Google Analytics’ privacy policy by going to:

https://marketingplatform.google.com/about/analytics/terms/us/

• Zoho Group

You can review Zoho Group’s privacy policy by going to:

https://www.zoho.com/privacy.html

If the Data Controller intends to transfer personal data to a third country or international organisation, at the time the personal data are obtained, the User will be informed about the third country or international organisation to which it is intended to transfer the data, as well as the existence or absence of an adequacy decision by the European Commission.

Personal Data of Minors

Following the provisions of Article 8 of the GDPR and Article 7 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights, only those over the age of 14 may grant their consent to the processing of their Personal Data lawfully by the Company. In the case of a child under the age of 14, parents or guardians’ consent for the processing of Personal Data will be necessary, and this will only be considered lawful to the extent that they have authorised it.

Confidentiality and Security of Personal Data

The Company agrees to take the necessary technical and organisational measures, according to the level of security appropriate to the risk of the data collected, in such a way as to guarantee the security of Personal Data and to prevent the accidental or unlawful destruction, loss or alteration of Personal Data transmitted, stored or otherwise processed, or unauthorised communication or access to such data.

The Site has an SSL (Secure Socket Layer) certificate, which ensures that Personal Data is transmitted securely and confidentially, being the transmission of the data between the server and the User, and in feedback, fully encrypted.

However, because the Company cannot guarantee the impregnability of the internet or the total absence of hackers or others who fraudulently access Personal Data, the Data Controller undertakes to communicate to the User without undue delay when a violation of the security of Personal Data that is likely to pose a high risk to the rights and freedoms of natural persons occurs. Following the provisions of Article 4 of the GDPR, a violation of the security of Personal Data means any breach of security that causes the accidental or unlawful destruction, loss or alteration of Personal Data transmitted, stored or otherwise processed, or unauthorised communication or access to such data.

Personal Data will be treated as confidential by the Data Controller, who undertakes to report and guarantee through a legal or contractual obligation that such confidentiality is respected by his employees, associates, and anyone to whom the information is accessible.

Rights derived from the processing of Personal Data

The User has over the Company and may, therefore, exercise against the Data Controller the following rights recognised in the GDPR and the Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights:

• Right of access: It is the right of the User to obtain confirmation of whether or not the Company is processing their Personal Data and, if so, obtain information about their specific Personal Data and the treatment that the Company has carried out or carries out, as well as, among other things, of the information available on the origin of such data and the recipients of the communications made or planned thereof.

• Right of rectification: It is the right of the User to have their Personal Data modified that proves to be inaccurate or, taking into account the purposes of the processing, incomplete.

• Right of deletion (“the right to forget”): It is the right of the User, provided that current legislation does not establish otherwise, to obtain the deletion of their Personal Data when these are no longer necessary for the purposes for which they were collected or processed; the User has withdrawn their consent to the processing, and it does not have another legal basis; the User opposes the processing, and there is no other legitimate reason to continue it; Personal Data have been illegally processed; Personal Data must be deleted in fulfilment of a legal obligation, or Personal Data have been obtained as a result of a direct offer of services from the information society to a child under the age of 14. In addition to deleting the data, the Data Controller, taking into account the available technology and its application cost, must take reasonable steps to inform those who are processing the Personal Data of the data subject’s request to delete any link to such Personal Data.

• Right to the limitation of processing: it is the right of the User to limit the processing of their Personal Data. The User has the right to obtain the limitation of the processing when they challenge the accuracy of their Personal Data; the processing is illegal; the Data Controller no longer needs the Personal Data, but the User needs it to make complaints; and when the User has opposed the processing.

• Right to data portability: In the event that the data processing is carried out by automated means, the User shall have the right to receive their Personal Data form the Data Controller in a structured, commonly used and mechanically readable format and to transmit them to another Data Controller. Whenever technically possible, the Data Controller will transmit the data directly to that other Data Controller.

• Right of opposition: It is the right of the User not to carry out the processing of their Personal Data or to cease their processing by the Company.

• Right not to be subject of a decision based solely on automated processing, including profiling: It is the right of the User not to be subject of an individualised decision based solely on the automated processing of their Personal Data, including profiling unless the current legislation dictates otherwise.

The User will be able to exercise their rights by means of written communication addressed to the Data Controller with the reference “GDPR–BRITISHSURGERYOFLANZAROTE” specifying:

• Full Name and copy of their Passport. In cases where representation is admitted, it will also be necessary to identify by the same means the person representing the User, as well as the document accrediting the representation. The photocopy of the Passport may be replaced by any other means valid under law that proves identity.

• The petition with the specific reasons for the request of information you want to access.

• Postal address in which to be notified, or an e-mail address instead.

• Date and signature from the requester.

