AQUALAND S.A. is an Organization in which personal data is collected through the various means available to it, which attributes to it a significant responsibility in the design and organization of procedures, ensuring they are aligned with legal compliance in Data Protection. Therefore, AQUALAND S.A. will adopt all necessary security measures to ensure the protection of the collected data.
In the exercise of these responsibilities, and with the objective of establishing the general principles that must govern the processing of personal data within the Organization, AQUALAND S.A. approves this Personal Data Protection Policy, which it notifies and makes available to all its stakeholders, while also respecting the following regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
- Organic Law 3/2018 of December 5 on the Protection of Personal Data and guarantee of digital rights (LOPD-GDD).
- Law 34/2002 of July 11 on Information Society Services and Electronic Commerce (LSSI-CE).
I. Scope of Application
This Personal Data Protection Policy shall apply to AQUALAND S.A., its administrative bodies, management, and staff, as well as to all individuals who interact with the Organization, expressly including service providers with access to data (“Data Processors”).
The data controller for the personal data collected within the Organization is: AQUALAND S.A., provided with NIF: A28973907, represented by: MºDEL MAR ASESIO GUIXE (hereinafter, Data Controller). Their contact details are as follows:
- Address: AUTOVIA A7 KM 209, MIJAS COSTA, MALAGA, 29651
- Contact Phone: 952460404, 679162988
- Contact Email: [email protected]
II. Information on the Data Controller and Processing of Personal Data
Additional information regarding data processing is a set of more specific and expanded details that entities must provide to data subjects on how their personal data is managed. This concept derives from the principle of transparency in the General Data Protection Regulation (GDPR) and complements the basic information initially provided, offering a higher level of detail about the processing activities.
Below, AQUALAND S.A. provides additional information on the data processing activities it carries out:
Additional Information on Data Protection
DATA CONCERNING THE DATA CONTROLLER
| Identity |
AQUALAND S.A. |
| Address |
AUTOVIA A7 KM 209, MIJAS COSTA, MALAGA, 29651 |
| Contact Phone |
952460404, 679162988 |
| Email Address |
[email protected] |
PURPOSES OF PERSONAL DATA PROCESSING
| Data Processing |
Purpose of Processing |
Retention Period |
| VIDEO SURVEILLANCE |
OTHER PURPOSES, HUMAN RESOURCES, PRIVATE SECURITY, MASS VIDEO SURVEILLANCE |
HUMAN RESOURCES: 4 years
PRIVATE SECURITY: 1 month
MASS VIDEO SURVEILLANCE: 1 month |
| WORK DAY REGISTRATION |
HUMAN RESOURCES |
HUMAN RESOURCES: 4 years |
| WEB FORM |
CUSTOMER MANAGEMENT, ACCOUNTING, FISCAL AND ADMINISTRATIVE, ADVERTISING AND COMMERCIAL PROSPECTION |
– Customer management: 5 years
– Accounting, fiscal and administrative: 6 years |
| WHISTLEBLOWING CHANNEL |
CUSTOMER MANAGEMENT, ACCOUNTING, FISCAL AND ADMINISTRATIVE |
– Customer management: for the duration of the relationship and, once finalized, blocked and retained during the limitation periods for legal actions/potential liabilities
– Accounting: 6 years
– Fiscal: 4 years
– Administrative: for the time necessary for management and, once finalized, blocked and retained during the limitation periods for legal actions/potential liabilities |
| CUSTOMERS |
ELECTRONIC COMMERCE, CUSTOMER MANAGEMENT, ACCOUNTING, FISCAL AND ADMINISTRATIVE, ADVERTISING AND COMMERCIAL PROSPECTION |
– ELECTRONIC COMMERCE: for the duration of the contractual relationship and, once finalized, blocked during the limitation period for potential liabilities
– CUSTOMER MANAGEMENT: for the duration of the contractual relationship and, once finalized, blocked during the limitation period for potential liabilities
– ACCOUNTING, FISCAL AND ADMINISTRATIVE: 6 years (accounting/commercial documentation) and 4 years (tax obligations)
– ADVERTISING AND COMMERCIAL PROSPECTION: as long as the purpose is maintained; after its cessation, blocked during the limitation period for potential liabilities |
| INVOICING AND ACCOUNTING |
CUSTOMER MANAGEMENT, ACCOUNTING, FISCAL AND ADMINISTRATIVE |
– Customer management: while the contractual relationship is maintained and, subsequently, during the limitation periods for applicable legal liabilities.
