PRIVACY POLICY

Privacy Policy of the Clinic of Dr. Karim Ben Ghezala

Last updated: December 2025

This Privacy Policy explains how we process the personal data of people who use the website of the Clinic of Dr. Karim Ben Ghezala to request an assessment or get in touch with our team.

This policy applies to the use of the website, its forms and any subsequent communications (email, telephone or messaging) that arise from a request submitted through the website.

1. Data controller

The data controller is:

NEURORAQUIS DENIA SLP

Tax ID (NIF): B54681671

Address: Camino del Vasco 10, 03700 Dénia (Alicante), Spain

For the purposes of this policy, we will refer to NEURORAQUIS DENIA SLP as the "Clinic of Dr. Karim Ben Ghezala".

Contact details for privacy matters:

A Data Protection Officer has not been appointed, as it is not mandatory in our case.

2. Personal data we process

Through the website forms and the communications that follow them, we may process the following categories of data:

a) Identification and contact details

  • First name and surname(s).
  • Mobile phone number.
  • Email address.
  • Preferred contact method (phone call, WhatsApp or email).
  • Language of the form.

b) Data about how you access the clinic

  • Type of insurance or modality (reimbursement private insurance, in-network insurer/mutual company, self-pay).
  • Name of the insurer or mutual company (Sanitas, Asisa, Adeslas, Mapfre, DKV, AXA, Allianz, Generali, or "Other" with a free-text field).

c) Data relating to the reason for consultation

  • Area of concern (neck, upper back, lower back, legs, several areas, not sure).
  • Type of main problem or symptom (pain, tingling/numbness, weakness, gait instability, other).
  • Duration of the problem (less than 6 weeks, between 6 weeks and 6 months, more than 6 months, more than one year).
  • Tests already performed (MRI, CT scan, X-rays, electromyography, or "I have no tests").
  • Optional additional comment to briefly describe the situation.

In this additional comment, the user may voluntarily include health data (information about diagnosis, medical history, treatments, etc.). The form is not intended to send full medical records, but rather a brief description of the reason for consultation.

d) Technical and browsing data

As is usual, through hosting services and associated tools we may collect:

  • IP address.
  • Device and browser data.
  • Source URL and page from which the request is sent.
  • Date and time of submission (timestamp).
  • Source of the visit (for example: direct access, search engine, link from another website, campaign, etc.).
  • Internal submission identifier (ID) in our tools.

These data are mainly used to ensure the security of the service, properly manage the reception of requests and obtain aggregated statistics on the use of the website.

3. Purposes of the processing

We process personal data for the following purposes:

  1. To manage assessment and appointment requests
    • To receive and review the information that the user sends us about their spine problem.
    • To assess whether the consultation falls within the professional activity of Dr. Karim Ben Ghezala.
    • To propose appointment options and organise the clinical schedule.
  2. To answer information requests
    • To reply to questions about the clinic's activity, the centres where consultations are held, the types of treatments available or general questions related to spine care.
  3. To organise communication with the patient or interested person
    • To contact the user by the method indicated (phone, WhatsApp or email) to confirm or reschedule appointments, request additional information when necessary or clarify questions related to the assessment.
  4. To comply with legal and healthcare obligations
    • When the person becomes a patient, the necessary data are integrated into the corresponding medical record at the hospital or healthcare centre, in accordance with healthcare and data protection regulations.
  5. Statistics and service improvement
    • To produce aggregated statistics on the most frequent types of problems, response times and origin of requests, in order to improve organisation and quality of care.

Under no circumstances is the information used to create profiles with legal effects on the user, nor to take automated decisions that produce significant effects.

The website is not intended to be an emergency channel. It must not be used for medical emergencies or to request immediate care.

4. Legal bases for processing

The legal bases that allow these processing operations are:

  1. User consent
    • By submitting the form and ticking the box accepting the Privacy Policy, the user consents to the processing of their data for the purposes described (request management, contact, initial assessment).
    • When the user voluntarily includes information relating to their health, the processing is also based on their explicit consent.
  2. Taking pre-contractual steps and performance of a contract
    • When the request aims to obtain an appointment or assessment, we process the data to take steps prior to the establishment of the care relationship and, where appropriate, to deliver the healthcare service itself.
  3. Compliance with legal obligations
    • For patients, the relevant data are integrated into the medical record and kept in accordance with healthcare regulations and clinical record rules, as well as the limitation periods for professional and legal liability.
  4. Legitimate interest of the controller
    • For website security, fraud prevention and internal statistical analysis on site usage, provided that the rights and freedoms of the user do not prevail.

5. Data retention period

Data will be kept for the time necessary to fulfil the purposes indicated and, where applicable, any legal obligations:

  • Requests that do not lead to a care relationship: They are kept for the time necessary to respond to the request and then for a period of up to 3 years to deal with possible complaints or new inquiries from the same person.
  • Requests that lead to a care relationship (patients): The data are incorporated into the medical record of the corresponding healthcare centre and are kept in accordance with applicable healthcare legislation (minimum 5 years from the last care, notwithstanding longer periods in certain cases).
  • Technical and browsing data: They are kept for the time necessary to guarantee the security and operation of the website, as well as to obtain aggregated statistics. This period is usually 12 months, unless it is necessary to keep them longer for security or legal compliance reasons.

