R-050-001 Record of Processing Activities (ROPA)
- Comes from: template
T-050-001 Record of Processing Activities (ROPA)
Purpose
In accordance with Article 30.2 of Regulation (EU) 2016/679, of April 27, 2016 (GDPR), we must create and keep updated a record of the processing activities carried out under our responsibility. To that effect, we maintain a formal, documented, comprehensive and accurate record of processing activities based on a data mapping exercise that is reviewed regularly.
Processing activities
In the following table, you can find a full list of our processing activities:
Code | Name | Description | We are | System | Category |
---|---|---|---|---|---|
PA-001 CO Recruitment | Recruitment | Hiring processes for new employees | Controller | Digital | Basic |
PA-002 CO Employees | Employees | Administrative management of our hired employees | Controller | Mixed | Basic |
PA-003 CO Internships | Internships | Administrative management of our interns | Controller | Mixed | Basic |
PA-004 CO Workhours | Workhours | Hourly recording of working hours of our personnel | Controller | Digital | Basic |
PA-005 PR API | API | Management of medical data provided via API integration by the customers that use our service. | Processor | Mixed | Special |
PA-006 PR Web app | Web app | Management of patient and medical data provided by the users through our web application | Processor | Mixed | Special |
PA-007 CO Scientific publications | Scientific publications | Management of data for scientific publications, including clinical validations | Controller | Mixed | Special |
PA-008 CO Sales | Sales | Management of contact details of parties who contract our service. | Controller | Mixed | Basic |
PA-009 CO Outbound marketing | Outbound marketing | Data management for outbound commercial activities such as email marketing. | Controller | Digital | Basic |
PA-010 CO Inbound marketing | Inbound marketing | Management of data provided by customers with the purposes of knowing more about our service | Controller | Digital | Basic |
PA-011 CO Fine tuning | Fine tuning | Management of the data used to train the medical features of our solution. | Controller | Digital | Special |
Identification of involved parties
We are
Property | Value |
---|---|
Company name | AI Labs Group, S.L. |
Trademark | Legit.Health ® |
ID Number | (ES)B95988127 |
Activity | Provision of clinical intelligence and communication software for HCP. |
Address | Gran Via, BAT Tower, 48001, Bilbao, Spain |
Telephone | +34 653 08 83 37 |
Email | hello@legit.health |
Website | https://legit.health |
Legal representative | Ms. Aguilar Robles |
Our DPO is
Identifying information | |
---|---|
Company name | Audens Legal, S.L.P. |
Address | Calle del Marqués de Cubas 12, 5ºC, 28014 Madrid |
ID Number | (ES)B85808954 |
Address | Gran Via, BAT Tower, 48001, Bilbao, Spain |
Telephone | +34 910 099 875 |
Email | rgpd@audens.es |
Website | https://audens.es |
PA-001 CO Recruitment
Code | PA-001 CO Recruitment |
---|---|
Name | Recruitment |
We act as | Data Controller |
Description | Hiring processes for new employees |
Source of the data | Job applicants directly or via recruitment agencies. |
Purposes | Employee recruitment and selection. |
Interested parties | Job applicants. |
Identifying data | Names, contact details, curriculum vitae, employment history, educational background. |
Special or criminal data categories | None, unless voluntarily provided by the applicant (e.g., health information relevant to the job). |
Other type of data | Employment history, educational background. |
Transfer to 3rd parties | Recruitment agencies, background check services (only if applicable and with consent). |
International transfers | None, unless data needs to be shared with an international branch of our company for specific job roles. |
Deadlines planned for data suppression | Data of unsuccessful applicants is kept for a maximum period of 1 year unless consent is given for longer to consider them for future positions. |
General description of technical and organizational security measures | Access to recruitment data is restricted to the HR department and senior management only, with password-protected systems and data encryption. Regular security audits are conducted. |
Risk of processing | No probability of a high risk to the rights and freedoms of the data subjects |
Lawfulness (legitimization of processing) | Unequivocal consent through a clear action by the data subject (Article 6.1.a GDPR) |
PA-002 CO Employees
Code | PA-002 CO Employees |
---|---|
Name | Employees |
We act as | Data Controller |
Description | Administrative management of our hired employees |
Source of the data | Directly from employees, and occasionally from third-party services for background checks or benefit administration. |
Purposes | Employee management, including payroll, benefits, compliance with employment law, and other HR responsibilities. This excludes interns. |
Interested parties | Employees, legal entities (e.g., tax authorities, social security institutions, insurance companies). |
Identifying data | Names, addresses, contact details, government-issued IDs (such as social security numbers), employment records. |
Special or criminal data categories | Health data (only where relevant for benefits management or compliance with employment obligations), union membership (if applicable). |
Other type of data | Financial information (e.g., bank account details for payroll), employment history, performance reviews. |
Transfer to 3rd parties | Payroll processing companies, benefit providers, legal advisors (if necessary), government agencies (for reporting purposes). |
International transfers | None, unless the company operates in multiple countries and needs to manage employee information across borders. |
Deadlines planned for data suppression | Employee data is retained as long as required by law for tax and employment recordkeeping purposes, typically X years after the end of employment. |
