As you may surely know, the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the Protection of Personal Data (hereinafter, GDPR) and the Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Safeguard of Digital Rights (hereinafter, LOPDGDD), underscores the need to strengthen the levels of personal data protection and security.
We would like to inform you that we meet all the requirements provided by such law, and that all the data under our responsibility are being processed in accordance with the legal requirements, observing the appropriate security measures that guarantee the confidentiality thereof.
Who is the data controller of your data?
Delfin Tubes, S.A.
C/Nicolás Redondo Urbieta, 414
For which purposes do we process the personal data you provide us?
- Response to queries and requests: Management of Replies to Queries, Complaints or Incidents, Requests for technical or corporate Information, Resources and/or Activities.
- Contact with the data subject through the communication methods provided (email, postal address, and/or telephone) in order to manage the queries received through the channels available for such purpose, to manage notices and to coordinate actions derived from the requested services carried out by people related to DELFIN TUBES and/or data processors related thereto for the legitimate and/or consented purposes.
- Offer and Commercial Management of products and services.
- Internal use, execution of operations and administrative, economic and accounting management derived from the relationship with the data subject (commercial and/or contractual relationship).
- Management of the Contracting and provision of the organisation’s services as well as compliance with the contractual and regulatory requirements related to the organisation or requested operation.
- Management of the Contact with the data subject through the communication methods provided (email, postal address, and/or telephone) for the purposes of arranging meetings and visits, managing the queries received through the channels available for such purpose, managing notices and communications related to the services (sending of technical documentation — studies, technical dossiers — administrative documentation, invoices, payment and collection management), coordinating activities, requesting authorisations to use premises, solving incidents and coordinating the actions derived from your requested services carried out by people related to the organisation and/or data processors contracted by the latter for the legitimate and/or consented purposes.
- Sending of commercial communications about products or services similar to those contracted by the client with whom there is a previous contractual relationship, legitimised under article 21 of the Act on Information Society Services (LSSICE).
- Quality control on our products and services, process and activity Quality management, as well as assessment of the satisfaction/perception and performance results of the stakeholders of the organisation.
- Submission of supporting evidence for campaigns, activities, promotions, tenders, projects and subsidies in which the organisation takes part.
- Reference to executed projects in order to prove technical solvency when requested in authorisations, offers, subsidies or R&D&i projects.
- Authorisation to use your image in graphic reports on projects or project supporting reports.
- Management of Regulatory Compliance (applicable regulations and internal mandatory rules): Investigation, monitoring and audit of the controls established for crime prevention, including the possibility of establishing access controls to the premises and controls related to the use of the footage captured by the video surveillance systems for the investigation of the accidents and/or incidents that may occur as well as regulatory breaches, crimes or unlawful behaviours.
- Assessment of Financial Solvency and Creditworthiness in order to confirm the economic viability of the requested operation, as well as, where appropriate, the communication and management related to the claim of the amounts agreed for the provision of the service. Financial, administrative and accounting management of credit lines (umbrella insurance that may involve credits, guarantees, securities, currencies and foreign trade operations...).
- Statistical or historical purposes that allow us to improve the commercial strategy of our products and services.
- The management and audit of the organisation’s process and premises regulatory compliance and management systems.
- Dissemination of our best practices regarding the services we have provided you and/or the publishing and/or communication of graphic material that may include the image of the data subject and/or employees in his/her charge in corporate media (for example and not by way of limitation, website, social media, newsletters, business report, articles, presence in the media) and/or other public media (sectoral publications and/or reports in written press, TV, etc.) as well as the dissemination of business performance, promotion and dissemination, campaign management, activities and events and/or evidence for technical solvency when requested to provide supporting evidence in bidding processes, technical offers, campaigns, activities, promotions, tenders, projects and subsidies in which the related companies and/or group companies take part, provided you have given your unequivocal consent.
- The contact and sending of personal communications, invitations to events and gifts aimed at clients, to greet you on special dates, to conduct quality and satisfaction surveys, and to inform you on a regular basis about news and corporate information, information on the publishing of subsidies, tenders, fees, offers, catalogues and promotions of products and services of the organisation and companies related to DELFIN TUBES* for the purpose of assessing the quality of our processes and providing you with product and service offers of your interest by telephone, written or electronic means through the communication channels provided, insofar as you have given your unequivocal consent.
