Privacy and Data Protection

PRIVACY AND DATA PROTECTION POLICY

(Last change: June 21, 2018)

 

1 INTRODUCTION: OUR COMMITMENT TO PRIVACY

At EVOLUCIÓN INTERIOR S.L.U. we have always considered the privacy and intimacy of our clients to be especially important. The protection of your personal data has been a constant in the commitment we assumed from the first moment you placed your trust in us.

We want respect for your fundamental right to the protection of your data to be a constant. We will try to give you control over your own information.

The Privacy Policy that we detail below can help you better understand how we use your personal data. In it we explain in more detail the types of personal data we collect, how we collect them, for what purposes we can use them and with whom we can share them.

For this reason, and because of the importance that YOUR privacy has for us, the application of the new Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), rather than amounting to a decalogue of obligations and restrictions, has only confirmed the importance that privacy and intimacy have acquired in our days. This is an era marked by technological advances, whose good use is always welcome, but which “sensu contrario” can be an invasion of and interference in the life of any citizen.

So, without further delay, we set out the basic principles on which we base the processing of personal data, its custody and its exclusive use for the purposes entrusted, always leaving the final decision to its owner (YOU).

However, if you do not feel like reading our privacy policy, if you have already done so, or if you have any specific question that you need to raise personally, our Data Protection Officer (DPO) is at your disposal for whatever you want to tell us (privacy@innermastery.org).

This Privacy Policy applies to the website of EVOLUCIÓN INTERIOR S.L.U., www.consciousschool.org/contact, as well as to the rest of the products and services that you contract or may contract with us.

We intend to describe to you what data we collect, the purposes for which we collect it, how we use that data and all the possibilities we offer, including how to access and update the data. In short, we intend to make you aware of all the essential elements that you should know about our use of your personal data and our invariable commitment to its custody.

In addition, you will see that a “definitions” tab is available. This tool can be useful for understanding those concepts or actions that, because of their specificity, need a short description that is as simple as possible.

At EVOLUCIÓN INTERIOR S.L.U. we intend our privacy policy to be a “living” element that undergoes the modifications and updates necessary to keep you aware of the privacy developments that may concern you. Therefore, if you are interested in receiving information about the developments that occur, do not hesitate to consent to receiving it through the following link: www.consciousschool.org/contact

 

2 WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA?

Although in the “definitions” tab you will find the definition of the person responsible given in Regulation (EU) 2016/679, we prefer to explain in a simple way who is responsible for your personal data.

EVOLUCIÓN INTERIOR S.L.U. is responsible for any personal data of yours that is processed by us.

We are responsible for safeguarding your data, giving them the proper use and protecting them with the necessary measures to prevent their misuse.

It is important to recognize at this time the breadth of meaning that the expression “personal data” has.

Gone are the times when personal data meant first name, last name, postal address and landline number. Today, personal data is any information that identifies a person or that serves to make a person identifiable. Therefore, a name is personal data, obviously, but so is the IP address of a computer or a car license plate.

Consequently, and considering the infinity of personal data that can be collected at present, EVOLUCIÓN INTERIOR S.L.U. redoubles its efforts to comply with the principle of data minimization, that is, to use only strictly necessary personal data, by the minimum number of people needed and the least number of times.

Our postal address is: Cañada del Barco Viejo nº28, Fuente el Saz del Jarama, Madrid (28140).

To finish this section, we remind you of the name and other contact information of our Data Protection Officer (DPO): J. Iñaki Hernández Aznar (privacidad@escuelaconsciente.org)

 

3 WHEN DO WE COLLECT YOUR PERSONAL DATA?

At EVOLUCIÓN INTERIOR S.L.U. we collect personal data about you every time you have a relationship with us, including the provision of any of our services, when you use our website or when you interact with us electronically.

At no time will we collect your data for purposes other than the purpose of EVOLUCIÓN INTERIOR S.L.U., which is none other than the development of our professional activity, which is why you came to us.

For example, we will collect your data when you attend a retreat with us, participate in one of our programs through the website, etc.

 

4 FOR WHAT PURPOSE DO WE PROCESS YOUR DATA?

We process your data to provide you with a service that helps you in your internal evolution as a human being, whether through internal evolution retreats, conferences and workshops that allow you a greater degree of development, or through trips to the Amazon rainforest.

On the website of EVOLUCIÓN INTERIOR S.L.U. you can find more information about our services. In the different sections you will find a detailed answer about each of the professional activities we carry out.

All of them are related to each other and linked to our purpose, our reason for being.

We reiterate: at no time will we collect your data for purposes other than our corporate purpose, which is none other than the development of our professional activity.

It is important to remind you that the data has been collected exclusively for specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with those purposes.

