Privacy Policy

  1. Identity and contact details of the Data Controller

For the purposes of Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD), we hereby inform you that the personal data collected through the website www.doctor-abroad.eu and its associated functionalities (hereinafter, the “Platform”) will be processed by:

  • Data Controller: Medical Response International S.L.U.
  • Tax ID Number: B57609380
  • Registered office: Calle Victorio Luzuriaga 34, 07015 Palma de Mallorca, Balearic Islands, Spain
  • General contact email: patient@drnear.me

Data Protection Officer (DPO). Email: rgpd@medicalresponse.es

Contact channels for privacy and exercising rights.
For queries, requests or exercising rights regarding data protection (access, rectification, erasure, objection, restriction, portability and withdrawal of consent), users may contact:

  • Email (preferred): patient@drnear.me, or directly to the DPO at rgpd@medicalresponse.es.
  • Postal address: Medical Response International S.L.U., Attn: Privacy, Camí dels Reis, 308, 1st Floor, 07010, Palma de Mallorca, Balearic Islands, Spain.
    In order to safeguard confidentiality, proof of identity may be required and, where appropriate, additional information strictly necessary to locate the data subject to the request.

Scope and subject matter of this Policy.
This Policy applies to the processing of personal data derived from the use of the Platform (including its subdomains or sections), the booking and contact forms, and the electronic interactions that the user maintains with the Data Controller in connection with the services offered through www.doctor-abroad.eu. Unless expressly stated, it does not extend to third-party websites accessed through links or external integrations.

Responsibility and role vis-à-vis third parties involved.
The Data Controller acts as the data controller with respect to the data it collects and manages through the Platform. Notwithstanding this, certain providers (e.g., technology services, payment gateways) may act as data processors on behalf of the Data Controller, and certain professionals or healthcare centres that attend to the user may, as a general rule, act as independent controllers with respect to the data generated in the context of the healthcare they provide (e.g., medical records, medical procedures), without prejudice to the communications necessary for the management of the appointment and the coordination of the service.

Representation and jurisdiction.
Medical Response International S.L.U. is established in Spain and does not require a representative in the Union for the purposes of Article 27 of the GDPR. Any dispute relating to this Policy shall be understood without prejudice to the rights of the data subject and the competence of the AEPD or other competent supervisory authorities.

  2. Purposes and legal bases of processing

The personal data collected through the Platform’s contact form will be processed exclusively for the following legitimate purposes:

2.1. Attracting international patients (leads)

  • Purpose: to manage and respond to contact requests sent by users interested in travelling to Spain to undergo specific medical treatment. This includes initial guidance on the availability of medical services, centres or specialities, as well as subsequent contact to provide further information if requested by the user.
  • Legal basis: the processing is based on the consent of the data subject, given by voluntarily submitting the form (Art. 6.1.a GDPR).

2.2. Processing of health data provided voluntarily

  • Purpose: when the user decides to include medical information in the form (e.g. previous diagnosis, symptoms or clinical needs), this data will only be used to assess the suitability of the requested medical treatment and to be able to offer preliminary guidance on the feasibility of care in Spain.
  • Legal basis: the express consent of the data subject is required for the processing of special categories of data, in accordance with Art. 9.2.a GDPR.

2.3. Commercial communications and newsletter (opt-in)

  • Purpose: with the user’s consent, electronic communications relating to the Platform’s services, promotions or information campaigns, as well as periodic newsletters, may be sent.
  • Legal basis: processing is based on the consent of the data subject (Art. 6.1.a GDPR). The user may withdraw this consent at any time.

2.4. Security and fraud prevention

  • Purpose: to ensure the security of the Platform, prevent misuse, unauthorised access or fraudulent activities, and maintain an adequate level of technological protection.
  • Legal basis: this processing is based on the legitimate interest of the Data Controller in protecting the security of its systems and the information it manages (Art. 6.1.f GDPR).

  3. Types and categories of personal data processed

Depending on the user’s use of the www.doctor-abroad.eu Platform, the following categories of personal data may be processed:

3.1. Identification and contact details

  • Examples: name and surname, email address, telephone number, country of origin, contact language.
  • Purpose: necessary to manage the request sent via the form and to establish communication with the user.

3.2. Health-related data (voluntary contribution)

  • Examples: reason for medical treatment, previous clinical or diagnostic information, symptoms, basic medical history or specific health needs that the user decides to include in the form.
  • Note: provision of this data is optional and will only be processed with the user’s express consent (Art. 9.2.a GDPR), applying enhanced security measures given its particular sensitivity.

