1.- Introduction: Our Commitment to Privacy
At Pila Teleña S.L. we have always considered the privacy of our clients to be of special importance. The protection of your personal data has been a constant in our commitment from the first moment in which you placed your trust in us.
We want the respect for your fundamental right to the protection of your data to be a constant. We will try to give you control over your own information.
For this reason and due to the importance that we give to YOUR privacy, the application of the new Regulation (EU) 2016/679 of the European Parliament and of the council of April 27, 2016 regarding the protection of individuals with regard to the treatment of personal data and the free circulation of these data (RGPD), rather than taking this as an order of obligations and restrictions, it has just confirmed the importance that privacy has acquired in our present times. A time marked by technological advances, whose good use is always welcome, but that in “sensu contrario” can suppose an invasion and interference in the life of any citizen.
So without further delay we put forward the basic principles on which we base our treatment of personal data, their safe-keeping and their exclusive use for the entrusted purposes, always making available final decision-making capacity to their owner (YOU).
We intend to describe what data we collect, the purposes for which we carry out their collection, how we use this data and all the possibilities we offer, including how to access and update the data. In short, we intend to make you aware of all the essential elements that you need to know about the use we make of your personal data and our invariable commitment to your custody of them.
In addition, you will see that you have the “definitions” tab at your disposal. This is a tool that can be useful to understand those concepts or actions that, due to their specificity, require a short and a simple as possible description.
2.- Who is responsible for your personal data?
Although you will find the definition of responsible made by Regulation (EU) 2016/679 in the “definitions” tab, we prefer to explain in a simple way who is responsible for your personal data.
Pila Teleña S.L. is responsible for any personal data that you own and that is dealt with by us.
We are responsible for safeguarding your data, using them appropriately and protecting them with the necessary measures to avoid their misuse.
It is important to recognise the breadth of meaning that the expression “personal data” has at this time.
For a long time, personal information has been understood as name, surname, postal address and land-line number. Today, personal data is any information that allows the identification of a person or any information that serves to make them identifiable. Therefore, name is personal data, obviously, but so is the IP address of a computer or a car license plate.
Consequently and in the face of the infinity of personal data that can be gathered at the moment, Pila Teleña S.L. redoubles its efforts to comply with the principle of data minimisation. That is, to use only strictly necessary personal data, by the minimum number of people necessary and the least number of times.
Our postal address is: Pila Teleña S.L. – Calle Pozo Nuevo, 12, 28430 Alpedrete – Madrid (Spain)
To end this section, we remind you of the name and other contact information of our Delegate in Data Protection (DPO): J. Iñaki Hernández Aznar (firstname.lastname@example.org)
3.- When do we collect your personal data?
At Pila Teleña S.L. we collect personal data about you every time you connect with us, including the provision of any of our services, when you use our website or when you interact with us electronically.
At no time do we collect your data for any purposes other than the purpose of Pila Teleña S.L. which is none other than the development of our professional activity, which is why you came to us.
For example, we will collect your data when you come on retreat with us, participate in any of our programmes through the website, etc, etcetera.
4.- For what purpose do we process your data?
On the Pila Teleña S.L. website itself you can find more information about our services. In the different sections you will obtain a detailed answer about what you are looking for in each of the professional activities that we carry out.
All of them are related to each other and linked to our purpose, our reason for being.
We reiterate: at no time will we collect your data for purposes other than our corporate purpose, which is none other than the development of our professional activity.
It is important to remind you that data has been collected exclusively for specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with said purposes.
In other words, we will not use your data for any purpose other than the one included in this tab, reminding you again that we will try to give you control over your own information.
Regarding the period of conservation of data, they will be held while the existing contractual or commercial relationship is lasts, subsequently being blocked as long as the sector regulations oblige us.
And to end this epigraph, from Pila Teleña S.L. we announce that at no time will automated decisions be made with your personal data. In all company dealings there will always be human intervention.
5.- What data do we deal with and from what source do we obtain it?
Regarding your relationship with us, the following categories of personal data may be dealt with: (this will have to be modified depending on the client).
1.a) Identifying data. Included here could be: signature, some images, health card, social security number or mutuality.
2.b) Health related data. It may be the case that some personal characteristics or social circumstances are included, as long as these are necessary for the service provided.
