PRIVACY AND DATA PROTECTION POLICY
In accordance with the provisions of current legislation, AmbTu (hereinafter also the Website) undertakes to adopt the necessary technical and organisational measures according to the appropriate level of security for the risk of the data collected.
• Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”).
• Spanish Organic Law 3/2018 of 5 December, on Protection of Personal Data and Guarantee of Digital Rights (the “OLPD-GDR”).
• Royal Decree 1720/2007 of 21 December, approving the Regulations for the implementation of Organic Law 15/1999 of 13 December, concerning Protection of Personal Data.
• Spanish Law 34/2002 of 11 July, on Information Society and E-commerce Services (LISS-EC).
Identity of the data controller of the personal data
The data controller of the processing of the personal data collected at AmbTu is: AMBTUCOOP, SCCL, with tax identity number F01823699, registered in: the Barcelona Register of Cooperatives with the following registration details: Entry 1, registration sheet 15545, and represented by: Rebeca Segura Alonso (hereinafter the Data controller). Her contact details are as follows:
Address: c/ Sagitari 4, 08818 Olivella (Barcelona, Spain)
Contact telephone number: 93 232 34 23
Contact email: firstname.lastname@example.org
Personal Data Register
Pursuant to the provisions of the GDPR and the OLPD-GDR, you are hereby informed that the personal data collected by AmbTu through the contact form will be incorporated and processed in our file in order to facilitate, expedite and fulfil the commitments made between AmbTu and the User and to maintain the relationship established in the forms that the User fills out, or to deal with to a request or query made by the User. Likewise, in accordance with the provisions of the GDPR and the OLPD-GDR, unless the exception provided for in article 30.5 of the GDPR is applicable, a record of processing activities will be maintained that specifies the processing activities carried out according to their purposes and the other circumstances provided for in the GDPR.
Principles applicable to personal data processing
The processing of the User’s personal data will be subject to the following principles contained in article 5 of the GDPR and in article 4 and those following of Organic Law 3/2018 of 5 December on Protection of Personal Data and Guarantee of Digital Rights:
• Principle of lawfulness, fairness and transparency: the User’s consent will be required at all times, subject to completely transparent information on the purposes for which the personal data is collected.
• Principle of purpose limitation: the personal data will be collected for specific, explicit and legitimate purposes.
• Principle of data minimisation: the personal data collected will be limited to the data strictly necessary for the purposes for which they are processed.
• Principle of accuracy: the personal data must be accurate and always kept up to date.
• Principle of storage limitation: the personal data will only be kept in a way that allows the User to be identified for no longer than is necessary for the purposes for which the data is processed.
• Principle of integrity and confidentiality: the personal data will be treated in a way that ensures their security and confidentiality.
• Principle of proactive accountability: the Data Controller will be responsible for ensuring compliance with the above principles.
Categories of personal data
The categories of data that are processed in AmbTu are only identifying data. No special categories of personal data as listed in Article 9 of the GDPR are processed.
Legal basis for the processing of the personal data
The legal basis for the processing of the personal data is consent. AmbTu undertakes to obtain the express and verifiable consent of the User for the processing of their personal data for one or more specific purposes.
The User shall be entitled to withdraw their consent at any time. The withdrawal of consent will be as simple as giving it. Withdrawal of consent will not affect the use of the Website.
On the occasions on which the User has to or is able to provide their data through forms to make inquiries, request information or for reasons related to the content of the Website, they will be informed if the completion of any of these forms is mandatory as a result of them being essential for the operation to be carried out correctly.
Purposes of the processing to which the personal data are subjected
The personal data are collected and managed by AmbTu in order to facilitate, expedite and fulfil the commitments made between the Website and the User, or to maintain the relationship established in the forms that the latter fills out or to deal with a request or query.
Likewise, the data may be used for operational and statistical commercial personalisation purposes, and activities related to the corporate purpose of AmbTu, and for the extraction and storage of data and marketing studies to adjust the Content offered to the User, and to improve the quality, operation and navigation experience of the Website.
When the personal data are obtained, the User will be informed about the specific purpose or purposes of the processing which the personal data will undergo; that is to say, the use or uses that will be made of the information collected.
Personal data retention periods
The personal data will only be retained for the minimum time necessary for the purposes of its processing, and under all circumstances only for the following period: one year, or until the User requests its deletion.
At the time the personal data are obtained, the User will be informed about the length of the period for which the personal data will be kept, or when this is not possible, the criteria used to determine this period.
Recipients of personal data
The User’s personal data will not be shared with third parties.
The User will under all circumstances be informed about the recipients or categories of recipients of the personal data at the time the personal data are obtained.
