Skip to Content

Privacy Policy

PRIVACY POLICY AND DATA PROTECTION


The protection of your personal data is a fundamental priority. This privacy policy aims to inform you clearly and in detail about the processing of your personal data within the framework of Health Psychology and Mediation services.

In the provision of these services, compliance with the current regulations on data protection and your rights as a user is guaranteed, including the General Data Protection Regulation (GDPR 2016/679), the Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD), the Law 41/2002 on Patient Autonomy, the Law 5/2012 on Mediation in Civil and Commercial Matters, as well as the applicable regional regulations on family mediation.

This policy establishes a common framework of privacy and confidentiality applicable to all services offered, integrating the specific particularities of Health Psychology and Mediation, without prejudice to the necessary regulatory, technical, and ethical distinction between the two.

 

1. Data Controller

The data controller of your personal data is Antonio Romero Pérez, General Health Psychologist (Nº Col. MU03905), with a professional address at Cristóbal de los Pinas 5, emailantoniotomas@eudai.esand phone 659899220.

His role is to ensure that personal data is processed lawfully, fairly, and transparently, as well as to implement the necessary technical and organisational measures to protect it against unauthorised access, alterations, losses, or misuse.

 

 2. Personal Data Processed

We will only collect the strictly necessary data in order to correctly provide you with the services you request. This data may include your first and last name, ID number, address, email address, and phone number.

In the case of the Health Psychology service, we may also collect information related to previous assessments, interventions, and treatments. Additionally, we can gather data about your performance in academic, work, social, and family areas, as well as any other information we consider relevant for conducting a proper evaluation, diagnosis, and psychological intervention.

For mediation processes, we will only collect data that is linked to the conflict or situation subject to mediation and to the people involved.

In all cases, we process your data only after obtaining your consentexplicit, free, informed, specific, and unambiguous. This means that you will have full control over the information you share and how it is used.

 

3. Purpose of processing

Your data will only be used for the necessary purposes to provide you with our services correctly and safely. These purposes include:

·       Managing the professional relationship we maintain with you.

·       Coordinating appointments and sending you reminders for sessions or meetings.

·       Billing and compliance with legal, tax, and accounting obligations.

·      Complying with the legal, health, and ethical obligations that are applicable to our professional activity.

 

4. Legal basis for processing

We always handle your personal data with a clear legal justification, as required by the regulations. These are the bases we apply:

· Your explicit consent: we use your data only if you give us permission freely, informed and specifically. This includes, for example, data about your health or personal situation necessary for psychological care (art. 6.1.a and 9.2.a GDPR).

· To fulfil the professional relationship: some data, such as your name, contact details and session information, are used to provide our services and manage the professional relationship with you (art. 6.1.b GDPR).

· Compliance with legal obligations: we process certain data, such as tax or accounting data, to comply with current legislation and administrative obligations (art. 6.1.c GDPR).

· Provision of health and psychological services: sensitive data, including clinical information or psychological assessments, are used exclusively to provide you with a quality and safe service, and to carry out appropriate diagnoses and interventions (art. 9.2.h GDPR).

With this, it is clear what data we use, for what purpose and under what legal basis, in a transparent and easy-to-understand manner.

 

5. Means and tools used

To provide our services securely and in an organised manner, we use different equipment, platforms and communication channels, each with a specific purpose and always protecting your data according to current regulations:

· Online platform “Odoo”: is used exclusively for managing schedules, billing and web hosting. All data is securely stored and backups are made on servers located in the European Union.

· Online platform and desktop applications of “Microsoft 365 Business Standard”: it is used exclusively for agenda management, general administration, online meetings, and online backups of medical records and mediation files. Except for contact data, all data is encrypted on local equipment (end to end), before being stored in the cloud and on servers located in the European Union.

· Personal computer: protected with access password, encryption system, and local backup. It is used to store medical records and mediation files in a secure digital file.

· Document digitisation and destruction equipment: allows for scanning physical documents and destroying them following the P-5 security standard (DIN 66399), ensuring the protection of information.

· Communication channels (email, WhatsApp, Telegram, SMS, and phone calls): are used to provide general information, confirm or remind appointments, and manage other requests or services.


Notice regarding health information:

It is not advisable to send health or sensitive information through communication channels such as: email, messaging applications, or SMS;WE CANNOT ENSURE CONFIDENTIALITY. Some services may allow access to third parties or store data outside the EU.

Therefore, we strongly recommend using in-person sessions or secure video calls to transmit this type of information. Any data sent by other means will be the responsibility of the sender.


6. Recipients of the data and data processors

In general, we do not share your personal data with third parties, unless there is a legal obligation or it is strictly necessary to provide the service correctly.

Some providers who assist us with ancillary tasks, such as management platforms, IT services, hosting or tax and accounting advice, may have access to your data as data processors. We have signed the corresponding contracts with all of them in accordance with Article 28 of the GDPR, to ensure that your data is processed securely and in compliance with the law.

In addition, your data may be communicated to public administrations, judicial or health authorities only when there is a legal obligation to do so.

 

7. International data transfers

We do not carry out international data transfers on our part.

However, as explained in point 5, if you choose to use certain messaging or email applications to send sensitive information, there is a risk that your data may be stored or accessed from other countries, outside of our control. For this reason, the sending of information by these means is solely your responsibility.