3.c) Economic or transactional data, such as payments, income, transfers or debits.
The data may come from the owner, their representative or a third party.
6.- What is the legitimacy for the treatment of your data?
The Regulation, in its spirit and intention to avoid the arbitrary treatment of personal data, establishes requirements for its use.
To put it another way, the Regulation relates to us the reasons for which personal data can be dealt with, with whoever is responsible for it and whoever is in charge of “justifying” acting accordingly with the possibilities that are included in the regulations.
In general, it establishes the conditions in article 6, leaving treatment where particularly sensitive data is collected for article 9.
In our case, the legitimate basis to treat your personal data is the following:
1. Your consent, if you have given it.
2. The provision of services that have occurred.
The legitimate interest of the company, which exclusively seeks the best provision of the services it offers.
We do not want to stop reminding you that for the correct achievement of the objectives when dealing with your personal data, it is essential that they are correctly updated. Therefore, if in the absence of an opportunity to update, we are aware of the need to do so, so please get in touch with our DPO to carry out as many updates as necessary. It is essential to have your data up to date.
Both national regulations and the European Regulation itself establish limitations regarding the treatment of the personal data of a “minor”.
Therefore, at Pila Teleña S.L. and adhering to age as recommended in the Regulation, all data processing of a child under 16 must have the authorisation of his or her parent or guardian, which will be duly accredited and in accordance with the applicable regulations .
In this sense, we will implement all the measures that we deem appropriate and possible to proceed with the effective verification of the minor’s age.
8.- Will we communicate your personal data? To who?
At Pila Teleña S.L. we will not transfer your personal data to third parties, unless:
1. It is necessary in order to provide the contracted service.
2. There is a legal obligation to do so.
3. You have given us your consent to do so.
We put at your disposal a list of categories of companies to which we give your information in the Third parties section. (It is necessary to list the transfers of data that are carried out and the categories of those responsible for the dealings we have).
Section a) indicates the cases where in order to provide an adequate service and manage the relationship we have with you, it is necessary that certain companies deal with your data as part of the provision of services contracted.
In these cases, all relationships will be regulated by a data protection contract. A document that will regulate the confidentiality and the commitment that meets the normative, referenced in the Regulation (EU) 2016/679 of the European Parliament.
b) only indicates cases where a law forces us to transfer data (example, Tax Agency).
And c) refers to situations where you will be asked for your consent for cases where it is necessary to have your approval. These situations will be covered by your consent, which will be duly managed so that you are information whenever you need to and so that in case you change your mind and revoke it, you do not have any problem doing so.
We insist that you are the owner of the data, and our commitment is to give you control of your own information.
What happens if you do not consent?: Nothing obliges you to give us this consent, but if you do not do so, you will lose information about our products, services and other activities that, without having a direct relationship via the contractual relationship that we could maintain, would be very useful in order to keep abreast of the evolution, news and offers of our company.
It is important to note, although we hope that it is not necessary, that by virtue of the legal relationship that may exist and in the event of any default, data relating to debt may be communicated with files related to compliance or breach of monetary obligations (asset solvency files).
9.- Will we communicate your personal data? To who?
Prior to the explanation of the Control Authority on international data transfers, we want to inform you from Pila Teleña S.L. that we will not carry out any international transfer without your consent, re-insisting that you will be in control of your information.
Once this fundamental aspect is clarified, we can refer to what the Spanish Data Agency says on this matter:
International data transfers involve a flow of personal data from Spanish territory to recipients established in countries outside the European Economic Area (the countries of the European Union plus Liechtenstein, Iceland and Norway).
Those responsible for and in charge of processing data may make international transfers of data without the need for an authorisation from the Spanish Data Protection Agency, provided that the data processing complies with the provisions of the European Regulation and the following assumptions are made.
The European Commission has declared the following countries as having an adequate level of security.
In other words, it considers them apt to carry out data transfers with them, equating them to a level analogous to the member states of the EU.
(listed as of June 2018)
- Decision 2000/518 CE of the Commission, of July 26, 2000.
- Canada Decision 2002/2/CE of the Commission, of December 20, 2001, with respect to the entities subject to the scope of application of the Canadian data protection law.
- Decision 2003/490/CE of the Commission, of June 3, 2003.
