Privacy policy
Data Controller
The Data Controller is VULGALIA, S.L., C/ Zapateros 27 and 29 Pol. Tres Hermanas 03680 Aspe (Alicante), Spain.
Principles of privacy
At VULGALIA, S.L. we are committed to working continuously to guarantee your privacy when processing your personal data, and to offering you the most comprehensive and clear information that we can at all times. We encourage you to read this section carefully before providing us with your personal details.
If you are under the age of fourteen, we ask you not to provide us with your data without consent from your parents or guardians.
In this section, we inform you about how we process the data regarding people that have a relationship with our organisation. Starting with our principles:
– We do not request personal information, unless it is necessary in order to provide you with the services you require.
– We never share personal information with anyone else, except to comply with the law, when required to provide you with the service or if we have your express authorisation.
– We will never use your personal data for purposes other than those stated in this privacy policy.
– Your data will always be processed with an appropriate level of protection in line with data protection legislation, and we will not subject it to automated decisions without expressly informing you.
This privacy policy has been written taking into account the requirements of current data protection legislation:
– Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016 regarding the protection of natural persons (GDPR).
– Spanish Organic Law 3/2018, of December 5th, on the Protection of Data of a Personal Nature and the guarantee of digital rights (LOPD).
– Spanish Royal Decree 1720/2007, of December 21st (RLOPD).
This privacy policy has been written and dated December 6th, 2018.
Due to the modification of processing criteria, in the interests of facilitating its understanding or to adapt it to current legislation, we may modify this privacy policy. We will update the modification date so that you can check its validity.
The processing that we carry out
PROCESSING OF EMPLOYEES
Legal basis: GDPR: 6(1)(b) Processing necessary for the performance of a contract that the individual concerned is party to, or for application at the request of the individual concerned prior to entering into a contract.
GDPR: 6(1)(c) Processing necessary for compliance with a legal obligation that the controller is subject to.
Royal Legislative Decree 2/2015, of October 23rd, approving the Codified Text of the Law on the Statute of Rights for Workers.
Purposes of the Processing: – Management of recruited staff.
– Personal record. – Control of working hours. Training. Pension Plans. Prevention of Occupational Risks.
– Processing of staff payroll.
– Managing union activity.
Group: Employees
Data categories: – Name and Surname(s), DNI/CIF/Identification Document, personnel record number, Social Security / Insurance number, address, signature, telephone number.
– Special categories of data: health data (sick leave, work-related accidents and degree of incapacity, without inclusion of diagnoses), trade union membership, exclusively for the purpose of paying union fees (if applicable), trade union representative (if applicable), own and third party proof of attendance.
– Details of personal characteristics: Sex, marital status, nationality, age, date and place of birth and family information. Data relating to family circumstances: Start and leave date, licenses, permits and authorisations.
– Academic and professional details: Qualifications, training and professional experience.
– Employment details: job post and administrative career. Incompatibilities.
– Attendance monitoring data: date/time of entry and departure, reasons for absence.
– Economic-financial data: Economic data regarding payroll, credits, loans, guarantees, tax deductions, salary reductions corresponding to the previous job (if applicable), judicial deductions (if applicable), other deductions (if applicable) Bank details.
Recipient categories: – Entity that is responsible for managing occupational risks.
– Social Security Fund.
– Trade union organisations.
– Financial bodies.
– State Tax Administration Agency.
– Main contractors that we provide services to as subcontractors.
International Transfers: There is no intention to transfer your information internationally.
Deletion Deadline: The information will be kept for the necessary time to comply with the purpose for which it was collected and to determine possible liabilities that may arise from this purpose and the processing of the information.
The financial data regarding this processing activity will be kept in line with the provisions of Law 58/2003, of December 17th, General Taxation Law.
Security Measures: In line with the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
PROCESSING OF CONTACTS
Legal basis: Consent of the person concerned
Purposes of the Processing: To deal with a request, send out information and monitor the request.
Group: Contact persons, clients, suppliers
Data categories: Name and Surname(s), telephone number, email address
Recipient categories: There is no intention to transfer information to third parties.
International Transfers: There is no intention to transfer your information internationally.
Deletion Deadline: Contact details will be kept for an indefinite period, or until the person concerned requests their deletion.
Security Measures: In line with the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
PROCESSING FOR DEALING WITH PEOPLE’S RIGHTS (ARCO)
Legal basis: GDPR: 6(1)(c) Processing necessary for compliance with a legal obligation that the controller is subject to.
General data protection regulation.
Purposes of the Processing: Handling requests in the exercising of rights established by the General Data Protection Regulation: Right of access, rectification, deletion, limitation, portability and opposition to automated decision-making.
Group: Natural persons that request it (employees, clients, suppliers, contact persons)
Data categories: Name and Surname(s), address, signature and telephone number.
Recipient categories: Personal data may be communicated to the Control Authority (Spanish Data Protection Agency) in the context of an investigation into the protection of rights initiated by the individual concerned.
International Transfers: There is no intention to transfer your information internationally.
Deletion Deadline: The data will be kept for a period of five years from the time of the request.
Security Measures: In line with the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
PROCESSING OF CANDIDATES IN SELECTION PROCESSES (HR)
Legal basis: 6(1)(a) The individual concerned has given consent to the processing of his or her personal data for one or more specific purposes.
GDPR: 6(1)(b) Processing necessary for the performance of a contract that the individual concerned is party to or for application at the request of the individual concerned prior to entering into a contract.
Purposes of the Processing: Staff recruitment and filling vacant posts.
Group: Candidates that have applied via the procedure for filling vacant posts.
Data categories: – Name and Surname(s), DNI/CIF/Identification Document, personnel record number, address, signature and telephone number.
