Privacy and Data Protection Policy
In the event that you are a Client of AUXADI, this Privacy and Data Protection Policy will be incorporated into the contract that governs your relationship with AUXADI, in order to guarantee the security of the data that you provide to us as the Data Controller or Responsible Party.
In the event that you are only a user of our website, you should read this Privacy and Data Protection Policy whenever you browse the website and before sending data through the forms provided for this purpose. AUXADI CONTABLES & CONSULTORES S.A. (hereinafter, AUXADI), with registered address at Calle Nanclares de Oca 1B, 28022 Madrid, is also the owner of the website www.Auxadi.com, and this policy also applies to the data that may be collected through the website.
The User guarantees that the data provided are true, accurate, complete and up to date, and is responsible for any direct or indirect damage or harm that may be caused as a consequence of non-compliance with this obligation. In the event that the data provided belong to a third party, the User guarantees that he/she has informed said third party of the aspects contained in this document and obtained their authorization to provide their data to Auxadi for the aforementioned purposes.
AUXADI may change the conditions established in this Privacy and Data Protection Policy, either partially or in full, with the aim of ensuring that this document is always up to date and in line with the requirements established in national and international regulations. In any case, our policy will always be duly updated on our website.
2. AUXADI AND ITS COMMITMENT TO PRIVACY
AUXADI, as a firm that advocates ethics, honesty and transparency, is firmly committed to the Protection of Personal Data, the secrecy and security of the same, and the privacy of Users/Customers.
AUXADI complies with the current legislation on Data Protection (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, which was applicable as of 25 May 2018), for which it has adopted the necessary technical and organizational measures to prevent the loss, misuse, alteration, unauthorized access and theft of the personal data provided, taking into account the state of technology, the nature of the data and the risks to which they are exposed (such as the growing number and sophistication of cyber-attacks, some of which seek to steal, block, expose, etc. the data of companies and their customers).
AUXADI will only obtain personal data when it is adequate, relevant and not excessive in relation to the specific, explicit and legitimate scope and purposes for which it has been obtained. In other words, AUXADI will only collect those data that are strictly necessary for each of the purposes pursued.
You, as the Owner of and/or party Responsible for the personal data you provide us with, must comply with this Privacy and Data Protection Policy.
AUXADI’s commitment to privacy is embodied in the following guidelines for conduct:
- AUXADI respects the privacy of Clients and/or Users as well as their choices at all times, and therefore incorporates respect for privacy in each of its actions.
- AUXADI will never send commercial communications unless you have expressly consented to it. You may change your mind about your preferences at any time, and AUXADI will respect and guarantee this choice.
- AUXADI will never offer or sell the data you provide to us.
- Your data will be safe and protected, and your confidentiality will always be guaranteed. Therefore, AUXADI only accepts high standards of quality and trust in its relationships.
- We will never use your data for purposes other than those for which they were collected.
As the Holder or Controller of the data you provide us with, you are responsible for ensuring that the data you provide us with is accurate, complete and up to date. Thus, you shall be solely responsible in the event that the data you have provided us with is false, inaccurate, incomplete or not up to date, or is personal data relating to third parties in respect of whom you have not obtained their express consent or informed them of their processing.
The consent given to the Client by the data subject shall be considered legally valid provided that it has been given freely, expressly, specifically and unequivocally for the explicit purpose for which such data is requested, and provided that the Client has previously provided the data subject with, at least, the following basic information:
- The identity of the controller or its representative, where applicable.
- The purpose of the processing.
- The categories of data undergoing processing.
- The sources from which the data originate (if they have not been obtained directly from the data subject).
- The possibility of exercising the rights of access, rectification, erasure, limitation of processing, portability or objection.
- The right not to allow their data to be processed for profiling purposes and not to be subject to automated individual decision-making.
In addition, the Client, as Data Controller, must make available to the owner an e-mail address or other means that allows him/her to easily and immediately access any other information that may affect the protection of his/her personal data.
Likewise, the Client undertakes to notify Auxadi of any change or modification of the relevant data for the correct provision of the contracted services.
Any loss or damage caused to AUXADI as Data Controller or Data Processor, due to the communication of erroneous, inaccurate, incomplete or third-party information without their informed consent, both in the contractual relationship and in the registration forms, will be the sole responsibility of the Client and/or User.
In cases where AUXADI acts as Data Processor of personal data for which the Client is Responsible as Data Controller, both parties undertake to collaborate to ensure the protection of such data and the effective exercise of the rights of their owners.
