Privacy Policy
DATA CONTROLLER
The Data Controller is Lucía Marín Peidro, with NIF/DNI 22144678W and registered address at Calle San Lorenzo 8, 1º, 03801, Alcoy (Alicante).
PRIVACY PRINCIPLES
At Aitana Consultores Legales, we are committed to continuously working to ensure the privacy of your personal data and to provide you with the most complete and clear information at all times. We encourage you to read this section carefully before providing us with your personal data.
If you are under fourteen years old, please do not provide us with your data without parental consent.
In this section, we inform you about how we process the data of individuals who have a relationship with our organization.
Starting with our principles:
- We do not request personal information unless it is necessary to provide you with the services you require.
- We never share personal information with anyone, except to comply with the law or with your express authorization.
- We will never use your personal data for purposes other than those expressed in this privacy policy.
- Your data will always be treated with a level of protection appropriate to the data protection legislation, and we will not subject it to automated decisions.
This privacy policy has been drafted considering the requirements of the current data protection legislation:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons (GDPR).
- Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (LOPD).
- Royal Decree 1720/2007, of 21 December (RLOPD).
This privacy policy is dated 1 February 2023.
Due to changes in processing criteria, to facilitate its understanding, or to adapt it to current legislation, we may modify this privacy policy.
We will update the date of the same, so you can check its validity.
PROCESSING ACTIVITIES WE CARRY OUT
Contact Processing
Legal Basis: Consent of the data subject
Purpose of Processing: To attend to your request, send you information, and follow up on the request.
Data Subjects: Contact persons, clients, suppliers
Categories of Data: Name and surname, telephone, email address
Categories of Recipients: No data transfers to third parties are envisaged.
International Transfers: No international data transfers are planned.
Retention Period: Contact data will be kept for an indefinite period or until the data subject requests its deletion.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
Supplier Processing
Legal Basis: GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or to take pre-contractual steps at the request of the data subject. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the data controller is subject. Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers’ Statute Law. Law 58/2003, of 17 December, General Taxation.
Purpose of Processing:
- Acquisition of products and/or services we need for the development of our activity.
- Control of subcontractors if applicable.
Data Subjects:
- Suppliers.
- Workers of our suppliers.
Categories of Data:
- Name and surname, DNI/NIF/Identification document, address, signature, and telephone.
- Employment details: job position, occupational safety training.
- Economic, financial and insurance data: Banking data.
Categories of Recipients: – Financial institutions.
(Payment of invoices) - State Tax Administration Agency.
International Transfers: No international data transfers are planned.
Retention Period: They will be kept for the necessary time to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and the data processing, according to Law 58/2003, of 17 December, General Taxation,
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
Customer Processing
Legal Basis: GDPR: 6.1.a) The data subject has given consent to the processing of their personal data for one or more specific purposes.
GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or to take pre-contractual steps at the request of the data subject.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.
GDPR: 6.1.f) Processing necessary for the purposes of the legitimate interests pursued by the controller.
Royal Legislative Decree 2/2015, of October 23, approving the revised text of the Workers’ Statute Law.
Law 58/2003, of December 17, General Taxation.
Purpose of Processing: Provision of our products/services.
Data Subjects: Customers
Categories of Data:
- Name and surname, DNI/NIF/Identification document, address, signature, and telephone.
- Economic, financial, and insurance data: Bank details
Categories of Recipients:
- Financial entities.
- State Tax Administration Agency.
International Transfers: No international data transfers are planned.
Retention Period: They will be kept for the necessary time to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and the data processing, according to Law 58/2003, of 17 December, General Taxation,
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
ARCO Rights Processing
Legal Basis: GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.
General Data Protection Regulation.
Purpose of Processing: To attend to requests in the exercise of rights established by the General Data Protection Regulation: Right of access, rectification, deletion, limitation, portability, and opposition to automated decision-making.
Data Subjects: Individuals who request it (employees, customers, suppliers, contact persons)
Categories of Data: Name and surname, address, signature, and phone number.
Categories of Recipients: Personal data may be communicated to the Supervisory Authority (Spanish Data Protection Agency) within the framework of an investigation for the protection of rights initiated by the data subject.
International Transfers: No international data transfers are planned.
Retention Period: Data will be kept for five years from the date of the request.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
Security Breach Notification Processing
Legal Basis: GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.
General Data Protection Regulation. Articles 33 and 34
Purpose of Processing: Management and evaluation of security breaches occurring in our organization.
Data Subjects: Variable: Employees, Customers, Suppliers, Contact Persons (depending on the security breach)
Categories of Data: Variable. (Depending on the security breach)
Categories of Recipients:
- Spanish Data Protection Agency.