– Accounting: 6 years.
– Fiscal: 4 years.
– Administrative: while necessary for the purpose and, subsequently, during the limitation periods for applicable legal liabilities. |
| PAYROLL AND PERSONNEL |
PAYROLL MANAGEMENT, OTHER PURPOSES, OCCUPATIONAL RISK PREVENTION, HUMAN RESOURCES |
– PAYROLL MANAGEMENT: 4 years
– OCCUPATIONAL RISK PREVENTION: 5 years (clinical documentation derived from health surveillance)
– HUMAN RESOURCES: 4 years |
| CVs / RESUMES |
HUMAN RESOURCES |
HUMAN RESOURCES: 4 years |
| MEDICAL REPORTS |
CLINICAL HISTORY healthcare process |
CLINICAL HISTORY: minimum of 5 years from the date of discharge of each healthcare process |
LAWFUL BASIS FOR PERSONAL DATA PROCESSING
| Data Processing |
Lawful Basis |
| VIDEO SURVEILLANCE |
Legitimate interest in the security of the facilities |
| WORK DAY REGISTRATION |
Legitimate interest in labor relations |
| WEB FORM |
Express consent of the data subject |
| WHISTLEBLOWING CHANNEL |
Legal obligation under applicable regulations |
| CUSTOMERS |
Execution of a purchase-sale contract |
| INVOICING AND ACCOUNTING |
Execution of a purchase-sale contract and/or service provision contract |
| PAYROLL AND PERSONNEL |
Execution of an employment contract |
| CVs / RESUMES |
Express consent of the data subject |
| MEDICAL REPORTS |
Express consent of the data subject |
RECIPIENTS OF YOUR PERSONAL DATA
| Data Processing |
Envisaged Disclosures |
International Transfers |
| VIDEO SURVEILLANCE |
PUBLIC ADMINISTRATION WITH JURISDICTION IN THE MATTER |
No |
| WORK DAY REGISTRATION |
No disclosures are envisaged |
No |
| WEB FORM |
No disclosures are envisaged |
No |
| WHISTLEBLOWING CHANNEL |
No disclosures are envisaged |
No |
| CUSTOMERS |
No disclosures are envisaged |
No |
| INVOICING AND ACCOUNTING |
No disclosures are envisaged |
No |
| PAYROLL AND PERSONNEL |
No disclosures are envisaged |
No |
| CVs / RESUMES |
No disclosures are envisaged |
No |
| MEDICAL REPORTS |
No disclosures are envisaged |
No |
YOUR RIGHTS AND THE MEANS AVAILABLE TO EXERCISE THEM
Any person has the right to obtain confirmation as to whether AQUALAND S.A. is processing personal data concerning them.
Data subjects have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its erasure when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
In certain circumstances, data subjects may request the restriction of the processing of their data, in which case we will only retain it for the exercise or defense of legal claims, as well as to comply with legally established retention periods.
Likewise, data subjects may object to the processing of their personal data. Consequently, AQUALAND S.A. will cease processing their data, except for compelling legitimate grounds, or for the exercise of potential legal claims.
In the same vein, when certain circumstances apply and it is technically feasible, data subjects shall have the right to have their personal data transmitted directly to another data controller or processor, upon request.
To exercise the aforementioned rights, you must contact us by sending a written request to:
- ● AQUALAND S.A. AUTOVIA A7 KM 209, MIJAS COSTA, MALAGA, 29651, or by email at [email protected]. We recommend accompanying your request with a copy of your ID.
III. Principles Applicable to Personal Data Processing
The Personal Data Protection Policy is a proactive responsibility measure intended to ensure compliance with the applicable legislation in this field and, in relation to it, respect for the right to honor and privacy in the processing of personal data of all individuals who interact with AQUALAND S.A..
