DATA PROTECTION POLICY
This is the data protection policy of Lavola 1981 SAU (hereinafter Lavola), with CIF A58635269, domiciled at Avda. de Roma, 252-254, tel. +34 938 515 055, Manlleu (CP 08560), e-mail address firstname.lastname@example.org, www.lavola.com, entered in the Mercantile Register of Barcelona, General Section, volume 42724, folio 168, sheet 158.397, entry 27.
This policy refers to the personal data that Lavola processes in the exercise of its activities as a service company. The principles, guidelines and requirements of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) and Organic Law 3/2018 of 5 December on the protection of personal data and the guarantee of digital rights (LOPDGDD) are applied at all times to the processing of personal data.
Who is responsible for the processing of personal data?
Lavola is responsible for the processing of personal data obtained through this website. It is also responsible for the personal data it obtains from its customers and suppliers, as well as the data of its employees and collaborators. In these cases, Lavola is responsible for the processing of the data within the meaning of article 4.7 of the General Data Protection Regulations.
Due to its nature and specialisation, Lavola also processes data in compliance with its customers’ orders. In these cases, the person responsible for the processing will be the client, Lavola assuming the function of data processor, in the sense of article 4.8 of the General Data Protection Regulations.
For what purpose do we process the data?
We treat personal data with people’s rights in mind and always proportionally. Lavola’s main activities include the organisation and management of communication campaigns, educational projects, participation sessions and consultancy services, activities that it carries out on behalf of companies and public bodies.
On the other hand, Lavola processes data under its sole responsibility. The following is a list of the main purposes of the processing carried out by Lavola as data controller.
Customer services. We register our customers and process any additional data that may be generated as a result of the business relationship. During the contracting process, essential data is requested, which must include bank details that will be communicated to banks at the time of invoicing and only for this purpose. The relationship between the provision of services entails other treatments, such as incorporating the data into the accounts, invoicing or information to the tax administration.
Information about our products and services. While there is a contractual relationship with its customers Lavola uses contact data to communicate information about this relationship, information that may circumstantially include references to our services, whether general or more specifically referred to the characteristics and needs of the customer. Lavola sends information about its services to people who request it, whether or not there was a previous commercial relationship. In these cases your explicit consent is requested.
Management of our suppliers’ data. We register and treat the data of the suppliers from whom we obtain services or goods. This can be the data of persons acting as freelancers and also data of representatives of legal persons. We collect the data necessary to maintain the business relationship, we use them only for this purpose and make use of this type of relationship.
Attention to queries. We attend the consultations of the people who contact with us by means of forms of contact of our web page. We use them only for this purpose. We attend by telephone the people who contact us by this way.
Personnel selection. We keep the curriculum vitae sent to us by people interested in working with us and we also process personal data resulting from personnel selection processes. We do this in order to analyse the suitability of the profile of candidates for vacant or newly created posts. Our criterion is to keep for a maximum period of two years also the data of people who do not end up being hired, in case in the short term there is a new vacancy or new job. However, in the latter case, we immediately delete the data if the interested party asks us to do so.
Video surveillance. In the access to our facilities it informs, when it is the case, of the existence of cameras of video-surveillance by means of the homologated labels. The cameras record images only of the points where it is justified in order to guarantee the safety of goods and people. The images are only used for this purpose.
What is the legal legitimacy for data processing?
The data processing we carry out has different legal grounds, depending on the nature of each processing. We list the main cases where Lavola is responsible for the processing.
In compliance with a pre-contractual relationship. Case of data of potential customers or suppliers with whom we have relationships prior to the formalization of a contractual relationship, such as the preparation or study of budgets). It is also the case of the processing of data of people who have sent us their curriculum vitae or who participate in selective processes.
In compliance with a contractual relationship. Case of the relations with our clients and suppliers and all the actions and uses that these relations entail.
In compliance with legal obligations. The communication of data to the tax administration is established by rules regulating commercial relations. It may be necessary to communicate data to judicial bodies or law enforcement agencies in compliance with legal regulations that require collaboration with these public bodies.
On the basis of consent. When sending information about our products or services, we process the contact details of the recipients with their explicit authorisation or consent. The navigation data that we can obtain through cookies are obtained with the consent of the person visiting our website, consent that can be revoked at any time by uninstalling these cookies.
For legitimate interest. The images we obtain with video surveillance cameras are treated for the legitimate interest of our company to preserve its assets and facilities. Our legitimate interest also justifies the processing of data obtained from contact forms.
To whom is the data communicated?
As a general criterion we only communicate data to administrations or public authorities and always in compliance with legal obligations. For the purpose of invoicing our services, data may be communicated to banks. In justified cases we will communicate the data to the competent law enforcement agencies or judicial bodies.
In other respects, for certain tasks we obtain the services of companies or individuals who bring their experience and expertise. In some occasions these external companies must access personal data of our responsibility. It is not a transfer of data, but a processing order. Services are only contracted from companies that guarantee compliance with data protection regulations. At the time of contracting, their confidentiality obligations are formalised and their actions are monitored. This may be the case of data hosting services, computer support services or legal, accounting or tax advice.
How long do we keep the data?
The data are kept until the legal responsibilities derived from the contractual relation are prescribed. In the case of data that is processed on the basis of the consent of the person concerned, it is kept until this person revokes this consent. The images obtained by video surveillance cameras are kept for a maximum of one month, although in the case of incidents that justify it, the necessary time will be kept to facilitate the actions of the security forces or judicial bodies.
What rights do people have in relation to the data we process?
As provided for in the General Data Protection Regulations, the persons whose data we process have the following rights:
- I don’t know if they’re treated. Everyone has the first right to know whether we process their data, regardless of whether there has been a previous relationship.
- To be informed in the collection. When the personal data are obtained from the interested party, at the time of providing them, they must have clear information on the purposes for which they will be used, who will be responsible for the processing and the other aspects arising from this processing.
- Access. A very broad right that includes the right to know precisely what personal data are being processed, the purpose for which they are being processed, the communications to other persons that will be made (where applicable) or the right to obtain a copy or to know the conservation period foreseen.
- To request its rectification. This is the right to have inaccurate data processed by us corrected.
- To ask for its suppression. In certain circumstances, you have the right to request the deletion of data when, among other reasons, they are no longer necessary for the purposes for which they were collected and for which they were processed.
- Requesting limitation of processing. The right to request limitation of the processing of data is also recognised in certain circumstances. In this case they will cease to be processed and will only be kept for the exercise or defence of claims, in accordance with the General Data Protection Regulations.
- In portability. In the cases provided for in the regulations, the right to obtain one’s own personal data in a machine-readable structured format for common use, and to transmit them to another data controller if the data subject so decides.
- To oppose processing. A person may invoke motives related to his particular situation, motives that will result in his data not being processed to the extent or to the extent that it may cause harm, except for legitimate motives or the exercise or defence against claims.
- Not to receive commercial information. We will immediately respond to requests to stop sending commercial information to people who have previously authorized us to do so.
How can rights be exercised or defended?
The rights listed above can be exercised by sending a written request to Lavola at the postal address Avenida de Roma, 254, Manlleu (CP 08560), or by sending an email to email@example.com, indicating in all cases “Protection of personal data”. If no satisfactory answer has been obtained in the exercise of the rights it is possible to present a claim before the Spanish Data Protection Agency, by means of the forms or other channels accessible from its page www.agpd.es.