Users/patients are hereby informed that the 'Patient Portal' is a web portal whose purpose is to enable patients of certain health centres that make up the Ribera Salud Group (hereinafter 'Ribera' or 'the Group') to view their health information and carry out other procedures, such as managing appointments, consulting reports and medical prescriptions, among others.

Ribera is committed to respecting the privacy of users and the protection and security of their personal data. That is why, in compliance with EU Regulation 2016/679 General Data Protection, (hereinafter, "RGPD") and Organic Law 3/2018 of December 5 on the Protection of Personal Data and guarantee of digital rights (hereinafter "LOPDGDD"), the user is hereby informed about the way in which RIBERA SALUD, SAU (hereinafter, "RIBERA SALUD") collects and processes the personal data of users through the Patient's Portal.

1. IDENTIFICATION OF THE DATA CONTROLLER

The person responsible for the processing of your personal data is the company that owns the health centre that provides you with health care. You can consult the information on the following link: https://www.riberasalud.com/sociedades-del-grupo-ribera

2. PURPOSES OF DATA PROCESSING AND LEGITIMATING BASES OF TREATMENT.

Ribera will carry out the following data processing operations, using an appropriate legal basis for each of them, respecting the rights and freedoms of the data subjects:

2.1 Managing user registration in the Patient Portal

• Purpose: Management of the registration of patient/users in the Patient Portal by generating an account for their access, as well as enabling the recovery of passwords.
• Legal basis: Execution of the contractual relationship and the fulfilment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller.
• Type of data processed: Identification data, data relating to personal circumstances, contact data, insurance data and financial data

2.2 Manage and respond to patient appointment requests.

• Purpose: To enable registration on the website to allow appointment management for patient users and their families.
• Legal basis: Execution of the pre-contractual relationship.
• Types of data processed: Identification data, contact data and data relating to personal characteristics.

2.3 Management and consultation of health reports and documentation

• Purpose: the user/patient will be able to view and store medical reports in the Patient Portal.
• Legal basis: Execution of the contractual relationship and the fulfilment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller.
• Types of data processed: Health data.

2.4 Management of Patient Portal incidents.

• Purpose: Management of incidents that may be reported by users during registration and use of the Patient Portal.
• Legal basis: Execution of contractual or pre-contractual relationship.
• Types of data processed: Identification data, data relating to personal circumstances, contact data and health data.

2.5 Manage user subscription to the newsletter.

This data processing will be carried out by the entity RIBERA SALUD, S.A.U, with Tax Identification Code A-03681186 and registered office at Avenida Cortes Valencianas, number 58, Edificio Sorolla Center, 46015, Valencia, Spain.

• Purpose: manage user subscriptions to the newsletter by sending electronic commercial communications about the services.
• Legal basis: consent from the parties interested.
• Types of data processed: identification and contact data.

3. RECIPIENTS OF PERSONAL DATA

3.1. Communication of data to third parties.

Your data may be transferred in accordance with the following circumstances:

• Patient data may be accessed by other centres of the Ribera Group in order to guarantee adequate continuity of care and provision of services in the terms described above.
• To bodies, centres and services of the National Health System.
• To banking institutions for the collection or payment of payments
• At the request of the Tax Agency, Courts or Tribunals or other competent Public Administrations.
• In accordance with the provisions of current legislation, your data may be communicated to the health authorities and other public bodies with competence in the matter.
• In the case of Patients that use private health insurance companies, their data will be communicated to the insurance company for the payment of the services.
• To suppliers of medical equipment, prostheses and implants under legal obligation, or ambulances.

3.2. Those in charge of treatment

Some of the data processing purposes identified in the policy may be carried out by suitable service providers contracted by the controller. Such service providers will only process the data for the stated purposes and in accordance with the relevant contract of engagement in accordance with the provisions of art. 28 GDPR

4. INTERNATIONAL DATA TRANSFERS

The data processing identified in this policy will be carried out in the territory of the European Economic Area (EEA), and therefore no international data transfers are envisaged.

Likewise, the eligible service providers indicated in the previous section are located within the EEA, and therefore do not carry out international data transfers either.

5. CONSERVATION PERIOD.

The personal data of patients will be retained in accordance with the principle of 'limitation of the retention period' established in the GDPR, being limited in time to the fulfilment of the purposes pursued by the relevant data processing.

Specifically, the data of users/patients provided when registering in the Patient Portal will be kept for as long as the interested party maintains their user account in the portal and the personal data necessary for the management and storage of the patient's health information in the portal will be kept for a minimum period of 5 years from the end of the last healthcare process, from the patient's death or from the exercise of their right to object.

6. EXERCISE OF RIGHTS REGARDING DATA PROTECTION.

At any time, the user may exercise their rights of access, rectification or deletion, opposition, limitation and portability of their data, directly by sending their request in writing accompanied by a photocopy of their ID or equivalent documentation, to the Data Protection Officer, by sending an email to the following email address. dpo@riberasalud.es or by postal mail to the following address Cortes Valencianas, number 58, Edificio Sorolla Center, Postal Code 46015 of Valencia (Spain) under the reference subject: "Data Protection".

Likewise, the user is informed that if they consider that the exercise of their rights has not been satisfied, they may file a claim with the Spanish Agency for Data Protection. More information in www.aepd.es.

Last updated: April 2025