DATA PROTECTION

CUSTOMER PRIVACY POLICY


Download of Models

RESPONSIBLE FOR THE TREATMENT

VICO BLACK 98 SL with CIF B-01916006, with address in Tomares (Seville), Puerta Aljarafe Building, Parque Aljarafe s/n, represented by José Antonio Garcés Cabrera, with NIF 28.484.346-L in his capacity as Delegate of Protection of Data, with contact telephone number 954.25.73.25 and email protecciondatos@grupoq.net .

The aforementioned report has been prepared based on the information provided by the Data Controller

PRIVACY POLICY

As you surely know, the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of personal data (hereinafter GDPR) and Organic Law 3/2018, of 5 of December, Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), highlights the need to reinforce the levels of security and protection of personal data. We want to inform you that we meet all the requirements that said legislation requires and that all data, under our responsibility, is being treated in accordance with legal requirements and keeping the appropriate security measures that guarantee their confidentiality. However, given the legislative developments that have occurred, we believe it appropriate to inform you of the following privacy policy:

    Who is responsible for processing your data?

    Identity: Vico Black 98 SL

    Postal Address: Puerta Aljarafe Building, Parque Aljarafe s/n (CP 41940 TOMARES) SEVILA

    · Telephone: + 34 954-25-73-25

    Email: protecciondatos@grupoq.net

    What are your rights?

    · Anyone has the right to obtain confirmation as to whether or not we are processing personal data that concerns them.

    Interested persons have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.

    · It is not possible to exercise the right to rectification in the case of video surveillance treatment since, due to the nature of the data -images taken from reality that reflect an objective fact-, it would be the exercise of an impossible content right.

    · In certain circumstances, the interested parties may request the limitation of the processing of their data, in which case we will only keep them for the exercise or defense of claims.

    In certain circumstances and for reasons related to their particular situation, the interested parties may oppose the processing of their data, in which case the Data Controller will stop processing the data, except for compelling legitimate reasons, or the exercise or defense of possible claims. In this sense, and in relation to video surveillance images, the exercise of the right to oppose poses enormous difficulties. If this is interpreted as the impossibility of taking images of a specific subject within the framework of video surveillance facilities linked to private security purposes, it would not be possible to satisfy it to the extent that security protection prevails.

    · By virtue of the right to portability, the interested parties have the right to obtain the personal data that concerns them in a structured format of common use and mechanical reading and to transmit them to another person in charge

    · In the event that you have granted consent for a specific purpose, you have the right to withdraw consent at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal. How can rights be exercised?

    3.1) Where to go to exercise your rights:

    If you wish to exercise your rights, please go to the channel established for the exercise of rights by the data controller protecciondatos@grupoq.net so that we can respond to your request in a managed manner»

    3.2) Information required to exercise your rights:

    · In order to exercise your rights, we need to prove your identity and the specific request you make to us, as we request the following information:

    Documented information (written/email) of the request in which the request is specified.

    Proof of identity as the owner of the data object of the exercise (Name, surname of the interested party and photocopy of the DNI of the interested party and/or of the person representing him, as well as the document accrediting such representation (legal representative, if applicable).

    · In the case of exercising rights related to data of deceased persons: Copy of:

    · Family Book or Civil Registry in which the kinship or de facto relationship with the deceased is recorded and/or,

    · Testament in which the applicant is declared as heir and/or,

    · Express designation of the requesting person or institution, by the deceased.

    Documentation proving the legal representation of the deceased.

    · In the case of exercising rights of rectification and/or deletion: Responsible Declaration of the applicant in which he accredits having the consensus of the rest of the people linked to the deceased for family or factual reasons, as well as his heirs to carry out said application.

    · When the data controller has reasonable doubts regarding the identity of the natural person making the request, they may request that the additional information necessary to confirm the identity of the interested party be provided.

    · Address for the purposes of notifications, date and signature of the applicant (in the case of writing), or full name and surname (in the case of email), or validation of the application in the private area of the communication channel with a personal authentication code of your identity)

    · When exercising the right of rectification recognized in article 16 of the GDPR, the affected party must indicate in his request what data he refers to and the correction that must be made. It must accompany, when necessary, supporting documentation of the inaccuracy or incompleteness of the data being processed.

    Likewise, when we process a large amount of data related to the data subject and they exercise their right of access without specifying whether it refers to all or part of the data, the data controller may request, before providing the information, that the data subject specify the data or processing activities to which the request refers.

    3.3) General Procedure for the Exercise of your rights:

    Once the required information is received, we will proceed to respond to your request in accordance with the organization's general procedure for exercising rights:

    The controller will provide the data subject with information regarding their actions on the basis of a request in accordance with articles 15 to 22 (Rights of the data subject), and, in any case, within one month of receipt. of the request.

    · Said term may be extended for another two months if necessary, taking into account the complexity and number of requests.

    · The person in charge will inform the interested party of any of said extensions within a month from the receipt of the request, indicating the reasons for the delay.

    · When the interested party submits the application by electronic means, the information will be provided by electronic means when possible, unless the interested party requests that it be provided in another way.

