Privacy policy
PERSONAL DATA PROTECTION POLICY
GORTARI STUDIO S.L. is an organization that collects personal data through various means, which gives it significant responsibility in designing and organizing procedures to align with legal compliance in Data Protection. Therefore, GORTARI STUDIO S.L. will adopt all necessary security measures to ensure the protection of collected data.
In the exercise of these responsibilities, and to establish the general principles that should govern the processing of personal data within the Organization, GORTARI STUDIO S.L. approves this Personal Data Protection Policy, which it notifies and makes available to all its Stakeholders, also respecting the following regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
- Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights (LOPD-GDD).
- Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI-CE).
I. SCOPE OF APPLICATION
This Personal Data Protection Policy will apply to GORTARI STUDIO S.L., its administrative and management bodies, staff, as well as all individuals associated with the Organization, including service providers with data access ("Data Processors").
The data controller for personal data collected by the Organization is: GORTARI STUDIO S.L., with NIF: B23837016, whose representative is: ELENA LOPEZ GORTARI (hereinafter, the Data Controller). Their contact details are as follows:
Address: CALLE IMAGEN 4, 4º D - 41003 SEVILLE.
Contact email: contact.gortari@gmail.com
II. INFORMATION ABOUT THE CONTROLLER AND PROCESSING OF PERSONAL DATA AT GORTARI STUDIO S.L.
Additional information on data processing is a set of more specific and detailed information that entities must provide to interested individuals about how their personal data is managed. This concept derives from the transparency principle of the General Data Protection Regulation (GDPR) and complements the basic information initially provided, offering a greater level of detail on the processing activities.
Below, GORTARI STUDIO S.L. provides additional information about the data processing it carries out:
Identity: GORTARI STUDIO SL
Address: Calle Imagen 4, 4º D - 41003 SEVILLE
Email: contact.gortari@gmail.com
| Data Processing | Purpose of Processing | Retention Period |
|---|---|---|
| CLIENTS | Client, accounting, tax, and administrative management | Client management: 5 years. Accounting and tax: 6 years. Administrative: 5 years |
| SUPPLIERS | Client, accounting, tax, and administrative management | Client management: 5 years. Accounting, tax, and administrative: 4 years |
| EMPLOYEES | Payroll, occupational risk prevention, and human resources management | Payroll management: 4 years. Occupational risk prevention: 5 years. Human resources: for the time necessary to investigate the facts and 3 months if the blocking obligation does not apply |
| NEWSLETTER | E-commerce | 5 years |
| WEB FORM | E-commerce | 5 years |
| Data Processing | Legal Basis |
|---|---|
| CLIENTS | Execution of a service provision and/or sales contract |
| SUPPLIERS | Execution of a service provision and/or sales contract |
| EMPLOYEES | Execution of an employment contract |
| NEWSLETTER | Express consent of the interested party |
| WEB FORM | Express consent of the interested party |
| Data Processing | Anticipated Transfers | International Transfers |
|---|---|---|
| CLIENTS | No transfers anticipated | No |
| SUPPLIERS | No transfers anticipated | No |
| EMPLOYEES | No transfers anticipated | No |
| NEWSLETTER | No transfers anticipated | No |
| WEB FORM | No transfers anticipated | No |
RIGHTS OF INTERESTED PARTIES
Any individual has the right to obtain confirmation as to whether GORTARI STUDIO S.L. is processing personal data concerning them.
Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data, or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
In certain circumstances, interested parties may request the restriction of the processing of their data, in which case we will only retain it for the exercise or defense of claims, as well as to comply with legally established retention periods.
Likewise, interested parties may object to the processing of their personal data. Therefore, GORTARI STUDIO S.L. will cease processing their data, except for legitimate and compelling reasons, or in the exercise of possible claims.
Similarly, when certain circumstances arise and it is technically possible, interested parties will have the right to have their personal data transmitted directly to another data controller or processor, upon request.
To exercise the aforementioned rights, you must contact us by sending a written request to:
● GORTARI STUDIO S.L. Calle Imagen 4, 4º D - 41003 SEVILLE, or by email to contact.gortari@gmail.com. We recommend enclosing a copy of your ID with your request.
III. PRINCIPLES APPLICABLE TO PERSONAL DATA PROCESSING
The Personal Data Protection Policy is a proactive accountability measure aimed at ensuring compliance with applicable legislation in this area and, in relation to it, respect for the right to honor and privacy in the processing of personal data of all individuals associated with GORTARI STUDIO S.L..
