Personal Data Protection Policy

ARS ET AESTHETICA IN SALUTE, LDA.

ARS ET AESTHETICA IN SALUTE, LDA. acts to ensure the protection of our Clients’ data whenever personal data is processed — whether in the context of providing healthcare services, ensuring high standards of quality (in areas such as medical diagnosis, preventive medicine, and the management of healthcare services), or in compliance with our legal obligations, within the framework of the services we provide at ARS ET AESTHETICA IN SALUTE, LDA., and in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“General Data Protection Regulation” or “GDPR”).

In this Personal Data Protection Policy (“Policy”), we have gathered the main points relating to the processing of your personal data, thus ensuring that we provide you with information in a concise, transparent, intelligible, and easily accessible manner.

What is personal data?

Personal data is any information, of any nature and regardless of its format, including sound and image, relating to an identified or identifiable natural person (“data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more specific factors relating to their physical, physiological, mental, economic, cultural, or social identity.

In certain situations, personal data may be of a more sensitive nature, which the GDPR classifies as “special categories of data.” These may concern a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic information, biometric identifiers, sex life, sexual orientation, or health.

“Health data” refers to personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about that person’s past, present, or future health status.

Who is responsible for processing your personal data?

As a rule, when a Client attends Clínica B.aesthetics, it is ARS ET AESTHETICA IN SALUTE, LDA. that provides the services and is therefore considered the Data Controller, under the terms of the GDPR.

We highlight that:

  • ARS ET AESTHETICA IN SALUTE, LDA. is the Data Controller for client care, in relation to the processing necessary for the provision of healthcare services (e.g. preventive medicine, medical diagnosis, administrative management of clinical records, scheduling of appointments and exams, admission and delivery of test results, electronic prescription of medicines and diagnostic tests).
  • ARS ET AESTHETICA IN SALUTE, LDA. is the Data Controller for the administrative management of the services provided to you.
  • ARS ET AESTHETICA IN SALUTE, LDA. is also responsible for processing data for purposes related to internal auditing and compliance of its systems and processes, protection of individuals and property, and the security of its premises (through video surveillance, where applicable).
  • When conducting studies and clinical trials, the entity acting as the Data Controller of the personal data will generally be the study or trial sponsor, while ARS ET AESTHETICA IN SALUTE, LDA. acts merely as a Processor for the processing of your personal data in that context, in accordance with the agreement between the parties involved.
  • ARS ET AESTHETICA IN SALUTE, LDA., through its Marketing Department, is also responsible for processing personal data for marketing purposes — such as sending direct marketing communications through various communication channels, both physical and digital.

If you attend another of our Units, you will not need to provide your personal data again to receive healthcare services. Through our Integrated Information System, the healthcare professional at the Unit can consult the information collected at the original Unit. Naturally, this system is equipped with appropriate security measures and data protection safeguards, in full compliance with current legislation.

Categories of personal data we process and collection methods

We collect your data directly, for example, when you complete the client identification form, book an appointment or examination, attend a consultation/examination, or contact us. We may also receive your personal data indirectly from our service providers acting on our behalf or from our partners. You can find more information about data sharing with other entities in the section “DATA DISCLOSURE” below.

Your personal data processed may include data directly or indirectly related to your health. Data marked with an asterisk (*) are mandatory.

Client Record Creation

Categories of personal data
Full name*, date of birth*, gender*, telephone/mobile number*, and Tax Identification Number (NIF)*; other identification data, e.g.: NHS number, health centre, GP, marital status, spouse’s name, father’s name, mother’s name (if the Client is a minor), and information related to your insurance or healthcare subsystem.

Collection method
When your client record is created, either in person at the ARS ET AESTHETICA IN SALUTE, LDA. reception desk or through telephone or digital means.

Client Profile Creation

Categories of personal data
Client number* (encrypted information allowing the system to recognise the user’s password).

Collection method
At the time of creating the Client Profile.

Appointments, Consultations & Examinations

Categories of personal data
Information about your appointments, consultations, or examinations (including data necessary for the provision of medical and telemedicine services).

Collection method
When you make an appointment/request information through the various channels (email, telephone, or the ARS ET AESTHETICA IN SALUTE, LDA. website).

Provision of Integrated Healthcare Services

Categories of personal data
Information about your health, including: reason for consultation/appointment, personal and family medical history, clinical examination, diagnoses, complementary tests, referrals, alerts; prescribed medication; act and signature of the professional involved, start and end dates of the episode, episode status, type of episode, indication of test results and respective identifiers.

Genetic data and data relating to sexual life and sexual orientation.

Collection method
During the provision of integrated healthcare services, including for the management of ARS ET AESTHETICA IN SALUTE, LDA. systems and services.

