Privacy

DATA CONTROLLER
The Data Controller is COALCAFE, SL, C/ Caves de Agres 1, 03829, L'Alcudia de Cocentaina (ALICANTE).

Privacy principles

At COALCAFE, SL, we are committed to continuously working to ensure the privacy of your personal data and to provide you with the most complete and clear information possible at all times. We encourage you to carefully read this section before providing us with your personal data.
If you are under fourteen years old, please do not provide us with your data without your parents' consent.
In this section, we explain how we process the data of individuals who have a relationship with our organization. Starting with our principles:
– We do not request personal information unless it is necessary to provide you with the services you request.
– We never share personal information with anyone, except to comply with the law, or with your express authorization.
– We will never use your personal data for purposes other than those stated in this privacy policy.
– Your data will always be treated with a level of protection appropriate to data protection legislation, and we will not subject it to automated decisions.
This privacy policy has been drafted taking into account the requirements of current data protection legislation:
– Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons (GDPR).
– Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPD).
– Royal Decree 1720/2007, of December 21 (RLOPD).
This privacy policy was written on December 6, 2018.

Due to changes in processing criteria, in order to facilitate understanding or to adapt it to current legislation, we may modify this privacy policy. We will update the date so you can verify its validity.

Treatments we perform

SUPPLIER TREATMENT
Legal Basis: GDPR: 6.1.b) Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.
Royal Legislative Decree 2/2015, of October 23, approving the consolidated text of the Workers' Statute Law.
Law 58/2003, of December 17, General Tax Law.
Purposes of the Processing: – Acquisition of products and/or services that we need for the development of our activity.
– Control of subcontractors if applicable.
Group: – Suppliers.
– People who work for our suppliers.
Data Categories: – Name and surname, ID/Tax ID/Identification document, address, signature and telephone.
– Detailed employment information: job title. Occupational safety training.
– Economic, financial and insurance data: Bank details.
Categories of Recipients: – Financial institutions. (Payment of invoices)
– State Tax Administration Agency.
International Transfers: No international transfers of data are planned.
Retention Period: Data will be retained for the time necessary to fulfill the purpose for which it was collected and to determine any possible liabilities that may arise from said purpose and the processing of the data, in accordance with Law 58/2003, of December 17, General Tax Law.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

CUSTOMER SERVICE.
Legal Basis: GDPR: 6.1.a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
GDPR: 6.1.b) Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.
GDPR: 6.1.f) Processing is necessary for the purposes of the legitimate interests pursued by the controller.
Royal Legislative Decree 2/2015, of October 23, approving the consolidated text of the Workers' Statute Law.
Law 58/2003, of December 17, General Tax Law.
Purpose of Processing: Provision of our products / services
Group: Clients
Data Categories: – Name and surname, ID/Tax ID/Identification document, address, signature and telephone.
– Financial and insurance data: Bank details
Categories of Recipients: – Financial entities.
– State Tax Administration Agency.
International Transfers: No international transfers of data are planned.

Retention Period: They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine any possible liabilities that may arise from said purpose and the processing of the data, in accordance with Law 58/2003, of December 17, General Tax Law.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

VIDEO SURVEILLANCE TREATMENT
Legal Basis: GDPR: 6.1.c) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Organic Law 2/1986, of March 13, on Security Forces and Corps.
Purposes of the Processing: To guarantee the safety of people, property and facilities and labor control.
Group: Workers, clients and suppliers, users.
Data Categories: Image and sound.
Categories of Recipients: The recordings may be communicated to the Security Forces and Corps, if required by them, or if they serve as evidence of the commission of crimes.
International Transfers: No international transfers of data are planned.
Deletion Period: No longer than one month, except in cases of notification to Law Enforcement Agencies and/or Courts and Tribunals.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

CONTACT MANAGEMENT
Legal Basis: Consent of the interested party
Purposes of Processing: To process your request, send you information and follow up on the request.
Group: Contact persons, clients, suppliers
Data Categories: First and last name, telephone number, email address
Categories of Recipients: No data transfers to third parties are contemplated.
International Transfers: No international transfers of data are planned.
Retention Period: Contact details will be kept indefinitely, or until the data subject requests their deletion.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

TREATMENT OF THE RIGHTS OF PERSONS (ARCO)
Legal Basis: GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject.
General Data Protection Regulation.
Purposes of Processing: To address requests in the exercise of the rights established by the General Data Protection Regulation: Right of access, rectification, erasure, limitation, portability and objection to automated decision-making.
Group: Individuals who request it (employees, clients, suppliers, contact persons)
Data Categories: Name and surname, address, signature and telephone.
Categories of Recipients: Personal data may be communicated to the Supervisory Authority (Spanish Data Protection Agency) within the framework of an investigation for the protection of rights initiated by the interested party.
International Transfers: No international transfers of data are planned.
Retention Period: Data will be retained for a period of five years from the date of the request.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

