Privacy policy

INDEX

1. Purpose of the Privacy Policy
2. Definitions
3. Identity of the Data Controller
4. Applicable Laws and Regulations
5. Principles Applicable to the Processing of Personal Data
6. Data Processing Activities Undertaken
7. Necessary and Updated Information
8. Personal Data of Minors
9. Technical and Organizational Security Measures
10. Rights of Data Subjects
11. Complaints to the Supervisory Authority
12. Acceptance and Changes to the Privacy Policy

1.- PURPOSE OF THE PRIVACY POLICY

This “Privacy and Data Protection Policy” aims to outline the conditions governing the collection and processing of personal data by INDUMARSAN, making every effort to safeguard fundamental rights, honor, and freedoms of individuals whose personal data is processed, in compliance with the applicable data protection regulations and laws in force in the European Union and in the Spanish Member State, specifically as detailed under the “Data Processing Activities” section of this Privacy Policy.

Consequently, this Privacy and Data Protection Policy informs users of the website https://www.indumarsan.com of all relevant details regarding how these processes are carried out, for what purposes, which other entities may access their data, and what users’ rights are.

2.- DEFINITIONS

“Personal Data”: Any information relating to an identified or identifiable natural person (“the Website user”); an identifiable natural person is someone whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

“Processing”: Any operation or set of operations conducted on personal data or personal data sets, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, transmission, dissemination or disclosure by any other means, alignment or combination, restriction, erasure, or destruction.

“Restriction of Processing”: The marking of personal data, in order to limit their processing in the future.

“Profiling”: Any form of automated processing of personal data comprising the use of personal data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict aspects concerning that person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

“Pseudonymization”: The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“File”: Any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized, or functionally or geographically distributed.

“Controller” or “Data Controller”: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may also be determined by Union or Member State law.

“Processor” or “Data Processor”: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

“Recipient”: A natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the context of a specific investigation pursuant to Union or Member State law are not regarded as recipients; the processing by those public authorities shall be in compliance with applicable data protection rules for the purposes of processing.

“Third Party”: A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

“Consent of the Data Subject”: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them, whether by a statement or by a clear affirmative action.

“Breach of Personal Data Security”: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

“Genetic Data”: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health, in particular obtained from analysis of a biological sample of that person.

“Biometric Data”: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person which allow or confirm the unique identification of that person, such as facial images or fingerprint data.

“Health Data”: Personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about that person’s health status.

“Main Establishment”: **a)** for a controller with establishments in more than one Member State, the place of its central administration in the Union unless the decisions on the purposes and means of the processing are taken in another establishment which can be considered to exercise such power, in which case that other establishment is considered the main establishment; **b)** for a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if none, the establishment in the Union where the main processing activities are carried out in the context of the activities of an establishment in the Union, provided that the processor is subject to specific obligations under this Regulation.

“Representative”: A natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27 of the GDPR, represents the controller or processor with regard to their Union obligations under the GDPR.

“Enterprise”: A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in economic activity.

“Supervisory Authority”: An independent public authority established by a Member State in accordance with Article 51 of the GDPR. In Spain, the Supervisory Authority is the Spanish Data Protection Agency.

“Cross-border Processing”: **a)** Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State; or **b)** processing of personal data which takes place in the context of activities of a single establishment in the Union, but which substantially affects or is likely to affect data subjects in more than one Member State.

“Information Society Service”: Any service normally provided for remuneration, at a distance, by electronic means, and at the individual request of a recipient.

3.- IDENTITY OF THE DATA CONTROLLER

The Data Controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data; when purposes and means of processing are determined by Union or Member State law.

As stated in this Data Protection Policy, the identity and contact details of the Data Controller are:

INDUMARSAN S.L – Tax ID B96594775

Pol. Ind. Aeropuerto, C/Maestro Serrano, Nº23. 46940, Manises (Valencia), Spain

• Email: colas@indumarsan.com
• Telephone: 961 534 101

4.- APPLICABLE LAWS AND REGULATIONS

This Privacy and Data Protection Policy has been developed based on the following data protection regulations and laws:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, regarding the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
• Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights (“LOPD/GDD”).
• Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (“LSSICE”).

5.- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

The personal data collected and processed through this Website will be handled in accordance with the following principles:

• Lawfulness, Fairness, and Transparency Principle: All personal data processing carried out through this Website will be lawful and fair, making it clear to the user when personal data concerning them is being collected, used, consulted, or processed. Information regarding processing activities will be provided beforehand, be easily accessible, and be understandable, in simple and clear language.
• Purpose Limitation Principle: All data will be collected for specific, explicit, and legitimate purposes and will not be processed subsequently in a manner incompatible with those purposes.
• Data Minimization Principle: The data collected will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
• Accuracy Principle: The data will be accurate and, where necessary, kept up to date, taking all reasonable steps to erase or rectify personal data that is inaccurate with regard to the purpose for which it is processed, without delay.
• Storage Limitation Principle: The data will be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Integrity and Confidentiality Principle: Processing will be carried out in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, through appropriate technical and organizational measures.
• Accountability Principle: The entity operating the Website will be responsible for, and able to demonstrate compliance with, all the above data protection principles.

6.- DATA PROCESSING ACTIVITIES

The data processing activities carried out through the Website are detailed below, specifying each of the following items:

• Activity: Name of the data processing activity
• Purposes: Each use and processing carried out with the collected data
• Legal Basis: The legal basis legitimizing the processing of data
• Data Processed: Categories of data processed
• Source: Where the data comes from
• Retention: Period during which the data is retained
• Recipients: Third parties to whom the data is disclosed
• International Transfers: Cross-border transfers of the data outside the European Union

6.1 MAIN PROCESSING ACTIVITIES

These are processing activities whose purposes are necessary and essential for the provision of services.

