1. Information about the Controller
The FOUNDATION OF THE VALENCIAN COMMUNITY FOR THE MANAGEMENT OF THE INSTITUTE FOR HEALTH AND BIOMEDICAL RESEARCH OF ALICANTE (hereinafter, ISABIAL) is the DATA CONTROLLER of the personal data provided by the user through this website. The controller’s details are as follows:
CIF: G-42641308
Registered office: Dr. Balmis University General Hospital. Diagnostic Centre, 5th Floor (Grey Building) Avda. Pintor Baeza 12, 03010 Alicante
Teléfono: 965 913 948
Email: dpd@isabial.es
Web site: https://isabial.es
DPD: dpd@gva.es
The owner of this website is the controller of the personal data collected through browsing and use of this site, in accordance with the requirements established by Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, as well as by Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI‑CE).
By using this website, we understand that you have read and understood the information provided regarding the processing of your personal data.
2. Record of Personal Data Processing Activities
Article 30 of the GDPR establishes that each controller shall maintain a record of the processing activities (RPA) carried out under its responsibility.
ISABIAL, as a public‑sector foundation and in accordance with Articles 31.2 and 77 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights, is required to make publicly available an inventory of its processing activities, accessible by electronic means. This inventory must include the information established in Article 30 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), as well as its legal basis.
For this reason, the document showing the Register of the various processing activities within ISABIAL’s organisational scope is published below. The list presented corresponds to the personal data processing activities carried out by this Entity.
Record of ISABIAL’s Personal Data Processing Activities
3. Information for the Data Subject
These terms of use are intended to inform the user of ISABIAL’s personal data protection policy. Accessing, browsing, and using this website implies knowledge and acceptance of these terms and of the privacy and personal data protection policy.
Through this website, the user may provide their personal data via contact forms. The user shall be entirely responsible for accessing and correctly using this website, as well as for any statements made herein, in accordance with these terms of use. ISABIAL accepts no liability for any failure to comply with this requirement.
This digital space is intended exclusively for individuals over 18 years of age. By accessing it, the user confirms that they are of legal age and the legitimate owner of the data provided in the personal information request forms. Likewise, the user undertakes to be the holder, subscriber, or authorised user of the contact details supplied, whether the mobile phone number or the email address.
The personal data provided by the user shall be processed in a manner that is adequate, relevant, and proportionate to the specific and legitimate purposes for which they are collected. It is the user’s responsibility to ensure the truthfulness, accuracy, lawfulness, and up‑to‑date nature of the information provided on this website.
Any modification to personal data must be communicated to ISABIAL for proper updating, via the email address dpd@isabial.es. The user shall be solely responsible for any damage or harm, whether direct or indirect, that may arise from completing forms with false, inaccurate, incomplete, or outdated information, whether affecting ISABIAL or third parties.
3.1 Principles Governing the Processing of Personal Data
Through the application of the following principles, ISABIAL’s privacy and personal data protection policy is upheld.
This set of fundamental principles has been formulated on the basis of the requirements established in the GDPR.
- Principle of Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully—on the basis of the data subject’s consent, for compliance with a legal obligation, or for the performance of a task carried out by ISABIAL in the public interest or in the exercise of official authority; fairly and transparently in relation to the data subject.
- Principle of Purpose Limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and shall not be further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes.
- Principle of Data Minimisation: Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Principle of Accuracy: Personal data shall be accurate and, where necessary, kept up to date; all reasonable measures shall be taken to ensure that personal data that are inaccurate in relation to the purposes for which they are processed are erased or rectified without delay.
- Principle of Limitation of the Storage Period: Personal data shall be retained in a manner that allows the identification of data subjects only for as long as is necessary for the purposes of the processing and, thereafter, for the legally required periods. Personal data may be kept for longer periods provided that they are processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, without prejudice to the application of the appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of the data subject.
- Principle of Integrity and Confidentiality: Personal data shall be processed in such a way as to ensure appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, through the application of appropriate technical or organisational measures. ISABIAL and the data processors, as well as all persons involved in any phase of the processing, shall be subject to the duty of confidentiality.
- Principle of Proactive Responsibility: The Controller shall be responsible for complying with the principles set out in this section and for being able to demonstrate compliance with the provisions of the GDPR and Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights.
4. Data Protection Policy
The Controller applies the principle of proactive responsibility in the processing of personal data, maintaining continuous updates and promoting the ongoing improvement of the data protection system in accordance with applicable legal requirements, ensuring in all cases:
- the respect for the freedoms and fundamental rights of natural persons
- that the data are processed lawfully, fairly, and transparently
- that the data processed are accurate, adequate, relevant, and limited to what is necessary in relation to the purposes for which they are collected
- that the purposes for which the data are collected are explicit and legitimate, and that they are not processed in a manner incompatible with those purposes
The purpose of this document is to inform users about what we do with their personal data, how such data are collected, how they are used, the rights available to them, and all other legally required information established under the applicable regulations.