    · Only in cases in which the treatment systems of the person in charge so allow, the right of access may be facilitated through a system of remote, direct and secure access to personal data that guarantees, permanently, access to its entirety. For this purpose, the communication by the person in charge to the affected person of the way in which he can access said system will suffice to have the request for the exercise of the right taken care of. However, the interested party may request from the Data Controller the information referring to the ends provided for in article 15.1 of the GDPR that is not included in the remote access system.

    · If the person responsible for the treatment does not process the request of the interested party, he will inform him without delay, and no later than one month after receipt of the request, of the reasons for his non-action and of the possibility of presenting a claim before a control authority and exercise judicial actions.

    · The information provided will be free of charge, except for a reasonable fee for administrative costs. When the affected party chooses a means other than the one offered that entails a disproportionate cost, the request will be considered excessive, so said affected party will assume the excess costs that their choice entails. In this case, only the satisfaction of the right of access without undue delay will be required of the Data Controller.

    · The data controller may refuse to act on the request, although it will bear the burden of demonstrating the manifestly unfounded or excessive nature of the request. For the purposes established in article 12.5 of the GDPR, the exercise of the right of access may be considered repetitive on more than one occasion during a period of six months, unless there is legitimate cause for it.

    · In the cases in which the exercise of rectification or deletion proceeds, your data will be blocked: The blocking of the data consists of the identification and reservation of the same, adopting technical and organizational measures, to prevent its treatment, including their visualization, except for the provision of the data to judges and courts, the Public Prosecutor's Office or the competent Public Administrations, in particular the data protection authorities, for the requirement of possible responsibilities derived from the treatment and only for the their prescription period. After this period, the data will be destroyed. The blocked data may not be processed for any purpose other than that indicated above. (art. 16 GDPR and art.32 LOPDGDD).

    · When the deletion derives from the exercise of the right of opposition in accordance with article 21.2 of the GDPR, the Treatment Manager may keep the identification data of the affected party necessary in order to prevent future processing for direct marketing purposes. In the cases in which you do not want your data to be processed for the sending of commercial communications, we refer you to the existing advertising exclusion systems, in accordance with the information published by the competent control authority (AEPD) in its electronic headquarters www. aepd.es

    · In cases in which the processing of personal data is limited, it will clearly appear in the information systems of the Data Controller.

    · Given the existence of a true, overdue and enforceable debt, a communication is sent to the debtor at the time of requesting payment about the possibility of inclusion in said systems (debt treatment of the organization), indicating those in those that participate (collection management entities for the management of the pertinent claim...) in the event that the debt is not resolved within a maximum period of 15 days from the notification of insolvency, information is provided on the possibility of exercising the rights established in articles 15 to 22 of the GDPR within thirty days of notification of the debt to the system, the data remaining blocked during that period.

    · The persons linked to the deceased for family or de facto reasons, as well as their heirs, may contact the person in charge or in charge of the treatment in order to request access to the personal data of that person and, where appropriate, their rectification or deletion. As an exception, the persons referred to in the previous paragraph may not access the data of the deceased, nor request its rectification or deletion, when the deceased person has expressly prohibited it or so is established by law. Said prohibition will not affect the right of the heirs to access the patrimonial data of the deceased.

    · In order to comply with the current regulations on video surveillance Inst 1/2006 of the AEPD, we inform you that the period of conservation of the recordings is 1 month from their capture, since we will not be able to attend formalized requests in later periods. Likewise, to avoid affecting the rights of third parties, in the case of an access request, we will proceed to issue a certificate in which, with the greatest possible precision and without affecting the rights of third parties, the data that has been subject to data is specified. treatment. Eg “Your image was registered in our systems on the ___ day of the month of the year between _ hours and _ hours. Specifically, the system records your access and exit from the facility.»

  1. What claim channels are there?

    If you consider that your rights have not been duly addressed, you have the right to file a claim with the competent data protection authority ( www.agpd.es ).


  2. ADDITIONAL INFORMATION TREATMENT OF CONTACT DATA
      For what purpose do we process the personal data you provide us?

      · Attention to your queries and requests: Management of Response to Queries, Claims or Incidents, Requests for technical or corporate information, Resources and/or Activities, and in case you have consented, for the purposes described in the additional consents

      · Contact with the interested party through the means of communication provided (mail, postal address and/or telephone) in order to manage the queries that they send us through the channels enabled for this purpose, manage notices and coordinate actions derived from the services requested by people related to the company or the group to which it belongs and/or by data processors related to it for legitimate and/or consented purposes.

      Management of registration in conferences and events of the company or the Group to which it belongs

      · Newsletter subscription management.

