We at JESÚS OÑATE. SAU are committed to the protection of privacy and the correct use of the personal data that we process and that you provide us, both online (on this website and, where applicable, any of its sub-domains and microsites) and offline.
By accessing this website, using any of its services or providing us with your data, whether online or offline, we will understand this as a clear provision of your consent (when required) to process your data for the purposes indicated below.
2. Who is the data controller?
JESÚS OÑATE. SAU
Postal address: C/ Larrosoloeta Kalea 8, 48200, Durango (Biscay)
Email address: email@example.com
Telephone number: (+34) 946 20 18 00
3. How did we obtain your data?
- Obtained from the interested party.
If you are a client (current client or potential client) or a user of our website, you provided your data to us by requesting our products or services, whether online or offline, or by contacting us to ask for information. You also provided us with your data if you visited one of our premises in person.
By providing us with your data, you guarantee that you are qualified to do so, and that the information is true, up-to-date and does not infringe any contractual restrictions or third party rights. You are responsible for ensuring that your data and profile are correct and up-to-date. JESÚS OÑATE SAU cannot be held responsible for your failure to do so.You undertake not to impersonate other Users by using their registration data for the different services and/or contents of the website.
- Obtained automatically by visiting our website:
When you visit our website or any of our platforms (social media networks, mobile applications, etc.), we collect information through cookies and other website analysis and tracking technologies. In other words, data are sent from your browser to our servers to optimise our services and to improve your user experience. Such data may be automatically collected and stored by us or by third parties on our behalf. Please consult our cookies policy.
- Communication by a third party of data of the interested party.
It is possible that your details have not been provided to us directly by you, but that they have been provided to us by a third party who we work with to whom you have previously provided these details. These may include public registries such as the civil registry, commercial registry and the property registry; or other public administration registries such as our commercial or distributor network after providing your details to some of our salespeople, etc.
- Communication by the interested party of the data of third parties:
You must respect the privacy of other people’s data, taking special care when communicating or publishing their personal data. Only the owner of the data can authorise the processing of their personal data. The publication of third party data without their consent may infringe the right to honour, privacy or self-image of said third parties, in addition to data protection regulations.
4. What types of data do we process?
The categories of data that we process may include:
- Those obtained from the interested party: identification data (name and surname, Spanish tax ID no.), contact details (telephone number, postal address, email address, invoicing or delivery address), commercial and financial details (information about the products requested, the client’s order history and payment details e.g. bank, credit card, etc.) and details of online profiles (information, preferences and interests).
- Those obtained automatically by visiting our website: user’s IP address, the date and time of the visit, the URL of the site from which the user comes, the pages visited on our website and information about the browser user (type and version of the browser, operating system, etc.).
- Those communicated by a third party: identification data; personal data; data on social, academic and professional situation; financial, economic and insurance data; data on transactions of goods and services; and employment details.
Regarding data that have special protection: We do not process special categories of data
5. Why do we process your data?
The data that you provide us with, as well as those which are generated during the relationship that we maintain with you, can be processed for various purposes:
- If you are a current or potential client: to maintain contact and communication with you and to manage our contractual and/or commercial relationship, including after-sales services.
- If you are a user of our website or a sender or recipient of an email: to manage requests that you send us online and to get in contact with you.
- If you access our facilities as a visitor: to manage the access and control of visits
- To send you, via electronic communications, information about our activities, products and/or services similar to those being requested, including advertising and/or commercial communications in accordance with the provisions of art. 21 LSSICE 34/2002. If we already have a prior contractual relationship, we will send such communications on the basis of our legitimate interest. If we do not have a prior contractual relationship, we will only send you these kinds of communications if you authorise us to do so by marking the box that is expressly included for this purpose in the corresponding forms. The electronic communications that we send you will include, in the communication itself, the option to stop receiving them. If you choose this option, we will stop sending you this type of communication.
6. For how long will we store your data?
- General storage time
The personal data that you send us will be stored for the duration of the contractual, pre-contractual or commercial relationship and, once this has elapsed, for as long as the interested party does not request its deletion. Even when deletion is requested, we may store these data for as long as necessary, only processing the data in order to:
- Comply with the legal/contractual obligations to which we are bound,
- and/or for the legal periods foreseen for the prescription of any responsibility on our part,
- and/or for the exercise or defence of claims derived from the relationship maintained with the interested person.
In coordination with the previous criteria, the deletion of personal data either in computer records or on paper may be carried out, at the discretion of the organisation, depending on logistical needs and/or storage space that make it advisable to delete information or documentation.
- If you’ve sent your CV as part of a job application: we will store it until you ask us to delete it/for its validity period, so that we can contact you for selection processes.
- In the event of complaints issued via the complaints channel: the data of the person making the communication and of the employees or third parties included in the complaint will be stored in the complaints system, only for the time necessary, to decide on the appropriateness of initiating an investigation into the events being reported. In any case, three months after the data are entered they will be deleted from the complaints system, unless the purpose of their storage is to prove the functioning of the model for preventing crimes being committed by the legal person. Complaints that have not been acted upon may be stored anonymously. Once this period of 3 months has elapsed, the data may continue to be processed by the corresponding body, in accordance with Article 24.2 of the LOPDGDD, in order to investigate the events being reported, and will not be kept in the internal complaints information system itself.
