Privacy Policy

As you are surely aware, the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (hereinafter RGPD) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), highlights the need to strengthen the levels of security and protection of personal data.

We would like to inform you that IMASA TECHNOLOGIES complies with all the requirements that such legislation demands and that all the data, under our responsibility, are being treated in accordance with the legal requirements and keeping the due security measures that guarantee the confidentiality of the same. However, given the new legislative developments, we believe it is appropriate to bring to your attention and submit to your acceptance the following privacy policy:

Who is the data controller of your data?

In the Legal Notice of this website, the company name of the owner of this website is specified as responsible for the processing of data managed by the same: IMASA TECHNOLOGIES with registered office in Llanera, Parque Tecnológico de Asturias, calle Faya nº 10, CP 33428 ASTURIAS.
Contact Data Protection Officer: rgpd@imasatechnologies.com

For what purposes do we process your personal data?

IMASA TECHNOLOGIES processes the personal data provided for the following purposes:

  • Attention to your queries and requests: Management of Response to Queries, Complaints or Incidents, Requests for technical or corporate information, Resources and/or Activities.
  • Contact management with the interested party through the means of communication provided (mail, postal address and/or telephone) in order to arrange meetings and visits, manage the queries you send us through the channels provided for this purpose, manage notices, communications relating to the service (sending technical documentation (lighting studies, technical data sheets), administrative documentation, invoices, management of payments and collections), coordination of activities, request for authorization to use the facilities, resolution of incidents and coordination of actions arising from the services you request from us by persons related to the organization and/or by persons in charge of the organization and/or those in charge of the installations, administrative documentation, invoices, management of payments and collections), coordination of activities, request for authorization to use facilities, resolution of incidents and coordination of actions derived from the services requested by persons related to the organization and/or by persons in charge of processing contracted by the organization for the purposes legitimized and/or consented to.
  • Offer and Commercial Management of the products and services offered by IMASA TECHNOLOGIES. Contact for the request of commercial data in order to manage the design and proposal of products and services.
  • Management of Regulatory Compliance (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, establishing access controls to the facilities, as well as controls related to the use of images captured by the video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as non-compliance with regulations, crimes or illegal behavior.
  • Internal use, performance of operations and administrative, economic and accounting management derived from the commercial and/or contractual relationship.
  • Management of the organization’s contracting and provision of services, as well as compliance with contractual and regulatory requirements related to the organization or operation requested.
  • Sending commercial communications about products or services similar to those contracted by the customer with whom there is a prior contractual relationship, legitimized under Article 21 of the LSSICE.
  • Quality control of our products and services, quality management of processes and activities, as well as the evaluation of the results of satisfaction/perception and performance of the organization’s stakeholders.
  • Provision of evidence of justification for campaigns, activities, promotions, contests, projects and grants in which the organization participates.
  • Regulatory Compliance Management (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, with the possibility of establishing access controls to the facilities.
  • Profiling, to the extent you have given us your unambiguous consent “In order to provide you with products and services tailored to your interests and to enhance your user experience, we will create a “profile” based on the information you provide. No automated decisions will be made on the basis of this profile”.
  • Evaluation of Equity and Credit Solvency in order to confirm the economic viability of the requested operation, as well as, if applicable, the communication and management associated with the claim of the amounts agreed for the provision of the service.
  • To consult the advertising exclusion systems that could affect its performance, excluding from the processing the data of those affected who have expressed their opposition or refusal to it through the consultation of the advertising exclusion systems published by the competent control authority.
  • Associated management, including its prior communication, which could arise from the development of any operation of structural modification of companies or the contribution or transfer of business or branch of business activity, as long as the processing is necessary for the successful completion of the operation and ensure, where appropriate, the continuity in the provision of services.
  • Inclusion in the whistleblower channel systems of the data associated with the reporting (even anonymously) of the commission within the organization or in the actions of third parties contracting with it, of acts or conduct that could be contrary to the general or sectorial regulations applicable to it.
  • Statistical and historical purposes that allow us to improve the commercial strategy of our products and services.
  • Management and audit of the organization’s process and facility management and compliance systems.
  • Management of Access, Visits and Video Surveillance of Facilities and vehicles, as well as security and regulatory compliance therein, preserving the safety of people, property and facilities, as well as for the exercise of the functions of control of workers provided for in Article 20.3 of the Workers’ Statute, the investigation of possible incidents or accidents, management of associated insurance and management of warnings or penalties for breaches of safety regulations.
  • Dissemination of our best practices referring to the services we have provided and/or the publication and/or communication of graphic material that may incorporate the image of the owner and/or personnel in charge in corporate media (for example and not limited to, web, social networks, newsletters, activity report, reports, presence in the media) and/or other public media (sectorial publications and/or reports in the written press, TV, …..), as dissemination of the results of the activity, promotion and dissemination, management of campaigns, activities and events and/or as accreditation of technical solvency before requests for evidence of justification in bidding processes, technical bids, projects and grants in which IMASA TECHNOLOGIES participates, to the extent that we had unequivocally consented to it.
  • The contact and sending of personal communications, invitations to events and gifts aimed at customers, congratulate you on special dates, conduct quality and satisfaction surveys, as well as to periodically inform you of new developments, news and corporate information, information on publication of grants, competitions, rates, offers, catalogs and promotions of other products and services of IMASA TECHNOLOGIES in order to evaluate the quality of our processes and provide offers of products and services of interest by telephone, written or electronic means through the media provided, to the extent that we had unequivocally consented.
  • The international transfer of your data to the extent strictly necessary to comply with the management of a project in a country outside the EU or because of the location of the processing systems of processing management applications (please note that part of the information processing systems of the processing applications may be located in countries outside the EU).
  • We may carry out international transfers of your data to the extent strictly necessary to comply with the management of the contracted service in a country outside the EU or by the location of the processing systems of processing management applications (we inform you that part of the processing systems of the brand information may be in countries outside the EU. We recommend you to access the privacy policies of the brand).

