Privacy Policy
INDEX
1. Purpose of the Privacy Policy
2. Definitions
3. Identity of the Data Controller
4. Applicable Laws and Regulations
5. Principles Applicable to the Processing of Personal Data
6. Data Processing Activities Carried Out
7. Necessary and Up-to-Date Information
8. Personal Data of Minors
9. Technical and Organisational Security Measures
10. Rights of Data Subjects
11. Complaints to the Supervisory Authority
12. Acceptance and Changes to the Privacy Policy
1.- PURPOSE OF THE PRIVACY POLICY
The purpose of this "Privacy and Data Protection Policy" is to inform users of
the conditions governing the collection and processing of personal data by
UCERSA, making every effort to safeguard the fundamental rights, honour and
freedoms of the individuals whose personal data are processed, in compliance
with the regulations and laws in force governing the Protection of Personal Data
under the European Union and the Spanish Member State and, in particular,
those set out in the "Processing Activities" section of this Privacy Policy.
Therefore, this Privacy and Data Protection Policy informs users of the Website
http://www.ucersa.com of all relevant details regarding how these processes
are carried out, for what purposes, which other entities may have access to their
data, and what rights users have.
2.- DEFINITIONS
'Personal data': any information relating to an identified or identifiable natural
person ('the Website user'); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an identifier such
as a name, an identification number, location data, an online identifier or one or
more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.
'Processing': any operation or set of operations which is performed on personal
data or on sets of personal data, whether or not by automated means, such as
collection, recording, organisation, structuring, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction, erasure or
destruction.
'Restriction of processing': the marking of stored personal data with the aim of
limiting their processing in the future.
'Profiling': any form of automated processing of personal data consisting of the
use of personal data to evaluate certain personal aspects relating to a natural
person, in particular to analyse or predict aspects concerning that natural
person's performance at work, economic situation, health, personal preferences,
interests, reliability, behaviour, location or movements.
'Pseudonymisation': the processing of personal data in such a manner that the
personal data can no longer be attributed to a specific data subject without the
use of additional information, provided that such additional information is kept
separately and is subject to technical and organisational measures to ensure that
the personal data are not attributed to an identified or identifiable natural person.
'Filing system': any structured set of personal data which are accessible
according to specific criteria, whether centralised, decentralised or dispersed on
a functional or geographical basis.
'Controller' or 'data controller': the natural or legal person, public authority,
agency or other body which, alone or jointly with others, determines the purposes
and means of the processing of personal data; where the purposes and means of
such processing are determined by Union or Member State law, the controller or
the specific criteria for its nomination may be provided for by Union or Member
State law.
'Processor' or 'data processor': a natural or legal person, public authority,
agency or other body which processes personal data on behalf of the controller.
'Recipient': a natural or legal person, public authority, agency or another body,
to which the personal data are disclosed, whether a third party or not. However,
public authorities which may receive personal data in the framework of a
particular inquiry in accordance with Union or Member State law shall not be
regarded as recipients; the processing of those data by those public authorities
shall be in compliance with the applicable data protection rules according to the
purposes of the processing.
'Third party': a natural or legal person, public authority, agency or body other
than the data subject, controller, processor and persons who, under the direct
authority of the controller or processor, are authorised to process personal data.
'Consent of the data subject': any freely given, specific, informed and
unambiguous indication of the data subject's wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement to the processing
of personal data relating to him or her.
'Personal data breach': a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, personal
data transmitted, stored or otherwise processed.
'Genetic data': personal data relating to the inherited or acquired genetic
characteristics of a natural person which give unique information about the
physiology or the health of that natural person and which result, in particular,
from an analysis of a biological sample from the natural person in question.
'Biometric data': personal data resulting from specific technical processing
relating to the physical, physiological or behavioural characteristics of a natural
person, which allow or confirm the unique identification of that natural person,
such as facial images or dactyloscopic data.
'Data concerning health': personal data related to the physical or mental health
of a natural person, including the provision of health care services, which reveal
information about his or her health status.
