- Identity of the Data Controller
- Applicable Laws and Regulations
- Principles applicable to the processing of personal data
- Data Processing Activities carried out
- Necessary and up-to-date information
- Personal data of minors
- Technical and organizational security measures
- Rights of data subjects
- Complaints to the Supervisory Authority
Therefore, in this Privacy and Data Protection Policy, users of the website http://www.serra.com.es are informed about all relevant details regarding how these processes are carried out, the purposes for which they are conducted, any other entities that may have access to their data, and the rights of the users.
"Personal data": Any information relating to an identified or identifiable natural person ("the user of the Website"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
"Processing": Any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"Restriction of processing": The marking of stored personal data with the aim of limiting its processing in the future.
"Profiling": Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
"Pseudonymization": The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
"File": Any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.
"Controller" or "data controller": The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
"Processor" or "data processor": A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
"Recipient": A natural or legal person, public authority, agency, or another body to whom the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
"Third party": A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
"Consent of the data subject": Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
"Personal data breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
"Genetic data": Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or health of that person and which result, in particular, from an analysis of a biological sample from the natural person.
"Biometric data": Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images or fingerprint data.
"Data concerning health": Personal data relating to the physical or mental health of a natural person, including the provision of health services, which reveal information about their health status.
a) In relation to a data controller with establishments in more than one EU member state, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing are taken in another establishment of the controller in the Union, in which case the establishment that has taken such decisions shall be considered the main establishment;
b) In relation to a data processor with establishments in more than one EU member state, the place of its central administration in the Union, or if it has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of a controller's establishment are carried out, to the extent that the processor is subject to specific obligations under this Regulation.
"Representative": A natural or legal person established in the Union who has been designated in writing by the data controller or processor in accordance with Article 27 of the GDPR to represent them regarding their respective obligations under this Regulation.
"Enterprise": A natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships or associations regularly engaged in an economic activity.
"Supervisory authority": An independent public authority established by a member state in accordance with Article 51 of the GDPR. In the case of Spain, it is the Spanish Data Protection Agency.
a) The processing of personal data in the context of the activities of establishments in more than one EU member state of a controller or processor in the Union, where the controller or processor is established in more than one EU member state, or
b) The processing of personal data in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one EU member state.
"Information society service": Any service provided normally for remuneration, at a distance, by electronic means, and at the individual request of a recipient of services.
3.- DATA CONTROLLER IDENTITY
The Data Controller is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. This applies when the purposes and means of the processing are determined by European Union law or the law of an EU member state.
In the context of the provisions outlined in this Data Protection Policy, the identity and contact details of the Data Controller are as follows:
Talleres Serra, S.L. - CIF B08695678
Avda Comte de Llobregat, 46. 08760, Martorell (Barcelona), España
Email: [email protected]
4.- APPLICABLE LAWS AND REGULATIONS
This Privacy and Data Protection Policy is developed based on the following data protection laws and regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, commonly known as the GDPR.
- Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights, commonly referred to as the LOPD/GDD.
- Law 34/2002 of 11 July on Information Society Services and Electronic Commerce, commonly known as the LSSICE.
5.- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
The personal data collected and processed through this website will be treated in accordance with the following principles:
- Principle of lawfulness, fairness, and transparency: All processing of personal data carried out through this website will be lawful and fair, and it will be made clear to the user when their personal data is being collected, used, accessed, or processed. Information regarding the processing activities will be provided in advance, easily accessible, and presented in a clear and straightforward language.
- Principle of purpose limitation: All data will be collected for specified, explicit, and legitimate purposes and will not be further processed in a manner that is incompatible with those purposes.
- Principle of data minimization: The collected data will be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
- Principle of accuracy: The data will be accurate and, if necessary, kept up to date, taking all reasonable steps to promptly rectify or erase personal data that is inaccurate or incomplete with regard to the purposes for which it is processed.
- Principle of storage limitation: The data will be kept in a form that permits identification of the data subjects for no longer than is necessary for the purposes of processing personal data.
- Principle of integrity and confidentiality: The data will be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.
- Principle of accountability: The entity owning the website will be responsible for complying with the principles set forth in this section and will be able to demonstrate such compliance.
6.- DATA PROCESSING ACTIVITIES
Below are the data processing activities carried out through the website, specifying each of the following sections:
- Activity: Name of the data processing activity
- Purposes: Each of the uses and treatments performed with the collected data
- Legal basis: The legal basis that legitimizes the data processing
- Data processed: Typology of the processed data
- Source: Where the data is obtained from
- Retention: Period during which the data is retained
- Recipients: Individuals or third-party entities to whom the data is provided
- International transfers: Cross-border transfers of data outside the European Union
6.1 MAIN PROCESSING ACTIVITIES
These are the data processing activities whose purposes are necessary and essential for the provision of services.
6.2 OPTIONAL PROCESSING ACTIVITIES (if the user has given consent)
These are the data processing activities whose purposes are not essential for the provision of the service and are only carried out if the user has selected YES in the consent for the performance of these activities.
- Legal basis: Explicit consent of the data subject
- Purposes: Marketing, advertising, and commercial prospecting
- Categories of data and data subjects: Customers (Identifying data); Potentials (Identifying data)
- Source: The data subject or their legal representative
- Recipients: No recipients are foreseen
- International transfers: No international transfers are foreseen
- Retention: Until requested for deletion by the data subject.
