Privacy Policy
As you probably know, the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (hereinafter RGPD) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD) highlights the need to strengthen the levels of security and protection of personal data.
We would like to inform you that Moonoff, SL complies with all the requirements of said legislation and that all data, under our responsibility, are treated in accordance with legal requirements and with the appropriate security measures in place to guarantee their confidentiality.
However, given the legislative developments that have taken place, we believe it is appropriate to inform you and submit for your acceptance the following privacy policy:
Table of contents
Who is responsible for processing your data?
For what purpose do we process your personal data?
Moonoff, SL (MOONOFF)
c/República Checa 23-25,
15707 Santiago de Compostela,
A Coruña , Spain
rgpd@moonoff.com
· Attention to your queries and requests: Management of Responses to Queries, Complaints or Incidents, Requests for Technical or Corporate Information, Resources and/or Activities.
· Contact with the interested party through the means of communication provided (email, postal address and/or telephone) in order to manage the queries that you send us through the channels enabled for this purpose, manage notifications and coordinate actions derived from the services that you request from us by persons related to MOONOFF and/or by data processors related to it for the legitimate and/or consented purposes.
· Offer and Commercial Management of products and services.
· Internal use, carrying out operations and administrative, economic and accounting management derived from the relationship with the owner (commercial and/or contractual relationship).
· Management of the contracting and provision of services of the organization, as well as compliance with contractual and regulatory requirements linked to the requested organization or operation.
· Processing and managing the orders you place (including online distance selling), processing payment (including management of the online store payment gateway) and managing the shipping and delivery of the products purchased.
· Management of Contact with the interested party through the means of communication provided (email, postal address and/or telephone) in order to arrange meetings and visits, manage the queries that you send us through the channels enabled for this purpose, manage notices, communications related to the service (sending technical documentation (lighting studies, technical sheets), administrative documentation, invoices, management of payments and collections), coordination of activities, request for authorization to use facilities, resolution of incidents and coordination of actions derived from the services requested by people related to the organization and/or by data processors contracted by it for the legitimate and/or consented purposes.
· Sending commercial communications about products or services similar to those contracted by the client with whom there is a prior contractual relationship, legitimised in accordance with article 21 of the LSSICE.
· Quality control over our products and services, quality management of processes and activities, as well as evaluation of the results of satisfaction/perception and performance of the organization’s interest groups.
· Provision of evidence justifying campaigns, activities, promotions, contests, projects and grants in which the organization participates.
· Regulatory Compliance Management (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, which may include establishing access controls to the facilities, as well as controls relating to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as non-compliance with regulations, crimes or illegal behaviour.
· Assessment of Credit and Asset Solvency in order to confirm the economic viability of the requested operation, as well as, where appropriate, the communication and management associated with the claim for the amounts agreed for the provision of the service.
· Statistical and historical purposes that allow us to improve the commercial strategy of our products and services.
· Management and auditing of the organization’s processes and facilities’ regulatory compliance and management systems.
· Dissemination of our best practices in relation to the services we have provided to you and/or the publication and/or communication of graphic material that may incorporate the image of the owner and/or his/her staff in corporate media (for example, and not limited to, websites, social networks, newsletters, activity reports, reports, presence in the media) and/or other public media (sector publications and/or reports in print media, TV, etc.), such as dissemination of the results of the activity, promotion and dissemination, management of campaigns, activities and events and/or as accreditation of technical solvency in response to requests for evidence of justification in tendering processes, technical offers, projects and subsidies in which related companies and/or the group participate, to the extent that you have unequivocally consented to this.
· Contacting you and sending you personal communications, invitations to events and gifts for clients, congratulating you on special dates, conducting quality and satisfaction surveys, and periodically informing you of new features, corporate news and information, information on the publication of grants, competitions, rates, offers, catalogues and promotions of products and services of the organisation and of companies related to Moonoff* in order to evaluate the quality of our processes and provide you with offers of products and services of interest to you by telephone, written or electronic means through the means of communication provided, to the extent that you have unequivocally consented to this.
· Communication with other related companies*, belonging to the sectors of design, development, manufacturing and marketing of LED lighting, electrical and electronic products and/or official after-sales services, whose updated list appears on the brand’s official website for contact and sending personal communications, invitations to events and gifts aimed at customers, conducting opinion surveys, as well as to periodically inform you of news, products and/or services, as well as corporate news and information and offers and promotions of products and services by telephone, written or electronic means, such information may be appropriate to your particular profiles, to the extent that you have unequivocally consented to us doing so.