- Disclosure to the other related companies, belonging to the sectors of design, development, manufacture and marketing of products for the oil, gas, chemical, energy generation and heat recovery system industry and/or official after-sales services, the updated list of which is shown on the official website of the brand, for contacting you and sending you personal communications, invitations to events and gifts aimed at clients, conducting opinion surveys, and informing you on a regular basis about news, products and/or services, as well as corporate news and information and offers and promotions of products and services by telephone, written or electronic means; such information may be adjusted to your personal profiles, insofar as you have given your unequivocal consent.
- Management of registrations for conferences and events organised by DELFIN TUBES.
- Management of subscriptions to the DELFIN TUBES newsletter.
- The international transfer of your data insofar as it may be strictly necessary for fulfilling the management of a project in a country outside the EU or due to the location of the processing systems of processing management applications (we inform you that part of the information processing systems of the brand may be located in countries outside the EU).
- Image/audio recording by using devices (mobile phones, telephones, audio and video systems, players, etc.) is strictly forbidden inside the premises of DELFIN TUBES, unless it has been explicitly and formally authorised by the Management. Only the devices expressly authorised by the company’s Management are permitted. The company may make video recordings in the premises with the aim of improving performances, productivity, studies on methods and times and safety and fire protection measures, without prejudice to what is set in the following paragraph about the security of the premises and the control of the compliance with the labour obligations.
- Management of visitors and video surveillance of the premises as well as security and regulatory compliance therein, investigation of potential incidents or accidents, management of related insurance and management of warnings or disciplinary measures resulted from breaches of security rules.
- Consulting the advertising exclusion systems that may affect you, excluding from the processing the data of the concerned parties who have expressed their objection or refusal thereto by consulting the advertising exclusion systems published by the relevant supervisory authority.
- Related management, including its prior disclosure, that may be derived from the development of any corporate structural modification operation or any allocation or transfer of business or business activity branch, provided the processing is required for the success of the operation and guarantees, where appropriate, continuity in the provision of services.
- Inclusion in the reporting channel systems of data associated with the reporting (even anonymously) of the perpetration of acts and behaviours, within the organisation or in actions of third parties contracted by the latter, that may be against the applicable general or sectoral regulations.
- Internal use, commercial and relational Management, Execution of transactions and administrative, economic and accounting Management derived from the relation with the supplier/partner, requests for certificates and inspections that may include personal data, curriculum vitae of assigned technical staff (for example, in international inspections) to guarantee technical solvency.
- Time control and/or on-site or attendance control and monitoring through access recording, video surveillance and confirmation of operational performance, both in the organisation’s premises and in third parties’ in which the data subject carries out his/her duties as regards the provision of services to DELFIN TUBES (surveillance and control to verify the supplier’s/partner’s compliance with the contractual obligations).
- To prove the Organisation’s Regulatory Compliance to a third party requiring so: Disclosure to third parties of those data concerning the data subject that are required by the former in order to comply with the internal rules of such third parties and/or for the management of access to premises. To provide the contracted or contracting entity with data regarding access hours, performance of the service or incidents that may occur during the provision of the service. To provide professionals’ CV to third parties that may require so to prove their technical solvency for projects or tenders. Refusing to provide such information will result in the restriction of the data subject’s participation in the projects in which such information is a prerequisite for their execution. In the cases in which the data subject unequivocally consents to it, we may disclose information/documentation requested by the third party that is not explicitly included in the established regulatory or legal obligations, but in the internal rules of the third party.
- To verify the employees’ compliance with their obligations and work duties under article 20.3 of the Workers’ Statute, which empowers the employer to take surveillance and control measures for such purpose (controls regarding the use of images captured by video surveillance systems for the investigation of the accidents and/or incidents that may occur as well as breaches of work rules, crimes or unlawful behaviours).
- Health and Safety Management (occupational health and safety management and safety monitoring) as well as compliance assessment.
- And provided you have given your consent, for the purposes described in the additional consents that you have unequivocally given us through formal means and/or by marking the boxes enabled in the data protection clauses contained in the form or basis document that has governed the relationship with DELFIN TUBES, according to the contact channel.
Insofar as you have given us your CV, the purposes and uses for which we process your data are:
- Internal use for recruitment processes, for including you in the Job Bank and for offering and managing potential job offers or partnership proposals that may arise.
- Management of competence assessment of candidates and applicants in recruitment and/or internal promotion processes
- Use related to the processing of the application and your inclusion in the Job Bank of companies related to DELFIN TUBES* for the purposes of offering and managing potential job offers or partnership proposals that may arise, insofar as you have unequivocally consented to it. Should you not give your consent to such purpose, we would not be able to proceed to accept your application, as the management of candidates is carried out through the mentioned job bank.
