Processing of personal data and rights of those affected
Ercros has a personal data processing policy and a procedure for the rights of those affected that you can consult on this page
Personal data processing and data subjects' rights
The purpose of the personal data processing policy and the procedure for the rights of those affected, specifically, is to guide and define the best practices for complying with the obligation to exercise the rights of data subjects, by virtue of the principle of transparency, regarding the circumstances and conditions of the processing of personal data that Ercros S.A. companies carry out in the legal capacity of data controller.
The exercise of the rights of those affected will be made by direct communication to the privacy officer, supported by the legal area to define the legal requirements of this process.
The privacy officer will be responsible for ensuring that this procedure is kept up to date. He/she is also responsible for directing it to other potential departments or areas whose information is relevant to the organisation within the Ercros S.A. documentation scheme and internal communication processes.
Legal and regulatory references
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- Organic Law on data protection and guarantee of digital rights (Law 3/2018 of 5 December).
Rights of those affected
- The rights of data subjects are regulated in articles 15 to 22 of the GDPR. Ercros S.A. undertakes to make it easy for data subjects to exercise their rights, procedures and forms, and to this end they must be visible, accessible and simple.
- From the outset, when personal data is collected, Ercros S.A. informs data subjects of their rights and how they can exercise them.
- Procedures must be put in place that make it easy for data subjects to prove that they have exercised their rights, including by electronic means.
- Right to information.
- Right of access.
- Right of rectification.
- Right of erasure (right to be forgotten).
- Right to limitation of processing.
- Right of objection.
- Right to data portability.
Right to information
The obligation to inform data subjects about the circumstances relating to the processing of their data lies with the controller.
The information must be made available to data subjects at the time the data are requested, prior to collection or recording, if the data are obtained directly from the data subject.
In the event that the data are not obtained from the data subject himself, because they are obtained from a legitimate transfer, or from publicly available sources, the data controller shall inform the data subjects within a reasonable period of time, but in any case:
- No later than one month after the personal data were obtained.
- Before or at the first communication with the data subject.
- Before the data, if any, have been disclosed to other recipients.
This obligation must be fulfilled without the need for a request and the person responsible must be able to prove, at a later date, that the reporting obligation has been fulfilled.
The GDPR adds additional requirements regarding the need to inform data subjects, generalising the concept of processing, and broadly incorporating the following details:
- The contact details of the data protection officer, if applicable.
- The legal basis or legitimacy for the processing.
- The period or criteria for the storage of the information.
- The existence of automated decisions or profiling.
- The provision for transfers to third countries.
- tHe right to lodge a complaint with the supervisory authorities.
- And, in addition, in the event that the data are not obtained from the data subject himself/herself.
- The origin of the data.
- The categories of data.
Right of access
The right to obtain a copy of the personal data processed is recognised. Ercros S.A. may meet this right by providing remote access to a secure system that offers the data subject direct access to their personal data.
Right of rectification
The data subject shall have the right to obtain without undue delay from the controller the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data supplemented, including by means of an additional statement.
Right of suppression
1. The data subject shall have the right to obtain without undue delay from the controller the erasure of personal data relating to him/her, who shall be obliged to erase personal data without undue delay in any of the following circumstances:
- The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
- The data subject withdraws the consent on which the processing is based.
- The data subject objects to the processing and no other legitimate grounds for the processing prevail.
- The personal data have been unlawfully processed.
- The personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the controller.
- The personal data have been obtained in connection with the provision of information society services.
2. Where he or she has made personal data public and is obliged to erase such data, the controller shall, taking into account available technology and the cost of its implementation, take reasonable steps, including technical measures, with a view to informing controllers who are processing the personal data of the data subject's request to erase any link to those personal data, or any copy or replication thereof.
3. Paragraphs 1 and 2 shall not apply where treatment is necessary:
- For the purposes of exercising the right to freedom of expression and information,
- For compliance with a legal obligation requiring the processing of data imposed by Union or Member State law applicable to the controller, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- For reasons of public interest in the field of public health, for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, insofar as the right referred to in paragraph 1 would make it impossible or hinder the performance of such a task.
- For archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, insofar as the right referred to in paragraph 1 would make impossible or seriously impede the achievement of the purposes of such processing, or for the establishment, exercise or defence of claims.
Right to be forgotten
It is not considered an autonomous right or distinct from the classic ARCO rights, but the consequence of the application of the right to erasure of personal data. It is a manifestation of the right to erasure or opposition in the online environment.
Right to object
The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data relating to him or her, including profiling on the basis of those provisions. The controller shall no longer process the personal data unless he or she establishes compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her, including profiling insofar as it is related to such marketing.
Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly mentioned to the data subject and shall be presented clearly and separately from any other information.
Limitation to treatment
The restriction of processing means that, at the request of the data subject, the processing operations that would be applicable in each case will not be applied to his or her personal data.
A request for restriction may be made when:
- The data subject has exercised the rights of rectification or objection and the controller is in the process of determining whether to comply with the request.
- The processing is unlawful, which would result in the erasure of the data, but the data subject objects.
- The data are no longer necessary for the processing, which would also result in their erasure, but the data subject requests the restriction because he or she needs them for the formulation, exercise or defence of claims.
For the duration of the restriction, the data controller may only process the data concerned, beyond their retention, with the data subject's consent:
- With the consent of the data subject.
- For the purposes of formulating, exercising or defending claims.
- For protecting the rights of another natural or legal person.For reasons of important public interest of the Union or of the Member State concerned.
The right to data portability is an advanced form of the right of access whereby the copy provided to the data subject must be in a structured, commonly used and machine-readable format.
This right can only be exercised:
- Where the processing is carried out by automated means.
- Where the processing is based on consent or on a contract.
- Where the data subject so requests in respect of data which he or she has provided to the controller and which relate to him or her, including data arising from the data subject's own activity.
The right to portability means that the data subject's personal data are transferred directly from one controller to another, without the need for prior transmission to the data subject himself/herself, provided that this is technically possible.
- To data of third parties that a data subject has provided to a controller.
- Where the data subject has requested the portability of data relating to him or her but provided to the controller by a third party.
What treatments can we provide answers to these questions?
In those processing operations in which Ercros S.A. acts as the data controller, the data subjects may exercise their rights and we may respond to them:
- Customers, contacts or direct suppliers.
- Staff visiting our facilities.
- Any other person whose personal data is contained in any processing where any Group company is a data controller.
In the rest of the processing operations in which Ercros S.A. (or another Group company) acts as data processor, the right of data subjects must be referred to the corresponding data controller.
Internal procedure for exercising and responding to data subjects
- The following points are established to guarantee, on the one hand, the exercise of rights by the interested parties and, on the other, compliance with the duties of Ercros S.A. to respond in a timely manner to the requests received in this area.
- In general, the entire Ercros S.A. organisation should be informed that any request for access rights should be made through our website www.ercros.es (access my rights) or by email to firstname.lastname@example.org.
- If the interested party comes to the organisation by any other means, he/she should be referred to the website or email, or send him/her Annex 1.
- Together with Annex 1, the documentation and information to be provided by persons wishing to exercise these rights is as follows: name and surname(s) of the interested party, photocopy of the identity card of the interested party or, where appropriate, photocopy of the identity card of the person representing the interested party and document accrediting the representation, request in which the request is made, address for notification purposes, date, signature of the applicant and documents accrediting the request being made.
- If the person concerned uses his or her own form, it should be checked that it contains the same data and that it is accompanied by the documentation required in each case. In general, however, the use of Annex 1 should be sent to the person concerned.
- In order to ensure a timely response, the Privacy Officer shall communicate by e-mail, or other means of communication, the response indicated in Annex 2.
- As a first task, an investigation should be carried out as to which data subjects wish to exercise their rights. Only the rights for which we are responsible for processing should be answered.
- If, following this investigation, it emerges that we are not the data processor or simply not the controller, the response in Annex 3 should be sent to the data subject.
- The privacy officer shall resolve within the period indicated in table 6, and shall issue a response by reliable means (certified mail with acknowledgement of receipt, if the affected party has requested this means) or by e-mail, also notifying the corresponding Ercros S.A. centre that processed the request and the director of the centre or corporate body, and shall coordinate the granting of these rights. The models in the appendix may be used for the reply.
The following deadlines are established for Ercros S.A. to respond and resolve these rights:
- Access: seven days to resolve and 10 days to enable access.
- Rectification: seven days to respond and 30 days to resolve.
- Deletion: seven days to respond and 30 days to resolve.
- Opposition: seven days to respond and 30 days to resolve.
- Restriction of processing: seven days to respond and 30 days to resolve.
- Portability: seven days to respond and 30 days to resolve.
Audit, evaluation and ongoing review
Ercros S.A. must carry out actions of:
- Monitoring, measurement and control of the implementation of this procedure to adapt legal regulations and internal policies.
- Have a risk analysis of personal data that consists of identifying success vulnerabilities of this procedure and estimating the treatments for the risks identified in a manner that they are mitigated, and adopt the actions that must be established within the framework of the organization's management.
- Keep the corresponding body of Ercros S.A. informed. of the results of external evaluations and audits, determining and adopting the decisions and strategies of the security level defined by both parties.