RESPONSIBLE FOR THE TREATMENT

The Data Controller is SPACO, SA, Avenida de la Industria 8, 28760, Tres Cantos (MADRID).

Privacy principles

At SPACO, SA we are committed to working continuously with you to guarantee privacy in the processing of your personal data, and to offer you at all times the most complete and clear information that we can. We encourage you to read this section carefully before providing us with your personal data.
If you are under fourteen years of age, we ask you not to provide us with your data without the consent of your parents.
In this section we inform you about how we process the data of people who have a relationship with our organization. Starting with our principles:
- We do not request personal information, unless it is necessary to provide you with the services you require.
- We never share personal information with anyone, except to comply with the law, or we have your express authorization.
- We will never use your personal data for purposes other than those expressed in this privacy policy.
- Your data will always be treated with a level of protection appropriate to data protection legislation, and we will not subject it to automated decisions.

We have drafted this privacy policy taking into account the requirements of current data protection legislation:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons (GDPR).
- Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPD).
- Royal Decree 1720/2007, of December 21 (RLOPD).

This privacy policy was written on December 6, 2018.
Due to the modification of treatment criteria, in order to facilitate its understanding or to adapt it to current legislation, it is possible that we modify this privacy policy. We will update the date of the same, so that you can check its validity.


Treatments we perform


TREATMENT OF EMPLOYEES
Legal Basis: RGPD: 6.1.b) Treatment necessary for the execution of a contract in which the interested party is a party or for the application at the request of the interested party of pre-contractual measures.
RGPD: 6.1.c) Treatment necessary for compliance with a legal obligation applicable to the person responsible for the treatment.
Royal Legislative Decree 2/2015, of October 23, which approves the consolidated text of the Workers' Statute Law.
Purposes of Treatment: - Management of hired personnel.
- Personal file. Time control. Training. Pension plans. Prevention of occupational hazards.
- Issuance of staff payroll.
- Management of union activity.
Collective: Employees
Data Categories: - Name and surname, DNI/CIF/Identification document, personnel registration number, Social Security/Mutual Insurance number, address, signature and telephone number.
- Special categories of data: health data (sick leave, work accidents and degree of disability, without including diagnoses), union membership, for the exclusive purposes of paying union dues (if applicable), union representative (if applicable), case), proof of attendance from their own and third parties.
- Personal characteristics data: Sex, marital status, nationality, age, date and place of birth and family data. Data on family circumstances: Date of registration and cancellation, licenses, permits and authorizations.
- Academic and professional data: Qualifications, training and professional experience.
- Employment and administrative career detail data. Incompatibilities.
- Presence control data: date/time of entry and exit, reason for absence.
- Economic-financial data: Economic data on payroll, credits, loans, guarantees, tax deductions, loss of salary corresponding to the previous job (if applicable), judicial withholdings (if applicable), other withholdings (if applicable) . Bank data.
Categories of Recipients: - Entity entrusted with the management of occupational risks.
- General Treasury of Social Security.
- Union organizations.
- Financial entities.
- State Tax Administration Agency.
- Main contractors to whom we provide services as subcontractors.
International Transfers: International transfers of data are not planned.
Deletion Period: They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and from the processing of the data.
The economic data of this processing activity will be kept under the provisions of Law 58/2003, of December 17, General Tax.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

CONTACT TREATMENT
Legal Basis: Consent of the interested party
Purposes of Treatment: Respond to your request, send you information and track the request.
Collective: Contact people, clients, suppliers
Data Categories: Name and surname, telephone number, email address
Categories of Recipients: Transfers of data to third parties are not contemplated.
International Transfers: International transfers of data are not planned.
Deletion Period: The contact data will be kept for an indefinite period, or until the interested party requests its deletion.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

CARE TREATMENT RIGHTS OF PEOPLE (ARCO)
Legal Basis: RGPD: 6.1.c) Treatment necessary for compliance with a legal obligation applicable to the person responsible for the treatment.
General Data Protection Regulation.
Purposes of Treatment: Respond to requests in the exercise of the rights established by the General Data Protection Regulation: Right of access, rectification, deletion, limitation, portability and opposition to automated decision-making.
Collective: Natural persons who request it (employees, clients, suppliers, contact persons)
Data Categories: Name and surname, address, signature and telephone number.
Categories of Recipients: Personal data may be communicated to the Control Authority (Spanish Data Protection Agency) within the framework of an investigation for protection of rights initiated by the interested party.
International Transfers: International transfers of data are not planned.
Deletion Period: They will be kept for a period of five years from the moment of the request.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

TREATMENT OF CANDIDATES SELECTION PROCESSES (HR)
Legal Basis: RGPD 6.1.a) The interested party gave their consent to the processing of their personal data for one or more specific purposes.
RGPD: 6.1.b) Treatment necessary for the execution of a contract in which the interested party is a party or for the application at the request of the interested party of pre-contractual measures.
Purposes of Processing: Selection of personnel and provision of jobs.
Collective: Candidates presented for job provision procedures.
Data Categories: - Name and surname, DNI/CIF/Identification document, personnel registration number, address, signature and telephone number.
- Personal characteristics data: Sex, marital status, nationality, age, date and place of birth and family data.
- Academic and professional data: Qualifications, training and professional experience.
- Job detail data.
Categories of Recipients: No transfer of data to third parties is planned.
International Transfers: International transfers of data are not planned.
Deletion Period: They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and from the processing of the data.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