      · The contact and/or sending of satisfaction surveys, newsletters and corporate information and offers and promotions of products and services of the organization and of hotels and activities in order to evaluate the quality of our processes and provide offers of services of your interest through the means of communication provided, if you have consented

      · The capture and subsequent publication of audiovisual and/or graphic material in which they may be involved in corporate media (for example and not limited to, web, social networks, newsletters, activity report, reports, presence in the media ) and/or other means of public communication (sectoral publications and/or reports in the written press, TV,...), such as dissemination of the results of the activity, promotion and dissemination, management of campaigns, activities and events, if so has consented

      Associated management, including its prior communication, that could derive from the development of any operation of structural modification of companies or the contribution or transfer of business or branch of business activity, provided that the treatments were necessary for the good end of the operation and guarantee, when appropriate, continuity in the provision of services.

      · Inclusion in the whistleblowing channel systems of the data associated with the disclosure (even anonymously) of the commission within the organization or in the actions of third parties that contracted with it, of acts or behaviors that could be contrary to the general or sectoral regulations that may be applicable to it.

      How long do we keep the data provided?

      The data provided will be kept as long as the relationship of legality of treatment is maintained and, once its validity has expired, its deletion is not requested by the interested party, with the exception of its conservation for the formulation, exercise or defense of claims by the person responsible for treatment or with a view to protecting the rights of another natural or legal person and/or for reasons of legal obligation.

      · The data processed for the remission of commercial communications will be kept until the consent granted is revoked.

      The data of the person who makes the communication of a complaint and of the employees and third parties are kept in the complaints system to decide on the origin of initiating an investigation into the reported facts, as well as later as evidence of the operation of the prevention model of the commission of crimes by the legal person, in accordance with the provisions of article 24 of the LOPDGDD.

      What is the legitimacy for the processing of your data?

      · The legal basis for the treatment of your data is the fulfillment of the request that you make to us. The requested data is necessary for the correct provision of the same.

      Satisfy a legitimate interest of the Controller: Cases of legitimate interest in which the controller could be an injured party and it is necessary to process and communicate the data of the non-compliant party to third parties in order to manage regulatory compliance and defend the interests of the Controller. responsible for treatment, as well as cases of legitimate interest of specific treatments contemplated in the LOPDGDD: Article 19. Treatment of contact data and individual entrepreneurs; Article 20. Credit information systems; Article 21. Treatments related to carrying out certain commercial operations (corporate restructuring or business transfers) Article 22. Treatments for video surveillance purposes; Article 23 Advertising exclusion systems; Article 24 Information systems for internal complaints).

      The consent of the interested party that he has provided us unequivocally through formal means and/or by checking the boxes enabled for this purpose in the data protection clauses enabled in the base document that has regulated the commercial relationship depending on the channel of contact.

      To which recipients can your data be communicated?

      · Organizations or people directly contracted by the Treatment Manager for the provision of services related to the treatment purposes: Collaborators, Subcontracted Entities for the execution of projects/services object of request or consultation.

      Complaints Channel (Complaints about violation of regulations and code of conduct are transmitted to the Regulatory Compliance Unit): Access to the data contained in these systems will be limited exclusively to those who, whether incorporated or not within the entity, perform internal control and compliance functions, or those in charge of processing that are eventually designated for this purpose. However, its access by other people, or even its communication to third parties, will be lawful when it is necessary for the adoption of disciplinary measures or for the processing of judicial procedures that, if applicable, proceed.

      · Security Forces and Corps: To the extent that a justified right of access is required in the investigation of a regulatory breach.

      · Others (specify): Media and specialized magazines for the Promotion of Organization Activities.

      Under what guarantees are your data communicated?

      The communication of data to third parties is carried out to entities that accredit the provision of a Personal Data Protection System in accordance with current legislation.

      How have we obtained your data?

      The interested party himself, through the communication sent and/or through professional social networks.

      What category of data do we process?

      Identification and contact data, those related to and/or provided with the Query, Request for Technical or Corporate Information, Resources and/or Activities, Claims or Incidents that you make to us, as well as the personal data of third parties that you could provide us.

      How is your personal data stored securely?

      Vico Black98 SL takes all necessary measures to keep your personal data private and secure. Only authorized persons, authorized personnel of treatment managers or authorized personnel of hotels and activities (who have the legal and contractual obligation to keep all information securely) have access to your personal data. All staff who have access to your personal data are required to agree to respect the Hotel's Privacy Policy and data protection regulations, and all Third Party employees who have access to your personal data are required to sign the confidentiality commitments in the terms established in the current legislation. In addition, you contractually ensure that third-party companies that have access to your personal data keep it secure. To ensure that your personal data is protected, Vico Black 98 SL has an IT security environment and adopts the necessary measures to prevent unauthorized access.

      Vico Black 99 SL has formalized agreements to guarantee that we treat your personal data correctly and in accordance with the data protection law. These agreements reflect the respective roles and responsibilities in relation to you, and contemplate which entity is in the best position to meet your needs. These agreements do not affect your rights under data protection law. For more information on these agreements, please do not hesitate to contact us.

      ADDITIONAL INFORMATION TREATMENT OF CUSTOMER DATA:
        For what purpose do we process the personal data you provide us?