- Use of your CV in the technical offer for projects in which your recruitment is being assessed, provided you have unequivocally consented to it.
- Management of Regulatory Compliance (applicable regulations and internal mandatory rules): Investigation, monitoring and audit of the controls established for crime prevention, including the possibility of establishing access controls to the premises, to the information and documentation printing systems for all the personal data under the responsibility of the organisation and thus, to all the information systems of such entity as well as controls related to the use of the footage captured by the video surveillance systems for the investigation of accidents and/or incidents that may occur as well as breaches of labour rules, crimes or unlawful behaviours.
- Management of the Contact with data subjects through the provided communication channels (email and/or telephone) in order to manage notices and coordinate actions for the management of the recruitment process carried out by individuals connected with the companies related to the trade name DELFIN TUBES* and/or third parties contracted to carry out recruitment processes for filling vacancies or positions.
- Taking the tests and/or eligibility certificates that may be requested for recruitment purposes, which will be optional, will be considered the expression of the user’s consent to the inclusion of the provided data as well as, possibly, their assessment, in the database of the Job Bank of the companies related to DELFIN TUBES* and to their automated processing for the purpose of carrying out such recruitment process. As a consequence of the access to the premises that may be required to take such tests and/or eligibility certificates, processing associated with the security of such premises may be carried out by access recording and/or video surveillance systems.
- Management of visitors and video surveillance of the premises as well as security and regulatory compliance therein, investigation of potential incidents or accidents, management of related insurance and management of warnings or disciplinary measures resulted from breaches of security rules.
(*) The updated list of companies related to DELFIN TUBES is available at www.delfintubes.com
How long do we retain the provided data?
- The data provided will be retained for as long as the lawful processing relationship is maintained and the data subject does not request their deletion once the relationship with the data subject has been formally concluded in writing, except for their retention for the filing, exercise or defence against complaints by the Data Controller or for the purposes of protecting the rights of another natural person or legal entity and/or for legal obligation reasons.
- In any case, upon the conclusion of the relationship, the data subject’s data will be duly blocked, according to the provisions set in the current data protection regulation.
- Accounting and Tax Documentation - For Tax purposes: Accounting books and other mandatory record books under the appropriate tax regulations (personal income tax, VAT, corporate tax, etc.) as well as documentary evidence supporting the entries registered in the books (including computer programmes and files and any other receipt that has fiscal significance) must be kept, at least, for the limitation period for Tax Offences - General Tax Law and Criminal Code, Limitation of offences 10 years.
- Accounting and Tax Documentation - For Mercantile purposes: Books, letters, documentation and receipts concerning your business - Commercial Code-6 years.
- Solvency files: Data regarding officially recognised, due and enforceable and unclaimed debts (Article 20 of the LOPDGDD) - for as long as the breach exists, with a maximum limit of five years from the due date of the monetary, financial or credit obligation - 5 years.
- Documentation on Occupational Health and Safety Management - Documentation on information and training provided to workers. Files regarding occupational accidents or illnesses - Act on Infringements and Penalties in the Social Legal System - 5 years.
- The footage/sound captured by the video surveillance systems will be erased within a maximum period of one month from their capture, except where they must be retained to prove the perpetration of acts against the safety of people, goods or premises (in such case, the footage will be put at the disposal of the relevant authority within 72 hours maximum from the moment the existence of the recording is known), or where they are related to criminal offences or serious or gross administrative offences on public security matters, to an ongoing police investigation or to a current judicial or administrative procedure (Instruction 1/2006, of 8 November of the AEPD on the processing of personal data for surveillance purposes through camera or video camera systems, and article 22 of the LOPDGDD) - 30 days.
- Data included in automated processing systems created to control access to buildings - Instruction 1/1996 AEPD on automated filing systems established for the purpose of controlling access to buildings - 30 days.
- The data processed with regard to the legal guarantee will be retained for the validity of the legal guarantee and, once the validity thereof has expired, for the period in which a legal or administrative complaint may be lodged concerning the legal guarantee.
- The data of those filing a report and employees’ and third parties’ will be retained in the report system in order to decide about the appropriateness to initiate an investigation on the reported events, and, subsequently, to be used as evidence for the operation of the model to prevent crimes by legal entities, pursuant to the provisions set in article 24 of the LOPDGDD.
- The data processed for sending commercial communications will be retained until the granted consent is withdrawn.
