PROVIDING INFORMATION BY LAYER OR LEVEL
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU L 119/1, 04-05-2016) (hereinafter referred to as the “GDPR”) provides an updated framework founded on accountability for the protection of data in Europe.
Article 12(1) of the GDPR, under chapter “Transparent information, communication and modalities for the exercise of the rights of the data subject”, stipulates the following:
The [data] controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
In order to reconcile the greater requirements that the GDPR imposes on providing information with the need to present it in a concise and understandable way, the data protection authorities recommend structuring information in layers or levels.
This multi-layer approach consists of:
- presenting a summary of basic information at the first level, at the same time and in the same way that data is collected;
- referring to additional information at a second level, whereby the rest of the information will be presented in a more appropriate way to ensure understanding and, if desired, archiving.
LEVEL 1: BASIC INFORMATION ON DATA PROTECTION
This information must be provided to users at the same time that the data is collected. It must be complete, accessible and clearly visible.
|BASIC INFORMATION ON DATA PROTECTION|
|Data controller||GIA, S.L.|
|Address||POL. IND. CAMPOLLANO AVDA GREGORIO ARCOS, 69, CP 02007, ALBACETE (ALBACETE, SPAIN)|
|Purposes||We will use your data to respond to your requests and deliver our services to you.|
|Marketing||We will only send you marketing correspondence if you have given your prior consent, which you can do by ticking the box for that purpose.|
|Lawful basis||We will only process your data if you have given your prior consent, which you can do by ticking the box for that purpose.|
|Recipients||Generally, only our members of staff who have been duly authorised may access the data that you have provided.|
|Your rights||You have the right to know what information we hold about you, to rectify it and to erase it, as explained in the additional information available on our website.|
|Additional information||For more information, please see “SECURING YOUR DATA” on our website.|
LEVEL 2: ADDITIONAL INFORMATION ON DATA PROTECTION
This information must be provided to users through a link on the website, under the heading “SECURING YOUR DATA”. This link must ideally be available on the top part of the page to ensure visibility and accessibility.
SECURING YOUR DATA
Information in compliance with personal data protection legislation
In Spain and the rest of Europe, there are data protection regulations in place designed to protect your personal data that, as a company, we need to be compliant with.
That is why it’s important to us that you clearly understand what we do with the data we request.
We will be transparent and ensure you have control over your data, using plain language and clear options that will allow you to decide what we are allowed to do with your personal data.
If anything is unclear after reading this information, please don’t hesitate to contact us.
Thank you for your cooperation.
- Who are we?
- Company name: GIA, S.L.
- Our tax identification code/tax ID: B02117059
- Our primary activity: Iron and steel industry
- Our address: Ind. Campollano Avda Gregorio Arcos, 69, CP 02007, Albacete (Albacete, Spain)
- Our telephone number: +34 967522523
- Our email address: firstname.lastname@example.org
- Our website: giaet.com
- For your peace of mind and security, we are inscribed in the following Spanish Public Registry/Commercial and Trade Registry:
- Our primary activity is subject to a system of prior administrative authorisation. For your peace of mind and security, the details of the administrative authorisation and the competent supervisory body are:
Competent supervisory body:
(IF THE ACTIVITY IS SUBJECT TO ADMINISTRATIVE AUTHORISATION)
- The operator of this website is a member of a regulated profession, whose details are as follows:
Official academic or professional qualification:
Issuing EU Member State:
Professional standards applicable to the exercise of the profession:
(IF THE WEBSITE OPERATOR IS A MEMBER OF A REGULATED PROFESSION)
We are available should you need us. Please don’t hesitate to contact us.
- Why do we use your data?
Generally, your personal data will be used to maintain a relationship with us in order to deliver our services to you.
Your data may also be used for other purposes, such as sending you marketing communications or promoting our services.
- Why do we need to use your data?
Your personal data is required for you to maintain a relationship with us in order for us to deliver our services to you. We will provide a series of tick-boxes that will allow you to make a clear and simple decision on how you want us to use your data.
- Who will we share the data you provide with?
Generally, only our members of staff who have been duly authorised may access the data that you have provided.
Equally, we may pass your personal data on to other entities where this is required in order to provide our services to you. For instance, we will need to share your data with our bank if you pay for our services by credit card or bank transfer.
We will also need to pass your data on to public or private entities when we are obliged to do so by law. For example, Spanish tax law requires us to provide the tax authorities with information on financial transactions that exceed a certain amount.
Nevertheless, if we otherwise need to disclose your personal data to other entities, we will ask your permission beforehand, providing you with clear options that will allow you to make a decision.
- How do we protect your data?
We protect your data using effective security measures in proportion to the risks involved in using your data.
We have adopted a Data Protection Policy, and we carry out checks and annual audits to verify that your personal data is secure at all times.
- Will we transmit your data to other countries?
Many countries across the world offer secure protection for your data, while others not so much. The European Union, for example, is a secure environment for your data. Our policy is not to send your personal data to any country that does not offer secure protection for your data.
In the event that we need to send your data to a country that is not as secure as Spain, in order to deliver our services to you, we will always ask your permission beforehand and apply effective security measures to reduce the risk of sending your personal data to another country.
- How long do we retain your data for?
We will store your data for the duration of our customer relationship, in compliance with the legislation. Once the statutory retention period has lapsed, we will then destroy your data in a secure and environmentally-friendly manner.