- Decision 2003/821/CE of the Commission, of November 21, 2003.
- Isle of Man. Decision 2004/411/CE of the Commission, of April 28, 2004.
- Decision 2008/393/CE of the Commission, of May 8, 2008.
- Feroe Islands. Decision 2010/146/EU of the Commission, of March 5, 2010.
- Decision 2010/625/EU of the Commission, of October 19, 2010.
- Commission Decision 2011/61 / EU of January 31, 2011.
- New Zealand. Decision 2013/65 / EU of the Commission, of December 19, 2012.
United States. Applicable to entities certified under the EU-US Privacy Shield. Commission Decision (EU) 2016/1250 of July 12, 2016. The Privacy Shield offers a series of rights and obliges companies to protect personal data in accordance with the “Principles of privacy”.
In cases where the country is not included in the previous list, the following will be necessary:
A legally binding and enforceable instrument between public authorities or bodies.
Binding corporate rules.
Data protection type clauses adopted by the Commission that are still valid.
- Decisión 2001/497/CE, de 15 de junio de 2001, on standard contractual clauses for the transfer of personal data between data subjects to a third country and Decision 2010/87/UE of the Commission of 5 February 2010, relating to standard contractual clauses for the transfer of personal data to data processors established in third party countries, in accordance with Directive 95/46/EC of the European Parliament and of the Council.
- Data protection type clauses adopted by a supervisory authority and approved by the Commission.
- Codes of conduct, together with binding and enforceable commitments of the third party responsible or processor in charge of applying adequate guarantees, including those related to the rights of the interested parties.
- Certification mechanisms, together with binding and enforceable commitments of the responsible or third-party processor in the third country to apply adequate guarantees, including those related to the rights of the interested parties.
If the specific case does not meet the preceding requirements, as in, there is an absence of adequate decision-making guarantees, these can only be made if any of the following conditions are met:
The interested party has explicitly given their consent.
The transfer is necessary for the execution of a contract between the interested party and whoever is responsible for treating that data or for the execution of pre-contractual measures adopted at the request of the interested party.
The transfer is necessary for the meeting or execution of a contract, in the interest of the interested party, between whoever is responsible for treating data and another natural or legal person.
The transfer is necessary for important reasons of public interest.
The transfer is necessary for the formulation, carrying out or defence of claims.
The transfer is necessary to protect the vital interests of the interested party or of other persons, when the interested party is physically or legally incapable of giving his or her consent.
The transfer is made from a public registry that, in accordance with Union or Member State law, has the purpose of providing information to the public and is open to consultation with the general public or any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in the law of the Union or of the Member States for consultation are met in each particular case.
When neither of these exceptions is applicable, a transfer can only be carried out if it is not repetitive, affecting only a limited number of interested parties, it is necessary for the purposes of imperative legitimate interests pursued by whoever is responsible for the data, over which the interests or rights and freedoms of the interested party do not prevail, and the data controller will evaluate all the concurrent circumstances in the transfer of data and, based on this evaluation, offers appropriate guarantees with respect to the protection of personal data.
In this case, the data controller will inform the transfer control authority. In addition to the information referred to in Articles 13 and 14 of the RGPD, the controller will inform the interested party of the transfer and of the legitimate imperious interests pursued.
Binding corporate rules (BCR):
The binding corporate rules (or BCR for its acronym in English) are “the policies of protection of personal data assumed by someone responsible for or in charge of the established treatment of data in the territory of a Member State for transfers or a set of transfers of personal data to whoever is responsible or in charge in one or more third party countries, within a business group or a union of companies dedicated to a joint economic activity”.
The business groups are those “constituted by a company that exercises control and the companies it controls.”
The competent control authority will approve binding corporate rules (better known by its acronym BCR (Binding Corporate Rules) in accordance with the coherence mechanism established in Article 63 of the RGPD.
10.- How long will we keep your data for?
From Pila Teleña S.L. we want to convey the firm purpose of keeping your personal data for as long as is strictly necessary. Whether it is due to a relationship with us, because there is a provision of services, because there is an interest in receiving information about our services or any other circumstance that requires the processing of your personal data. That is, during the time strictly necessary for the purpose for which they were collected.
Regarding the security of facilities, images captured through video surveillance systems shall be kept for a maximum period of 30 days, unless there is knowledge of any event that may be relevant for a subsequent judicial action.