- The data related to candidates who provide their CV will be retained for the calendar year associated with the date on which it has been received (except in the cases in which the candidate is recruited, in which case, they will be included in the Human Resources data processing system of the contracting organisation) as well as for the periods provided by the law for the exercise or limitation of any liability action resulted from a contractual breach by the concerned party or the Organisation.
- Therefore, the data will be retained for as long as the commercial relationship is in effect, according to the retention periods set in the previously mentioned current regulation, as well as for the legal or contractual periods envisaged for the exercise or limitation of any liability action for contractual breach by the data subject or the Organisation (the Civil Code sets a 5-year period to bring a civil liability action, starting from the date on which the obligation may be enforced).
Which is the legitimation for the processing of your data?
- The legal basis for the processing of your data is the fulfilment of the request submitted by you. The data requested are necessary for the proper provision of the service.
- The execution of a contract, request, offer, order and/or commercial contract, for which the provided data will be disclosed to the Brand manager in order to properly meet, where appropriate, the guarantees and responsibilities of the products and services supplied by it.
- To comply with a legal obligation: Administrative, mercantile, tax, fiscal, accounting, civil and financial regulations, current laws on labour, occupational health and safety management (coordination of business activities) and social security matters and laws on the protection of consumers and users as well as the regulation inherent to the contracted operation and the regulation associated with the industry.
- To meet a legitimate interest of the Data Controller: Data processing as part of a commercial relationship and/or contract, which may be required for its maintenance or performance; data transfers within corporate groups for internal administrative purposes; direct marketing; fraud prevention; cases of legitimate interest in which the Data Controller may be the damaged party and the processing and disclosure to third parties of the breaching party’s data may be required to manage regulatory compliance and the defence of the Data Controller’s interests; for video surveillance purposes as a legitimate interest of the organisation in the protection of its assets; the legitimate interest of direct marketing envisaged by the LSSICE (sending of commercial communications about products or services similar to those contracted by the client with whom there is a previous contractual relationship) and in the cases of legitimate interest envisaged in LOPDGDD: Article 19. Processing of contact data and data of individual employers; Article 20. Credit information systems; Article 21. Processing related to the execution of certain business operations (corporate restructuring or business transfers) Article 22. Processing for video surveillance purposes; Article 23 Advertising exclusion systems; Article 24 Internal Reporting Systems.
- Security and cases of legitimate interest in which the Data Controller may be the damaged party and the processing and disclosure of the breacher’s data to third parties may be necessary in order to manage regulatory compliance and the defence of the Data Controller’s interests.
- Article 20.3 and 4 of the Royal Legislative Decree 1/1995, of 24 March, passing the consolidated text of the Workers’ Statute Act: The employer may take the surveillance and control measures he/she may deem most appropriate to verify the employees’ compliance with their obligations and work duties, duly taking into consideration, when adopting and applying them, their human dignity, and taking into account the actual capacity of disabled employees, where appropriate.
- In the case of data of candidates who provide their CV, the legitimate basis for the processing is the compliance with the data subject’s request to be included in the job bank through the self-proposal of the candidate by sending his/her CV through the contact channels of the organisation and/or the recruitment companies contracted for the selection of candidates for filling vacancies or positions, as well as meeting a legitimate interest of the Data Controller: video surveillance purposes as the organisation’s legitimate interest in the protection of its assets, fraud prevention, and cases of legitimate interest in which the Data Controller may be the damaged party and the data processing and disclosure of data breaches to third parties may be necessary in order to manage regulatory compliance and the defence of the Data Controller’s interests.
- The consent unequivocally given by the data subject through formal means and/or by marking the boxes enabled for such purposes in the data protection clauses contained in the basis document that has governed the commercial relationship according to the contact channel.
To which recipients may your data be disclosed?
- Organisations or individuals directly related to the Data Controller for the provision of services linked to the processing purposes: Clients that contract services, Subcontracted Entities for the execution of works/services subject matter of the contract with the client, Distributors, partners, commercial agents and other related companies or group companies, commercial Partners, Companies related to the management of the transport of our products, Advertising/Marketing Agencies, Legal Advisers, Tax Advisers, Accounting Advisers, Collection Management and Credit Insurance Entities, Management and/or Regulatory Compliance Auditors.
- Parent company in Italy.
- Subsidy-granting entities for the purposes of project supporting evidence.
- Companies related to DELFIN TUBES*, insofar as you have given your consent.
