1. Right to information
2. Who is responsible for the processing of your personal data?
In accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), you are hereby informed that the personal information you give shall be duly processed and stored in the data processing systems belonging to CNIO (C/Melchor Fernández Almagro, 3, 28029, Madrid, Spain).
The personal information given to CNIO is used to provide effective service according to the relevant contract or agreement. The use of said information shall depend on the reason why it was requested in the first place.
- Data Processing Clinical diagnosis and research
Purpose The processing of personal data for clinical diagnosis and research falls within the handling of patient personal information in support of diagnosis, treatment and prevention of cancer, as well as for related scientific studies where the determination of filiation is required.
- Data Processing Biobank
PurposeThe processing of personal data for storage in the CNIO Biobank falls within the handling of personal information and biological samples for biomedical research.
- Data Processing Suppliers
The processing of personal data for the management of CNIO-supplier relationships.
- Data Processing Staff management
Purpose The processing of personal data for staff management at CNIO falls within the handling of personal and professional information of all the persons working at or collaborating with CNIO, including the screening and evaluation of job candidates, and the implementation of biosecurity measures.
- Data Processing Corporate contacts
Purpose The processing of personal data for CNIO corporate contact management falls within the handling of communications about CNIO’s promotional activities and events.
- Data Processing Video surveillance
Purpose The processing of personal data for video surveillance of CNIO entrances and facilities.
- Data Processing Clinical studies
Purpose The processing of personal data for clinical studies falls within the handling of the personal information of participants in studies managed from the CNIO Clinical Programme, involving the participation of CNIO or CNIO researchers.
- Data Processing Research projects
Purpose The processing of personal data for research projects falls within the handling of the personal information of participants in biomedical research projects involving the participation of CNIO or CNIO researchers.
Your personal data shall be kept as long as you have a relationship with CNIO, or as long as they are relevant to the health of interested parties, or as long as required by law. You are also informed that your personal data shall not be used by CNIO for profiling for commercial purposes. The handling of your personal information shall be legal, legitimate, relevant, limited, accurate and up to date. Accordingly, CNIO is committed to taking all reasonable measures for said information to be corrected or deleted whenever inaccuracies or mistakes are identified.
4. Security measures
5. How is data processing legitimised?
The processing of your personal data by CNIO has its legal grounds in the forms you have sent to CNIO, the consent you have given to participate in CNIO’s activities, projects, training programmes and events, the consent you have given to be part of projects or studies promoted by or involving the participation of CNIO, your contractual relationship with CNIO and/or a situation in which the processing of your personal data by CNIO is established by law.
In any case, you have a right to oppose said processing by following the relevant instructions by CNIO (see below).
6. Whom can your personal data be shared with?
CNIO shall not transfer or disclose the personal data in its systems to third parties.
7. What are your rights concerning the personal data you share with CNIO?
You have a right to access your personal data, correct them in case they are inaccurate and/or delete them when they are no longer necessary for the original purpose, among other reasons. Likewise, you can request a limited processing of your personal data, whereby CNIO shall only store them for protection against complaints and/or lawsuits. Moreover, you can oppose the handling of your personal data, in which case CNIO shall no longer be entitled to process them except for legal reasons and/or for protection against complaints or lawsuits. Finally, you have a right to data portability.
In order to exercise the aforementioned rights:
I) You can visit the CNIO facilities and ask for the relevant form at the front desk. The list below shows the forms available online, in case you want to download them in advance.
- Exercise of right to access personal data (PDF 70 KB)
- Exercise of right to correct personal data (PDF 60 KB)
- Exercise of right to delete personal data (PDF 50 KB)
- Exercise of right to oppose the processing of personal data (PDF 50 KB)
- Exercise of right to limit the processing of personal data (PDF 70 KB)
- Exercise of right to data portability (PDF 80 KB)
- Exercise of right to oppose automated decisions (PDF 60 KB)
ii) You can send your CNIO form or your own text to C/Melchor Fernández Almagro, 3, 28029, Madrid, Spain or by email to firstname.lastname@example.org, under the title ‘Exercise of right to X’ (fill in the relevant right). In either case, you must attach a copy of your ID card.
In addition, in compliance with the GDPR provisions, you can go to the Spanish Data Protection Agency (www.agpd.es/portalwebAGPD/index-ides-idphp.php) for additional information about your rights and/or to file a claim if you believe they have been infringed.
At CNIO, your personal information shall be treated confidentially. It shall not be used for purposes other than or incompatible with those stipulated in this Policy without your consent, unless said use has been authorised by you, or is permitted or required by law. Should your data be shared with or transferred to another organisation, CNIO shall inform you of said organisation in advance, and of the purpose of the transfer or disclosure, to get your consent. Likewise, your personal data could be accessed by organisations or persons outside CNIO for the provision of professional services. Should this be the case, a service contract shall be signed under the terms of article 28 of GDPR. You are hereby informed that, in the event of service contract with an organisation outside CNIO, your personal data could be transferred to non-EEA countries, e.g. USA, and therefore countries where data protection regulations are not as stringent and security levels are not necessarily as high. In any case, CNIO shall take all the necessary technical and organisational measures to protect your personal data, including the security measures stipulated in GDPR.
Even when CNIO has taken all the security measures established by law, it must be taken into account that such measures are not inviolable on the Internet. Therefore, CNIO shall not be held liable for illegal use of stolen data by third parties.