We inform you below, in the form of questions and answers, of the terms on which our company processes your personal data:
Who is the data controller of the processing?
- Identity: OLIVA-AYALA ABOGADOS, S.L.P. Tax ID: B-85340388.
- Postal address: C/ Miguel Ángel, 14 – 3º, 28010 – Madrid.
- Telephone: 913911290.
- Email: email@example.com.
Who is the firm’s Data Protection Officer (DPO) and how can they help you?
The DPO is a figure required by law, whose main duties are to inform and advise our firm on the obligations that affect it in terms of personal data protection and to supervise its compliance.
The DPO also acts as a contact for any matters relating to personal data processing, so if you have any queries, doubts or suggestions in relation to how we use your personal data, you can contact them:
- • DPO’s email address: firstname.lastname@example.org
For what purposes do we process your personal data?
We process the personal data you provide for the following purposes:
- To manage our relationship with our clients and for billing and collection of services. It is mandatory for clients to provide these data, otherwise the fulfilment of the contract will be prevented.
- To manage our relations with our suppliers, and for the invoicing and payment of services. For this purpose, it is obligatory for suppliers to provide us with their data, otherwise the contract cannot be fulfilled.
- To channel any requests for information, suggestions and complaints that you may send us, to contact the sender of the information, to respond to your requests and queries, and to follow up subsequently. Providing the data for this purpose is voluntary, although if you do not do so, we will not be able to respond to your request, query or complaint. Therefore, submitting your personal data for these purposes is a necessary requirement for us to be able to deal with these requests.
- If you become a friend or follower of ours on social networks, we will process your data to keep you informed of our activities and promotions through these channels. Providing the data for this purpose is voluntary, although, if you do not do so, you will not be able to be our friend or follower on the corresponding social network. The categories of data processed for this purpose are identified as follows.
How long will we process your data for?
We only keep your data for the period of time necessary to fulfil the purpose for which they were collected, to comply with the legal obligations imposed on us and to meet any possible liabilities that may arise from fulfilling the purpose for which the data were collected.
The data for managing the relationship with clients and suppliers and for billing and collection of services will be kept for this purpose for as long as the contract is in force. Once this relationship has ended, if applicable, the data may be kept for the time required by the applicable legislation and until any liabilities arising from the contract lapse.
The data of potential clients who do not contract our products or services and who do not wish to receive commercial information will be deleted when it is confirmed that the contract will not be carried out. If the previous relationship between the parties, even if not yet consummated, could give rise to possible liabilities, the data will be kept until the statute of limitations expires.
The data processed to deal with requests, applications, queries or complaints will be kept for the time necessary to respond to them and to consider them definitively closed. After that, they will be kept as a communications history for a period of one year, unless you request their deletion before then.
The data provided through social networks will be kept for as long as you remain a friend or follower of ours on the corresponding platform.
What is the legal basis for the processing of your data?
The legal basis for the processing of client and supplier data is the performance of the service contract.
The processing of personal data for the purpose of responding to your requests for information, enquiries, queries and complaints is based on the consent of the data subject. This consent may be withdrawn at any time, although this will not affect the lawfulness of any processing previously carried out.
Data provided through social networks will be processed on the legal basis of your consent, which may be withdrawn at any time, although this will not affect the lawfulness of the processing previously carried out.
The categories of data processed are those requested in each case in the form or contract through which you provide us your data.
Which recipients will your data be communicated to?
The data will be communicated to the following entities:
- The competent Public Administrations, including judges and courts, in the cases provided for by law and for the purposes defined in it.
- Financial institutions used to manage collections and payments.
Although this is not a transfer of data, third-party companies may, acting as our suppliers, access your information to provide the service. These third parties will access your data following our instructions and without being able to use them for any other purpose, maintaining the strictest confidentiality and on the basis of a contract in which they undertake to comply with the requirements of current legislation on the protection of personal data.
What are your rights when you provide us your data?