Personal data of minors
In accordance with the provisions of articles 8 of the GDPR and 7 of Organic Law 3/2018 of 5 December, on Protection of Personal Data and Guarantee of Digital Rights, only people over 14 years of age may lawfully grant their consent for the processing of their personal data by AmbTu. If the minor is less than 14 years of age, the consent of their parents or guardians will be required for the processing, and this will only be considered lawful insofar as parents or guardians have authorised it.
Secrecy and security of personal data
AmbTu undertakes to adopt the necessary technical and organisational measures according to the level of security appropriate to the risk of the data collected, in order to ensure the security of the personal data and to prevent the accidental or unlawful destruction, loss or alteration of the personal data transmitted, stored or otherwise processed, and unauthorised communication or access to the data.
The Website has an SSL (Secure Socket Layer) certificate, which ensures that personal data are transmitted securely and confidentially, as the transmission of data between the server and the User and in feedback is fully ciphered or encrypted.
However, given that AmbTu cannot guarantee the impregnability of the Internet or the total absence of hackers or other parties fraudulently accessing the personal data, the Data Controller undertakes to notify the User without undue delay in the event of a breach of personal data security that is likely to pose a high risk to the rights and freedoms of natural persons. According to the provisions of article 4 of the GDPR, a breach of personal data security is considered to be any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, or unauthorised communication or access to that data.
The personal data will be treated as confidential by the Data Controller, who undertakes to inform and guarantee through a legal or contractual obligation that this confidentiality is respected by its employees, associates, and everyone who has access to the information.
Rights arising from the processing of personal data
The User has the following rights with regard to AmbTu recognised in the GDPR and Organic Law 3/2018 of 5 December on Protection of Personal Data and Guarantee of Digital Rights, and may therefore exercise them with the Data Controller:
• Right of access: This is the User’s right to obtain confirmation as to whether or not AmbTu is processing their personal data and if so, to obtain information about their specific personal data and the processing of them that AmbTu has carried out or carries out, as well as the information available on the source of the data and the recipients of the communications made or planned concerning them, among other information.
• Right to rectification: This is the User’s right to amend their personal data that is inaccurate or that is incomplete for the purposes of the processing.
• Right to erasure (“the right to be forgotten”): This is the User’s right, provided that the current legislation does not establish otherwise, to have their personal data erased when they are no longer necessary for the purposes for which they were collected or processed; the User has withdrawn their consent to the processing and there is no other legal basis for the processing; the User objects to the processing and there is no other legitimate grounds to continue it; the personal data have been unlawfully processed; the personal data must be erased in accordance with a legal obligation; or the personal data have been obtained as a result of a direct offer of information society services to a child under 14 years of age. In addition to erasing the data, and taking into account available technology and the cost of its application, the Data Controller must take reasonable steps to inform controllers processing the personal data of the data subject’s request to erase any links to those personal data.
• Right to restriction of processing: This is the User’s right to restrict the processing of their personal data. The User has the right to restriction of processing when they contest the accuracy of their personal data; the processing is unlawful; the data controller no longer needs the personal data, but the User needs it to make claims; and when the User has objected to the processing.
• Right to data portability: In the event that the processing is carried out by automated means, the User shall have the right to receive their personal data from the Data Controller in a structured, commonly used and machine-readable format, and to transmit the data to another data controller. Whenever technically possible, the Data Controller must transmit the data directly to the other controller.
• Right to object: This is the User’s right to object to the processing of their personal data being carried out or to the processing of the data by AmbTu to stop at any time.
• Right not to be the subject of a decision based solely on automated processing, including profiling: This is the User’s right not to be the subject of an individualised decision based solely on the automated processing of their personal data, including profiling, unless the applicable legislation stipulates otherwise.
The User may exercise their rights by a written communication addressed to the Data Controller with the reference “RGPD-www.ambtu.coop”, specifying:
• The User’s name and surname(s) and attaching a copy of their national identity document. In cases where representation is permitted, the person representing the User must also identify themselves by the same means, and include a document certifying the representation. The photocopy of the national identity document may be replaced by any other legally valid means that proves identity.
• A request stating the specific reasons for the request or the information desired.
• Address for correspondence.
• Date and signature of the applicant.
• Any document that accredits the request made.
This application and any other attached documents may be sent to the following address and/or email:
Postal address: c/ Sagitari 4, 08818 Olivella (Barcelona, Spain)
Links to third party websites
The Website may include hyperlinks or links that enable access to web pages of third parties other than AmbTu, and which are therefore not operated by AmbTu. The owners of these websites will have their own data protection policies, and are themselves responsible for their own files and their own privacy practices in each case.
Complaints to the supervisory authority
If the User considers that a problem or a breach of the applicable regulations in the way in which their personal data are being processed has arisen, they are entitled to effective judicial protection and to file a claim with a supervisory authority in particular, in their habitual country of residence, place of work or the place where the alleged breach took place. The supervisory authority in Spain is the Spanish Data Protection Agency (https://www.aepd.es/).