Likewise, in the case of candidates who provide us with their curriculum vitae, we also process their data for the following purposes:

  • Internal use for selection processes for job positions, for its incorporation to the Job Board and for the offer and management of possible job offers or collaboration that could be generated.
  • Management of competency assessment of candidates and people in selection and/or internal promotion to job positions.
  • Use in connection with the development of the application and its incorporation into the IMASA TECHNOLOGIES Job Bank for the offer and management of possible job offers or collaboration that could be generated, to the extent that you have consented unequivocally. If you do not consent to this purpose, we will not be able to receive your application, since the management of candidates is carried out through the aforementioned employment exchange.
  • Use of your CV in the technical offer to projects in which your incorporation is valued, if you have unequivocally consented to it.
  • Regulatory Compliance Management (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, establishing access controls to facilities, information systems and printing of documentation for all personal data under the responsibility of the organization and therefore for all information systems of said entity, as well as controls related to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as breaches of labor regulations, crimes or unlawful behavior.
  • Management of the Contact with the interested party through the means of communication provided (mail and/or telephone) in order to manage notices and coordinate actions for the management of the selection process by persons related to IMASA TECHNOLOGIES and/or third parties to whom they hire the selection processes of candidates for vacancies or jobs.
  • The completion of the tests and/or aptitude certificates that may be required for personnel selection purposes, which will be optional, will be understood as an expression of the user’s consent for the inclusion of the data provided, as well as, eventually, their evaluation, in the IMASA TECHNOLOGIES* Job Bank database and their automated processing for the purpose of carrying out the selection process. As a consequence of the access to the facilities that may require the performance of such tests and/or aptitude certificates, processing associated with the security of such facilities may be carried out by means of access registration and/or video surveillance systems.
  • Management of Visits and Video Surveillance of the Facilities, as well as security and regulatory compliance therein, preserving the safety of persons, property and facilities, as well as for the exercise of the functions of control of workers provided for in Article 20.3 of the Workers’ Statute, the investigation of possible incidents or accidents, management of associated insurance and management of warnings or penalties for breaches of safety regulations.
  • The international transfer of your data to the extent strictly necessary to comply with your incorporation to a project in a country outside the EU, if you have unequivocally consented to this. Non-acceptance of this clause will prevent its incorporation to the project in that country.
  • Associated management, including its prior communication, which could arise from the development of any operation of structural modification of companies or the contribution or transfer of business or branch of business activity, provided that the processing is necessary for the successful completion of the operation and ensure, where appropriate, the continuity in the provision of services.
  • Inclusion in the whistleblower channel systems of the data associated with the reporting (even anonymously) of the commission, within the organization or in the actions of third parties contracting with it, of acts or conduct that could be contrary to the general or sectorial regulations applicable to it.

In addition, to the extent that you are a supplier/collaborator of the organization, we also process your data for the following purposes:

  • Time and/or attendance or attendance control and monitoring through access registration, video surveillance and confirmation of functional performance both in the organization’s facilities and in facilities of third parties in which the interested party carries out service provision functions to IMASA TECHNOLOGIES (surveillance and control to verify compliance by the supplier/collaborator of the contractual obligations).
  • Evidence of the Organization’s Regulatory Compliance before a third party that requires it: Communication to third parties of those data related to the interested party that are required by them in order to comply with the coordination of business activities, evidence of regulatory compliance of the organization and of the internal regulations of the third party and/or for the management of access to facilities. In those cases in which the interested party unequivocally consents, the communication of the information/documentation required by the third party that are not explicitly included in the established regulatory or legal obligations, but in the internal regulations of the third party, may be carried out, to the extent that the third party has consented to it.
  • Verify compliance by workers with their labor obligations and duties in accordance with article 20.3 of the Workers’ Statute, which empowers the employer to adopt surveillance and control measures for this purpose (controls relating to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as non-compliance with labor regulations, crimes or illegal behavior).
  • Quality management of processes and activities, as well as the evaluation of the results of satisfaction/perception and performance of the organization’s stakeholders. Conducting surveys.
  • Management of the Contact with the interested party through the corporate means of communication provided by the organization (mail and/or telephone) in order to manage notices and coordinate actions by persons related to the organization, as well as providing such means to third parties requesting contact with the interested party. In cases in which the interested party unequivocally consents, the use and provision of private means of contact (e-mail and private telephone numbers) to persons related to the organization and to third parties who request it, may be carried out.
  • Statistical and historical purposes: statistics and performance indicators, health and safety, as well as history of professional relationship with the organization.
  • The management and audit of management systems and/or management of occupational safety and regulatory compliance of processes and facilities of the organization, as well as the reservation of the right to conduct periodic audits at its facilities as part of the agreements reached in the business relationship, in cases where the interested party unequivocally consents.
  • Evidence of the Organization’s Regulatory Compliance before a third party that requires it: Communication to third parties of those data related to the interested party that are required by them in order to comply with the coordination of business activities, evidence of regulatory compliance of the organization and of the internal regulations of the third party and/or for the management of access to facilities. In those cases in which the interested party unequivocally consents, the communication of the information/documentation required by the third party that are not explicitly included in the regulatory or legal obligations established, but in the internal regulations of the third party, may be carried out.
  • Health and safety management (occupational risk prevention and safety surveillance) and compliance assessment.
  • Management of Access, Visits and Video Surveillance of Facilities and vehicles, as well as security and regulatory compliance in the same, preserving the safety of people, property and facilities, investigation of possible incidents or accidents, management of associated insurance and management of warnings or penalties for non-compliance with safety regulations.

And in case you have consented, for the purposes described in the additional consents that you have provided us unequivocally through formal means and/or by checking the boxes enabled in the data protection clauses enabled in the form or base document that has regulated the relationship with IMASA TECHNOLOGIES, depending on the contact channel.

How long do we keep your data?

The data provided will be kept for as long as the lawfulness of the processing relationship is maintained, their deletion is not requested by the data subject following the formalized termination in writing of the relationship with the data subject, with the exception of their retention for the formulation, exercise or defense of claims by the data controller or for the protection of the rights of another natural or legal person and/or for reasons of legal obligation.

In any case, at the end of the relationship, the data of the interested party will be duly blocked, in accordance with the provisions of current data protection regulations.

Accounting and Tax Documentation – For Tax Purposes: The accounting books and other books and records required by the applicable tax regulations (Personal Income Tax, VAT, Corporate Income Tax, etc.), as well as the documentary supports that justify the entries recorded in the books (including computer programs and files and any other supporting documents of fiscal significance), must be kept at least during the statute of limitations period for Tax Offenses – General Tax Law and Criminal Code, Statute of Limitations – 10 years.

Accounting and Tax Documentation – For Mercantile purposes: Books, correspondence, documentation and justifications concerning your business -Commerce Code- 6 years.

Solvency files: Data referring to certain debts, due and payable and not claimed (Art. 20 of LOPDGDD) – as long as the non-compliance persists, with a maximum limit of five years from the due date of the monetary, financial or credit obligation – 5 years.

The images/sounds captured by video surveillance systems shall be deleted within a maximum period of one month from their capture, except when they are to be kept to prove the commission of acts that threaten the integrity of persons, goods or facilities (in which case, the images shall be made available to the competent authority within a maximum period of 72 hours from the time the existence of the recording is known),or are related to serious or very serious criminal or administrative offenses in matters of public security, to an ongoing police investigation or to an open judicial or administrative proceeding (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art.22 LOPDGDD) – 30 days.

Data included in the automated processing created to control access to buildings – Instruction 1/1996 AEPD on automated files established for the purpose of controlling access to buildings – 30 days

Solvency files: Data referring to certain debts, due and payable and unclaimed -LOPD – 5 years

Occupational Risk Prevention Documentation – Documentation on information and training for workers. Occupational accident or occupational disease files – Law on Infractions and Penalties in the Social Order – 5 years.

The data processed in connection with the legal warranty will be retained for the duration of the legal warranty and after the expiration of the legal warranty, for as long as there may be a judicial or administrative claim in connection with the legal warranty.

The data processed for the sending of commercial communications will be kept until you revoke the consent given.