        · Internal use, carrying out operations and administrative, economic and accounting management derived from the relationship with the assignor (commercial and/or contractual relationship associated with the management of lodging, catering and event services)

        · Offer and Commercial Management of the organization and its services "In order to provide interested parties with offers of services of interest"

        · Management of contracting and provision of organization services, as well as compliance with contractual requirements

        · Management Response to Queries, Claims or Incidents, Requests for Information, Resources and/or Activities

        · Promotion and Dissemination of the Organization: The Preparation, Publication and Communication of Statistics, Activity Reports, Success Stories and Information associated with the communication and transparency of its Activity, as well as the Recording and Publication of Informative Material, Communication and Management of Campaigns, Activities, Events, Contests and/or Recording and Publication, in the organization's media (including the web and social networks) and/or other public media, of videos, recordings and photos associated with the activities carried out by the organization that can incorporate people in the development of their functions "In order to provide stakeholders with information about the organization"

        Sending News Bulletins, Activity Reports and Information associated with the Organization's Activity (Newsletter)

        · Quality management of processes and activities, as well as the evaluation of the results of satisfaction/perception and performance of the organization's interest groups. Satisfaction surveys

        · Contribution of evidence of technical solvency in the presentation of offers and/or application, management and justification of campaigns, activities, events, contests, projects and subsidies in which the organization participates

        · Regulatory Compliance Management (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, being able to establish access controls to facilities, information systems and printing of documentation for all personal data under the responsibility of the organization and therefore for all the information systems of said entity, as well as the controls related to the use of the images captured by the video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as breaches of labor regulations, crimes or illegal behavior.

        · Analysis of Profiles «In order to be able to offer you products and services according to your interests, as well as to improve your user experience, we will create a "profile" based on the information provided. No automated decisions will be made based on said profile.

        · Assessment of Patrimonial Solvency and Credit

        Contact Management / Agenda

        Statistical, historical purposes

        · Management of Visits and Video Surveillance of the Facilities, as well as security and regulatory compliance in the same, the investigation of possible incidents or accidents, management of associated insurance and management of warnings or sanctions for breaches of security regulations.

        · Quality management and auditing, environmental management and/or occupational safety management of the organization's processes and facilities

        Sending offers and promotions through electronic communications. Sending Christmas Greetings.

        Consult the advertising exclusion systems that could affect its performance, excluding from the treatment the data of those affected who have expressed their opposition or refusal to it through the consultation of the advertising exclusion systems published by the competent control authority.

        Associated management, including its prior communication, that could derive from the development of any operation of structural modification of companies or the contribution or transfer of business or branch of business activity, provided that the treatments were necessary for the good end of the operation and guarantee, when appropriate, continuity in the provision of services.

        · Inclusion in the whistleblowing channel systems of the data associated with the disclosure (even anonymously) of the commission within the organization or in the actions of third parties that contracted with it, of acts or behaviors that could be contrary to the general or sectoral regulations that may be applicable to it.

        · Others (specify): In the case of deposit contracts, they reserve the right to carry out periodic audits at the facilities of clients and other debtors.

        · The international transfer of your data to the extent that it is strictly necessary to comply with its incorporation into a project in a country outside the EU. Non-acceptance of this clause will prevent their incorporation into the project in said country.

        How long do we keep your data?

        The data provided will be kept as long as the relationship of legality of treatment is maintained, its deletion is not requested by the interested party after formalized termination in writing of the relationship with the interested party, with the exception of its conservation for the formulation, exercise or defense of claims of the data controller or with a view to protecting the rights of another natural or legal person and/or for reasons of legal obligation.

        · In any case, at the end of the relationship, the Data of the interested party will be duly blocked, as provided in the current data protection regulations.

        · Registration Book and Entry Reports for Hotel Establishments: Entry reports must be kept available to the Security Forces and Bodies, then disposed of in a way that does not allow access to the personal information contained therein (OM INT 1922/2003, of July 3, of register books and parts of entry of travelers in hospitality establishments and other similar) – 3 years

        · Accounting and Tax Documentation - For Tax purposes: Accounting books and other mandatory record books according to the applicable tax regulations (IRPF, VAT, IS, etc.), as well as documentary supports that justify the entries recorded in the books (including computer programs and files and any other proof that has fiscal significance), must be kept, at least, during the period in which the Administration has the right to verify and investigate and, consequently, to settle the tax debt (Articles 66 to 70 of the General Law tax). Prescription period for Tax Offenses associated with the verification of the bases or fees compensated or pending compensation or deductions applied or pending application and Offenses against the Public Treasury and Social Security – Art. 66 bis General Tax Law and Penal Code, respectively . - 4 years. Prescription infractions 10 years.

        · Accounting and Fiscal Documentation – For Commercial purposes: Books, correspondence, documentation and justifications concerning your business, duly ordered from the last entry made in the books, except for what is established by general or special provisions. This commercial obligation extends to both the mandatory books (income, expenses, capital goods and provisions, as well as the documentation and supporting documents that support the entries recorded in the books (invoices issued and received, tickets, rectifying invoices, bank documents, etc) (Art.30 Commercial Code) – 6 years.

