Privacy policy

 

In compliance with the provisions of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, GDPR) and Article 11 of Organic Law 3/2018,  of 5 December 2018, on the protection of personal data and guarantee of digital rights, we inform you of the following:

The User must carefully read this Privacy Policy, drafted in clear and accessible language to facilitate its understanding, in order to allow the User to determine in a free, informed and voluntary manner whether they wish to provide their personal data or those of third parties to BUFETE PRAT & ROCA, S.L.P. (hereinafter, the Entity).

Who is responsible for the processing of your personal data?

• Data controller: BUFETE PRAT & ROCA, S.L.P.
• NIF: B61840120
• Address: CALLE TUSET, 10 – 1 3, CP 08006, BARCELONA (BARCELONA).
• E-mail Personal Data Protection Officer: ROCAPLA@PRATROCA.COM
• Data Protection Channel: https://corporate-line.com/cnormativo-prat-roca

What do we process your personal data for and how long will we keep it for?

The Entity will process the personal data that it contains for the following purposes and during the storage periods indicated below:

• To manage the provision and performance of the contracted services and/or products. The personal data provided in the contracts, offers and/or proposals for services, as well as those of other people whose intervention is necessary, will be kept for as long as the contracted services are in force. Subsequently, the data will be kept duly blocked during the limitation periods of any legal action that may arise and/or the legally enforceable periods.
• To manage any type of request, suggestion, complaint, claim and/or request related to our services and/or contracted products that the User or the interested person formulates through the email or contact form on the website; carrying out their management and, if appropriate, transferring them to the corresponding department for appropriate attention and compliance with the applicable regulatory framework, keeping personal data for the time necessary to fulfil this purpose. Subsequently, the data will be kept duly blocked during the limitation periods of any legal action that may arise and/or the legally enforceable periods.
• To manage the sending of informative communications by email in relation to services similar to those already contracted by the Client. Personal data will be kept until the User opposes the processing. Subsequently, the data will be kept duly blocked during the limitation periods of any legal action that may arise and/or the legally enforceable periods.
• Where appropriate, to manage the sending of commercial communications (mailings). Personal data will be kept until the User revokes the consent given through the newsletter subscription form. Subsequently, the data will be kept duly blocked during the limitation periods of any legal action that may arise and/or the legally enforceable periods.
• Manage the voluntary collection or sending of your CV (self-application) through contact email or the website. Personal data will be kept until your consent is revoked or, at the latest, for a period of one (1) year from the receipt of your CV. Subsequently, the data will be kept duly blocked during the limitation periods of any legal action that may arise and/or the legally enforceable periods.
• Guarantee the safety of the facilities and people through the video surveillance systems, where appropriate, installed. Personal data will be kept for a maximum period of 30 days or, where appropriate, for the time essential for compliance with legal obligations applicable to the data controller. Subsequently, the data will be kept duly blocked during the limitation periods of any legal action that may arise and/or the legally enforceable periods.
• Comply with the professional relationship established with our suppliers for the management of the services contracted by the Entity. Personal data will be kept for the time necessary for the management of the contracted service and the time essential for compliance with legal obligations applicable to the data controller. Subsequently, the data will be kept duly blocked during the limitation periods of any legal action that may arise and/or the legally enforceable periods.
• Manage and control the operation of the internal mechanisms, policies and procedures established by the Entity for regulatory compliance purposes. Personal data will be kept for the time necessary to comply with legal obligations applicable to the data controller. Subsequently, the data will be kept duly blocked during the limitation periods of any legal action that may arise and/or the legally enforceable periods.
• Manage requests received through the Data Protection Channel enabled. Personal data will be kept for the time necessary to comply with legal obligations applicable to the data controller. Subsequently, the data will be kept duly blocked during the limitation periods of any legal action that may arise and/or the legally enforceable periods.
• Comply with the legal provisions that apply to the Entity. Personal data will be kept for the time necessary to comply with legal obligations applicable to the data controller. Subsequently, the data will be kept duly blocked during the limitation periods of any legal action that may arise and/or the legally enforceable periods.

What categories of data do we process and where does it come from?

In general, the Entity may process identification and contact data, professional data (company/position), billing and contract management data, and, where applicable, image (video surveillance) and data contained in the contact channels.

Personal data will generally come from the User or the entity/company they represent within the framework of the contractual or pre-contractual relationship.

Why can we process your personal data?

The processing of personal data collected by the Entity is carried out on the basis of different legitimations:

• Performance of a contract

The processing is necessary for the performance of a contract to which the data subject is a party, such as the management of the requested services or the management of the contract signed between the suppliers and the Entity.