- Brand Manager for the purposes derived from the contractual relationship (guarantees and responsibilities regarding the specified item and the products and services it supplies) and, in case you have given your consent, for the purposes described in the additional consents.
- Management bodies.
- Organisations or individuals directly contracted by the Data Controller for the provision of services related to the surveillance purposes of the processing: maintenance of video surveillance systems and security companies, as well as the owner of the premises, based on the legitimate interest in the protection of the assets owned thereby.
- Insurance Agents and Insurance Companies: Insurance underwritten by the organisation in case of incidents.
- Solvency assessment entities for the purpose of assessing the data subject’s creditworthiness when required by payment or financing terms.
- Bodies or organs of the Public Administration with competence on the matters object of the processing purposes: Spanish Tax Agency (AEAT)
- Financial entities: Direct debit of receipts and/or management of collection of bills and other payment instruments.
- Security Forces and Bodies: Insofar as a grounded access right is required in the investigation of a regulatory non-compliance.
- Compliance Reporting Channel (The reports on breaches of regulations and the code of conduct are transmitted to the Regulatory Compliance Unit).
- Representatives of Workers/Health and Safety Coordination, external Auditors: In compliance with R. D. 171/2004 - Proof of delivery of risks by Coordination of Business Activities.
- Insurance entities: In case of loss, incident or accident, data are provided to insurance entities for the investigation of the event in order to assess the extent and coverage of the insurance premium underwritten by the Data Controller.
- In the case of data of candidates who provide their CV, the potential recipients may be also companies related to DELFIN TUBES*, Organisations or individuals directly contracted by the Data Controller for the provision of services related to the processing purposes: Temporary Employment Agencies and third parties contracted to carry out recruitment processes for filling vacancies or positions in companies related to DELFIN TUBES*.
- Compliance Reporting Channel (The reports on breaches of regulations and the code of conduct are transmitted to the Regulatory Compliance Unit): The access to the data contained in these systems will be exclusively limited to those who, integrated or not in the entity, perform internal control and compliance duties, or to the data processors who are occasionally designated for such purpose. Nevertheless, their access by other people, or even their disclosure to third parties, will be lawful where it is necessary for adopting disciplinary measures or processing the judicial proceedings that may be appropriate.
- Others: We may carry out international transfers of your data insofar as it is strictly necessary to fulfil the management a project in a country outside the European Union (entities related to the import/export of goods: Logistics agents, Customs...) or due to the location of the processing systems of the processing management applications (we inform you that part of the information processing systems of the brand may be located in countries outside the EU. We recommend you to visit the privacy policies of the brand).
Under which guarantees are your data disclosed?
- Data are disclosed to the third parties that prove to be equipped with a Personal Data Protection System in compliance with the current laws.
- With the organisations to which international data transfers may be done, we sign the standard contractual clauses on data protection approved by the supervisory authorities.
Which are your rights?
- You are entitled to obtain confirmation as to whether we are processing personal data that concern you or not.
- Data subjects are entitled to access their personal data and to request the rectification of inaccurate data or, where appropriate, their erasure where, among other reasons, the data are no longer required for the purposes for which they were collected. It is not possible to exercise the right to rectification in the case of video surveillance processing since, given the nature of the data — images taken from reality reflecting an objective event —, it would involve exercising a right whose content is impossible.
- Under certain circumstances, data subjects may request the restriction of the processing of their data, in which case, we will only retain them for the exercise of or defence against complaints.
- Under certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data, in which case the Data Controller will cease processing the data, except for pressing legitimate reasons or for the exercise of or defence against potential complaints.
- Under the right to portability, data subjects are entitled to obtain the personal data that concern them in a structured, commonly used and machine-readable form, and to transmit them to another data controller.
- In case you have given your consent to some specific purpose, you are entitled to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Where to address for the exercise of your rights?
- If you wish to exercise your rights, please, address the channel established by the Data Controller for the exercise of rights: firstname.lastname@example.org so that we can respond to your request in a managed way.
- Which information is required for the exercise of your rights?
- For the exercise of your rights, we need you to prove your identity and the specific request you are making; thus, we will ask you the following information:
- Documented information (written statement/email) of the petition that specifies your request.
- Proof of identity as holder of the data object of exercise (Name, surnames and photocopy of the National Identity Card of the data subject and/or the person representing him/her) as well as the document supporting such representation (legal representative, where appropriate).