Once the reason for which we treat your personal data comes to an end, we will keep it as long as we are bound to by the sectoral regulations that may affect them.
In this sense and as an example, the sectoral regulations on money laundering, the Tax Agency, the Commercial Code regulations, the patient’s autonomy or clinical history, the Courts and Tribunals of Justice in the face of potential claims, scientific research and/or statistics, etc., et cetera.
In any case, for the cases where we have to keep data according to the obligations imposed by the different legal standards, we will block it, preventing any use other than the one mentioned exclusively.
And after the terms provided by law, we will destroy or anonymise your data.
11.- What are your rights?
As the owner of the fundamental right to the protection of your personal data, the law recognises rights that these have been reinforced since the RGPD.
The recognised rights are the following: ACCESS, RECTIFICATION, SUPPRESSION, LIMITATION, PORTABILITY AND OPPOSITION.
Exercising your rights is FREE and WITHOUT CHARGE.
The interested party can exercise their rights by requesting it in writing, and with a copy of a reliable document that proves their identity, to the following postal address:
- C/ Pozo Nuevo, 12, 28430 Alpedrete – Madrid (Spain).
- E-mail: email@example.com
Therefore, at Pila Teleña S.L. we want to follow the current that is imposed from Europe and provide you with all the necessary tools so that you can exercise your rights, understand them and know their importance.
Right of Access.- First right that the RGPD gathers, in its article 15:
1.The interested party shall have the right to obtain confirmation from the person responsible for processing data of whether or not personal data concerning him/her are being processed and, in such this case, will have the right of access to personal data and the following information:
2.a) the purposes of the treatment of data;
3.b) the categories of personal data concerned;
4.c) the addressees or categories of recipients to whom the personal data were or will be communicated, in particular to third parties or international organisations;
5.d) if possible, the expected period of conservation of personal data or, if this is not possible, the criteria used to determine this period;
6.e) the existence of the right to request the rectification or deletion of personal data or the limitation of the processing of personal data relating to the interested party, or to oppose such treatment; from whoever is responsible
7.f) the right to file a claim with a supervisory authority;
8.g) when personal data has not been obtained from the interested party, any available information about its origin;
9.h) the existence of automated decisions, including the preparation of profiles, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as the importance and expected consequences of such treatment for the interested party.
10. When personal data is transferred to a third country or an international organisation, the interested party shall have the right to be informed of the appropriate guarantees under article 46 relating to the transfer.
11. The data controller will provide a copy of the personal data that is being processed. The responsible party may receive a reasonable fee based on the administrative costs for any other copy requested by the interested party. When the interested party submits the application by electronic means, and unless the latter requests that it be provided otherwise, the information will be provided in an electronic format of common use.
12. The right to obtain a copy mentioned in section 3 will not negatively affect the rights and freedoms of others.
In other words and looking for an easy explanation, what is intended is that the owner of the data has the capacity to access them and know what data has been collected.
Right of Rectification.- gathered in the RGPD, Article 16:
The interested party shall have the right to obtain, without undue delay, the rectification of inaccurate personal data concerning them. Taking into account the purposes of the treatment of data, the interested party shall have the right to complete any incomplete personal data, including by means of an additional declaration.
An elementary right that recognises possibility of the owner to demand that their data be correct and updated.
Right of Suppression (also called the Right to Forget): – Article 17 of the RGPD:
1. The interested party shall have the right to obtain, without undue delay, the deletion of personal data concerning them, from the data controller, who shall be obliged to remove the personal data without undue delay when any of the following circumstances occur:
2.a) personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
3.b) the interested party withdraws the consent on which the treatment of data is based in accordance with article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), and this is not based on another legal basis;
4.c) the interested party opposes the treatment according to article 21, paragraph 1, and no other legitimate grounds for the treatment prevail, or the interested party opposes the treatment according to article 21, paragraph 2;
5.d) personal data have been treated unlawfully;
6.e) personal data must be deleted for the fulfilment of a legal obligation established in the law of the Union or of the Member States that applies to the data controller;
7.f) personal data have been obtained in relation to the offer of services of the information society mentioned in Article 8, paragraph 1.