6.2 OPTIONAL PROCESSING ACTIVITIES (if the user has given their consent)

These are data processing activities whose purposes are not essential for the provision of the service and are carried out only if the user has marked YES in the consent for the performance of these activities.

Website Inquiries
Legal Basis	Explicit consent of the data subject
Purposes	Management of potential clients and contacts; Response to inquiries received via the website’s electronic form
Data Categories and Groups	Web contacts (Identifying data)
Data Source	The data subject or their legal representative
Recipient Category	Not applicable
International Transfer	Not applicable
Retention Period	For a period of 1 year from the last confirmation of interest

7.- NECESSARY AND UPDATED INFORMATION

All fields marked with an asterisk (*) in the Website’s forms are mandatory. Failure to complete any of these may result in the inability to provide the requested services or information.

You must provide truthful information so that the data provided is always up to date and free of errors. You must communicate any changes or corrections to your personal data to the Data Controller as soon as possible by sending an email to: colas@indumarsan.com.

By clicking the “Accept” button (or equivalent) included in the aforementioned forms, you declare that the information and data you have provided are accurate and truthful, and that you understand and accept this Privacy Policy.

8.- MINORS’ DATA

In compliance with Article 8 of the GDPR and Article 7 of the LOPD/GDD, only individuals over the age of 14 may lawfully consent to the processing of their personal data by INDUMARSAN.

Therefore, minors under the age of 14 may not use the services available through the Website without prior authorization from their parents, guardians, or legal representatives, who will be solely responsible for all actions carried out through the Website by the minors under their charge, including the completion of electronic forms with the minors’ personal data and, where applicable, marking the corresponding checkboxes.

9.- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

The Data Controller adopts the necessary technical and organizational measures to ensure the security and privacy of your data, to prevent its alteration, loss, unauthorized processing, or access, depending on the state of technology, the nature of the stored data, and the risks to which it is exposed.

Among others, the following measures are noteworthy:

• Ensure the confidentiality, integrity, availability, and resilience of the processing systems and services at all times.
• Restore the availability and access to personal data quickly in the event of a physical or technical incident.
• Regularly verify, evaluate, and assess the effectiveness of the technical and organizational measures implemented to ensure processing security.
• Pseudonymize and encrypt personal data when processing sensitive data.

Additionally, the Data Controller has decided to manage information systems according to the following principles:

• Compliance Principle: All information systems will comply with the applicable legal, regulatory, and sectoral standards that affect information security, especially those related to personal data protection, systems security, data, communications, and electronic services.
• Risk Management Principle: Risks will be minimized to acceptable levels and a balance will be sought between security controls and the nature of the information. Security objectives must be established, reviewed, and consistent with information security aspects.
• Awareness and Training Principle: Training programs, awareness, and campaigns will be implemented for all users with access to information regarding information security.
• Proportionality Principle: The implementation of controls to mitigate asset security risks will be carried out seeking a balance between security measures, the nature of the information, and the risk.
• Responsibility Principle: All members of the Data Controller’s organization are responsible for their conduct regarding information security, complying with the established rules and controls.
• Continuous Improvement Principle: The effectiveness of the security controls implemented in the organization will be regularly reviewed to enhance adaptability to evolving risks and the technological environment.

10.- DATA SUBJECTS’ RIGHTS

The current data protection regulations guarantee users a set of rights regarding the use of their data. Each of these rights is personal and non-transferable, meaning they can only be exercised by the owner of the data after verifying their identity.

The rights of Website users are as follows:

• Right of Access: The right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed, and if so, to access that personal data and information about its processing.
• Right to Rectification: The right to have inaccurate or incomplete personal data corrected.
• Right to Erasure (“Right to be Forgotten”): The right to request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected or otherwise processed, among other reasons.
• Right to Restriction of Processing: The right to restrict the processing of their personal data under certain conditions.
• Right to Data Portability: The right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller, where technically feasible.
• Right to Object: The right to object to the processing of their personal data, including profiling, under certain circumstances.
• Right not to be subject to automated individual decision-making: The right not to be subject to a decision based solely on automated processing, including profiling.
• Right to Withdraw Consent: The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

The Website user may exercise any of these rights by contacting the Data Controller and verifying their identity using the contact information provided below:

• Controller: INDUMARSAN S.L
• Address: Pol. Ind. Aeropuerto, C/Maestro Serrano, Nº23. 46940, Manises (Valencia), Spain
• Telephone: 961 534 101
• Email: colas@indumarsan.com
• Website: https://www.indumarsan.com

11.- RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY

The user is informed of their right to file a complaint with the Spanish Data Protection Agency if they believe a violation of data protection legislation has occurred in the processing of their personal data.

Contact information of the supervisory authority:

Spanish Data Protection Agency
Email: info@aepd.es
Telephone: 912 66 35 17
Website: https://www.aepd.es
Address: C/. Jorge Juan, 6. 28001, Madrid, Spain

12.- ACCEPTANCE AND CHANGES TO THE PRIVACY POLICY

The Website user must have read and agreed to the data protection conditions contained in this Privacy Policy, as well as consent to the processing of their personal data for the purposes, durations, and terms specified herein.

The Data Controller reserves the right to modify this Privacy Policy at their own discretion, or prompted by a change in legislation, jurisprudence, or the Spanish Data Protection Agency’s doctrine. Changes or updates that significantly affect data processing will be explicitly communicated to users.

Version dated November 12, 2024