Data Privacy Policy Webinar

As you may already know, the entry into force of the Regulation (EU) 2016/679 of the European Parliament and of the Council dated April 27, 2016, regarding the protection of personal data (hereinafter RGPD, for its acronym in Spanish) and the Organic Law 3/2018 of December 5 on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD, for its acronym in Spanish), states the need to strengthen the levels of security and protection in terms of personal data.

We hereby inform you that we comply with all the requirements that this legislation demands and that all the data, under our responsibility, is being treated based on in the legal requirements and keeping the necessary security measures that guarantee the confidentiality of the same.

However, given new legislative developments, we believe it is appropriate to inform you about them and submit the following privacy policy so you can express consent:

Who is responsible for the treatment or processing of your data?

Identity: ARMANDO ÁLVAREZ, S.A. (ARMANDO ÁLVAREZ)
Mailing Address: Av. Pablo Garnica, 20 – 39300 Torrelavega (Cantabria) – 39300 Torrelavega – Cantabria
E-mail: gdpr@armandoalvarez.com

For what purpose do we process the personal data you provide to us? (*) The updated list of activities associated with the Armando Alvarez Group is available at www.armandoalvarez.com

  • Offer and Commercial Management to hire the service of participants for a webinar in the app Zoom, management development and promotion of the webinar -including the management of the registration emails, reminders and promotion to be sent to the users who have previously accepted their data processing- and content adaptation for an appropriate communication with the participants.
  • Internal use, development of operations and management arising from the relationship with the user and with the collaborator/lecturer (commercial and/or contractual relationship): Internal use, promotion, offer and management of the contact of interested parties and/or students with the staff and external collaborators (through photos, description and contact form (via LinkedIn + email) through the internal and external website of Agriplastics, as well as through online training media/platforms (transmission and recording of images and presentations through webinar, videos, streaming,….) that can be recorded and used as a “downloadable complaint” to add quality contacts to the data controller’s network (such as downloadable pdfs).
  • Management of the process to hire collaborators and the provision of services by the organization, as well as the compliance of contractual and regulatory requirements related to the organization or operation requested.
  • Management of the contact with the interested party through the means of communication provided (mail, mailing address and/or telephone number) to manage the training activity, manage the queries received through the channels enabled for this purpose, manage notices, communications related to the service (sending documentation or information), coordination of activities, application for the authorization to use the means and facilities or resources, problem resolution and coordination of actions arising from the services requested by people related to the organization and/or by individuals hired for the treatment of the data for legitimate and/or consensual purposes.
  • Sending commercial communications about products or services similar to those hired based on a prior contractual relationship, legitimized according to Article 21 of the Law on Information Society Services and Electronic Commerce (LSSICE, for its acronym in Spanish).
  • Attention/handling inquiries and requests: Response Management for Inquiries, Complaints or Incidents, Requests for Information, Resources and/or Activities.
  • Quality control of our products and services, quality management of processes and activities, as well as the evaluation of the satisfaction/perception results and performance of the organization’s stakeholders.
  • Providing evidence to justify campaigns, activities, promotions, contests, projects and grants where the organization participates.
  • Compliance Management (applicable regulations as well as internal mandatory regulations): Research, monitoring and auditing of controls established for the prevention of crimes, where for the access to the facilities could be established, as well as controls related to the use of images for the investigation of accidents and/or incidents that may occur, as well as breaches of the regulations, crimes or illicit behaviours.
  • Assessment of Financial Solvency and Creditworthiness to confirm the economic viability of the operation requested, as well as, where appropriate, the communication and management associated with the claim of the amounts agreed for the provision of the service.
  • Consult the systems of advertising exclusion that could affect its performance, excluding from the processing the data of those affected who have expressed their opposition or refusal to it through the consultation of the systems of advertising exclusion published by the competent supervisory authority.
  • Associated Management, including prior communication, that may arise from the development of any business structural modification operation or the contribution or transmission of business or branch of business, provided that the treatments are necessary for the proper purpose of the operation and the same guarantee, where appropriate, the continuity of the provision of services.
  • Inclusion in the complaint reporting channel systems of the data associated with the notification (even anonymously) of the commission within the organization or through the actions of third contracting parties, of acts or behaviours that could result contrary to the general or sectoral regulations applicable to the same.
  • Statistical and historical purposes that allow us to improve the business strategy of our products and services.
  • Management and auditing of the organization’s regulatory management and compliance systems for processes and facilities.
  • Dissemination of our best practices regarding the services provided and/or the publication and/or communication of graphic material that may incorporate the image of the owner and/or its staff in corporate media (e.g. and not limited to, web, social media, newsletters, activity memory, reports, media presence) and/or other public media (sectoral publications and/or reports in written press, TV, ….), as the disclosure of the results of the activity, promotion and communication, management of campaigns, activities and events and/ or as accreditation of technical solvency for the requests of evidence of justification in bidding processes, technical offers, projects and grants where the companies of the Armando Alvarez Group participates,* to the extent in which you had unequivocally given us consent.
  • Making contact and sending personal communications, invitations to events and gifts addressed to customers, congratulate you on special dates, conduct quality and satisfaction surveys, as well as to periodically inform you about innovations, news and corporate information for the publication of grants, contests, fees, offers, catalogues and promotions of other products and services of the organization and companies of the Armando Alvarez Group* to evaluate the quality of our processes and facilitate the offers of products and services of your interest by telephone, written or electronic means through the communication means provided, to the extent in which you had unequivocally given us consent.
  • The international transfer of your data to the extent strictly necessary to comply with the management of a project in a country outside the EU or due to the location of the treatment management systems and applications (we inform you that part of the application processing systems and training and/or communications management platforms may be in countries outside the EU. We recommend that you access the privacy policies of those apps). To the extent that if you do not authorize such processing, we will not be able to process your registration request.

