Privacy policy

  1. DATA CONTROLLER

In accordance with current regulations, you are hereby informed that the data provided will be processed by Asociación Española Contra el Cáncer (the “Spanish Association Against Cancer”, or hereinafter, the “Association”):

  • Tax ID: G-28197564
  • Registered office: Calle Teniente Coronel Noreña, 30, 28045, Madrid
  • Email address: informacion@contraelcancer.es
  • DPO email address: dpo_aecc@contraelcancer.es
  1. PROCESSING ACTIVITIES

When users provide personal data via the different forms (web, telephone and face-to-face channel), their personal data will be processed for the following purposes:

  1. When users provide personal data through the “User Registration” form.

Purposes and legitimate basis: (i) administer user registration on the official website of the Association, and control their access to the area intended for users, the legitimate basis being the execution of the pre-contractual and contractual relationship; (ii) administer participation in the participatory forum on the official website of the Association; (iii) where they expressly so authorise us, to send them information on the activities and news of the Association, the legitimate basis being the express consent of the user; (iii) comply with the corresponding legal obligations, the legitimate basis being the legal obligation of the Association.

Category of data subjects: Registered Association website users.

  1. When users provide data through the form to acquire our ebooks via https://www.contraelcancer.es/es/ebooks.

Purposes and legitimate basis(i) manage the download of the selected ebook, (ii) where they expressly so authorise us, to send them information on the activities and news of the Association, the legitimate basis being the express consent of the user, (iii) comply with the corresponding legal obligations, the legitimate basis being the legal obligation of the Association.

Category of data subjects: Website users wishing to download ebooks.

  1. When users provide data via our newsletter subscription form.

Purposes and legitimate basis(i) manage the registration of the user as a subscriber to the newsletter, (ii) comply with the corresponding legal obligations, the legitimate basis being the legal obligation of the Association.

Category of data subjects: Subscribers to the newsletter.

  1. When users provide data via the “Work with Us” web form.

Purposes and legitimate basis: assess and manage their application for employment and, where applicable, to carry out the necessary actions for selection and recruitment, the legitimate basis for the processing being the execution of the pre-contractual relationship and, where applicable, the contractual relationship.

Category of data subjects: Candidates in Association selection processes.

  1. When users provide personal data via the “Become a Member” form.

Purposes and legitimate basis(i) manage registration as a member, the legitimate basis for the processing being the execution of the contractual relationship, (ii) comply with the obligations and due responsibilities derived from the contractual relationship, the legitimate basis for the processing being the legal obligation derived from said contractual relationship, and (iii) where they expressly so authorise us, to send them information on the activities and news of the Association, the legitimate basis being the users express consent.

Category of data subjects: Members of the Association.

  1. When users provide personal data via the web forms in the “We can help you” section, as well as other face-to-face and digital channels through which we facilitate and provide our assistance.

Purposes and legitimate basis(i) address both urgent and repeat requests and needs of users, with the aim of analysing personalised care (such as for psychological care, social care, medical and nursing guidance, legal advice, for those who are patients, patients’ relatives or any other), the legitimate basis being the execution of the pre-contractual and contractual relationship between AECC and the user, (ii) fulfil the obligations and due responsibilities derived from the contractual relationship, the legitimate basis for the processing being the legal obligation derived from said contractual relationship, (iii) where they expressly so authorise us, to send them information, the legitimate basis being the express consent of the user, and (iv) evaluate the quality of the service provided, in order to improve analysis with regard to the detection of the needs of the data subjects.

Category of data subjects: Beneficiaries.

  1. When users provide personal data through Infocáncer, a 24-hour telephone service, we inform them that the calls will be recorded.

Purposes and legitimate basis: (i) deal with both urgent and repeat requests and needs of users, with the aim of handling emotional distress calls, analysing personalised care (such as for psychological care, social care, medical and nursing guidance, legal advice, for those who are patients, patients’ relatives or any other), the legitimate basis being the execution of the pre-contractual and contractual relationship between the Association and the user, (ii) manage registration as a member, the legitimate basis for processing being the execution of the contractual relationship, (iii) fulfil the obligations and due responsibilities derived from the contractual relationship, the legitimate basis for processing being the legal obligation derived from said contractual relationship, (iv) manage the registration of data subjects on our healthy itineraries, prevention and entertainment activities, the legitimate basis for processing being the express consent of the user, (v) manage expressions of interest from candidate volunteers, in order for the corresponding Provincial Offices to contact the data subjects directly, and (v) where they expressly so authorise us, to send them information, the legitimate basis being the express consent of the user, and (vi) evaluate the quality of the service provided, in order to improve analysis with regard to the detection of the needs of the data subjects.

Category of data subjects: Beneficiaries, Members, Donors, Candidate volunteers, Association event/activity registrants, and others interested in information on Association services and activities.