- What are your rights when it comes to data protection?
You may contact us at any time to find out what personal data we hold about you, to have it rectified where it is incorrect and to have it erased once our customer relationship comes to an end, provided that it is lawful to do so.
You are also entitled to have your data transferred to other entities in certain situations, under your right to data portability.
If you wish to exercise any of these rights, please send us a written request, accompanied by a copy of your ID, so that we can confirm your identity.
We have specific forms that you can use to exercise these rights, which we would be happy to help you fill in.
For more information about your data protection rights, please visit the Spanish Data Protection Agency website at www.agpd.es.
- Can you withdraw your consent if you change your mind later?
Yes, you can withdraw your consent at any time if you change your mind about how your data may be used.
For example, if you were previously interested in receiving marketing communications about our products or services, but you no longer wish to receive these, you can let us know by using the consent withdrawal form available from us.
- How can you submit a complaint if you feel your rights have not been honoured?
If you are not satisfied with how we have handled your request, you may submit a complaint to the Spanish Data Protection Agency, the Agencia Española de Protección de Datos. The agency can be contacted as follows:
- Website: www.agpd.es
Agencia Española de Protección de Datos
C/ Jorge Juan, 6
+34 901 100 099
+34 91 266 35 17
You can submit a complaint to the Spanish Data Protection Agency free of charge and you do not need the assistance of a solicitor or lawyer.
- Do we build profiles about you?
Our policy is not to build any profiles about the users of our services.
However, there may be situations when we need to develop information profiles about you in order to provide a service, commercial or otherwise. An example would be where we use your purchase or service history to offer products or services tailored to your tastes or needs.
In such cases, we will apply effective security measures to protect your data at all times against unauthorised persons intending to use it for their own benefit.
- Do we use your data for other purposes?
Our policy is not to use your data for any purposes other than those that we have explained. However, if we need to use your data for another purpose, we will always ask your permission beforehand, providing you with clear options that will allow you to make a decision.
PERMISSIONS (PLEASE TICK THE BOX TO GIVE YOUR CONSENT):
- I agree to the use of my data for the purposes specified under “SECURING MY DATA”.
- I agree to the use of my data to receive marketing communications from you.
DATA PROTECTION POLICY
This information, aimed at everyone (not just website users), must be provided through a link on the website, under the heading “DATA PROTECTION POLICY”. This link must ideally be available on the top part of the page to ensure visibility and accessibility.
DATA PROTECTION POLICY
The management board/governing body of GIA, S.L. (hereinafter referred to as the “data controller”) assumes full responsibility for and provides its full commitment to drafting, implementing and maintaining this Data Protection Policy, ensuring continuous improvement on the part of the data controller with a view to achieving excellence in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU L 119/1, 04-05-2016) and with Spanish legislation on the protection of personal data (Spanish Organic Law, specific sector legislation and the implementing regulations).
The GIA, S.L. Data Protection Policy is based on the principle of proactive responsibility, according to which the data controller is responsible for ensuring compliance with the regulatory framework and case law that governs the Policy, and is able to prove this before the competent supervisory authorities.
The data controller is governed by the following principles that should serve as a guide and frame of reference for all of its staff, with regard to the protection of personal data:
- Data Protection by design: when determining the means of processing and during processing itself, the data controller shall apply appropriate technical and organisational measures, such as pseudonymisation, designed to effectively implement the principles of data protection, such as processing the minimum amount of data required and incorporating the necessary guarantees into the processing.
- Data protection by default: the data controller shall apply appropriate technical and organisational measures with a view to ensuring that, by default, only personal data necessary for each specific purpose of processing is processed.
- Data protection in the data life cycle: measures to ensure that personal data is protected must be applied during the complete life cycle of the data.
- Lawfulness, fairness and transparency: the personal data must be processed in a lawful, fair and transparent manner in relation to the data subject.
- Purpose limitation: personal data must be collected for specific, explicit and legitimate purposes only, and must not be subsequently processed in any way that is incompatible with those purposes.
- Data minimisation: personal data must be adequate, relevant and restricted to what is necessary for the purposes for which it is processed.
- Accuracy: personal data must be accurate and updated where necessary; all reasonable steps must be taken to ensure that personal data which is inaccurate with regard to the purposes for which it is processed is rectified or erased without delay.
- Limiting the retention period: personal data must not be stored in any way that allows the data subject to be identified for any longer than is necessary for the purposes of the processing of personal data.
- Integrity and confidentiality: personal data must be processed in such a way as to ensure adequate security of the personal data, including protection against unauthorised or unlawful processing, loss, destruction and accidental damage, by applying appropriate technical and organisational measures.
- Information and training: one of the keys to ensuring the protection of personal data is providing training and information to staff involved in processing the data. During the life cycle of the data, all staff with access to the data must be properly trained on and informed about their obligations in terms of compliance with data protection legislation.
The GIA, S.L. Data Protection Policy is distributed to all staff under the authority of the data controller and made available to anyone interested.
Consequently, the present Data Protection Policy involves all staff under the authority of the data controller, who must be familiar with the policy and take ownership of it; every single one of them is responsible for applying and verifying data protection regulations in the course of their work, as well as identifying and creating opportunities for improvement as appropriate with a view to achieving excellence in compliance.
This policy will be reviewed by the management board/governing body of GIA, S.L. as often as necessary to ensure compliance with the provisions in force on the protection of personal data.