Data relating to candidates who provide their curriculum vitae will be kept for 1 calendar year from the date on which it was received (except in cases where the candidate is selected, in which case it will become part of the HR data processing of the hiring organization), as well as the legally established time periods for the exercise or prescription of any liability action for breach of contract by the interested party or the Organization.

The data of the person making the report and of the employees and third parties are kept in the reporting system to decide on the appropriateness of initiating an investigation into the reported facts as well as subsequently as evidence of the functioning of the model of prevention of the commission of crimes by the legal person, in accordance with the provisions of Article 24 of the LOPDGDD.

Therefore, the data will be kept for as long as the business relationship remains in force, based on the retention periods established by the aforementioned current regulations, as well as the legal or contractual periods established for the exercise or prescription of any liability action for breach of contract by the interested party or the Organization (the Civil Code establishes a period of 5 years to be able to carry out an action for civil liability, a period that is calculated from the date on which compliance with the obligation can be demanded).

What is the legitimacy for the processing of your data?

The legal basis for the processing of your data is the fulfillment of your request. The requested data are necessary for the correct provision of the service.

The execution of a contract, request, offer, order and/or commercial contract.

Comply with a legal obligation: administrative, commercial, tax, fiscal, accounting, civil and financial regulations, current legislation on labor matters, occupational risk prevention (coordination of business activities) and social security and consumer and user protection legislation, as well as the regulations inherent to the contracted operation and those associated with the sector.

To satisfy a legitimate interest of the Controller: Data processing as parties to a commercial relationship and/or contract, which are necessary for its maintenance or fulfillment, data transmissions within business groups for internal administrative purposes, direct marketing, fraud prevention, cases of legitimate interest in which the controller could be an injured party and it was necessary the processing and communication of the data of the non-compliant party to third parties in order to manage regulatory compliance and the defense of the interests of the controller, video surveillance purposes as a legitimate interest of the organization in the protection of its assets, the legitimate interest of direct marketing enabled by the LSSICE (sending commercial communications about products or services similar to those contracted by the customer with whom there is a prior contractual relationship), as well as cases of legitimate interest of specific processing contemplated in the LOPDGDD: Article 19. Processing of contact data and data of individual entrepreneurs; Article 20. Credit information systems; Article 21. Treatment related to certain business transactions (corporate restructuring or business transfers) Article Processing for video-surveillance purposes; Article 23 Advertising exclusion systems; Article 24 Internal complaint information systems).

Security and cases of legitimate interest in which the controller could be an injured party and the processing and communication of the non-compliant party’s data to third parties is necessary in order to manage regulatory compliance and the defense of the controller’s interests.

Art. 20.3 and 4 Royal Legislative Decree 1/1995, of March 24, 1995, approving the revised text of the Workers’ Statute Law (ET): The employer may adopt the measures he deems most appropriate for surveillance and control to verify the worker’s compliance with his labor obligations and duties, keeping in their adoption and application the consideration due to his human dignity and taking into account the real capacity of disabled workers, if any.

In the case of data of candidates who provide their curriculum, the basis of legitimacy of the treatment is the fulfillment of the request for incorporation into the employment exchange of the person concerned through the self-candidacy of the person concerned by sending their cv through the contact channels of the organization and / or selection companies hired for the selection of candidates for vacancies or jobs, as well as to satisfy a legitimate interest of the Responsible: fraud prevention and cases of legitimate interest in which the controller could be an injured party and the processing and communication of the data in the event of non-compliance to third parties is necessary in order to manage regulatory compliance and the defense of the interests of the controller.

Likewise, the legal basis may be determined by the consent of the data subject that has been provided to us unequivocally through formal means and/or by checking the boxes provided for this purpose in the data protection clauses provided in the basic document that has regulated the relationship depending on the contact channel.

To which recipients may your data be communicated?

We only use, transfer or share personal data with third parties as described in this Privacy Policy. IMASA TECHNOLOGIES does not sell or rent your personal data to third parties and will only disclose it to persons or entities if we obtain your prior consent or in compliance or in accordance with applicable law where such consent is not required for a specific transfer. We will share or give third parties access to your personal data when doing so is necessary to achieve one of the purposes described below and in accordance with applicable law:

  • Organizations or persons directly contracted by the Data Controller for the provision of services related to the purposes of processing.
  • Governing Bodies: Board of Directors and Shareholders.
  • Responsible for the Brand for the purposes derived from the contractual relationship (guarantees and responsibilities of the products and services provided) and in case you have consented, for the purposes described in the additional consents.
  • Insurance Agents and Insurers: Insurance underwritten by the organization in case of incidents.
  • Creditworthiness assessment entities in order to evaluate the creditworthiness of the interested party for payment methods or financing conditions that require it.
  • Agencies or bodies of the Public Administration with competence in the matters covered by the purposes of the processing: AEAT (Tax Agency)
  • Financial Institutions: Direct debit of bills and/or collection management of bills and other means of payment.
  • Security Forces and Corps: To the extent that a right of access is required in the investigation of a breach of regulations.
  • Compliance Complaints Channel (Complaints about violations of regulations and code of conduct are forwarded to the Compliance Unit): Access to the data contained in these systems shall be limited exclusively to those who, whether or not they are part of the entity, carry out the functions of internal control and compliance, or to the persons in charge of the processing that may be appointed for this purpose. However, its access by other persons, or even its communication to third parties, will be lawful when it is necessary for the adoption of disciplinary measures or for the processing of the legal proceedings that, if applicable, may be required.
  • Workers’ Representatives/Safety and Health Coordination, External Auditors: In compliance with R.D. 171/2004 – Accreditation delivery of risks by Coordination of Business Activities.
  • Insurance Companies: In the event of a claim, incident or accident, insurance companies are provided to investigate the event in order to determine the scope and coverage of the insurance premium contracted by the data controller.
  • We may carry out international transfers of your data to the extent strictly necessary to comply with the management of a project in a country outside the EU (Entities associated with the import/export of goods: Logistics agents, Customs, ….) or by the location of the processing treatment systems.
  • In the case of data of candidates who provide their curriculum, the possible recipients could also be Organizations or persons directly hired by the Data Controller for the provision of services related to the purposes of treatment: ETT’s and third parties to whom the processes of selection of candidates for vacancies or jobs in IMASA TECHNOLOGIES are contracted.

Under what guarantees are your data communicated?

The communication of data to third parties is made to entities that accredit the provision of a Personal Data Protection System in accordance with current legislation.

What are your rights?

You have the right to obtain confirmation as to whether or not we are processing personal data concerning you.

Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. It is not possible to exercise the right of rectification in the case of video-surveillance processing since, due to the nature of the data -images taken from reality that reflect an objective fact-, it would be an exercise of a right of impossible content.

In certain circumstances, the interested parties may request the limitation of the processing of their data, in which case we will only keep them for the exercise or defense of claims.

In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data, in which case the Data Controller will stop processing the data, except for compelling legitimate reasons, or the exercise or defense of possible claims.

Under the right to portability, data subjects have the right to obtain the personal data concerning them in a structured, commonly used, machine-readable format and to transmit it to another data controller.

In the event that you have given consent for any specific purpose, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on the consent prior to its withdrawal.

Where to go to exercise your rights?

If you wish to exercise your rights, please contact the channel established for the exercise of rights by the data controller: rgpd@imasatechnologies.com so that we can respond to your request in a managed manner.

What information is required to exercise your rights?

In order to exercise your rights, we need to prove your identity and the specific request you are making, as we request the following information:

  • Documented information (writing/e-mail) of the request in which the request is specified.
  • Proof of identity as owner of the data subject to exercise (Name, surname(s) of the data subject and photocopy of the ID of the data subject and/or of the person representing him/her, as well as the document proving such representation (legal representative, if applicable).
  • In the case of exercising rights related to data of deceased persons: Copy of:
    • Family Book or Civil Registry in which the relationship of kinship or de facto relationship with the deceased and/or,
    • Will in which the applicant is declared as heir and/or,
    • Express designation to the applicant person or institution, by the deceased and/or
    • Documentation proving legal representation of the deceased.
  • In the case of exercising rights of rectification and/or suppression: Responsible Declaration of the applicant in which he/she accredits to have the consent of the rest of the persons linked to the deceased for family or de facto reasons as well as his/her heirs to carry out such request.
  • Where the controller has reasonable doubts as to the identity of the natural person making the request, the controller may request that additional information necessary to confirm the identity of the data subject be provided.
  • Address for notification purposes, date and signature of the applicant (in case of writing), or full name and surname (in case of e-mail), or validation of the request in the private area of the communication channel with a personal identity authentication key).
  • When exercising the right of rectification recognized in article 16 of the RGPD, the data subject must indicate in his request to which data he refers and the correction to be made. It must be accompanied, when necessary, by documentation justifying the inaccuracy or incompleteness of the data being processed.
  • Likewise, when we process a large amount of data relating to the data subject and he/she exercises his/her right of access without specifying whether it concerns all or part of the data, the data controller may request, before providing the information, that the data subject specifies the data or processing activities to which the request relates.

What is the General Procedure for Exercising your rights?