3.3. Communication data

  • Examples: content of the query submitted via the form, as well as any attached documentation that the user decides to include.
  • Purpose: to respond to the request made, provide information on available medical treatments and, where appropriate, maintain subsequent communication.

3.4. Data for marketing and newsletters (opt-in)

  • Examples: email address, communication preferences, history of interactions with newsletters (e.g., opening messages or clicking on links).
  • Purpose: to manage the user’s voluntary subscription to commercial communications and marketing campaigns.

3.5. Basic technical browsing data

  • Examples: IP address, device identifiers, browser type, operating system, language, time zone, as well as cookies and similar technologies.
  • Purpose: to ensure the technical functioning of the Platform, maintain its security and, if accepted by the user, compile usage statistics through analytical tools.
  • Note: this processing is additionally regulated in the Cookie Policy.

  4. Retention of personal data

Personal data collected through the www.doctor-abroad.eu Platform will be retained only for as long as necessary to fulfil the purpose for which it was collected, as well as for the applicable statutory limitation periods.

In compliance with Article 5.1.e of the GDPR (limitation of storage period) and Article 32 of the LOPDGDD (data blocking), the following criteria shall apply:

4.1. Contact forms and lead capture

  • Duration: for the time necessary to respond to the initial enquiry and carry out basic follow-ups (maximum 2 years from the last interaction with the user).
  • Justification: interest in maintaining a limited history of requests to ensure consistency in future communications and to provide evidence of the service provided.

4.2. Health-related data (voluntary contribution)

  • Duration: data will only be kept for the time necessary to respond to the initial request for guidance.
  • Justification: as no medical history is generated at this stage, there is no need for prolonged storage.
  • Measures: once the consultation has been dealt with, the health data will be deleted or, where appropriate, blocked exclusively for the purpose of responding to any complaints.

4.3. Communications and attached documentation

  • Duration: up to 3 years, in accordance with the general limitation period for possible infringements related to information society services (Art. 43.1 LSSI).

4.4. Marketing and newsletter

  • Duration: as long as the user does not withdraw their consent or choose to unsubscribe from communications.
  • Subsequent retention: once the right of opposition or withdrawal has been exercised, the data will be kept blocked for 1 year for the sole purpose of proving the existence of prior consent.

4.5. Technical data and cookies

  • Duration: they will be kept in accordance with the type and duration defined in the Platform’s Cookies Policy, or until the user revokes their consent.

4.6. Blocking and deletion of data

  • Once the aforementioned periods have elapsed, the data will be blocked and will only be available to judges, courts, the Public Prosecutor’s Office or competent authorities for the purpose of addressing possible legal liabilities.
  • Once these limitation periods have expired, the data will be permanently and securely deleted.

  5. Recipients and categories of recipients

The personal data collected through the www.doctor-abroad.eu Platform will be processed by the Data Controller and, where appropriate, communicated only to the recipients indicated below, always under minimisation criteria and to the extent strictly necessary:

5.1. Internal team of Medical Response International S.L.U.

  • Recipients: authorised personnel from the marketing, operations and customer service departments.
  • Purpose: management of requests received through the contact form and communication with users interested in medical treatment in Spain.

5.2. Data processors

Certain providers provide services to the Data Controller and, therefore, access personal data as data processors, always under contract in accordance with Article 28 of the GDPR:

  • Web hosting and maintenance provider.
  • Email and corporate messaging services.
  • Email marketing and newsletter platforms (e.g. Mailchimp, Sendinblue or other equivalents).
  • External consultants and Data Protection Officer (DPO).

These providers act solely on the instructions of the Data Controller and apply appropriate security measures.

5.3. Public authorities and courts

  • Recipients: public administrations, judges, courts, law enforcement agencies and other competent authorities.
  • Purpose: compliance with legal obligations or response to judicial/administrative requirements.

5.4. Third-party tools and services

In the event that the Platform integrates external services, these may collect data in accordance with their own privacy policies:

  • Google Analytics: statistical analysis of web browsing (subject to consent to cookies).
  • Social networks (Facebook, Instagram, LinkedIn, etc.): interaction through social buttons or external links.
  • Other technology providers: these will be reported in the Cookie Policy and in their respective privacy policies.

Important note:
At this stage of lead capture, data is not communicated to doctors, clinics or insurance companies. Such transfers will only take place at a later stage, after clear information has been provided to the user and with the corresponding legal basis.

  6. International data transfers

Within the framework of the processing carried out through the www.doctor-abroad.eu Platform, user data is stored on servers located in the European Union.

However, international data transfers may occur in the following cases:

6.1. Users located outside the EEA

Users of the Platform may be located in countries in the Americas or other territories outside the European Economic Area (EEA). In these cases, the data is collected directly by the Data Controller in the EU, so it is not considered an international transfer, but rather direct collection from the user’s country of origin.

