Enginyeria i Gestió d’Espais Industrials, SL
Basic information on data processing (Regulation (EU) 2016/679 and LO 3/2018)
Enginyeria i Gestió d’Espais Industrials, SL
NIF: B17493396 C/Areny s/n (Polígon Industrial) 17460 Celrà Email: email@example.com
Purpose of the treatment
To offer and manage our IT services.
In general, the legitimacy for the treatment of the data will be found in the consent obtained from the interested party or in the execution of the service contract.
The data will not be disclosed to third parties, unless required by law or necessary to fulfil the purpose of the processing.
Rights of individuals
Data subjects are entitled to exercise their rights of access, rectification, restriction of processing, erasure, portability and objection by sending their request to our address.
Data retention period
For as long as the business relationship is maintained or for the years necessary to comply with legal obligations.
Interested parties may contact the AEPD to file any complaint they deem appropriate.
You can consult the additional and detailed information below in the “Questions about privacy”.
Questions about privacy
In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) we provide you with the following information on the processing of your personal data:
Who is responsible for the processing of your data?
Identity: Enginyeria i Gestió d’Espais Industrials, SL
TAX ID: B17493396
Address: C/Areny s/n (Polígon Industrial) 17460 Celrà
Tel.: 972 49 42 14
For what purpose do we process your personal data?
We process the information provided to us in order to manage our IT services.
In the event that you contact us through the contact form on our website, we will process it in order to manage your query.
If you give us your consent we may also process your data to send you information about our activities, products or services.
When you sign in at the visitors’ register on our premises, we will process your data for the purposes of maintaining the security of our premises.
When you enter our premises, your image may be recorded by video surveillance cameras for security control purposes.
If you send us a CV, we will process the data for the purpose of managing our CV database for recruitment purposes.
How long will we keep your data?
The personal data provided will be kept for as long as you are a user of our services or wish to receive information, given that you can object to the processing of your data for promotional purposes at any time, and then for the periods established to comply with our legal obligations, which in the case of accounting and tax documentation for commercial purposes will be 6 years, in accordance with Art. 30 of the Commercial Code, and for tax purposes will be 4 years, in accordance with Articles 66 to 70 of the General Tax Law.
The data obtained through the visitor registration will be kept for one month.
Images captured by the video surveillance system will be kept for one month.
In the case of CVs, the data will be kept for one year.
What is the legitimacy for the processing of your data?
The legitimacy to process them lies in the execution of the service contract and in the consents you give us. In the case of information sent by minors under 16 years of age, it is a prerequisite that the personal data be processed with the consent of the minor’s parent, guardian or legal representative. If this is not the case, the legal representative of the minor will inform us as soon as he/she becomes aware of it. With regard to the collection of data in the visitors’ register and the capture of images by the video surveillance system, the legitimacy is given by the legitimate interest of preserving the security of persons and property.
To which recipients will your data be communicated?
The data will not be communicated to third parties, unless required by law or necessary to fulfil the purpose of the processing.
What are your rights when you provide us with your data?
Any individual has the right to obtain confirmation as to whether or not we are processing their personal data.
Data subjects have the right to access their personal data, as well as the right to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
In certain circumstances, data subjects may request the limitation of the processing of their data, in which case we will only keep them for the exercise or defence of claims.
Also, in certain circumstances and for reasons relating to their particular situation, data subjects may object to the processing of their data. In this case, we will stop processing the data, except for compelling legitimate reasons or for the exercise or defence of possible claims.
Data subjects also have the right to data portability.
Every data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Finally, data subjects have the right to lodge a complaint with the competent supervisory authority.
How can you exercise your rights?
By sending a letter, enclosing a copy of a document that identifies you, to our physical or e-mail address.
How did we obtain your data?
The personal data we process comes from the data subject. The interested party guarantees that the personal data provided are true and is responsible for communicating any changes to them. The data marked with an asterisk are obligatory in order to be able to provide the requested service.
What data do we process?
The categories of data that we may process in the provision of our services are:
Data of an identifying nature
Postal or e-mail addresses
In the case of the video surveillance system:
In the case of curricula, also:
Academic and professional
The data is limited, as we only process the data necessary for the provision of our services and the management of our activity.
What security measures do we apply?
We apply the security measures set out in Article 32 of the GDPR, therefore, we have adopted the necessary security measures to ensure a level of security appropriate to the risk of the data processing we carry out, with mechanisms that allow us to ensure the confidentiality, integrity, availability and ongoing resilience of the processing systems and services.
Some of these measures are:
Informing staff of data processing policies.
Carrying out regular backup copies.
Controlling access to data.
Regular verification, evaluation and assessment processes.
How do we process data on behalf of third parties?
When in the provision of our services we process personal data for which our customers are responsible, we do so as data processors, in accordance with the provisions of Article 28 GDPR and, therefore, in these processing operations of personal data:
(a) We will process personal data only on the documented instructions of the controller, including in relation to transfers of personal data to a third country or to an international organisation, unless we are obliged to do so under Union or Member State law to which we are subject. In this case, we will inform the controller of this legal requirement prior to processing, unless this right prohibits it for important reasons of public interest.
b) We ensure that persons authorised to process personal data have undertaken to respect confidentiality.
c) We have taken all necessary security measures in accordance with Article 32 of the GDPR, having implemented mechanisms to: Guarantee the confidentiality, integrity, availability and permanent resilience of the processing systems and services.
Restore availability and access to personal data quickly in the event of a physical or technical incident.
Regularly verify, evaluate and assess the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.
Pseudonymise and encrypt personal data, where appropriate.
d) We will respect the conditions set out in Article 28(2) and (4) of the GDPR for using another processor.
(e) We will assist the controller, where possible, in accordance with the nature of the processing and by appropriate technical and organisational measures, in complying with the obligation to respond to requests for the exercise of the rights of data subjects set out in Chapter III of the GDPR.
f) We will assist the controller in ensuring compliance with the data security obligations set out in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information made available to us.
(g) At the controller’s option, we will delete or return all personal data upon termination of the provision of the processing services and delete existing copies unless the retention of personal data is required by Union or Member State law.
(h) We will make available to the controller all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR and to allow and assist audits, including inspections, by the controller or another auditor authorised by the controller.
The data that we may process as data processors includes basic identification information of clients, suppliers or employees of our clients, such as name, address, e-mail address, as well as any other data that the client processes in the IT equipment that is the object of the service that we provide; and the processing that we may carry out will be those necessary for the provision of the service, including, but not limited to, the following: visualisation, monitoring, structuring, organisation or synchronisation.