        · Solvency Files: Data referring to certain debts, due and demandable and unclaimed (Art. 20 of LOPDGDD) - while the breach persists, with a maximum limit of five years from the expiration date of the monetary, financial or debt obligation. credit – 5 years

        · The images/sounds captured by video surveillance systems will be deleted within a maximum period of one month from their capture, except when they have to be kept to prove the commission of acts that violate the integrity of people, property or facilities (in which case, the images will be made available to the competent authority within a maximum period of 72 hours from the knowledge of the existence of the recording), or are related to serious or very serious criminal or administrative offenses in the field of public safety, with an ongoing police investigation or with an open judicial or administrative procedure (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art. 22 LOPDGDD) – 30 days.

        The data included in the automated processing created to control access to buildings (Instruction 1/1996, of March 1, of the AEPD, on automated files established for the purpose of controlling access to buildings) – 30 days

        · The data processed in relation to the legal guarantee will be kept during the validity of the legal guarantee and after its validity expires, during the period that there could be a judicial or administrative claim in relation to the legal guarantee.

        · The data processed for the remission of commercial communications will be kept until the consent granted is revoked.

        The data of the person who makes the communication of a complaint and of the employees and third parties are kept in the complaints system to decide on the origin of initiating an investigation into the reported facts, as well as later as evidence of the operation of the prevention model of the commission of crimes by the legal person, in accordance with the provisions of article 24 of the LOPDGDD.

        · Therefore, the data will be kept as long as the relationship with the organization remains in force, based on the conservation periods established by the current regulations indicated above, as well as the legal or contractual periods established for the exercise or prescription of any action. of liability for breach of contract by the interested party or the Organization (reform of the Civil Code establishes a period of 5 years to be able to carry out an action for civil liability, a period that runs from the date on which compliance with the obligation can be demanded ).

        What is the legitimacy for the processing of your data?

        · The execution of a contract: Compliance with the offer, reservation, order and/or commercial contract for lodging, catering and event services.

        · Comply with a legal obligation: Regulations with the rank of administrative, commercial, tax, fiscal, accounting and financial law and consumer and user defense legislation. Basic regulations governing the book-registration of travelers.

        Satisfy a legitimate interest of the Responsible: Data processing as part of a commercial relationship and/or contract, which are necessary for its maintenance or fulfillment, data transmissions within business groups for internal administrative purposes, direct marketing, fraud prevention, cases of legitimate interest in which the person in charge could be an aggrieved party and it is necessary to process and communicate the data of the non-compliant party to third parties in order to manage regulatory compliance and defend the interests of the person in charge of treatment, video surveillance purposes such as legitimate interest of the organization in the protection of its assets, the legitimate interest of direct marketing enabled by the LSSICE (sending commercial communications about products or services similar to those contracted by the client with whom there is a prior contractual relationship), as well as cases of legitimate interest of specific treatments contemplated in the LOPDGDD: Article 19. Treatment of contact data and individual entrepreneurs; Article 20. Credit information systems; Article 21. Treatments related to carrying out certain commercial operations (corporate restructuring or business transfers) Article 22. Treatments for video surveillance purposes; Article 23 Advertising exclusion systems; Article 24 Information systems for internal complaints).

        · Fulfill the purposes of the treatment by unequivocal consent of the interested party through the acceptance of the clauses enabled in the forms and/or the established clauses of consent depending on the channel through which they have contacted the company and/or through formal means and/or by checking the boxes enabled for this purpose in the data protection clauses enabled in the base document that has regulated the commercial relationship based on the commercial contact channel.

        To which recipients can your data be communicated?

        · Organizations or people directly contracted by the Treatment Manager for the provision of services related to the treatment purposes (specify): Travel Agencies and Intermediaries, Community Manager, Subcontracted Entities for the execution of works/services object of the service with the client , Auditors of Management and/or Regulatory Compliance

        · Financial Entities: Domiciliation of receipts and/or management of collection effects and other means of payment, for legitimate interest associated with the collection of services provided.

        · Organizations or bodies of the Public Administration with competences in the matters object of the purposes of the treatment: AEAT

        · Security Forces and Corps: Civil Guard and/or National Police, in accordance with the Basic Regulations regulating the book-registry of travelers and to the extent that a justified right of access is required in the investigation of a regulatory breach, for legal compliance .

        · Entity that processes the reservation and/or manages the payment of the invoice and the services that we have provided if you have consented. In the event that you do not authorize this use, you must pay for the services we have provided.

        · Media and specialized magazines for the Promotion of Organization Activities, to the extent that you consent to the recording, publication and/or reference in the organization's media and/or other public media, of videos, recordings and photos associated with the services we have provided as promotional material, justification of technical solvency and/or justification of events, projects and subsidies in which the organization participates.

        · Compliance Complaints Channel (Complaints about violation of data protection regulations are transmitted to the "Chief Privacy Officer" located in the matrix), for legitimate interest: Access to the data contained in these systems will be limited exclusively to who, whether incorporated or not within the entity, carry out internal control and compliance functions, or those in charge of treatment that are eventually designated for this purpose. However, its access by other people, or even its communication to third parties, will be lawful when it is necessary for the adoption of disciplinary measures or for the processing of judicial procedures that, if applicable, proceed.