· Management of registration for MOONOFF conferences and events.
· Management of subscription to the MOONOFF newsletter.
· The international transfer of your data to the extent that it is strictly necessary to comply with the management of a project in a country outside the EU or due to the location of the data processing systems of data management applications (we inform you that part of the brand’s information processing systems may be located in countries outside the EU).
· Recording images/audios using devices (mobile phones, telephones, audio systems, video, playback, etc.) is strictly prohibited within MOONOFF facilities, unless explicitly authorized and formalized by Management. Only devices expressly authorized by the company’s Management are permitted. The company may make video recordings on the premises with the aim of improving performance, productivity, method and time studies, as well as safety and fire measures, without prejudice to what is indicated in the following paragraph regarding the safety of the facilities and the control of compliance with labor obligations.
· Management of Visits and Video Surveillance of the Facilities, as well as security and regulatory compliance in the same, investigation of possible incidents or accidents, management of associated insurance and management of warnings or sanctions for non-compliance with safety regulations.
· Consult the advertising exclusion systems that could affect their performance, excluding from processing the data of those affected who have expressed their opposition or refusal to do so by consulting the advertising exclusion systems published by the competent control authority.
· Consult the advertising exclusion systems that could affect their performance, excluding from processing the data of those affected who have expressed their opposition or refusal to do so by consulting the advertising exclusion systems published by the competent control authority.
· Associated management, including prior communication thereof, which may arise from the development of any structural modification operation of companies or the contribution or transfer of a business or branch of business activity, provided that the processing is necessary for the successful completion of the operation and guarantees, where appropriate, continuity in the provision of services.
· Inclusion in the reporting channel systems of data associated with the reporting (even anonymously) of the commission within the organization or in the actions of third parties contracted with it, of acts or conduct that could be contrary to the general or sectoral regulations applicable to it.
· Time and/or attendance control and monitoring through access registration, video surveillance and confirmation of functional performance both in the organization’s facilities and in third-party facilities where the interested party carries out service provision functions for MOONOFF (surveillance and control to verify compliance by the supplier/collaborator with contractual obligations).
· To demonstrate the Organization’s Regulatory Compliance to a third party that requires it: Communication to third parties of those data relating to the interested party that are required by them in order to comply with the coordination of business activities, to demonstrate regulatory compliance of the organization and the internal regulations of the third party and/or for the management of access to facilities. In cases where the interested party unequivocally consents, communication of that information/documentation required by the third party that is not explicitly included in the established regulatory or legal obligations, but in the internal regulations of the third party, may be carried out to the extent that they have consented to it.
· Verify compliance by workers with their work obligations and duties in accordance with article 20.3 of the Workers’ Statute, which authorizes the employer to adopt surveillance and control measures for this purpose (controls relating to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as breaches of labour regulations, crimes or illicit behaviour).
· Health and safety management (prevention of occupational risks and safety surveillance) and compliance assessment.
· And in the event that you have consented, for the purposes described in the additional consents that you have provided us unequivocally through formal means and/or by checking the boxes enabled in the data protection clauses enabled in the form or base document that has regulated the relationship with MOONOFF, depending on the contact channel.
To the extent that you have provided us with your CV, the uses and purposes for which we process your data are:
· Internal use for job selection processes, for your inclusion in the Job Bank and for the offer and management of possible job or collaboration offers that may arise.
· Management of competency assessment of candidates and people in selection and/or internal promotion to job positions.
· Use in relation to the development of the application and your incorporation into the Job Bank of companies related to MOONOFF* for the offer and management of possible job or collaboration offers that may arise, to the extent that you have unequivocally consented to this. To the extent that you do not consent to this purpose, we would not be able to proceed with the receipt of your application, as the management of candidates is carried out through the aforementioned job bank.
· Use of your CV in the technical offer for projects in which your incorporation is valued, if you have unequivocally agreed to do so.
· Regulatory Compliance Management (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, which may include establishing access controls to facilities, information systems and printing of documentation for all personal data under the responsibility of the organization and therefore for all information systems of said entity, as well as controls relating to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as breaches of labor regulations, crimes or illegal behavior.
· Management of Contact with the interested party through the means of communication provided (email and/or telephone) in order to manage notifications and coordinate actions for the management of the selection process by companies related to MOONOFF* and/or third parties who are contracted for the selection processes of candidates for vacancies or jobs.