8. When it has made public the personal data and is obliged, under the provisions of section 1, to delete such data, taking into account the available technology and the cost of its application, the data controller shall adopt reasonable measures, including technical measures, with a view to informing those responsible who are dealing with the personal data of the interested party’s request to delete any link to such personal data, or any copy or replica of them.
9.Sections 1 and 2 do not apply when the treatment is necessary:
10.a) to exercise the right to freedom of expression and information;
11.b) for the fulfilment of a legal obligation that requires the treatment of data imposed by the Law of the Union or of the Member States that applies to the controller, or for the fulfilment of a mission carried out in the public interest or in the exercising of public powers conferred onto the person responsible;
12.c) for reasons of public interest in the field of public health in accordance with article 9, paragraph 2, letters h) and i), and section 3;
13.d) for the purpose of archiving in the public interest, scientific or historical research purposes or statistical purposes, in accordance with article 89, paragraph 1, insofar as the right indicated in section 1 could make it impossible or seriously impede the achievement of the objectives of said treatment, or
14.e) for the formulation, carrying out or defence of claims.
Delete your personal data when they are not necessary for the purposes for which they were collected, among other reasons.
Right of Limitation.- Article 18 RGPD:
1. The interested party shall have the right to obtain from the data controller the limitation of the processing of the data when any of the following conditions is met:
2.a) the interested party challenges the accuracy of the personal data, for a period that allows the whoever is responsible to verify the accuracy of the same;
3.b) the treatment is unlawful and the interested party opposes the deletion of personal data and requests the limitation of its use instead;
4.c) the person in charge no longer needs the personal data for the purposes of the treatment, but the interested party needs them for the formulation, carrying out or defence of claims;
5.d) the interested party has opposed the treatment of data under article 21, paragraph 1, while verifying if the legitimate reasons of the responsible party prevail over those of the interested party.
6. When the processing of personal data has been limited by virtue of section 1, said data may only be subject to processing, with the exception of its conservation, with the consent of the interested party or for the formulation, carrying out or defence of claims, or with a view to the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a particular Member State.
7. Anyone who has obtained the limitation of the treatment according to paragraph 1 will be informed by the person responsible before the lifting of said limitation.
Limit the processing on our behalf of all or part of your personal data in the circumstances determined by law.
Right of Portability.- Article 20 of the RGPD:
1. The interested party shall have the right to receive the personal data that concerns them, that they have provided to a data controller, in a structured format, of common use and mechanical reading, and to transmit them to another controller without being prevented by the person responsible who would have facilitated them, when:
2.a) the treatment is based on consent under article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), or on a contract under article 6, paragraph 1, letter b), and
3.b) the treatment is carried out by automated means.
4. When exercising their right to the portability of the data in accordance with section 1, the interested party shall have the right to have personal data transmitted directly from responsible person to responsible person when technically possible.
5. The exercise of the right mentioned in paragraph 1 of this article shall be understood without prejudice as article 17. Such right shall not apply to the treatment necessary for the fulfilment of a mission performed in the public interest or in the exercise of public powers conferred to the person responsible for the treatment.
6. The right mentioned in paragraph 1 will not negatively affect the rights and freedoms of others.
Request the portability of your personal data in an interoperable and self-sufficient format.
Right of Opposition.- Article 21 RGPD:
1.The interested party shall have the right to object at any time, for reasons related to his/her particular situation, to the fact that personal data concerning him/her are subject to a treatment based on the provisions of article 6, paragraph 1, letters e) of), including profiling on the basis of these provisions. The data controller will stop processing personal data, unless he or she demonstrates compelling legitimate reasons for the treatment of data that prevails over the interests, rights and freedoms of the interested party, or for the formulation, carrying out or defence of claims.
2.When the processing of personal data is aimed at direct marketing, the interested party shall have the right to object at all times to the processing of personal data concerning them, including the elaboration of profiles insofar as they are related to said marketing. .
3. When the interested party opposes the treatment of data for direct marketing purposes, personal data will no longer be processed for said purposes.
4. At the time of the first communication with the interested party at the latest, the rights indicated in sections 1 and 2 will be explicitly mentioned to the interested party and will be presented clearly and independently of any other information.
5. In the context of the use of information society services, and notwithstanding the provisions of Directive 2002/58/EC, the interested party may exercise his/her right to object by automated means that apply technical specifications.