        · Others: We can carry out international transfers of your data to the extent that it is strictly necessary to comply with its incorporation into a project in a country outside the EU or due to the location of the treatment systems of treatment management applications. .

        Under what guarantees are your data communicated?

        The communication of data to third parties is carried out to entities that accredit the provision of a Personal Data Protection System in accordance with current legislation.

        How have we obtained your data?

        The interested party and other companies of the Business Group to which Vico Black 98 SL belongs, travel agencies and intermediaries, the entity that processes the reservation and/or manages the payment with which the data controller maintains a contractual or service provision relationship. and for which it must have personal data of contact persons, users and/or guests for administrative and operational management in order to manage their access to the hosting, catering and/or event service.

        What category of data do we process?

        Commercial data and contact persons for administrative and operational management associated with the execution of the contract/service; Data related to the position of contact persons for the administrative and operational management associated with the execution of the contract/service; Commercial data and contact persons for administrative and operational management associated with the execution of the contract/service; Economic, financial and/or payment terms data; Goods and services received by the affected party, Financial transactions; Name, surnames and NIF of legal representative, contact details of people from the organization involved or related to the project object of the contract/service.

        It does not contain specially protected data or data related to criminal convictions and infractions, except those stated by the interested party for the adaptation of the required service (eg reduced mobility, food intolerances, ...).

        How is your personal data stored securely?

        In relation to the processing of your personal data, we inform you:

        All necessary steps are taken to keep your personal data private and secure. Only authorized persons in charge of treatment or authorized personnel of hotels and activities (who have the legal and contractual obligation to keep all information securely) have access to your personal data. All personnel who have access to your personal data are required to agree to respect the Privacy Policy and the data protection regulations and all Third Party employees who have access to your personal data sign the confidentiality commitments in the terms established in the current legislation. In addition, you contractually ensure that third-party companies that have access to your personal data keep it secure. To ensure that your personal data is protected, we have an IT security environment and take the necessary measures to prevent unauthorized access.

        The company and group members have entered into agreements to ensure that we treat your personal data correctly and in accordance with data protection law. These agreements reflect the respective roles and responsibilities in relation to you, and contemplate which entity is in the best position to meet your needs.

        These agreements do not affect your rights under data protection law. For more information on these agreements, please do not hesitate to contact us.

        In relation to personal data that could be accessed as a result of the contracted services, we inform you:

        The provision of services that are the object of the contract may imply physical access by company personnel to premises or facilities capable of storing personal data for which the client is responsible for processing. In this sense, the company has signed with its staff clauses that prohibit access to all types of confidential information and, specifically, to personal data belonging to the client, unless the service contemplates within its scope the treatment of transfer, repair , destruction and/or management of computer media that could contain personal data, in which case, Vico Black 98 SL would act as data processor, establishing in that case the relevant contract in accordance with current data protection regulations that would include among other aspects, the object, duration, nature, purpose, category of the data subject to treatment, security measures, obligations and rights of the person in charge, organizational and technical security measures to guarantee confidentiality during the process, as well as the agreements adopted between client and manager in relation to the transmission of security violations and/or exercise of rights. The non-formalization of the personal data processing service in a contract by the client, presupposes that Vico Black 98 SL has no associated responsibility as the person in charge of their treatment.

        Notwithstanding the foregoing, in the event that he came to know any type of confidential information for the purpose of providing the service, he agrees to keep it secret, not to disclose or publish it, either directly or through third parties. or companies, or to make it available to third parties. This confidentiality obligation is indefinite, subsisting at the end of the contract for any reason. Vico Black 98 SL undertakes to communicate and enforce compliance with the personnel under its charge and contracted on its own, the obligations established in terms of confidentiality.

      ADDITIONAL INFORMATION SUPPLIER DATA PROCESSING:
        For what purpose do we process the personal data you provide us?

        · Internal use, commercial and relational management, carrying out operations and administrative, economic and accounting management derived from the relationship with the supplier/collaborator

        · Internal use, carrying out operations and administrative, economic and accounting management derived from the relationship with the assignor (commercial and/or contractual relationship)

        · Management of contracting and provision of organization services, as well as compliance with contractual requirements

        · Management Response to Queries, Claims or Incidents, Requests for Information, Resources and/or Activities

        · Promotion and Dissemination of the Organization: The Preparation, Publication and Communication of Statistics, Activity Reports and Information associated with the communication and transparency of its Activity, as well as the Recording and Publication of Informative Material, Communication and Management of Campaigns, Activities, Events, Contests and/or Recording and Publication, in the organization's media (including the web and social networks) and/or other public media, of videos, recordings and photos associated with the activities carried out by the organization that may incorporate people in the development of their functions "In order to provide stakeholders with information about the organization"

        Sending News Bulletins, Activity Reports and Information associated with the Organization's Activity

        · Quality management of processes and activities, as well as the evaluation of the results of satisfaction/perception and performance of the organization's interest groups.