6.2. Technology providers

Certain third-party services used by the Platform may involve the international transfer of data to countries outside the EEA:

  • Google Analytics / Google Ads / Google Tag Manager: possible transfer to the US or other countries.
  • Email marketing platforms (e.g. Mailchimp, Sendinblue): possible transfer to the US or other third countries.
  • Social networks (Facebook, Instagram, LinkedIn): user interaction with plugins or social links, which may involve the transmission of data to the US and other countries where these platforms have servers.

6.3. Safeguards applied

In all cases, transfers will be carried out in accordance with Articles 44 to 50 of the GDPR, ensuring an adequate level of protection through:

  • Adequacy decisions by the European Commission (Article 45 GDPR), where applicable.
  • Standard Contractual Clauses (SCCs) approved by the Commission (Article 46 GDPR), signed with the relevant suppliers.
  • Additional technical and organisational measures (encryption, data minimisation).

6.4. Specific exceptions

Where it is not possible to apply adequate safeguards, transfers may be based on the exceptions in Article 49 GDPR, such as:

  • The express consent of the user.
  • The necessity of the transfer for the performance of a contract or the implementation of pre-contractual measures.
  • The necessity of the transfer for reasons of substantial public interest or for the establishment, exercise, or defence of legal claims.

  7. Third-party tools and services

The www.doctor-abroad.eu Platform may integrate third-party applications, tools and technological services that involve the processing of personal data. These third parties act, as the case may be, as data processors (processing data under the instructions of the Data Controller) or as independent data controllers in accordance with their own privacy policies.

7.1. Web hosting and maintenance provider

  • Purpose: to ensure the proper functioning of the Platform and the hosting of data on servers located in the European Union.
  • Role: acts as a data processor under a contract in accordance with Art. 28 GDPR.

7.2. Corporate email services

  • Purpose: management of communications derived from the contact form and responses to the user.
  • Role: secure email provider, acting as data processor.

7.3. Email marketing and newsletter platforms

  • Purpose: sending commercial communications, information campaigns and newsletters to users who have expressly requested them.
  • Examples: Mailchimp, Sendinblue or other equivalents.
  • Role: acting as data processors.
  • International transfers: in some cases, this may involve transfers to the US or other countries, based on Standard Contractual Clauses (SCCs).

7.4. Google Analytics (if enabled)

  • Purpose: statistical analysis of web traffic and improvement of the Platform’s usability.
  • Data processed: IP address (anonymised), cookie identifiers, browser, device, language, pages visited, session duration.
  • Role: independent controller, based on user consent (Art. 6.1.a GDPR) collected through the cookie banner.
  • International transfers: may occur to the US, under SCCs and additional security measures.

7.5. Social networks

  • Purpose: user interaction with the Platform’s social profiles (Facebook, Instagram, LinkedIn, etc.) through social buttons or links.
  • Data processed: user identification data on the social network, public information from their profile, and metadata associated with the interaction.
  • Role: social networks act as independent controllers of the data generated through these interactions.
  • Note: the use of these tools is voluntary and governed by the privacy policies of each social network.

7.6. Transparency and user consent

The use of cookies and technologies associated with these tools will be communicated to the user through the Cookies Policy and the consent banner that appears when accessing the Platform, where they can:

  • Accept all cookies.
  • Reject non-essential cookies.
  • Configure their use in a granular manner.

  8. Rights of data subjects

Users who provide their personal data through the Platform may exercise their rights under current data protection legislation (Articles 15 to 22 of the GDPR and Articles 12 to 18 of the LOPDGDD) at any time.

The rights available and how to exercise them are detailed below:

8.1. Right of access

The data subject has the right to obtain confirmation as to whether or not the Controller is processing their personal data and, where applicable, to access it, including information on the purposes of the processing, the categories of data concerned, the recipients to whom it is disclosed and the envisaged period of storage.

8.2. Right of rectification

The data subject may request the rectification of inaccurate or incomplete data concerning them, and the Data Controller must proceed to correct it without undue delay.

8.3. Right to erasure (“right to be forgotten”)

The data subject may request the erasure of their personal data when any of the circumstances provided for in Article 17 of the GDPR apply, such as: the data is no longer necessary for the purpose for which it was collected, the consent on which the processing is based is withdrawn, or the data has been processed unlawfully.

This right shall not apply in cases where processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.

8.4. Right to object

The data subject may object at any time, on grounds relating to their particular situation, to the processing of their data based on the legitimate interest of the Controller or on the public interest.