In other words, we will not use your data for any other purpose than the one included in this tab, reminding you again that we will try to give you control over your own information.

As for retention periods, we will keep your data for as long as the existing contractual or commercial relationship lasts, after which the data will be blocked for as long as we are obliged to keep it by the sector regulations.

To end this section, EVOLUCIÓN INTERIOR S.L.U. states that at no time will automated decisions be made with your personal data. In all processing carried out by the company there will always be human intervention.

 

5 WHAT DATA DO WE PROCESS AND FROM WHAT SOURCE ARE THEY OBTAINED?

On the occasion of your relationship with us, the following categories of personal data can be processed: (it will have to be modified depending on the client).

a) Identification data. This may include a signature, an image, a health card, or a social security or mutual insurance number.
b) Health related data. It may be the case that some personal characteristic or social circumstance is included, as long as it is necessary for the service provided.
c) Data of an economic or transactional nature, such as payments, income, transfers or debts.

The data may come from the owner himself, his representative or a third party.

 

6 WHAT IS THE LEGITIMATION FOR THE TREATMENT OF YOUR DATA?

The Regulation, in its spirit and intention to avoid the arbitrary processing of personal data, establishes requirements for its use.

To put it another way, the Regulation tells us the reasons for which personal data can be processed, and the person responsible for that processing is the one in charge of “justifying it” on the basis of the possibilities included in the regulations.

In general, it establishes the conditions in Article 6, leaving for Article 9 the processing in which especially sensitive data is collected.

In our case, the legitimate basis to process your personal data is as follows:

  • Your consent, if you have given it.
  • The provision of services that have occurred.
  • The legitimate interest of the company, which seeks exclusively the best provision of the services it offers.

We want to remind you that, for the objectives of processing your personal data to be properly achieved, it is essential that the data be correctly updated. Therefore, if you become aware that an update is needed and have had no opportunity to make it, please contact our DPO to carry out as many updates as necessary. It is essential to keep your data up to date.

 

7 MINORS

Both the national regulations and the European Regulation itself establish limitations on the processing of the personal data of a “minor”.

Therefore, at EVOLUCIÓN INTERIOR S.L.U., adopting as our own the age recommended in the Regulation, all processing of the data of a child under 16 must have the authorization of their parent or guardian, which will be duly accredited in accordance with the applicable regulations.

In this sense, we will implement all the measures that we deem convenient and possible to proceed to the effective verification of the child’s age.

 

8 WILL WE COMMUNICATE YOUR PERSONAL DATA? TO WHOM?

At EVOLUCIÓN INTERIOR S.L.U. we will not transfer your personal data to third parties, unless:

a) It is necessary to provide the contracted service.
b) There is a legal obligation to do so.
c) You have given us your consent for it.

We put at your disposal a list of categories of companies to which we transfer your data in the Third parties section. (It is necessary to put a list of the transfers of data that are carried out and of the categories of processors that we have).

Section a) covers the cases in which, in order to provide an adequate service and manage the relationship we have with you, certain companies need to process your data as part of the provision of the contracted services.

In these cases, all relationships will be regulated by a data protection contract, a document that will govern confidentiality and the commitment to regulatory compliance, with reference to Regulation (EU) 2016/679 of the European Parliament.

Section b) covers only the cases where a law requires us to transfer the data (for example, to the Tax Agency).

Section c) refers to situations where your approval is necessary and you will be asked for your consent. These situations will be covered by your consent, which will be duly managed so that we can inform you whenever you need it and so that, should you change your mind and revoke it, you have no problem doing so.

We insist that you are the owner of the data, and our commitment is to give you control of your own information.

What happens if you do not consent? Nothing forces you to give us this consent, but if you do not, you will miss information about our products, services and other activities which, although not directly connected to any contractual relationship we may maintain, would help you keep up with the evolution, news and offers of our company.

It is important to note, although we hope that it is not necessary, that by virtue of the legal relationship that may exist and in the event of any default, the data related to the debt may be communicated to files related to the fulfillment or breach of monetary obligations (asset solvency files).

 

9 INTERNATIONAL DATA TRANSFERS

Before turning to the Control Authority's explanation of international data transfers, at EVOLUCIÓN INTERIOR S.L.U. we want to inform you that we will not carry out any international transfer without your consent, and we insist again that you will be in control of your information.

Once this fundamental aspect is clarified, we can gather what the Spanish Data Agency says about this matter:

International data transfers involve a flow of personal data from Spanish territory to recipients established in countries outside the European Economic Area (the countries of the European Union plus Liechtenstein, Iceland and Norway).

Controllers and processors may make international transfers of data without needing an authorization from the Spanish Agency for Data Protection, provided that the data processing observes the provisions of the European Regulation and one of the following cases applies.

The European Commission has declared that the following countries offer an adequate level of security.