7. What are the legal grounds for the processing of your data?
The legal grounds that legitimise us for the processing of your data may be diverse:
- Compliance with the existingcontractual or commercial legal relationship if you are already a customer, supplier, or participant in our activities. If you are a potential client or supplier, we are legitimised by our pre-contractual relationship.
- The provision of the requested data is compulsory as they are essential in order to formalise and/or maintain the contractual or pre-contractual relationship and to fulfil the legal obligations arising from it; if you do not provide them, we will not be able to provide the service arising from this relationship.
- Consent: your consent can also constitute legal grounds for processing if you have made a request or petition or if you have issued your consent for a specific purpose: For example, if you have entered our website; if you have sent us your CV; if you have visited our facilities; if you have provided your consent for the sending of commercial communications, etc. You unequivocally provide your consent when you send us your data, whether online or offline, with this contribution being deemed a clear affirmative act that expresses such consent.
The provision of the requested data is compulsory as it is essential to address your request; if you do not provide them, we will not be able to provide the requested service.
You can withdraw this consent at any time by sending us an email to firstname.lastname@example.org. Said withdrawal does not affect the processing of your data for the rest of the purposes described, but it may mean that we cannot answer your request.
- Complying with a legal obligation or regulation: such as those established in fiscal, tax, social security, occupational risk prevention, consumer and user regulations on the prevention of money laundering, criminal code (art. 31 bis: establishment of a complaints channel), etc.
- Our legitimate interest as an organisation also constitutes legal grounds for the processing of your data. As per article 47 of the GDPR, we hold an interest in:
- Informing you of our activities, products and/or services, including electronic communications
- If we already have a prior contractual relationship, we will send such communications on the basis of our legitimate interest. Otherwise, we will only send you this type of communication if you give us your consent by checking the option that is expressly included for that purpose in the corresponding forms.
- In any case, the indicated processing of your data is considered to be proportionate and has a minimum impact on your privacy, but your interests, rights or freedoms will always prevail over our legitimate interest. Therefore, if you do not want us to process your data for these purposes, please send us an e-mail to that effect to email@example.com, and we will abide by these wishes.
- Communicating your data, as per article 48 of the GDPR, to other companies from the group to provide the client with a comprehensive or specialised service requiring the intervention of interdisciplinary teams; or to use your data for internal administrative purposes including the processing of personal data pertaining to clients or employees.
8. To whom can we SEND your data?
You are hereby informed that the data you provide us with may be communicated to third parties for purposes directly related to legitimate functions of the transferor and transferee, such as:
- To banking entities: for the management of collections and payments.
- To our labour, accounting and tax consultancy: for the management of our accounting and invoicing, management of our workforce, and the rest of the organisation’s legal obligations.
- To our legal consultancy, for the provision of legal advice.
- To entities or bodies to whom we are legally obliged to communicate data: e.g. the Tax Administration
- To the Executive Service of the Committee for the Prevention of Money Laundering and Monetary Offences in order to report suspicious operations, as legally required to do so.
- To Notaries, Courts or Tribunals, Registers, Solicitors, Experts, etc.
- To insurance companies: for the management and insurance of commercial risks and, in the case of credit and surety insurance, to ensure the collection of operations or civil liability insurance.
9. International Data Transfer
We at JESÚS OÑATE. SAU might use service providers located outside of the European Union who may have access to your personal data for the provision of services that assist our activity (accommodation, housing, SaaS, remote backup, computer maintenance or support services, email managers, the sending of emails, email marketing, file transfers, etc.).
These companies may vary over time. However, we will always select companies who are bound by the Privacy Shield agreement that exists between the USA and the EU, or those from countries which are deemed to have a suitable level of protection i.e. those which undertake to abide by requirements that are equivalent to European data protection regulations.
In any case, by accepting this data protection policy you expressly and unequivocally authorise the communication of your data to said companies, knowing that this implies an international transfer of data to a country outside the European Economic Area, giving your unequivocal consent to said transfer.
10. Instant messaging applications.
- Use of WhatsApp instant messaging service
While this kind of instant messaging application can be useful in certain circumstances, please remember that the information that you publish online can be accessed by lots of people, both people you know and strangers, so there is a risk for your privacy and that of other people.
We suggest that you don’t send personal, private and/or intimate information that you want to keep confidential via this medium, as there are safer ways of doing it. We cannot be held responsible for the operation and availability of the service, as it is provided by unaffiliated third parties rather than ourselves.
11. What are your rights when you send us your data?
- Right of access: You may ask us which personal data we are processing and can even request a copy thereof.
- Right of rectification: You can ask us to rectify inaccurate personal data or to complete those which are incomplete, even by means of an additional declaration.
- Right of deletion (right to being forgotten): You can ask us to delete your personal data when: they are not necessary for the purposes for which they were collected; you withdraw your consent; when they have been illicitly processed; or to comply with a legal obligation.
- Right to the limitation of processing: You can ask us to limit the processing of your data. In this case, we will only store them for the exercise or defence of complaints.
- Right of opposition: You can oppose the processing of your data if said processing is based on the legitimate interest of the data controller or is for advertising purposes.
Once we have received any of the above requests we will respond within the legally established deadlines. You can lodge a complaint before the Spanish Data Protection Agency. If you would like more information about the rights that you can exercise, and to request templates for right exercise forms, you can visit the website of the Spanish Data Protection Agency: www.aepd.es.