6.When personal data are processed for scientific or historical research purposes or for statistical purposes in accordance with article 89, section 1, the interested party shall have the right, for reasons related to his/her particular situation, to oppose the processing of personal data provided by him/her that concern them, unless it is necessary for the accomplishment of a mission carried out for reasons of public interest.
Or as could be summarised: to oppose certain treatments of data in the circumstances and for reasons related to their particular situation.
And as the final element of the section, referring to the rights of the holders, it is important to notify them that they may withdraw the previously granted consents at any time.
12.- Which Control Authority can claims be exercised with?
The Regulation, in order to protect the owner of the data, offers a route in cases where the expected response in the exercising of rights related to the protection of damages has not been obtained .
In these cases, you can file a claim with the Spanish Data Protection Agency, the control authority in matters of data protection, at the following address:
C / Jorge Juan, 6. Madrid (28001)
13.- When will we send you commercial communications?
When we collect data directly from you, we may ask you whether or not you wish to receive our commercial communications.
In this sense, it must be taken into account that if these communications are related to goods, services or news related to the relationship you have with us, we can carry them out in virtue of the existing legitimate interest.
It need not be the case, but if they are commercial communications that have no direct relationship with the relationship you have with us, or are even third party companies, these commercial communications will always be preceded by your consent.
Consent that, as you know, you can revoke whenever you deem appropriate.
14.- Social Networks
Pila Teleña S.L. has a profile on some of the main on-line social network, and is responsible for the treatment of data in relation to the data published on those profiles or the data that users send privately to the mailbox that appears on the profile (for example, questions or advice).
Purpose and legitimacy: The treatment of data that will be carried out with the data within each of the aforementioned networks will be, at most, the one that the social network allows on corporate profiles.
So, from Pila Teleña S.L. we will be able to inform “our” followers, when the law does not prohibit it, about activities, offers, as well as provide personalised customer service.
Extraction of data: Under no circumstances will we extract data from social networks, unless the user’s consent is specifically and expressly obtained for it.
Rights: When, due to the very nature of social networks, an owner requires the effective exercising of data protection rights, our DPO may inform and advise you to the extent that it is possible according to that purpose.
15.- Data Security
When we become responsible for your data and handle it for the relevant purposes, the organisational and security measures necessary to guarantee integrity, confidentiality, availability, resilience or invulnerability will be applied to avoid loss, misuse and unauthorised access to your personal data. All this in accordance with the provisions of the aforementioned Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as what is established in the national regulations that are applicable.
For security and strictly authorised access, we will block your data if necessary, we will proceed to encrypt them when the action so advises and even anonymise them if that enables us to achieve our goal, which is none other than the proper custody and proper use of your personal data.
We have also reviewed our policy regarding the collection, storage and processing of data, including physical security measures, to prevent unauthorised access to our systems.
Complying with the principle of data minimisation, we limit access to personal information that must be processed and we will ensure that all parties comply with strict contractual confidentiality obligations.
Failure to comply with the disciplinary conditions set forth will be grounds for sanction, termination of contract or dismissal from work.
It is our intention to provide comprehension and understanding of the glossary of concepts that hide behind your fundamental right to data protection as much as possible.
Therefore, and from now on, the following definitions serve as “clarifications”.
However, the Data Protection Delegate of the company is at your disposal for any questions you may have.
.- It would be interesting that all the words object of definition have a direct link to reach the definition that is contained in this tab (underlined of automated decision to take to the definition tab).
- “Personal data”: all information about an identified or identifiable natural person (the interested party); Any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an on-line identifier or one or several identity elements; physical, physiological, genetic, psychological, economic, cultural or social of said person is considered an identifiable person.
- “Treatment”: any operation or set of operations performed on personal data or personal data sets, either by automated procedures or not, such as collection, registration, organisation, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of access, authorisation, collation or interconnection, limitation, suppression or destruction.
- “Limitation of treatment”: the marking of personal data kept in order to limit their treatment in the future.
- “Profiling”: any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects of a natural person, in particular, to analyse or predict aspects related to professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of said natural person.
- “Pseudonymisation”: the processing of personal data in such a way that it can no longer be attributed to an interested party without using additional information, provided that such additional information appears separately and is subject to technical and organisational measures designed to ensure that personal data are not attributed to an identified or identifiable natural person.
