NOT FOR EMERGENCIES - CALL 112

Privacy Policy

How Doctor Abbs SL processes personal data through The Holiday Doctor, including the lawful bases under GDPR Article 9(2)(h), the role of automated processing in the consultation form, and the full list of processors.

Last updated: 31 May 2026

In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR), Spanish Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD), and other applicable legislation, Doctor Abbs SL provides the user with the following information on the processing of personal data.

Basic data-protection information

Controller: Doctor Abbs SL, a company entered in the Commercial Registry of Madrid (Tomo 41513, Folio 1, Sección 8, Hoja M-735596), NIF B42734350, with registered office at Calle Hermosilla 48, 1 Dcha, 28001 Madrid, Spain.
Main purpose: Provision of a private asynchronous online medical consultation service for repeat prescriptions of established medication, the oral contraceptive pill, one-off repeat prescriptions of insulin, and a defined set of minor acute conditions, including clinical assessment and private electronic prescription where clinically appropriate.
Lawful basis: Article 9(2)(h) GDPR (healthcare by a professional subject to professional secrecy) for health data; Article 6(1)(b) GDPR (performance of contract) for identification and contact data; Article 6(1)(c) GDPR for legal obligations relating to the clinical record, pharmacovigilance and tax obligations; Article 22(2)(c) in conjunction with Article 9(2)(a) GDPR (explicit consent) for the automated contraindication filter in the initial consultation request.
Retention periods: Clinical record: at least five years from the end of each episode of care under Article 17 of Ley 41/2002. Billing data: six years under the Commercial Code and tax legislation. Other data: until the purpose is fulfilled or consent is withdrawn.
Recipients: The pharmacy chosen by the patient, for dispensing the private electronic prescription; AEMPS for pharmacovigilance where applicable; the Spanish tax administration; health or judicial authorities where there is a legal obligation. Processors engaged under Article 28 GDPR, named in Section 7.
Rights: Access, rectification, erasure, objection, restriction of processing, portability and the right not to be subject to automated decisions with significant legal effects. Right to lodge a complaint with the AEPD.
How to exercise rights: By writing to privacy@nivelta.es with a copy of your DNI or equivalent identification document.

1. Data controller

The controller of the personal data collected through the website theholidaydoctor.com or in the context of the medical service is:

Doctor Abbs SL
NIF: B42734350
Company entered in the Commercial Registry of Madrid: Tomo 41513, Folio 1, Sección 8, Hoja M-735596.
Registered office: Calle Hermosilla 48, 1 Dcha, 28001 Madrid, Spain.

Contact channels.

  • Email for exercising data-protection rights and for the formal communications required under Article 10.1.a LSSICE: privacy@nivelta.es. This is the single channel for exercising the rights listed in Section 11 and for any formal communication to the controller. Doctor Abbs SL operates the Nivelta brand alongside The Holiday Doctor and uses one shared formal data-protection inbox.
  • Operational service email: help@theholidaydoctor.com. This is the usual channel for operational queries, questions about the service, billing matters and any other non-formal communication. Use of the operational channel does not replace the formal channel above for exercising data-protection rights: user requests sent to help@theholidaydoctor.com that are identified as exercising a GDPR right will be routed internally to privacy@nivelta.es and handled within the timescales set out in Section 11, but the controller recommends that the user contact the formal channel directly to avoid delays.

The Medical Director and prescribing physician for the service is Dr Adam Abbs, registered with the Ilustre Colegio Oficial de Médicos de Madrid (ICOMEM) under number 282889105. Dr Adam Abbs is bound by the duty of professional secrecy under Article 5(1)(d) of Ley 41/2002 and Article 5 of Ley 44/2003 (LOPS).

Data Protection Officer. Doctor Abbs SL has carried out and documented an analysis of the need to appoint a Data Protection Officer under Article 37 GDPR and Article 34 LOPDGDD. In view of the scale and nature of the service’s operations at launch, Doctor Abbs SL has concluded that the circumstances requiring the appointment of a Data Protection Officer are not met. Requests and communications in matters of data protection are handled directly by the controller through the email address indicated above. Doctor Abbs SL will review this conclusion periodically as the service develops.