– Details of personal characteristics: Sex, marital status, nationality, age, date and place of birth and family information.
– Academic and professional details: Qualifications, training and professional experience.
– Employment details.
Recipient categories: There is no intention to transfer your data to third parties.
International Transfers: There is no intention to transfer your information internationally.
Deletion Deadline: The information will be kept for the necessary time to comply with the purpose for which it was collected and to determine possible liabilities that may arise from this purpose and the handling of the information.
Security Measures: In line with the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
PROCESSING OF SUPPLIERS
Legal basis: GDPR: 6(1)(b) Processing necessary for the performance of a contract that the individual concerned is party to or for application at the request of the individual concerned prior to entering into a contract.
GDPR: 6(1)(c) Processing necessary for compliance with a legal obligation that the controller is subject to.
Royal Legislative Decree 2/2015, of October 23rd, approving the Codified Text of the Law on the Statute of Rights for Workers.
Law 58/2003, of 19th December, General Taxation Law.
Purposes of the Processing: – Purchase of products and/or services that we require to carry out our activity.
– Control of subcontractors if applicable.
Group: – Suppliers.
– People who work for our suppliers.
Data categories: – Name and Surname(s), DNI/NIF/Identification document, address, signature and telephone number.
– Employment details: job post. Training in workplace health and safety.
– Economic / financial and insurance details: Bank details.
Recipient categories: – Financial bodies. (Payment of invoices)
– State Tax Administration Agency.
International Transfers: There is no intention to transfer your information internationally.
Deletion Deadline: The information will be kept for the necessary time to comply with the purpose for which it was collected and to determine possible liabilities that may arise from this purpose and the processing of the information, in accordance with Law 58/2003, of December 17, General Taxation Law,
Security Measures: In line with the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
PROCESSING OF CLIENTS.
Legal basis: GDPR: 6(1)(a) The individual concerned has given consent to the processing of his or her personal data for one or more specific purposes.
GDPR: 6(1)(b) Processing necessary for the performance of a contract that the individual concerned is party to or for application at the request of the individual concerned prior to entering into a contract.
GDPR: 6(1)(c) Processing necessary for compliance with a legal obligation that the controller is subject to.
GDPR: 6(1)(f) Processing is necessary in order to satisfy the legitimate interests pursued by the data controller.
Royal Legislative Decree 2/2015, of October 23rd, approving the Codified Text of the Law on the Statute of Rights for Workers.
Law 58/2003, of 19th December, General Taxation Law.
Purposes of the Processing: Supply of our products / services
Group: Clients
Data categories: – Name and Surname(s), DNI/NIF/Identification document, address, signature and telephone number.
– Economic / financial and insurance details: Bank details
Recipient categories: – Financial bodies.
– State Tax Administration Agency.
International Transfers: There is no intention to transfer your information internationally.
Deletion Deadline: The information will be kept for the necessary time to comply with the purpose for which it was collected and to determine possible liabilities that may arise from this purpose and the processing of the information, in accordance with Law 58/2003, of December 17, General Taxation Law,
Security Measures: In line with the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
PROCESSING FOR THE NOTIFICATION OF SECURITY BREACHES
Legal basis: GDPR: 6(1)(c) Processing necessary for compliance with a legal obligation that the controller is subject to.
General data protection regulation. Articles 33 and 34
Purposes of the Processing: Management and assessment of security breaches that may arise in our organisation.
Group: Variable: Employees, Customers, Suppliers, Contact Persons (will depend on the security breach)
Data categories: Variable. (dependent on the security breach)
Recipient categories: – Spanish Data Protection Agency.
Law Enforcement Agents.
International Transfers: There is no intention to transfer your information internationally.
Deletion Deadline: The information will be kept for the necessary time to comply with the purpose for which it was collected and to determine possible liabilities that may arise from this purpose and the processing of the information. The provisions of the legislation regarding files and documentation will apply.
Security Measures: In line with the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
Your rights
You have the right to ask us for a copy of your personal data, to rectify inaccurate or incomplete data, or delete it if applicable, when the data is no longer required for the purposes for which it was collected.
You also have the right to limit the processing of your personal data and to obtain your personal data in a structured and readable format.
You can oppose the processing of your personal data in some circumstances (in particular, when we are not required to process it in order to comply with a contractual or other legal requirement, or when the purpose of processing is direct marketing).
Where you have given us your consent, you will be able to withdraw it at any time. At that moment, we will stop processing your data or, if applicable, we will stop doing so for that specific purpose. If you decide to withdraw your consent, this will not affect any processing that has been carried out while the consent was in place.
These rights may be limited; for example, if we need to reveal data about another person in order to fulfil your request, or if you ask us to delete a record that we are obliged to keep due to a legal obligation or a legitimate interest, such as to defend ourselves against any claims. There are even cases where the right to freedom of expression and information must prevail.
You can contact us through any of the means stated in the Data Controller section of this privacy policy, providing a copy of a document that proves your identity (usually your DNI).
Another of your rights is to not be the subject of a decision based solely on automated processing, including the creation of profiles which produce legal implications or that affect you.
In the event of any breach of your rights, such as, for example, that we have not dealt with your request, you have the right to file a complaint with the Supervisory Authority in relation to data protection. This may be the authority in your own country (if you reside outside Spain) or the Spanish Data Protection Agency (if you live in Spain).
Links to third party websites.
Our website may sometimes contain links to other websites. It is your responsibility to ensure you read the data protection policy and legal conditions that apply to each site.
Third party data.
If you provide us with data regarding a third party, you assume the responsibility for notifying them in advance in accordance with the provisions of Article 14 of the GDPR.