Privacy

PRIVACY AND DATA PROTECTION POLICY

1.- Rights to information

The privacy policy of the Centro Nacional de Investigaciones Cardiovasculares (F.S.P), , addresses the need to regulate access to and use of the scientific services and research carried out at our center, as well as the training opportunities, events, and employment offered by the CNIC via its website www.cnic.es and through printed applications.

2.- Who is responsible for handling your personal information?

In accordance with the provisions of the General Data Protection Regulation (GDPR) (EU) 2016/679, we inform you that personal information you provide will be registered and incorporated in the database-management systems managed by the CNIC (C/ Melchor Fernandez Almagro, 3 - 28029 - de Madrid).

3.- What is your personal information used for?

The way we handle the personal information you provide to the CNIC via its various channels of communication and data acquisition depends on the purpose for which you provided it:

• Personal information handling related to human biological samples stored at the center for use in biomedical research.
• Personal information handling related to CNIC suppliers and partners who provide professional services to the center.
• Personal information handling related to the video surveillance system at the CNIC sites, for the purpose ensuring controlled, safe and secure access to the center.
• Personal information handling related to CNIC personnel, for the purpose of internal communication, managing the personnel directory and the CNIC intranet, and interdepartmental communication.
• Personal information handling related to institutional contacts, for the purpose of managing contacts with registered individuals in relation to public and private calls for proposals and events, as well as communications and notifications related to the activity of the CNIC.
• Personal information handling related to participants in scientific research projects in which the CNIC participates, promotes, or collaborates.
• Personal information handling related to human resources, for the purpose of managing salary payments, selection of personnel, training programs, workplace risk prevention, work-related illness, work-related accidents, and scientific collaborations with the CNIC.
• Personal information handling of submitted contact information to enable the center to respond to applications, requests, and queries; manage the publication of enquiries and comments; and conduct an appropriate follow-up.
• Personal information handling related to curricula vitae / résumés sent to the CNIC as part of selection procedures for positions of programs published by the center.

Your personal information will be stored for as long as you maintain a relationship with the CNIC. Information may be stored for longer periods if it is health-related or if a longer period is stipulated by law. The CNIC will not use your personal information for the commercial profiling. Your personal information will be handled according to the law, in good faith, with transparency, in an up-to-date manner, and with respect for the purpose for which it was supplied. The CNIC is committed to taking all reasonable steps to remove or correct any inaccuracies in your information without delay.

4.- Security Measures

A series of security challenges are implied by the state of the technology, the application costs, and the nature, scope, context, and purpose of the articles set out in point 3 of this privacy policy document, as well as variations in probability and severity of risk to the rights and freedoms of users. To meet these challenges and satisfy its obligations under GDPR article 32.1, the CNIC has, introduced organizational and technical procedures to ensure an appropriate level of security in the handling of personal data. These procedures include measures to guarantee the confidentiality, integrity, availability, and permanent resilience of the data handling systems and services, measures to rapidly restore availability and access to personal information after a physical or technical incident, and procedures for the regular verification, assessment, and evaluation of these organizational and technical procedures.

5.- What is the legal basis for storing and handling your personal information?

The legal justification for storing your personal information is to allow the management of your relationship with the CNIC. This justification governs any enquiries or applications you submit; your consent to participate in CNIC activities, training programs, and events; your consent to participate in scientific projects run by the CNIC or in which it collaborates; your contractual relationship with the CNIC; and all situations for which the handling of your personal data is permitted by law.

Nevertheless, as explained below, you can exercise your right to oppose the use of your personal information as described above by following the instructions provided by the CNIC for this purpose.

6.- Do we share your data with anyone else?

The CNIC will not share or transfer information held about you on its database-management systems to third parties unless such transfer has your express authorization or is required or permitted by law. In this situation, the CNIC will first inform you of the identity of the recipient and the reason for the transfer, in order to seek your consent. We further inform you that, under specific circumstances, your personal information may be accessible by external organizations or persons when this is necessary for the provision of services to the CNIC. Any such transfer of or access to information will be conducted within the framework of a service provision contract conforming to the terms and conditions of GDPR article 28. As a consequence of service contracts with outside organizations, your information may be transferred to insecure destinations (countries outside the European Union), for example the United States, where data protection rules are less strict than in the European Union. However, in signing contracts with such external organizations and in managing any data transfer under the terms of such contracts, the CNIC will adopt all technical, organizational, and security measures required by the GDPR.

7.- What rights do you have over the information we hold?

You have the right to access personal information held about you, and to request correction of inaccurate information or the suppression of your information when the purpose for which it was stored has expired or for another reason. You can also set limits on the way your personal information in handled; in this case, the CNIC will only preserve your information for the filing of or defense against complaints. You can also withdraw permission for us to hold your personal information; in this case, the CNIC will cease to hold or handle your information, except when a need to protect against possible complaints or another justifiable cause prevent us from accessing your permission withdrawal request. You can also request portability of your personal information.

To exercise these rights, you can attend the CNIC in person and ask at the reception desk for the specific application form you require. These forms are also available via the links listed below this paragraph. You can hand the completed form in at the CNIC reception desk or alternatively mail the completed for or your own personally written request to CNIC, C/Melchor Fernandez Almagro 3, Madrid 28029, Spain, including the heading “Rights claim for + corresponding right”

• Rights claim for data access
• Rights claim for data correction
• Rights claim for data suppression
• Rights claim for withdrawal of consent to data storage and handling
• Rights claim for limited data storage and handling
• Rights claim for data portability
• Rights claim for withdrawal of consent to automated decision taking

If you have a DNIe, or other certificate issued by a qualified trust service providers, you can also digitally sign the file and send it via our exercise of rights form.

Additionally, in accordance with the GDPR, we inform you that you can obtain further information about your rights from the Agencia Española de Protección de Datos (Spanish data protection agency; http://www.agpd.es/portalwebAGPD/index-ides-idphp.php), and can also file a complaint with the agency should you feel that your rights have not been adhered to.

The CNIC reserves the right to modify the present Privacy and Data Protection Policy in accordance with regulatory modifications as they arise and with the policy recommendations of the Agencia Española de Protección de Datos. All changes will be clearly signaled on the CNIC website in order to inform all registered users and those interested in the services and activities offered by the CNIC.

Finally, the CNIC will treat your personal information in absolute confidence and will not use it for any purposes other than or incompatible with those outlined in the present document without seeking your prior consent.

8.- User consent

By submitting your personal information to the CNIC via internet or printed forms, electronic mail, or other channel you give consent to the automated handling of information related to the CNIC and its activities (if this was indicated in the application form). However, you can withdraw your consent at any time without the need to provide any explanation for your decision. The procedures for exercising your rights are laid out under point 7 of this Privacy and Data Protection Policy document.

The CNIC will provide users with access to all technical resources required for them to express their clear consent for their personal information to be included in CNIC databases.

9.- Links

This privacy policy applies exclusively to the website of the CNIC. We cannot guaranteed the application of this privacy policy during access to this site through links from other sites or in links from this site to other sites.

The CNIC has adopted all legally prescribed security measures; however, you should be aware that there is no total security on the internet, and the CNIC cannot therefore take responsibility for the use of data obtained by theft or any use arising from the illegal activity of third parties.

10.- Log files

Log files are the historical record of all activity on a website (entry and exit of users [IP address], website of origin, dates, country, etc.). The CNIC can analyze this information to monitor traffic flow through its web portal, the most visited content, and the main navigation routes used; all with the express purpose of improving content to meet the needs of visitors.