In other words, it considers them fit to receive transfers, placing them at a level similar to that of the EU member states themselves. (Listed as of June 2018.)

  • Commission Decision 2000/518/EC of July 26, 2000.
  • Canada. Commission Decision 2002/2/EC of December 20, 2001, regarding entities subject to the scope of the Canadian data protection law.
  • Commission Decision 2003/490/EC of June 3, 2003.
  • Commission Decision 2003/821/EC of November 21, 2003.
  • Isle of Man. Commission Decision 2004/411/EC of April 28, 2004.
  • Commission Decision 2008/393/EC of May 8, 2008.
  • Faroe Islands. Commission Decision 2010/146/EU of March 5, 2010.
  • Commission Decision 2010/625/EU of October 19, 2010.
  • Commission Decision 2011/61/EU of January 31, 2011.
  • New Zealand. Commission Decision 2013/65/EU of December 19, 2012.
  • U.S. Applicable to entities certified under the EU-US Privacy Shield. Commission Decision (EU) 2016/1250 of July 12, 2016. The Privacy Shield offers a series of rights and obliges companies to protect personal data in accordance with the “Privacy Principles”.

In cases where the country is not included in the previous list, the following will be necessary:

  • A legally binding and enforceable instrument between public authorities or bodies.
  • Binding corporate rules.
  • Standard data protection clauses adopted by the Commission that remain valid.
  • Decision 2001/497/EC of June 15, 2001, concerning standard contractual clauses for the transfer of personal data between data controllers to a third country, and Commission Decision 2010/87/EU of February 5, 2010, relating to the standard contractual clauses for the transfer of personal data to processors established in third countries, in accordance with Directive 95/46/EC of the European Parliament and of the Council.
  • Standard data protection clauses adopted by a control authority and approved by the Commission.
  • Codes of conduct, together with binding and enforceable commitments of the controller or the processor in the third country to apply adequate guarantees, including those related to the rights of the interested parties.
  • Certification mechanisms, together with binding and enforceable commitments of the controller or the processor in the third country to apply adequate guarantees, including those related to the rights of the interested parties.

If the specific case does not meet the preceding requirements either, that is, in the absence of an adequacy decision and adequate guarantees, transfers can only be carried out if any of the following conditions are met:

  • The interested party has explicitly given his consent.
  • The transfer is necessary for the execution of a contract between the interested party and the person responsible for the treatment or for the execution of pre-contractual measures adopted at the request of the interested party.
  • The transfer is necessary for the conclusion or execution of a contract, in the interest of the interested party, between the person responsible for the treatment and another natural or legal person.
  • The transfer is necessary for important reasons of public interest.
  • The transfer is necessary for the formulation, exercise or defense of claims.
  • The transfer is necessary to protect the vital interests of the interested party or of other persons, when the interested party is physically or legally incapacitated to give his consent.
  • The transfer is made from a public registry that, in accordance with the law of the Union or the Member States, is intended to provide information to the public and is open for consultation by the general public or by any person who can prove a legitimate interest, but only to the extent that, in each particular case, the conditions established by the law of the Union or of the Member States for consultation are met.

When none of these exceptions is applicable, a transfer may only be made if it is not repetitive, it affects only a limited number of interested parties, it is necessary for the purposes of compelling legitimate interests pursued by the controller over which the interests or rights and freedoms of the interested party do not prevail, and the controller has evaluated all the circumstances surrounding the data transfer and, based on this evaluation, offers appropriate guarantees regarding the protection of personal data.

In this case, the controller will inform the control authority of the transfer. In addition to the information referred to in articles 13 and 14 of the GDPR, the data controller shall inform the data subject of the transfer and of the compelling legitimate interests pursued.

Binding Corporate Rules (BCR):

Binding corporate rules (BCR) are “the personal data protection policies adopted by a controller or processor established in the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries, within a business group or a union of companies engaged in a joint economic activity”.

Business groups are those “constituted by a company that exercises control and its controlled companies”.

The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism established in Article 63 of the GDPR.

 

10 FOR HOW LONG WILL WE KEEP YOUR DATA?

At EVOLUCIÓN INTERIOR S.L.U. we want to convey our firm intention to keep your personal data only for as long as strictly necessary: whether because you maintain a relationship with us, because there is a provision of services, because you are interested in receiving information about our services, or because of any other circumstance that requires the processing of your personal data. That is, during the time strictly necessary for the purpose for which they were collected.

Regarding the security of the facilities, the images captured through the video surveillance systems will be kept for a maximum period of 30 days, unless there is knowledge of any event that could be relevant for a subsequent judicial action.

Once the reason for the processing of your personal data is extinguished, we will keep them as long as we are bound by the sector regulations that may affect them.

