I. PRIVACY AND DATA PROTECTION POLICY
In compliance with the provisions of current legislation, the holder Delaviuda Confectionery Group S.L., hereinafter the website https://delaviudacg.com, commits to adopting the necessary technical and organizational measures according to the level of security appropriate to the risk of the collected data.
Laws incorporated into this privacy policy
This privacy policy is adapted to the Spanish and European legislation in force regarding the protection of personal data on the Internet. In particular, it complies with the following regulations:
- Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, regarding the protection of individuals concerning the processing of personal data and the free movement of such data (GDPR).
- Organic Law 3/2018, of December 5, on the protection of personal data and the guarantee of digital rights (LOPD-GDD).
- Law 34/2002, of July 11, on information society services and electronic commerce (LSSI-CE).
Identity of the data controller
The data controller of the personal data collected on the website https://delaviudacg.com is: Delaviuda Confectionery Group S.L. with CIF(hereinafter, the Data Controller). Its contact details are as follows:
- Address: Calle Cardenal Marcelo Spínola nº2, 3rd floor
- Contact number: 91 383 80 52
- Contact email: [email protected]
- Data Protection Officer details: Consulting & Strategy GFM S.L.
- DPO contact: [email protected]
Register of personal data
In compliance with the provisions of the GDPR and the LOPD-GDD, we inform you that the personal data collected by the Data Controller via the forms on its pages will be incorporated and processed to facilitate, expedite, and comply with the commitments established between the Data Controller and the User, or to maintain the relationship established in the forms filled out by the User, or for the purposes of the website https://delaviudacg.com. Furthermore, in accordance with the provisions of the GDPR and the LOPD-GDD, unless an exception provided for in Article 30.5 of the GDPR applies, a record of processing activities is maintained, specifying, according to their purposes, the processing activities carried out and the other circumstances established in the GDPR.
Principles applicable to the processing of personal data
The processing of the User’s personal data will be subject to the following principles, as collected in Article 5 of the GDPR and in Article 4 and subsequent articles of Organic Law 3/2018, of December 5, on the protection of personal data and the guarantee of digital rights:
- Principle of legality, fairness, and transparency: The User’s consent will be required at all times, after being fully informed of the purposes for which the personal data is collected.
- Principle of purpose limitation: Personal data will be collected for specific, explicit, and legitimate purposes.
- Principle of data minimization: The personal data collected will only be strictly necessary concerning the purposes for which it is processed.
- Principle of accuracy: Personal data must be accurate and always kept up to date.
- Principle of storage limitation: Personal data will be retained only for as long as necessary for the purposes of their processing and for the reasonable time necessary to demonstrate that we comply with our duties and obligations.
- Principle of integrity and confidentiality: Personal data will be processed in a way that ensures its security and confidentiality.
- Principle of proactive accountability: The Data Controller will be responsible for ensuring that the above principles are respected.
Categories of personal data
The categories of data processed on the website https://delaviudacg.com are only identification data. In no case are special categories of personal data within the meaning of Article 9 of the GDPR processed.
Legal basis for the processing of personal data
The legal basis for the processing of personal data is consent. The Data Controller commits to obtaining the explicit and verifiable consent of the User for the processing of their personal data for one or more specific purposes.
The User will have the right to withdraw their consent at any time. Withdrawing consent will be as easy as giving it. In general, the withdrawal of consent will not condition the use of the Website.
In cases where the User must or may provide their data through forms to make inquiries, request information, or for reasons related to the content of the Website, they will be informed if completing any of them is mandatory since this information is essential for the proper conduct of the operation carried out.
Purposes of the processing of personal data.
Personal data are collected and managed by Delaviuda Confectionery Group S.L. to facilitate, expedite, and comply with the commitments and services established between the Website and the User or to maintain the relationship established in the forms that the latter fills out or to respond to a request or inquiry.
At the time the personal data is obtained, the User will be informed of the specific purposes of the processing to which the personal data will be destined, i.e., the uses that will be made of the collected information.
Periods for the retention of personal data
Personal data will only be retained for the minimum time necessary for the purposes of their processing and for the reasonable time necessary to demonstrate that we comply with our duties and obligations.
Recipients of personal data
The User’s personal data will be shared with the following recipients or categories of recipients:
- Individuals and/or organizations linked to the data controller, necessary for providing our services.
Personal data of minors
In compliance with the provisions of Articles 8 of the GDPR and 7 of Organic Law 3/2018, of December 5, on the protection of personal data and the guarantee of digital rights, only individuals over 14 years old may provide their consent for the processing of their personal data lawfully. If the individual is under 14 years old, consent from parents or guardians will be necessary for the processing, and this will only be considered lawful to the extent that they have authorized it.
Confidentiality and security of personal data
The Data Controller commits to adopting the necessary technical and organizational measures according to the level of security appropriate to the risk of the collected data, ensuring the security of personal data and avoiding the accidental or unlawful destruction, loss, or alteration of personal data transmitted, stored, or otherwise processed, or unauthorized communication or access to such data.
The website has an SSL (Secure Socket Layer) certificate, which ensures that personal data is transmitted securely and confidentially; the transmission of data between the server and the User, and vice versa, is completely encrypted.
However, since the Data Controller cannot guarantee the inviolability of the Internet nor the total absence of hackers or others fraudulently accessing personal data, the Data Controller commits to inform the User promptly when a security breach of personal data is likely to result in a high risk to the rights and freedoms of individuals. According to Article 4 of the GDPR, a personal data breach is understood as any breach of security leading to the accidental or unlawful destruction, loss, or alteration of personal data transmitted, stored, or otherwise processed, or unauthorized communication or access to such data.
Personal data will be treated as confidential by the Data Controller, who commits to informing and ensuring, by legal or contractual obligation, that this confidentiality is respected by its employees, associates, and anyone to whom it provides information.
Rights arising from the processing of personal data
The User may exercise the following rights recognized in the GDPR and Organic Law 3/2018, of December 5, on the protection of personal data and the guarantee of digital rights with the Data Controller:
- Right of access: This is the User’s right to obtain confirmation of whether the Data Controller is processing their personal data or not, and if so, to obtain information about their specific personal data and the processing they have carried out or are carrying out, as well as, among other things, information available about the origin of such data and the recipients of communications made or planned regarding them.
- Right of rectification: This is the User’s right to modify their personal data that are inaccurate or, considering the purposes of the processing, incomplete.
- Right to erasure (“right to be forgotten”): The User has the right, unless otherwise established by law, to obtain the erasure of their personal data when they are no longer necessary for the purposes for which they were collected or processed; when the User has withdrawn their consent to the processing, and there is no other legal basis; when the User objects to the processing, and there is no other legitimate reason to continue; when the personal data have been processed unlawfully; when personal data must be erased to comply with a legal obligation; or when the personal data have been obtained following a direct offer of information society services to a minor under 14 years of age. In addition to erasing the data, the Data Controller, taking into account the technology available and the cost of its implementation, must take reasonable steps to inform those responsible for the processing of the personal data of the request of the data subject regarding the erasure of any link to such personal data.
- Right to restrict processing: The User has the right to limit the processing of their personal data. They may obtain a restriction of processing when they contest the accuracy of their personal data; the processing is unlawful; the Data Controller no longer needs the personal data, but the User needs it to formulate claims; and when the User has objected to the processing.
- Right to data portability: If the processing is carried out by automated means, the User has the right to receive their personal data from the Data Controller in a structured, commonly used, and machine-readable format and to transmit it to another Data Controller. Whenever technically possible, the Data Controller will directly transmit the data to that other Controller.
- Right to object: The User has the right to object to…