• All documents that accredit the request made.

This request and any attached documents may be sent to the following address and/or e-mail address:

• Mailing Address: Avenida de Las Playas, 67, Puerto del Carmen, 35510, Lanzarote, Spain

• E-mail Address: surgery@britishsurgeryoflanzarote.com

Links to third-party websites

The Site may include hyperlinks or links that allow access to third parties’ websites other than the Company. The owners of such websites will have their own Data Protection policies, being themselves, in each case, responsible for their own files and their own privacy practices.

Claims to the Supervisory Authority

If the User considers that there is a problem or violation of the regulations in force in the way in which their Personal Data are processed, they will have the right to effective judicial protection and to file a complaint with a supervisory authority, in particular in the State in which they have their habitual residence, workplace, or place of the alleged offence.

II. COOKIE POLICY

Access to this Website may, unless denied, involve the use of cookies. Cookies are small amounts of information stored in the browser used by each User – on the different devices, you can use to navigate the internet – so that the server remembers certain information that will later and only the server that implemented it will read. Cookies make browsing easier, make it more friendly, and don’t damage the browsing device.

Cookies are automatic procedures for collecting information regarding the preferences determined by the User during their visit to the Website in order to recognise them as a User and to personalise their experience and use of the Site, and can also, for example, help identify and resolve errors.

The information collected through cookies may include the date and time of visits of the Site, the pages viewed, the time you have been on the Site, and the sites visited just before and after it. However, no cookie allows it to be contacted with the User’s phone number or any other means of personal contact. No cookie can extract information from the User’s hard drive or steal personal information. The only way for the User’s private information to be part of the Cookie file is for the User to personally give that information to the server.

Cookies that allow a person to be identified are considered Personal Data. Therefore, the Privacy Policy described above will apply to them. In this sense, the use of them will require the consent of the User. This consent will be communicated, based on an authentic choice, offered by an affirmative and positive decision, before the initial, removable and documented treatment.

First-Party Cookies

These are cookies that are sent to the User’s computer or device and are managed exclusively by the Company for the best functioning of the Site. The information collected is used to improve the quality of the Site and its content, and its experience as a User. These cookies allow us to recognise the User as a recurring visitor to the Site and adapt the content to offer you content that conforms to your preferences.

Third-Party Cookies

These are cookies used and managed by external entities that provide the Company with services requested by the Company to improve the Site and the User’s experience when browsing the Site. The main objectives for which third-party cookies are used are to obtain and analyse browsing information, that is, how the User interacts with the Site; additionally, it is also used to offer services such as a chatbot.

The information obtained refers, for example, to the number of pages visited, the language, the place from which the IP address from which the User accesses the Site, the number of Users who access the Site, the frequency and recidivism of visits, the visit time, the browser they use, the operating system or type of device from which the visit is made. This information is used to improve the Site and detect new needs to offer Users optimal quality, content, and/or service. In any case, the data is collected anonymously, and trend reports on the Site are prepared without identifying individual users.

You can learn more about cookies, privacy information, or consult the description of the type of cookies used, their main characteristics, expiration period, etcetera, at the following links:

• Google Analytics:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

• Zoho:

https://www.zoho.com/privacy.html

• Webflow:

https://webflow.com/legal/privacy

The entities in charge of providing cookies may transfer this information to third parties, provided that it is required by law or by a third party that processes this information for those entities.

Disable, Reject, and Delete Cookies

The User can disable, reject, and delete cookies – in whole or in part – installed on their device by configuring their browser (E.g., Chrome, Microsoft Edge, Safari, etcetera). In this sense, procedures for rejecting and eliminating cookies may differ from one internet browser to another. Consequently, the User must go to the instructions provided by the internet browser they are using themselves. If you reject the use of cookies – you may continue to use the Site, although you may have limited the use of some of the Site’s features.

III. ACCEPTANCE AND CHANGES TO THIS PRIVACY POLICY

It is necessary that the User has read and accepts the conditions on the protection of Personal Data contained in this Privacy and Cookies Policy, as well as to accept the processing of their Personal Data so that the Data Controller can access it in the established manner, during the allowed period, and for the purposes indicated. The use of the Site and acceptance of the cookie banner will imply acceptance of the Site’s Privacy and Cookies Policy.

The Company reserves the right to modify its Privacy and Cookies Policy, at its own discretion, or motivated by a legislative, jurisprudential or doctrinal change of the Spanish Data Protection Agency. Changes or updates to this Privacy and Cookies Policy will be explicitly notified to the User.

This Privacy and Cookies Policy was updated on February 22, 2021, to adapt to the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of Personal Data and the free movement of such data (GDPR) and the Organic Law 3/2018 of December 5 on the Protection of Personal Data and the Guarantee of Digital Rights.

‍