Processing of personal data

Who is the data controller for your personal data?

The data controller is the Navarre University Hospital (CUN), with NIF [Tax ID no.] R3168001J and its registered office at Avenida Pio XII, 36, 31008, Pamplona.

The CUN has formally appointed a Personal Data Protection Officer and has also made the following communication channel available:

How do we obtain your personal data?

To answer this question, a distinction must be made between the sources from which your data is derived and the type of personal data that the CUN processes:

a. Sources from which personal data is received.

Provided by patients as part of the legal, contractual, care or any other relationship established with the CUN.

The management, maintenance and development of the relationship established between the CUN and the patient.


Public bodies and administrations.

b. Types of personal data.

Identification data, including images.

Data on personal characteristics and social circumstances.

Clinical and healthcare data in your medical records obtained over the course of the relationship established between the CUN and the patient.

Economic, financial and insurance data necessary for billing your medical care.

Why do we process your personal data?

At the CUN, your personal data are processed for the purposes detailed below:

Management, maintenance and development of the legal, contractual and/or healthcare relationship established between the CUN and the patient, which may include:

  • Healthcare provided to the patient.
  • Medical tests performed on the patient.
  • Clinical diagnoses.
  • Any other necessary matter in relation to carrying out clinical healthcare.

Managing the collection and billing of the medical care and interventions performed.

Use of medical data for the purposes of research undertaken at the CUN if consent has been given for this.

In all cases, the processing of medical data for research purposes shall comply with current law.

You are also hereby informed that such processing will be undertaken with encrypted and/or pseudonymized data, in strict compliance with the security measures applicable to the storage and safekeeping of data and, in any case, following an opinion from the Ethics Committee of the Navarre University Hospital.

Sending information by post, telephone or email about the CUN, Navarre University or the Center for Applied Medical Research (CIMA). Such information will concern the research projects, activities or studies that these institutions undertake; the advances made; the new products, services and techniques being offered in the health sector at both the care and research levels; and the products and services that the CUN, Navarre University or CIMA provide. Information may also be sent regarding the CUN’s collaborating institutions in the hotel, catering and retail sectors. This will only happen if consent has been given.

You may refuse the processing of your personal data for advertising or promotional purposes at any time by using the channels the CUN makes available, as detailed in the "What are your rights concerning the processing of your personal data?” section.

Use of data to inform patients about clinical research projects undertaken by the Navarre University Hospital, either individually or in collaboration with other scientific research institutions, and request their participation in these, only if consent has been given.

What is the CUN’s justification for processing your data?

The justification for processing your personal data is based on the following:

The formalization, development, implementation and maintenance of the care, legal and/or contractual relationship entered into between the patient and the Navarre University Hospital.

Compliance with legal obligations applicable to the Navarre University Hospital.

The Navarre University Hospital’s legitimate interest.

The consent given by the patient for the purposes requested.

Which recipients will your personal data be communicated to?

The personal data that the CUN processes to achieve the purposes detailed above may be communicated to the following recipients for communication purposes.

Based on the foregoing, the following data communications seek to ensure the proper development of the contractual relationship and to comply with legal obligations requiring that the aforementioned communications be made:

Public bodies and administrations, to comply with the CUN’s legal obligations.

Financial institutions, to manage collections and payments.

Suppliers of medical material and products, as well as pharmaceutical companies.

Insurers, to maintain the healthcare and economic relationship.

How long do we retain your data?

Personal data will be retained for the duration of the care, legal and/or contractual relationship and subsequently provided that you have not exercised your right to deletion; the data will be retained considering the legal periods applicable in each specific case, taking into account the type of data and the purpose of the processing.

The data and documentation serving as proof of the care and/or legal relationship that the patient has entered into with the Navarre University Hospital will be retained for the retention periods established in the applicable laws and the statutes of limitation for civil, criminal, administrative or any other type of action that may arise from the relationship entered into.

Further information about the terms of data retention by the Navarre University Hospital can be requested by contacting us at

What are your rights concerning the processing of your data?

The CUN informs you that you have the right to access your personal data and to receive confirmation about how these data are being processed. You also have the right to request the amendment of inaccurate data or, where appropriate, request their deletion when, among other reasons, the data are no longer necessary for the purposes the CUN collected them for.

In certain circumstances, you may request the limitation of the processing of your data, in which case the CUN will only retain them to make or defend against claims.

Additionally, in certain circumstances, you may forbid the processing of your personal data for certain purposes as communicated by the CUN. In this case, the CUN will stop processing your personal data unless there are legitimate grounds or to ensure the exercise of, or defense against, any claims.

Lastly, you may request the right to portability and obtain for yourself or another service provider certain information stemming from the contractual relationship entered into with the Hospital.

We also remind you that you may disallow, at any time, the processing of your data for advertising or promotional purposes.

You may exercise these rights by writing to the Navarre University Hospital at one of the following addresses:

If you are a patient in Pamplona, by post to Avenida Pio XII, 36, 31008, Pamplona.

Patient Customer Service

Or by email,


If you are a patient in Madrid, by post to Calle Marquesado de Santa Marta, 1, 28027 Madrid.

Security and Data Protection Unit

Or by email,

In both cases, the identity of the person exercising their rights must be proven by sending a copy (both sides) of their ID card, foreign ID number, passport or equivalent document.

The CUN informs you that you can find templates (modelos) for documents to exercise your data protection rights on the website of the Spanish Data Protection Agency (

The CUN will provide the information requested within one month of receiving a request. This period may be extended by a further two months if necessary depending on the complexity and number of requests.

If consent has been granted for a specific purpose, you may withdraw this consent at any time without affecting the legality of the processing before such withdrawal.

You may lodge a complaint with the competent data protection supervisory authority. In the first instance, however, you may file a complaint with the Data Protection Officer, who will resolve your complaint within a maximum of two months.

We inform you that, as a signatory, you accept that the signature of the document will be produced in electronic form by means of your digital signature. If you use the digital signature system, CUN will process the biometric data associated with said signature solely for the purpose of maintaining the traceability of the receipt and acceptance of the documentation. If you do not wish to provide such data, you may sign the document on paper.