1. DATA CONTROLLER
1.1 Who is responsible for processing your data?
Identity: Galbaian S.Coop. (Data controller)
Postal address: Goiru kalea 1 A, 20500, Arrasate-Mondragón (Gipuzkoa).
Telephone number: + (34) 943 253 950
2.1 What will the Data Controller use my data for?
The data you provide us with may be used by the Data Controller for one or more of the purposes indicated below, which will be determined by factors such as your relationship with us (e.g. customer) or by the means used to send the data (e.g. issuing a business card).
We will process your data in order to give you access to the private area and link it to your digital files, in which both the status and the phase or the work that has been done in relation to them can be consulted telematically.
Service provision and maintenance of business relationship:
To provide and manage the work and services you request from us, including preparing estimates and quotes, whether or not they are the result of the extension of any service we may currently be providing for you.
To send you commercial communications related to the services and activities offered by the Data Controller and that fall within your reasonable expectation with regard to the services previously contracted. This processing may cease if you object to it.
Administrative management of the relationship, including the management and processing of payment for our services.
Requests for information:
When you contact us, for example, giving us your business card at a trade fair, using the contact form on our website, by telephone, fax, e-mail, messenger services, social networks or even in person, to request information or query anything, to make a suggestion, complaint or claim, we will process your data in order to respond to the request for information and/or query you have put forward, with the appropriate management and scope and in order to keep you informed of any relevant new developments. This operation may include the use of the data received for producing proposals for services and/or collaboration, in the event that the request is related to such issues.
If you were the representative of a company, your data will be processed in order to maintain the relationship or meet the request of the legal entity.
2.2 How long will you keep my data?
The amount of time we will keep your data for is closely linked to the type of processing it will undergo.
In this respect, we would like to inform you that in general terms we will process the data for as long as we have a legal relationship with you or until you object to such processing.
Once the period indicated above has expired, we will keep your data to one side, unless otherwise obliged by regulations, until the complete time period for any possible actions that may arise has expired. These terms may be determined, among other issues, by the law applicable to the relationship between the parties.
Therefore, in order to calculate the time we need to retain the data for, we need to take the period indicated in section 2.2.2 as a starting point relating to the specific data processing and add to this the period of time that could apply in terms of the statute of regulations and the statute of limitations for actions.
Time periods related to the specific processing:
Processing relating to the provision of services and maintenance of the business relationship: For as long as the relationship between the parties is maintained.
Processing relating to requests for information. We will process your data for the time necessary to respond and manage your request for information or query.
Cookies: according to the type of cookies, as stated in the corresponding policy.
Time periods imposed by the regulations and the statute of limitations for actions:
Civil Code (article 1964): 5 years.
Code of Commerce: 6 years of mandatory documentation retention imposed by article 30.
3. LEGITIMISATION OF PROCESSING
3.1 Why can the Data Controller process my data? Why is this legitimate?
Depending on the relationship that is established and, therefore, the purpose of the processing, the legal basis may vary. Below is a list of the different situations that may arise and the legal basis that may apply to you depending on the processing:
Access to the area: we inform you that we are entitled to process your data in accordance with the express consent given by you at the time of registration in our private area.
PURPOSES RELATED TO THE PROVISION OF SERVICES OR YOUR CUSTOMER STATUS:
Processing of your data in order to provide you with the contracted service: We are entitled to process your data in accordance with the contract held with you for the purpose of providing the contracted service.
Sending commercial communications: Pursuant to the current legislation in force and having considered our interests and your rights, we hereby inform you that we have a legitimate interest in processing your data in order to send you commercial communications related to the services you have contracted with us (notwithstanding the fact that you may oppose this processing at any time).
Administrative management and compliance with legal obligations: On an accounting and administrative level, we need to process your data in order to comply with the obligations imposed by commercial, fiscal and money laundering regulations, among others, which is why we are legally entitled to process your data.
ATTENDING TO REQUESTS FOR INFORMATION:
Attending to requests for information: This processing is allowed by means of your consent given either when sending your request for information and/or assistance, or when giving your data to our company personnel by any means used for this purpose (business cards, in person…).
We are entitled to process your data under the terms of your consent given when you start to browse our website.
In this case, considering the balance between our interests and your rights, we inform you that we hold a legitimate interest in the processing of your personal data for the purpose established in point 2.
3.2 Consequences of withdrawing your consent or opposing the processing of your data. Mandatory and optional fields.
In the event that you are asked at any time to give your authorization for processing for a purpose for which your consent is required, failure to give your consent (or the subsequent withdrawal of consent) will not affect you in any way. Neither will your opposition to the processing of your data for purposes based on legitimate interest (for example, the use of your data as a customer for sending commercial communications).