· The performance of tests and/or aptitude certificates that may be required for personnel selection purposes, which will be optional, will be understood as an expression of the user’s consent for the inclusion of the data provided, as well as, eventually, its assessment, in the database of the Job Bank of companies related to MOONOFF* and its automated processing for the purpose of carrying out said selection. As a consequence of access to the facilities that may require the performance of said tests and/or aptitude certificates, treatments associated with the security of said facilities may be carried out by means of access registration and/or video surveillance systems.
· Management of Visits and Video Surveillance of the Facilities, as well as security and regulatory compliance in the same, investigation of possible incidents or accidents, management of associated insurance and management of warnings or sanctions for non-compliance with safety regulations.
How long do we retain your data?
· The data provided will be kept as long as the relationship of lawful processing is maintained, and the interested party does not request its deletion after the formal termination in writing of the relationship with the interested party, with the exception of its conservation for the formulation, exercise or defense of claims by the data controller or with a view to the protection of the rights of another natural or legal person and/or for reasons of legal obligation.
· In any case, at the end of the relationship, the Data of the interested party will be duly blocked, as provided for in current data protection regulations.
· Accounting and Tax Documentation – For Tax Purposes: Accounting books and other mandatory registration books according to the applicable tax regulations (IRPF, VAT, IS, etc.), as well as documentary evidence that justifies the entries recorded in the books (including computer programs and files and any other supporting documents of tax significance), must be kept for at least the duration of the statute of limitations for Tax Offences – General Tax Law and Criminal Code, Statute of Limitations on Infringements: 10 years.
· Accounting and Tax Documentation – For Commercial Purposes: Books, correspondence, documentation and justifications concerning your business – Commercial Code – 6 years.
· Solvency Files: Data referring to certain, overdue, payable and unclaimed debts (Art. 20 of LOPDGDD) – while the breach persists, with a maximum limit of five years from the due date of the monetary, financial or credit obligation – 5 years.
· Occupational Risk Prevention Documentation – Documentation on information and training for workers. Records of occupational accidents or occupational diseases – Law on Infringements and Sanctions in the Social Order – 5 years.
· Images/sounds captured by video surveillance systems will be deleted within a maximum period of one month from their capture, except when they have to be kept to prove the commission of acts that threaten the integrity of people, property or facilities (in which case, the images will be made available to the competent authority within a maximum period of 72 hours from when the existence of the recording became known), or are related to serious or very serious criminal or administrative offences in matters of public safety, with an ongoing police investigation or with an open judicial or administrative procedure (Instruction 1/2006, of 8 November, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art. 22 LOPDGDD) – 30 days.
· Data included in automated processing created to control access to buildings – Instruction 1/1996 AEPD on automated files established for the purpose of controlling access to buildings – 30 days.
· The data processed in relation to the legal guarantee will be kept for the duration of the legal guarantee and, once the validity of the same has expired, for the period in which there may be a judicial or administrative claim in relation to the legal guarantee.
· The data of the person who makes the communication of a complaint and of the employees and third parties are kept in the complaints system to decide on the appropriateness of initiating an investigation into the reported facts, as well as subsequently as evidence of the functioning of the model for preventing the commission of crimes by the legal entity, in accordance with the provisions of article 24 of the LOPDGDD.
· The data processed for the purpose of sending commercial communications will be retained until you revoke the consent granted.
· Data relating to candidates who provide their CV will be kept for the calendar year associated with the date on which it was received (except in cases where the candidate is selected, in which case, they will become part of the HR data processing of the contracting organisation), as well as the legally established periods for the exercise or prescription of any liability action due to breach of contract by the interested party or the Organisation.
· Therefore, the data will be kept for as long as the commercial relationship remains in force, based on the conservation periods established by the current regulations mentioned above, as well as the legally or contractually established periods for the exercise or prescription of any liability action due to breach of contract by the interested party or the Organization (Civil Code establishes a period of 5 years to be able to carry out an action for civil liability, a period that is computed from the date on which compliance with the obligation may be required).
What is the legitimacy for the processing of your data?
· The legal basis for the processing of your data is the fulfillment of the request you make to us. The requested data are necessary for the correct provision of the same.
· The execution of a contract, request, offer, order and/or commercial contract, for which the data provided will be communicated to the person responsible for the Brand in order to adequately address, where appropriate, the guarantees and responsibilities of the products and services it supplies.
· Comply with a legal obligation: Administrative, commercial, tax, fiscal, accounting, civil and financial regulations, current legislation on labor, prevention of occupational risks (coordination of business activities) and social security and consumer and user protection legislation, as well as regulations inherent to the contracted operation and those associated with the sector.