Surveys / Questionnaires

Categories of personal data
No personal data are collected.

Collection method
No personal data are collected.

Marketing

Categories of personal data
Name, date of birth, gender, and email address.

Collection method
When using our website and mobile applications, under the terms of the applicable Privacy and Cookie Policies.

Website and Mobile Applications

Categories of personal data
Information for creating your Personal Account on our website and mobile applications (such as full name, email address, password, mobile number, date of birth, NIF, and gender) and additional information required to manage and respond to your requests within these platforms.

Information about how you use these platforms, such as: IP address of the device used to access them, date and time of the start and end of your website visit, browser history/user data collected through cookies.

Collection method
When using our website and mobile applications, under the terms of the applicable Privacy and Cookie Policies.

Video Surveillance

Categories of personal data
Image data.

Collection method
When you visit our facilities where video surveillance cameras are installed, to ensure the safety of individuals and property.

Purposes of Processing

Clients’ personal data are processed for the provision of healthcare services, including the management of ARS ET AESTHETICA IN SALUTE, LDA. systems and services.

If the Client decides to make their personal data available for other purposes, or if ARS ET AESTHETICA IN SALUTE, LDA. is bound by legal obligations requiring the processing of personal data, we may process such data for the relevant purposes.

Accordingly, we use your personal data for the following purposes:

Provision of Healthcare Services

We use the aforementioned information for preventive medicine, telemedicine, appointment scheduling, medical diagnosis, provision of healthcare, electronic prescription of medicines and diagnostic tests, and for the management of ARS ET AESTHETICA IN SALUTE, LDA. systems and services.

Client Relationship Management

We may contact you by letter, email, telephone, or SMS for administrative or operational reasons (e.g. to confirm your appointments/payments or to inform you of any changes or unforeseen circumstances regarding your appointments).

Since these communications are not for marketing purposes, you will continue to receive them even if you have opted out of marketing communications.

We will also use your personal data to respond to your requests, suggestions, queries, or complaints.

Keeping You Informed

We may send you marketing communications if you have consented to receive them, including through newsletter subscriptions.

If you no longer wish to receive marketing communications from us, you can withdraw your consent at any time by clicking the unsubscribe link at the bottom of any marketing email you receive.

Support Activities

We may also process your personal data for administrative and financial management purposes, the protection of people and property, and the security of facilities (video surveillance), as well as for audits, fraud detection and analysis, the establishment, exercise, and defence of legal claims, and the development and maintenance of systems.

Compliance with Legal Obligations

This includes the obligation to provide your personal data to the Central Administration of the Health System (ACSS) and other public health entities, as well as to courts, solicitors, and law enforcement authorities in the exercise of their powers and duties.

For more information on the categories of recipients of your personal data, please refer to the section “DATA DISCLOSURE” below.

Legal Basis for Processing

We always process your personal data in strict compliance with the law.

Under the GDPR, processing is only lawful if the Data Controller has a valid legal basis.

Accordingly, and in line with applicable legislation, the processing of your personal data may rely on the following legal grounds:

Purpose: Provision of healthcare services and management of the relationship between the Client and ARS ET AESTHETICA IN SALUTE, LDA.
Legal Basis: Performance of the healthcare services contract entered into with the Client, or execution of pre-contractual measures at the Client’s request (e.g. when booking an appointment or medical act). When processing involves special categories of data, such as health data, processing will be based strictly on necessity for preventive medicine, medical diagnosis, or the provision of health or treatment services.

Purpose: Compliance with legal obligations
Legal Basis: Necessity of processing for compliance with legal obligations of the Data Controller.

Purpose: Keeping you informed about news of interest, personalising and improving your client experience, and sending newsletters
Legal Basis: These activities are based on your consent. You may withdraw your consent at any time. However, withdrawal does not affect the lawfulness of processing based on consent prior to withdrawal. For more information about your rights under the GDPR, see the section “YOUR RIGHTS” below.

Purpose: Satisfaction surveys
Legal Basis: These activities are also based on your consent. You may withdraw your consent at any time, without affecting the lawfulness of previous processing. For more details on your rights, please see “YOUR RIGHTS” below.

Your Rights

Under the applicable data protection legislation, you may, at any time, request access to your personal data, as well as their rectification, erasure, restriction of processing, data portability, or object to their processing.

You may exercise these rights through the contact details provided in the “Contact Us” section below or in person at the reception desk of ARS ET AESTHETICA IN SALUTE, LDA.