On some data collection forms, you will clearly see that some fields are marked as mandatory (with an asterisk) while the rest are absolutely optional. Therefore, there will be no repercussions if you leave the optional fields blank, although you may fill them in if you so wish.
4.1 Will my data be passed on to third parties?
In general, your data will not be passed on to any third party without your explicit and affirmative consent, unless we are legally obliged to do so.
4.2 Providers of services related to the website and the e-mail service.
Hosting: the website of the Data Controller is hosted by the provider DinaHosting S.L.
5.1 What are my data protection rights? General information.
With regard to the personal data collected for processing, you are entitled to exercise your rights of access, rectification, deletion and portability. We also inform you that in certain circumstances you will have the right to request a limitation or to oppose the processing of your data, in which case the Data Controller will stop processing and will only retain the data if legally required to do so or until the statute of limitations for any actions that may arise has expired.
If you would like more information about the aforementioned rights please continue reading or consult the infographic produced by the Spanish Data Protection Agency that can be accessed via the following link.
5.2 What are these rights?
Right of access: This right allows the data subject to obtain confirmation from the Data Controller as to whether or not personal data concerning him is being processed and, if so, the right of access to the personal data as well as to the following additional information:
The processing purposes
The categories of personal data concerned
The recipients or categories of recipients
The expected period of retention, or the criteria used to determine this time period
The existence of the right to request the Data Controller to rectify or delete the personal data or to request that the processing of personal data related to the data subject be limited, or to object to such processing.
The right to file a complaint with a supervisory authority.
Information available on the source of the data.
The existence of automated decisions.
Right of rectification: This right entitles the data subject to request the Data Controller to rectify or supplement inaccurate personal data without delay. It is important that the data held in the databases is up to date and in this regard, we are ready and willing to rectify any errors or inaccuracies that may exist in the data.
Right to deletion: You are entitled, at any time, to ask us to delete your personal data. We will comply with such a request without delay unless any of the circumstances set out in the General Data Protection Regulations apply, including the fact that we must retain your data in order to comply with a legal obligation or so we are able to defend ourselves against a claim.
Right of portability: In the case of automated data based on your consent, you may request that we, in a structured, commonly used and machine-readable format, forward the personal data you have provided to another data controller.
Right of objection: This right entitles the data subject to object to the processing of his data by the data controller. This right is not absolute, which means that the data controller may continue to process the data provided that he can prove legitimate reasons that prevail over his interests, the rights of the data subject or for the submission, exercise and defense of claims.
Right to limit processing: This right entitles the data subject to request the data controller to limit the processing of his personal data under certain circumstances, as indicated below. If this right is exercised, the data controller may only process the data with the consent of the data subject. The circumstances under which this right may be exercised are those listed below:
If the data subject contests the accuracy of the personal data, for a period of time allowing the data controller to verify the accuracy of the data.
If the processing carried out by the data controller is unlawful and the data subject objects to the deletion of the personal data and instead requests that the use of the data be limited.
If the data controller no longer needs the personal data for processing purposes, but the data subject needs the data for the submission, exercise or defense of claims.
If the data subject has objected to the processing, while it is being verified whether the data controller’s legitimate reasons prevail over those of the data subject.
5.3 How and where can I exercise these rights?
We will be happy to answer any questions or complaints you may have regarding data protection. Similarly, you may submit your complaint or exercise your rights through any of the contact channels indicated at the beginning of this data protection policy.
You may also contact the supervisory authority which you consider appropriate to file your complaint (for example, in the country where you have your usual residence or place of work or where you consider the alleged infringement to have occurred). To this effect, we hereby inform you that in Spain the Controlling Authority is the Spanish Data Protection Agency, and you may exercise your rights via the forms authorised by this entity for this purpose, which are available on its online site.
5.4 How long may it take to process my request to exercise my rights?
The reference period is one month from the receipt of your request. However, this period may be extended by a further two months if necessary, taking into account the complexity and number of requests. The Data Controller will inform the data subject of any such extension within one month of receipt of the request, stating the reasons for the delay.
5.5 Will it cost me anything to exercise these rights?
It will not cost you anything to exercise your rights, except that in the case of manifestly unfounded or excessive requests, in particular repetitive requests, the Data Controller may charge a fee to compensate for the administrative costs of dealing with the request or refusing to act (the fee must not imply extra revenue for the data controller, but must correspond effectively to the true cost of processing the request).
Version 1.0 – Updated to September 2018