Once we receive the required information we will proceed to respond to your request according to the general procedure for exercising IMASA TECHNOLOGIES’ rights:

  • The controller shall provide the data subject with information concerning its actions on the basis of a request pursuant to Articles 15 to 22 (Rights of the data subject), and in any event within one month of receipt of the request.
  • This period may be extended for a further two months if necessary, taking into account the complexity and number of applications.
  • The person in charge shall inform the interested party of any such extension within one month of receipt of the request, stating the reasons for the delay.
  • When the data subject submits the request by electronic means, the information will be provided by electronic means whenever possible, unless the data subject requests that it be provided in another way.
  • Only in cases where the controller’s processing systems so permit, the right of access may be provided through a system of remote, direct and secure access to personal data that guarantees, on a permanent basis, access to its entirety. For such purposes, the communication by the data controller to the data subject of the manner in which he/she may access such system shall be sufficient to consider the request for the exercise of the right as having been complied with. However, the data subject may request from the Data Controller the information referred to in Article 15.1 of the GDPR that is not included in the remote access system.
  • If the controller does not act on the data subject’s request, the controller shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for its failure to act and of the possibility of lodging a complaint with a supervisory authority and of taking legal action.
  • The information provided will be free of charge, except for a reasonable fee for administrative costs. When the affected party chooses a means other than the one offered that entails a disproportionate cost, the request will be considered excessive, and the affected party will assume the excess costs that his choice entails. In this case, only the satisfaction of the right of access without undue delay shall be enforceable against the Data Controller.
  • The controller may refuse to act on the request, but shall bear the burden of proving the manifestly unfounded or excessive nature of the request. For the purposes set forth in Article 12.5 of the GDPR, the exercise of the right of access on more than one occasion during the six-month period may be considered repetitive, unless there is legitimate cause for this.
  • In cases in which you proceed to the exercise of rectification or deletion, we will proceed to block your data: The blocking of the data consists of the identification and reservation of the same, adopting technical and organizational measures, to prevent its processing, including its visualization, except for the provision of the data to the judges and courts, the Public Prosecutor’s Office or the competent Public Administrations, in particular the data protection authorities, for the demand of possible responsibilities derived from the processing and only for the period of prescription of the same. Once this period has elapsed, the data will be destroyed. The blocked data may not be processed for any purpose other than that stated above. (art. 16 RGPD and art.32 LOPDGDD).
  • Where the erasure results from the exercise of the right to object pursuant to Article 21.2 of the GDPR, the Data Controller may retain the data subject’s identification data necessary to prevent future processing for direct marketing purposes. In cases where you do not want your data to be processed for the sending of commercial communications, we refer you to the existing advertising opt-out systems, in accordance with the information published by the competent supervisory authority (AEPD) on its website www.aepd.es.
  • In cases where the processing of personal data is limited, it will be clearly stated in the information systems of the Data Controller.
  • Upon the existence of a certain, due and payable debt, a communication is sent to the debtor at the time of requesting payment about the possibility of inclusion in such systems (organization’s delinquency treatments), with indication of those in which it participates (collection management entities for the management of the relevant claim ….) in the event that the debt is not resolved within a maximum period of 15 days from the notification of insolvency, you are informed about the possibility of exercising the rights set forth in Articles 15 to 22 of the RGPD within thirty days from the notification of the debt to the system, the data remaining blocked during that period.
  • Persons related to the deceased for family or de facto reasons, as well as their heirs, may contact the data controller or data processor in order to request access to their personal data and, where appropriate, their rectification or erasure. As an exception, the persons referred to in the preceding paragraph may not access the data of the deceased, nor request its rectification or deletion, when the deceased had expressly forbidden it or it is so established by law. Such prohibition shall not affect the right of the heirs to access the data of the deceased’s estate.
  • In order to comply with the current regulations on video surveillance Inst. 1/2006 of the AEPD, we inform you that the period of conservation of the recordings is 1 month, as we will not be able to respond to requests formalized in later periods. Likewise, in order to avoid affecting the rights of third parties, in the case of a request for access, we will issue a certificate in which, as precisely as possible and without affecting the rights of third parties, we specify the data that have been processed. Ex. “Your image was recorded in our systems on the ___ day of the month of the year between _ hours and _ hours. Specifically, the system records your access to and exit from the building.

What complaint procedures are available?

If you feel that your rights have not been properly addressed, you have the right to lodge a complaint with the competent data protection authority ( www.aepd.es ).

How did we obtain your data? Through:

  • The interested party or its legal representative, through the communication sent and/or through professional social networks.
  • Commercial partners, events, trade fairs and conferences organized and/or in which the organization participates, legitimate commercial databases, professional social networks, search engines and internet databases, as well as third parties with which the data controller maintains a commercial relationship or service provision and for which it must have your personal data for the processing of the requested service or to fulfill our contractual commitments and fiscal and accounting obligations associated with the service under contract and/or for the verification of regulatory compliance under the responsibility of the organization.
  • In the case of data of candidates who provide their curriculum, the possible origin of the data could be, in addition to the interested party itself, temporary employment companies, entities with which agreements have been established for internships or training programs with commitment to hiring, professional social networks and/or third parties to whom the selection processes of candidates for vacancies or jobs of IMASA TECHNOLOGIES are contracted.