The Client undertakes not to provide AUXADI at any time with information or personal data that are not necessary or relevant for the execution of the contractual relationship.
4. WHAT IS PERSONAL DATA?
Personal data means any information relating to identified or identifiable natural persons. In other words, personal data are data that identify a natural person (e.g. first name or surname) or make it possible to identify that person (e.g. address).
Information relating to legal persons is not considered personal data and the processing of contact data and, where appropriate, data relating to the function or position held by natural persons providing services in a legal person shall be presumed lawful, provided that the following requirements are met:
- That the processing relates solely to the data necessary for his or her professional location.
- That the purpose of the processing is solely to maintain relations of any kind with the legal entity in which the data subject provides his or her services.
The same presumption shall apply to the processing of data relating to sole proprietors and liberal professionals, when it refers to them solely in that capacity and is not processed in order to establish a relationship with them as natural persons.
Likewise, and in the absence of proof to the contrary, any processing of data that Auxadi may carry out as a result of the development of any operation involving the structural modification of companies or the contribution or transfer of a business or branch of business activity will be presumed to be lawful, provided that the processing is necessary for the successful completion of the operation and guarantees, where appropriate, the continuity of the provision of services. In the event that the operation is not concluded, Auxadi, as the assignee of the said data, will proceed diligently to delete the data.
If you are a client of AUXADI, the personal data that may be collected are those that are necessary or directly contribute to the correct execution of the service. Among others: name and surname, telephone, e-mail, official identity document, professional data. All this depending on the type of service provided by AUXADI.
The personal data collected by AUXADI are strictly necessary for the purpose pursued, which is the correct provision of the contracted service.
AUXADI will never collect personal data of special or sensitive categories.
5. COLLECTION AND USE OF PERSONAL DATA
Before providing us with your data, you should be aware of the purposes for which they are processed, the Data Controller, the Data Processor (if applicable), the legitimate basis, the recipients of the data (if applicable) and your rights; among other aspects.
Therefore, in order to facilitate your understanding, below you will find a table with detailed information on all the aspects related to the Protection of Personal Data according to the purpose of the processing.
|OWNER OF THE DATA||PURPOSE||DATA CONTROLLER||DATA PROCESSOR||LEGAL BASIS FOR PROCESSING||WHAT PERSONAL DATA DO WE COLLECT?||RECIPIENT OF SUCH PERSONAL DATA|
|CLIENT||Provision of contracted services||AUXADI ACCOUNTANTS & CONSULTANTS S.A. (and/or subsidiaries of AUXADI) and/or Clients||AUXADI ACCOUNTANTS & CONSULTANTS,S.A. and/or subsidiaries of the Group according to location.||Consent of the Data Subject and contact for the provision of services.||First name, surname, e-mail, company, telephone number, professional position.||Auxadi Group companies. Occasionally, trusted suppliers and/or Authorities.|
|Provision of payroll services.||CLIENT||Contract for the provision of services and consent of the Client’s employees.||Name, first name, surname, e-mail address, company details, telephone number, job title, employee ID number, social security no.||Auxadi Group companies. Authorities such as Social Security, where applicable.|
|CLIENT and/or USER||Sending of news, publications, offers and/or services provided by Auxadi related to the services provided||AUXADI ACCOUNTANTS & CONSULTANTS S.A.||Consent of the Data Subject.||Name, surname, e-mail, company, telephone, professional position.||Auxadi Group companies.|
|USER||Possibility of participating in the selection processes carried out at AUXADI and of incorporating your CV into our databases.||AUXADI ACCOUNTANTS & CONSULTANTS S.A. and/or providers of recruitment services such as LinkedIn, Talent Clue or Infojobs.||Consent of the Data Subject.||Name, surname, e-mail address, telephone number and other personal and professional data included in the CV.||Auxadi Group companies.|
6. WHO CAN ACCESS YOUR DATA?
AUXADI Group companies:
Depending on the services contracted, the data may be processed by AUXADI Group companies on the legal basis of the Group’s legitimate interest, for the provision of the service and to fulfil administrative and/or legal purposes.
We also contract with trusted suppliers, who we require to comply with applicable data protection laws, to provide certain services and to perform a variety of business transactions on our behalf. We only provide them with the information strictly necessary for the performance of the service, and we require them not to use your personal data for any other purpose. In the event that the Customer does not consent to the provision of a service by a trusted supplier, we will either engage another supplier or not provide the service.
