Privacy Policy

Privacy Policy

1. The Right to Information

The Privacy Policy of the Instituto de Investigación Sanitaria del Principado de Asturias (Health Research Institute of Asturias) – “ISPA” – pertains to the need to regulate access to and use of the services, job offers, events and training opportunities offered by the organisation, whether via the website or hard-copy application forms.

2. ¿Who is the Controller of your personal data?

In accordance with the provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (GDPR), please be informed that the personal data that you provide us will be duly registered and incorporated into the data processing systems controlled by the Fundación para la Investigación e Innovación Biosanitaria del Principado de Asturias – FINBA (Foundation for Biomedical Research and Innovation in Asturias): Avenida de Roma s/n, 33011 Oviedo, Principado de Asturias, Spain.
Contact e-mail:

3. Purpose

The data provided are used by ISPA to effectively provide the services contracted / agreed upon, whether they relate to ISPA’s work or not, this being dependent on why you have provided us with the data:

Type of Processing Purpose
Diagnosis and Research Data processing for diagnosis and research, the purpose of which is defined as follows: processing patients’ personal data to facilitate the diagnosis, treatment and prevention of diseases that are the object of scientific studies in which it is necessary to determine filiation .
Biobank Data processing for storage in the Biobank (Biobanco) of the Servicio de Salud de Principado de Asturias (SESPA) and ISPA, the purpose of which is defined as follows: processing personal data and biological samples for biomedical research purposes.
Suppliers Data processing for the purpose of managing ISPA’s relationships with its suppliers.
Staff Management Data processing to facilitate ISPA’s staff management, the purpose of which is defined as follows: processing personal and professional data for each person who works in or collaborates with FINBA, including the management of candidates for job opportunities and the implementation of biosecurity measures.
Corporate Contacts Data processing to manage ISPA’s corporate contacts, the purpose of which is defined as follows: management of events and actions to promote ISPA’s work.
Video Surveillance Data processing to enable video surveillance of ISPA’s access points and facilities.
Clinical Studies Data processing for clinical studies, the purpose of which is defined as follows: processing the personal data of the subjects participating in studies managed by ISPA, as part of FINBA’s Annual Work Plan, including management of those SESPA clinical trials and observational studies in which ISPA and/or its researchers participate.
Research Projects Data processing for research projects, the purpose of which is defined as follows: processing the personal data of the subjects participating in biomedical research projects in which ISPA and/or its researchers participate.

The personal data provided will be stored for as long as your relationship with ISPA lasts, being held longer when relevant to the health of the data subjects, or they will be stored for the time required by law in each case. Please also be informed that your personal data will not be used by ISPA for commercial profiling. Your personal data will be processed in a lawful, faithful, transparent, satisfactory, pertinent, restricted, accurate and up-to-date manner. ISPA therefore undertakes to take all reasonable measures to erase or rectify these data if they are inaccurate.

4. Security Measures

Taking into account the state of the art , the costs of implementation and the nature, scope, context and purposes of data processing described in point 3 of this privacy policy, as well as the risks of varying likelihood and severity to rights and freedoms of the users, ISPA, in compliance with the provisions of article 32.1 of the GDPR, has implemented appropriate technical and organisational measures to ensure an appropriate level of security. These include, inter alia: measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and implementation of a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

5. What are the legal grounds for processing your data?

The legal grounds for processing your personal data are as follows: the handling of the request you have sent to ISPA, in each case; your consent for participating in the activities, projects, training and events organised by ISPA; your consent for participating in the projects or studies sponsored by ISPA or in which ISPA collaborates; your contractual relationship with ISPA or, in certain circumstances, the legal grounds for ISPA processing your personal data are provided by a law.
Nevertheless, as detailed below, you have the right to exercise your right to object to the aforementioned processing, following the instructions provided by ISPA for this purpose.

6. To which recipients will your data be sent?

ISPA does not anticipate performing any disclosure or transfer of the personal data held in its systems to third parties.

7. What are your rights when you provide us with your data?

You have the right to access your personal data, request the rectification of inaccurate data or, where applicable, request their erasure when, among other motives, the data are no longer necessary for the purposes they were collected for. You may request that processing of your data be restricted, in which case ISPA will store the data only for the exercise or defence of claims. You may also object to the processing of your data, in which case ISPA will stop processing the data, except when, for legitimate grounds or due to the defence of potential claims, it is not able to meet your objection request. You may also request the portability of your data.
To exercise these rights, i) you may visit the ISPA premises in person and request the forms provided for this purpose at reception. Alternatively, you may download these forms below:

ii) You may also send the aforementioned request form produced by ISPA, or your own version thereof, to the following postal address: Avenida de Roma s/n, 33011 Oviedo, Asturias, Spain. Please add the heading “Exercise of + the corresponding right” if you have produced your own request. Alternatively, you may send it to the e-mail address: In all cases, please remember to attach a copy of your national ID document (DNI, NIE or passport ).
In compliance with the provisions of the GDPR, we hereby inform you that you may also contact the Agencia Española de Protección de Datos (Spanish Data Protection Agency) to obtain additional information on your rights and/or file a claim if your rights have not been attended to.
ISPA will treat your data with the strictest confidentiality, refraining from using them for purposes other than or incompatible with those described in this notice, without first requesting your consent for this processing, except in those circumstances in which you expressly authorise so doing, or it is required or permitted by a law. In such circumstances, ISPA undertakes, where appropriate, to provide advance notice to all users of the identity of the recipient entity and the purpose of the disclosure, so as to secure your consent. Please also be informed that your personal data may be accessed by entities or persons that are external to ISPA, in circumstances when this is necessary for the provision of a professional service to ISPA. In this last case, said data transfer or access will be performed within the framework of a signed service-provision agreement, under the terms and conditions set forth in article 28 of the GDPR. ISPA informs you that, when agreements are entered into with external entities, your data may be transferred to insecure destinations (countries that are not part of the European Economic Area), such as the United States, where the regulations on data protection does not provide as many guarantees as the European Union regulations within the European Economic Area. However, when entering into agreements with these entities and transferring your data for this type of agreement, ISPA will take all the technical, organisational and security measures stipulated by the GDPR.

8. Links

This privacy policy only applies to ISPA web pages. This privacy policy provides no guarantees regarding access to this site via external links, not access to other websites via the links on this site.
ISPA has taken all the legally-required security measures. However, please be aware that these measures are not impenetrable on the internet, and ISPA therefore cannot be liable for use of the data resulting from robbery, theft and any use exploiting the illegal acts of third parties.

9. Amendment of this Privacy Policy

ISPA reserves the right to amend this Privacy and Data Protection Policy, in accordance with any regulatory amendments that are made, and with the guidelines provided by the Agencia Española de Protección de Datos. The aforementioned amendments will be duly made to this website in order to inform all registered users and parties interested in ISPA’s services and activities of such changes.