Examples include the sector regulations related to money laundering, the Tax Agency, Commercial Code regulations, patient autonomy or medical history, Courts and Tribunals in the face of potential claims, scientific research and/or statistics, etc.

In any case, where we have to keep the data in accordance with the obligations imposed by the different legal norms, we will do so by blocking them, preventing any processing other than that exclusively mentioned.

And after the legally established deadlines, we will destroy or anonymize your data.

 

11 WHAT ARE YOUR RIGHTS?

As the holder of the fundamental right to the protection of your personal data, you are granted certain rights by the regulations, which the GDPR has reinforced.

The recognized rights are the following: ACCESS, RECTIFICATION, SUPPRESSION, LIMITATION, PORTABILITY AND OPPOSITION.

Exercising them is FREE and AT NO COST.

The interested party may exercise their rights by requesting it in writing, together with a copy of a reliable document proving their identity, at the following postal address:

C/ Cañada del Barco Viejo nº28, Fuente el Saz del Jarama, Madrid (28140).
E-mail: privacidad@escuelaconsciente.org

Therefore, at EVOLUCIÓN INTERIOR S.L.U. we want to follow the direction set by Europe and provide you with all the necessary tools so that you can exercise your rights, understand them and know their importance.

Both through this privacy policy and through the assistance provided by our Data Protection Officer, we provide you with the information and mechanisms necessary for this purpose.

Right of Access.- The first right included in the GDPR, in its article 15:

  1. The interested party will have the right to obtain confirmation from the controller of whether or not personal data concerning them are being processed and, in such case, the right to access the personal data and the following information:
    a) the purposes of the treatment;
    b) the categories of personal data in question;
    c) the recipients or categories of recipients to whom personal data were communicated or will be communicated, in particular recipients in third countries or international organizations;
    d) if possible, the expected period of retention of personal data or, if not possible, the criteria used to determine this period;
    e) the existence of the right to request from the controller the rectification or deletion of personal data or the limitation of the processing of personal data related to the interested party, or to oppose said processing;
    f) the right to file a claim with a supervisory authority;
    g) when personal data has not been obtained from the interested party, any information available on its origin;
    h) the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as the importance and the expected consequences of said treatment for the interested party.
  2. When personal data is transferred to a third country or to an international organization, the interested party shall have the right to be informed of the appropriate guarantees under article 46 regarding the transfer.
  3. The data controller will provide a copy of the personal data processed. The controller may charge a reasonable fee based on administrative costs for any other copy requested by the interested party. When the interested party submits the request electronically, and unless they request that it be provided otherwise, the information will be provided in a common electronic format.
  4. The right to obtain a copy mentioned in section 3 will not adversely affect the rights and freedoms of others.

In other words, and looking for an easy explanation, the intention is that the owner of the data is able to access them and know what data has been collected.

Right of Rectification.- It is included in the GDPR in its article 16:

    The interested party will have the right to obtain the rectification of inaccurate personal data concerning him without undue delay from the data controller. Taking into account the purposes of the treatment, the interested party will have the right to complete personal data that is incomplete, including by means of an additional declaration.

An elementary right that recognizes the holder's ability to demand that their data be correct and updated.

Right of Suppression (also called the Right to Be Forgotten).- Article 17 of the GDPR:

  1. a) personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
    b) the interested party withdraws the consent on which the treatment is based in accordance with article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), and this is not based on another legal basis;
    c) the interested party opposes the treatment in accordance with article 21, paragraph 1, and other legitimate reasons for the treatment do not prevail, or the interested party opposes the treatment in accordance with article 21, paragraph;
    d) personal data have been treated illegally;
    e) personal data must be deleted for the fulfillment of a legal obligation established in the law of the Union or of the Member States that applies to the person responsible for the processing;
    f) the personal data have been obtained in relation to the offer of services of the information society mentioned in Article 8, paragraph 1.
  2. When the data controller has made the personal data public and is obliged, by virtue of the provisions of section 1, to delete said data, the data controller, taking into account the available technology and the cost of its application, will take reasonable measures, including technical measures, with a view to informing the controllers who are processing the personal data of the interested party’s request to delete any link to that personal data, or any copy or replica of them.

  3. Sections 1 and 2 shall not apply when the treatment is necessary:
    a) to exercise the right to freedom of expression and information;
    b) for the fulfillment of a legal obligation that requires the processing of data imposed by the law of the Union or of the Member States that is applied to the person responsible for the treatment, or for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person in charge;
    c) for reasons of public interest in the field of public health in accordance with article 9, paragraph 2, letters h) and i), and paragraph 3;
    d) for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with article 89, paragraph 1, to the extent that the right indicated in paragraph 1 could make it impossible or seriously impede the achievement of the objectives of said treatment, or
    e) for the formulation, exercise or defense of claims.