'Main establishment': a) with regard to a controller with establishments in more
than one Member State, the place of its central administration in the Union,
unless the decisions on the purposes and means of the processing of personal
data are taken in another establishment of the controller in the Union and that
establishment has the power to have such decisions implemented, in which case
the establishment having taken such decisions is to be considered to be the main
establishment; b) with regard to a processor with establishments in more than
one Member State, the place of its central administration in the Union, or, if the
processor has no central administration in the Union, the establishment of the
processor in the Union where the main processing activities in the context of the
activities of an establishment of the processor take place to the extent that the
processor is subject to specific obligations under this Regulation.
'Representative': a natural or legal person established in the Union who, having
been designated in writing by the controller or processor pursuant to Article 27
of the GDPR, represents the controller or processor with regard to their
respective obligations under this Regulation.
'Enterprise': a natural or legal person engaged in an economic activity,
irrespective of its legal form, including partnerships or associations regularly
engaged in an economic activity.
'Supervisory authority': an independent public authority which is established by
a Member State pursuant to Article 51 of the GDPR. In the case of Spain, this
is the Spanish Data Protection Agency (AEPD).
'Cross-border processing': a) the processing of personal data which takes place
in the context of the activities of establishments in more than one Member State
of a controller or processor in the Union where the controller or processor is
established in more than one Member State; or b) the processing of personal
data which takes place in the context of the activities of a single establishment
of a controller or processor in the Union but which substantially affects or is
likely to substantially affect data subjects in more than one Member State.
'Information society service': a service as defined in point (b) of Article 1(1)
of Directive (EU) 2015/1535, i.e. any service normally provided for
remuneration, at a distance, by electronic means and at the individual request of
a recipient of services.
3.- IDENTITY OF THE DATA CONTROLLER
The Data Controller is the natural or legal person, of a public or private nature,
or administrative body, who alone or jointly with others determines the purposes
and means of the processing of personal data; where the purposes and means of
processing are determined by European Union or Spanish Member State law.
In the matters described in this Data Protection Policy, the identity and contact
details of the Data Controller are:
UCERSA TECHNOLOGY S.A - VAT No. A12027488
C/San Jaime, No. 198 (P.O. Box 118). 12550, Almazora (Castellón), Spain
Email: ucersa@ucersa.com
Phone: 964 503 333
4.- APPLICABLE LAWS AND REGULATIONS
This Privacy and Data Protection Policy has been developed in accordance with
the following data protection regulations and laws:
Regulation (EU) 2016/679 of the European Parliament and of the Council of
27 April 2016 on the protection of natural persons with regard to the processing
of personal data and on the free movement of such data. Hereinafter GDPR.
Organic Law 3/2018 of 5 December on the Protection of Personal Data and
Guarantee of Digital Rights. Hereinafter LOPD/GDD.
Law 34/2002 of 11 July on Information Society Services and Electronic
Commerce. Hereinafter LSSICE.
5.- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
Personal data collected and processed through this Website shall be processed
in accordance with the following principles:
Principle of lawfulness, fairness and transparency: All processing of personal
data carried out through this Website shall be lawful and fair, and it shall be
entirely clear to the user when their personal data are being collected, used,
consulted or processed. Information relating to the processing carried out shall
be provided in advance, in an easily accessible and easy-to-understand manner,
using plain and clear language.
Principle of purpose limitation: All data shall be collected for specified,
explicit and legitimate purposes and shall not be further processed in a manner
incompatible with those purposes.
Principle of data minimisation: The data collected shall be adequate, relevant
and limited to what is necessary in relation to the purposes for which they are
processed.
Principle of accuracy: Data shall be accurate and, where necessary, kept up to
date, taking every reasonable step to ensure that personal data that are inaccurate
with regard to the purposes for which they are processed are erased or rectified
without delay.
Principle of storage limitation: Data shall be kept in a form which permits
identification of data subjects for no longer than is necessary for the purposes
for which the personal data are processed.
Principle of integrity and confidentiality: Data shall be processed in a manner
that ensures appropriate security of the personal data, including protection
against unauthorised or unlawful processing and against accidental loss or
damage, by means of appropriate technical and organisational measures.
Principle of accountability: The entity owning the Website shall be responsible
for compliance with the principles set out in this section and shall be able to
demonstrate such compliance.