- “File”: any structured set of personal data, accessible according to certain criteria, whether centralised, decentralised or distributed functionally or geographically.
- “Responsible for treatment” or “data controller”: the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of treatment; if the law of the Union or of the Member States determines the aims and means of processing, the controller or the specific criteria for their appointment may be established by Union or Member State law.
- “Responsible for processing” or “in charge”: the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller.
- “Recipient”: the natural or legal person, public authority, service or other body to which personal data is communicated, whether or not it is a third party. However, public authorities who may receive personal data in the framework of a specific investigation in accordance with Union or Member State law shall not be considered as addressees; the processing of such data by said public authorities will be in accordance with the data protection regulations applicable for the purposes of processing.
- “Third party”: individual or legal entity, public authority, service or organisation other than the interested party, the person responsible for the processing, the processor and the persons authorised to process personal data under the direct authority of the person responsible or the person in charge.
- “Consent of the interested party”: any expression of free, specific, informed and unequivocal will for which the interested party accepts, whether through a declaration or clear affirmative action, the processing of personal data concerning them.
- “Violation of the security of personal data”: any breach of security resulting from the destruction, loss or accidental or unlawful alteration of personal data transmitted, stored or otherwise processed, or unauthorised communication or access to said data .
- ”Genetic data”: personal data relating to inherited or acquired genetic characteristics of a natural person that provide unique information about the physiology or health of that person, obtained in particular from the analysis of a biological sample of that person.
- “Biometric data”: personal data obtained from a specific technical treatment, relating to the physical, physiological or behavioural characteristics of a natural person that allow or confirm the unique identification of said person, such as facial images or fingerprint data.
- “Health related data”: personal data related to the physical or mental health of a natural person, including the provision of health care services, that reveal information about their state of health.
- “Principal establishment”:
- a) with regard to a controller with establishments in more than one Member State, the place of their central administration in the Union, unless decisions on the purposes and means of processing are taken in another establishment of the responsible person in the Union and the latter establishment has the power to enforce such decisions, in which case the establishment that has adopted such decisions shall be considered as the principal establishment.
- b) with regard to a person in charge of the treatment with establishments in more than one Member State, the place of their central administration in the Union or, if they lack this, the establishment of the person in charge in the Union in which the main treatment activities are carried out, in the context of the activities of a manager’s establishment to the extent that the person in charge is subject to specific obligations under this Regulation.
- “Representative”: a natural or legal person established in the Union who, having been designated in writing by the controller or processor in accordance with article 27, represents the person responsible or the person in charge with respect to their respective obligations under this Regulation.
- “Company”: individual or legal entity engaged in an economic activity, regardless of its legal form, including companies or associations that regularly carry out an economic activity.
- “Business group”: a group constituted by a company that exercises control and its controlled companies.
- • “Binding corporate rules”: the policies for the protection of personal data assumed by a responsible party or processor in the territory of a Member State for transfers or a set of transfers of personal data to a person in responsible or in charge in one or more third party countries, within a business group or a union of companies dedicated to a joint economic activity.
- “Control Authority” means the independent public authority established by a Member State in accordance with the provisions of Article 51 of the RGPD.
- “Interested control authority”: the control authority that affects the processing of personal data because:
- a) the controller or processor is established in the territory of the Member State of that control authority.
- b) the interested parties residing in the Member State of that control authority are substantially affected or are likely to be substantially affected by the treatment, or
- c) a claim has been filed with that supervisory authority.
- “Cross-border treatment”:
- a) the processing of personal data carried out in the context of the activities of establishments in more than one Member State of a data controller or processor in the Union, if the person in charge or the person in charge is established in more than one Member State, or
- b) the processing of personal data carried out in the context of the activities of a single establishment of a data controller or processor in the Union, but which substantially affects or is likely to substantially affect interested parties in more than one Member State.
- “Relevant objection and objection with due cause”: the objection to a proposal for a decision on the existence or non-existence of an infraction of this Regulation, or on the compliance with this Regulation of actions envisaged in relation to the person responsible or the person in charge of the treatment, who clearly demonstrates the importance of the risks involved in the draft decision for the rights and fundamental freedoms of the interested parties and, where appropriate, for the free circulation of personal data within the Union.