· Satisfy a legitimate interest of the Controller: Processing of data as part of a business relationship and/or contract, which are necessary for its maintenance or fulfilment, data transmissions within business groups for internal administrative purposes, direct marketing, fraud prevention, cases of legitimate interest in which the controller could be an injured party and it is necessary to process and communicate the data of the defaulting party to third parties in order to manage regulatory compliance and defend the interests of the data controller, video surveillance purposes as a legitimate interest of the organisation in protecting its assets, the legitimate interest of direct marketing enabled by the LSSICE (sending commercial communications about products or services similar to those contracted by the client with whom there is a prior contractual relationship), as well as cases of legitimate interest of specific treatments contemplated in the LOPDGDD: Article 19. Processing of contact data and of individual entrepreneurs; Article 20. Credit information systems; Article 21. Processing related to the performance of certain commercial transactions (corporate restructuring or business transfers); Article 22. Processing for video surveillance purposes; Article 23. Advertising exclusion systems; Article 24. Internal reporting systems).
· Security and cases of legitimate interest in which the controller could be an injured party and it would be necessary to process and communicate the data of the non-complier to third parties in order to manage regulatory compliance and defend the interests of the controller.
· Art. 20.3 and 4 Royal Legislative Decree 1/1995, of March 24, approving the revised text of the Workers’ Statute Law (ET): The employer may adopt the measures it deems most appropriate for surveillance and control to verify the worker’s compliance with his or her work obligations and duties, taking into account in their adoption and application the consideration due to his or her human dignity and taking into account the real capacity of disabled workers, where applicable.
· In the case of data of candidates who provide their CV, the basis for legitimacy of the processing is compliance with the application for incorporation into the employment pool of the interested party through the self-candidacy of the candidate by sending his or her CV through the contact channels of the organization and/or selection companies contracted for the selection of candidates for vacancies or jobs, as well as satisfying a legitimate interest of the Controller: video surveillance purposes as a legitimate interest of the organization in protecting its assets, preventing fraud and cases of legitimate interest in which the controller could be an injured party and it would be necessary to process and communicate the data to third parties in the event of non-compliance in order to manage regulatory compliance and defend the interests of the data controller.
· The consent of the interested party that has been provided to us unequivocally through formal means and/or by checking the boxes enabled for this purpose in the data protection clauses enabled in the base document that has regulated the commercial relationship based on the contact channel.
To which recipients can your data be communicated?
· Organisations or persons directly contracted by the Data Controller to provide services related to the purposes of processing: Clients who contract services, Subcontracted Entities for the execution of work/services that are the subject of the contract with the client, Distributors, collaborators and other linked and/or group companies, Commercial collaborators, Companies related to the management of the transport of our products, Advertising/Marketing Agencies, Legal Consultants, Tax Consultants, Accounting Consultants, Debt Collection and Credit Insurance Management Entities, Management and/or Regulatory Compliance Auditors.
· Companies related to MOONOFF*, to the extent that you have consented to this.
· Responsible for the Brand for the purposes arising from the contractual relationship (guarantees and responsibilities of the indicated article and the products and services it supplies) and in the event that you have consented, for the purposes described in the additional consents.
· Administrative Bodies.
· Organizations or persons directly contracted by the Data Controller for the provision of services related to video surveillance processing purposes: video surveillance system maintenance and security companies, as well as the owner of the establishment, due to a legitimate interest in the protection of the assets under their ownership.
· Insurance Agents and Insurers: Insurance taken out by the organization in case of incidents.
· Creditworthiness assessment entities in order to evaluate the credit capacity of the interested party for payment methods or financing conditions that require it.
· Public Administration bodies or organs with jurisdiction over the matters subject to the purposes of the processing: AEAT
· Financial Institutions: Direct debit of receipts and/or management of collection of effects and other means of payment.
· Security Forces and Corps: To the extent that a justified right of access is required in the investigation of a regulatory breach.
· Compliance Reporting Channel (Reports on violations of regulations and code of conduct are forwarded to the Regulatory Compliance Unit).
· Insurance Entities: In the event of a loss, incident or accident, the data is provided to insurance entities for the investigation of the event in order to determine the scope and coverage of the insurance premium contracted by the data controller.
· In the case of data from candidates who provide their CV, the possible recipients could also be companies related to MOONOFF*, Organizations or people directly hired by the Data Controller for the provision of services related to the processing purposes: ETTs and third parties contracted for the selection processes of candidates for vacancies or jobs in companies related to MOONOFF*.