After these periods, the data are securely deleted or anonymised so that they no longer allow the identification of the user, unless there is a legal obligation to keep them (for example, to attend inspections, legal proceedings, etc.).

6. Recipients of the data

Personal data may be disclosed to the following categories of recipients:

  • Clinic staff: Administrative and healthcare team members who need to access the information to coordinate appointments, manage requests and provide healthcare services.
  • Healthcare centres: Hospitals, clinics or medical centres where Dr. Karim Ben Ghezala holds consultations or performs procedures. Data are integrated into the corresponding medical record when a care relationship is established.
  • Insurers or medical mutual companies: When the user accesses through an in-network insurer or mutual company, it may be necessary to communicate certain data to the corresponding entity to process the authorisation and billing of the service, according to the protocols of each insurer.
  • Technology service providers: Web hosting services, email management, forms, messaging, security and analytics tools that enable the secure operation of the website. These providers act as data processors and are contractually obliged to protect the confidentiality of the data.
  • Authorities and public bodies: If required by law (for example, court orders, Spanish Data Protection Agency, healthcare inspections, etc.).

We do not transfer data to third parties for commercial or advertising purposes.

Some of the technology providers may be located outside the European Economic Area (for example, hosting or messaging services in the United States or other countries). In such cases, we ensure that appropriate safeguards are in place for the protection of data (standard contractual clauses approved by the European Commission, certification of recognised frameworks, etc.).

7. Users' rights

Any person who has provided their data through the website has the right to:

  • Access: Obtain confirmation of whether personal data concerning them are being processed and, if so, obtain a copy of them.
  • Rectification: Request the correction of data that are inaccurate or incomplete.
  • Erasure ("right to be forgotten"): Request the deletion of their data when they are no longer necessary for the purposes for which they were collected, when consent is withdrawn, or when they have been unlawfully processed. There are exceptions when retention is necessary to comply with legal obligations (for example, retention of medical records) or for the exercise or defence of claims.
  • Restriction of processing: Request that processing be restricted in certain circumstances (for example, when the accuracy of the data is contested, or during the time it is verified whether erasure should proceed).
  • Objection: Object to certain data processing, especially when it is based on the legitimate interest of the controller. In that case, we will cease processing the data unless there are compelling legitimate grounds for the processing or for the defence of possible claims.
  • Portability: When processing is based on consent or a contract, and is carried out by automated means, the user has the right to receive the data in a structured, commonly used and machine-readable format, and to transmit it to another controller.
  • Withdrawal of consent: When processing is based on consent, the user may withdraw it at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal.
  • Right not to be subject to automated individual decision-making: The user has the right not to be subject to a decision based solely on automated processing that produces legal effects or significantly affects them. However, this type of automated decision-making is not performed on this website.

How to exercise these rights:

Users can exercise these rights by sending their request to:

  • Email: info@neuroklinik.es
  • Postal address: NEURORAQUIS DENIA SLP, Camino del Vasco 10, 03700 Dénia (Alicante), Spain.

The request must include first name and surname(s), contact details, a copy of the ID card or equivalent document, and a description of the right they wish to exercise. We will respond within 1 month of receipt of the request (extendable to 3 months in complex cases, informing the user of the reason for the extension in that case).

Complaint to the supervisory authority:

If you consider that the processing of your data violates the regulations or your rights have not been duly addressed, you may lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).

8. Information security

We have implemented appropriate technical and organisational measures to protect personal data against destruction, loss, alteration, unauthorised access or unlawful disclosure. These measures include:

  • Encryption of information transmitted through the website (HTTPS protocol).
  • Limitation of access to data to strictly authorised persons.
  • Backup systems and contingency plans.
  • When data are communicated to data processors (technology providers, healthcare centres, etc.), the corresponding agreements are formalised to ensure compliance with data protection regulations.

However, as no transmission of information over the internet is completely secure, we recommend that you take reasonable precautions (do not send extremely sensitive information by unencrypted email, protect your passwords, etc.).

9. Minors

The website may be used for minors (for example, when parents or guardians request an assessment for a minor). In such cases, it is the parent or legal guardian who provides consent and the minor's data.

If it is detected that data from minors have been collected without the consent of their legal representatives, they will be deleted immediately.

10. Medical information and emergency situations

The information provided through the form is for guidance purposes and does not in any case replace a full medical assessment during consultation.

This website is not intended for medical emergencies. If you are facing an emergency situation (incapacitating pain, sudden loss of strength, loss of sphincter control, etc.), you should immediately go to an emergency service or call 112.

Submitting an appointment request form does not guarantee an immediate response and does not constitute urgent medical care.

11. Changes to the Privacy Policy

We reserve the right to update and modify this Privacy Policy to reflect changes in our data processing practices, applicable regulations or services offered.

When significant changes are introduced, the new version will be published on this page, indicating the "Last updated" date at the top. We recommend that you periodically review this policy to stay informed about how we protect your data.

If you have any questions about this Privacy Policy or about how we process your personal data, you can contact us through the channels indicated in section 1.

Privacy Policy | Dr. Karim Ben Ghezala's Practice