In summary: to have your personal data deleted when they are no longer necessary for the purposes for which they were collected, among other reasons.

 

Right of Limitation.- Article 18 GDPR:

  1. The interested party will have the right to obtain from the data controller the limitation of the data processing when any of the following conditions is met:
    a) the interested party challenges the accuracy of the personal data, during a period that allows the person responsible to verify the accuracy of the same;
    b) the processing is illegal and the interested party opposes the deletion of personal data and requests instead the limitation of its use;
    c) the person in charge no longer needs the personal data for the purposes of the treatment, but the interested party needs them for the formulation, exercise or defense of claims;
    d) the interested party has opposed the treatment under article 21, paragraph 1, while verifying whether the legitimate motives of the person responsible prevail over those of the interested party.
  2. When the processing of personal data has been limited by virtue of section 1, said data may only be processed, with the exception of its conservation, with the consent of the interested party or for the formulation, exercise or defense of claims, or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a particular Member State.
  3. Any interested party who has obtained the limitation of treatment in accordance with paragraph 1 will be informed by the person responsible before said limitation is lifted.

In summary: to have our processing of all or part of your personal data limited in the circumstances determined by law.

Right to Portability.- Article 20 of the GDPR:

  1. The interested party will have the right to receive the personal data concerning him that he has provided to a controller, in a structured, commonly used and machine-readable format, and to transmit them to another controller without hindrance from the controller to which he had provided them, when:
    a) the treatment is based on consent under article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), or on a contract under article 6, paragraph 1, letter b), and
    b) the treatment is carried out by automated means.
  2. By exercising their right to data portability in accordance with section 1, the interested party will have the right to have personal data transmitted directly from controller to controller when technically possible.
  3. The exercise of the right mentioned in section 1 of this article shall be without prejudice to article 17. Such right shall not apply to the treatment that is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller.
  4. The right mentioned in section 1 will not adversely affect the rights and freedoms of others.

In summary: to request the portability of your personal data in an interoperable and self-sufficient format.

 

Right of Opposition.- Article 21 GDPR:

  1. The interested party will have the right to object at any time, for reasons related to their particular situation, to the processing of personal data concerning them that is based on the provisions of article 6, paragraph 1, letters e) or f), including profiling based on these provisions. The controller will stop processing the personal data, unless it demonstrates compelling legitimate reasons for the treatment that prevail over the interests, rights and freedoms of the interested party, or for the formulation, exercise or defense of claims.
  2. When the processing of personal data is aimed at direct marketing, the interested party will have the right to object at all times to the processing of personal data that concerns him, including profiling to the extent that it is related to the aforementioned marketing.
  3. When the interested party opposes the processing for direct marketing purposes, personal data will no longer be processed for such purposes.
  4. At the latest at the time of the first communication with the interested party, the right indicated in sections 1 and 2 will be explicitly mentioned to the interested party and will be presented clearly and apart from any other information.
  5. In the context of the use of information society services, and notwithstanding the provisions of Directive 2002/58/EC, the interested party may exercise his right to oppose by automated means that apply technical specifications.
  6. When personal data is processed for scientific or historical research purposes or statistical purposes in accordance with article 89, paragraph 1, the interested party shall have the right, for reasons related to his or her particular situation, to oppose the processing of personal data concerning him, unless it is necessary for the fulfillment of a mission carried out for reasons of public interest.

In summary: to oppose certain treatments in the circumstances and for reasons related to your particular situation.

As the last element of this section on the rights of data owners, it is important to point out that you may withdraw, at any time, any consent previously granted.

 

12 BEFORE WHICH CONTROL AUTHORITY CAN YOU FILE CLAIMS?

The Regulation, in order to protect the owner of the data, provides a route for cases in which the expected response has not been obtained when exercising rights related to data protection.

  • In these cases, you can file a complaint with the Spanish Agency for Data Protection, the data protection control authority, at the following address:

    C/ Jorge Juan, 6. Madrid (28001)
    URL: agpd.es

 

13 WHEN WILL WE SEND COMMERCIAL COMMUNICATIONS?

When we collect data directly from you, we may ask you whether or not you wish to receive our commercial communications.

In this regard, it should be taken into account that if these communications are related to goods, services or developments related to the relationship with us, we can carry them out under the existing legitimate interest.

This does not have to be the case, but if the commercial communications have no direct connection with the relationship you have with us, or even come from third-party companies, they will always be preceded by your consent.

Consent that, as you know, you may revoke whenever you deem appropriate.

 

14 SOCIAL NETWORKS

EVOLUCIÓN INTERIOR S.L.U. has a profile on some of the main social networks on the Internet and recognizes itself as responsible for the treatment of the data published in those profiles and of the data that users send privately to the mailbox that appears in the profile (for example, questions or advice).