  1.  When users provide personal data via the “Volunteer” form.

Purposes and legitimate basis(i) manage the volunteer selection process, and, if chosen, manage the corresponding registration, the legitimate basis being the execution of the pre-contractual and contractual relationship with the user, (ii) where they expressly so authorise us, to send them information on the activities and news of the Association, the legitimate basis being the express consent of the user, (iii) comply with the obligations and due responsibilities derived from the contractual relationship, the legitimate basis for processing being the legal obligation derived from said contractual relationship.

Category of data subjects: Association volunteer candidates.

  1. When users provide personal data via the “Donate” and “Donate to a Challenge” web form located at http://www. mireto.contraelcancer.es.

Purposes and legitimate basis(i) manage user donations, the legitimate basis being the execution of the contractual relationship, (ii) where they expressly so authorise us, to send them information on the activities and news of the Association, the legitimate basis being the express consent of the user, (iii) comply with the obligations and due responsibilities derived from the contractual relationship, the legitimate basis for the processing being the legal obligation derived from said contractual relationship.

Category of data subjects: Association donors.

  1. When users provide personal data through the “My Challenge Against Cancer” form set up on the website http://www. mireto.contraelcancer.es.

Purposes and legitimate basis(i) management of charitable events carried out by the creator of the challenge to raise funds, the legitimate basis being the execution of the contractual relationship, (ii) where they expressly so authorise us, to send them information on the activities and news of the Association, the legitimate basis being express user consent, (iii) comply with the obligations and due responsibilities arising from the contractual relationship, the legitimate basis for processing being the legal obligation arising from said contractual relationship.

Category of data subjects: Association event/activity registrants and Association donors.

  1. When users provide personal data through the “CREATE MY PIGGY BANK” form, enabled on the Website https:// mihucha.contraelcancer.es/.

Purposes and legitimate basis(i) management of the solidarity piggy bank that the user registered as contributor to raise funds and (ii) publish identification details of the creator of the Piggy Bank on the aforementioned Website, the legitimate basis for both purposes being the execution of the contractual relationship, (iii) where they expressly so authorise us, to send them information on activities and news of the Association, the legitimate basis being the express consent of the user, (iii) comply with the obligations and due responsibilities arising from the contractual relationship, the legitimate basis for the processing being the legal obligation arising from said contractual relationship.

Category of data subjects: Association event/activity registrants.

  1. When users provide personal data via the “I want to contribute” form enabled on the Website https:// mihucha.contraelcancer.es/.

Purposes and legitimate basis: (i) management of the collection of funds and donations made by the user in the charitable piggy banks, the legitimate basis being the execution of the contractual relationship, (ii) where they expressly so authorise us, to send them information on activities and news of the Association, the legitimate basis being the express consent of the user, (iii) comply with the obligations and due responsibilities derived from the contractual relationship, the legitimate basis for processing being the legal obligation derived from said contractual relationship.

Category of data subjects: Association donors.

  1. When users provide personal data through the different event/activity registration forms organised by the Association.

Purposes and legitimate basis: (i) manage and process the participation of the User in the specific activity/event of the Association, the legitimate basis being the execution of the contractual relationship, (ii) where they expressly so authorise us, to send them information on activities and news of the Association, the legitimate basis being the express consent of the user, (iii) comply with the obligations and due responsibilities derived from the contractual relationship, the legitimate basis for processing being the legal obligation derived from said contractual relationship.

Category of data subjects: Association event/activity registrants and Association donors.

  1. Where the data subject so authorises, the data provided through surveys issued by the Association.

Purposes and legitimate basis: generate aggregate data reports, for statistical and analytical purposes in the field of Cancer, which may be published on the Website owned by the Association, http://observatorio.contraelcancer.es/#observatorio, congresses organised by or involving the Association, health portals, scientific journals and publications, and any other medium related to health science activity, the legitimate basis being the legitimate interest of the Association, in order to assess the activity and participation of the Association within the field of the fight against cancer.

Category of data subjects: Beneficiaries, Partners, Donors, Association event/activity registrants, and others interested in information on Association services and activities.

In general, the Association will generate personalised reports on their activity with the Association, requesting explicit, separate consent, which they may withdraw at any time. However, the withdrawal of consent will not affect the lawfulness of processing carried out previously.

  1. COMMUNICATION OF DATA

User data may be communicated to:

  • Public Authorities as applicable by law.
  • Partner organisations or events organisers of the Association, solely for the purpose of managing stakeholder participation.
  • Suppliers/professionals of the Association necessary for the proper fulfilment of the purposes indicated in the previous sections, as well as legal obligations.
  • Professionals working with the Association to ensure the proper handling of applicants and the proper provision of the service required of the Association.
  • Public and/or private entities within the scope of grants awarded, to fulfil those purposes within the contractual relationship therewith.
  • Where expressly so authorised by the user, third-party companies in the social sector in order to ascertain the services that they may be receiving from said third parties, so as to address specific needs, and to assist in the administration of certain services that they might be receiving in their name.