• Compliance with a legal obligation

The Entity carries out processing to comply with the legal obligations that are applicable to it or the management of requests to exercise rights received through the Data Protection Channel.

• Consent of the data subject

The processing is based on the free, specific, informed and unequivocal consent granted by the interested party in the following situations: sending their curriculum vitae (CV) and sending suggestions, complaints and/or requests through the contact forms available on the website or receiving commercial communications via email (mailings).

• Legitimate interest of the Entity

The Entity may process personal data when necessary to satisfy its own legitimate interests, provided that the fundamental rights and freedoms of the data subject do not prevail. These interests include: guaranteeing the security of the facilities through video surveillance systems or sending informative communications related to products or services similar to those previously contracted by the User.

Who do we provide your personal data to?

The Entity may communicate your personal data to the following recipients:

• Companies in charge of the processing that provide their services to the Entity with which the corresponding data processor contract has been signed and that have the appropriate security measures.
• Any other third party to whom it is necessary for compliance with a legal obligation.
• International transfers: in general, no international transfers of data outside the European Economic Area are envisaged. If, exceptionally, they are necessary, they will be carried out with the appropriate guarantees required by the applicable regulations.

What are your rights?

You may exercise your data protection rights at any time by the following means:

• Data Protection Channel enabled for this purpose: https://corporate-line.com/cnormativo-prat-roca
• Email of the Data Protection Officer: ROCAPLA@PRATROCA.COM
• You can also file a complaint with the Spanish Data Protection Agency (aepd.es)

The Data Protection rights you have are the following:

• Right of access: you have the right to know if the Entity is processing your personal data.
• Right to rectification: You have the right to request the correction of inaccurate data.
• Right to erasure: you have the right to request the deletion of your personal data when it is no longer necessary for the purpose collected.
• Right to restriction of processing: you have the right to request that the use of your data be restricted, which is maintained only for the purpose of defending claims.
• Right to object: you have the right to object to the processing of your personal data, except when there are legitimate reasons or they are necessary to defend claims.
• Right to portability: You have the right to receive the data in a structured and readable format to transfer it to another controller, whenever possible.
• Right to revoke consent: you have the right to withdraw the consent given at any time, except when the processing is protected by law or is necessary for a contracted service, without retroactive effect.
• Right not to be subject to automated decisions: You have the right not to be subjected to automated decisions based on personal data that significantly affect you, such as profiling.

You also have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) if you consider that the processing of your personal data does not comply with applicable regulations.

Data Protection Channel

The Entity has implemented a Channel, contemplating the highest commitment, rigor and professionalism in terms of security, experience, independence and knowledge in the treatment of the communications received.

The Channel, which includes use in the field of Data Protection, has been implemented through a web platform, developed and managed by an independent external expert, to provide and guarantee our previous commitments.

Through the Channel, you will be able to communicate and process the exercise of your Rights (see previous section) and communicate any indication or knowledge you have of possible security breaches, cyberattacks and/or possible breaches or irregularities with the Data Protection regulations and this Entity Policy.

The access data to the Canal are detailed at the beginning of this Policy.

Security and control measures

General

The Entity will process the personal data applying the appropriate technical, legal, organizational and security measures, in order to guarantee the confidentiality and integrity of the information it manages in accordance with the provisions of current regulations.

Channel

Through the Channel, you will be able to communicate and process the exercise of your Rights (see previous section) and communicate any indication or knowledge you have of possible security breaches, cyberattacks and/or possible breaches or irregularities with the Data Protection regulations and this Entity Policy.

Cybersecurity

As a specific and complementary concept to the above, the Entity applies cybersecurity measures to prevent and manage possible attacks and fraud by cybercriminals that threaten the privacy and protection of the data that our Entity processes and accesses within the scope of its activities and operations.

In this regard, we would like to warn that in the event of possible risk situations due to communications whose content and/or format generate doubts of authenticity, we recommend omitting them and contacting the Entity through the contact details indicated in this Privacy Policy.

Likewise, any request received from our Entity regarding changes in payment methods, requests for contact details or persons or confidential (non-public) information, bank and/or credit card details and/or other official data, should not be dealt with without the direct confirmation of our Entity by another alternative means.

We appreciate and need your collaboration with the communication and reporting of any notification in relation to this type of request and other possible situations of risk of cyberattacks in which our Entity may be used, as well as for any possible security risk that you may be aware of.

The website may use cookies or similar technologies. You can consult detailed information in the Cookies Policy available on the website.

Care and support

Interested parties may communicate to the Entity any questions about the processing of their personal data or interpretation of our Policy by contacting the Data Protection Officer (DPO) at the address indicated at the beginning of this Policy.