· Compliance Reporting Channel (Reports on violations of regulations and code of conduct are forwarded to the Regulatory Compliance Unit): Access to the data contained in these systems will be limited exclusively to those who, whether or not they are part of the entity, carry out internal control and compliance functions, or to those in charge of processing them who may be designated for this purpose. However, access by other persons, or even communication to third parties, will be lawful when necessary for the adoption of disciplinary measures or for the processing of any legal proceedings that may be required.
· Others: We may carry out international transfers of your data to the extent strictly necessary to comply with the management of a project in a country outside the EU (Entities associated with the import/export of merchandise: Logistics agents, Customs, etc.) or due to the location of the data processing systems of data management applications (we inform you that part of the brand’s information processing systems may be located in countries outside the EU. We recommend that you access the brand’s privacy policies).
Under what guarantees are your data communicated?
· Data is communicated to third parties to entities that prove the availability of a Personal Data Protection System in accordance with current legislation.
· Standard contractual clauses approved by data protection control bodies are signed with organisations to which international data transfers may be made.
What are your rights?
· Standard contractual clauses approved by data protection control bodies are signed with organisations to which international data transfers may be made.
· You have the right to obtain confirmation as to whether or not we are processing personal data concerning you.
· Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. It is not possible to exercise the right of rectification in the case of video surveillance processing, since due to the nature of the data – images taken from reality that reflect an objective fact – it would be the exercise of a right of impossible content.
· In certain circumstances, interested parties may request that the processing of their data be restricted, in which case we will only retain them for the exercise or defence of claims.
· In certain circumstances and for reasons related to their particular situation, interested parties may object to the processing of their data, in which case the Data Controller will stop processing the data, except for compelling legitimate reasons, or the exercise or defense of possible claims.
· Under the right to portability, data subjects have the right to obtain the personal data concerning them in a structured, commonly used and machine-readable format and to transmit it to another controller.
· If you have given consent for a specific purpose, you have the right to withdraw consent at any time, without affecting the lawfulness of the processing based on consent prior to its withdrawal.
Where can you go to exercise your rights?
· If you wish to exercise your rights, please contact the data controller’s established channel for exercising rights: rgpd@moonoff.com so that we can respond to your request in a managed manner.
What information is required to exercise your rights?
· To exercise your rights, we need to prove your identity and the specific request you make, so we request the following information from you:
– Proof of identity as the data subject (Name, surname of the interested party and photocopy of the ID of the interested party and/or the person representing him/her, as well as the document proving such representation (legal representative, if applicable).
– In the case of exercising rights related to data of deceased persons: Copy of:
· Family Book or Civil Registry in which the relationship of kinship or fact with the deceased is recorded.
· Will in which the applicant is declared as heir and/or.
· Express designation of the requesting person or institution by the deceased and/or.
· Documentation proving legal representation of the deceased.
· In the case of exercising the rights of rectification and/or deletion: Responsible Declaration of the applicant in which he/she certifies that he/she has the consent of the rest of the people linked to the deceased for family or de facto reasons, as well as his/her heirs, to carry out said request.
– When the data controller has reasonable doubts regarding the identity of the natural person making the request, he or she may request that additional information necessary to confirm the identity of the data subject be provided.
– Address for notifications, date and signature of the applicant (in the case of a written request), or full name and surname (in the case of an email), or validation of the request in the private area of the communication channel with a personal authentication key for your identity).
· When exercising the right to rectification recognized in article 16 of the GDPR, the affected party must indicate in his/her request which data it refers to and the correction that must be made. He/she must accompany, where necessary, the supporting documentation for the inaccuracy or incompleteness of the data being processed.
· Likewise, when we process a large amount of data relating to the affected party and the affected party exercises their right of access without specifying whether it refers to all or part of the data, the controller may request, before providing the information, that the affected party specify the data or processing activities to which the request refers.
What is the general procedure for exercising your rights?
Once we have received the required information, we will proceed to respond to your request in accordance with MOONOFF’s general procedure for exercising rights:
· The controller shall provide the data subject with information concerning its actions on the basis of a request pursuant to Articles 15 to 22 (Rights of the data subject), and in any event within one month of receipt of the request.
· This period may be extended by another two months if necessary, taking into account the complexity and number of applications.
· The controller shall inform the interested party of any such extensions within one month of receipt of the request, stating the reasons for the delay.
· Where the interested party submits the request by electronic means, the information will be provided by electronic means whenever possible, unless the interested party requests that it be provided otherwise.