How long do we keep the data provided?

  • The data provided will be kept as long as the relationship of lawfulness of the data processing is maintained, its deletion is not requested by the interested party after formal termination in writing of the relationship with the data subject, except for its preservation for the formulation, exercise or defence of claims of the controller of the data or for purposes of the protection of the rights of another natural or legal person and/or due to legal obligation motives.
  • In any case, at the end of the relationship, the Data of the data subject will be duly blocked according to the current data protection regulations.
  • Accounting and Tax Documentation – For Tax Purposes: Accounting books and other mandatory books of records according to applicable tax regulations (IRPF, VAT, IS, etc.), as well as documentary support justifying the entries recorded in the books (including computer programs and files and any other documents of tax significance) should be kept at least during the period in which the Administration has the right to verify and investigate and, consequently, to liquidate tax debt (Arts. 66 to 70 of the General Tax Law). The limitation period of tax offences associated with the verification of the bases or quotas compensated or pending compensation or deductions applied or pending application and to Crimes against the Public Treasury and Social Security – Art. 66 bis General Taxation Law and Criminal Code, respectively. – 4 years. Prescription for violations 10 years.
  • Accounting and Tax Documentation – For Commercial Purposes: Books, correspondence, documentation and justifications concerning your business, duly ordered from the last record included in the books, except as provided by general or special provisions. This commercial obligation extends to both mandatory books (income, expenses, investment goods and provisions in addition to the documentation and justifications supported by notes on the books (invoices issued and received, tickets, rectified invoices, banking documents, etc.) (Art.30 of the Code of Commerce) – 6 years.
  • Solvency/creditworthiness files: Data relating to verified debts, overdue and payable and uncollected debts (Art. 20 LOPDGDD) –as long as the default persists, with a maximum limit of five years from the expiration date of the monetary, financial or credit obligation – 5 Years.
  • The images/sounds captured by the video surveillance systems will be deleted within a maximum period of one month from the capturing, except when they must be kept to prove the commission of acts that violate the integrity of persons, property or facilities (in which case, the images will be made available to the competent authority within 72 hours of becoming aware of the existence of the recording), or if they are related to serious or very serious criminal or administrative offences in the field of public safety, with an ongoing police investigation or with an open judicial or administrative procedure (Instruction 1/2006, of 8 November, of the AEPD (Spanish Data Protection Agency, for its acronym in Spanish), on the processing of personal data for surveillance purposes through camera systems or video cameras and Art.22 of the LOPDGDD) – 30 days.
  • The data included in the automated treatments created to control the access to buildings (Instruction 1/1996, of March 1, of the AEPD, on automated Files established to control the access to buildings) – 30 days.
  • The data processed in connection with the legal guarantee will be kept for the duration of such legal guarantee and upon expiration of the same, during the period when there may be a judicial or administrative claim concerning the legal guarantee.
  • The data processed to send commercial communications will be kept until you revoke the consent granted.
  • The data of the person who issues the communication of a complaint and data related to the employees and third parties are kept in the complaint system to decide on the feasibility of initiating an investigation regarding the facts reported, as well as subsequently as evidence of the model for the preventing the commission of crimes by a legal person, under Article 24 of the LOPDGDD.
  • Therefore, the data will be kept as long as the commercial relationship remains in force, based on the retention periods established by the current regulations already mentioned, as well as the legal or contractual deadlines provided for the exercise or limitation of any liability action for the contractual breach by the interested party or the Organization (the reform of the Civil Code establishes 5 years to carry out a civil liability action, a period that starts as of the date on which compliance of the obligation may be required or demanded).

