INDEX
1. Purpose of the Privacy Policy
2. Definitions
3. Identity of the Data Controller
4. Applicable laws and regulations
5. Principles applicable to the processing of personal data
6. Data processing activities carried out
7. Necessary and updated information
8. Personal data of minors
9. Technical and organizational security measures
10. Rights of the interested parties
11. Claims befare the Control Authority
12. Acceptance and changes in the Privacy
Policy
1.- PURPOSE OF THE PRIVACY POLICY
The purpose of this “Privacy and Data Protection Policy” is to publicize the conditions that govern the collection and processing of personal data by MYKONOS, making every effort to ensure the fundamental rights, honor and freedoms of the peo ple whose personal data is processed in compliance with the
regulations and laws in force that regulate the Protection of Personal Data according to the European Union and the Spanish Member State and, specifically, those expressed in the “Processing Activities” section of this Privacy Policy. Privacy.
Far all of which, in this Privacy and Data Protection Policy, users of the Website https://www.mykonosceramica.com/ are informed of all the details of interest regarding how these processes are carried out, far what purposes, that other entities could have access to your data and what are the rights of users.
2.- DEFINITIONS
«Personal data»: Any information about an identified or identifiable natural p~rson (“the user of the Website”); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements of identity physical, physiological, genetic, psychic, ecohomic, cultural or social of said person.
“Processing”: any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, súch as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication
by transmission, diffusion or any other form of authorization of access, collation or interconnection, limitation, suppression or destruction.
“Límítatíon of processing”: the marking of the personal data stored in order to limit their processing in the future.
“Profiling”: any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects related to professional performance, economic situation, health, personal preferences, interests , reliability, behavior, location or movements of said natural person.
“Pseudonymization”: the processing of personal data in such a way that they can no longer be attributed to a data subject without the use of additional information, provided that such additional information appears separately and is subject to technical and organizational measures designed to ensure that the personal data is not attributed to an identified or identifiable natural person.
“File”: any structured set of personal data, accessible according to certain criteria, whether centralized, decentralized or distributed functionally or geographically.
“Responsible for the treatment” or “responsíble”: the natural or legal person, public authority, service or other body that, alone orjointly with others, determines the purposes and means of the treatment; If Union or Member State law determines the purposes and means of the processing, the controller or the specific criteria for his or her appointment may be_ established by Union or Member State law.
“Data Processor” or “Data Processor”: the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller. “Recipient”: the natural or legal person, public authority, service or otherbody to which personal data is commun.icated, whether or not it is a third party. However, public authorities that may receive personal data in the context of a specific investigation in accordance with Uníon or Member State law shall not be considered recipients; the processing of such data by said public authorities will be in accordance with the data protection regulations applicable to the purposes of the process.
Third Party”: natural or legal person, public authority, service or .body other than the interested party, the data controller, the data processor and the persons authorized to process personal data under the direct authority of the data controller or data processor.
“Consent of the interested party”: any free, specific, informed and unequivocal expression of will by which the interested party accepts, either by means of a declaration ora clear affirmative action, the processing of personal. data that concerns him.
“Personal Data Security Breach”: any security breach that results in the accidental or unlawful destruction, loss, or alteration of personal data transmitted, stored, or otherwise processed, or the unauthorized communication of, or access to, such data;
“Genetic data”: personal data relating to the inherited or acquired genetic characteristics of a natural person that provide unique information about the physiology or health of that person, obtained in particular from the analysis of a biological sample of such person.
“Biometric data”: personal data obtained from a specific technical treatment, related to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of said person, such as facial images or dactyloscopic data.
“Health-related data”: personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveals information about their state of health.
“Main establishment”: a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of processing are taken in another establishment of the controller in the Union and the latter establishment has the power to enforce such decisions, in which case the establishment that has taken such decisions shall be deemed to be the main establishment; b) in the case of a data processor with establishments in more than one Member State, the place of its central administration in the Union or, if there is no central administration, the establishment of the processor in the Union where the processing is carried out. main processing activities in the context of the activities of an\establishment of the processor to the extent that the processor is subject to specific obligations under this Regulation. “Representatíve”: natural or legal person established in the Union who, having been designated in writing by the controller or processor in accordance with article 2 7 of the RGPD, represents the controller or the processor with regard to their respective obligatíons in under this Regulation.
“Company”: natural ar-legal person engaged in an economic activity, regardless ofits legal form, including companies or associations that regularly perform
4.- APPLICABLE LAWS ANO REGULATIONS
This Privacy and Data Protection Policy is developed based on the following regulations and data protection laws:
• Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 2 7, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data. Hereinafter GDPR.
