GDPR: 6.1(c) Processing is necessary for compliance with a legal obligation to which the controller is subject.
Royal Legislative Decree 2/2015 of 23 October, approving the consolidated text of the Workers’ Statute Law.
Law 58/2003 of 17 December, General Tax Law.

Purposes of Processing:

• Procurement of products and/or services required for the development of our activities.
• Monitoring of subcontractors where applicable.

Data Subjects:

• Suppliers.
• Individuals working for our suppliers.

Categories of Data:

• First name and surname, ID number (DNI/NIF/other identification document), address, signature and telephone number.
• Employment details: job position; occupational health and safety training.
• Financial and insurance data: bank details.

Categories of Recipients:

• Financial institutions (invoice payments).
• Spanish Tax Agency.

International Transfers:
No international data transfers are envisaged.

Retention Period:
Data will be retained for as long as necessary to fulfil the purpose for which they were collected and to determine any potential liabilities arising from that purpose and from the processing of the data, in accordance with Law 58/2003 of 17 December, General Tax Law.

Security Measures:
Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

Processing of Security Breach Notifications

Legal Basis:
GDPR: 6.1(c) Processing is necessary for compliance with a legal obligation applicable to the controller.
General Data Protection Regulation, Articles 33 and 34.

Purposes of Processing:
Management and assessment of security breaches occurring within our organisation.

Data Subjects:
Variable: employees, clients, suppliers, contact persons (depending on the breach).

Categories of Data:
Variable (depending on the breach).

Categories of Recipients:

• Spanish Data Protection Agency.
• State Security Forces and Bodies.

International Transfers:
No international data transfers are envisaged.

Retention Period:
Data will be retained for as long as necessary to fulfil the purpose for which they were collected and to determine any potential liabilities arising from that purpose and the processing of the data. Archival and documentation regulations shall apply.

Security Measures:
Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

Processing of Medical Records

Legal Basis:
GDPR: 6.1(b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Purposes of Processing:
To manage health data, including patients’ medical records, in order to provide accurate diagnoses, monitor prescribed treatments, assess visual efficiency and coordination, and address vision-related issues.

Data Subjects:
Patients.

Categories of Data:

• First name and surname, ID number (DNI/NIF/other identification document), address, signature and telephone number.
• Health data.

Categories of Recipients:

• Public health authorities (where applicable).
• Financial institutions (service payments).

International Transfers:
No international data transfers are envisaged.

Retention Period:
Data will be retained for as long as necessary to fulfil the purpose for which they were collected and to determine any potential liabilities arising from that purpose and the processing of the data.

Security Measures:
Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

YOUR RIGHTS

You have the right to request a copy of your personal data, to rectify inaccurate data or complete incomplete data, or, where appropriate, to request their erasure when they are no longer necessary for the purposes for which they were collected.

You also have the right to restrict the processing of your personal data and to receive your personal data in a structured, commonly used and readable format.

You may object to the processing of your personal data in certain circumstances (in particular, where we do not need to process them to comply with a contractual or other legal requirement, or where the processing is for direct marketing purposes).

Where you have given your consent, you may withdraw it at any time. At that point, we will cease processing your data or, where applicable, cease processing them for that specific purpose. Withdrawal of consent will not affect any processing carried out while your consent was valid.

These rights may be limited; for example, if fulfilling your request would reveal data about another person, or if you request the deletion of records we are required to retain by law or for legitimate interests, such as the defence of legal claims. They may also be limited where freedom of expression and information must prevail.

You may contact us by any of the means indicated in the Data Controller section of this privacy policy, providing a copy of a document proving your identity (usually your ID document). The most convenient way to exercise your rights is via our RIGHTS PORTAL:
https://www.adelopd.com/portalderechos/enfocat-terapiavisual

You also have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

If you believe your rights have been violated—for example, if we have not addressed your request—you have the right to lodge a complaint with a data protection supervisory authority. This may be the authority in your country (if you live outside Spain) or the Spanish Data Protection Agency (if you live in Spain).

Additional Information

Links to third-party websites
Our website may occasionally contain links to other websites. It is your responsibility to ensure that you read the data protection policy and legal terms applicable to each site.

Third-party data
If you provide us with data relating to third parties, you assume responsibility for informing them in advance in accordance with Article 14 of the GDPR.