Everyone has the right to obtain confirmation as to whether or not we are processing personal data concerning them. Data subjects have the right to access their personal data, and to request to have any imprecise data rectified, or if applicable, to request to have them erased for reasons such as the data no longer being necessary for the purposes for which they were collected.
Under the conditions provided for in the General Data Protection Regulation, data subjects may request the limitation of the processing of their data or their portability, in which case we will only retain them for the bringing or defending against claims.
In certain circumstances and on grounds relating to their particular situation, data subjects may object to the processing of their data. If you have given consent for a specific purpose, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on the consent before its withdrawal. In those cases, we will stop processing the data or, as the case may be, we will stop processing them for that specific purpose, except for compelling legitimate reasons, or for the bringing or defending against possible claims.
In addition, data protection legislation allows you to object to being subject to decisions based solely on automated processing of your data, where appropriate.
The above rights are characterised by the following:
- They may be asserted free of charge, except in the case of manifestly unfounded or excessive requests (e.g. repetitive requests), in which case a fee proportional to the administrative costs incurred or refusal to act may be charged
- You may exercise your rights directly or through your legal representative or volunteer
- Your request must be answered within one month, although, taking into account the complexity and number of requests, the deadline may be extended by a further two months.
- We are obliged to inform you about the means of asserting these rights, which must be accessible and without being able to prevent you asserting the right on the sole ground that you choose another means. If the request is made electronically, the information will be provided electronically where possible, unless you ask us to do otherwise.
- If, for whatever reason, the request is not acted upon, we will inform you, at the latest within one month, of the reasons for this and of the possibility to complain to a supervisory authority.
To help you assert these rights, links to the application form for each of these rights are provided below:
- Right of access assertion form
- Right of rectification assertion form
- Right of objection to processing assertion form
- Right of data erasure (‘right to be forgotten’) assertion form
- Right to restriction of processing assertion form
- Right to data portability assertion form
- Right to freedom from individual automated decisions assertion form
All the rights above may be asserted through the means of contact listed at the beginning of this clause.
In all cases, you must prove your identity by attaching a photocopy or scanned copy of your ID card or equivalent document, or a document proving representation, if the right is exercised through a representative.
In the event of any infringement of your rights, especially when you have not obtained satisfaction in exercising them, you may file a complaint with the Spanish Data Protection Agency (contact details available at www.aepd.es), or other competent supervisory authority. You can also obtain further information about your rights by contacting those bodies.
How do we protect your personal data?
We are committed to protecting the personal data we process. We use reasonably reliable and effective physical, organisational and technological measures, controls and procedures to preserve the integrity and security of your data and ensure your privacy.
In addition, all staff with access to personal data have been trained and are aware of their obligations in relation to the processing of your personal data.
In the case of the contracts we sign with our suppliers, we include non-disclosure clauses with respect to the personal data to which they have had access by virtue of the assignment, that also require them to implement the necessary technical and organisational security measures to guarantee the permanent confidentiality, integrity, availability and resilience of their systems and services for the processing of personal data.
All these security measures are regularly reviewed to ensure their adequacy and effectiveness.
However, absolute security cannot be guaranteed and no security system is impenetrable, so if any information we process and that is under our control is compromised as a result of a security breach, we will take appropriate steps to investigate the incident, notify the Supervisory Authority and, where appropriate, those users who may have been affected so that they can take appropriate action.
What is your responsibility as a data subject?
By providing us with their personal data, data subjects warrant that they are over 14 years of age and that the data provided is true, accurate, complete and up to date.
To this effect, data subjects are responsible for the veracity of the data and must keep them suitably updated so that they correspond to their real situation, taking responsibility for any false or inaccurate data that they may provide, as well as for any direct or indirect damage, that may arise.
If you provide data of third parties, you assume the responsibility of informing them in advance of all the provisions of Article 14 of the General Data Protection Regulation as established in that law.