• Organic Law 3/2018,.of December 5, Protection of Personal Data and Guarantee of Digital Rights. Hereinafter LOPD /GDD.
• Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce. Hereinafter LSSICE.
5.- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
The personal data collected and processed through this website will be treated in accordance with the following principles:
• Principle of legality, loyalty and transparency: All processing of personal data carried out through this Website will be legal and fair, making it completely clear to the user when the personal data concerning him/her_ is being collected, used, consulted or processed. The information regarding the treatments carried out will be transmitted in advance, easily accessible and easy to understand, in simple and clear language.
• Principle of limitation of the term of conservation: The data will be kept in a way that allows the identification of the interested parties forno longer than is necessary for the purposes of the processing of personal data.
• Principle of integrity and confidentiality: The data will be treated in such a way as to guarantee adequate security of personal data, including protection against unauthorized or illicit treatment and against accidental loss or damage, through the application of technical and organizational measures, appropriate
• Principle of proactive responsibility: The entity that owns the Website will be responsible for compliance with the principles set forth in this section and will be able to demonstrate it.
6.- DATA PROCESSING ACTIVITIES
Security measures SECURITY IN DATA AVAILABILITY
• Making regular copies of data on media and locations different from the original data.
SECURITY IN DATA INTEGRITY
• Systems to prevent and detect malicious software (antimalware)
• Registration and access control
• Files or offices under lock and key
• Secure remate connections
• Encrypted communications
• Incident management procedures
SECURITY IN THE CONFIDENTIALITY OF DATA
• Formalization of a commitment to the duty of
secrecy and confidentiality with all the parties involved in the life cycles of the data.
• Programmed blocking of session in the equipment
• Data transmission with security measures
• Equipment shutdown at the end of the day
• Clean tables policy
• Robust username and passwords, unipersonal and with periodic change management
OTHER MEASURES
• Periodic programming of audits and analysis of technical and organizational risks
• Recruitment of an external data protection support, advice and management service.
• Appointment of a data protection officer in the organization
• Availability of an IT and Compliance
department
• Request for guarantees and evidence of data protection regulatory compliance to service providers contracted by the organization
7.- NECESSARY AND UPDATED INFORMATION
All the fields that appear marked with an asterisk (*) in the Website forms must be filled in, in such a way that the omission of any of them could make it impossible far the services or information requested to be provided.
You must provide true information, so that the information provided is always updated and does not contain errors, you must notify the Treatment Manager as soon as possible, the modifications and rectifications of your personal data that are produced through an email to the address: mykonos@mykonosceramica.com.
Likewise, by” clicking” on the “I accept” button ( or equivalent) incorporated in the aforementioned forms, you declare that the information and data that you have provided in them are accurate and true, as well as that you understand and accept this Privacy Policy.
8.- DATA OF MINORS
In compliance with the provisions of article 8 of the RGPD and article 7 ofthe LOPD/GDD, only those over 14 years of age may grant their consent far the processing of their personal data in a legal manner by MYKONOS.
Therefore, children under 14 years of age may not use the services available through the Website without the prior authorization of their parents, guardians or legal representatives, who will be solely responsible far all acts carried out through the Website by them. minors in their charge, including the completion of the electro ni e forms with the personal data of said minors and the marking, where appropriate, of the boxes that accompany them.
9.- TECHNICAL ANO ORGANIZATIONAL SECURITY MEASURES
The Data Controller adopts the necessary organizational and technical measures to guarantee the security and privacy of your data, prevent its alteration, loss, treatment or unauthorized access, depending on the state of the technology, the nature of the data stored and the risks to which they are exposed. Among others, the following measures stand out:
• Guarantee the permanent confidentiality,
integrity, availability and resilience of treatment systems and services.
• Restare availability and access to personal data quickly, in the event of a physical or technical incident.
• Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the security of the treatment.
• Pseudonymize and encrypt personal data, in the case of sensitive data. ••
On the other hand, the Data Controller has made the decision to manage the information systems in accordance with the following principies:
• Principie of regulatory compliance: All information systems will comply with the regulations of regulatory and sectoral legal application that affect the security of information, especially those related to the protection of personal data, security of systems, data, communications and electronic services.
• Risk management principie: Risks will be minimized to acceptable levels and seek a balance between security controls and the nature of the information. Security objectives should be established, reviewed and consistent with information security aspects.
• Principie of awareness and training: Training, awareness programs and awareness
campaigns will be coordinated for all users with access to information, in terms of information security.
