DATA PROTECTION POLICY
1. WHO IS THE DATA CONTROLLER?
The Data Controller is the company GRUPO HAFESA SUMINISTROS PETROLIFEROS S.L., with Tax ID B95840583 and registered in the Mercantile Register of Madrid, Folio 159, Volume 34623, Sheet M622897 Entry NA, for the processing of those personal data that are processed through the website www.grupohafesa.com
Contact details for data protection purposes:
Address: Calle Orense 34, Edificio Norte, Planta 1ª Izda, 28020 Madrid (Spain)
Telephone: +34 917839410
2. WHAT IS THE PURPOSE AND THE LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA?
The processing of your data has the purposes and the corresponding legal bases that are described below.
All our forms have verification boxes that must be checked to access the services that are offered.
1. Website contact:
Purpose: Send you the requested information and answer any questions you may have asked through the contact sections provided on the website.
Legal basis: The legal basis is the consent given.
Purpose: Take part in the selection processes we may carry out. If we receive your curriculum through the form on the website, we may include it in the staff selection processes we organize. To this end, you authorize us to analyze the documents you send so as to assess your application and, if appropriate, offer you a job. If you are not selected, we may store your curriculum so as to include it in future recruitment processes for up to one year, unless you state otherwise.
Legal basis: Express consent when you send us your curriculum.
- The legal basis for the processing of data through cookies, in the case of technical cookies, i.e., those cookies that are essential to browse this website and receive the services offered through it, is the agreement by which you decide to use this website and its services.
- The legal basis for the use of the rest of the cookies is the user’s consent, which is requested when you access this website and can be withdrawn at any time. The withdrawal of said consent will not affect the possibility of browsing this website and using its services, nor will it affect the lawfulness of the data processing that may have been carried out before the withdrawal.
4. Social media Contacts:
Purpose: The website may host other social media applications or services in order to allow the exchange of content. Any personal information provided by the user may be shared with other users of that service, over whom we have no control whatsoever.
We process your personal data in order to (i) answer your questions and requests, (ii) manage the requested service, interact with you and create a community of followers.
The website may offer features to share content through third-party applications, such as LinkedIn, Twitter, Facebook and YouTube. These applications may collect and process information related to the user’s browsing on the different websites. Any personal information that is collected through these applications may be used by third-party users. Their interactions are subject to the privacy policies of the companies that provide the applications.
Legal basis: The legal basis for the processing of your data is the acceptance of the contractual relationship with the provider of the social network concerned, stated when registering on their application and subject to their privacy policies, which are external to us and over which we have no control.
5. Exercise of data protection rights or claims:
Purpose: When your enquiry is related to the exercise of data protection rights, about which we will inform you below, or with claims related to our services, the purpose is to deal with the user’s request or claim. To fulfil these obligations, we may disclose your data to Public Administrations and Courts, provided this information is requested through the established legal processes.
Legal basis: The legal basis to process your data is compliance with legal obligations.
3. WHAT TYPE OF DATA DO WE PROCESS AND HOW DO WE OBTAIN THEM?
For the purposes described in the previous section it is a set of personal data that can be divided into the following sources:
- Data provided directly by the user: As sent through the different forms on the website or any other means available to you. The user guarantees that the data provided for the provision of the requested services truly correspond to their actual situation and will notify any change that may affect them. Consequently, the user will be liable to the Provider for any damages caused as a consequence of the failure to comply with the obligations undertaken in this clause.
- Data collected indirectly: All those data which, if consent has been given, are collected by the Provider from external sources.
- Data derived from the provision of the service itself: All those data collected during the provision of the service.
4. HOW LONG WILL WE RETAIN YOUR DATA?
The data you provide shall be retained, on a general basis, as long as there is a relationship between us or you do not exercise your right of erasure, objection to and/or limitation of processing, in which case, the information will be blocked and given no use other than its being retained while it may be necessary for the exercise or defence of claims or while some kind of liability that has to be addressed may derive.
After that time, the data will be erased in accordance with the provisions in the data protection regulations, which involves their being blocked and available only at the request of Judges and Courts, the Prosecution Service or the appropriate Public Administrations, in particular the Data Protection Administration, during the limitation period for the actions that may derive, to be subsequently deleted.