Your rights under the applicable data protection legislation include:

  • Right to Transparency of Information, Communication and Rules for the Exercise of Rights: the right to know who the Data Controller is, what your rights are, and how to exercise them. This information must be provided concisely, transparently, intelligibly, and in an easily accessible form, using clear and plain language.
  • Right of Access and Information: the right to confirm whether your personal data are being processed and, if so, to access them and obtain certain information, including a copy of the data undergoing processing. This right must not adversely affect the rights and freedoms of others, including trade secrets and intellectual property rights of the Data Controller.
  • Right to Rectification: the right to have inaccurate personal data corrected and to have incomplete data completed.
  • Right to Erasure (“Right to be Forgotten”): the right to request the deletion of your data in certain circumstances, particularly if they are no longer necessary for the purpose for which they were collected or processed. This right does not override legal obligations requiring the Data Controller to retain personal data.
  • Right to Restriction of Processing: the right to request the restriction of processing in certain situations, such as when processing is unlawful and you oppose the erasure of data, requesting instead the restriction of their use.
  • Right to Data Portability: the right to receive your personal data that you have provided to the Data Controller in a structured, commonly used, and machine-readable format, and to transmit those data to another controller.
  • Right to Object: the right, in certain circumstances (e.g. where your personal data are processed for direct marketing purposes), to object at any time, on grounds relating to your particular situation, to the processing of your personal data.

Under the law, you are also entitled, through the means referred to above, to withdraw your consent for processing operations based on consent. This does not, however, affect the lawfulness of processing carried out prior to withdrawal.

The above provisions apply, with necessary adaptations, to the exercise of rights by the holders of parental responsibilities or legal guardians on behalf of data subjects who are minors or legally incapacitated.

If you believe that the way we process your data does not comply with the applicable data protection legislation, you have the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD) – the Portuguese Data Protection Authority – or another competent supervisory authority.

Processing of Data on the ARS ET AESTHETICA IN SALUTE, LDA. Website and Mobile Application

This Policy applies in full to all users of the ARS ET AESTHETICA IN SALUTE, LDA. website and mobile application.

However, given the specific nature of their use, separate Privacy Policies have been prepared and are available on the website (https://bclinic.pt/politica-de-privacidade/) and on the mobile application.

Data Disclosure

Our Units may share data between them when necessary to provide Clients with high-quality healthcare services.

We may also engage third-party entities as data processors for specific services, based on data processing agreements and in compliance with the requirements of applicable legislation.

Furthermore, we may disclose Clients’ personal data to third parties when such disclosure is necessary or appropriate:

  1. under applicable law,
  2. to comply with legal obligations or court orders, or
  3. to respond to requests from public or governmental authorities.

Accordingly, we may disclose your personal data to the Health Regulatory Authority, ACSS, Shared Services of the Ministry of Health (SPMS), INFARMED, or Regional Health Administrations, as well as to courts, solicitors, criminal police authorities, or the Public Prosecutor’s Office, when required or necessary to comply with legal obligations.

For the services provided by ARS ET AESTHETICA IN SALUTE, LDA. to be covered by your insurance or healthcare subsystem, your personal data — including health data related to such services — may also be disclosed to your insurance company or healthcare subsystem, both of which are subject to confidentiality and are independent data controllers.

In all of the above cases, we are committed to taking all reasonable measures to ensure the effective protection of personal data we process.

International Data Transfers

If the provision of services by ARS ET AESTHETICA IN SALUTE, LDA. requires the transfer of your personal data to third countries (outside the European Union or the European Economic Area), including to foreign insurance companies or insurance brokers, ARS ET AESTHETICA IN SALUTE, LDA. will implement all necessary and appropriate measures, in accordance with applicable law, to ensure the protection of personal data subject to such transfers, strictly complying with the legal provisions governing these operations.

Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of data processing, as well as the varying likelihood and severity of risks to the rights and freedoms of data subjects, we have adopted appropriate technical and organisational measures to ensure a level of security appropriate to such risks, including:

  • Pseudonymisation and encryption of personal data, where possible;
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • The ability to restore data availability and access in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures to ensure processing security.

In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of our clients, employees, or partners, we undertake to notify the Comissão Nacional de Proteção de Dados (CNPD) within 72 hours of becoming aware of the incident, and to inform the affected data subjects whenever the breach is likely to result in a high risk to their rights.

How to Contact Us

ARS ET AESTHETICA IN SALUTE, LDA. has appointed a Data Protection Officer (DPO).

If you have any questions or suggestions regarding this Policy or our personal data processing practices, please contact us via email at bclinic@grupohpa.com or by post at the following address:

Avenida do Infante, Praça do Turista 1G, 9000-021, Funchal, Portugal.

Policy Updates

We may amend or update this Policy at any time.

Any changes we make will be duly updated on our website. If such changes result in a significant alteration to the way your data are processed, we will notify you using the contact details you have provided to us.

Date of last update: 16 October 2023