Purpose and legitimation: The treatment that will be carried out with the data within each of the aforementioned networks will be, at most, that which the social network allows for corporate profiles.

Thus, EVOLUCIÓN INTERIOR S.L.U. can inform “our” followers, when the law does not prohibit it, about activities and offers, as well as provide any personalized customer service.

Data extraction: In no case will we extract data from social networks, unless the user’s consent for it was obtained promptly and expressly.

Rights: When, due to the very nature of social networks, the effective exercise of data protection rights is required by some owner, our DPO may inform and advise you for this purpose, to the extent possible.

 

15 DATA SECURITY

From the moment we are responsible for your data and treat it for the relevant purposes, the necessary organizational and security measures will be applied to guarantee integrity, confidentiality, availability, resilience or invulnerability, and to avoid loss, misuse of and unauthorized access to your personal data. All this in accordance with the provisions of the aforementioned Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as what is established in the national regulations that apply.

For security and strictly authorized access, we will block your data if necessary, encrypt it when the action so advises and even anonymize it if we achieve our objective, which is none other than the correct custody and proper use of your personal data.

We have also reviewed our policy regarding data collection, storage and processing, including physical security measures, to prevent unauthorized access to our systems.

In compliance with the principle of data minimization, we limit access to personal information that must be processed and ensure that all participants comply with the strict contractual confidentiality obligations.

Failure to comply with the disciplinary conditions set forth will be sufficient grounds for sanction, contractual termination or dismissal.

 

16 COOKIES

A cookie is a small data file that contains a string of characters and is sent to your computer when you visit a website. When you revisit that website, the cookie allows the site to recognize your browser.

The duration of a cookie on your computer or mobile device depends on whether it is a “persistent” or “session” cookie.

EVOLUCIÓN INTERIOR S.L.U. uses both types of cookies.

Session cookies will only remain on your device while you are browsing.

Persistent cookies remain on your computer or mobile device until they expire or are deleted.

We use the following types of cookies on our website.

Strictly necessary cookies: these cookies are essential for you to browse our website and use its functions. Without these cookies you cannot offer certain.

Performance cookies: these cookies collect information on how our website is used. This data can be used to optimize our website and facilitate navigation.

Functional cookies: these cookies allow our website to remember your options and personalize your experience.

Third-party cookies: third-party cookies are enabled by entities or websites outside EVOLUCIÓN INTERIOR S.L.U. These cookies can be used on our website to improve our products or services or help us offer more relevant ads. These cookies are subject to the corresponding privacy policies of these external services, such as the “data use policy” of Facebook.

Analytical cookies: we use analytical cookies, such as those offered by Google Analytics, to learn about aspects such as how long visitors stay on our website, the pages they find most useful and the way they reach our website.

How to control cookie settings.-

Most browsers allow you to control cookies through settings preferences. However, if you limit the ability of websites to set cookies, your overall user experience may get worse.

Some browsers offer a “Do not track” (“DNT”) signal with which you can indicate your preferences regarding cross-site tracking.

Pixels.-

In addition to cookies, we sometimes use small graphic images called “pixels” (also known as web beacons, transparent GIFs or pixel tags).

We use pixels in email communications that we send to help us know if our email communication has been seen. We also use third-party pixels (such as Google, Facebook and other advertising networks) to help us offer advertising based on your interests.

17 DEFINITIONS

It is our intention to facilitate as much as possible the understanding of the concepts that lie behind your fundamental right to data protection.

Therefore, the following definitions are offered by way of clarification.

However, the company’s Data Protection Delegate is at your disposal for any questions you may have.