· Only in cases where the data controller’s processing systems allow it, the right of access may be provided through a remote, direct and secure access system to personal data that guarantees, permanently, access to all of them. For such purposes, the communication by the controller to the affected party of the way in which the latter may access said system will be sufficient to consider the request to exercise the right to be attended to. However, the interested party may request from the Data Controller the information regarding the matters provided for in article 15.1 of the GDPR that was not included in the remote access system.
· If the data controller does not comply with the data subject’s request, he or she shall inform the data subject without delay, and no later than one month after receipt of the request, of the reasons for his or her failure to act and of the possibility of lodging a complaint with a supervisory authority and of taking legal action.
· The information provided will be free of charge, except for a reasonable fee for administrative costs. When the affected party chooses a method other than the one offered that entails a disproportionate cost, the request will be considered excessive, and the affected party will therefore assume the excess costs that their choice entails. In this case, the Data Controller will only be required to satisfy the right of access without undue delay.
· The data controller may refuse to act on the request, although it shall bear the burden of proving that the request is manifestly unfounded or excessive. For the purposes established in article 12.5 of the GDPR, the exercise of the right of access on more than one occasion during the six-month period may be considered repetitive, unless there is legitimate cause for doing so.
· In cases where you proceed to exercise rectification or deletion, your data will be blocked: Data blocking consists of identifying and reserving the data, adopting technical and organizational measures to prevent its processing, including its viewing, except for making the data available to judges and tribunals, the Public Prosecutor’s Office or the competent Public Administrations, in particular the data protection authorities, to enforce possible responsibilities arising from the processing and only for the limitation period of the same. After this period, the data will be destroyed. The blocked data may not be processed for any purpose other than that indicated above. (art. 16 RGPD and art. 32 LOPDGDD).
· When the deletion is due to the exercise of the right to object pursuant to Article 21.2 of the GDPR, the Data Controller may retain the data subject’s identification data necessary to prevent future processing for direct marketing purposes. In cases where you do not wish your data to be processed for the purpose of sending commercial communications, we refer you to the existing advertising exclusion systems, in accordance with the information published by the competent supervisory authority (AEPD) on its website www.aepd.es
· In cases where the processing of personal data is limited, this will be clearly stated in the information systems of the Data Controller.
· In the event of a certain, due and payable debt, a communication is sent to the debtor at the time of requesting payment about the possibility of inclusion in said systems (the organization’s late payment treatments), indicating those in which it participates (debt collection entities for the management of the relevant claim, etc.) In the event that the debt is not resolved within a maximum period of 15 days from the notification of insolvency, information is provided on the possibility of exercising the rights established in articles 15 to 22 of the GDPR within thirty days following notification of the debt to the system, the data remaining blocked during that period.
· Persons linked to the deceased for family or factual reasons, as well as his or her heirs, may contact the person responsible for or in charge of processing the data in order to request access to the deceased’s personal data and, where appropriate, their rectification or deletion. As an exception, the persons referred to in the previous paragraph may not access the deceased’s data, or request their rectification or deletion, when the deceased has expressly prohibited this or when a law so provides. This prohibition shall not affect the heirs’ right to access the deceased’s personal data.
· In order to comply with current regulations on video surveillance Inst 1/2006 of the AEPD, we inform you that the period of conservation of the recordings is 1 month from their capture, as we will not be able to attend to requests made after later periods. Likewise, to avoid affecting the rights of third parties, in the case of an access request, we will proceed to issue a certificate in which, with the greatest possible precision and without affecting the rights of third parties, the data that have been processed are specified. E.g. “Your image was recorded in our systems on day ___ of the month of the year between _ hours and _ hours. Specifically, the system records your entry and exit from the facility.”
What avenues for making a claim exist?
If you consider that your rights have not been properly addressed, you have the right to file a claim with the competent data protection authority www.agpd.es
How did we obtain your data?
Through:
· The interested party or his/her legal representative, through the communication sent and/or through professional social networks.
Distributors, collaborators and other companies associated with MOONOFF*, companies of the group of the marketed Brands belonging to the sectors of design, development, manufacturing and marketing of LED lighting, electrical and electronic products, events, fairs, colloquia and sectoral conferences organized and/or in which the organization participates, public information associated with competitions/tenders, legitimized commercial databases, professional social networks, search engines and databases on the Internet, as well as third parties with which the data controller maintains a commercial or service provision relationship and for which your personal data must be available for the processing of the requested service or to comply with our contractual commitments and tax and accounting obligations associated with the service being contracted and/or to verify regulatory compliance under the responsibility of the organization.