General description of technical and organizational security measures | Access to employee data is restricted to authorized HR personnel and management. Data is stored in secure, encrypted databases with regular audits. |
Risk of processing | No probability of a high risk to the rights and freedoms of the data subjects |
Lawfulness (legitimization of processing) | Performance of a contract or pre-contract with the data subject (Article 6.1.b GDPR) |
PA-003 CO Internships
Code | PA-003 CO Internships |
---|---|
Name | Internships |
We act as | Data Controller |
Description | Administrative management of our interns |
Source of the data | Directly from interns and educational institutions. |
Purposes | Management of intern recruitment, training, and evaluation processes. |
Interested parties | Interns, educational institutions, mentors within the company. |
Identifying data | Names, contact details, educational background, evaluation reports. |
Special or criminal data categories | None, unless voluntarily disclosed for specific legal or health accommodations. |
Other type of data | Performance evaluations, project assignments, feedback from supervisors. |
Transfer to 3rd parties | Educational institutions for the purpose of reporting performance (with consent), third-party platforms for intern management (if applicable). |
International transfers | None, unless data needs to be shared with educational institutions or project partners located abroad, under relevant international data transfer rules. |
Deadlines planned for data suppression | Intern data is typically retained for the duration of the internship plus X years for performance evaluation and legal compliance purposes. |
General description of technical and organizational security measures | Access to intern data is restricted to relevant HR personnel and intern supervisors. Data is stored in secure systems with access controls and encryption. |
Risk of processing | No probability of a high risk to the rights and freedoms of the data subjects |
Lawfulness (legitimization of processing) | Performance of a contract or pre-contract with the data subject (Article 6.1.b GDPR) |
PA-004 CO Workhours
This processing activity is required by Real Decreto-ley 8/2019, de 8 de marzo, de medidas urgentes de protección social y de lucha contra la precariedad laboral en la jornada de trabajo.
Code | PA-004 CO Workhours |
---|---|
Name | Workhours |
We act as | Data Controller |
Description | Hourly recording of working hours of our personnel to comply with Real Decreto-ley 8/2019, which addresses the fight against job insecurity in workdays. |
Source of the data | Direct input from employees via digital time tracking systems or manual timesheets. |
Purposes | To ensure compliance with Spanish labor laws regarding work hours and to prevent labor abuses. |
Interested parties | Employees, HR department, labor inspectors, and legal entities such as social security and tax authorities. |
Identifying data | Names, employee IDs, and the exact times of starting and ending work each day. |
Special or criminal data categories | None. |
Other type of data | Work hours logged, overtime hours, absences, and leave records. |
Transfer to 3rd parties | None, except as required by law (e.g., to labor inspectors or tax authorities). |
International transfers | None. |
Deadlines planned for data suppression | Work hours data is retained for a minimum of 4 years, as required by Real Decreto-ley 8/2019, to allow for audits and inspections by labor authorities. |
General description of technical and organizational security measures | Secure logging systems with access controls limit data access to authorized HR personnel. Data encryption and regular audits ensure data integrity. |
Risk of processing | No probability of a high risk to the rights and freedoms of the data subjects |
Lawfulness (legitimization of processing) | Fulfillment of a legal obligation of the data controller (Article 6.1.c GDPR) |
PA-005 PR API
Code | PA-005 PR API |
---|---|
Name | API |
We act as | Data Processor |
Description | Management of medical data provided via API integration by the customers that use our service. |
Source of the data | The interested party or their legal representative to the data controller, who then provides the data to us. |
Purposes | Provision of computer services |
Interested parties | Patients. Other interested groups: doctors. |
Identifying data | Images of lesions, which may include birthmarks or tattoos, and in some cases the sex and the age. |
Special or criminal data categories | Health |
Other type of data | Personal data, limited to sex and age. |
Transfer to 3rd parties | None |
International transfers | None |
Deadlines planned for data suppression | Preserved following the instructions of the data controller. |
General description of technical and organizational security measures | The implemented security measures correspond to those provided for in Annex II (Security Measures) of Royal Decree 311/2022, of May 3, which regulates the National Security Scheme (ENS) in the field of Electronic Administration, and which are described in the documents that make up the data protection and information security policy of our entity. |
Risk of processing | There is a probability of a high risk to the rights and freedoms of the data subjects. A DPIA could be required. |
Lawfulness (legitimization of processing) | Processing is governed by a binding contract or other legal act (Article 28.3 GDPR) |
Article 24 of the GDPR states that the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation. In the case of the processing activity PA-005 PR API, where we act as processors, **due to the technical nature of the API implementation** it is impossible for us to carry out privacy-by-design measures to inform data subjects of our processing. As such, the controller shall inform the data subject of the processing carried out by us if they are required to do so under the GDPR.