  • “Personal data”: all information about an identified or identifiable natural person (the interested party); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, psychic, economic, cultural or social identity of said person.
  • “Treatment” means any operation or set of operations carried out on personal data or personal data sets, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other means of enabling access, collation or interconnection, limitation, deletion or destruction.
  • “Limitation of treatment”: the marking of personal data kept in order to limit its treatment in the future.
  • “Profiling” means any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects related to professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of said natural person.
  • “Pseudonymisation” means the processing of personal data in such a way that it can no longer be attributed to an interested party without using additional information, provided that such additional information is kept separately and is subject to technical and organizational measures aimed at ensuring that personal data is not attributed to an identified or identifiable natural person.
  • “File”: any structured set of personal data, accessible according to certain criteria, whether centralized, decentralized or distributed in a functional or geographical way.
  • “Responsible for the treatment” or “responsible”: the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of the treatment; if the law of the Union or of the Member States determines the purposes and means of the treatment, the person responsible for the treatment or the specific criteria for their appointment may be established by the law of the Union or of the Member States.
  • “Person in charge of the treatment” or “person in charge”: the natural or legal person, public authority, service or other body that processes personal data on behalf of the person responsible for the treatment.
  • “Recipient”: the natural or legal person, public authority, service or other body to which personal data is communicated, whether or not it is a third party. However, public authorities that may receive personal data in the context of a specific investigation in accordance with the law of the Union or of the Member States shall not be considered recipients; the processing of such data by said public authorities will be in accordance with the rules on data protection applicable to the purposes of the processing.
  • “Third party”: natural or legal person, public authority, service or agency other than the interested party, the person responsible for the treatment, the person in charge of the treatment and the persons authorized to process the personal data under the direct authority of the person responsible or the person in charge.
  • “Consent of the interested party” means any manifestation of free, specific, informed and unambiguous will by which the interested party accepts, whether by means of a statement or a clear affirmative action, the processing of personal data concerning them.
  • Violation of the security of personal data means any breach of security that causes the destruction, loss or accidental or unlawful alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication or access to such data.
  • “Genetic data”: personal data relating to the genetic characteristics inherited or acquired from a natural person that provide unique information about the physiology or health of that person, obtained in particular from the analysis of a biological sample of that person.
  • Biometric data: personal data obtained from a specific technical treatment, related to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of said person, such as facial images or fingerprint data.
  • Health data: personal data relating to the physical or mental health of a natural person, including the provision of health care services, that reveal information about their health status.
  • Main establishment:
    • a) as regards a person responsible for the treatment with establishments in more than one Member State, the place of their central administration in the Union, unless decisions on the purposes and means of treatment are taken at another establishment of the person responsible in the Union and the latter establishment has the power to enforce such decisions, in which case the establishment that has adopted such decisions shall be considered as the principal establishment.
    • b) as regards a person in charge of the treatment with establishments in more than one Member State, the place of their central administration in the Union or, if they lack this, the establishment of the person in charge in the Union in which the main treatment activities in the context of the activities of an establishment of the person in charge take place, to the extent that the person in charge is subject to specific obligations under this Regulation.
  • “Representative” means a natural or legal person established in the Union who, having been designated in writing by the person responsible or the person in charge of the treatment in accordance with Article 27, represents the person responsible or the person in charge with regard to their respective obligations under this Regulation.
  • “Company”: a natural or legal person dedicated to an economic activity, regardless of its legal form, including companies or associations that regularly carry out an economic activity.
  • “Business group”: a group consisting of a company that exercises control and its controlled companies.
  • “Binding corporate rules”: the personal data protection policies assumed by a person responsible or a person in charge of the treatment established in the territory of a Member State for transfers or a set of transfers of personal data to a person responsible or a person in charge in one or more third countries, within a business group or a union of companies dedicated to a joint economic activity.
  • “Control authority” means the independent public authority established by a Member State in accordance with the provisions of Article 51 of the GDPR.
  • “Interested control authority” means the control authority affected by the processing of personal data because:
    • a) the person responsible or the person in charge of the treatment is established in the territory of the Member State of that supervisory authority,
    • b) interested parties residing in the Member State of that supervisory authority are substantially affected or are likely to be substantially affected by the treatment, or
    • c) a claim has been filed with that supervisory authority.
  • “Cross-border treatment”:
    • a) the processing of personal data carried out in the context of the activities of establishments in more than one Member State of a person responsible or a person in charge of the processing in the Union, if the person responsible or the person in charge is established in more than one Member State, or
    • b) the processing of personal data carried out in the context of the activities of a single establishment of a person responsible or a person in charge of the processing in the Union, but which substantially affects or is likely to substantially affect interested parties in more than one Member State.
  • “Relevant and motivated objection”: the objection to a proposal for a decision on the existence or not of infringement of this Regulation, or on the conformity with this Regulation of actions envisaged in relation to the person responsible or in charge of the treatment, which clearly demonstrates the importance of the risks involved in the draft decision for the fundamental rights and freedoms of the interested parties and, where appropriate, for the free movement of personal data within the Union.
  • “Information society service” means any service in accordance with the definition of Article 1 (1) (b) of Directive (EU) 2015/1535 of the European Parliament and of the Council.
  • International organization means an international organization and its subordinate entities of public international law or any other body created by means of an agreement between two or more countries or under such agreement.
  • Cookie: Small file that a web server sends to the hard disk of the Internet user who visits it, with information about their preferences and browsing patterns.
  • “IP Address”: number that identifies, in a logical and hierarchical way, a Network Interface (communication / connection element) of a device (computer, tablet, laptop, smartphone) that uses the IP (Internet Protocol) protocol, which corresponds to the network level of the TCP/IP model (example, 205.45.128.30).
  • “Visitor counter”: a computer program that indicates the number of visitors that a given web page has received. Once configured, these counters will be incremented one by one after each visit to the website. Web counters are not necessarily reliable. A webmaster could configure one to start at any large number, giving the impression that their site is more popular than it really is.
  • Browser: Program that allows you to browse the internet or other communications computer network.
  • “Automated decision” – Explanation of Recital 71 of the GDPR: the interested party must have the right not to be the subject of a decision, which may include a measure, that evaluates personal aspects relating to them, is based solely on automated processing and produces legal effects on them or significantly affects them in a similar way, such as the automatic denial of an online credit application or online contracting services in which there is no human intervention. This type of treatment includes the elaboration of profiles consisting of any form of treatment of personal data that evaluates personal aspects related to a natural person, in particular to analyze or predict aspects related to work performance, economic situation, health, personal preferences or interests, reliability or behavior, situation or movements of the interested party, to the extent that it produces legal effects on them or significantly affects them in a similar way. However, decisions based on such treatment should be allowed, including profiling, if expressly authorized by the law of the Union or of the Member States applicable to the controller, including for the purpose of control and prevention of fraud and tax evasion, carried out in accordance with the regulations, standards and recommendations of the institutions of the Union or national supervisory bodies, and to ensure the safety and reliability of a service provided by the controller, or if necessary for the conclusion or execution of a contract between the interested party and a person responsible for the treatment, or in the cases in which the interested party has given their explicit consent. In any case, such treatment must be subject to the appropriate guarantees, which include specific information to the interested party and the right to obtain human intervention, to express their point of view, to receive an explanation of the decision taken after such evaluation and to challenge the decision.
    Such a measure should not affect a minor.