- In the case of exercising rights related to deceased people’s data: A copy of:
- Family Record Book or Register of Births, Marriages and Deaths certificate recording the kinship or civil union with the deceased and/or,
- Will in which the applicant is declared heir and/or,
- Express designation of the applicant individual or institution by the deceased and/or
- Documentation supporting the legal representation of the deceased.
- In case of exercising rights to rectification and/or erasure: Affidavit issued by the applicant confirming that he/she has obtained the consent of the rest of people related to the deceased by kinship or civil union as well as his/her heirs in order to carry out such application.
- Where the Data Controller has reasonable doubts concerning the identity of the individual making the request, the Controller may ask for additional information required to confirm the identity of the data subject.
- Address for service, date and signature of the applicant (in case of a written statement) or full name and surnames (in case of email), or else validation of the request in the personal area of the communication channel using the personal identity authentication code)
- When exercising the right to rectification set out in article 16 of the GDPR, the data subject shall specify in his/her request to which data he/she is referring and the rectification that should be made. He/she shall append, where required, the documentation supporting the inaccuracy or incomplete nature of the data undergoing processing.
- Likewise, where we process a significant amount of data concerning the data subject and the latter exercises his/her right of access without specifying whether he/she refers to all or some of the data, the Data Controller may ask the data subject, before providing the information, to specify the data or processing activities referred in the request.
- Which is the General Procedure for the Exercise of your rights?
- Once we have received the information required, we will proceed to respond to your request according to DELFIN TUBES’ general procedure for the exercise of rights:
- The Data Controller shall provide information on action taken on a request pursuant to Articles 15 to 22 (Data subjects’ rights) to the data subject, and in any event within one month of receipt of the request.
- That period may be extended by two further months where necessary, taking into account the complexity and the number of requests.
- The Data Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
- Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
- Only in the cases in which the processing systems of the Data Controller allow it, the right of access may be exercised through a direct and secure remote access system to personal data that guarantees, at all times, access to their totality. For such purposes, the Data Controller’s communication to the data subject of the way in which the latter may access such system will suffice to consider the request for exercise of the right met. However, the data subject may request the Data Controller to provide the information referred to the provisions set out in article 15.1 of the GDPR that is not included in the remote access system.
- If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
- Information will be provided free of charge, except for a reasonable fee for administrative costs. Where the data subject chooses a method other than the one offered involving a disproportionate cost, the request will be considered excessive; consequently, such data subject shall assume the additional costs entailed by his/her choice. In this case, the Data Controller will be only required to meet the right of access without undue delay.
- The Data Controller may refuse to act on the request, although it shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. For the purposes of Article 12.5 of the GDPR, the exercise of the right of access may be considered repetitive where it is requested more than once within six months, unless there is a legitimate cause for it.
- In the cases in which the exercise of the rectification or erasure right is appropriate, we will proceed to block your data: Data blocking consists in the identification and saving thereof, adopting technical and organisational measures to prevent their processing, including their viewing, except for data disclosures to judges and courts, the Public Prosecutor or the relevant Public Administrations, in particular data protection authorities, for any potential accountability for the processing and only for the limitation period thereof. After such period, we will proceed to destroy the data. The blocked data may not be processed for any purpose other than the aforementioned. (Article 16 GDPR and Article 32 LOPDGDD).
- Where data are erased as a result of exercising the right to objection pursuant to Article 21.2 of the GDPR, the Data Controller may retain the identification data of the data subject required to prevent future processing for direct marketing purposes. In the cases in which you do not wish to have your data processed for being sent commercial communications, we refer you to the existing advertising exclusion systems, pursuant to the information published by the relevant supervisory authority (AEPD) on its website aepd.es
- In the cases in which the personal data processing is restricted, this will be clearly specified in the information systems of the Data Controller.
- In case of existing an officially recognised, due and enforceable debt, the debtor will be sent, upon the demand for payment, a communication about the possibility to be included in such systems (bad debtor processing of the organisation), specifying those in which he/she will be included (collection management entities for the management of the pertinent claim...) in case the debt is not settled within a maximum period of 15 days from the notice of the insolvency; he/she is informed about the possibility to exercise the rights established in articles 15 to 22 of the GDPR within the thirty days following the debt notice to the system, having his/her data blocked for such period.
- The people related to the deceased by kinship or civil union, as well as his/her heirs, may address the Data Controller or Data Processor in order to request access to the personal data of the deceased and, where appropriate, their rectification or erasure. As an exception, the people referred in the previous paragraph may not access the data of the deceased or request their rectification or erasure where the deceased had expressly forbidden it or the law so provides. Such prohibition will not affect the heirs’ rights to access the property data of the deceased.