• Principie of proportionality: The implementation of controls that mitigate the
. security risks of assets will be carried out seeking a balance between security measures, nature and information and risk.
• Principle of responsibility: All members of the Data Controller will be responsible for their conduct in terms of information security, complying with the established standards and controls.
• Principle of continuous improvement: The degree of effectiveness of the security controls irnplemented in the organization will be reviewed on a recurring basis to increase the ability to adapt to the constant evolution of ris1< an d the technological environment.
10.- RIGHTS OF INTERESTED PARTIES
Current data protection regulations protect trie user in a series of rights in relation to the use given to their data. Each and every one of sucb rights are unipersonal and non-transferable, thar is, they can only be exercised by the owner of the data, after verifying their identity.
The rights of Website users are detailed below
• Right of access: It is the right that the user of the Website has to obtain confirmation of Whether or not the Data Controller is treating their personal data and, if so, to obtain information about their specific personal data and the treatment that the Data Controller streating.
Responsible for rhe Treatment has carried out or carries out, as well as, among others, the i•nformation available on the on.of saíd d ata and the recipients of the cominunicati0ns made or foreseen them.
• Right of rectification: lt is tne right that the user of the Website has to modify their persanal data that turns out to be m. accurate or, taking into account the purposes of the treatlhent, incomplete.
• Right of deletion: lt is usually known as “right to be forgotten”, and it is the right that the user of the Website has, provided that the current legislation does not establish otherwise, to obtain the deletion of their personal data when these are no longer necessary for the purposes for which they were collected or processed; the User has withdrawn their consent to the treatment and this does not have another legal basis; the User opposes the treatment and there is no other legitimate reason to continue with it; the personal data has been unlawfully processed; the personal data has been obtained as a result of a direct offer of information • society services to a child under 14 years of
age. In addition to deleting the data, the Data Controller, taking into account the available technology and the cost of its application, will take reasonable measures to inform other possible controllers who are processing the personal data of the interested party’s request to delete any link to those personal data.
• Right to data limitation: It is the Website User’s right to limit the processing of their personal data. The U ser of the Website has the right to obtain the limitation of the treatment when he contests the accuracy of his personal data; the processing is unlawful; the Data Controller no longer needs the personal data, but the U ser needs it to make claims; and when the U ser of the Website has opposed the treatment.
•• Right to data portability: In those cases where the processing is carried out by automated means, the Website User shall have the right to receive from the Data Controller their personal data in a structured, commonly used and mechanically readable forrnat, and to transmit them to another data controller. Whenever technically possible, the Data Controller will transmit the data directly to that other Controller.
• Right of opposition: It is the right of the User to not carry out the processing of their personal data or to cease the processing thereof by the Data Controller,
Right not to be subject to automated decisions and/or profiling: The Website User’s right not to be subject to an individualized decision based solely on the automated processing of their personal data, including profiling, existing except that the current legislation establishes otherwise.
• Right to revoke consent: lt is the Website User’s right to withdraw, at any time, the consent given for the processing of their data.
The Website user can exercise any of the aforementioned rights by contacting the Data Controller and prior identification of the User using the following contact information:
• Responsible: MIKONOS MOSAIC S.L.
• Address: Pol. Ind. El Colomer, C/ Melilla, 1.
12200, Onda (Castellón), Spain
• Telephone: 964914091
• E-mail: mykonos@mykonosceramica.com
• Website:
11.- RIGHT TO CLAIM BEFORE THE CONTROL AUTHORITY
The user is informed of his right to file a claim with the Spanish Data Protection Agency if he considers that an infringement of data protection legislation has been committed regarding the processing of his personal data. Control authority contact information:
Spanish Data Protection Agency
Email: info@aepd.es
Telephone: 912663517
Website: https://www.aepd.es
Address: C/. Jorge Juan, 6. 28001, Madrid
(Madrid), Spain
12.-ACCEPTANCE AND CHANGES IN THE PRIVACY POLICY
It is necessary that the user of the Website has read and agrees with the data protection conditions contained in this Privacy Policy, as well as accepting the processing of their personal data so that the Data Controller can proceed with it in the manner, deadlines and purposes indicated.
The Data Controller reserves the right to modify this Privacy Policy, according to its own criteria, or motivated by a legislative, jurisprudential or doctrinal change of the Spanish Data Protection Agency. The changes
or updates made to this Privacy Policy that affect the purposes, retention periods, data transfers to third parties, international data transfers, as well as any right of the U ser of the Website, will be explicitly communicated to the user.
Version of July 05, 2022