6.- DATA PROCESSING ACTIVITIES
The following section details the data processing activities carried out through
the Website, specifying each of the following items:
Activity: Name of the data processing activity
Purposes: Each of the uses and processing operations carried out with the
collected data
Legal basis: The legal basis that legitimises the processing of the data
Data processed: Types of data processed
Source: Where the data are obtained from
Retention: The period during which the data are retained
Recipients: Third-party persons or entities to whom the data are provided
International transfers: Cross-border transfers of data outside the European
Union
6.1 MAIN PROCESSING ACTIVITIES
These are data processing activities whose purposes are necessary and essential
for the provision of services.
6.2 OPTIONAL PROCESSING ACTIVITIES (if the user has given their consent)
These are personal data processing activities whose purposes are not essential
for the provision of the service and which are only carried out if the user has
indicated YES to the consent for these activities.
Website Enquiries
Legal bases: Explicit consent of the data subject
Purposes: Response to enquiries received through the website's electronic
contact form
Data categories and groups: Website contacts (Identification data)
Data source: The data subject themselves or their legal representative
Recipient categories: None foreseen
International transfer: None foreseen
Retention period: For a period of 1 year from the last confirmation of interest
User Management
Legal bases: Explicit consent of the data subject
Purposes: E-commerce
Data categories and groups: Registered users (Identification data)
Data source: The data subject themselves or their legal representative
Recipient categories: None foreseen
International transfer: None foreseen
Retention period: For a period of 5 years from the last confirmation of interest
7.- NECESSARY AND UP-TO-DATE INFORMATION
All fields marked with an asterisk (*) in the Website forms are mandatory, such
that omitting any of them may result in the inability to provide the requested
services or information.
You must provide truthful information. To ensure that the information provided
is always up to date and free of errors, you must notify the Data Controller as
soon as possible of any changes or corrections to your personal data by sending
an email to: ucersa@ucersa.com.
Likewise, by clicking the "I Accept" button (or equivalent) included in said
forms, you declare that the information and data you have provided are accurate
and truthful, and that you understand and accept this Privacy Policy.
8.- PERSONAL DATA OF MINORS
In compliance with Article 8 of the GDPR and Article 7 of the LOPD/GDD,
only individuals aged 14 and over may give their consent to the processing of
their personal data in a lawful manner by UCERSA.
Therefore, individuals under the age of 14 may not use the services available
through the Website without the prior authorisation of their parents, guardians
or legal representatives, who shall be solely responsible for all actions carried
out through the Website by the minors in their care, including the completion of
electronic forms with the personal data of said minors and, where applicable,
the ticking of the accompanying checkboxes.
9.- TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
The Data Controller adopts the necessary organisational and technical measures
to ensure the security and privacy of your data and to prevent their alteration,
loss, or unauthorised processing or access, taking into account the state of
technology, the nature of the stored data and the risks to which they are exposed.
These include, among others, the following measures:
Ensuring the ongoing confidentiality, integrity, availability and resilience
of processing systems and services.
Restoring the availability and access to personal data in a timely manner
in the event of a physical or technical incident.
Regularly verifying, assessing and evaluating the effectiveness of
technical and organisational measures implemented to ensure the security
of processing.
Pseudonymising and encrypting personal data, where sensitive data are
involved.
Furthermore, the Data Controller has decided to manage its information systems
in accordance with the following principles:
Principle of regulatory compliance: All information systems shall comply
with the applicable legal, regulatory and sectoral requirements affecting
information security, in particular those related to the protection of personal
data and the security of systems, data, communications and electronic services.
Principle of risk management: Risks shall be minimised to acceptable
levels and a balance shall be sought between security controls and the nature
of the information. Security objectives shall be established and reviewed, and
shall be consistent with information security aspects.
Principle of awareness and training: Training programmes and awareness
initiatives and campaigns in the field of information security shall be
developed for all users with access to information.
Principle of proportionality: The implementation of controls to mitigate
security risks to assets shall be carried out by seeking a balance between
security measures, the nature of the information and the risk.
Principle of responsibility: All members of the Data Controller's organisation
shall be responsible for their conduct with regard to information security,
complying with the established rules and controls.
