I. PRIVACY AND DATA PROTECTION POLICY
Pursuant to the provisions of the current legislation, VIDREPUR S.A. (hereinafter, also the Website) agrees to adopt the necessary technical and organisational measures, to ensure an appropriate level of security for the risk associated with the data that is collected.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
Personal Data Protection Act 15/1999, of 13 December (LOPD).
Royal Decree 1720/2007, of 21 December, approving the Implementing Regulation for Personal Data Protection Act 15/1999, of 13 December (RDLOPD).
Information Society Services and Electronic Commerce Act 34/2002, of 11 July (LSSI-CE).
Identity of the personal data controller
The controller of the personal data collected by VIDREPUR S.A. is: VIDREPUR S.A., with TIN: A12094009, whose representative is: FRANCISCO EXPOSITO SANCHEZ (hereinafter, the Data Controller). His contact details are as follows:
Address: CALLE COMERCIO Nº4 BAJO, 12550, ALMASSORA (CASTELLON) Contact telephone no.: 964564040 Contact email address: firstname.lastname@example.org
Register of Personal Data
The personal data collected by VIDREPUR S.A. through the forms that appear on its website will be added to a computer file that is under the responsibility of the Data Controller.
Principles applicable to the processing of personal data
The processing of the User’s personal data will be subject to the following principles, as set forth in Article 5 of the GDPR:
Principle of lawfulness, fairness and transparency: the User’s consent will be required at all times after being fully informed in a transparent manner of the purposes for which the personal data is collected.
Principle of purpose limitation: personal data will be collected for specific, explicit and legitimate purposes.
Principle of data minimisation: the personal data that is collected will only be that which is strictly necessary for the purposes for which it is processed.
Principle of accuracy: the personal data must be accurate and always up to date.
Principle of storage limitation: personal data will only be kept in a form which permits the identification of the User, for no longer than is necessary for the purposes for which it is being processed..
Principle of integrity and confidentiality: personal data will be processed in a manner that ensures its security and confidentiality.
Principle of accountability: the Data Controller will be responsible for ensuring compliance with the above principles.
Categories of personal data
The categories of data processed in VIDREPUR S.A. are only identifying data. Under no circumstances will special categories of personal data be processed, as defined in article 9 of the GDPR.
Legal basis for the processing of personal data
The legal basis for the processing of the personal data is consent. VIDREPUR S.A. agrees to obtain the express, verifiable consent of the User in order to process their personal data for one or several specific purposes.
The User will have the right to withdraw their consent at any time. It will be as easy to withdraw your consent as it is to give it. As a general rule, withdrawing consent will not prevent you from using the Website.
On those occasions when the User must or may provide their data through forms in order to make inquiries, request information or for reasons relating to the contents of the Website, they will be informed if the completion of any of said forms is mandatory because said data is essential in order for the operation to be performed correctly.
Personal data retention periods
Personal data may only be retained for the minimum time necessary to fulfil the purposes for which it is being processed and, in any event, only for the following period: 5 years, or unit the User requests its deletion.
When the personal data is obtained, the User will be informed of the period during which the personal data is to be kept or, when this is not possible, the criteria used to determine this period.
Recipients of the personal data
The User's personal data will be shared with the following recipients or categories of recipients:
Employment, tax and health and safety agencies, IT companies, finance companies and temporary employment agencies, with which a confidentiality agreement has been signed.
If the Data Controller intends to transfer personal data to a third country or international organisation, when the personal data is obtained, the User will be informed of the third country or international organisation to which it intends to transfer the data, and whether or not an adequacy decision has been adopted by the European Commission.
Personal data of minors
Pursuant to the provisions of article 8 of the GDPR and article 13 of the RDLOPD, only individuals over the age of 14 may give their consent for their personal data to be lawfully processed by VIDREPUR S.A. For children under the age of 14, the consent of their parents or guardians will be required for processing, and this will only be deemed lawful whenever this consent is given.
Confidentiality and security of the personal data
VIDREPUR S.A. agrees to adopt the necessary technical and organisational measures, to ensure an appropriate level of security for the risk associated with the data that is collected, in order to ensure the security of the personal data and avoid the accidental or unlawful destruction, loss or alteration of the personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to said data.
However, given that VIDREPUR S.A. cannot guarantee the impregnability of the Internet or the total absence of hackers or others who fraudulently access personal data, the Data Controller agrees to inform the User without undue delay when there is a breach of the security of personal data that is likely to entail a high risk to the rights and freedoms of individuals. Pursuant to the provisions of article 4 of the GDPR, a personal data security breach means any security breach that leads to the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to said data.