- “Information society service”: any service according to the definition of article 1, paragraph 1, letter b), of Directive (EU) 2015/1535 of the European Parliament and of the Council.
- “International organisation”: an international organisation and its subordinate bodies of international public law or any other body created by an agreement between two or more countries or by virtue of such agreement.
- “Cookie”: Small file that sends a web server to the hard disk of the user who visits it with information about their preferences and navigation guidelines.
- “IP address”: a number that identifies, logically and hierarchically, a network interface (communication/ connection element) of a device (computer, tablet, laptop, smart-phone) that uses the IP protocol (Internet Protocol) or, which corresponds to the network level of the TCP/IP model (example, 184.108.40.206).
- “Visit counter”: computer programme that indicates the number of visitors that a certain web page has received. Once configured, these counters will increase one by one after each visit to the website. Web counters are not necessarily reliable. A web-master could set them up to start at any large number, giving the impression that your site is more popular than it actually is.
- “Browser”: Programme that allows browsing of the Internet or another communications computer network.
“Automated decision” – Explanation of Recital 71 of the RGPD: the interested party should have the right not to be the subject of a decision, which may include a measure, which evaluates personal aspects related to it, and which is based solely on automated processing and produce legal effects on them or affect them significantly in a similar way, such as the automatic denial of an on-line credit application or network contracting services in which no human intervention occurs. This type of treatment includes the elaboration of profiles consisting of any form of treatment of personal data that assess personal aspects related to a natural person, in particular to analyse or predict aspects related to work performance, economic situations, health, preferences or personal interests, reliability or behaviour, the situation or the movements of the interested party, to the extent that it produces legal effects on them or affects them significantly in a similar way. However, decisions based on such treatment, including profiling, should be allowed, if expressly authorised by Union or Member State law applicable to the controller, including for the purpose of fraud control and prevention and tax evasion, carried out in accordance with the regulations, rules and recommendations of Union institutions or national supervisory bodies and to ensure the safety and reliability of a service provided by the data controller, or necessary for the conclusion or execution of a contract between the interested party and a controller, or in those cases in which the interested party has given their explicit consent. In any case, said treatment must be subject to appropriate guarantees, which must include specific information to the interested party and the right to obtain human intervention, to express their point of view, to receive an explanation of the decision taken after such evaluation and to challenge the decision. Such a measure should not affect a minor.
Principles in the Protection of Personal Data
- Personal data will be
- a) treated in a lawful, fair and transparent manner in relation to the interested party (“lawfulness, loyalty and transparency”).
- b) collected for specific, explicit and legitimate purposes, and will not be subsequently processed in a manner incompatible with said purposes; according to article 89, paragraph 1, the further processing of personal data for purposes of archiving in the public interest, scientific and historical research purposes or statistical purposes will not be considered incompatible with the initial purposes (“limitation of purpose”) .
- c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are treated (“data minimisation”).
- d) exact and, if necessary, updated; all reasonable measures shall be taken so that personal data that are inaccurate with respect to the purposes for which they are treated (“accuracy”) are deleted or rectified without delay.
- e) maintained in a way that allows the identification of the interested parties during no more time than necessary for the purposes of processing personal data; personal data may be kept for longer periods provided they are exclusively for the purpose of archiving in the public interest, scientific or historical research purposes or statistical purposes, in accordance with article 89, paragraph 1, without prejudice to the application of the measures appropriate technical and organisational measures imposed by this Regulation in order to protect the rights and freedoms of the person concerned (‘limitation of the period of storage’).
- f) treated in such a way as to ensure adequate security of personal data, including protection against unauthorised or illegal treatment and against loss, destruction or accidental damage, through the application of appropriate technical or organisational measures (“integrity and confidentiality »).
- The controller will be responsible for complying with the provisions of section 1 and able to prove it (“proactive responsibility”).
Therefore, Pila Teleña S.L. can modify or update this “policy” when necessary.
Check it frequently. It will serve as an element to assess the good practices that we perform.
When we update this “policy”, we will modify the date of the last update that appears at the beginning of it.
If there is a major change in the “policy” or in the way your personal information is used, you will be notified via a posting of a notice of such changes before they become effective or by direct notification to you if you have agreed to receive this.