Depending on the services finally contracted by the Customer, we may communicate your data to certain authorities in order to comply with the service of filing taxes or managing registrations and cancellations in the social security system; among others.
7. YOUR RIGHTS AND HOW TO EXERCISE THEM
As the Owner of your data, you may exercise your rights of access, rectification, deletion, limitation of data, portability and opposition, as well as the right to be forgotten, which are contemplated in the applicable regulations, by sending an email to the address GDPR@Auxadi.com, indicating “Exercise of rights” in the subject line, or by post to the address: Calle Nanclares de Oca 1B, 28022 Madrid, accompanied in both cases by a copy of your ID card or official document accrediting your identity.
Below, we detail, for your easy understanding, the essential content of each of your rights as defined in the General Data Protection Regulation 2016/679 (“GDPR”). However, please refer to the GDPR (and related legislation within the European Union) and/or your applicable local legislation for more information about your rights.
- Right of access: The Data Subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning him/her are being processed and, if so, the right of access to the personal data.
- Right of rectification: The Data Subject shall have the right to obtain without delay from the Controller the rectification of inaccurate personal data concerning him/her.
- Right “to be forgotten”: The data subject shall have the right to obtain without delay from the controller the erasure of personal data relating to him/her. It should be noted that this is not an absolute right, as there may be legal or legitimate grounds for retaining the data. In particular, where the erasure of the data results from the exercise of the right to oppose, the Controller may retain the data subject’s identification data necessary to prevent future processing for direct marketing purposes.
- Right to oppose: This right allows the data subject to oppose the processing of his or her personal data at any time. In this case, the data controller will have to stop processing the data, although there are limits to this right. The data subject may only exercise this right when his or her personal data are being used for a task that is not based on the public interest or the legitimate interest of the data controller or a third party, or that is based on profiling. In addition, he or she must state the particular reasons justifying such an objection. Data controllers will then have to stop processing the data. However, there are exceptions under which they may decline to do so, such as proving that there are legitimate reasons for the processing that are more relevant than the user’s rights. Logically, the reasons must be substantial and sufficiently justified in order to override the right to object. The same applies when it can be justified that the processing is essential for the filing or defense of legal claims.
- Right to restrict processing: The Data Subject shall have the right to obtain from the Data Controller the restriction of the processing of his/her data. According to the law, this right can only be exercised in certain circumstances as defined by the GDPR. When data processing is restricted due to a prior request from the data subject, this fact must be clearly stated in the Controller’s information systems.
- Right to data portability: The Data Subject shall have the right to receive the personal data concerning him/her, which he/she has provided to a Controller, in a structured, commonly used and machine-readable format, and to transmit it to another Controller without being prevented from doing so by the Controller to whom he/she had provided it, where the circumstances provided for in the GDPR apply. Such action may entail a reasonable fee to be paid by the User, depending on the administrative costs incurred in fulfilling the request, in accordance with the GDPR.
In turn, as the Owner of your data, we inform you of your rights as follows:
- Right to information: You have the right to obtain clear, transparent and easy to understand information about how we use your personal data and about your rights. This right to information is made effective through this Privacy and Data Protection Policy.
- Right to withdraw consent at any time where data processing is based on consent: You may withdraw your consent to the processing of your personal data where the processing is based on your consent. This withdrawal of consent will not affect the lawfulness of the processing based on consent prior to its withdrawal. If you wish to withdraw your consent, please contact us by the means set out above.
- Right to lodge a complaint with a supervisory authority: You have the right to complain to the Spanish Data Protection Agency about AUXADI’s Privacy and Data Protection practices. However, before filing a complaint, please contact us by the means indicated above.
8. INTERNATIONAL DATA TRANSFERS
AUXADI does not carry out international data transfers. However, in the event that, for the provision of a contracted service, it is necessary to make a transfer outside the European Union, the Client will be informed beforehand so that he/she may give his/her consent to the transfer, and will be informed that all our subsidiaries and suppliers are obliged to comply with European Data Protection regulations, wherever they may be located.
9. HOW LONG DO WE STORE YOUR PERSONAL DATA?
AUXADI will only retain your personal data for the time necessary to fulfil the purposes for which they were collected or to comply with legal obligations.
AUXADI, at the Client’s choice, will delete or return the personal data to the Client at the end of the provision of the service, without prejudice to the fact that by legal obligation, regulation, requirement of courts, administrative authorities, etc., it must keep or maintain them for a certain period of time.