The personal data that may be collected directly from data subjects through this website will be incorporated into the corresponding processing activity under the responsibility of ISABIAL and will be processed confidentially in accordance with the applicable personal data protection regulations, specifically Regulation (EU) 2016/679 of 27 April 2016 (GDPR) on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and Organic Law 3/2018 of 5 December (LOPDGDD) on the protection of personal data and the guarantee of digital rights.
4.1. Purpose of the Processing
The purpose of the processing of personal data corresponds to each of the processing activities carried out by ISABIAL, all of which are related to the management of matters within the field of biomedical research.
Regarding the processing of personal data provided by the user through this website, the purpose of the processing is described in the purposes indicated in the corresponding form or contract (suggestions box, Collaborate, Employment), including, among others, the following purposes:
- Management and processing of requests or any type of enquiry submitted by the user through the contact channels made available on the website.
- Sending communications by email, fax, SMS/MMS, social networks, or any other electronic or physical means that enables such communications. These communications will be carried out by the Controller and will relate to its activities and services, or by its partners with whom an agreement has been reached in connection with the purpose of the processing, and may be sent through any of the means provided by the User.
4.2. Legal basis
The processing of data belonging to users of the website is carried out in order for ISABIAL to comply with its legal obligations, to fulfil tasks performed in the public interest or in the execution of a contract, as well as in cases where the purpose of the processing requires the user’s consent, which will have been requested when registering on the website or through the forms provided by ISABIAL.
The legal basis for sending communications by email, fax, SMS/MMS, social networks, or any other electronic or physical means that enables such communications is the data subject’s explicit consent, as well as the provisions of Law 34/2022 of 11 July regarding the sending of information through electronic communications.
4.3. Source of the Data
The personal data are provided by the data subject when completing the forms on this website, through which they consent to the processing of their personal data.
If the user provides personal data belonging to third parties, they must first inform those individuals of the content of these terms and of the circumstances relating to the processing of their personal data, as well as obtain their prior consent. Information relating to minors or persons lacking legal capacity requires having previously obtained the consent of their parents, guardian, or legal representative.
You are hereby informed that providing the personal data requested in the various forms is voluntary but necessary in order to carry out the requested procedure, and therefore the User must guarantee the accuracy and validity of the information provided. The fields marked with an asterisk in the data collection forms are mandatory for processing the request; refusal to provide them will prevent its management or may result in the information or service provided not fully meeting the user’s needs. The user is deemed to have been informed and to expressly accept these terms and the privacy and personal data protection policy if they tick the corresponding checkboxes or click the “Send/Continue/Accept” button or similar options included in the data collection forms.
4.4. Data Retention
The personal data provided will be retained for the time necessary to fulfil the purpose for which they were collected and, once they are no longer required for such purpose, they will be duly blocked and kept only for as long as they are needed to comply with a legal obligation or for the formulation, exercise, or defence of claims.
Likewise, the personal data provided for the purpose of sending communications by email, fax, SMS/MMS, social networks, or any other electronic or physical means that enables such communications will be retained as long as the user’s consent has not been revoked or until they object to the processing for receiving such communications.
In accordance with the applicable regulations, personal data will be retained solely at the disposal of the authorities for the purpose of determining legal liabilities and for the corresponding limitation period.
4.5. Data Disclosure
For all purposes, ISABIAL is the recipient of the processing, and personal data will not be disclosed to third parties except where required by law.
All data will be processed with the utmost confidentiality and will not be accessible to third parties for purposes other than those for which they have been authorised.
ISABIAL may disclose personal data to third‑party collaborators or service providers exclusively for the purposes established for the processing and for the proper functioning of ISABIAL. In any case, any such data disclosures will be carried out in the form of data processing assignments to these third parties, which will entail their access to personal information. In this regard, ISABIAL will have the corresponding data processing agreements in place with all third parties that process or access ISABIAL’s personal data, in compliance with the provisions of data protection regulations.
Likewise, the data will be disclosed to Public Administrations for the fulfilment of legal obligations.
4.6. Users’ Rights
Any individual has the right to obtain confirmation as to whether ISABIAL is processing their personal data.
Users who provide their personal data have the right to request from the Controller access to their personal data, as well as their rectification or erasure, the restriction of their processing, to object to such processing, and the right to data portability..
Specifically, the data subject may request the restriction of the processing of their data in the circumstances established in Article 18 of the GDPR, in which case the data will only be retained for the establishment, exercise, or defence of potential legal claims.
When the processing is based on the data subject’s consent, such consent may be withdrawn at any time, thereby objecting to the processing of their data for a specific purpose. This withdrawal shall not affect the lawfulness of the processing carried out prior to its withdrawal. In such cases, the data subject’s personal data will only be retained for the establishment, exercise, or defence of potential legal claims.
Likewise, the data subject may request the erasure of their data when such data are no longer necessary for the purposes for which they were collected.