- In order to meet the current regulation on surveillance matters Inst. 1/2006 of the AEPD, you are informed that the retention period for the recordings is 1 month from their capture; therefore, we cannot process requests formalised after such period. Likewise, in order to avoid affecting third parties’ rights, in the case of requests for access, we will proceed to issue a certificate specifying, as accurately possible and without affecting third parties’ rights, the data that have undergone processing. Example: ‘Your image was recorded in our systems on ___ (day, month, year) between _ hours and _ hours. Specifically, the system has recorded your access and exit of the premises.’
- Which are the existing complaint procedures?
- If you believe that your rights have not been duly respected, you may lodge a complaint with the supervisory authority, addressing for these purposes the Spanish Data Protection Agency (AEPD), in c/Jorge Juan, 6 - 28001 Madrid
- How have we obtained your data?
- The data subject or his/her legal representatives, through the communication sent and/or through professional social networks.
- Distributors, partners and other companies related to DELFIN TUBES*, group companies of the marketed Brands, belonging to the sectors of design, development, manufacture and marketing of products for the oil, gas, chemical, energy generation and heat recovery system industry; sectoral events, fairs and conferences organised by the organisation and/or in which the latter participates; public information related to tenders/bids; legitimate commercial databases; professional social networks; search engines and databases on the Internet; and third parties with which the Data Controller has a contractual relationship or a service agreement and for which it requires your personal data for processing the requested service or performing our contractual commitments and tax and accounting obligations related to the service contracted and/or verifying the regulatory compliance under the responsibility of the organisation; public information related to tenders/bids; legitimate commercial databases; professional social networks; search engines and databases on the Internet; and third parties with which the Data Controller has a contractual relationship or a service agreement and for which it requires your personal data for processing the requested service or performing our contractual commitments and tax and accounting obligations related to the service contracted and/or verifying the regulatory compliance under the responsibility of the organisation.
- In the case of data of candidates who provide their CV, data may come from, in addition to the data subject, temporary employment agencies, entities with which there are established internship agreements or training programmes with recruitment commitments, professional social networks and/or third parties contracted to carry out recruitment processes for filling vacancies or positions in companies related to the trade name DELFIN TUBES*
- Which data categories do we process?
- The data structure processed by us does not contain data regarding convictions or criminal offences, or especially protected data, except in the cases in which the data subject is a beneficiary of a special condition that must be taken into consideration in the provision of the services and/or in the management of the subsidy that may be processed (e.g., disability) and must provide documentation proving so, as well as in the cases in which the data subject has special conditions and must provide documentation that includes such information in order to prove that he/she meets such condition.
- Identification data and contact details, for example, by way of illustration and not by way of limitation: name, surnames, telephone or email, commercial information data, economic, financial and/or payment term data; Other type of data: contact details of the people of the organisation involved in or related to the service subject matter of the contract/request as well as data related to and/or submitted with the Query, Requests for technical or corporate Information, Resources and/or Activities, Complaints or Incidents lodged by you, as well as third parties’ personal data you may provide us.
- Commercial data, data of contact persons for the administrative and operational management related to the execution of a contract/projects and of workers who are going to carry out the contracted works in terms of coordination of business activities related to occupational health and safety management; In the case of workers who are going to carry out the contracted works in terms of coordination of business activities related to occupational health and safety management; Permits and authorisations, in the case of workers who are going to carry out the contracted works in terms of coordination of business activities related to occupational health and safety management; Data about commercial information and authorisation; Economic and financial data and/or data on collection terms; Goods and services supplied by the concerned party, financial Transactions; Other type of data (please, specify): Name, surnames and Tax Identification Number of the legal representative, data of the organisation’s contact persons involved in or related to the project subject matter of the contract/order.
- In the case of data of candidates who provide their CV, the structure of the processed data would be, by way of illustration and not by way of limitation, identification and contact data (address, contact telephone and contact email); academic and professional data regarding education, qualifications and professional experience; personal data related to civil status, family data, date and place of birth, age, sex, nationality; work permit; data on occupational status; other data (professional goals, leisure and hobbies). Where the candidate informs us about a disability condition, we may request the certificates supporting such condition.
- How are your data stored in a secure way?
- As regards the processing of your personal data, you are informed that:
The Data Controller has formalised agreements to guarantee that we process your personal data appropriately and in accordance with the current data protection regulations. These agreements contain the respective duties and responsibilities as regards you, and they consider which entity is better positioned to meet your needs. These agreements do not affect your rights under the data protection law. To obtain more information about these agreements, please, do not hesitate to contact us.