2. Personal data processed

Doctor Abbs SL processes the following categories of personal data, all of which are provided directly by the data subject:

  • Identification data: first name, surname(s), date of birth, sex registered at birth and gender identity where applicable, DNI, NIE or equivalent identification document number (as required by Real Decreto 1718/2010 for a valid Spanish prescription).
  • Contact data: email address, mobile phone number, and, where applicable, postal address.
  • Economic and billing data: information needed to issue an invoice for the services delivered, as well as information relating to the payment method used as provided by the payment service provider engaged (Doctor Abbs SL does not store complete payment card details).
  • Health data (special category under Article 9 GDPR): the symptoms or condition for which treatment is sought; all medications currently being taken, including over-the-counter, supplements and herbal preparations; past and current medical history (including heart, kidney, liver, respiratory or neurological conditions, diabetes and others); known allergies and previous adverse reactions; information specific to the branch of the service (for example, pregnancy and breastfeeding status for the oral contraceptive pill or where clinically relevant; previous urinary symptoms for a UTI consultation); supporting documents uploaded by the patient (for example, the label or photograph of a prior prescription, a previous diagnosis letter); the clinical assessment, decision, reasoning and the medication and instructions prescribed by the doctor.
  • Site usage data: information about browsing collected through cookies and equivalent technologies, on the terms described in the Cookie Policy.

Data is collected through the consultation form on the website, contact forms, email communications with the controller and the other channels made available by Doctor Abbs SL in the context of delivering the service.

Data we deliberately do not collect. Doctor Abbs SL does not collect the user’s complete payment card details at any point on the website or consultation form; payment is processed by the payment service provider identified in Section 7. No biometric identifiers are collected beyond the basic clinical body measurements (weight, height, blood pressure where relevant) needed for safe prescribing. No information is requested about the user’s race, ethnic origin, religious beliefs, political opinions or sexual orientation, and the user is asked not to include this information in any free-text answer in the consultation form or other communications with the controller.

3. Purposes of processing

Doctor Abbs SL processes personal data for the following purposes:

  • To assess clinically the user’s eligibility for the service in accordance with the published eligibility criteria.
  • To deliver the private asynchronous online medical consultation service requested: clinical assessment, private prescription where appropriate, and clinical communications relating to the request.
  • To issue the private electronic medical prescription under Real Decreto 1718/2010 and to enable its dispensing at the pharmacy chosen by the patient.
  • To maintain the patient’s clinical record under Ley 41/2002.
  • To communicate with the patient about the consultation and its outcome (clinical summaries, follow-up reminders where clinically appropriate, decline reasons).
  • To comply with pharmacovigilance obligations, in particular the notification of suspected adverse drug reactions to AEMPS where applicable.
  • To issue invoices and to comply with the accounting and tax obligations of Doctor Abbs SL.
  • To handle queries, information requests, exercise of rights and complaints.
  • To improve the service through internal analysis of the consultation activity, using aggregated or pseudonymised data where technically possible.
  • Where appropriate, to defend any legal actions to which Doctor Abbs SL may be party.

4. Lawful basis for processing

The lawful basis for processing varies by purpose:

  • For the processing of health data for healthcare purposes, the lawful basis is Article 9(2)(h) GDPR: processing necessary for the provision of healthcare by a professional subject to the obligation of professional secrecy. This processing takes place within the doctor-patient relationship between the patient and Dr Adam Abbs as a doctor registered with ICOMEM, and is covered by the medical professional secrecy provided for in Article 5(1)(d) of Ley 41/2002 and Article 5 of Ley 44/2003 (LOPS), as applicable under Article 9(3) GDPR.
  • For the processing of identification and contact data for the purpose of delivering the service, the lawful basis is Article 6(1)(b) GDPR: performance of the contract for private medical services requested by the data subject.
  • For compliance with the clinical-record retention obligation, the lawful basis is Article 6(1)(c) GDPR in conjunction with Ley 41/2002.
  • For compliance with pharmacovigilance obligations, the lawful basis is Article 6(1)(c) and Article 9(2)(i) GDPR in conjunction with applicable pharmacovigilance legislation.
  • For compliance with accounting and tax obligations, the lawful basis is Article 6(1)(c) GDPR in conjunction with the Commercial Code and applicable tax legislation.
  • For the automated absolute-contraindication filter in the initial consultation form (the mechanism described in Section 10.i), the lawful basis is Article 22(2)(c) GDPR (explicit consent of the data subject to a decision based solely on automated processing) in conjunction with Article 9(2)(a) GDPR (explicit consent for processing special-category data evaluated by the filter). This consent is obtained specifically and independently at the start of the consultation request.
  • For internal analysis of consultation activity for service improvement, the lawful basis is Article 6(1)(f) GDPR (legitimate interest of the controller), to which the data subject may object at any time as set out in Section 11.