In furtherance of the provisions of this Policy, the principles governing data processing within the organization are established, and consequently, the procedures and organizational and security measures that individuals affected by this Policy commit to implement within their sphere of responsibility.
In connection with the above, GORTARI STUDIO S.L. will ensure compliance with the following principles:
– Lawfulness, fairness, transparency, and purpose limitation.
Data processing must always be communicated to the data subject through established clauses and procedures; and it will only be considered legitimate if there is consent for data processing (with special attention to that provided by minors), or it has another valid legal basis, and its purpose is in accordance with the applicable regulations.
– Data minimization.
The data processed must be adequate, relevant, and limited to what is necessary in relation to the different purposes of the processing.
– Accuracy.
The data must be accurate and, if necessary, updated. In this regard, necessary measures will be adopted to ensure that personal data that is inaccurate with respect to the purposes of processing is deleted or rectified without delay.
– Storage limitation.
Data will be kept in a form that allows identification of interested parties for no longer than is necessary for the purpose of the processing in question.
– Integrity and Confidentiality.
Personal data will be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by implementing appropriate technical or organizational measures.
– Data transfers.
The purchase or obtaining of personal data whose origin comes from illegitimate sources, or in those cases where such data has been collected or transferred in contravention of the law or its legitimate origin is not sufficiently guaranteed, is prohibited.
– Engagement of suppliers with data access.
Only suppliers offering sufficient guarantees to implement appropriate technical and security measures in data processing will be selected for engagement. A proper contract will be documented with them in this regard.
– International data transfers.
All personal data processing subject to European Union regulations that involves a transfer of data outside the European Economic Area must be carried out in strict compliance with the requirements established in the applicable law.
– Rights of data subjects.
The Organization will facilitate to data subjects the exercise of the rights of access, rectification, erasure, restriction of processing, objection, and data portability, establishing for this purpose the internal procedures, and in particular, the necessary and appropriate forms for their exercise, which must meet, at least, the legal requirements applicable in each case.
GORTARI STUDIO S.L. will promote that the principles set out in this Personal Data Protection Policy are taken into account:
1. In the design and implementation of all work procedures
2. In the products and services offered
3. In all contracts and obligations that they formalize or assume, and
4. In the implementation of all systems and platforms that allow access by their employees or third parties and/or the collection or processing of personal data.
IV. PERSONAL DATA OF MINORS
Respecting the provisions of articles 8 of the GDPR and 7 of Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights, only individuals over 14 years of age may grant their consent for the lawful processing of their personal data by GORTARI STUDIO S.L.. If the individual is under 14 years of age, the consent of parents or guardians will be necessary for processing, and this will only be considered lawful to the extent that they have authorized it.
V. SECRECY AND SECURITY OF PERSONAL DATA
GORTARI STUDIO S.L. undertakes to notify the user, without undue delay, when a personal data security breach occurs that is likely to result in a high risk to their rights and freedoms. Following the provisions of Article 4 of the GDPR, a personal data security breach is understood as any security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Personal data will be treated as confidential by the Data Controller, who undertakes to inform and guarantee, through a legal or contractual obligation, that such confidentiality is respected by its employees, associates, and all persons to whom the information is made accessible.
VI. COMMITMENT OF GORTARI STUDIO S.L. STAFF
Therefore, we state that the employees of GORTARI STUDIO S.L. are informed of this Policy, and declare themselves aware that personal information is an asset of GORTARI STUDIO S.L., and in this regard, they adhere to it, committing to the following:
– Complete the Data Protection awareness training provided by GORTARI STUDIO S.L..
– Apply user-level security measures applicable to their job position, without prejudice to the responsibilities in their design and implementation that may be attributed to them based on their role within GORTARI STUDIO S.L..
– Use the established forms for the exercise of Rights by affected users, and immediately inform GORTARI STUDIO S.L. so that a response can be effectively provided.
– Inform GORTARI STUDIO S.L., as soon as they become aware, of any deviations from this Policy, particularly concerning "Personal Data Security Breaches," using the established form for this purpose.
VII. CONTROL AND EVALUATION
GORTARI STUDIO S.L. will conduct an annual verification, evaluation, and assessment, as well as whenever there are significant changes in data processing, of the effectiveness of technical and organizational measures to ensure processing security.
GORTARI STUDIO S.L.