Privacy Policy

Privacy Policy

1. Introduction

At Pato Garabatos, SL, we ensure the security and confidentiality of information and, more specifically, of personal data, not only of the users of the website, but of all those people who maintain any link or relationship with the entity in any of its areas, whether they are clients, suppliers, staff, etc.

In this sense, in compliance with the provisions of the regulations on data protection, that is, Regulation EU 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and the circulation of these data (RGPD) and Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), this policy is prepared, where we offer information related to the processing of personal data managed by the entity.


2. Data Controller

In terms of data protection, Pato Garabatos, SL, must be considered the Data Controller, in relation to the files/treatments it manages.


The identifying details of the owner of this website are listed below:

Duck Scribbles, SL

B32349524
Postal address: C/ Santo Domingo, N60, Xesta Shopping Center, Local 13, 32004, Ourense
Email address: info@joyeriasuyza.com
Telephone: 988 23 37 78

3. Purposes and legal bases

Completing the basic information on data protection provided through each of the data collection channels, additional information is provided below regarding the purposes and legitimizing bases of the following files or treatments:

Customers

The data will be processed for the following main purposes, the legal basis that legitimizes these treatments being the execution of a contract to which the interested party is a party (art. 6.1.b) RGPD), as well as compliance with legal obligations (art. 6.1 .c) GDPR):

Management and provision of the requested or contracted service or product.
Administrative management, which entails billing management, management of non-payment of fees, insurance processing.
Prevention of money laundering.
Sending commercial information.

In relation to the purchasing process, the user may register, thus being able to save their data for future purchases, or identify themselves only for the chosen operation. In both cases, the forms provided will indicate which data are necessary, indicating the mandatory field with an asterisk (*). Those who opt for the registration process will have a “Personal Area”, where they can manage, modify or update personal data, as well as delivery addresses.

These data will be used for the processing and management of commercial relations with clients and users, the execution of after-sales service and/or warranty of purchases made, as well as for sending information related to products and services by any means, including email or equivalent electronic means.

Commercial information: the entity proceeds to send information about products or services of its own entity similar to those previously contracted based on a legitimate interest, all in accordance with the provisions of article 20.2 of the LSSICE.

Staff

The data will be processed for the purpose of managing all services related to the field of human resources, which entails accounting, tax and administrative management, payroll management, training management and management of occupational risk prevention and time control, among others.

The legal basis that legitimizes the treatment is, in general terms, the execution of a contract to which the interested party is a party (art. 6.1.b) RGPD), as well as compliance with legal obligations (art. 6.1.c) RGPD).

Suppliers

The data will be processed for the purpose of managing the contractual relationship, which involves accounting, tax and administrative management and management of payment for services, among others. The legal basis that legitimizes this processing is the execution of a contract to which the interested party is a party (art. 6.1.b) GDPR), as well as compliance with legal obligations (art. 6.1.c) GDPR).

Web Users

Through the website, personal data is collected for various purposes, including:

- Contact section to raise questions, complaints, suggestions or claims
- Blog, to manage user participation in it.
- User registration and contracting section, said data will be processed to register the user in the private section of the website and facilitate and allow the contracting of products or services offered through the website.
- Analysis of browsing habits through analytical cookies and advertising cookies. (see Cookies Policy published on the website).

The legal basis that legitimizes the treatment is the consent of the interested party through electronic forms with an automated consent system.

Video surveillance

The images captured through the video surveillance systems installed at the company's headquarters will be processed in order to guarantee the security of the assets, facilities and people who access them. The legal basis that legitimizes the processing is that they are installed for the fulfillment of a mission carried out in the public interest (art. 6.1. e. GDPR). The data may be communicated to the security forces and judicial bodies, upon request.

Curricula

The company receives CVs through various channels, mainly in person or through the general corporate accounts, so that if they are CVs that may fit one of our candidacies, they are treated with the purpose of carrying out the necessary selection processes. However, if the CV does not fit or will not fit any of the positions in the company, it will be deleted or permanently destroyed.

The legitimate basis for processing is the express consent of the interested party, as it is the owner of the CV who voluntarily provides his or her personal data.