In particular, this right may be exercised in relation to processing for direct marketing purposes, including profiling associated with such marketing.

8.5. Right to restriction of processing

The data subject may request the restriction of the processing of their data in the cases provided for in Article 18 of the GDPR, for example, when they contest the accuracy of the data or when the processing is unlawful and, instead of erasing it, they prefer to request its restriction.

8.6. Right to portability

The data subject has the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format and to transmit those data to another controller, provided that the processing is based on consent or on the performance of a contract and is carried out by automated means.

8.7. Right to withdraw consent

Where processing is based on consent, the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

8.8. Right not to be subject to automated individual decision-making

The user has the right not to be subject to a decision based solely on the automated processing of their data, including profiling, unless it is necessary for the performance of a contract, is authorised by Union or Member State law, or explicit consent has been given.

8.9. Channels enabled for the exercise of rights

These rights may be exercised free of charge by writing to:

  • Email (preferred): patient@drnear.me
  • Data Protection Officer (DPO): rgpd@medicalresponse.es
  • Postal address: Medical Response International S.L.U. – Attn: Privacy, Camí dels Reis, 308, 1st Floor, 07010, Palma de Mallorca, Balearic Islands, Spain

The Data Controller may ask the data subject to provide documentation proving their identity (ID card, passport or other valid document) in order to verify it before responding to the request.

8.10. Response time

The Data Controller will respond to requests within a maximum period of one month from receipt, extendable to two additional months in particularly complex cases, in accordance with Article 12.3 of the GDPR. In such cases, the user will be informed of the extension within the first month.

8.11. Right to lodge a complaint with the supervisory authority

If the user considers that their rights have not been adequately addressed, they may lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.

Without prejudice to this, the user may exercise any other administrative remedy or legal action they deem appropriate.

  9. Data security and confidentiality

The Data Controller undertakes to treat the personal data of users of the www.doctor-abroad.eu Platform with complete confidentiality and to apply the necessary technical and organisational measures to guarantee its security, in accordance with Articles 24, 25 and 32 of the GDPR and Article 32 of the LOPDGDD.

9.1. Security principles applied

  • Confidentiality: access restricted exclusively to authorised personnel and contracted data processors.
  • Integrity: protective measures to prevent accidental alteration or loss of information.
  • Availability: mechanisms that ensure access to data when necessary, including backup systems.
  • Minimisation: only data strictly necessary for the purposes described is processed.
  • Privacy by design and by default: the Platform is configured from its conception to limit the collection and processing of personal data.

9.2. Technical and organisational measures

Among others, the following measures are applied:

  • Encryption of communications between the user and the Platform using TLS/SSL.
  • Access control through credentials and authorisation policies.
  • Records and auditing of access to systems.
  • Regular backups and contingency plans.
  • Anti-intrusion systems, antivirus software and firewalls.
  • Logical segregation of data according to type and purpose.
  • Internal confidentiality protocols and staff training in data protection.

9.3. Enhanced protection of sensitive data

In the event that the user provides health data during their consultation:

  • Enhanced security and confidentiality measures are applied.
  • Only authorised personnel will have access to this information.
  • The data will be kept for the time strictly necessary to respond to the request and will be deleted or blocked immediately after fulfilling the purpose.

9.4. Impact assessments and risk management

  • The Data Controller will periodically assess the risks associated with data processing and take measures to mitigate them.
  • When processing may involve a high risk to the rights and freedoms of data subjects, a Data Protection Impact Assessment (DPIA) will be carried out in accordance with Article 35 of the GDPR.

9.5. Incident and security breach management

  • The Data Controller has a protocol in place for the detection, notification and management of security incidents.
  • In the event of a breach of personal data security, the Spanish Data Protection Agency (AEPD) will be notified within a maximum period of 72 hours from the time it becomes known, and, where appropriate, the affected users will also be notified (Articles 33 and 34 of the GDPR).

  10. Modifications and updates to the Privacy Policy

The Data Controller reserves the right to modify this Privacy Policy in order to adapt it to new legislation or case law, criteria of the supervisory authority in the field of data protection (Spanish Data Protection Agency – AEPD), industry practices or technical improvements to the Platform.

10.1. Notification of changes to the user

When the modification is significant, the user will be informed in a clear and visible manner through the Platform itself (by means of prominent notices, emails or other appropriate means).

In the event that the changes affect data processing based on the user’s consent, such consent will be requested again in the manner established by current regulations.

10.2. Date of last update

This Privacy Policy was last reviewed and updated on 10 September 2025.

Users are advised to review this Policy periodically to stay informed about how and why we process their personal data.