- As regards the personal data which DELFIN TUBES may access as a consequence of the contracted services, you are informed that:
The provision of the services subject matter of the contract may involve the DELFIN TUBES staff’s physical access to premises or installations that may store personal data for which the client is the data controller. In this sense, DELFIN TUBES has signed with its staff clauses banning access to all kind of confidential information and, specifically, to personal data belonging to the client, except where the scope of the service envisages the personal data processing; in such case, DELFIN TUBES would act as data processor thereof, establishing in that case the pertinent contract under the current data protection regulation, which would include, inter alia, the subject matter, nature, purpose, category of the data under processing, security measures, obligations and rights of the data processor, and organisational and technical security measures to guarantee confidentiality during the process, as well as the agreements reached by the client and the data processor with regard to the transmission of security breaches and/or the exercise of rights. The client’s failure to formalise the personal data processing service in a contract presupposes that DELFIN TUBES has no associated responsibility as data processor thereof.
Notwithstanding the foregoing, should it gain knowledge of any kind of confidential information for the purpose of providing the service, it undertakes to keep such information confidential and not to disclose or publish it, whether directly or through third parties or companies, or to make it available to third parties. This confidentiality obligation has an indefinite nature and will survive the termination of the contract for any cause. DELFIN TUBES undertakes to communicate the established confidentiality obligations to the staff in its charge and contracted by it and make them comply with them.
- As regards the video surveillance systems with which the premises under the responsibility of DELFIN TUBES are equipped, we inform you that DELFIN TUBES takes all the necessary measures to keep your personal data confidential and secure and meets, in any case, the provisions set in Act 5/2014 of 4 April, on Private Security and their developing provisions. In this sense, it implements and informs you about the following security measures:
- LOCATION OF THE CAMERAS: DELFIN TUBES will only capture images of the public road insofar as it is essential for the purpose of guaranteeing security. In no case will DELFIN TUBES install sound recording or video surveillance systems in places intended for the workers’ or public employees’ rest or relaxation, such as changing rooms, toilets, dining halls and analogous places.
- SOUND CAPTURE: DELFIN TUBES will only record sounds where the risks to the security of the premises, property and people derived from the activity developed in the workplace are relevant, and always respecting the principle of proportionality and minimum intervention and the guarantees.
- LOCATION OF MONITORS: The monitors where the images from the cameras are viewed are located in a restricted access area so that they may not be accessed by unauthorised third parties.
- RETENTION: The footage/sound captured by the video surveillance systems will be erased within a maximum period of one month from their capture, except where they must be retained to prove the perpetration of acts against the safety of people, goods or premises (in such case, the footage will be put at the disposal of the relevant authority within 72 hours maximum from the moment the existence of the recording is known), or where they are related to criminal offences or serious or gross administrative offences on public security matters, to an ongoing police investigation or to a current judicial or administrative procedure (Instruction 1/2006, of 8 November of the AEPD on the processing of personal data for surveillance purposes through camera or video camera systems, and article 22 of the LOPDGDD) - 30 days.
- RIGHT OF ACCESS TO THE IMAGES: In order to comply with the data subject’s right of access, he/she will be asked to submit a recent picture and his/her National Identity Document as well as the details of the date and time to which the right of access refers. The data subject will not be given direct access to the images from the cameras where they contain images of third parties. In order to avoid affecting third parties’ rights, in the case of requests for access, we will proceed to issue a certificate specifying, as accurately possible and without affecting third parties’ rights, the data that have undergone processing. Example: ‘Your image was recorded in our systems on ___ (day, month, year) between _ hours and _ hours. Specifically, the system has recorded your access and exit of the premises.’
- By accepting and/or validating the process that is used as basis for the formalisation of your relationship with DELFIN TUBES, you expressly consent to the data processing pursuant to what is provided in the clause and additional information on data protection as well as to inform and obtain the consent of the third parties whose personal data you may provide us with for such processing. If you have marked the corresponding consent box, the legal basis for such purposes is your consent, which you may withdraw at any time.
- Likewise, and to the extent that, as a consequence of your relationship with DELFIN TUBES, you may access personal data and/or confidential information, you undertake to keep complete confidentiality and discretion regarding the obtained information about the activities, stakeholders and entities related to DELFIN TUBES, especially as regards Personal Data, even after the conclusion of your relationship with the organisation.