 

Principles in the Protection of Personal Data

  • Personal data will be:
    • a) treated in a lawful, loyal and transparent manner in relation to the interested party (“legality, loyalty and transparency”).
    • b) collected for specific, explicit and legitimate purposes, and will not be treated further in a manner incompatible with those purposes; in accordance with article 89, paragraph 1, the further processing of personal data for the purpose of archiving in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes (“limitation of purpose”).
    • c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”).
    • d) accurate and, if necessary, updated; all reasonable measures will be taken so that personal data that is inaccurate with respect to the purposes for which it is processed is deleted or rectified without delay (“accuracy”).
    • e) maintained in a way that allows the identification of the interested parties for no longer than necessary for the purposes of the processing of personal data; personal data may be kept for longer periods provided that they are processed exclusively for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with article 89, paragraph 1, without prejudice to the application of the appropriate technical and organizational measures imposed by this Regulation in order to protect the rights and freedoms of the interested party (“limitation of the conservation period”).
    • f) treated in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful treatment and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures (“integrity and confidentiality”).
  • The controller will be responsible for compliance with the provisions of section 1 and capable of demonstrating it (“proactive responsibility”).

 

18 WIFI FOR VISITORS

Any interested party who wants to access the WIFI network of EVOLUCIÓN INTERIOR S.L.U. may do so, knowing that information about the connected device is stored, but not about navigation.

In our facilities a specific SSID is offered so that customers and other visitors can surf the Internet for free.

The following data are stored for each device that connects: name, MAC, IP, channel (wifi or ethernet) and moment of connection. Navigation information is not stored.

Purpose and legitimacy: Security measure necessary to know which devices are connected to the company’s network and, where appropriate, to block the connection of unauthorized devices.

 

19 CHANGES IN THE PRIVACY POLICY

EVOLUCIÓN INTERIOR S.L.U. intends its privacy policy to be a living element that is updated as many times as necessary, incorporating new aspects of current affairs and removing those that, due to technological evolution or any other circumstance, enjoy less popularity or importance.

Therefore, EVOLUCIÓN INTERIOR S.L.U. may modify or update this “policy” when necessary.

Check it frequently. It will serve as an element to assess the good practices that we carry out.

When we update this “policy”, we will modify the date of the last update that appears at the beginning of it.

If there is any significant change in the “policy” or in the way in which your personal data is used, you will be notified by publishing a notice of such changes before they become effective or by directly sending you a notification if you have consented.

We share your personal data with your consent or as necessary to complete any transaction or provide any service that you have requested or authorized. For example, we share your content with third parties when you tell us to do so. When you provide payment information to make a purchase, we will share payment data with banks and other entities that process payment transactions or provide other financial services, and for fraud prevention and credit risk reduction. In addition, we share personal data between our subsidiaries and controlled subsidiaries. We also share personal data with suppliers or agents that work on our behalf for the purposes described in this statement. For example, the companies we hire to provide customer service assistance or help protect our systems and services may need access to personal data in order to provide those functions. In such cases, these companies must comply with our privacy and data security requirements and are not allowed to use the personal data they receive from us for any other purpose. We may also disclose personal data as part of a corporate transaction, such as a merger or sale of assets.