What are the legal grounds for the processing of your data?

  • The legal basis for the processing of your data is the execution of a contract: fulfilment of your request, offer, order and/or commercial contract, for which the data provided will be communicated to the responsible of the Brand to properly respond, where appropriate, to the guarantees and responsibilities of the products and services provided. The data requested is necessary for the correct provision of the same.
  • Compliance with legal obligations: Regulations with administrative, commercial, tributary, fiscal, accounting and financial regulations, as well as consumer and user protection legislation.
  • Satisfy a legitimate interest of the Responsible party/controller: Data processing as part of a commercial relationship and/or contract, which are deemed necessary for its maintenance or compliance, transmissions of data within business groups for internal administrative purposes, direct marketing, fraud prevention, cases of legitimate interest in which the controller could be the injured party, being necessary the processing and communication of the data regarding the non-compliant individual to third parties to manage regulatory compliance and for the defence of the interests of the controller, video surveillance for purposes of the legitimate interest of the organization in the protection of its assets, the legitimate interest of direct marketing enabled by the LSSICE (sending commercial communications on products or services similar to those hired based on a prior contractual relationship), as well as assumptions of legitimate interest of specific treatments contemplated in the LOPDGDD: Article 19. Processing of contact details and individual entrepreneurs; Article 20. Credit information systems; Article 21. Processing related to the execution of certain commercial transactions (corporate restructuring or business transfers) Article 22. Treatments for video surveillance purposes; Article 23 Advertising exclusion systems; Article 24 Internal Complaint Information Systems).
  • The consent of the data subjects that you have provided us unequivocally through formal means and/or by checking the boxes enabled for this purpose in the data protection clauses enabled in the base document that regulates the commercial relationship according to the commercial channel of contact.

To which recipients can your data be communicated/disclosed?