What category of data do we process?

  • The data structure we process does not contain data relating to criminal convictions and offenses, or specially protected data unless the data subject is the beneficiary of a special condition to be considered and provides documentation to prove it, as well as cases in which the holder has special conditions and has to provide documentation incorporating such information so that compliance with such condition can be accredited or justified.
  • Identifying and contact data such as, but not limited to: name, surname, telephone or e-mail, commercial information data, economic, financial data and/or payment conditions; contact data of persons of the organization involved or related to the service object of the contract/request, as well as those related and/or provided with the Consultation, Request for technical or corporate information, Resources and/or Activities, Complaints or Incidents that you formulate, as well as the personal data of third parties that you could provide us with.
  • Commercial data, contact persons for administrative and operational management associated with the execution of the contract/project and workers who will carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational hazards; In the case of workers who will carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational hazards; Licenses or approvals, in the case of workers who will carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational hazards; Commercial information and approval data; Economic, financial data and/or collection conditions; Goods and services provided by the affected party, Financial transactions; Other data: Name, surname and NIF of legal representative, contact details of persons of the organization involved or related to the project object of the contract/order.
  • In the case of data of candidates who provide their resume, the structure of data processed would be, but not limited to, identification and contact data (address, contact telephone and e-mail contact); Academic and professional data relating to training, qualifications and professional experience; Personal data associated with marital status, family data, date and place of birth, age, sex, nationality; Work permit; Employment status data; Other data (career aspirations, leisure and hobbies). To the extent that the candidate reports a disability condition, certificates attesting to it may be required.

How is your personal data stored securely?

  • In connection with the processing of your personal data, we inform you: The Data Controller takes all necessary measures to keep your personal data private and secure. Only authorized persons of IMASA TECHNOLOGIES, authorized personnel of third parties directly contracted by the Data Controller for the provision of services related to the purposes of processing or authorized personnel of IMASA TECHNOLOGIES (who have the legal and contractual obligation to keep all information secure) have access to your personal data. All IMASA TECHNOLOGIES personnel who have access to your personal data are required to agree to respect the Privacy Policy of the Data Controller and the data protection regulations and all employees of Third Parties who have access to your personal data are required to sign confidentiality commitments under the terms established in the current legislation. In addition, it is contractually ensured that third-party companies that have access to your personal data keep it secure. To ensure that your personal data is protected, IMASA TECHNOLOGIES has an IT security environment and takes the necessary measures to prevent unauthorized access. IMASA TECHNOLOGIES has formalized agreements to ensure that we treat your personal data correctly and in accordance with current data protection regulations. These agreements reflect the respective roles and responsibilities in relation to you, and contemplate which entity is in the best position to meet your needs. These agreements do not affect your rights under data protection law. For more information on these agreements, please do not hesitate to contact us.
  • In relation to personal data to which IMASA TECHNOLOGIES could access as a result of the contracted services, we inform you: The provision of services object of the contract may involve physical access by IMASA TECHNOLOGIES staff to premises or facilities likely to store personal data for which the client is responsible for processing. In this sense, IMASA TECHNOLOGIES has signed with its staff clauses that prohibit access to all types of confidential information and, in particular, to personal data belonging to the client, unless the service contemplated in its scope the processing of personal data, in which case, IMASA TECHNOLOGIES would act as processor of the same, establishing in such case the relevant contract in accordance with current data protection regulations that would include among other aspects the object, duration, nature, purpose, category of data to be processed, security measures, obligations and rights of the processor, organizational and technical security measures to ensure confidentiality during the process, as well as the agreements adopted between client and processor in relation to the transmission of security breaches and/or exercise of rights. The non-formalization of the personal data processing service in a contract by the customer, presupposes that IMASA TECHNOLOGIES has no associated responsibility as data processor. Notwithstanding the foregoing, in the event that it becomes aware of any confidential information for the purpose of providing the service, it undertakes to keep it secret, not to disclose or publish it, either directly or through third parties or companies, or to make it available to third parties. This confidentiality obligation is indefinite and shall survive the termination of the contract for any reason. IMASA TECHNOLOGIES undertakes to communicate and enforce the confidentiality obligations established to the personnel under its charge and hired on its behalf.
  • In relation to video surveillance systems, we inform you that IMASA TECHNOLOGIES takes all necessary measures to keep your personal data private and secure and will attend in any case to the provisions of Law 5/2014, of April 4, on Private Security and its implementing provisions. In this regard, it establishes and informs you of the following security measures:
    • DUTY OF INFORMATION: Information is provided about the existence of the cameras and image recording, in order to comply with the duty of information provided in Article 12 of the RGPD through an informative device in a sufficiently visible place identifying the existence of the processing, the identity of the data controller and the possibility of exercising the rights provided in Articles 15 to 22 of the RGPD. A connection code or internet address to this information may also be included in the information device. In any case, IMASA TECHNOLOGIES keeps at the disposal of those affected the information referred to in the aforementioned regulation in the Privacy Policy referenced in the aforementioned device. In the event that the flagrant commission of an unlawful act has been captured, the duty to report shall be deemed fulfilled when at least the video surveillance information device is in place.
    • LOCATION OF THE CAMERAS: IMASA TECHNOLOGIES will only capture images of the public road to the extent that it is essential for the purpose of preserving security. Under no circumstances does IMASA TECHNOLOGIES install sound recording or video surveillance systems in places intended for the rest or recreation of workers or public employees, such as changing rooms, toilets, canteens and the like.
    • SOUND RECORDING: IMASA TECHNOLOGIES will only carry out sound recording when the risks to the safety of the installations, goods and people derived from the activity carried out in the work center are relevant and always respecting the principle of proportionality, minimum intervention and guarantees.
    • MONITOR LOCATION: The monitors where the camera images are displayed are located in a restricted access area so that they are not accessible to unauthorized third parties.
    • CONSERVATION: The images/sounds captured by video surveillance systems shall be deleted within a maximum period of one month from their capture, except when they had to be kept to accredit the commission of acts that threaten the integrity of persons, property or facilities (in which case, the images shall be made available to the competent authority within a maximum period of 72 hours from the time the existence of the recording became known), or are related to serious or very serious criminal or administrative offenses in matters of public security, to an ongoing police investigation or to an open judicial or administrative proceeding (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art.22 LOPDGDD) – 30 days.
    • LABOR CONTROL: The processing is carried out for the exercise of the control functions of workers or public employees provided, respectively, in Article 20.3 of the Workers’ Statute and in the civil service legislation, within its legal framework and with the limits inherent to it. To the extent that the cameras may be used for the purpose of labor control as provided for in Article 20.3 of the Workers’ Statute, employees and their representatives are informed of these control measures established by the employer with express indication of the purpose of labor control of the images captured by the cameras, as indicated in the notice of inclusion clause and in this privacy policy.
    • RIGHT OF ACCESS TO IMAGES: In order to comply with the right of access of the interested parties, a recent photograph and the National Identity Document of the interested party will be requested, as well as details of the date and time to which the right of access refers. The data subject shall not be provided with direct access to camera images showing images of third parties. To avoid affecting the rights of third parties, in the case of a request for access, we will issue a certificate in which, as precisely as possible and without affecting the rights of third parties, we specify the data that has been processed. Ex. “Your image was recorded in our systems on the ___ day of the month of the year between _ hours and _ hours. Specifically, the system records your access to and exit from the facility.”

