Your data rights (GDPR)

Last updated: 2026-05-18

Your rights under the GDPR

As a data subject, you have the following rights, exercisable at any time and free of charge for the first request per year (GDPR Art. 12(5)):

Right of access (Art. 15) — a copy of the personal data we hold about you, plus information about purpose, recipients, retention, and your other rights.

Right to rectification (Art. 16) — correction of inaccurate or incomplete data.

Right to erasure / "right to be forgotten" (Art. 17) — deletion where the data is no longer necessary, you withdraw consent, or processing is unlawful.

Right to restriction of processing (Art. 18) — temporary halt to processing while accuracy or lawfulness is investigated.

Right to data portability (Art. 20) — a structured, commonly used, machine-readable export.

Right to object (Art. 21) — to processing based on legitimate interest or direct marketing.

Right not to be subject to automated decision-making (Art. 22) — no significant decision is made about you by automated means without human review.

Right to withdraw consent (Art. 7(3)) — at any time, for any processing based on consent.

Right to lodge a complaint with a supervisory authority (Art. 77) — in your country of residence, place of work, or where the alleged infringement occurred.

How to exercise these rights

Submit a request: dpo@euroclinics.net

Web form: /data-rights/request — guides you through each option.

Post: EuroClinics SL — Data Protection Officer · Calle de Velázquez 50 · 28001 Madrid · Spain.

For security reasons, we may ask you to verify your identity (typically a photo ID document, redacted as you prefer). We never ask for passwords or financial information.

Response timeline

30 days from receipt of a complete request (GDPR Art. 12(3)).

May be extended by 60 additional days for complex requests; we will notify you with reasons within the original 30 days.

No fee for the first request per calendar year. Manifestly unfounded or excessive repeat requests may incur a reasonable fee.

Special-category data (health)

Health data is processed under Art. 9(2)(h) GDPR (provision of healthcare) and Art. 9(2)(a) (explicit consent for marketing communications).

Erasure of health data may be limited where retention is required by national law (e.g. medical record retention 10–30 years depending on country). Where erasure is restricted, we will explain the legal basis.

For minors

Where the data subject is under 16 (or under the national age in your country — between 13 and 16 across the EU), a parent or legal guardian may exercise rights on their behalf.

A minor reaching the age of majority may at any time take over their own records and revoke previous guardian consent.

Data Protection Officer

Marta Albertí (independent, appointed 2025)

Email: dpo@euroclinics.net · Postal: as above · Response: within 5 business days for acknowledgement.

Supervisory authority

You may lodge a complaint at any time with the data protection authority in your country.

For Spain: Agencia Española de Protección de Datos (AEPD) · https://www.aepd.es · C/ Jorge Juan, 6 · 28001 Madrid.

A list of all EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.