Frequently asked questions about personal data protection

No. In accordance with the form that the Community of Madrid puts at your disposal, only in the event that you object to your query, is when you will have to provide it. However, if the data controller has any doubts regarding your identification, they may request additional information from you.

You cannot make a "general" request to the Community of Madrid, since the requests to exercise rights in personal data protection must be addressed to the person in charge of the treatment to whom you gave your data, who is the one who has them and is treating them. In the Community of Madrid, the Data Controllers are the owners of the General Technical Secretariats and of the different management centers in which it is structured. In the form in which you gave your personal data you have the information on protection of personal data and in this it is informed who is that Responsible. You can also find it in the Record of Processing Activities (RAT) of the ministries of the Community of Madrid.

No, the personal data published in an Official Gazette cannot be deleted or "deleted", but you can exercise your "right to forget". It means that you can request the data controller to remove links to publications, documents or web pages that contain your personal data from the lists of results obtained after a search based on your name and surnames. Thus, the link to that site will only cease to be visible when the search is made by your first and last name, but the page remains unchanged in its original source, in this case in the BOCM, and will continue to be displayed when the search is made for any other word or term other than your name and surname.

You must bear in mind that the right to be forgotten will be granted as long as these personal data are inadequate, inaccurate, excessive or outdated, and considering the purposes for which they were collected or processed at the time, the time elapsed and the nature and interest information public.

It is important that you check if the address of the web page (URL) on which you want to exercise that right corresponds to a domain, current or already extinct, of the Community of Madrid, being the most frequent community.madrid, madrid.org o bocm.es, although there may be others.

In the event that you have doubts as to whether or not it is a website of the Autonomous Administration, you can contact the Data Protection Delegates (consult here the list) or with the Citizen Information and Attention Service 012 of the Community of Madrid, through its different channels.

In principle, to provide personal data of any person to third parties, the consent of the owner of the data is necessary.

However, if circumstances life urgency for the resident or when having the presence of relatives or people linked for reasons of fact could be necessary for the due care of the user, the center could provide information regarding whether or not the person is admitted to the center and their location , but always without indicating data of special categories or relative to the attentions that the resident receives in the center.

In any case, this information could only be provided if the resident has not objected to said information being provided.

They must inform you of the treatment that is going to be done with the personal data at the same time of the data collection, regardless of whether the center is finally admitted or not. Therefore, the pre-entry form must contain, at least, the basic data protection information in clear and simple language, stating who is responsible for the treatment, its purpose, its legal basis and the possibility of communications to third parties or international transfers, as well as refer to the exercise of rights.

No. Bearing in mind that vaccination is not mandatory, that there are people who for different reasons cannot be vaccinated and to avoid discriminatory effects, you cannot be required to provide this information as a preventive medicine criterion, although you can provide it in a way volunteer.

When suspected or confirmed cases occur in the workplace or education, there are protocols established and directed by the health system that will determine which people must quarantine or continue with their usual activity and it will be the competent health authority who will inform both affected people as well as workplaces.

The right of access granted to the interested party by the Law only covers knowing the information subject to treatment on their own personal data, but does not include being able to provide you with the identification data of the professionals who have accessed your medical history, since, among other reasons , could affect the rights of third parties. Therefore, you should not have access, except with the express consent of the doctor or practitioner, to the subjective notes that appear in your own clinical history.

No, the health center/hospital is entitled to process this data as long as the patient has been informed. However, the express written consent of the patient must be obtained in the following cases:

• Surgical intervention.
• Invasive diagnostic and therapeutic procedures.
• Application of procedures that pose foreseeable risks to the patient's health.

Yes, but if they are considered health data, it will be the doctor or practitioner who decides whether to rectify or delete said data.

No, you can only access if there is a justification for it, for example, in the case of healthcare, management of health or social services, public interest or management of a claim.

Yes, but this right of access is limited to the people who hold parental authority, not to other family members.

If the parents are separated or divorced, access depends, it must be verified that there is no situation limiting the parental authority of either parent (for example, that the education of the minors is not endangered, that they are not treats with excessive harshness or that there is no family violence or abandonment of the minor).

Yes, you can request proof, but you must prove a relationship with the patient to justify that you have a legitimate interest in that treatment. Regarding the content of the receipt, the principle of data minimization must be followed, so the data that is strictly necessary and pertinent for the established purpose (justify your absence from work) will appear. Thus, you can include the identification data of the patient you accompanied (name and surname) and the date and time of admission and discharge. However, you should not specify the disease suffered, nor the admission unit nor the type of surgery, since they are not necessary to justify your absence from your work center.

Yes, using the system Mi Carpette of Savalanche, which allows you to consult your clinical information, health appointments, analytics, etc.

It will depend on the characteristics and operation of each service. However, in those services in which the calls are recorded, a warning will be made of said circumstance and you will be informed of the treatment that your personal data will receive (your voice is personal data) by the agent who answers the call or, in his/her case, through a pre-recorded voiceover containing said information.

Yes, for reasons of surveillance and security of facilities and people. But it must be borne in mind that video surveillance should only be used if there is no other means that causes less impact on privacy and should only process personal data (your image is personal data) essential for the purpose pursued. In any case, it is totally prohibited in bathrooms, changing rooms and the like. The number of cameras and the recording will be strictly necessary and the monitors must never be exposed to the public and can only be seen by those who have the mission of controlling the equipment that makes the recordings.

When a video surveillance activity is carried out by data controllers who belong to the Community of Madrid, it must be included in the Treatment Activities Registry. 

In addition, such activity should always be reported through a sign located in the video-monitored area and in which the identification of the data controller, the possibility of exercise of your rights on data protection and where you can find more information on the processing of personal data.

Keep in mind that the images will be deleted within a maximum period of one month, except if they must be kept to prove the commission of acts that threaten the integrity of people, goods or facilities.

Yes, You can request a copy from the person responsible for processing your image. But keep in mind that you can only get a recording of your own image; if third parties appear, their images will be blurred to preserve their privacy.

The images of security and surveillance cameras can only be communicated without your consent when the recipients are Judges or Courts or they are Security Forces or Bodies, who request the recordings in the event that they are necessary to guarantee public safety or to prosecute potential criminal offenses.

In addition, they can be communicated to others, whether individuals, legal entities or other Administration bodies, but only if necessary and if it is previously contemplated and declared in the corresponding treatment activity, which must appear in the Treatment Activities Registry.

There may also be cases in which individuals can access recorded images to find out the identity of a third party, in order to exercise certain legal or contractual actions. In these cases, the data controller must evaluate each specific case to determine whether or not to grant access to the images.

El National Security Scheme (ENS) It is a set of rules whose purpose is the creation of the necessary conditions of trust in the use of electronic media, through measures to guarantee the security of systems, data, communications and electronic services, which allows citizens and public administrations the exercise of rights and the fulfillment of duties through these means.

The Community of Madrid, like the rest of the Public Administrations, is obliged to comply with the provisions of the ENS, thus guaranteeing citizens that it meets the necessary security conditions to safeguard their personal data. That is why there is a reference to the ENS in the Treatment Activities Registry.

It's recommended that encrypt the file that contains the information with the personal data. Today many commonly used programs offer the option to encrypt files with password. Likewise, it is recommended that you communicate the password to the requesting doctor or physician by a different means, such as by telephone. This minimizes the chances that an outsider intercepting the file could decrypt it.