Privacy Policy - CAVISA, Caolines de Vimianzo

1. Introduction

In Caolines de Vimianzo, S.A.U. we enthuse for the security and confidentiality of the information and, more specifically, the personal data, not only of the users of the website, but of all those people who have any link or relationship with the entity in any of its areas, be they customers, suppliers, staff, etc.

In this regard, in compliance with the provisions of the data protection regulations, this is EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the movement of such data (GDPR) and Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (LOGDPDD), we proceed to the elaboration of this policy, where we offer information on the processing of personal data managed by the entity.

2. Data Controller

In terms of data protection Caolines de Vimianzo, S.A.U. should be considered Data Controller, in relation to the files/treatments it manages.

The following are the identifying data of the owner of this website:

Main Headquarters

Mailing address: Place of Cerbán-Castrelo, 19. 15128. Vimianzo

E-mail address: info@e-cavisa.com

Phone: +34981716125

3. Purposes and legal bases

Completing the basic information on data protection provided through each of the data collection channels, the following provides the additional information regarding the purposes, legitimizing bases of the following files or treatments:

Customers

The data will be processed for the following main purposes, being the legal basis that legitimizes these processing synages the execution of a contract to which the data subject is a party (art. 6.1.b) GDPR), as well as compliance with legal obligations (art. 6.1.c) GDPR):

Management and provision of the requested or contracted service.
Administrative management, what it entails, billing management, management of non-payment of fees, processing of insurance.

Personal

The data will be processed in order to manage all services linked to the field of human resources, which entails, fiscal and administrative accounting management, payroll management, training management and management of prevention of occupational risks and time control, among others.

The legal basis that legitimizes the processing is, in general, the execution of a contract to which the data subject is a party (art. 6.1.b) GDPR), as well as compliance with legal obligations (art. 6.1.c) GDPR).

Suppliers

The data will be processed in order to manage the contractual relationship, which involves accounting, tax and administrative management and payment management of the services, among others. The legal basis that legitimizes this processing is the performance of a contract to which the data subject is a party (art. 6.1.b) GDPR), as well as the fulfilment of legal obligations (art. 6.1.c) GDPR).

Web Users

Through the website, personal data are collected for various purposes, including:

Contact section for inquiries, complaints, suggestions or complaints
Analysis of browsing habits through analytical cookies (see Cookies Policy published on the website).

The legal basis that legitimizes the processing is the consent of the data subject through electronic forms with automated consent system.

Video surveillance

The images captured through the video surveillance systems installed in the headquarters of the entity will be treated in order to guarantee the security of the goods, facilities and people who access them. The legal basis for the processing is that they are installed for the fulfillment of a mission carried out in the public interest (Art. 6.1. e. GDPR).

In addition, the cameras are installed for another additional purpose, that is, to monitor the quality and performance of workers, as well as to verify the fulfilment of labour obligations and duties, being the legitimizing basis of the Article 20.3 of the Workers' Statute.

Curricula

The entity receives curricula through various channels, mainly in person or through general corporate accounts, so that they, in case they are curricula that may fit into one of our applications are dealt with with the to carry out the necessary selection processes. However, if the curriculum does not fit or fit into any of the positions of the entity, it will be eliminated or destroyed definitively.

The legitimizing basis of the processing is the express consent of the data subject.

4. Data transfers or communications

For the management of certain services offered by the entity it is necessary to allow access to certain data to third-party service providers contracted for this purpose, in this sense, the entity proceeds to sign the respective contracts necessary processors, and has given the precise instructions to the different service providers or processors, to ensure the security and integrity of the data to which they have access in connection with the provision of the service Hired.

Apart from the above cases, your personal data will not be transferred to third parties, except in the following cases:

Customers, staff and suppliers

Data may be communicated to the following groups of recipients:

Public administrations: if required under a rule, for example, State Agency of the Tax Administration, and other competent tax or other authorities, in order to comply with the obligations imposed by the legislation in force.
Banking entities: for the management of the collection and payment of services.

Video surveillance

Data may be communicated to the Security Forces and judicial bodies upon request.

5. Data retention period

Customers: the data will be kept until the end of the contractual relationship and will be kept, duly blocked, during the limitation periods of the responsibilities that may be enforceable.
Personal: the data will be kept until the end of the contractual relationship and will be kept, duly blocked, during the limitation periods of the responsibilities that may be enforceable. For example, in the case of time registration, the data will be kept for the period of 4 years.
Suppliers: the data will be kept until the end of the contractual relationship and will be kept, duly blocked, during the limitation periods of the responsibilities that may be enforceable.
Web users: the data will be kept as long as they are necessary to serve the purposes indicated.
Video surveillance: will be kept for one month.
Curriculums: the data will be kept as long as the curriculum profile can fit into one of our applications, making filters and cleaning documents.

6. Revocation of consent

In cases where the processing of personal data is based on consent, the Interested Parties are informed of the right to withdraw their consent at any time, in a simple and free way, by writing to the address of the controller or through the following email address info@e-cavisa.com, attaching a copy of their ID or equivalent document. The revocation of consent shall not affect the lawfulness of the processing based on the consent prior to its withdrawal.

7. Rights of interested parties

The data protection legislation grants a number of rights to data subjects or data subjects, these rights that assist interested persons are as follows:

Right of access: right to obtain information on whether your own data are being processed, the purpose of the processing being carried out, the categories of data concerned, the recipients or categories of recipients, the period of preservation and the source of such data.
Right of rectification: right to obtain rectification of inaccurate or incomplete personal data.
Right to delete: right to obtain the deletion of the data in the following cases:
- When the data is no longer necessary for the purpose for which they were collected
- When the holder of the same withdraws the consent
- When the data subject objects to the treatment
- When they must be removed in compliance with a legal obligation
- Where the data have been obtained under an information society service on the basis of Article 8(8) of the European Data Protection Regulation.
Right to object: right to object to a certain processing based on the consent of the data subject.
Right of limitation: right to obtain the limitation of the processing of data when one of the following situations occurs:
- When the data subject challenges the accuracy of the personal data, for a period that allows the company to verify the accuracy of the same.
- Where the processing is unlawful and the data subject objects to the deletion of the data.
- When the company no longer needs the data for the purposes for which they were collected, but the interested party needs it for the formulation, exercise or defense of claims.
- Where the data subject has objected to the processing while checking whether the legitimate reasons of the company prevail over those of the data subject.

The interested parties may exercise the rights indicated, by contacting the entity, by writing, sent to the following address: info@e-cavisa.com indicating in the subject line the right that you wish to exercise.

In this sense, the entity will respond to its request as soon as possible and taking into account the deadlines provided for in the data protection regulations.

Furthermore, it should be borne in mind that the data subject or data subject may at any time lodge a complaint with the competent supervisory authority.

8. Security

The security measures adopted by the entity are those required in accordance with Article 32 of the GDPR. In this sense, the entity, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of variable probability and severity for the rights and freedoms of persons has the appropriate technical and organisational measures in place to ensure the level of security appropriate to the existing risk.

In any case, the entity has sufficient mechanisms in place to:

Ensure the permanent confidentiality, integrity, availability and resilience of treatment systems and services.
Restore availability and access to personal data quickly, in the event of a physical or technical incident.
Check, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to ensure the safety of the treatment.
Pseudonymize and encrypt personal data, if applicable.