DATA CONTROLLER

Who is the data controller?

  • Owner: HERRERO & ASOCIADOS, S.L. (hereinafter ‘Herrero & Asociados’).
  • Corporate domicile: Edificio Aqua. Calle Agustín de Foxá 4 - 10. C.P. 28036, Madrid.
  • Spanish Tax Identification Number (CIF): B-28865236.
  • Registry Information: Commercial Registry of Madrid in Volume 6.660, General 594, Section 4, Folio 10.698.
  • Telephone No.: (+34) 91 522 74 20
  • Fax No.: (+34) 91 522 62 49
  • E-mail: info@herrero.es.
  • E-mail of the Data Protection Officer: dpo@herrero.es.

PURPOSES FOR WHICH THE DATA SHALL BE PROCESSED AND TYPES OF DATA PROCESSED

With what purposes shall we process your personal data?

H&A shall process the User’s data for the following purposes:

1. To deal with enquiries, requests or suggestions put forth via the contact form and via corporate e-mail accounts.

2. To manage the contracting, invoicing and to guarantee the services contracted.

3. To manage the publication in our Blog of comments made by interested parties.

4. To access our clients’ private area.

5. To send electronic communications concerning news and updates of the goods and/or services contracted, unless stated otherwise or when the user objects thereto or revokes their consent.

6. To periodically send commercial information (newsletter) regarding services and news related to our professional activity, provided that the interested party provides us with the corresponding consent, and giving them the possibility of revoking the aforesaid consent at any time.

7. In the event of forwarding your CV or registering in any of the different employment offers that we may publish, we shall process your data with the purpose of assessing and managing your employment application and, where applicable, to conduct the necessary actions for the selection and hiring of personnel, in order to offer positions that are suitable to your profile. Unless stated otherwise, the provision of the requested data is necessary, and failure to provide the same shall mean that the selection process cannot continue.

8. To comply with the legally established obligations, as well as to verify compliance of contractual obligations, including the prevention of fraud.

9. Manage the implementation, processing and resolution of complaints made through the Whistleblower Channel.

What types of data do we process?

With regard to the foregoing purposes, H&A processes the following types of data:

  • Identification data: name, surnames, postal address, e-mail address, postcode, telephone number.
  • Academic and professional data: training/qualifications, professional experience, membership of professional bodies or associations, in the event of selection processes.
  • Metadata of electronic communications.
  • Commercial information.
  • Economic, financial and banking data.

In some cases the personal data requested is compulsory, and thus refusing to provide the same shall imply that it is impossible to provide the services contracted. These cases shall be indicated by the controller.

The user guarantees that the data provided is true, exact, complete and updated, being responsible for any damages or losses, direct or indirect, that may arise as a consequence of the breach of this obligation. In the event that the User provides third party data, they hereby declare to have the consent thereof, and undertake the commitment to forward thereto the information set forth in this clause, exempting H&A from any liability to this end. However, H&A may carry out verifications to confirm this, adopting the corresponding due diligence measures, in accordance with data protection legislation.

What is the legitimacy for processing your data?

1. The legitimacy for the processing of the data gathered from enquiries, requests or suggestions put forth via the contact form and/or via corporate e-mail accounts, resides in our own legitimate interest in providing a response to a potential client and in the consent given, which is a clear affirmative action on the part of the user whereby, when making an enquiry, they are authorising us to process their data solely and exclusively for the purpose of responding to the said enquiry.

2. For the management of the contracting of services, payments, invoicing and corresponding correspondence, the legitimacy resides on the execution itself of the contract.

3. The legitimacy to manage the publication in our Blog of comments resides in our own legitimate interests in knowing the opinions of interested parties and in the consent given, which is a clear affirmative action on the part of the user whereby, when writing the aforesaid comment, they are authorising us to process their data solely and exclusively for said purpose.

4. To access our clients’ private area the legitimacy resides in the user’s consent, granted when the created their account in the aforesaid private area, and in their contractual relationship with H&A.

5. To send electronic communications concerning news and updates of the goods and/or services contracted, the legitimacy for this processing resides in the legitimate interest of Herrero & Asociados to carry out said processing in accordance with the prevailing legislation.

6. To periodically send commercial information (newsletter) regarding services and news related to our professional activity, the legitimacy resides in the consent given by the user.

7. The legitimacy for the processing of data relative to the forwarding of CVs and registration in professional offers that we may publish, is based on the consent provided by the user that forwards their data.

8. For the processing of data in order to comply with legally established obligations, as well as to verify compliance of contractual obligations, including the prevention of fraud, the legitimacy resides, as indicated in the description of its purpose, in our compliance of a legal obligation.

