Privacy policy


Introduction

This Privacy Policy has been developed taking into account the provisions of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), as well as Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the movement of such data, hereinafter the GDPR.

The purpose of this Privacy Policy is to inform the holders of personal data, in respect of which information is being collected, of the specific aspects relating to the processing of their data, including the purposes of the processing, the contact details for exercising the rights to which they are entitled, the retention periods for the information and the security measures, among other things.

Data Controller

In terms of data protection EMPRESA MUNICIPAL DE TURISMO DE SANTANDER M.P. S.A. (SANTANDER DESTINO), shall be considered Data Controller, in relation to the processing operations identified in this policy, specifically in the Data Processing section.

The following are the identification details of the owner of this website:

Data Controller: EMPRESA MUNICIPAL DE TURISMO DE SANTANDER M.P. S.A. (SANTANDER DESTINO)

Postal address: PALACIO DE EXPOSICIONES AVENIDA RACING S/N 39005 SANTANDER CANTABRIA

E-mail address: dporsc@santanderdestino.es

Data processing

The personal data requested, where applicable, will consist only of those data that are strictly necessary to identify and respond to the request made by the owner of the data, hereinafter the data subject. Furthermore, the personal data will be collected for specific, explicit and legitimate purposes, and will not be further processed in a way that is incompatible with those purposes.

The data collected from each data subject shall be adequate, relevant and not excessive in relation to the corresponding purposes for each case, and shall be updated whenever necessary.

The data subject will be informed, prior to the collection of his/her data, of the general points in this policy so that he/she can give express, precise and unequivocal consent to the processing of his/her data, in accordance with the following aspects.

Purposes of processing

The explicit purposes for which each of the processing operations are carried out are set out in the informative clauses included in each of the data collection methods (web forms, paper forms, announcements or posters and informative notes).

However, the personal data of the interested party will be processed for the sole purpose of providing them with an effective response and attending to the requests made by the user, specified next to the option, service, form or data collection system used by the owner.

Legitimation

As a general rule, prior to the processing of personal data, the Data Controller obtains the express and unequivocal consent of the data subject, through the incorporation of informed consent clauses in the different information collection systems.

However, in the event that the data subject's consent is not required, the legitimate basis for the processing on which the Data Controller relies is the existence of a law or specific regulation authorising or requiring the processing of the data subject's data.

Addressees

As a general rule, the Data Controller does not transfer or communicate data to third parties, except as required by law. However, if necessary, the data subject is informed of such transfers or communications by means of informed consent clauses contained in the different personal data collection channels.

Source

As a general rule, personal data are always collected directly from the data subject; however, in certain exceptions, data may be collected through third parties, entities or services other than the data subject. In this regard, the data subject shall be informed of this through the informed consent clauses contained in the different information collection channels and within a reasonable period of time, once the data have been obtained, and at the latest within one month.

Conservation periods

The information collected from the data subject will be kept for as long as it is necessary to fulfil the purpose for which the personal data were collected, so that, once the purpose has been fulfilled, the data will be cancelled. Said cancellation will give rise to the blocking of the data, which will only be kept at the disposal of the Public Administrations, Judges and Courts, in order to attend to any possible liabilities arising from the processing, during the period of limitation of such liabilities, after which time the information will be destroyed.

For information purposes, the legal retention periods for information in relation to different matters are set out below:

 

| DOCUMENT | DEADLINE | LEGAL REF. |
|---|---|---|
| Documentation of an employment or social security nature | 4 years | Article 21 of Royal Legislative Decree 5/2000, of 4 August 2000, approving the revised text of the Law on Offences and Penalties in the Social Order. |
| Accounting and tax documentation for commercial purposes | 6 years | Art. 30 Commercial Code |
| Accounting and tax documentation for tax purposes | 4 years | Articles 66 to 70 General Tax Law |
| Building access control | 1 month | AEPD Instruction 1/1996 |
| Video surveillance | 1 month | AEPD Instruction 1/2006; Organic Law 4/1997 |
| CVs of applicants and candidates | Until the end of the initial selection process for those who do not pass the process. For CVs that have been included in the job bank, a maximum of 2 years if they have not been updated since they were submitted. | - |

Navigation data

In relation to the browsing data that may be processed through the website, in the event that data subject to the regulations are collected, we recommend that you consult the Cookies Policy published on our website.

Rights of data subjects

Data protection regulations grant a series of rights to data subjects, users of the website or users of the Controller's social network profiles.

The rights that apply to interested parties are as follows:

  • Right of access: The right to obtain information on whether their personal data is being processed, the purpose of the processing, the categories of data being processed, the recipients or categories of recipients, the retention period, and the origin of such data.
  • Right of rectification: The right to obtain the rectification of inaccurate or incomplete personal data.
  • Right of erasure: The right to obtain the erasure of data in the following cases:
    • When the data is no longer necessary for the purpose for which it was collected.
    • When the data subject withdraws consent.
    • When the data subject objects to the processing.
    • When it must be erased in compliance with a legal obligation.
    • When the data has been obtained as part of an information society service based on the provisions of Article 8(1) of the European Data Protection Regulation.

  • Right of objection: The right to object to a specific processing based on the consent of the data subject.
  • Right of restriction: The right to obtain the restriction of the processing of data in any of the following cases:
    • When the data subject contests the accuracy of the personal data, for a period that allows the entity to verify the accuracy of the data.
    • When the processing is lawful, and the data subject objects to the erasure of the data.
    • When the entity no longer needs the data for the purposes for which it was collected, but the data subject requires it for the formulation, exercise, or defense of claims.
    • When the data subject has objected to the processing while it is verified whether the legitimate grounds of the entity override those of the data subject.

  • Right to data portability: The right to obtain data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller when:
    • The processing is based on consent.
    • The processing is carried out by automated means.

  • Right to lodge a complaint with the competent supervisory authority.

The interested parties may exercise the rights mentioned by contacting the Data Controller in writing, sending it to the following address: dporsc@santanderdestino.es, with the right they wish to exercise indicated in the subject line.

In this regard, the Data Controller will address the request as soon as possible, considering the timeframes established by data protection regulations.

Security

The security measures adopted by the Data Controller are those required, in accordance with Article 32 of the GDPR. In this regard, the Data Controller, taking into account the state of the art, application costs, and the nature, scope, context, and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of individuals, has established the appropriate technical and organizational measures to ensure a level of security suitable to the existing risk.

In any case, the Data Controller has implemented sufficient mechanisms to:

a) Guarantee the confidentiality, integrity, availability, and permanent resilience of the processing systems and services.

b) Restore the availability and access to personal data quickly in the event of a physical or technical incident.

c) Regularly verify, assess, and evaluate the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.

d) Pseudonymize and encrypt personal data, where applicable.

 
