Please read it carefully. Thank you.
INFORMATION ON DATA PROTECTION
1. Brigitta Tima (hereinafter Data Controller) respects the privacy of all those persons whose personal data it controls and is committed to the protection of personal data. On the one hand with regard to this intention on the other for the compliance with the Regulation (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (here in after: GDPR) which shall be applied obligatory from 25 May 2018 the Data Controller created this information on data protection.
2. The Data Controller issues this Information in order to make the Interested Parties understand the way in which the Data Controller processes their personal data and to understand their rights related to data processing.
3. The Data Controller pursuant to Article 13 of the GDPR provides the following information:
3.1. Company name: EXIT/SALIDA
3.2. Registered office: 28004 Madrid, Calle Jesús de Valle, 32
3.3. Website: https://lasalida.net/
3.4. E-mail: email@example.com
3.5. Data Protection Officer: the data protection officer pursuant to Article 37 of the GDPR is not obliged to appoint a data protection officer.
3.6. Data protection requests: if you had any request or question regarding the data processing you may send your request via post to the address indicated in Section 4.2 or by electronic means to the e-mail address: firstname.lastname@example.org We send our reply without delay but no later than 30 days to the address requested by you.
4. The purpose of the intended processing of personal data, and the legal basis of the data processing:
4.1. The purpose of data processing:
▪ Controller wants to help online visitors get in touch with the Controller easily with their questions and remarks (https://lasalida.net/) and make possibility for the visitors to place their order in the website.
Controller requires some basic personal data from those, who fill out this form:
4.2. The legal basis of the processing of personal data:
the consent of the data subject according to point a) paragraph (1) Article 6 of the GDPR, which consent shall especially cover their possible retention.
5. The recipients of personal data, and the categories of the recipients:
The Data Controller shall not provide personal data with the recipient specified in Article 4 (9) of the GDPR.
6. The period for which the personal data is stored, and the criterion to define such period:
6.1. The data requested from the clients shall be processed by the Data Controller until the data subject exercises his/her right to data erasure, data restriction and data portability pertaining to his/her personal data.
7. The categories of personal data concerned:
8. The rights of the data subject:
8.1. Right of access by the data subject
8.1.1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and all significant information on the data processing, namely:
● the purposes of the data processing;
● the categories of personal data concerned;
● the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
● the envisaged period for which the personal data will be stored;
● the right to rectification, erasure or restriction of processing of personal data or the right to object;
● the right to lodge a complaint with a supervisory authority;
● information on data sources;
● the existence of automated decision-making, including profiling,
● meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
● Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
8.2. Right to rectification:
8.2.1. The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data and the completion of incomplete data.
8.3. Right to erasure
8.3.1. The data subject shall have the right to obtain from the controller upon his/her request the erasure of personal data concerning him or her and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
● the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
● the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
● the data subject objects to the processing, and there are no overriding legitimate grounds for the processing
● the personal data have been unlawfully processed;
● the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
● the personal data have been collected in relation to the offer of information society services.
8.4. Right to restriction of processing:
8.4.1. Upon the request of the data subject the controller restricts the processing where one of the following applies:
● the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
● the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
● the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
● the data subject has objected to processing; in this case the restriction is pending the verification whether the legitimate grounds of the controller override those of the data subject.
8.5. Right to data portability:
8.5.1. The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller.
8.6. Right to object:
8.6.1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her or to object to the processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions.
8.6.2. In case of objection the data controller shall no longer process the personal data unless the processing is justified by such compelling legitimate grounds which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
9. Security of processing
9.1. The data controller for the processing of personal data selects and operates the information devices in the course of the provision of service in a way that
9.1.1. the processed data is available for the ones authorized to do so (availability);
9.1.2. the authenticity and the authentication of the processed data is secured (authenticity of data processing);
9.1.3. the consistency of the processed data is verifiable (integrity of the data);
9.1.4. the processed data is protected against unauthorized access (confidentiality of the data).
9.2. The data controller protects the data by adequate measures in particular against unlawful access, alteration, transfer, disclosure, erasure, or destruction and against accidental destruction, damage, in addition against becoming inaccessible due to the alteration of the applied technique.
9.3. The data controller in order to protect the sets of data processed electronically in its different records, secures by means of an adequate technical solution that the stored data, unless it is enabled by the law, shall not be directly linked and assigned to the data subject.
9.4. The data controller in view of the current technological development shall ensure the protection of the data processing’s security by way of such technological, organizational, and structural measures, which provides the adequate protection level against the risks which emerge in relation to the data processing.
9.5. Data Controller informs the data subjects that the electronic messages transmitted through the internet, regardless of the protocol (e-mail, web, ftp, etc.), are vulnerable to such network threat which result to improper activity or disclosure, alteration of information. In order to protect from such threats the data controller shall take all reasonable precaution measures to the best of its ability. It shall observe the systems in order to record all security deviations and to be able to provide evidence in case of all security matters. In addition, the system observation enables the monitoring of the applied precaution measures’ efficiency.
10. Proceeding rules in the event of the data subject’s request
10.1. The controller shall provide information on action taken on a request (application) to the data subject without undue delay and in any event within one month of receipt of the request. Where necessary, taking into account the complexity of the request and the number of the requests, this time limit may be extended by two months.
10.2. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
10.3. The data controller provides the requested information and communication free of charge. Where the request from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller taking into account the administrative costs of providing the information or communication or taking the action requested may charge a reasonable fee or refuse to act on the request.
10.4. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means, unless otherwise requested by the data subject.
11. Damages and compensation:
11.1. Any person who has suffered material or non-material damage as a result of an infringement of the data protection regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
11.2. A processor shall be liable for the damage caused by processing only where it has not complied with obligations provided by the law specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
11.3. A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
12. Laws on which the data processing is based:
12.1. The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
12.2. Act V of 2013 on the Civil Code
12.3. Act CXII of 2011 on Informational Self-Determination and the Freedom of Information (“Privacy Act”)
Data controller informs the data subjects, that according to the legal view and the legal interpretation of the controller from the 25th of May 2018 the provisions of the GDPR Regulation shall prevail primarily, particularly in the event that the sectorial laws referred to in this section in the individual case(s) contain a provision contrary to the guidance of the GDPR. In the event that the referred sectorial laws govern matters that are not governed by the GDPR then the referred sectorial laws shall prevail. The sectorial laws shall also prevail in the case when they provide stricter requirements in order to protect personal data than the GDPR.