We recommend always using in-person sessions or secure video calls to share sensitive data and ensure its confidentiality.

 

8. Data retention period

We retain your personal data only for as long as is necessary to fulfil the purpose for which it was collected and, subsequently, during the periods required by law. Specifically:

8.1. Medical records and health documentation

Adults: they are kept for 5 years from the last consultation, as established by Law 41/2002 on Patient Autonomy (art. 13) and applicable health regulations.

Minors: they are kept until the minor turns 18 years old plus an additional 5 years, that is, 23 years, to ensure compliance with legal responsibilities.

8.2. Documentation of mediation

It is kept according to Law 5/2012 on Mediation in Civil and Commercial Matters and general legal criteria, for a minimum of 5 years from the end of the process, unless there is a legal obligation requiring a longer period.

8.3. Tax and accounting data

According to the General Tax Law, they are kept for 4 years for invoicing, collections, declarations, and accounting justifications.

In this way, your data is maintained only for the necessary time, combining the security of your information with compliance with current regulations.

 

9. Rights of the interested parties

You have a number of rights regarding your personal data, which you can exercise at any time:

·       Right of access: you can know what personal data we have about you, what we use it for, with whom we share it, and how long we keep it.

·       Right of rectification: you can correct any data that is inaccurate or incomplete.

·       Right of cancellation or deletion (right to be forgotten): you can request that your data be deleted when it is no longer necessary for the original purposes or if you have withdrawn your consent. This right is subject to possible legal obligations of retention.

·       Right of opposition: you can prevent your data from being processed for certain purposes, such as advertising, marketing or commercial prospecting, or for processing based on legitimate interests, except for legal exceptions.

·       Right to data portability: you can receive your data in a structured, commonly used and readable format, and transfer it to another data controller if you wish.

·       Right to restrict processing: you can request that the use of your data be limited while its accuracy is verified or its processing is contested.

·       Right not to be subject to automated decisions: your data will not be used for solely automated decisions (such as automated diagnostics or scoring) without human intervention, except for legal exceptions.

To exercise any of these rights, you can send a written request (verifying your identity) to the data controller: Antonio Romero Pérez (antoniotomas@eudai.es).

If you believe your rights have been violated, you can also file a complaint with the Spanish Agency for Data Protection (AEPD).


10.           Consequences of not providing the data

If you do not provide the personal data that is necessary to provide the service, it may not be possible to start or continue the provision of the professional service you request.

In other words, to be able to offer you a complete and secure service, we need to have the essential information; without it, some processes or interventions may be limited.

 

11.           Data processing for minors and persons with legally limited capacity

When services are provided to minors or individuals with legally limited capacity, the processing of their data and the provision of the service will be carried out in accordance with current data protection regulations and Law 41/2002 on Patient Autonomy, always ensuring:

· Confidentiality and data protection, in accordance with the GDPR and the LOPDGDD.

· Right to information and participation in decision-making regarding their care, adapting the information to the age and understanding capacity of the minor or person with limited capacity.

 

11.1. Consent according to age and family situation

Under 14 years old:

Consent from both parents is required, unless parental authority belongs solely to one of them; in that case, the consent of the parent with legal responsibility will suffice.

Minors between 14 and 18 years old:

In addition to the consent of the parents or legal guardians, the minor's capacity for discernment will be taken into account, listening to their opinion about the service and providing them with clear and understandable information about the procedures, risks, and alternatives.

Separated or divorced parents:

Consent will be required from the person who has been granted legal custody, or from both if so established by a court ruling.

  

11.2. Additional rights and guarantees

The data controller will ensure that the information provided to the minor or their legal representative is clear, comprehensible, and sufficient to make informed decisions about the provision of the service.

The provision of the service will strictly adapt to data protection regulations, the Patient Law, and the principles of the best interests of the child.

 

12. Information Security

Technical and organisational measures are applied to protect your personal data and ensure its confidentiality, integrity, and availability. These measures include:

·       Encryption of information, on local equipment (end to end), so that only authorised persons can access the data.

·       Backup copies(local and online backups), to ensure the availability of information in the event of any eventuality.

·       Access control, limiting who can view or handle the data according to their role.

·       Secure storage, ensuring that data is stored in protected locations and complies with current regulations.

These measures are designed to ensure that your data is protected at all times, both in physical and digital formats.

 

13. Differentiation of roles

In order to guarantee impartialityand neutrality, the provision of Psychology services cannot precede a Mediation intervention. Both functions are strictly differentiated and separated, avoiding any influence between them.neutralidad, la prestación de los servicios de Psicología no puede preceder a una intervención de Mediación. Ambas funciones se mantienen estrictamente diferenciadas y separadas, evitando cualquier influencia entre ellas.

This criterion applies to both past and present professional relationships, and is based on the ethical principles of psychological practice and the regulations governing mediation, ensuring that each service is carried out with independence and objectivity.

  

14. Closure and acceptance

Accessing and using the website, requesting or booking any of the services offered, or participating in sessions of Health Psychology or Mediation, implies acceptance of this specific privacy policy.

Regardless of the above, each service will have its own document ofInformed Consent, which will be provided before the start of the intervention and will be tailored to the characteristics and requirements of each activity.

Users will be able to exercise their rights regarding personal data protection at any time in accordance with the provisions of the general privacy policy and current regulations, including the withdrawal of consent given at any time, without the need to justify their decision.