1. OBJECTIVE OF THE POLICY
This "Privacy and Data Protection Policy" aims to make known the conditions governing the collection and processing of your personal data by IOT in order to ensure your fundamental rights, honor and freedoms, all in compliance with the current regulations governing the protection of personal data in the European Union. In accordance with these regulations, we need your authorization and consent for the collection and processing of your personal data, so below we set out all the details of interest to you regarding how we carry out these processes, for what purposes, which other entities could have access to your data and what your rights are. For all the above, once you have read and reviewed our Data Protection Policy, it is essential that you accept it as proof of your agreement and consent.
2. DEFINITIONS
«Personal data»: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
«Processing»: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
«Restriction of processing»: means the marking of stored personal data with the aim of limiting their processing in the future.
«Profiling»: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
«Pseudonymisation»: means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
«Filing system»: means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
«Controller»: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
«Processor»: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
«Recipient»: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
«Third party»: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
«Consent of the data subject»: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
«Personal data breach»: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
«Genetic data»: means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
«Biometric data»: means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
«Data concerning health»: means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
«Main establishment»: means:
1. As regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment.
2. As regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation.
«Representative»: means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.
«Enterprise»: means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
«Group of undertakings»: means a controlling undertaking and its controlled undertakings.
«Binding corporate rules»: means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
«Supervisory authority»: means an independent public authority which is established by a Member State pursuant to Article 51.
«Supervisory authority concerned»: means a supervisory authority which is concerned by the processing of personal data because:
1. The controller or processor is established on the territory of the Member State of that supervisory authority.
2. Data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
3. A complaint has been lodged with that supervisory authority.
«Cross-border processing»: means either:
1. Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
2. Processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
«Relevant and reasoned objection»: means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union.
«Information society service»: means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.
«International organisation»: means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
3. IDENTITY OF THE DATA CONTROLLER
Who collects and processes your data?
The Data Controller is that natural or legal person, of a public or private nature, or administrative body, which alone or jointly with others determines the extent and means of the processing of personal data; in case the extent and means of the treatment are determined by the Law of the European Union. In this case, our identification data as Data Controller are the following:
INDIZEN OPTICAL TECHNOLOGIES SL - CIF B84465921
How can you contact us?
Who can help you with our Data Protection Policy?
We have a person or entity specialized in data protection, which is responsible for ensuring that our entity correctly complies with current legislation and regulations. This person is called the Data Protection Officer (DPO) and, if needed, you can contact him as follows:
AURATECH LEGAL SOLUTIONS SLP - CIF B87984621
Email: rgpd@auratechlegal.es - Phone: 0034 91 113 49 63
4. APPLICABLE LAWS AND REGULATIONS
This Privacy and Data Protection Policy is developed based on the following data protection regulations and laws:
5. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
The personal data collected and processed through this website will be treated in accordance with the following principles:
6. SECURITY MEASURES
What do we do to guarantee the privacy of your data?
IOT adopts the necessary organizational and technical measures to guarantee the security and privacy of your data and to prevent their alteration, loss, or unauthorized processing or access, depending on the state of technology, the nature of the stored data and the risks to which they are exposed.
Among others, the following measures stand out:
On the other hand, IOT manages information systems according to the following principles:
7. PURPOSES OF THE TREATMENT
What do we want to process your data for?
We need your authorization and consent to collect and process your personal data, so below we detail the intended uses and purposes:
Web users: Management of potential customers and contacts; management and contact with users.
Social networks: Share information on social networks.
User management: E-commerce.
Patient portal: Management and processing of the patient portal with the interested parties themselves.
Cookies, pixels and tracking: Obtain statistical data on user navigation, identify problems, analyze their preferences and offer them advertising adapted to their interests.
Curriculum management: Personnel selection.
How long do we keep your data?
We use your data for the time strictly necessary to fulfill the reasons indicated above. Unless there is an obligation or legal requirement, the expected storage periods are:
Website users: For a period of 5 years from the last confirmation of interest
Social networks: Until its deletion is requested by the interested party
User management: For a period of 5 years from the last confirmation of interest
Patient portal: For a period of 5 years from the last confirmation of interest. The personal data provided will be kept as long as their deletion is not requested by the interested party and it proceeds, and as long as they are necessary - including the need to keep them during the applicable limitation periods - or relevant to the purpose for which they were collected or registered.
Cookies, pixels and tracking: Other. You must access our cookie policy to know the retention time of each cookie as well as the information that has been collected.
Curriculum management: For a period of 1 year from the last confirmation of interest. The personal data provided will be kept as long as its deletion is not requested by the interested party and it proceeds, and as long as they are necessary - including the need to keep them during the applicable limitation periods - or relevant to the purpose for which they were collected or registered. If you do not update the resume or do not carry out any job search management for a period of one year, your data will be deleted, implying the blocking of them.
8. LEGITIMATION OF TREATMENT
Why do we process your data?
The collection and processing of your data is always legitimated by one or more legal bases, which we detail below:
Users of the website: Explicit consent of the interested party
Social networks: Explicit consent of the interested party
User management: Explicit consent of the interested party
Patient portal: (Art. 6.1.b GDPR) Existence of a contractual relationship with the interested party by contract or pre-contract
Cookies, pixels and tracking: (Art. 6.1.a GDPR) Consent of the interested party
Curriculum management: Explicit consent of the interested party
9. RECIPIENTS OF YOUR DATA
To whom do we transfer your data within the European Union?