· In the case of data from candidates who provide their CV, the possible source of the data could be, in addition to the interested party, temporary employment agencies, entities with which internship agreements or training programmes with a commitment to hire have been established, professional social networks and/or third parties who are contracted for the selection processes of candidates for vacancies or jobs in companies related to MOONOFF*.
What category of data do we process?
· The data structure we process does not contain data relating to criminal convictions and offences, nor specially protected data unless the interested party is the beneficiary of a special condition that must be considered in the provision of the service and/or in the management of the subsidy that may be processed (e.g.: disability situation) and provides documentation to prove it, as well as cases in which the holder has special conditions and must provide documentation that incorporates said information so that compliance with said condition can be accredited or justified.
· Identification and contact data, for example, but not limited to: name, surname, telephone number or email address, commercial information data, economic, financial and/or payment terms data; Other types of data: contact data of people in the organization involved or related to the service that is the subject of the contract/request, as well as those related to and/or provided with the Query, Request for technical or corporate information, Resources and/or Activities, Complaints or Incidents that you submit to us, as well as the personal data of third parties that you may provide to us.
· Business data, contact persons for administrative and operational management associated with the execution of the contract/project and workers who are going to carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks; In the case of workers who are going to carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks; Licences or approvals, in the case of workers who are going to carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks; Commercial information and approval data; Economic, financial and/or payment conditions data; Goods and services supplied by the affected party, Financial transactions; Other type of data (specify): Name, surname and NIF of legal representative, contact details of people in the organization involved or related to the project that is the subject of the contract/order.
· In the case of data from candidates who provide their CV, the structure of data processed would be, by way of example, but not limited to, identification and contact data (address, contact telephone number and contact email); Academic and professional data relating to training, qualifications and professional experience; Personal data associated with marital status, family data, date and place of birth, age, sex, nationality; Work permit; Employment status data; Other data (professional aspirations, leisure and hobbies). To the extent that the candidate reports a disability condition, certificates accrediting this may be required.
How is your personal data kept secure?
Regarding the processing of your personal data, we inform you:
The Data Controller takes all necessary measures to keep your personal data private and secure. Only authorized persons from MOONOFF, authorized personnel from third parties directly contracted by the Data Controller for the provision of services related to the processing purposes or authorized personnel from MOONOFF (who have the legal and contractual obligation to keep all information secure) have access to your personal data. All MOONOFF personnel who have access to your personal data are required to agree to comply with the Data Controller’s Privacy Policy and data protection regulations and all employees of Third Parties who have access to your personal data are required to sign confidentiality agreements in accordance with the terms established in current legislation. In addition, it is contractually ensured that third-party companies that have access to your personal data keep them secure. To ensure that your personal data is protected, MOONOFF has an IT security environment and takes the necessary measures to prevent unauthorized access.
MOONOFF has entered into agreements to ensure that we treat your personal data correctly and in accordance with applicable data protection laws. These agreements reflect our respective roles and responsibilities with you, and consider which entity is best placed to meet your needs. These agreements do not affect your rights under data protection law. For more information about these agreements, please do not hesitate to contact us.
In relation to personal data that MOONOFF may access as a result of the contracted services, we inform you:
The provision of services covered by the contract may involve physical access by MOONOFF staff to premises or facilities that may store personal data for which the client is the data controller. In this regard, MOONOFF has signed clauses with its staff that prohibit access to all types of confidential information and, specifically, to personal data belonging to the client, unless the service includes the processing of personal data within its scope, in which case, MOONOFF would act as the data processor, establishing in such case the relevant contract in accordance with current data protection regulations that would include, among other aspects, the object, duration, nature, purpose, category of data being processed, security measures, obligations and rights of the data processor, organizational and technical security measures to guarantee confidentiality during the process, as well as the agreements adopted between the client and the data processor in relation to the transmission of security breaches and/or the exercise of rights. The failure to formalize the personal data processing service in a contract by the client presupposes that MOONOFF has no associated responsibility as the data processor.
However, in the event that you become aware of any type of confidential information for the purpose of providing the service, you agree to keep it confidential, not to disclose or publish it, either directly or through third parties or companies, or to make it available to third parties. This obligation of confidentiality is of an indefinite nature, subsisting after the termination of the contract for any reason. MOONOFF undertakes to communicate and enforce compliance with the obligations established in terms of confidentiality to the personnel under its charge and hired on its behalf.