PA-006 PR Web app
Code | PA-006 PR Web app |
---|---|
Name | Web app |
We act as | Data Processor |
Description | Management of medical data provided via API integration by the customers that use our service. |
Source of the data | The interested party or their legal representative to the data controller, who then provides the data to us. |
Purposes | Provision of computer services |
Interested parties | Patients. Other interested groups: doctors. |
Identifying data | Images of lesions, which may include birthmarks or tattoos, and in some cases the sex and the age. |
Special or criminal data categories | Health |
Other type of data | Personal data, limited to login credentials, sex and age. It can also include the HIS number and other health record identifiers. |
Transfer to 3rd parties | None |
International transfers | None |
Deadlines planned for data suppression | Preserved following the instructions of the data controller. |
General description of technical and organizational security measures | The implemented security measures correspond to those provided for in Annex II (Security Measures) of Royal Decree 311/2022, of May 3, which regulates the National Security Scheme (ENS) in the field of Electronic Administration, and which are described in the documents that make up the data protection and information security policy of our entity. |
Risk of processing | There is a probability of a high risk to the rights and freedoms of the data subjects. A DPIA could be required. |
Lawfulness (legitimization of processing) | Processing is governed by a binding contract or other legal act (Article 28.3 GDPR) |
PA-007 CO Scientific publications
Code | PA-007 CO Scientific Publications |
---|---|
Name | Scientific Publications |
We act as | Data Controller |
Description | Management of data for scientific publications to advance the state of the art in medicine, including clinical validations. |
Source of the data | Data collected from clinical trials, patient records provided by healthcare facilities, or directly from patients under specific research protocols. Also, in some cases, publicly available datasets that are gathered for the purposes of research. |
Purposes | To publish scientific findings that contribute to the medical community and enhance understanding of medical conditions and their treatments. |
Interested parties | Researchers, healthcare professionals, patients (as study subjects), academic institutions, scientific journals. |
Identifying data | Dependent on the study but can include patient identifiers, medical histories, and results from clinical assessments. |
Special or criminal data categories | Health data, potentially including sensitive health information relevant to the research study. |
Other type of data | Demographic information, clinical data related to the study, outcome measurements. |
Transfer to 3rd parties | Data may be shared with academic institutions, research partners, and publication platforms as required for research collaboration and publication. |
International transfers | Data may be transferred internationally as necessary for research collaboration or publication in international journals. |
Deadlines planned for data suppression | Data is retained as long as necessary to support the research findings, usually as dictated by research protocols and applicable regulatory requirements. |
General description of technical and organizational security measures | Strict access controls to ensure that only authorized research personnel can access the data. Data anonymization and encryption where possible. |
Risk of processing | No probability of a high risk to the rights and freedoms of the data subjects |
Lawfulness (legitimization of processing) | Unequivocal consent through a clear action by the data subject (Article 6.1.a GDPR) |
PA-008 CO Sales
Code | PA-008 CO Sales |
---|---|
Name | Sales |
We act as | Data Controller |
Description | Management of contact details of parties who contract our service. |
Source of the data | Data obtained directly from clients during the sales process, through forms, meetings, or other communication channels. |
Purposes | To manage client relationships, process orders, and provide services as agreed upon in contracts. |
Interested parties | Clients, potential clients, business partners. |
Identifying data | Contact names, company details, job titles, contact information (phone numbers, email addresses). |
Special or criminal data categories | None. |
Other type of data | Transactional details, contractual agreements, communication records. |
Transfer to 3rd parties | None. |
International transfers | None. |
Deadlines planned for data suppression | Client data is retained for as long as necessary to fulfill the contract and then as required by applicable law for record keeping and tax purposes. |
General description of technical and organizational security measures | Client data is stored in secure CRM systems with access controlled by authentication mechanisms and data encryption. Regular security audits are conducted. |
Risk of processing | No probability of a high risk to the rights and freedoms of the data subjects |
Lawfulness (legitimization of processing) | Performance of a contract or pre-contract with the data subject (Article 6.1.b GDPR) |
PA-009 CO Outbound marketing
Code | PA-009 CO Outbound Marketing |