Limitation periods vary depending on the type of service; by way of example, the limitation period for most personal civil actions is usually 5 years.
In addition to the general processing in the previous section, the following will be observed with regard to data retention:
- Data from Clients: retention period of 4 years (Art. 66 and following of the General Taxation Law) and 6 years for accounting records and invoices (Art. 30 of the Code of Commerce).
- Data included in curricula vitae: up to 1 year for future selection processes unless it is stated otherwise.
- Data provided to receive information of interest: from the time the User gives their consent to the time they withdraw it.
5. WHAT ARE YOUR RIGHTS WHEN YOU PROVIDE YOUR DATA TO US?
Data protection regulations grant you a number of rights related to the data processing our services involve, which can be summarized as follows:
- Right of access: Know the type of data we are processing and the characteristics of the processing we are carrying out.
- Right to rectification: Be able to request the modification of your data due to their being inaccurate or untrue.
- Right to portability: Be able to obtain a copy in an interoperable format of the data that are being processed.
- Right to restriction of processing, in those cases defined in the Law.
- Right to erasure: Request the erasure of your data when the processing is no longer necessary.
- Right to object: Request not to be sent commercial communications in the stated terms.
- Right to withdraw the consent given.
- In the case of cookies, these rights may be exercised subject to the limitations derived from the nature of these files.
To exercise these rights, you must send an express request, together with a copy of your ID card or similar ID document (in case we are not able to identify you) using the means stated below. If once the request has been made, you do not receive an answer in due time and form from us, or you find it unsatisfactory, you are informed that the appropriate control authority is the Spanish Data Protection Agency (www.aepd.es).
- E-MAIL to the address email@example.com with subject Data Protection and Right you wish to exercise. This request must be sent from the email address that you included in our forms. Otherwise, it will not be displayed, due to our considering that your identity has not been sufficiently established.
On the website of the Spanish Data Protection Agency (AEPD) you will find a number of templates that will help you exercise your rights.
We expressly inform and guarantee users that their personal data will in no event be disclosed to third parties except when required by law. Any exception to this will require prior express, informed and unambiguous consent.
7. SECURITY MEASURES
In accordance with the provisions in the regulations in force on personal data protection (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and Organic Law 3/2018 of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights), we comply with all the provisions for the processing of the personal data we are responsible for as well as the principles described in Article 5 of the GDPR, under which personal data are processed in a lawful, fair and transparent manner with regard to the data subject, and are adequate, relevant and limited to what is necessary in connection with the purposes for which they are processed.
The website uses HTTPS (secure connection). This is a security protocol that makes your data travel in a safe and secure manner, that is, the transfer of data between a server and the web user, as well as the feedback, is totally encrypted.
We guarantee that we have implemented appropriate technical and organizational policies to apply the security measures established in the GDPR and the LOPDGDD to protect your rights and freedoms, and provided all the necessary information for you to exercise your rights. We have installed all the means and technical measures available to us to prevent the loss, misuse, alteration, unauthorized access and theft of the personal data you provide to us. Nevertheless, you must be aware of the fact that security measures on the Internet are not impregnable.
Minors (children under 14) cannot use the services available through the website without the prior authorization from their parents, guardians or legal representatives, who will be solely responsible for all the actions carried out on the website by the minors in their care, including filling in forms with the personal data of said minors and checking, where appropriate, the boxes that go with them. We assume no responsibility for the truthfulness and accuracy of the data they may enter.
The processing of the personal data of a minor can only be based on their own consent when they are over fourteen years of age.
An exception is made in those cases in which the law requires the attendance of those who hold the parental authority or guardianship to carry out the legal action or transaction in whose context the consent for the processing is sought.
The processing of data of children under 14, based on consent, will only be lawful if it can be proved that it has been given by those who hold parental authority or guardianship, within the scope determined by those who hold parental authority or guardianship.
Regardless of the above, we may terminate, suspend or interrupt at any time, with no prior notice, the access to the contents of the Website, without the User being entitled to any kind of compensation.