In relation to the video surveillance systems with which the facilities under the responsibility of MOONOFF are equipped, we inform you that MOONOFF takes all necessary measures to keep your personal data private and secure and will comply in any case with the provisions of Law 5/2014, of April 4, on Private Security and its implementing provisions. In this regard, it establishes and informs you of the following security measures:
· DUTY TO INFORM: Information is provided about the existence of cameras and image recording, in order to comply with the duty to inform provided for in article 12 of the GDPR through an informative device in a sufficiently visible place identifying the existence of the treatment, the identity of the person responsible and the possibility of exercising the rights provided for in articles 15 to 22 of the GDPR. A connection code or internet address to this information may also be included in the informative device. In any case, MOONOFF keeps the information referred to in the aforementioned regulation available to those affected in the Privacy Policy referenced in the aforementioned device. In the event that the flagrant commission of an illegal act has been captured, the duty to inform will be deemed to have been fulfilled when at least the video surveillance informative device exists.
· LOCATION OF CAMERAS: MOONOFF will only capture images of public roads to the extent that it is essential for the purpose of preserving security. Under no circumstances will MOONOFF install sound recording or video surveillance systems in places intended for the rest or recreation of workers or public employees, such as changing rooms, toilets, canteens and the like.
· SOUND RECORDING: MOONOFF will only record sounds when the risks to the safety of facilities, property and people arising from the activity carried out in the workplace are relevant and always respecting the principle of proportionality, minimum intervention and guarantees.
· LOCATION OF MONITORS: The monitors where the camera images are displayed are located in a restricted access area, so that they are not accessible to unauthorized third parties.
· STORAGE OF IMAGES: Images/sounds captured by video surveillance systems will be deleted within a maximum period of one month from their capture, except when they have to be kept to prove the commission of acts that threaten the integrity of people, property or facilities (in which case, the images will be made available to the competent authority within a maximum period of 72 hours from when the existence of the recording became known), or are related to serious or very serious criminal or administrative offences in matters of public safety, with an ongoing police investigation or with an open judicial or administrative procedure (Instruction 1/2006, of 8 November, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art. 22 LOPDGDD) – 30 days.
· WORK CONTROL: The processing is carried out for the exercise of the functions of control of workers provided for in article 20.3 of the Workers’ Statute, within its legal framework and with the limits inherent to it. To the extent that the cameras can be used for the purpose of labor control as provided for in article 20.3 of the Workers’ Statute, workers and their representatives are informed about these control measures established by the employer with express indication of the purpose of labor control of the images captured by the cameras, as indicated in the inclusion notification clause and in this privacy policy.
· RIGHT OF ACCESS TO IMAGES: In order to comply with the right of access of the interested parties, a recent photograph and the National Identity Document of the interested party will be requested, as well as the details of the date and time to which the right of access refers. The interested party will not be given direct access to the images of the cameras in which images of third parties are shown. To avoid affecting the rights of third parties, in the case of a request for access, we will proceed to issue a certificate in which, with the greatest possible precision and without affecting the rights of third parties, the data that have been processed are specified. E.g. “Your image was recorded in our systems on day ___ of the month of the year between _ hours and _ hours. Specifically, the system records your entry and exit from the facility.”
Changes in Privacy Policy
· MOONOFF reserves the right to make, at any time, any modifications, variations, deletions or cancellations to the content and the way it is presented that it deems appropriate, so we recommend that you consult our privacy policy whenever you consider it pertinent. If you do not agree with any of the changes, you can exercise your rights in accordance with the procedure described by sending an email to rgpd@moonoff.com
· In compliance with the provisions of personal data protection regulations, we process the information you provide us during the commercial relationship (as well as the personal data of other people that you may provide us) for the purposes specified in this privacy policy. In this regard, you declare that you have been informed, consent, as well as inform and have the consent of third parties whose personal data you provide us for such processing.
· By accepting and/or validating the process that serves as the basis for formalizing your relationship with MOONOFF, you expressly consent to the processing of data in accordance with the provisions of the clause and additional information on data protection, as well as to inform and obtain the consent of third parties whose personal data you provide us with for such processing. If you have ticked the corresponding consent box, the legal basis for these purposes is your consent, which you can withdraw at any time.
· Likewise, and to the extent that as a result of your relationship MOONOFF may have access to personal data and/or confidential information, it undertakes to maintain absolute confidentiality and discretion regarding the information obtained about the activities, interested parties and entities related to MOONOFF, especially with regard to Personal Data, even after the termination of its relationship with the organization.