---|---|
Name | Outbound Marketing |
We act as | Data Controller |
Description | Data management for outbound commercial activities such as email marketing. |
Source of the data | Data collected from subscriptions on our website, trade shows, or other marketing activities where individuals provide their contact information. |
Purposes | To promote products or services to potential customers, including sending updates, newsletters, or special offers. |
Interested parties | Subscribers, potential clients, current clients. |
Identifying data | Names, email addresses, phone numbers, job titles, company names. |
Special or criminal data categories | None. |
Other type of data | Marketing preferences, interaction records with previous campaigns (e.g., open rates, click-through rates). |
Transfer to 3rd parties | None |
International transfers | None |
Deadlines planned for data suppression | Data is retained as long as the individual is considered an active subscriber or until they opt out or request deletion. Retention periods may also be governed by specific legal requirements. |
General description of technical and organizational security measures | Use of secure, compliant marketing platforms that ensure data protection. Access controls and encryption protect the data. Regular audits verify adherence to security policies. |
Risk of processing | No probability of a high risk to the rights and freedoms of the data subjects |
Lawfulness (legitimization of processing) | Unequivocal consent through a clear action by the data subject (Article 6.1.a GDPR) |
PA-010 CO Inbound marketing
Code | PA-010 CO Inbound Marketing |
---|---|
Name | Inbound Marketing |
We act as | Data Controller |
Description | Management of data provided by customers with the purposes of knowing more about our service. |
Source of the data | Data collected from website forms, live chats, emails, and during phone calls where customers express interest in our services. |
Purposes | To respond to customer inquiries, provide detailed information about our products and services, and nurture potential sales leads. |
Interested parties | Potential customers, existing customers, marketing and sales teams. |
Identifying data | Names, email addresses, phone numbers, organizational affiliation. |
Special or criminal data categories | None. |
Other type of data | Communication records, interaction histories with marketing content (e.g., downloads of whitepapers, webinar attendance). |
Transfer to 3rd parties | None. |
International transfers | None. |
Deadlines planned for data suppression | Data is retained for as long as it is deemed necessary for customer relationship management and until consent is withdrawn or the customer requests deletion, adhering to legal retention requirements. |
General description of technical and organizational security measures | Secured databases with strict access controls. Data encryption in transit and at rest. Regular security assessments to ensure compliance with privacy standards. |
Risk of processing | No probability of a high risk to the rights and freedoms of the data subjects |
Lawfulness (legitimization of processing) | Unequivocal consent through a clear action by the data subject (Article 6.1.a GDPR) |
PA-011 CO Fine tuning
Code | PA-011 CO Fine Tuning |
---|---|
Name | Fine Tuning |
We act as | Data Controller |
Description | Management of the data used to train and refine the medical features of our solution, in compliance with medical device regulations. |
Source of the data | Data collected from clinical trials, partnerships with healthcare facilities, and directly from patients under specific agreements. |
Purposes | To enhance the accuracy, efficiency, and safety of our medical device solutions through ongoing refinement and compliance with industry standards. |
Interested parties | Patients (data subjects), clinical researchers, regulatory bodies. |
Identifying data | Dependent on the medical device being refined but may include health metrics and images. |
Special or criminal data categories | Health data, potentially including sensitive health information necessary for device calibration and performance improvements. |
Other type of data | Device performance data, software interaction logs, feedback from healthcare professionals. |
Transfer to 3rd parties | Data may be shared with regulatory authorities, clinical research organizations, and third-party auditors involved in compliance and certification. |
International transfers | Data may be transferred internationally as necessary, in accordance with global compliance requirements for medical devices. |
Deadlines planned for data suppression | Data is retained as long as necessary for compliance with medical device regulations and to support validation and certification processes, then securely disposed of as per legal and regulatory guidelines. |
General description of technical and organizational security measures | Data is processed in compliance with ISO 13485, ensuring robust security measures such as encryption, access control, and regular security audits to protect data integrity and confidentiality. |
Risk of processing | No probability of a high risk to the rights and freedoms of the data subjects |
Lawfulness (legitimization of processing) | Unequivocal consent through a clear action by the data subject (Article 6.1.a GDPR) |