TREATMENT OF SUPPLIERS
Legal Basis: RGPD: 6.1.b) Treatment necessary for the execution of a contract in which the interested party is a party or for the application at the request of the interested party of pre-contractual measures.
RGPD: 6.1.c) Treatment necessary for compliance with a legal obligation applicable to the person responsible for the treatment.
Royal Legislative Decree 2/2015, of October 23, which approves the consolidated text of the Workers' Statute Law.
Law 58/2003, of December 17, General Tax.
Purposes of Processing: - Acquisition of products and/or services that we need for the development of our activity.
- Control of subcontractors if applicable.
Collective: - Suppliers.
- People who work for our suppliers.
Data Categories: - Name and surname, DNI/NIF/Identification document, address, signature and telephone number.
- Employment detail data: job position. Training in occupational safety.
- Economic, financial and insurance data: Banking data.
Categories of Recipients: - Financial entities. (Bill Payment)
- State Tax Administration Agency.
International Transfers: International transfers of data are not planned.
Deletion Period: They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and from the processing of the data, in accordance with Law 58/2003, of 17 December, General Tax,
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

CUSTOMER TREATMENT.
Legal Basis: RGPD: 6.1.a) The interested party gave their consent to the processing of their personal data for one or more specific purposes.
RGPD: 6.1.b) Treatment necessary for the execution of a contract in which the interested party is a party or for the application at the request of the interested party of pre-contractual measures.
RGPD: 6.1.c) Treatment necessary for compliance with a legal obligation applicable to the person responsible for the treatment.
RGPD: 6.1.f) Treatment necessary for the satisfaction of the legitimate interests of the person responsible for the treatment.

Royal Legislative Decree 2/2015, of October 23, which approves the consolidated text of the Workers' Statute Law.
Law 58/2003, of December 17, General Tax.
Purposes of Processing: Supply of our products/services
Collective: Clients
Data Categories: - Name and surname, DNI/NIF/Identification document, address, signature and telephone number.
- Economic, financial and insurance data: Bank details
Categories of Recipients: - Financial entities.
- State Tax Administration Agency.
International Transfers: International transfers of data are not planned.
Deletion Period: They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and from the processing of the data, in accordance with Law 58/2003, of 17 December, General Tax,
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

VIDEO SURVEILLANCE TREATMENT
Legal Basis: RGPD: 6.1.c) the treatment is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party.
Organic Law 2/1986, of March 13, on Security Forces and Bodies.
Purposes of Treatment: Guarantee the safety of people, goods and facilities and labor control.
Collective: Workers, clients and suppliers, users.
Data Categories: Image
Categories of Recipients: The recordings may be communicated to the Security Forces and Corps, and to the Courts and Tribunals, in case of their request, or in case they serve as evidence of the commission of crimes or infractions.
International Transfers: International transfers of data are not planned.
Deletion Period: No more than one month, unless communicated to Security Forces and Corps or/and Courts and Tribunals.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

SECURITY BREAK NOTIFICATION PROCESSING
Legal Basis: RGPD: 6.1.c) Treatment necessary for compliance with a legal obligation applicable to the person responsible for the treatment.
General Data Protection Regulation. Articles 33 and 34
Purposes of Treatment: Management and evaluation of security breaches that occur in our organization.
Collective: Variable: Employees, Clients, Suppliers, Contact Persons (will depend on the security breach)
Data Categories: Variable. (It will depend on the security breach)
Categories of Recipients: - Spanish Data Protection Agency.
- State Security Forces and Bodies.
International Transfers: International transfers of data are not planned.
Deletion Period: They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and from the processing of the data. The provisions of the archives and documentation regulations will apply.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.



YOUR RIGHTS


You have the right to request a copy of your personal data from us, to rectify inaccurate data or complete it if it is incomplete, or, where appropriate, delete it, when it is no longer necessary for the purposes for which it was collected.

You also have the right to limit the processing of your personal data and to obtain your personal data in a structured and readable format.

You can object to the processing of your personal data in some circumstances (in particular, where we do not need to process it to comply with a contractual or other legal requirement, or where the purpose of the processing is direct marketing).

Once you have given us your consent, you can withdraw it at any time. At that moment we will stop processing your data or, where appropriate, we will stop doing so for that specific purpose. If you decide to withdraw your consent, this will not affect any processing that took place while your consent was in force.

These rights may be limited; For example, if to fulfill your request we would have to reveal data about another person, or if you ask us to delete some records that we are obliged to maintain due to a legal obligation or a legitimate interest, such as the exercise of defense against claims. Or even in those cases where the right to freedom of expression and information must prevail.

You can contact us by any of the means indicated in the Data Controller section of this privacy policy, providing a copy of a document that proves your identity (normally your DNI). The most convenient way to exercise your rights is by accessing our RIGHTS PORTAL: https://www.adelopd.com/portalderechos/spaco .

Another of your rights is not to be subject to a decision based solely on automated processing, including profiling that produces legal effects or affects you.

In the event of any violation of your rights, such as, for example, if we have not responded to your request, you have the right to file a claim with the Supervisory Authority regarding data protection. This can be that of your country (if you live outside of Spain) or the Spanish Data Protection Agency (if you live in Spain).

Additional Information


Links to third party websites.
Our website may, on occasion, contain links to other websites. It is your responsibility to ensure that you read the data protection policy and legal conditions that apply to each site.

Third party data.
If you provide us with data from third parties, you assume the responsibility of informing them in advance in accordance with the provisions of article 14 of the RGPD.