  • Entity hired for purposes of the management of the webinar as a treatment officer to hire the service of participants for the webinar, management of the development and promotion of the webinar, management of the delivery of registration emails, reminders and promotion to the users who have previously accepted their data processing, adapting the content for a better communication with the participants.
  • Collaborators and staff of the companies of the Armando Alvarez Group* for the coordination of the training activity/webinar.
  • Organizations or individuals directly hired by the Data Controller for the provision of services related to the purposes of data treatment: Subcontracted Entities for the execution of works/services related to the service, Distributors, collaborators and other companies of the Armando Alvarez Group,* Commercial Partners, Advertising/Marketing Agencies, Legal Advice, Tax Advice, Accounting Advice, Collection Management and Credit Insurance Entities, Regulatory Compliance and/or Management Auditors.
  • Other users registered in the training activity/webinar based on the user’s queries or entries.
  • Responsible for the Brand for the purposes arising from the contractual relationship (guarantees and responsibilities of the products and services it provides) and if it has been consented, for the purposes described in the additional consents.
  • Agencies or bodies of the Public Administration with competences in the subject matter of the purposes of the processing: AEAT (State Tax Administration, for its acronym in Spanish).
  • Financial Entities: Management of bills of exchange, transfers and other means of payment.
  • Law Enforcement: To the extent that a justified right of access was required in the investigation of a regulatory breach.
  • Complaints Channel (Complaints about regulatory violations and violations of the code of conduct are sent to the Compliance Unit): Access to the data contained in these systems will be limited exclusively to those who, whether or not they are in within the entity, develop the functions of internal control and compliance, or to those in charge of the processing that could be eventually designated for this purpose. However, the access by other persons, or even communication to third parties, will be deemed lawful when necessary for the enforcement of disciplinary actions or for the processing of feasible judicial proceedings, where appropriate.
  • Others: We may carry out the international transfer of your data to the extent strictly necessary to comply with the management of a project in a country outside the EU or due to the location of the treatment management systems and applications (we inform you that part of the application processing systems and training and/or communications management platforms may be in countries outside the EU. We recommend that you access the privacy policies of those apps). To the extent that if you do not authorize such processing, we will not be able to process your registration request.

Under what guarantees are your data communicated/disseminated?

The communication of data to third parties is made to entities that prove to have a Personal Data Protection System based on the current legislation.

When it comes to organizations to which international data transfers can be made, the standard contractual clauses approved by the data protection control bodies are signed.

  • Anyone has the right to obtain confirmation as to whether or not we are processing personal data concerning them.
  • The people concerned have the right to access their data, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes it was collected for.
  • Under certain circumstances, the interested parties may request the limitation of the processing of their data, in which case we will only keep said data for the pursuit or defence of claims.
  • Under certain circumstances and for reasons related to their particular situation, the interested parties may object to the processing of their data, in which case the Data Controller will stop processing the data, except for compelling legitimate reasons, or the pursuit or defence of possible claims.
  • Under the right to portability, data subjects have the right to obtain the personal data concerning them in a structured format of common use that is machine-readable reading and to transmit said data to another controller.
  • If you have given consent for any specific purpose, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on the consent before your withdrawal.

How can you exercise your rights?

Where should you go to exercise your rights:

If you wish to exercise your rights, please go to the channel established for that purpose by the data controller: gdpr@armandoalvarez.com so that we can answer your request in a managed way.

Information required to exercise your rights:

  • To exercise your rights, we need to prove/confirm your identity and the specific request you are making; therefore, we request the following information:

– Documented information (document/email) petition in which the request is specified.

– Proof of identity as the owner of data subject to the exercise (Name, the surname of the interested party and photocopy of the ID of the interested party and/or the person representing the same, as well as the document proving such representation (legal representative, if applicable).

– In the case of the exercise of rights related to data of deceased persons: we need a copy of:

o Family Book or Civil Registry stating the relationship of kinship or de facto relationship with the deceased and/or
o Will in which the applicant is declared as heir and/or,
o Express designation issued by the deceased to the requesting person or institution and/or
o Documentation certifying the legal representation of the deceased.
o In case of the exercise of rights of rectification and/or deletion: Affidavit of the applicant where the same proves to have the consensus of other people related to the deceased as family members or due to de facto reasons as well as their heirs to carry out such application.

– Where the controller has reasonable doubts regarding the identity of the natural person making the request, the same may request additional information necessary to confirm the identity of the data subject.

– Mailing address for notification purposes, date and signature of the applicant (if presented in writing), or full name and surname (in case of email), or validation of the request in a private area of the communication channel with a personal key to authenticate its identity).