Likewise, suppliers of the Association required for the adequate compliance with legal obligations and/or the stated purposes may process user data in the position of data processor, without the Association in any case losing its position as data controller.

  1. PERSONAL DATA OF MINORS

The Association informs users that in order to process the personal data of minors under 14 years of age, the consent of the parents, guardians or those with parental authority over the minor will be required.

Therefore, when a minor participates in an event, Race, Challenges or in general in an event organized by the Association, by its collaborators or by its members, as well as to obtain the status of volunteer or member, it will be necessary to provide the identification data of the parents, guardians or those with parental authority, for the sole purpose of obtaining the necessary consent. The Association reserves the option of demanding the family record book or any other document determining the parentage, guardian status or parental authority in general over the minor.

  1. PERSONAL DATA OF THIRD PARTIES

When users provide personal data of relatives, friends, partners or any other third parties related to the user, they must agree to inform them of the privacy policy of the Association, and in general of the terms set out herein, and obtain the consent of these third parties for the processing of their personal data.

  1. ONLINE DONATIONS

Through the various online donation forms of the Association, whether users have registered user status or not, they can make donations to support charitable projects. During this donation process, the Association does not obtain personal data from users who decide to make a donation, save for the following exceptions:

  • The user freely includes their personal data.
  • If the amount of the donation is equal to or greater than 100 euros (in accordance with Act 10/2010, of 28 April 2010, on Anti-Money Laundering and Prevention of Terrorist Financing, hereinafter the “AML Act”).
  • When the user requests the issuance of the tax certificate.

We likewise inform you that your personal data included in the documents or records accrediting the application of funds in the different projects will be available to the Charities Supervisor, the AML Supervisory Committee, the Commission for the Prevention of Money Laundering and Monetary Offences or its support bodies, and also to administrative or judicial bodies with powers in the field of the prevention or prosecution of money laundering or terrorism.

  1. DATA SECURITY

The Association will treat the User’s data at all times in an absolutely confidential manner and with the mandatory duty of secrecy regarding them, in accordance with the provisions of the applicable regulations. The Association has implemented the technical and organisational measures necessary to guarantee the security of their personal data and prevent their alteration, loss, unauthorised processing or access, taking into account the state of the technology, the nature of the data stored and the risks to which they are exposed.

  1. RIGHTS OF THE DATA SUBJECT

As the owner of the data, the User may exercise the rights recognised in the data protection regulations at any time, free of charge, by writing to the address indicated in the heading of this Privacy Policy, attaching a photocopy of their identity document, or another document serving to establish the identity of the User.

Right of Access: You are entitled to be informed by the Association as to whether it is processing your personal data and, if so, you may access such data and receive information as to the purposes for which they are processed, the data categories affected by the processing, the recipients to which your personal data have been communicated, and the planned duration of storage of your data, among other information.

Right of rectification and erasure: You will have the right to request the erasure of personal data provided that the applicable legal requirements are fulfilled, and the rectification of inaccurate data concerning you if, among other reasons, the data are no longer needed for the purposes for which they were gathered.

Restriction of processing, revocation of consent and total or partial objection to processing: In certain circumstances (for example, if the requesting party challenges the accuracy of their data, while the accuracy thereof is being verified), you may request that processing of your personal data be restricted, in which case they will be processed only in order to bring or defend against claims.

You will also have the right to revoke consent and to object to processing at any time, for reasons connected with your individual circumstances, if the processing is based on our legitimate interest or on the legitimate interest of a third party (including processing intended for direct marketing and the corresponding profiling processes). In this case, the Association will cease processing, unless legitimate reasons can be demonstrated.

Portability of your data: You will be entitled to receive any personal data that you have provided to the Association in a standard, structured, machine-readable format, and to be able to transfer them to another data controller, without the controller to which you provided them preventing this, in the circumstances legally established for these purposes.

Individual automated decisions: Furthermore, in addition to the aforementioned rights, in case of automated decision making, including profiling, you have the right to obtain human intervention by the Association and to express your point of view and challenge the decision.

Other: Likewise, if personal data are transferred to a third country or to an international organisation, you will be entitled to be informed as to how you may access or obtain a copy of appropriate guarantees with regard to the transfer.

You may also lodge a complaint regarding the protection of your personal data with the Spanish Data Protection Agency at the address Calle Jorge Juan, 6, 28001 Madrid, if as data subject you consider that the Association has violated the rights granted by the applicable data protection regulations.

  1. STORAGE PERIODS: Consult here the storage periods table
  2. CATEGORY OF DATA PROCESSED: Consult here the category of data processed table