- Law Enforcement Agencies.
International Transfers: No international data transfers are planned.
Retention Period: Data will be kept for the necessary time to fulfill the purpose for which they were collected and to determine any responsibilities that may arise from that purpose and data processing. Provisions on archives and documentation will apply.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
Purpose of Processing
- Administrative Procedures: Registration and deregistration of vehicles, aircraft, and boats; contact and commercial activities with clients.
- Agenda: Appointment and agenda control.
- Job Pool: Personnel selection.
- Accounting, Taxation, and Treasury: Management of clients/suppliers, accounting, tax, and administrative management.
- Management of Clients and Suppliers: Management of clients/suppliers, accounting, tax, and administrative management. Management of potential clients and contacts.
- Data Protection: Data protection and privacy of information.
- Subscriber Management: Marketing, advertising, and commercial prospecting.
- Commercial Communications: Marketing, advertising, and commercial prospecting.
- Occupational Risk Prevention: Occupational risk prevention.
- Social Networks: Sharing information on social networks; commercial communications.
- Customer Tax Accounting Processing: Management of clients/suppliers, accounting, tax, and administrative management. Management, processing, and electronic submission of the Personal Income Tax (IRPF).
- Labor Management and Contract Preparation and Social Security Procedures: Payroll and labor contract management, both for our own staff and on behalf of clients.
- Legal Advisory: Legal defense.
- Subcontracted Labor: Payroll and labor contract management on behalf of third parties (sub-contracted). Assistance with mortgage loan signings (sub-contracted). Assistance with the sale of real estate from bank portfolios (sub-contracted).
Legal Basis for Processing
The collection and processing of your data are always legitimized by one or more legal bases, which we detail below:
- Explicit consent of the data subject.
- Existence of a contractual relationship with the data subject through contract or pre-contract.
- Legal obligation of the Data Controller.
- Consent for compliance with Article 28.4 of Regulation 679/2016.
- Consent necessary to formalize the relationship with the Authorized party in the RED system of Social Security.
- Consent necessary for the formalization of electronic submissions to the AEAT.
Data Retention
Data will be retained as long as the commercial relationship is maintained. Data will be kept for 5 years after the end of the contractual relationship, without prejudice to the provisions of Article 21 of Law 10/2010 on the Prevention of Money Laundering and Financing of Terrorism, which allows obligated parties to retain relationship data for a period of 10 years.
In cases of marketing, communication with potential clients, and regarding the curriculum data of job applicants, data will be retained for a period of one year, provided the contractual relationship does not materialize.
Data Recipients
Occasionally, to fulfill our legal obligations and our contractual commitment to you, we may be required and need to transfer some of your data to certain categories of recipients, which we specify below:
- Professional associations
- Notaries and solicitors
- Tax Administration
- Public administrations with jurisdiction in the matter
- Social Security organizations; Mutual societies
- Occupational risk management entities
- Law enforcement agencies when requested by legal mandate.
International Transfers
We will not make international transfers of your data.
Data Source
The data subject or their legal representative themselves; we do not collect data about you from other places or entities without your consent.
Your Rights
You have the right to request a copy of your personal data, rectify inaccurate data, or complete them if they are incomplete, or, where appropriate, delete them when they are no longer necessary for the purposes for which they were collected.
You also have the right to restrict the processing of your personal data and to obtain your personal data in a structured and readable format.
You can object to the processing of your personal data in certain circumstances (particularly when we do not have to process them to meet a contractual or other legal requirement, or when the purpose of the processing is direct marketing).
When you have given us your consent, you can withdraw it at any time. At that moment, we will stop processing your data or, where appropriate, we will stop doing so for that specific purpose. If you decide to withdraw your consent, this will not affect any processing that has taken place while your consent was valid.
These rights may be limited; for example, if to fulfill your request we had to disclose data about another person, or if you ask us to delete some records that we are required to keep by a legal obligation or by a legitimate interest, such as the exercise of defense against claims. Or even in those cases where the right to freedom of expression and information must prevail.
You can contact us through any of the means indicated in the Data Controller section of this privacy policy, providing a copy of a document that proves your identity (usually the DNI).
Another of your rights is not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you.
In the event of any infringement of your rights, such as if we have not addressed your request, you have the right to file a complaint with the Supervisory Authority in the field of data protection. This can be that of your country (if you live outside of Spain) or the Spanish Data Protection Agency (if you live in Spain).
Additional Information
Links to Third-Party Websites
Our website may occasionally contain links to other websites. It is your responsibility to ensure that you read the data protection policy and the legal conditions applicable to each site.
Third-Party Data
If you provide us with third-party data, you assume the responsibility of informing them in advance as established in Article 14 of the GDPR.