9. Finally, for the management, processing and resolution of complaints made through the Whistleblower Channel, the legitimate basis is the express consent of the data subject, as well as the legitimate interest of the Controller.

For how long shall we store your data?

H&A shall store users’ personal data for as long as it is necessary for complying with the purposes for which said data was gathered, and while the consent granted has not been revoked. Subsequently, where necessary, the information shall be stored for as long as required for the purposes of covering potential liabilities.

With regard to the data provided in relation with employment offers for which you wish to apply, the data shall be stored for one year, as of the date of the last update. Once said period has elapsed, without any further updates, the data shall be erased, unless you state otherwise.

What security measures do we implement to protect your data?

H&A is committed to the protection of personal data, the privacy of users and cyber security, and thus to protect the different types of data set forth in this privacy policy, it shall adopt the necessary technical and organisational security measures so as to prevent the loss, manipulation, disclosure or modification thereof, such as the encryption of communications between the user’s device and the servers of H&A, perimeter security systems or proactive IDS/IPS systems, inter alia.

DATA DISCLOSURE

To whom may the data be disclosed?

The Data Controller contracts with third party processors in order to provide its services. With the exception of these entities, your data will not be disclosed to other third parties. If for any reason it is necessary to communicate such data to third parties, you will be informed in advance and, where appropriate, you will be asked for your consent and the purposes of the communication and the identity of the third party to whom the data will be communicated will be specified. 

All of the above, with the exception of those cases in which a legal requirement makes it necessary to communicate said data to a third party.

USERS’ RIGHTS

What are the rights of interested parties?

Persons who provide us with their data have the following rights in relation to such data:

  1. Right of access
  2. Right of rectification or deletion
  3. Right to restriction of processing
  4. Right to portability
  5. Right to object
  6. Right to withdraw consent

1. Right of access: Any person has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him/her are being processed and, if so, the right of access to the personal data.

2. Right of rectification: This is the right to obtain the rectification of personal data held by us concerning him/her.

3. Right of deletion: This is the right to obtain the deletion of your personal data.

4. Right to limitation of processing: This is the right for your data to cease to be subject to the relevant processing operations when one of the following conditions is met:

  • When you have exercised the rights of rectification or opposition and the Controller is in the process of determining whether the request is admissible.
  • If the data processing was unlawful, which implies the erasure of the data, but you do not wish your data to be erased by the Controller.
  • When the data are no longer necessary for processing, which implies the erasure of the data, but you wish the Controller to restrict the processing of the data and to keep them in order to be able to formulate, exercise or defend yourself against claims.

5. Right to portability: This is the right to obtain from the Data Controller, in the event of automated processing of your data, a copy of your data in a structured, commonly used and machine-readable format or to have this copy transmitted directly to the Data Controller indicated by you. Please note that this right does not apply to:

  • Data of third parties that you have provided to the Data Controller.
  • Data concerning you, but provided to the Data Controller by third parties.

6. Right to object: This is the right to object to the processing of your personal data. As far as the processing carried out by the Controller is concerned, you may object to the sending of commercial communications both from the Controller and from third parties.

These rights may be exercised by means of a written communication, accompanied with a copy of their official identification document, addressed to Herrero & Asociados, Edificio Aqua. Calle Agustín de Foxá 4 – 10. C.P. 28036, Madrid, to the attention of the Data Protection Officer. You may also contact us for this purpose via e-mail dpo@herrero.es.

Additionally, we inform you with regard to the possibility of filing a claim with the competent Supervisory Authority, in this case the Spanish Data Protection Agency, in particular, in those cases where you failed to obtain satisfaction in the exercise of your rights. You may contact the Spanish Data Protection Agency via telephone, 901 100 099 and 912 663 517, or visit it at C/ Jorge Juan, 6. 28001 – Madrid.

SECURITY MEASURES

The Controller guarantees to the user that the processing carried out complies with all the provisions of the aforementioned data protection regulations, GDPR and LOPDGDD, and that the data are processed lawfully, fairly and transparently in relation to the data subject and are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Likewise, the Controller guarantees that it has implemented appropriate technical and organisational policies to apply the security measures established by the GDPR and the LOPDGDD in order to protect the rights and freedoms of USERS and has provided them with the appropriate information so that they can exercise them.

ORIGIN AND VERACITY OF THE DATA

All the data collected comes from the interested party. The User, by accepting this Privacy Policy, declares and undertakes to guarantee the truthfulness and accuracy of the data provided, as well as being the legitimate owner of the same.

Likewise, the User undertakes to keep his/her data updated at all times, and to inform the Responsible without delay of any significant modification in relation to the information provided through the relevant forms on the H&A website.

In this sense, the User shall be solely responsible for the non-fulfilment of the aforementioned, exonerating H&A from any responsibility with respect to those data that the User has not previously communicated.