Header links
Intranet
Donate now
image/svg+xml Map
Contact us

Personal data protection

Personal data protection

In accordance with Regulation (EU) 2016/679 of the Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights, We inform you.

Data controller

Fundació Hospital Universitari Vall d'Hebron - Institut de Recerca – VHIR

NIF G-60.594.009

Passeig de la Vall d'Hebron, 119-129, edifici Central, 08035 Barcelona

T. 93 489 30 00

From the Legal Unit of our Foundation we will resolve your doubts, complaints, clarifications or suggestions, and we will attend to the exercise of your rights by the email lopd@vhir.org.

Data Protection Officer

In compliance with the GDPR, the VHIR has appointed a data protection officer: Fundació Tic Salut Social dpd@ticsalutsocial.cat.

Data we process through the web

We may process the data we collect through the forms and means of contact on this website, such as:

Name and surname, email, telephone number and information that you can provide us with in the body of the message.

The data requested are strictly necessary, adequate, pertinent and limited to the purpose for which they are collected, and will be processed in a lawful, loyal and transparent manner. These are optional, however, without filling in all the required data it is possible that we will not be able to respond correctly to your request.

You guarantee that the data provided is true and personal, and the VHIR is not responsible for the consequences that may arise against you and third parties from the processing of inaccurate data that you have provided to us.

Purposes of the processing of personal data

  • To report on news and activities related to the VHIR.
  • Inform about patronage campaigns.
  • Donation management (You can consult the specific privacy policy through this link).
  • Respond to requests for specific information.
  • Resolve doubts, queries, complaints and claims.
  • Management of the Whistleblowing Channel.
  • Intranet Management.

In the management of the Intranet, as a registered user, and member of the VHIR, the processing will be carried out for the purpose of providing the services offered by the entity, as well as to regulate and comply with the legal obligations of the relationship that binds us, either as an employee or as an attached member. We inform you that the information in the databases may be used for the identification of users. In addition, as a member of VHIR, you may also receive emails about training and other current aspects of VHIR. If you wish to unsubscribe from these communications, you can do so through the links provided therein or by making a request to lopd@vhir.org.

As a job applicant for an application offered by the VHIR or has spontaneously sent us your CV data, you will be accepting the processing of your data in order to subscribe to the application, maintain communication in relation to the status of the application, to access the CV submitted, as well as the candidate's social networks; to compare whether their data fit vacancies that must be filled by the VHIR and to verify, where appropriate, that the information provided is truthful. This information may be shared with third parties in charge of the processing involved in the management of the application, which will be expressly informed at the time of data collection.

Legitimate basis for data processing

The legitimate basis for the processing of your data for the purposes of information in general and resolution of doubts, queries and complaints, will be the consent granted by the interested party. You may withdraw your consent at any time, without retroactive effect.

The legitimate basis for the processing of your data for the processing of the Whistleblowing Channel will be compliance with a legal regulation.

The legitimate basis for the processing of your data for the management of the intranet and relations maintained with the VHIR will be the execution of a contract to which the VHIR is a party.

No automated decisions will be made on the personal data processed, including profiling. International data transfer is not envisaged.

How long we process data for

The personal data we process will be kept for the following periods for the following purposes:

  • Inform about news and activities related to the VHIR or patronage campaigns: The data will be kept as long as you do not revoke consent or oppose the sending of information.
  • Donation management (You can consult the specific privacy policy through this link).
  • Respond to requests for specific information: The data will be kept for the period necessary to be able to respond and for as long as responsibilities may arise.
  • Resolve doubts, queries, complaints and claims: The data will be kept for the period necessary to be able to respond to you and for as long as responsibilities may arise.
  • Management of the Whistleblowing Channel: The data will be kept for the time necessary to decide on the appropriateness of initiating an investigation into the facts reported (art. 32.3 Whistleblowing Law).
  • Intranet management: The data for accessing the Intranet are linked to the data obtained for the execution of the employment relationship, so they will be kept as long as it is in force and, in any case, as long as legal responsibilities may arise.

For information, the legally established retention periods are:

  • 10 years in the case of financial or in-kind donations made free of charge in accordance with Law 10/2010, of 28 April, on the prevention of money laundering and the financing of terrorism.
  • 10 years for all matters related to the accounting and taxation of the VHIR, as provided for in the General Tax Law and according to the limitation periods for criminal liability provided for in Organic Law 10/1995, of 23 November.
  • 10 years for all contractual obligations acquired by the VHIR, except for periodic payment obligations made for years or shorter periods; remuneration for the provision of services and execution of works; claims for the collection of the consumer sale price, which will be kept for a period of 3 years, in accordance with the provisions of Law 29/2002, of 30 December, First Law of the Civil Code of Catalonia.
  • 5 years with respect to the obligations arising from the prevention of occupational risks, as provided for in Royal Legislative Decree 5/2000, of 4 August, which approves the revised text of the Law on infractions and sanctions in the social order.
  • 4 years for the obligations arising from social security as provided for in Royal Legislative Decree 5/2000, of 4 August, approving the revised text of the Law on infractions and penalties in the social order.
  • 3 years with respect to data linked to other non-contractual obligations, in accordance with the provisions of Law 29/2002, of 30 December, First Law of the Civil Code of Catalonia.

In the clinical research activity of the VHIR, the specific storage periods in accordance with the applicable legislation in the field of biomedicine, and until the corresponding rights are exercised by the interested parties, are:

  • 30 years with respect to data associated with cells, tissues and any biological material of human origin according to Law 14/2007, of 3 July, on biomedical research, once the project, study or trial for which they were collected has ended.
  • 15 years with respect to the data included in the informed consent, according to Law 21/2000, of 29 December, on the rights to information regarding the patient's health and autonomy, and clinical documentation.
  • 5 years with respect to genetic data, from the time they were obtained, unless they are necessary for their conservation in order to preserve the health of the person from whom they come or of third parties related to them according to Law 14/2007, of 3 July, on biomedical research.

The data collected in selection processes will be kept while they are being carried out, being deleted later in case you have not been the selected person. In the event that you send us a CV of your own free will through the contact details on this website, it will be kept for 1 year from its receipt.

Personal data will be processed only for the time necessary for the purposes indicated, and will subsequently be deleted, except for legitimate reasons or for the exercise or defence of possible claims.

Who we will communicate the data to

VHIR will only communicate your data to those third parties who, by reason of the provision of services, must access them and those transfers to comply with the legal and contractual obligations of the VHIR.

International data transfers may occur in the use of management technologies, in particular for the use of cloud-hosted services. These data transfers will be carried out in compliance with the requirements of Articles 45 and 46 of the GDPR.

What rights you have

You may exercise the following rights before the VHIR at any time:

  • Right of access: If you want to know what data we are processing and how.
  • Right of rectification: If you want to modify any data previously provided.
  • Right to erasure: If you want us to delete your data. However, we are obliged to keep them, on a blocked basis, for the periods of time indicated above or for as long as legal liabilities may arise.
  • Right of limitation: If you want us to keep them only for the exercise or defense of claims.
  • Right to object: If in those cases not covered by consent you do not want us to continue processing your data except in those cases in which it cannot be deleted by legal imperative or in defence of possible claims.
  • Right to data portability: In case you want your data processed in technical support to be processed by another entity.

To exercise the rights mentioned above, you must write to lopd@vhir.org or by post.

Remember that the exercise of these rights is very personal and must be carried out by the owner himself or his legal representative, with the VHIR having a period of one month from its correct receipt, extendable for another month, to answer. See our application form for the exercise of rights.

In the event of disagreement with the resolution, you can lodge a complaint with the competent data protection authority.