Privacy Policy

Privacy Policy

Introduction

This Privacy Policy has been developed in accordance with the provisions of Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), as well as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data, hereinafter the GDPR.

The purpose of this Privacy Policy is to inform the owners of personal data, in respect of whom information is being collected, of specific aspects relating to the processing of their data, including, among other matters, the purposes of the processing, the contact details for exercising their rights, the retention periods of the information, and the security measures in place.

Data Controller

For the purposes of data protection, ROBERTO BRUÑA S.L. must be considered the Data Controller in relation to the processing operations identified in this policy, specifically in the section on Data Processing.

The identifying details of the owner of this website are provided below:

Data Controller: ROBERTO BRUÑA S.L.
Postal Address: RECTA DE HERAS 7, 39619, SAN SALVADOR (CANTABRIA)
Email: info@robertobruna.es

Data Processing

The personal data requested, where applicable, will consist solely of those strictly necessary to identify and respond to the request made by the data subject, hereinafter the “interested party”. Furthermore, personal data will be collected for specific, explicit, and legitimate purposes, and will not be further processed in a manner incompatible with those purposes.

The data collected from each interested party will be adequate, relevant and not excessive in relation to the purposes for which they are collected, and will be updated whenever necessary.

The data subject will be informed, prior to the collection of their data, of the general terms set out in this policy, so that they may provide their express, precise and unequivocal consent to the processing of their personal data, in accordance with the following aspects.

Purposes of Processing

The explicit purposes for which each of the processing operations is carried out are set out in the information clauses included in each of the data collection methods (web forms, paper forms, recorded messages, posters, and information notices).

Nevertheless, the personal data of the interested party will be processed exclusively for the purpose of providing an effective response and attending to the requests made by the user, as specified alongside the option, service, form or data collection system used by the data subject.

Legal Basis

As a general rule, prior to the processing of personal data, the Data Controller obtains the express and unequivocal consent of the data subject, by means of the inclusion of informed consent clauses in the various data collection systems.

However, in cases where the consent of the data subject is not required, the legal basis legitimising the processing relied upon by the Data Controller is the existence of a law or specific regulation that authorises or requires the processing of the data of the data subject.

Recipients

As a general rule, the Data Controller does not transfer or communicate data to third parties, except where legally required. Nonetheless, where necessary, such transfers or communications of data will be brought to the attention of the interested party by means of informed consent clauses included in the various channels used to collect personal data.

Source

As a general rule, personal data are always collected directly from the data subject. However, in certain exceptions, the data may be collected through third parties, entities or services other than the data subject. In such cases, this circumstance will be communicated to the data subject by means of informed consent clauses contained in the different data collection methods and within a reasonable period, once the data have been obtained, and at the latest within one month.

Retention Periods

The information collected from the data subject will be retained for as long as it is necessary to fulfil the purpose for which the personal data were collected. Once the purpose has been fulfilled, the data will be cancelled. Such cancellation will result in the blocking of the data, which will be kept solely at the disposal of Public Authorities, Judges, and Courts, for the purpose of addressing any liabilities arising from the processing, during the period of limitation of such liabilities. Once this period has expired, the information will be destroyed.

For information purposes, below are the statutory data retention periods in relation to different subject matters:

DOCUMENT PERIOD LEGAL REFERENCE
Employment or social security-related documentation 4 years Article 21 of Royal Legislative Decree 5/2000 of 4 August, approving the consolidated text of the Law on Social Order Infringements and Sanctions
Accounting and tax documentation for commercial purposes 6 years Article 30 Commercial Code
Accounting and tax documentation for tax purposes 4 years Articles 66 to 70 General Tax Law
Video surveillance 1 month Instruction 1/2006 of the Spanish Data Protection Agency (AEPD), Organic Law 4/1997
Curricula vitae of applicants and candidates Until the end of the initial selection process for those who do not pass the process. For CVs included in the job pool, a maximum of 2 years if not updated since submission.

Browsing Data

With regard to browsing data that may be processed through the website, where data subject to regulation are collected, we recommend consulting the Cookie Policy published on our website.

Rights of Data Subjects

Data protection legislation grants a series of rights to data subjects, users of the website, or users of the Data Controller’s social media profiles.

These rights available to data subjects are as follows:

  • Right of access: the right to obtain information as to whether their personal data are being processed, the purpose of the processing, the categories of data concerned, the recipients or categories of recipients, the retention period, and the source of such data.
  • Right of rectification: the right to obtain the correction of inaccurate or incomplete personal data.
  • Right of erasure: the right to obtain the erasure of data in the following circumstances:
    • When the data are no longer necessary for the purpose for which they were collected
    • When the data subject withdraws consent
    • When the data subject objects to the processing
    • When the data must be deleted in compliance with a legal obligation
    • When the data have been obtained through an information society service as provided in Article 8(1) of the European Data Protection Regulation
  • Right to object: the right to object to a specific processing based on the consent of the data subject.
  • Right to restriction: the right to obtain restriction of the processing of data in the following cases:
    • When the data subject contests the accuracy of the personal data, for a period enabling the entity to verify their accuracy
    • When the processing is lawful and the data subject objects to the erasure of the data
    • When the entity no longer needs the data for the purposes for which they were collected, but the data subject requires them for the formulation, exercise or defence of legal claims
    • When the data subject has objected to the processing, pending verification of whether the legitimate grounds of the entity prevail over those of the data subject
  • Right to data portability: the right to receive the data in a structured, commonly used and machine-readable format, and to transmit them to another controller when:
    • The processing is based on consent
    • The processing is carried out by automated means
  • Right to lodge a complaint with the competent supervisory authority.

Data subjects may exercise the aforementioned rights by contacting the Data Controller by email at info@robertobruna.es, indicating in the subject line the right they wish to exercise.

In this regard, the Data Controller will respond to the request as soon as possible, taking into account the time limits established in data protection legislation.

Security

The security measures adopted by the Data Controller are those required in accordance with Article 32 of the GDPR. In this regard, the Data Controller, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the varying risks of likelihood and severity for the rights and freedoms of natural persons, has implemented the appropriate technical and organisational measures to ensure a level of security appropriate to the existing risk.

In any case, the Data Controller has implemented sufficient mechanisms to:

  1. Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  2. Restore availability and access to personal data quickly in the event of a physical or technical incident.
  3. Regularly verify, evaluate and assess the effectiveness of the technical and organisational measures implemented to guarantee the security of processing.

Where applicable, personal data will be pseudonymised and encrypted.