Privacy Policy
Introduction
This Privacy Policy has been developed taking into account the provisions of the Organic Law on the Protection of Personal Data in force, as well as Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the circulation of such data.
This Privacy Policy aims to inform the holders of the personal data, regarding which information is being requested, of the specific aspects relating to the processing of their data, among other things, the purposes of the processing, the contact details to exercise the rights that they have, the periods for which the information must be kept and the security measures, among other things.
Responsible for the Treatment
In terms of data protection XXXXXXXXXXXX, must be considered the Data Controller, in relation to the files/processing identified in this policy, specifically in the Data Processing section.
The identifying data of the owner of this website is indicated below:
Data Controller: XXXXXXXXXXXX
Postal address:
C/PXXXXXXXXXXXXXXX
08028 BARCELONA
Email address:
XXXXX
Data processing
The personal data requested, if applicable, will consist only of those strictly essential to identify and respond to the request made by the owner of the same, hereinafter the interested party. This information will be treated in a loyal, lawful and transparent manner in relation to the interested party. On the other hand, the personal data will be collected for specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with these purposes.
The data collected from each interested party will be adequate, relevant and not excessive in relation to the corresponding purposes for each case, and will be updated whenever necessary.
The data subject will be informed, prior to the collection of their data, of the general points regulated in this policy so that they can provide express, precise and unequivocal consent for the processing of their data, in accordance with the following aspects.
Purposes of the treatment.
The explicit purposes for which each of the treatments is carried out are included in the information clauses incorporated into each of the data collection channels (web forms, paper forms, statements or posters and information notes).
However, the personal data of the interested party will be processed for the exclusive purpose of providing them with an effective response and attending to the requests made by the user, specified together with the option, service, form or data collection system that the owner uses.
Legitimation
As a general rule, prior to processing personal data, the Data Controller obtains the express and unequivocal consent of the data subject, by incorporating informed consent clauses into the different information collection systems.
However, in the event that the consent of the interested party is not required, the legitimizing basis for the processing on which the Controller relies is: The existence of a specific law or regulation that authorizes or requires the processing of the interested party’s data.
Recipients
As a general rule, the Data Controller does not transfer or communicate data to third parties, except for those legally required. However, if necessary, these transfers or communications of data are informed to the interested party through the informed consent clauses contained in the different ways of collecting personal data.
Origin
As a general rule, personal data is always collected directly from the interested party, however, in certain exceptions, the data may be collected through third parties, entities or services other than the interested party. In this regard, this will be communicated to the interested party through the informed consent clauses contained in the different channels of information collection and within a reasonable period, once the data has been obtained, and no later than one month.
Conservation periods
The information requested from the interested party will be kept as long as it is necessary to fulfill the purpose for which the personal data were collected, so that, once the purpose has been fulfilled, the data will be cancelled. This cancellation will result in the blocking of the data and will be kept only at the disposal of the AAPP, judges and courts, to meet the possible responsibilities arising from the treatment, during the limitation period of these, once the aforementioned period has been met, the information will be destroyed.
For information purposes, the legal periods for the conservation of information in relation to different matters are listed below:
DOCUMENT | TERM | LEGAL REF. |
Documentation of a work-related nature or related to social security | 4 years | Article 21 of Royal Legislative Decree 5/2000, of 4 August, which approves the revised text of the Law on Offences and Sanctions to Social Order |
Accounting and tax documentation for commercial purposes | 6 years | Art. 30 Commercial Code |
Accounting and tax documentation for tax purposes | 4 years | Articles 66 to 70 General Tax Law |
Building access control | 1 month | Guide on the use of video cameras for security and other purposes from the AEPD |
Video surveillance | 1 month | Guide on the use of video cameras for security and other purposes from the AEPD Organic Law 4/1997, of August 4, which regulates the use of video cameras by security forces and bodies in public places Organic Law 4/2015, of March 30, on the protection of citizen security |
Navigation data.
Regarding the browsing data that may be processed through the website, in the event that data subject to regulations is collected, it is recommended to consult the Cookies Policy published on our website.
Rights of interested parties.
The regulations on data protection grant a series of rights to interested parties or data holders, website users or users of the Controller’s social media profiles.
These rights that assist interested parties are the following:
- Right of access: right to obtain information about whether your data is being processed, the purpose of the processing being carried out, the categories of data in question, the recipients or categories of recipients, the retention period and the origin of this data.
- Right to rectification: right to obtain the rectification of inaccurate or incomplete personal data.
- Right to deletion: right to obtain the deletion of data in the following cases:
- When the data is no longer necessary for the purpose for which it was collected
- When the data owner withdraws consent
- When the interested party objects to the processing
- When they must be deleted in compliance with a legal obligation
- When the data have been obtained by virtue of an information society service on the basis of the provisions of art. 8, paragraph 1 of the European Data Protection Regulation.
- Right to object: right to object to a certain treatment based on the consent of the interested party.
- Right to limitation: right to obtain limitation of data processing when any of the following situations occur:
- When the interested party contests the accuracy of the personal data, for a period that allows the company to verify its accuracy.
- When the processing is unlawful and the interested party opposes the deletion of the data.
- When the company no longer needs the data for the purposes for which they were collected, but the interested party needs them for the formulation, exercise or defense of claims.
- When the interested party has objected to the processing while it is being verified whether the company’s legitimate reasons prevail over those of the interested party.
- Right to portability: right to obtain the data in a structured, commonly used and machine-readable format, and to transmit them to another controller when:
- The treatment is based on consent.
- The processing is carried out by automated means
- Right to file a complaint with the competent supervisory authority
Interested parties may exercise the indicated rights by contacting the Data Controller, in writing, sent to the following address: info@XXX.eu, indicating in the Affairs line the right you wish to exercise.
In this sense, the Data Controller will respond to your request as soon as possible and taking into account the deadlines established in the regulations on data protection.
Security
The security measures adopted by the Controller are those required, in accordance with the provisions of Article 32 of the GDPR. In this regard, the Controller, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of natural persons, has established the appropriate technical and organizational measures to guarantee the level of security appropriate to the existing risk.
In any case, the Controller has implemented sufficient mechanisms to:
- Guarantee the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- Restore availability and access to personal data quickly, in the event of a physical or technical incident.
- Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the security of the processing.
- It anonymizes and encrypts personal data, if applicable.