        · Management of the Selection, Homologation and Contracting of Suppliers/Collaborators and verification of regulatory compliance

        · Health and safety management (occupational risk prevention and safety surveillance) and compliance assessment

        · Management of presentation of technical solvency in presentation of offers and/or application, management and justification of campaigns, activities, events, contests, projects and subsidies in which the organization participates

        · Time and/or face-to-face or attendance control and monitoring of functional performance

        · Regulatory Compliance Management (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, being able to establish access controls to facilities, information systems and printing of documentation for all personal data under the responsibility of the organization and therefore for all the information systems of said entity, as well as the controls related to the use of the images captured by the video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as breaches of labor regulations, crimes or illegal behavior.

        Contact Management / Agenda

        · Statistical, historical or scientific purposes

        · Access control and Video Surveillance of the Facilities, as well as security and regulatory compliance in them, preserve the safety of people and property and facilities, as well as for the exercise of the control functions of the workers provided for in the Article 20.3 of the Workers' Statute, the investigation of possible incidents or accidents, management of associated insurance and management of warnings or sanctions for breaches of safety regulations.

        · Quality management and auditing, environmental management and/or occupational safety management of the organization's processes and facilities

        Associated management, including its prior communication, that could derive from the development of any operation of structural modification of companies or the contribution or transfer of business or branch of business activity, provided that the treatments were necessary for the good end of the operation and guarantee, when appropriate, continuity in the provision of services.

        · Inclusion in the whistleblowing channel systems of the data associated with the disclosure (even anonymously) of the commission within the organization or in the actions of third parties that contracted with it, of acts or behaviors that could be contrary to the general or sectoral regulations that may be applicable to it.

        · Others: Reserves the right to carry out periodic audits in the facilities of suppliers and creditors

        How long do we keep your data?

        The data provided will be kept as long as the relationship of legality of treatment is maintained, its deletion is not requested by the interested party after formalized termination in writing of the relationship with the interested party, with the exception of its conservation for the formulation, exercise or defense of claims of the data controller or with a view to protecting the rights of another natural or legal person and/or for reasons of legal obligation.

        · In any case, at the end of the relationship, the Data of the interested party will be duly blocked, as provided in the current data protection regulations.

        · Accounting and Tax Documentation - For Tax purposes: Accounting books and other mandatory record books according to the applicable tax regulations (IRPF, VAT, IS, etc.), as well as documentary supports that justify the entries recorded in the books (including computer programs and files and any other proof that has fiscal significance), must be kept, at least, during the period in which the Administration has the right to verify and investigate and, consequently, to settle the tax debt (Articles 66 to 70 of the General Law tax). Prescription period for Tax Offenses associated with the verification of the bases or fees compensated or pending compensation or deductions applied or pending application and Offenses against the Public Treasury and Social Security – Art. 66 bis General Tax Law and Penal Code, respectively . - 4 years. Prescription infractions 10 years.

        · Accounting and Fiscal Documentation – For Commercial purposes: Books, correspondence, documentation and justifications concerning your business, duly ordered from the last entry made in the books, except for what is established by general or special provisions. This commercial obligation extends to both the mandatory books (income, expenses, capital goods and provisions, as well as the documentation and supporting documents that support the entries recorded in the books (invoices issued and received, tickets, rectifying invoices, bank documents, etc) (Art.30 Commercial Code) – 6 years.

        · Occupational Risk Prevention Documentation – Documentation on information and training for workers. Records of accidents at work or occupational diseases (Legislative RD 5/2000, of August 4, which approves the revised text of the Law on Offenses and Sanctions in the Social Order) – 5 years.

        · The images/sounds captured by video surveillance systems will be deleted within a maximum period of one month from their capture, except when they have to be kept to prove the commission of acts that violate the integrity of people, property or facilities (in which case, the images will be made available to the competent authority within a maximum period of 72 hours from when the existence of the recording became known), or are related to serious or very serious criminal or administrative offenses in matters of public safety, with an ongoing police investigation or with an open judicial or administrative procedure (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art. 22 LOPDGDD) – 30 days.

        The data included in the automated processing created to control access to buildings (Instruction 1/1996, of March 1, of the AEPD, on automated files established for the purpose of controlling access to buildings) – 30 days

        · The data processed in relation to the legal guarantee will be kept during the validity of the legal guarantee and after its validity expires, during the period that there could be a judicial or administrative claim in relation to the legal guarantee.

        · Solvency Files: Data referring to certain debts, due and demandable and unclaimed (Art. 20 of LOPDGDD) - while the breach persists, with a maximum limit of five years from the expiration date of the monetary, financial or debt obligation. credit – 5 years

        · The data processed for the remission of commercial communications will be kept until the consent granted is revoked.

        The data of the person who makes the communication of a complaint and of the employees and third parties are kept in the complaints system to decide on the origin of initiating an investigation into the reported facts, as well as later as evidence of the operation of the prevention model of the commission of crimes by the legal person, in accordance with the provisions of article 24 of the LOPDGDD.