5. Retention periods

Doctor Abbs SL retains personal data for the time necessary to fulfil the purposes for which it was collected and to meet the legal responsibilities arising from its processing:

  • Clinical record: at least five years from the end of each episode of care under Article 17.1 of Ley 41/2002. Applicable autonomous-community legislation may set longer periods; in that case, the longer period prevails.
  • Economic, billing and accounting data: six years under Article 30 of the Spanish Commercial Code, extended to the applicable tax limitation period where longer.
  • Data related to complaints, claims or proceedings: for the duration of the proceeding and, thereafter, for the limitation period of the applicable civil, administrative or criminal actions.

Once the relevant periods have elapsed, data is irreversibly deleted or anonymised, except where its retention is required by law. The blocking regime in Article 32 LOPDGDD applies to data whose retention continues by legal obligation once the purpose-fulfilment period has elapsed.

6. Recipients of the data

Doctor Abbs SL discloses personal data only where there is a lawful basis to do so:

  • Pharmacy chosen by the patient: the private electronic prescription is transmitted to the pharmacy designated by the patient for dispensing. The pharmacy is an independent controller in respect of the data it receives in this context.
  • Homologated private electronic prescription platform: for the issuing of the prescription under Real Decreto 1718/2010 and the homologation of the General Council of Official Medical Colleges (CGCOM/OMC).
  • Spanish Medicines Agency (AEMPS): in compliance with pharmacovigilance obligations, where notification of suspected adverse drug reactions applies.
  • Spanish Tax Administration: in compliance with the accounting and tax obligations of Doctor Abbs SL.
  • Health, administrative or judicial authorities: where there is a legal obligation to disclose or a legitimate request from a competent authority.

No other transfers to third parties are envisaged. In particular, Doctor Abbs SL does not sell personal data and does not disclose it to third parties for commercial or advertising purposes.

7. Processors

Doctor Abbs SL engages certain technical and operational services with providers acting as processors under Article 28 GDPR, on the basis of a written processing agreement that binds each of them to the same protection standards. These processors access personal data only to the extent strictly necessary to deliver the service contracted and under the contractual obligations set out in the processing agreement (in particular: processing in accordance with the controller’s documented instructions; duty of confidentiality; appropriate technical and organisational measures; assistance to the controller in handling data-subject rights and meeting its obligations; deletion or return of data on termination of the engagement; audit rights).

The processors with whom Doctor Abbs SL works as at the publication of this policy are:

  • Private electronic prescription platform: Receta Médica Privada electrónica (REMPe), managed by the General Council of Official Medical Colleges (Spain), exclusively for the transmission of the prescription and associated administrative data under Real Decreto 1718/2010.
  • Website hosting, CDN, DNS and threat protection: Cloudflare, Inc. (United States), integrated provider of static site hosting (Cloudflare Pages), content delivery network, DNS resolution, bot and attack mitigation, and execution of contact-form backend logic (Cloudflare Workers). Its processing covers technical web traffic data (IP addresses, request headers, usage metadata) and personal data provided by the user in the site’s contact forms.
  • Clinical consultation form: Jotform Inc. (EU plan; data submitted through the form is stored on the provider’s European infrastructure).
  • Management and storage of clinical service data: Baserow B.V. (hosting in the European Union), responsible for the operational repository of the patient’s clinical data during service delivery.
  • Payment gateway: Stripe Payments Europe, Limited (Ireland, European Union). Stripe may rely on international sub-processors for specific technical and fraud-prevention functions in accordance with its public sub-processor list, covered by the applicable transfer framework.
  • Workflow orchestration: Make.cz s.r.o. (Czech Republic, European Union), for the operational link between the various technical systems of the service.
  • Transactional communications with the patient: Brevo SAS (France, European Union), for sending follow-up communications to the patient by email and other enabled channels.
  • External advisors (legal, tax and accounting, audit), exclusively to the extent necessary for the provision of their professional advice and subject to the duty of professional secrecy.