EMPLOYEE TREATMENT
Legal Basis: GDPR: 6.1.b) Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.
Royal Legislative Decree 2/2015, of October 23, approving the consolidated text of the Workers' Statute Law.
Purposes of Processing: – Management of contracted personnel.
– Personnel file. Timekeeping. Training. Pension plans. Occupational risk prevention.
– Issuance of the staff payroll.
– Management of union activity.
Group: Employees
Data Categories: – Name and surname, ID/Tax ID/Identification document, personnel registration number, Social Security/Mutual Insurance number, address, signature and telephone.
– Special categories of data: health data (sick leave, work accidents and degree of disability, excluding diagnoses), union membership, for the sole purpose of paying union dues (if applicable), union representative (if applicable), proof of attendance of oneself and of third parties.
– Personal characteristics data: Sex, marital status, nationality, age, date and place of birth, and family details. Family circumstances data: Date of entry and exit, licenses, permits, and authorizations.
– Academic and professional data: Qualifications, training and professional experience.
– Detailed employment and administrative career information. Incompatibilities.
– Attendance control data: date/time of entry and exit, reason for absence.
– Financial data: Payroll information, loans, guarantees, tax deductions, severance pay from previous job (if applicable), court-ordered withholdings (if applicable), other withholdings (if applicable). Bank details.
Categories of Recipients: – Entity entrusted with occupational risk management.
– General Treasury of Social Security.
– Trade union organizations.
– Financial institutions.
– State Tax Administration Agency.
– Main contractors to whom we provide services as subcontractors.
International Transfers: No international transfers of data are planned.
Retention Period: Data will be retained for the time necessary to fulfill the purpose for which it was collected and to determine any potential liabilities that may arise from said purpose and the processing of the data.

The economic data of this processing activity will be kept in accordance with the provisions of Law 58/2003, of December 17, General Tax Law.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

SECURITY BREACH NOTIFICATION PROCESS
Legal Basis: GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject.
General Data Protection Regulation. Articles 33 and 34
Purpose of Processing: Management and evaluation of security breaches that may occur in our organization.
Group: Variable: Employees, Customers, Suppliers, Contact Persons (will depend on the security breach)
Data Categories: Variable. (Will depend on the security breach)
Categories of Recipients: – Spanish Data Protection Agency.
– State Security Forces and Corps.
International Transfers: No international transfers of data are planned.
Retention Period: Data will be retained for the time necessary to fulfill the purpose for which it was collected and to determine any potential liabilities that may arise from said purpose and the processing of the data. The provisions of the regulations on archives and documentation will apply.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

CANDIDATE PROCESSING AND SELECTION PROCESSES (HR)
Legal Basis: GDPR 6.1.a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
GDPR: 6.1.b) Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
Purpose of Processing: Staff selection and provision of jobs.
Group: Candidates applying for job placement procedures.
Data Categories: – Name and surname, ID/Tax ID/Identification document, personnel registration number, address, signature and telephone number.
– Personal characteristics data: Sex, marital status, nationality, age, date and place of birth and family data.
– Academic and professional data: Qualifications, training and professional experience.
– Detailed employment data.
Categories of Recipients: No data transfers to third parties are planned.
International Transfers: No international transfers of data are planned.
Retention Period: Data will be retained for the time necessary to fulfill the purpose for which it was collected and to determine any potential liabilities that may arise from said purpose and the processing of the data.
Security Measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

YOUR RIGHTS
You have the right to request a copy of your personal data, to rectify inaccurate data or complete it if it is incomplete, or where appropriate, to delete it when it is no longer necessary for the purposes for which it was collected.
You also have the right to limit the processing of your personal data and to obtain your personal data in a structured and readable format.
You can object to the processing of your personal data in some circumstances (in particular, where we do not have to process them to comply with a contractual or other legal requirement, or where the purpose of the processing is direct marketing).
Once you have given us your consent, you can withdraw it at any time. At that point, we will stop processing your data or, if applicable, stop processing it for that specific purpose. If you decide to withdraw your consent, this will not affect any processing that took place while your consent was valid.
These rights may be limited; for example, if fulfilling your request would require us to disclose information about another person, or if you ask us to delete records that we are legally obligated to keep or that we have a legitimate interest in keeping, such as defending against claims. This also applies in cases where the right to freedom of expression and information must prevail.
You can contact us by any of the means indicated in the Data Controller section of this privacy policy, providing a copy of a document that proves your identity (usually your ID card).
Another of your rights is not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
If your rights are violated, such as if we have not responded to your request, you have the right to file a complaint with the Data Protection Supervisory Authority. This could be the authority in your country (if you live outside of Spain) or the Spanish Data Protection Agency (if you live in Spain).


Links to third-party websites.
Our website may, on occasion, contain links to other websites. It is your responsibility to ensure that you read the data protection policy and legal terms that apply to each site.

Third-party data.
If you provide us with data from third parties, you assume the responsibility of informing them beforehand as established in Article 14 of the GDPR.