Data subjects may exercise their rights by sending a written request addressed to the Fundación de la Comunidad Valenciana para la Gestión del Instituto de Investigación Sanitaria y Biomédica de Alicante, located at Hospital General Universitario Dr. Balmis,
Centro de Diagnóstico, 5th Floor (Grey Building), Avda. Pintor Baeza 12, 03010 Alicante, or by contacting the following email address: dpd@isabial.es.
To obtain further information regarding the exercise of your rights, you may consult the following documents:
Instructions for Exercising the Data Subject’s Rights
Model for the Exercise of Rights
5. Possibility of Contacting the Data Protection Officer
Data subjects may contact the Data Protection Officer of the Generalitat Valenciana regarding any matter related to the processing of their personal data and the exercise of their rights under the GDPR.
Their contact details are:
Data Protection Officer of the Generalitat
Paseo de la Alameda, 16. 46010 Valencia
Email address: dpd@gva.es
6. Complaint Before the Spanish Data Protection Agency
Data subjects also have the right to lodge a complaint with the national supervisory authority for data protection (Spanish Data Protection Agency – AEPD), especially if they have not obtained a satisfactory response in the exercise of their rights. Complaints may be submitted through the electronic headquarters available on its website https://www.aepd.es, or at its physical address: C/ Jorge Juan, 6, 28001 Madrid.
7. Web Forms
The personal data collected through the web contact form are used to respond to any inquiry submitted by the user through it.
The personal data collected through the order form are processed for the purpose of managing the information necessary for the proper handling of your orders.
The processing of the data is legitimized by the consent you provide when you expressly accept the processing conditions communicated through this privacy policy
8. Data Recipients
The personal data obtained through the web forms are recorded and stored on electronic systems that are controlled and supervised by the data controller.
Your personal data will not be disclosed to third parties, except where such disclosure is covered by a legal obligation or when, for the proper provision of the service or the execution of the contract, it is necessary to share your data with other controllers, such as other companies within the group, or with data processors involved in the provision of the service (for example, transport companies).
In cases where the disclosure of data to third parties is not covered by the legal bases set out in the previous section, such disclosure will only take place if the user has given their explicit consent.
Strict criteria are applied when selecting data processors, and each of them is bound by a contractual commitment to comply with—and ensure compliance with—the obligations established in data protection regulations.
In the event that international data transfers take place, ISABIAL will ensure that the transfer of your personal data is carried out in accordance with the applicable privacy laws and, in particular, that the necessary contractual, technical, and organizational measures are implemented, such as the Standard Contractual Clauses approved by the European Commission.
You may obtain further information regarding the processing of personal data carried out by our organization by requesting it via email at: dpd@isabial.es.
9. Technical and Organizational Data Protection Measures
The systems used for data storage include the necessary technical and organizational measures to ensure the confidentiality and preservation of the personal data obtained through the website.
The personal data collected through the website are processed using an HTML protocol with a valid SSL certificate.
The personnel involved in data‑processing operations—access, editing, deletion, etc.—are qualified, trained, and committed to this data protection policy.
10. Data Retention
The personal data obtained through the contact form will be retained for the time necessary to address the request or inquiry submitted.
The personal data obtained through the order form will be retained for as long as a contractual and/or commercial relationship exists with you, or until you exercise your right to erasure, cancellation, and/or restriction of the processing of your data.
Once the contractual relationship has ended, we will keep the information duly blocked, without using it in any way, for as long as it may be necessary for the exercise or defense of claims, or if any judicial, legal, or contractual liability arising from its processing may still materialize and must be addressed, for which its retrieval may be required.
If you have expressly agreed to receive commercial information, we will retain your contact details until you inform us of your decision to cancel such commercial communications.
11. Information on the existence of automated decision‑making (including profiling)
We do not normally make automated decisions, but whenever we do, we will clearly indicate that such a decision is being made. Nevertheless, ISABIAL includes several sections dedicated to service personalization in order to display customized advertising when you access its website, as well as to send personalized communications.
ISABIAL acknowledges the possibility of carrying out profiling activities in order to improve its product offering, personalize the delivery of commercial offers, or provide customers with a more tailored service.
12. Objection to the processing of data for advertising purposes
If you have given your consent for your data to be used for advertising purposes and you no longer wish to receive such communications, you may withdraw the consent granted at any time by sending an email to the controller at dpd@isabial.es.
13. Changes to the Privacy Policy
We may modify the information contained in this Privacy and Cookies Policy whenever we deem it appropriate. If we do so, we will notify you through different channels on the Platform (for example, via a banner, a pop‑up, or a push notification), or we may even contact you at your email address when the change is significant for your privacy, so that you can review the updates, assess them, and, where appropriate, object to them or unsubscribe from any service or functionality. In any case, we suggest that you review this Privacy and Cookies Policy from time to time in case minor changes are introduced or we implement any interactive improvements.