  • By exercising the right of rectification recognised in Article 16 of the RGPD, the person concerned must indicate in the request what is the data subject of the request and the correction to be made. Also, when necessary, said person must include the supporting documentation of the inaccuracy or incompleteness of the data being processed.
  • Likewise, when we process a large amount of data relating to the person concerned and exercise that person’s right of access without specifying whether it relates to all or part of the data, the controller may request that the person concerned specifies the data or processing activities to which the application relates before providing the information.

General Procedure to exercise your rights:

  • Once we have received the information required, we will proceed to respond to your request according to the general procedure for the exercise of rights of the organization:
  • The controller shall provide the data subject with information concerning its activities based on an application under Articles 15 to 22 (Rights of the data subject) and, in any case, within one month as of the date of receipt of the request.
  • That period may be extended by another two months if necessary, considering the complexity and number of applications.
  • The controller shall inform the interested party of any such extensions within one month as of the date of receipt of the request, indicating the reasons for the delay.
  • When the data subject applies by electronic means, the information shall be provided by electronic means whenever possible, unless the data subject requests that it be provided differently.
  • Only in cases where the processing systems of the controller allow so, the right of access may be provided through a system of remote, direct and secure access to personal data that permanently guarantees full access. For that purpose, the communication between the controller and the affected person will be carried out in such a way that the access of the later to the system shall suffice to guarantee that the application for the exercise of the right is addressed. However, the data subject may request to the Data Controller the information referred to in Article 15.1 of the RGPD that was not included in the remote access system.
  • If the controller does not process the request of the data subject, the controller will inform the case as soon as possible, and no later than one month as of the date of receipt of the request, stating the reasons behind its inaction and the possibility of filing a complaint before a control authority and to exercise legal proceedings.
  • The information provided shall be free of charge, except for reasonable fees for administrative costs. When the person concerned chooses a means other than the one offered, which bears a disproportionate cost, the application shall be deemed excessive so that the person concerned shall bear the excess costs that such choice implies. In this case, only the Data Controller will be required to satisfy the right of access without undue delay.
  • The controller may refuse to act regarding the application but shall bear the burden of demonstrating the excessive and manifestly ill-founded nature of the application. For the purposes stipulated in Article 12.5 of the RGPD, the exercise of the right of access may be considered repetitive on more than one occasion within six months, unless there is a legitimate cause for doing so.
  • In cases where you proceed with the rectification or deletion, your data will be blocked: The blocking of the data consists in the identification and preservation of the same, adopting technical and organizational measures, to prevent its processing, including its display, except to make such data available to judges and courts, the Public Prosecutor’s Office or the competent Public Administrations, in particular data protection authorities, for the requirement of possible responsibilities arising from the processing and only for the limitation period thereof. After this period, the data will be destroyed. Blocked data may not be processed for any purpose other than what was already mentioned. (Art. 16 RGPD and Art.32 LOPDGDD).
  • Where the deletion arises from the exercise of the right of opposition under Article 21.2 of the RGPD, the Data Controller may retain the data identifying the affected person necessary to prevent future processing for purposes of direct marketing. In cases where you do not want your data to be processed for the referral of commercial communications, we refer you to existing advertising exclusion systems, according to information published by the competent supervisory authority (AEPD) at its electronic headquarters www.aepd.es
  • In cases where the processing of personal data is limited, such fact will be recorded in the information systems of the Data Controller.
  • In the event of a verified, due and enforceable debt, a communication is sent to the debtor at the time of payment regarding the possibility of inclusion in such systems (treatments of late payment of the organization), indicating those in which participate (collection management entities for the management of the relevant claim …) if the debt is not collected within a maximum period of 15 days from the notification of the insolvency, reporting the possibility of exercising the rights established in the Articles 15 to 22 of the RGPD within thirty days following the notification of the debt to the system, and data will remain blocked during that period.
  • People related to the deceased as family members or due to de facto reasons as well as their heirs may contact the controller or processor to request access to the personal data of the deceased and, where appropriate, its rectification or deletion. As an exception, the people referred to in the preceding paragraph may not access the data of the deceased, or request its rectification or deletion, when the person deceased has expressly prohibited it, or it is so established by law. This prohibition shall not affect the right of heirs to access property-related data of the deceased.