Doctor Abbs SL maintains a record of processing activities under Article 30 GDPR documenting the identity of each processor, the categories of data to which it has access and the applicable safeguards. The record is available to the AEPD on request. Any update to the processor list, in the event of a change of provider for any of the functions listed, will be reflected in the next periodic review of this policy.

8. International data transfers

Some of the processors named in Section 7 are established outside the European Economic Area. In particular, Cloudflare, Inc. is established in the United States. Jotform Inc. is a company incorporated in the United States, although Doctor Abbs SL contracts its EU plan and form content is stored on the provider’s European infrastructure; occasional access by support personnel based in the United States is treated as an international transfer and covered by the safeguards described below. Stripe Payments Europe, Limited, Make.cz s.r.o., Baserow B.V. and Brevo SAS are European Union entities but may rely on international sub-processors in accordance with their respective public sub-processor lists.

International transfers to the United States are made under the EU-US Data Privacy Framework, recognised by the European Commission’s Adequacy Decision of 10 July 2023, where the provider is certified under that framework. Failing that, transfers are covered by the Standard Contractual Clauses approved by the European Commission under Decision (EU) 2021/914, supplemented by such additional measures as may be appropriate under European Data Protection Board Recommendations 01/2020.

The data subject can request a copy of the safeguards applicable to these transfers by writing to privacy@nivelta.es.

9. Security measures

Doctor Abbs SL has implemented the technical and organisational measures required by Article 32 GDPR, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity to the rights and freedoms of natural persons. These measures include, among others:

  • Encryption of data in transit and, where technically appropriate, at rest.
  • Role-based access control on the principle of least privilege.
  • Access logging for systems processing health data.
  • Strong authentication for access to clinical systems.
  • Regular backups and documented recovery procedures.
  • Incident management and security-breach response procedures.
  • Periodic training of personnel with access to personal data.
  • Periodic review of the measures implemented.

In the event of a personal data breach that poses a risk to the rights and freedoms of natural persons, Doctor Abbs SL will notify the AEPD within 72 hours under Article 33 GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of those affected, Doctor Abbs SL will communicate the breach to affected data subjects without undue delay under Article 34 GDPR.

10. Artificial intelligence and automated decisions

Doctor Abbs SL distinguishes two forms of automated processing in the service, with different legal consequences. It also expressly records the limited role of artificial intelligence tools in The Holiday Doctor.

(i) Automated absolute-contraindication filter in the initial consultation form (decision based solely on automated processing, Article 22 GDPR). The initial consultation form includes pre-defined rules that identify absolute contraindications for the medications that The Holiday Doctor prescribes (for example, current pregnancy, breastfeeding, or medical or pharmacological history incompatible with the medication, in line with the AEMPS-authorised information for the medicines concerned). Where a rule identifies an absolute contraindication, the consultation request does not progress to clinical review by the prescribing physician, and the user is informed of the reason and of available alternatives.

This decision constitutes a decision based solely on automated processing for the purposes of Article 22 GDPR. It is applied under the explicit consent of the user, obtained specifically and independently at the start of the consultation form through a dedicated screen, in accordance with Article 22(2)(c) GDPR in conjunction with Article 9(2)(a) GDPR for the health data evaluated by the filter. The user has the right, under Article 22(3) GDPR, to obtain human intervention by the controller, to express their point of view and to contest the decision by writing to privacy@nivelta.es; in that case, Dr Adam Abbs will review the case personally. The filter operates by means of verifiable pre-defined rules; it does not involve the use of artificial intelligence to evaluate the user’s case.

(ii) Automated selection of educational content and communications (no significant legal effects). Where The Holiday Doctor sends post-consultation educational content or follow-up communications to the user, the content has been prepared and approved in advance by Dr Adam Abbs. The automated selection of the specific content delivered to a given user is performed by pre-defined rules based on variables of the consultation (medication prescribed, type of branch, follow-up events). This selection does not produce legal effects in respect of the user, nor does it affect them significantly, within the meaning of Article 22 GDPR.