Sometimes, in order to comply with our legal obligations and our contractual commitment to you, we are faced with the obligation and need to transfer some of your data to certain categories of recipients, which we specify below:
Social networks: Entities providing social media services
Cookies, pixels and tracking: Companies dedicated to advertising or direct marketing
Curriculum management: Organizations or people directly related to the person in charge. As a result of the management of the authorized purposes, your data may be communicated to job seekers that may interest your profile
10. DATA PROCESSING ACTIVITIES
The following are the data processing activities carried out through the website specifying each of the following sections:
10.1. Main treatment activities
They are those data processing activities whose purposes are necessary and essential for the provision of services:
PATIENT PORTAL
10.2. Optional processing activities
They are those activities of processing personal data whose purposes are not essential for the provision of the service and that are only carried out if the user has marked YES in the consent to carry out these activities.
WEB USERS
SOCIAL NETWORKS
USER MANAGEMENT
COOKIES, PIXELS AND TRACKING
CURRICULUM MANAGEMENT
11. DATA OF MINORS
Minors under 14 years of age may not use the services available through the Website without the prior authorization of their parents, guardians or legal representatives, who will be solely responsible for all acts carried out through the Website by the minors in their charge, including the completion of the telematic forms with the personal data of said minors and the marking, where appropriate, of the boxes that accompany them.
In compliance with the provisions of Article 8 of the GDPR and Article 7 of the LOPD/GDD, only those over 14 years of age may give their consent to the processing of their personal data lawfully by IOT.
12. ORIGIN AND TYPES OF DATA PROCESSED
Where have we obtained your data from?
Users of the website
Social networks
User management
Patient portal
Cookies, pixels and tracking
Curriculum management
What types of your data have we collected and processed?
Users of the website
Social networks
Followers
User management
Registered users
Patient portal
Patients
Cookies, pixels and tracking
Users of the website
Curriculum management / Job board
Employees
Job candidates
13. RIGHTS OF THE INTERESTED PARTIES
What are your rights?
Current data protection regulations grant you a series of rights in relation to the use we make of your data. Each and every one of your rights is strictly personal and non-transferable, that is, they can only be exercised by the owner of the data, after verification of your identity.
Below, we indicate what your rights are:
Right of access: It is the right of the user of the Website to obtain confirmation of whether or not the Data Controller is processing his personal data and, if applicable, to obtain information about his specific personal data and the treatment that the Data Controller has carried out or carries out, as well as, among other things, the available information about the origin of said data and the recipients of the communications made or provided for therein.
Right of rectification: It is the right of the user of the Website to have modified any of their personal data that turn out to be inaccurate or, taking into account the purposes of the treatment, incomplete.
Right of deletion: It is usually known as "right to be forgotten", and it is the right that the user of the Website has, provided that current legislation does not establish otherwise, to obtain the deletion of his personal data when these are no longer necessary for the purposes for which they were collected or processed; the User has withdrawn his consent to the treatment and he does not have another legal basis; the User opposes the treatment and there is no other legitimate reason to continue with it; the personal data have been processed illicitly; the personal data have been the product of a direct offer of information society services to a child under 14 years of age. In addition to deleting the data, the Data Controller, taking into account the available technology and the cost of its application, will take reasonable measures to inform other potential controllers who are processing the personal data of the data subject's request for deletion of any link to that personal data.
Right to limitation of data: It is the right of the User of the Website to limit the processing of their personal data. The Website User has the right to obtain the limitation of processing when he challenges the accuracy of his personal data; the processing is illegal; the Data Controller no longer needs the personal data, but the User needs it to make claims; and when the Website User has objected to the treatment.
Right to data portability: In those cases where the processing is carried out by automated means, the Website User will have the right to receive his personal data from the Data Controller in a structured, commonly used and machine-readable format, and to transmit them to another controller. Whenever technically possible, the Data Controller will transmit the data directly to that other controller.
Right to object: It is the User's right that the processing of their personal data not be carried out, or that the Data Controller cease processing them.
Right not to be subject to automated decisions and/or profiling: The right of the Website User not to be the subject of an individualized decision based solely on the automated processing of their personal data, including profiling, unless current legislation establishes otherwise.
Right to revoke consent: It is the right of the Website User to withdraw, at any time, the consent given for the processing of their data.
Right to file a data protection claim with the Control Authority: Spanish Data Protection Agency.
The interested party can exercise any of the aforementioned rights by contacting the Data Controller and after identifying the User using the following contact information:
You can also exercise your rights before the Data Protection Officer:
Email: rgpd@auratechlegal.es - Phone: 0034 91 113 49 63
How can you exercise your rights in relation to your data?
To exercise your rights of access, rectification, deletion, limitation or opposition, portability and withdrawal of your consent, you can proceed as follows:
Users of the website
Social networks
User management
Patient portal
Cookies, pixels and tracking
Curriculum management
How can you file a claim?
In addition to your rights, if you believe that your data is not being collected or processed in accordance with current Data Protection regulations, you can make a claim with the Control Authority, whose contact details we indicate below:
Agencia Española de Protección de Datos
C/. Jorge Juan, 6. 28001, Madrid (Madrid), España
Email: info@aepd.es - Phone: 912663517
Website: https://www.aepd.es
14. ACCEPTANCE
Your acceptance of this document, which is made available to you, indicates that you understand and accept all the clauses of our privacy policy, and that you therefore authorize the collection and processing of your personal data on these terms. This acceptance is made by activating the "Reading and Acceptance" checkbox of our Privacy Policy. IOT reserves the right to modify this Privacy Policy, in accordance with its own criteria, or motivated by a legislative, jurisprudential or doctrinal change of the Spanish Data Protection Agency. Changes or updates made to this Privacy Policy that affect the purposes, retention periods, data transfers to third parties, international data transfers, as well as any right of the Website User, will be explicitly communicated to the user.
Last updated: December 22, 2021