4. Transfers or communications of data

In order to manage certain services offered by the entity, it is necessary to allow access to certain data to third-party service providers contracted for this purpose. In this regard, the entity has signed the necessary data processing manager contracts and has given precise instructions to the different service providers or data processors to ensure the security and integrity of the data to which they have access as a result of the contracted service provision.

Apart from the above cases, your personal data will not be transferred to third parties, except in the cases indicated below:

Clients, staff and suppliers

The data may be communicated to the following groups of recipients:

Public administrations: in the event that it is required by virtue of a regulation, for example, the State Agency for Tax Administration, and to the rest of the competent tax or other authorities, in order to comply with the obligations imposed by current legislation.

Banking entities: for the management of collection and payment of services.

Commission for the Prevention of Money Laundering in cases established by law.


5. Data retention period

Completing the basic information on data protection provided through each of the data collection channels, additional information regarding the purposes and legal bases of the following files or processing is provided below:

Customers: the data will be kept until the end of the contractual relationship and will be kept, duly blocked, during the limitation periods of the liabilities that may be required. For example, taking into account the regulation of

Prevention of money laundering the retention period would be 10 years.

Personal: the data will be kept until the end of the contractual relationship and will be kept, duly blocked, during the limitation periods of the liabilities that may be required. For example, in the case of time recording, the data will be kept for a period of 4 years.

Suppliers: the data will be kept until the end of the contractual relationship and will be kept, duly blocked, during the limitation periods of any liabilities that may be required.

Web Users: the data will be kept as long as necessary to meet the indicated purposes.

Video surveillance: will be kept for one month.

CVs: data will be retained as long as the CV profile can fit one of our candidates, filtering and cleaning documents.


6. Revocation of consent

In those cases where the processing of personal data is based on consent, interested parties are informed of their right to withdraw their consent at any time, in a simple and free manner, by writing to the address of the data controller or through the following email address info@joyeriasuyza.com, attaching a copy of their NIF or equivalent document. The revocation of consent will not affect the lawfulness of the processing based on consent prior to its withdrawal.

7. Rights of interested parties.

Data protection regulations grant a series of rights to interested parties or data owners. These rights are available to interested parties and are the following:

Right of access: right to obtain information about whether your own data is being processed, the purpose of the processing being carried out, the categories of data being processed, the recipients or categories of recipients, the retention period and the origin of said data.

Right to rectification: right to obtain rectification of inaccurate or incomplete personal data.

Right to deletion: right to obtain the deletion of data in the following cases:
When the data is no longer necessary for the purpose for which it was collected
When the owner thereof withdraws consent
When the interested party opposes the treatment
When they must be deleted in compliance with a legal obligation
When the data has been obtained pursuant to an information society service based on the provisions of art. 8 section 1 of the European Data Protection Regulation.

Right to object: right to object to certain processing based on the data subject's consent.

Right to limitation: right to obtain limitation of data processing when any of the following situations apply:
When the interested party challenges the accuracy of the personal data, for a period that allows the company to verify the accuracy of the same.
When the processing is unlawful and the data subject opposes the deletion of the data.
When the company no longer needs the data for the purposes for which it was collected, but the interested party needs it for the formulation, exercise or defense of claims.

When the interested party has opposed the treatment while it is verified whether the legitimate reasons of the company prevail over those of the interested party.

Interested parties may exercise the indicated rights by contacting the entity in writing, sent to the following address: COMPANY EMAIL, indicating in the Subject line the right they wish to exercise.

In this regard, the entity will respond to your request as soon as possible and taking into account the deadlines provided for in the regulations on data protection.

Furthermore, it should be noted that the interested party or data owner may at any time file a complaint with the competent supervisory authority.

8. Security

The security measures adopted by the entity are those required in accordance with the provisions of article 32 of the GDPR. In this regard, the entity, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of natural persons, has established appropriate technical and organizational measures to ensure the level of security appropriate to the existing risk.

In any case, the entity has implemented sufficient mechanisms to:

a) Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
b) Restore the availability and access to personal data quickly, in the event of a physical or technical incident.
c) Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.
d) Pseudonymize and encrypt personal data, where appropriate.