How can a complaint be filed?

If you believe that your rights have not been properly addressed, you have the right to file a complaint with the competent data protection authority (www.aepd.es)

How have we obtained your data?

  • From the interested party or its legal representative
  • Entity hired for purposes of the management of the webinar as a treatment officer to hire the service of participants for the webinar, management of the development and promotion of the webinar, management of the delivery of registration emails, reminders and promotion to the users who have previously accepted their data processing, adapting the content for a better communication with the participants.
  • Other Companies of the Group, Commercial Agents, as well as the Entity with which the controller maintains a commercial relationship or for the provision of services, for which it must have personal data of contact persons for the administrative and operational management to manage their access, incorporation to the project/service object and/or verification of regulatory compliance under the responsibility of the organization.

What category of data do we process?

Identification data of Potential and Effective Users and Collaborators and/or Personnel of Armando Alvarez and contact persons for the administrative and operational management associated with the execution of the webinar or project: data of users who register to participate in the webinar (name, last name, email, company, position and telephone, attendance data, image if applicable, as well as data related to the queries that may be made), data of collaborators and/or employees of Armando who participate in the webinar to use them in the communications (first name, last name, email, position, company, corporate phone, LinkedIn profile and/or other social media accounts and image).

The data structure does not contain data relating to convictions and criminal offences, nor sensitive data, except in cases where the holder is a beneficiary of special conditions and must provide documentation incorporating such information for the holder to prove or justify the compliance of said condition.

How is your data stored securely?

Concerning the processing of your data, we inform you:

The Controller takes all necessary measures to store your data privately and securely. Only authorized personnel of ARMANDO ÁLVAREZ, authorized personnel of third parties directly hired by the Data Controller for the provision of services connected to the purposes of treatment or authorized personnel of companies related to the trade name of ARMANDO ÁLVAREZ (which have a legal and contractual obligation to store all information securely) have access to your data. All the staff at ARMANDO ÁLVAREZ who have access to your data are required to commit to respecting the Privacy Policy of the data controller and the data protection regulations and all employees of Third Parties who have access to your data sign confidentiality agreements under the terms outlined in the current legislation. Also, it is contractually ensured that third-party companies that have access to your data must keep it secure. To guarantee that your data is protected, ARMANDO ÁLVAREZ has an IT security environment and takes the necessary measures to prevent unauthorized access.

The Data Controller has entered into agreements to guarantee that we process your data correctly and according to current data protection regulations. These agreements reflect the respective roles and responsibilities concerning you and include which entity is better prepared to meet your needs. These agreements do not affect your rights under data protection law. For more information about these agreements, please feel free to contact us.

ACCEPTANCE AND CHANGES IN THE PRIVACY POLICY

ARMANDO ÁLVAREZ reserves the right to make, at any time, any modifications, variations, deletions or cancellations in the contents and in the form of presentation of the same that deems appropriate, since we recommend that you consult our privacy policy whenever you deem convenient. If you do not agree with any of the changes, you may exercise your rights under the procedure described by sending an email to gdpr@armandoalvarez.com

In compliance with the provisions of the regulations on the protection of personal data, we process the information you provide us during the commercial relationship (as well as the personal data of other people that you could provide us) for the purposes specified in this privacy policy. In this sense, you declare that you have been informed, that you consent, and that you will inform and have the consent of third parties from which you provide us with personal data for such processing.

With the acceptance and/or validation of the process, you declare to be over 14 years of age and have legal capacity* and expressly consents to the processing of data according to the provisions of the clause and additional information on data protection. If you have checked the corresponding consent box, the legal basis for such purposes is your consent, which you may withdraw at any time.

(*) In cases where a person with legal incapacity is being represented, you responsibly declare to have the corresponding legal representation, the justification of which may be required by the Data Controller to legitimize the accepted consent.