The personal data obtained when you give your consent for the execution of the commercial relationship and/or for the sending of communications, services, news, etc., will be kept until you inform us that you wish us to delete your data, exercising your previously explained rights.
In the case of Candidates, the personal data obtained for their participation in future selection processes will be kept until you unilaterally inform us that you wish us to delete them (exercising your rights explained above) or when 1 year has passed since the end of the selection process.
AUXADI will permanently and securely delete the personal data within six months after the end of the purpose for which it was provided or the period during which it must comply with the legal obligation in question.
10. SECURITY AND CONFIDENTIALITY OF PERSONAL DATA
In order to guarantee the security and confidentiality of your data, AUXADI has adopted the required security levels for the protection of personal data, having installed the technical and personal means at its disposal to prevent the loss, misuse, alteration, unauthorized access and theft of the personal data provided.
The personal data that AUXADI may collect, derived from the contractual relationship that binds you to us or through the various communications that AUXADI maintains with the Client/User will be treated with absolute confidentiality.
The technical and organizational measures implemented by AUXADI to guarantee the security of your data are detailed below. All measures are implemented in the Group’s subsidiaries, regardless of whether or not they process personal data of persons resident in the European Union, so that we guarantee the highest level of protection wherever AUXADI operates.
AUXADI has implemented this Privacy and Data Protection Policy, which is available to all employees of the organization. It is reviewed periodically. Likewise, employees receive regular training on data protection and data security.
All AUXADI employees and suppliers sign a confidentiality commitment, thus guaranteeing the duty of secrecy that they must maintain in all their actions with and/or for AUXADI.
Physical access controls to data
With regard to measures to control physical access to personal data, AUXADI keeps the data in a restricted location and with appropriate security measures. In this way, the implemented access restrictions do not allow unauthorized persons access to the centers where the data is stored.
The central building where the Auxadi Group’s head office is located (at Calle Nanclares de Oca 1B, 28022, Madrid) is equipped with alarm devices and uses CCTV surveillance technology for access, in order to guarantee the security of the building and the documentation stored in all the facilities.
The Auxadi Group also has measures in place to guarantee the secure disposal of documents or files containing personal data at each of its locations. For this reason, in the case of paper documents, AUXADI provides its employees with shredding machines that can be used for this purpose.
System access controls
With regard to the control of access to the systems, AUXADI has a user and password authentication system for access to its systems. At the same time, in order to have greater control, we have a list of persons/users who have access to the data processing systems for authentication purposes, thus identifying each access.
All data processing systems are password-protected to prevent unauthorized persons from accessing personal data.
All employees are trained on how to protect their computer equipment and at all times safeguard the information contained therein. The computer equipment is configured so that, after a short period of inactivity is detected, it is locked to prevent unauthorized access to the system. The account is also blocked after multiple sequential unsuccessful login attempts.
With regard to the security systems used to guarantee data security, AUXADI has established exhaustive control at each site through a firewall to ensure that only authorized equipment is used to provide the service.
AUXADI also has encryption at rest (BitLocker, AES 256 encryption) and encryption in transit on all computers and servers, using Office365 mail with TLS and sending files encrypted with a password using Zip, rar or a Sophos solution. In addition, the use of secure passwords and their change every 90 days is mandatory to ensure greater security.
In cases where remote work is required, remote access is via SSL VPN, with connection audits. AUXADI also has technical security measures on all PCs and servers, such as Sophos antivirus, multifactor identification for all users, and production servers in an Azure environment, ensuring geographical availability.
Back-up copies are created at AUXADI. These backups are stored in protected environments. AUXADI also has the ability to restore data from these backups.
11. INCIDENT MANAGEMENT
AUXADI has determined a procedure for managing incidents, so that, if at any time a security breach or violation occurs, it can be reported to the Spanish Data Protection Agency and/or the Data Controller within 72 hours.
Any incident relating to the protection of personal data may be reported either by email to GDPR@auxadi.com, or through the Auxadi Group’s complaints channel, both of which are easily accessible through our website www.auxadi.com.
If you have any questions regarding Personal Data Protection, please write to us at GDPR@auxadi.com or by post to our Legal Department located at our headquarters: Calle Nanclares de Oca 1B, 28022 Madrid, writing GDPR in the subject line.
Please remember that in the event that you wish to exercise your rights, you must write “Exercise of rights” in the subject line and attach a copy of your official identity document to your communication.
This Privacy and Data Protection Policy is available in both Spanish and English. In the event of any discrepancy between them, the Spanish version shall prevail.