The personal data will be treated as confidential by the Data Controller, which agrees to inform of and guarantee by way of a legal or contractual obligation that said confidentiality will be respected by its employees, associates, and any individual to whom the information is accessible.
Rights arising from the processing of the personal data
In relation to VIDREPUR S.A., the User has and, therefore, may exercise the following rights with regard to the Data Controller, as recognised in the GDPR:
Right to access: The User will have the right to obtain from VIDREPUR S.A. confirmation as to whether or not their personal data is being processed and, where that is the case, to obtain information regarding the specific personal data and how VIDREPUR S.A. has or is processing it, in addition to the information available regarding the source of said data and the recipients to whom it has been or will be disclosed.
Right of rectification: The User has the right to obtain the rectification of any of their personal data that is inaccurate or, bearing in mind the purposes for which it is processed, incomplete.
Right to erasure (“right to be forgotten”): Provided that the current law does not establish otherwise, the User is entitled to obtain the erasure of their personal data when the personal data is no longer necessary for the purposes for which it was collected or otherwise processed; the User has withdrawn the consent given for processing and where there is no other legal ground for the processing; the User objects to the processing and there are no other legitimate grounds for the continuation thereof; the personal data has been unlawfully processed; the personal data has to be erased to comply with a legal obligation; or the personal data has been collected in relation to the direct offer of information society services to a child under the age of 14. In addition to erasing the data, and considering the technology available and the cost of using it, the Data Controller must take reasonable steps to inform the processors of the personal data of the request by the data subject to erase any link to that personal data.
Right to restriction of processing: The User has the right to restrict the processing of their personal data. The User is entitled to ensure that processing is restricted when they contest the accuracy of their personal data; the processing is unlawful; the Data Controller no longer needs the personal data, but the User requires it to file claims; and when the User has objected to the processing.
Right to data portability: When processing is carried out by automated means, the User will have the right to receive their personal data in a structured, commonly used and machine-readable format and to transmit that data to another data controller. Whenever technically possible, the Data Controller will transmit the data directly to this other controller.
Right to object: The User is entitled to object to the processing of their personal data and is entitled to ask VIDREPUR S.A. to stop processing said personal data.
Right not to be subject to automated individual decision-making, including profiling: The User has the right not to be subject to a decision based solely on the automated processing of their personal data, including profiling, except where current legislation establishes otherwise.
Hence, the User may exercise their rights by writing to the Data Controller with the reference “RGPD-www.vidrepur.com”, specifying:
• The User's full name and a copy of their ID document. Where representation is permitted, the same form of identification will be required of the individual representing the User, as well as the document evidencing said representation. The photocopy of the identity document may be replaced with any other valid legal form of proof of identity.
• Request with the specific reasons for the request or information to which access is required.
• Address for notification purposes.
• Date and signature of the petitioner.
• All documents proving that the request has been made.
This request and all other attached documents may be sent to the following postal and/or email address: Postal address: CALLE COMERCIO Nº4 BAJO, 12550, ALMASSORA (CASTELLON) Contact email address: email@example.com
Links to third-party websites
The Website may include hyperlinks or links that allow you to access third-party websites not owned by VIDREPUR S.A. Therefore, they are not operated by VIDREPUR S.A. The owners of those websites will have their own data protection policies, and they will each be responsible for their own files and their own privacy policies.
Complaints to the supervisory authority
If the User believes that there is a problem or breach of current law in the way in which their personal data is being processed, they will be entitled to effective legal protection and to file a complaint with the specific supervisory authority in their usual country of residence, place of work or the place of the alleged breach. In the case of Spain, the supervisory authority is the Spanish Data Protection Agency (http://www.agpd.es).
II. COOKIES POLICY
The User must read and accept the conditions regarding personal data protection contained in this Privacy and Cookies Policy, and agree to the processing of their personal data so that the Data Controller is able to do so in the manner, during the periods and for the purposes that are specified. Use of the Website implies acceptance of its Privacy and Cookies Policy.
VIDREPUR S.A. reserves the right to modify its Privacy and Cookies Policy at its discretion, or due to change in the law, jurisprudence or legal principles of the Spanish Data Protection Agency. The User will be expressly notified of any changes or updates to this Privacy and Cookies Policy.
This Privacy and Cookies Policy was updated on 27 May 2018 to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).