Confidentiality and Data Protection Policy
CIRCONTROL, S.A. (hereinafter the Entity) is committed to due diligence and compliance with Data Protection regulations.
Below is detailed information on the confidentiality policy and Personal Data Protection in compliance with the provisions of article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of individuals with regard to the processing of personal data and the free movement of these data (General Data Protection Regulation or GDPR) and article 11 of Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPD GDD).
Data Controller details and Data Protection Officer (DPD) contact:
> Identity: CIRCONTROL, S.A.
> Address / C. P: C/Innovació 3. VILADECAVALLS (08232).
> Phone: 93.736.29.40
> E-mail: firstname.lastname@example.org
> Contact details of the RPD / DPD: Jordi Huguet
> Data Protection Channel: https://corporate-line.com/cnormativo-grupcir
Purposes of the treatment
The Entity will process the information provided by interested parties for the following purposes:
> Manage your attention, visit and meeting at our facilities.
> Manage the provision and realization of the contracted services and products.
> Manage any type of request, suggestion or enquiry about our professional services that interested parties make to us.
> Information and commercial communications: processing of your data for the purpose of informing you about activities, articles of interest and general information related to our activity and the services / products contracted.
> Manage data provided by job candidates through the Curriculum Vitae (CV) or other means for the selection and recruitment process.
> Carry out training for third parties interested, such as clients or employees, through e-learning platforms and / or in person.
> Manage the chosen platform for reporting incidents by customers about the products of the Entity.
> Formalize and manage the relationship with the suppliers and collaborators of the Entities.
> Ensure the security of offices, facilities and people through access controls, video surveillance systems and other access control / identification systems.
> Comply with the legal provisions that apply to the Entity and its activities in health, equality and occupational risk prevention matters.
> Manage and attend to the communications presented by the informants through the Internal Information System, in accordance with Law 2/2023, of February 20, regulating the protection of persons who report regulatory infractions and the fight against corruption.
> Manage and control the operation of the internal mechanisms, policies and protocols established by the Entity for compliance and management of the complaint channels for this purpose.
> All those treatments that are applicable to us for the due compliance with the regulations and official / sectoral requirements to which our activity is subject.
To attend to you properly and to manage the aforementioned purposes, your data will be processed in the strictest compliance with Data Protection regulations and with the Policy detailed here. You can exercise your rights at any time (see specific section).
Data retention criteria
> Management of services / products contracted with the Entity: the personal data provided in the contracts, offers and / or service proposals, as well as those of the other people whose intervention is necessary, will be kept for as long as the contracted services are in force. Once the provision of the contracted service / s has ended, the personal data will be kept where liabilities involving the Entity may arise and / or in compliance with other regulatory frameworks applicable to the Entity or with a regulation with the rank of law that requires their retention. Personal data will be kept in a way that allows the identification of the affected persons and the exercise of their Rights, under the technical, legal and organizational measures necessary to guarantee the confidentiality and integrity of the data.
> Curriculum Vitae Management: the Entity, as a rule, keeps each Curriculum Vitae for a maximum period of one year; at the end of this period, it will be automatically destroyed, in compliance with the data quality principle.
> Management of Employment Contracts: personal data will be kept, in any case, for as long as the employment relationship is in force and, once it has ended, where liabilities may arise between the parties and when a regulation with the rank of law requires it.
> Others: the rest of the data and information provided by the user by any means, will be kept for the time necessary to fulfill the purpose for which they were collected.
The Entity processes the personal data of users, clients and potential clients on the following legal bases:
> The consent of the interested parties for the processing and management of any request for information or consultation about our services and products.
> The consent given by job candidates for selection and recruitment purposes.
> The consent of the interested parties to carry out the training given by the Entity.
> The framework for the provision and / or contracting of services / products with the Entity.
> The legitimate interest to send you informative, commercial communications and / or promotional offers related to the activity of the Entity and the services / products contracted by email or any other means.
> Compliance with legal obligations and internal compliance procedures.
> The legitimate interest to ensure the security of offices, facilities and people.
Personal data is not transferred to third parties, except by legal provision.
Personal data is obtained directly from interested parties and our collaborators. The categories of personal data provided by us are as follows:
> Identification data.
> Postal or electronic addresses.
> Data provided and / or consented by the interested parties related and necessary for the management and realization of the requested service / product.
Right of Access, Rectification and Deletion: interested parties have the right to obtain confirmation as to whether the Entity is processing personal data that concerns them, or not. Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
Right to Limitation and Opposition: in certain circumstances, interested parties may request the limitation of the processing of their data, in which case we will only keep them for the exercise or defense of claims. In certain circumstances and, for reasons related to their particular situation, interested parties may object to the processing of their data. The Entity will stop processing the data in this case, except for compelling legitimate reasons, or for the exercise or defense of possible claims.
Right to revoke the consent given: interested parties have the right to withdraw their consent at any time, except in the case of personal data processing provided for in the Data Protection regulations or necessary for the provision of the contracted service, which do not require said consent. However, this withdrawal does not have retroactive effects, so it will not affect the legality of the treatment based on consent previously granted.
These rights can be exercised in our Data Protection Channel, whose access data is detailed at the beginning of this Policy.
Security and Control Measures
In compliance with data protection regulations, the Entity will process personal data by applying the appropriate technical, legal, organizational and security measures, in order to guarantee the confidentiality and integrity of the information it manages in accordance with the provisions of current regulations.
In addition to the above, and more specifically, the Entity applies cybersecurity measures to prevent and manage possible attacks and fraud by cybercriminals that threaten the privacy and protection of the data that our Entity processes and accesses in the scope of its activities and operations.
Likewise, any request received from our Entity concerning changes in payment methods, requests for data or contact persons, confidential (non-public) information, bank and / or credit card data and / or other official data should not be acted on without direct confirmation from our Entity through an alternative channel. We appreciate and need your collaboration in reporting any request of this type, any other possible cyberattack situation in which our Entity may be used, and any possible security risk that you may be aware of.
Internal Information System
The Entity has implemented an Internal Information System (SIIF), which is configured as a fundamental axis for the supervision, control and prevention in the field of regulatory compliance, contemplating the highest commitment, rigor and professionalism in security, confidentiality, data protection, experience, independence and knowledge in the treatment of the communications received.
The internal information channels integrated in the System have been implemented through technical tools, which contemplate all the necessary requirements to provide and guarantee our previous commitments. Likewise, the SIIF guarantees the basic principles of anonymity, adequate registration, conservation and non-alteration, prevention of conflicts of interest, protection of the informant and prevention of reprisals.
Through this System, every informant must communicate in good faith any indication, suspicion or evidence of possible regulatory breaches, crimes, unethical behaviors and, in general, non-compliance with the protocols, rules and codes of conduct of the Entity.
Access to the SIIF has been enabled in a separate section of our website.
In case of disagreements with the Entity regarding the processing of your data, you have the right to file a claim with the corresponding Data Protection Control Authority. In Spain, this Authority is the Spanish Data Protection Agency (www.aepd.es).
Attention and support
Interested parties may communicate to the Entity any questions about the processing of their personal data or interpretation of our Policy, by contacting the Person in charge (RPD) at the address indicated at the beginning of this Policy.