Principle of continuous improvement: The effectiveness of the security
controls implemented in the organisation shall be reviewed on a recurring
basis to increase the capacity to adapt to the constant evolution of risk and
the technological environment.
10.- RIGHTS OF DATA SUBJECTS
Current data protection regulations protect users with a series of rights in
relation to the use of their data. Each and every one of these rights is personal
and non-transferable, meaning they can only be exercised by the data owner,
subject to prior verification of their identity.
The following sets out the rights of Website users:
Right of access: This is the right of the Website user to obtain confirmation
as to whether or not the Data Controller is processing their personal data and,
if so, to obtain information about their specific personal data and the processing
carried out or being carried out by the Data Controller, as well as, among
other things, available information about the origin of such data and the
recipients of any communications made or envisaged.
Right to rectification: This is the right of the Website user to have their
personal data modified where it proves to be inaccurate or, taking into account
the purposes of the processing, incomplete.
Right to erasure: Commonly known as the "right to be forgotten", this is the
right of the Website user, unless current legislation provides otherwise, to
obtain the erasure of their personal data when they are no longer necessary
for the purposes for which they were collected or processed; the User has
withdrawn consent and there is no other legal basis for processing; the User
objects to the processing and there is no other legitimate reason to continue;
the personal data have been processed unlawfully; or the personal data were
obtained in connection with a direct offer of information society services to a
child under 14 years of age. In addition to erasing the data, the Data Controller,
taking into account available technology and the cost of implementation, shall
take reasonable steps to inform other possible controllers processing the
personal data of the data subject's request for erasure of any links to such
personal data.
Right to restriction of processing: This is the right of the Website User to
restrict the processing of their personal data. The Website User has the right
to obtain restriction of processing where they contest the accuracy of their
personal data; the processing is unlawful; the Data Controller no longer needs
the personal data but the User requires them for the establishment, exercise or
defence of legal claims; and where the Website User has objected to processing.
Right to data portability: Where processing is carried out by automated
means, the Website User shall have the right to receive from the Data Controller
their personal data in a structured, commonly used and machine-readable
format, and to transmit those data to another controller. Where technically
feasible, the Data Controller shall transmit the data directly to that other
Controller.
Right to object: This is the right of the User to object to the processing of
their personal data or to require the Data Controller to cease processing them.
Right not to be subject to automated decision-making and/or profiling:
This is the right of the Website User not to be subject to a decision based solely
on automated processing of their personal data, including profiling, except
where current legislation provides otherwise.
Right to withdraw consent: This is the right of the Website User to withdraw,
at any time, the consent given for the processing of their data.
The Website user may exercise any of the above rights by contacting the Data
Controller and providing prior identification using the following contact details:
Controller: UCERSA TECHNOLOGY S.A
Address: C/San Jaime, No. 198 (P.O. Box 118). 12550, Almazora
(Castellón), Spain
Phone: 964 503 333
E-mail: ucersa@ucersa.com
Website: http://www.ucersa.com
11.- RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY
Users are informed of their right to lodge a complaint with the Spanish Data
Protection Agency (AEPD) if they consider that an infringement of data
protection legislation has been committed in relation to the processing of their
personal data.
Contact details of the supervisory authority:
Spanish Data Protection Agency (AEPD)
Email: info@aepd.es
Phone: 912663517
Website: https://www.aepd.es
Address: C/. Jorge Juan, 6. 28001, Madrid (Madrid), Spain
12.- ACCEPTANCE AND CHANGES TO THE PRIVACY POLICY
It is necessary for the Website user to have read and agreed to the data protection
conditions contained in this Privacy Policy, and to accept the processing of their
personal data, in order for the Data Controller to proceed with such processing
in the manner, timeframes and for the purposes indicated.
The Data Controller reserves the right to modify this Privacy Policy at its own
discretion, or as prompted by a legislative, case law or doctrinal change by the
Spanish Data Protection Agency. Any changes or updates made to this Privacy
Policy that affect the purposes, retention periods, transfers of data to third
parties, international data transfers, as well as any right of the Website User,
shall be explicitly communicated to the user.
Version of 20 December 2023