7.- UP-TO-DATE AND NECESSARY INFORMATION
All fields marked with an asterisk (*) on the Website forms are mandatory. Failure to complete any of them may result in the inability to provide the requested services or information.
You must provide accurate information to ensure that the provided information is always up-to-date and free of errors. You should promptly notify the Data Controller of any modifications or rectifications to your personal data by sending an email to the following address: [email protected].
8.- DATA OF MINORS
In compliance with the provisions of Article 8 of the GDPR and Article 7 of the LOPD/GDD, only individuals aged 14 or older can consent to the processing of their personal data by Talleres Serra, S.L.
Therefore, individuals under the age of 14 cannot use the services available through the Website without the prior authorization of their parents, guardians, or legal representatives. They will be solely responsible for all acts carried out through the Website by the minors under their care, including the completion of online forms with the personal data of such minors and the selection, if applicable, of the accompanying checkboxes.
9.- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The Data Controller implements the necessary organizational and technical measures to ensure the security and privacy of your data, and to prevent its alteration, loss, unauthorized access, or processing, taking into account the state of the technology, the nature of the stored data, and the risks to which it is exposed.
Among others, the following measures are implemented:
- Ensuring the permanent confidentiality, integrity, availability, and resilience of the processing systems and services.
- Promptly restoring the availability and access to personal data in the event of a physical or technical incident.
- Regularly verifying, assessing, and evaluating the effectiveness of the implemented technical and organizational measures to ensure the security of the processing.
- Pseudonymizing and encrypting personal data, especially sensitive data.
Furthermore, the Data Controller has decided to manage information systems according to the following principles:
- Principle of regulatory compliance: All information systems will comply with applicable legal, regulatory, and sector-specific requirements concerning information security, especially those related to the protection of personal data, system security, data, communications, and electronic services.
- Principle of risk management: Risks will be minimized to acceptable levels, striking a balance between security controls and the nature of the information. Security objectives will be established, reviewed, and aligned with information security aspects.
- Principle of awareness and training: Training programs, awareness initiatives, and campaigns will be implemented for all users with access to information, focusing on information security.
- Principle of proportionality: The implementation of controls that mitigate security risks will be carried out by seeking a balance between security measures, the nature of the information, and the level of risk.
- Principle of responsibility: All members of the Data Controller will be responsible for their conduct regarding information security, complying with established rules and controls.
- Principle of continuous improvement: The effectiveness of security controls implemented in the organization will be periodically reviewed to enhance the ability to adapt to the constantly evolving risk and technological environment.
10.- RIGHTS OF DATA SUBJECTS
Current data protection regulations protect users by granting them a series of rights regarding the use of their data. Each of these rights is personal and non-transferable, meaning that they can only be exercised by the data subject upon verification of their identity.
The following are the rights of users of the website:
Right of access: The user of the website has the right to obtain confirmation from the Data Controller as to whether or not their personal data is being processed. If the data is being processed, the user has the right to obtain specific information about their personal data and the processing activities performed or to be performed by the Data Controller. This includes information about the origin of the data and the recipients of any communications made or planned regarding the data.
Right of rectification: The user of the website has the right to request the correction of their inaccurate or incomplete personal data, taking into account the purposes of the processing.
Right to erasure: Also known as the "right to be forgotten," the user of the website has the right, unless otherwise provided by current legislation, to request the erasure of their personal data when it is no longer necessary for the purposes for which it was collected or processed, when the user has withdrawn their consent and there is no other legal basis for the processing, when the user objects to the processing and there are no overriding legitimate grounds for the processing, when the personal data has been unlawfully processed, or when the personal data has been obtained in relation to the offer of information society services to a child under 14 years of age. In addition to erasing the data, the Data Controller, considering the available technology and the cost of its implementation, will take reasonable measures to inform other potential data controllers who may be processing the data of the data subject's request for the erasure of any links to that personal data.
Right to restriction of processing: The user of the website has the right to restrict the processing of their personal data. This right can be exercised when the user contests the accuracy of their personal data, when the processing is unlawful, when the Data Controller no longer needs the personal data but the user requires it for the establishment, exercise, or defense of legal claims, or when the user has objected to the processing.
Right to data portability: In cases where the processing is carried out by automated means, the user of the website has the right to receive their personal data from the Data Controller in a structured, commonly used, and machine-readable format and to transmit those data to another data controller. Where technically feasible, the Data Controller will transmit the data directly to the other data controller.
Right to object: The user has the right to object to the processing of their personal data or to request the cessation of such processing by the Data Controller.
Right not to be subject to automated decision-making and profiling: The user has the right not to be subject to a decision based solely on automated processing, including profiling, unless provided otherwise by current legislation.
Right to withdraw consent: The user has the right to withdraw their consent for the processing of their data at any time.
The user of the website can exercise any of these rights by contacting the Data Controller and providing identification using the following contact information:
- Contact: Talleres Serra, S.L.
- Address: Avda Comte de Llobregat, 46. 08760, Martorell (Barcelona), España
- Tel: 937754012
- E-mail: [email protected]
- Web: http://www.serra.com.es
11.- RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY
The user is informed of their right to lodge a complaint with the Spanish Data Protection Agency if they believe that there has been a breach of data protection legislation regarding the processing of their personal data.
Contact information for the supervisory authority:
Spanish Data Protection Agency
Email: [email protected]
Phone: +34 912663517
Address: C/. Jorge Juan, 6. 28001, Madrid (Madrid), Spain
Version dated July 28, 2022.