PERSONAL DATA PROTECTION POLICY
16-02-2024
INSTITUTO DE IMPLANTES Y MEDICINA CAPILAR S.L. (the “Company”) is an organization that carries out activities involving the processing of personal data, which gives it significant responsibility in the design and organization of procedures to ensure legal compliance in this area.
In exercising these responsibilities and with the aim of establishing the general principles that must govern the processing of personal data within the Company, this Personal Data Protection Policy is approved, which is communicated to its Employees and made available to all its Stakeholders.
1. PURPOSE
The Personal Data Protection Policy is a proactive accountability measure aimed at ensuring compliance with the applicable legislation in this area and, in connection with it, the respect for the right to honor and privacy in the processing of personal data of all individuals who interact with the Company.
In line with this Personal Data Protection Policy, the principles governing data processing within the organization are defined, along with the procedures and organizational and security measures that the individuals subject to this Policy are committed to implementing within their scope of responsibility.
To this end, Management will assign responsibilities to personnel involved in data processing operations.
2. SCOPE OF APPLICATION
This Personal Data Protection Policy applies to the Company, its administrators, executives, and employees, as well as all individuals who interact with it, including service providers with access to data (“Data Processors”).
3. PRINCIPLES OF PERSONAL DATA PROCESSING
As a general principle, the Company will strictly comply with personal data protection legislation and must be able to demonstrate such compliance (“accountability principle”), paying special attention to those processing activities that may pose a greater risk to the rights of data subjects (“risk-based approach”).
In this regard, INSTITUTO DE IMPLANTES Y MEDICINA CAPILAR S.L. will ensure compliance with the following principles:
Lawfulness, fairness, transparency, and purpose limitation:
Data processing must always be made known to the data subject through clauses or other means. It shall only be considered lawful if it is based on valid consent (especially regarding minors), or on another legitimate basis, and its purpose must comply with applicable regulations.
Data minimization:
The data processed must be adequate, relevant, and limited to what is necessary for the purposes of the processing.
Accuracy:
Data must be accurate and, if necessary, kept up to date. Measures will be taken to erase or rectify, without delay, personal data that are inaccurate in relation to the purposes for which they are processed.
Storage limitation:
Data will be retained in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality:
Data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
Data disclosures:
It is strictly prohibited to purchase or obtain personal data from illegitimate sources or in cases where such data have been collected or transferred in violation of the law or where their legitimate origin is not sufficiently guaranteed.
Contracting service providers with access to data:
Only providers offering sufficient guarantees to implement appropriate technical and organizational measures for secure data processing shall be contracted. A formal agreement documenting these terms will be established with such third parties.
International data transfers:
Any processing of personal data subject to European Union regulations that involves a transfer of data outside the European Economic Area must strictly comply with the applicable legal requirements.
Rights of data subjects:
The Company shall facilitate the exercise of data subjects’ rights of access, rectification, erasure, restriction of processing, objection, and portability, by implementing internal procedures and, where appropriate, templates for exercising such rights that meet, at a minimum, the applicable legal standards.
The Company will promote the integration of the principles set forth in this Personal Data Protection Policy into:
(i) the design and implementation of all work procedures;
(ii) the products and services offered;
(iii) all contracts and obligations entered into; and
(iv) the deployment of any systems and platforms that enable access by employees or third parties and/or the collection or processing of personal data.
4. PRINCIPLES OF PERSONAL DATA PROCESSING
Employees are informed of this Policy and acknowledge that personal data is a valuable asset of the Company. In this regard, they adhere to the Policy and commit to the following:
- Participate in the data protection awareness training provided by the Company.
- Apply user-level security measures relevant to their position, without prejudice to the responsibilities in the design and implementation of such measures that may be assigned to them based on their role within INSTITUTO DE IMPLANTES Y MEDICINA CAPILAR S.L.
- Use the established templates for the exercise of data subjects’ rights and immediately notify the Company to ensure an effective response.
- Inform the Company as soon as they become aware of any deviations from this Policy, particularly any “personal data security breaches”, using the designated reporting format.
5. CONTROL AND EVALUATION
A verification, evaluation, and assessment of the effectiveness of the technical and organizational measures to ensure data security will be carried out annually, or whenever there are significant changes in data processing activities.
INSTITUTO DE IMPLANTES Y MEDICINA CAPILAR SL
B83624551
C. del Príncipe de Vergara, 99, BJ A
28006
Madrid
Spain