Limited role of artificial intelligence in The Holiday Doctor. Doctor Abbs SL uses artificial intelligence tools only in the prior preparation phase of educational content, programme flows and informational materials, always under the supervision and express approval of Dr Adam Abbs before they go into production. Artificial intelligence tools do not process user personal data at the moment of service delivery: the user interacts with previously prepared and approved content, not with real-time AI systems. Artificial intelligence does not diagnose, does not prescribe, does not adjust doses, does not decide the user’s clinical eligibility and does not evaluate the user individually. The clinical decision is made in full by Dr Adam Abbs as the prescribing physician registered with ICOMEM. Accordingly, the AI providers used in the prior preparation phase are not processors of user personal data under Article 28 GDPR and therefore do not appear in the named list in Section 7.

11. Data subject rights

The data subject has the following rights in relation to their personal data:

  • Right of access (Article 15 GDPR): to obtain confirmation as to whether Doctor Abbs SL is processing personal data concerning them and, where applicable, to access that data.
  • Right of rectification (Article 16 GDPR): to request correction of inaccurate or incomplete data.
  • Right of erasure (Article 17 GDPR): to request erasure of the data where the circumstances provided for in the legislation apply, without prejudice to applicable legal retention periods. This right is limited for clinical data: while the legal obligation to retain the clinical record under Ley 41/2002 remains in force, Doctor Abbs SL cannot erase the clinical record before the period expires, but can mark it as restricted under Article 18 GDPR.
  • Right to object (Article 21 GDPR): to object to processing based on the controller’s legitimate interest and to non-essential follow-up communications.
  • Right to restriction of processing (Article 18 GDPR): to request restriction of processing in the cases provided for in the legislation.
  • Right to data portability (Article 20 GDPR): to receive the personal data provided to the controller in a structured, commonly used and machine-readable format, and to transmit it to another controller where technically possible.
  • Right not to be subject to automated decisions with significant legal effects (Article 22 GDPR), as set out in Section 10.
  • Right to withdraw consent given for processing based on consent, without the withdrawal affecting the lawfulness of prior processing. Withdrawal of consent to the automated contraindication filter (Section 10.i) means that the consultation request cannot continue, as the filter is a necessary step in the consultation process.
  • Digital rights recognised by LOPDGDD (Title X): right to be forgotten in internet searches, right to portability in social network services and equivalent information society services, and right to digital will, on the terms provided for in the legislation.

Clinical treatment is not based on consent. The processing of health data for healthcare purposes is based on Article 9(2)(h) GDPR (healthcare by a professional subject to professional secrecy) and not on the patient’s consent. Accordingly, the patient cannot “withdraw consent” to this specific processing, as it is not requested as such. The patient may, however, stop using the service at any time and retains all the other rights listed in this section, including the right to mark the clinical record as restricted once the doctor-patient relationship has ended.

The data subject may exercise these rights by writing to privacy@nivelta.es with a copy of their DNI or equivalent identification document allowing their identity to be verified. Doctor Abbs SL will respond within one month of receipt, extendable by a further two months where the request is particularly complex or where a large number of requests have been received from the same data subject, under Article 12.3 GDPR.

The data subject has the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) where they consider that the processing of their personal data does not comply with the legislation in force, in particular where they have not obtained satisfaction in the exercise of their rights directly with the controller. The AEPD has its registered office at C/ Jorge Juan, 6, 28001 Madrid, and can be consulted at www.aepd.es.

12. Cookies

The theholidaydoctor.com website uses cookies and equivalent technologies on the terms described in the Cookie Policy, prepared under Article 22.2 of Spanish Ley 34/2002, de 11 de julio, de Servicios de la Sociedad de la Información y de Comercio Electrónico (LSSICE) and the AEPD Guide on the use of cookies.

13. Modifications to the policy

Doctor Abbs SL reserves the right to modify this Privacy Policy to reflect changes in legislation, operational changes to the service or recommendations of the competent authorities. Substantive modifications will be actively communicated to active patients through the usual communication channel. The date of the last update is shown at the start and end of the document.

14. Related information