In furtherance of the provisions of this Policy, the Principles that govern data processing within the organization are established, and consequently, the procedures, organizational, and security measures that the persons affected by this Policy undertake to implement within their area of responsibility.
In relation to the foregoing, AQUALAND S.A. will ensure compliance with the following principles:
➔ Lawfulness, fairness, transparency, and purpose limitation. Data processing must always be informed to the affected individual through established clauses and procedures; and it will only be considered legitimate if there is consent for the data processing (with special attention to that provided by minors), or if it relies on another valid lawful basis, and the purpose thereof complies with the applicable regulations.
➔ Data minimization. The processed data must be adequate, relevant, and limited to what is necessary in relation to the various purposes of the processing.
➔ Accuracy. Data must be accurate and, if necessary, kept up to date. In this regard, necessary measures will be adopted so that personal data that is inaccurate with respect to the purposes of the processing is erased or rectified without delay.
➔ Storage limitation. Data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purpose of the specific processing.
➔ Integrity and Confidentiality. Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
➔ Data disclosures. The purchase or procurement of personal data whose origin comes from illegitimate sources, or in cases where such data has been collected or disclosed in violation of the law or where its legitimate provenance is not sufficiently guaranteed, is strictly prohibited.
➔ Procurement of providers with access to data. Only providers offering sufficient guarantees to implement appropriate technical and security measures in data processing will be selected for contracting. A proper contract regarding this matter will be documented with them.
➔ International data transfers. Any processing of personal data subject to European Union regulations that involves a transfer of data outside the European Economic Area must be carried out in strict compliance with the requirements established by applicable law.
➔ Rights of affected individuals. The Organization will facilitate the exercise of the rights of access, rectification, erasure, restriction of processing, objection, and portability for affected individuals, establishing internal procedures for this purpose, and in particular, the models necessary and appropriate for their exercise, which must satisfy, at minimum, the applicable legal requirements in each case.
AQUALAND S.A. will promote that the principles set forth in this Personal Data Protection Policy are taken into account:
- In the design and implementation of all work procedures
- In the products and services offered
- In all contracts and obligations they formalize or assume, and
- In the implementation of all systems and platforms that allow access by its workforce/employees or third parties and/or the collection or processing of personal data.
IV. Personal Data of Minors
In accordance with the provisions of Article 8 of the GDPR and Article 7 of Organic Law 3/2018 of December 5 on the Protection of Personal Data and guarantee of digital rights, only individuals over 14 years of age may lawfully grant their consent for the processing of their personal data by AQUALAND S.A.. In the case of a minor under 14 years of age, the consent of the parents or guardians will be required for the processing, and it will only be considered lawful to the extent that they have authorized it.
V. Secrecy and Security of Personal Data
AQUALAND S.A. undertakes to notify the user, without undue delay, when a personal data security breach occurs that is likely to result in a high risk to their rights and freedoms.
Following the provisions of Article 4 of the GDPR, a personal data breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Personal data will be treated as confidential by the Data Controller, who undertakes to inform and guarantee via a legal or contractual obligation that such confidentiality is respected by its workers, associates, and any person to whom they make the information accessible.
VI. Commitment of AQUALAND S.A. Personnel
In light of the foregoing, we express that the workers and employees of AQUALAND S.A. are informed of this Policy, and declare themselves aware that personal information is an asset of AQUALAND S.A., and in this regard, they adhere to it, committing to the following:
- Complete the Data Protection awareness training that AQUALAND S.A. makes available to them.
- Apply user-level security measures applicable to their job position, without prejudice to any design and implementation responsibilities that might be assigned to them based on their role within AQUALAND S.A.
- Use the established formats for the exercise of Rights by the affected users, and inform AQUALAND S.A. immediately so that the response can be made effective.
- Inform AQUALAND S.A., as soon as they become aware, of any deviations from the provisions of this Policy, particularly regarding “Personal data security breaches”, using the format established for that purpose.
VII. Control and Evaluation
AQUALAND S.A. will conduct an annual verification, evaluation, and assessment—as well as whenever significant changes occur in data processing—regarding the effectiveness of the technical and organizational measures to guarantee the security of the processing.
