Home | Data Protection and Privacy Policy

1. Right to information

The Privacy Policy of the Centro Nacional de Investigaciones Oncológicas (F.S.P.), hereinafter referred to as CNIO, refers to the need to regulate the access to and use of services, training opportunities, events and career opportunities offered either online at www.cnio.es or in print.

2. Who is responsible for the processing of your personal data?

In accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), you are hereby informed that the personal information you give shall be duly processed and stored in the data processing systems belonging to CNIO (C/Melchor Fernández Almagro, 3, 28029, Madrid, Spain).

Contact: delegado_lopd@cnio.es

3. Purpose

The personal information given to CNIO is used to provide effective service according to the relevant contract or agreement. The use of said information shall depend on the reason why it was requested in the first place.

  • Data Processing Clinical diagnosis and research
    Purpose The processing of personal data for clinical diagnosis and research falls within the handling of patient personal information in support of diagnosis, treatment and prevention of cancer, as well as for related scientific studies where the determination of filiation is required.
  • Data Processing Biobank
    PurposeThe processing of personal data for storage in the CNIO Biobank falls within the handling of personal information and biological samples for biomedical research.
  • Data Processing Suppliers
    The processing of personal data for the management of CNIO-supplier relationships.
  • Data Processing Staff management
    Purpose The processing of personal data for staff management at CNIO falls within the handling of personal and professional information of all the persons working at or collaborating with CNIO, including the screening and evaluation of job candidates, and the implementation of biosecurity measures.
  • Data Processing Corporate contacts
    Purpose The processing of personal data for CNIO corporate contact management falls within the handling of communications about CNIO’s promotional activities and events.
  • Data Processing Video surveillance
    Purpose The processing of personal data for video surveillance of CNIO entrances and facilities.
  • Data Processing Clinical studies
    Purpose The processing of personal data for clinical studies falls within the handling of the personal information of participants in studies managed from the CNIO Clinical Programme, involving the participation of CNIO or CNIO researchers.
  • Data Processing Research projects
    Purpose The processing of personal data for research projects falls within the handling of the personal information of participants in biomedical research projects involving the participation of CNIO or CNIO researchers.

Your personal data shall be kept as long as you have a relationship with CNIO, or as long as they are relevant to the health of interested parties, or as long as required by law. You are also informed that your personal data shall not be used by CNIO for profiling for commercial purposes. The handling of your personal information shall be legal, legitimate, relevant, limited, accurate and up to date. Accordingly, CNIO is committed to taking all reasonable measures for said information to be corrected or deleted whenever inaccuracies or mistakes are identified.

4. Security measures

Considering the current state of the art, the implementation costs, and the nature, scope, purpose and context described in clause 3 of this Privacy Policy, as well as the variable probability and seriousness risks of user rights and freedoms, in accordance with clause 32.1 of GDPR, CNIO has taken the relevant organisational and technical measures to safeguard adequate security levels, including, but not limited to, measures to protect the confidentiality, integrity, availability and resilience of data processing systems and services at all times; measures to restore the easy availability of and access to personal data in the event of technical or physical failure; and the implementation of regular procedures to assess and check the effectiveness of the organisational and technical measures in force to safeguard security in data processing.

5. How is data processing legitimised?

The processing of your personal data by CNIO has its legal grounds in the forms you have sent to CNIO, the consent you have given to participate in CNIO’s activities, projects, training programmes and events, the consent you have given to be part of projects or studies promoted by or involving the participation of CNIO, your contractual relationship with CNIO and/or a situation in which the processing of your personal data by CNIO is established by law.

In any case, you have a right to oppose said processing by following the relevant instructions by CNIO (see below).

6. Whom can your personal data be shared with?

CNIO shall not transfer or disclose the personal data in its systems to third parties.

7. What are your rights concerning the personal data you share with CNIO?

You have a right to access your personal data, correct them in case they are inaccurate and/or delete them when they are no longer necessary for the original purpose, among other reasons. Likewise, you can request a limited processing of your personal data, whereby CNIO shall only store them for protection against complaints and/or lawsuits. Moreover, you can oppose the handling of your personal data, in which case CNIO shall no longer be entitled to process them except for legal reasons and/or for protection against complaints or lawsuits. Finally, you have a right to data portability.

In order to exercise the aforementioned rights:

I) You can visit the CNIO facilities and ask for the relevant form at the front desk. The list below shows the forms available online, in case you want to download them in advance.

ii) You can send your CNIO form or your own text to C/Melchor Fernández Almagro, 3, 28029, Madrid, Spain or by email to delegado_lopd@cnio.es, under the title ‘Exercise of right to X’ (fill in the relevant right). In either case, you must attach a copy of your ID card.

In addition, in compliance with the GDPR provisions, you can go to the Spanish Data Protection Agency (www.agpd.es/portalwebAGPD/index-ides-idphp.php) for additional information about your rights and/or to file a claim if you believe they have been infringed.

At CNIO, your personal information shall be treated confidentially. It shall not be used for purposes other than or incompatible with those stipulated in this Policy without your consent, unless said use has been authorised by you, or is permitted or required by law. Should your data be shared with or transferred to another organisation, CNIO shall inform you of said organisation in advance, and of the purpose of the transfer or disclosure, to get your consent. Likewise, your personal data could be accessed by organisations or persons outside CNIO for the provision of professional services. Should this be the case, a service contract shall be signed under the terms of article 28 of GDPR. You are hereby informed that, in the event of service contract with an organisation outside CNIO, your personal data could be transferred to non-EEA countries, e.g. USA, and therefore countries where data protection regulations are not as stringent and security levels are not necessarily as high. In any case, CNIO shall take all the necessary technical and organisational measures to protect your personal data, including the security measures stipulated in GDPR.

8. Links

This Privacy Policy is valid for the CNIO website only. Its provisions shall not necessarily apply when it is being accessed through links from other websites or to websites accessed from links herein.

Even when CNIO has taken all the security measures established by law, it must be taken into account that such measures are not inviolable on the Internet. Therefore, CNIO shall not be held liable for illegal use of stolen data by third parties.

9. Changes in Privacy Policy

CNIO reserves the right to change this Data Protection and Privacy Policy according to regulatory modifications and/or changes in the guidelines issued by the Spanish Data Protection Agency. Should changes be made, they shall appear on this website and shared with registered users or parties interested in CNIO’s activities and services.