Changes in Privacy Policy

IMASA TECHNOLOGIES reserves the right to make, at any time, as many modifications, variations, deletions or cancellations in the contents and in the form of presentation of the same that it deems appropriate, so we recommend that you consult our privacy policy whenever it deems appropriate.

If you do not agree with any of the changes, you may exercise your rights according to the procedure described above by sending an email to rgpd@imasatechnologies.com.

With the acceptance and/or validation of the process that serves as the basis for the formalization of your relationship with IMASA TECHNOLOGIES, you expressly consent to the processing of data in accordance with the provisions of the clause and additional information on data protection, as well as to inform and obtain the consent of third parties from whom you provide us with personal data for such processing. If you have checked the corresponding consent box, the legal basis for such purposes is your consent, which you may withdraw at any time.

In compliance with the provisions of the regulations on the protection of personal data, we process the information you provide us (as well as the personal data of other persons that you may provide us) for the purposes specified in this clause and privacy policy. In this sense, he/she declares to have been informed, to consent, as well as to inform and to have the consent of third parties from whom he/she provides us with personal data for such processing.

Likewise, and to the extent that as a result of its relationship IMASA TECHNOLOGIES may have access to personal data and/or confidential information, it is obliged to maintain absolute confidentiality and discretion on the information obtained about the activities, stakeholders and entities related to IMASA TECHNOLOGIES, especially with regard to Personal Data, even after the termination of its relationship with the organization.

By accepting and/or validating the process, you declare that you are over 14 years of age and have legal capacity* and expressly consent to the processing of data in accordance with the provisions of the clause and additional information on data protection. If you have checked the corresponding consent box, the legal basis for such purposes is your consent, which you may withdraw at any time.

(**) In cases where he/she represents a minor under 14 years of age or a person with legal incapacity, he/she responsibly declares to have the parental authority or guardianship of the minor or the corresponding legal representation, whose justification may be required by the Data Controller in order to legitimize the consent accepted.