        · Therefore, the data will be kept as long as the commercial relationship is in force, based on the conservation periods established by the current regulations indicated above, as well as the legal or contractual periods established for the exercise or prescription of any liability action. due to breach of contract by the interested party or the Organization (reform of the Civil Code establishes a period of 5 years to be able to carry out an action for civil liability, a period that runs from the date on which compliance with the obligation can be demanded).

        What is the legitimacy for the processing of your data?

        · The execution of a contract: Fulfillment of the offer, order and/or commercial contract.

        · Comply with a legal obligation: Regulations with the rank of administrative, commercial, tax, fiscal, accounting and financial law, occupational risk prevention, social security and applicable regulations of the sector.

        Satisfy a legitimate interest of the Responsible: Data processing as part of a commercial relationship and/or contract, which are necessary for its maintenance or fulfillment, data transmissions within business groups for internal administrative purposes, fraud prevention, as well as alleged of legitimate interest in which the person in charge could be an aggrieved party and it is necessary to process and communicate the data of the non-compliant party to third parties in order to manage regulatory compliance and defend the interests of the person in charge of treatment, video surveillance purposes as an interest legitimate of the organization in the protection of its assets, as well as cases of legitimate interest of specific treatments contemplated in the LOPDGDD: Article 19. Treatment of contact data and individual entrepreneurs; Article 20. Credit information systems; Article 21. Treatments related to carrying out certain commercial operations (corporate restructuring or business transfers) Article 22. Treatments for video surveillance purposes; Article 24 Information systems for internal complaints).

        The consent of the interested party that he has provided us unequivocally through formal means and/or by checking the boxes enabled for this purpose in the data protection clauses enabled in the base document that has regulated the commercial relationship depending on the channel of contact.

        To which recipients can your data be communicated?

        · Organizations or people directly contracted by the Data Controller for the provision of services related to the purposes of treatment: Hotels, Legal Advice, Management and/or Regulatory Compliance Auditors, Prevention Services, third parties to whom data is provided of subcontracted workers for access to their facilities.

        · Organizations or bodies of the Public Administration with competences in the matters object of the purposes of the treatment: AEAT

        · Financial Entities: Transfer and/or management of payment effects.

        Unions, Personnel Boards/Company Committee: Workers' Representatives: Contractors or subcontractors that are established (including self-employed) (art.35.2 CC and art.42 ET): CIF/NIF, company name, registered office, purpose of the contract, Social Security employer registration number, place of execution of the contract, coordination of activities from the point of view of occupational hazards, estimated duration of the contract (start and end date). Number of workers that will be employed by the contractor or subcontractor in the workplace of the main company.

        · Compliance Complaints Channel (Complaints about violation of data protection regulations are transmitted to the "Chief Privacy Officer" located in the matrix), for legitimate interest: Access to the data contained in these systems will be limited exclusively to who, whether incorporated or not within the entity, carry out internal control and compliance functions, or those in charge of treatment that are eventually designated for this purpose. However, its access by other people, or even its communication to third parties, will be lawful when it is necessary for the adoption of disciplinary measures or for the processing of judicial procedures that, if applicable, proceed.

        · Risk Prevention Delegates are empowered to access the information and documentation related to the working conditions that are necessary for the exercise of their functions and, in particular, to that provided for in articles 18, 23 and 36 LPRL. Prevention Delegates will be subject to the provisions of section 2 of article 65 of the Workers' Statute regarding the professional secrecy due to the information to which they had access as a result of their work in the company. (Article 37.3 LPRL).

        · Occupational Risk Prevention Services: the treatment by the occupational risk prevention services of the medical history, a consequence of the medical examinations carried out on the workers, must be limited to the provisions of article 22.4 of the LPRL. In this sense, access to medical information obtained under the provisions of the LPRL by the employer or any third party is prohibited, including persons or bodies with responsibilities for prevention, other than "medical personnel and authorities that carry out the surveillance of the health of the workers”, with the sole exception of the conclusions derived from said monitoring regarding the aptitude of the workers for the performance of the job.

        Under what guarantees are your data communicated?

        The communication of data to third parties is carried out to entities that accredit the provision of a Personal Data Protection System in accordance with current legislation. How have we obtained your data?

        The interested party or his legal representative

        · Vico Black 98 SL, as well as the entity with which the data controller maintains a contractual or service provision relationship and for which it must have personal data of contact persons for administrative and operational management in order to manage their access, incorporation into the project/service object and/or verification of regulatory compliance under the responsibility of the organization (eg, data related to workers who are going to carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks) .

        What category of data do we process?

        Commercial data, contact persons for the administrative and operational management associated with the execution of the contract/project and workers who are going to carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks; As a consequence of the contribution of the curriculum of the supplier's personnel involved in the provision of the service/work, in order to prove technical solvency in offers; In the case of workers who are going to carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks (The data that could be derived from possible incidents or accidents at work of subcontractors would be included in the treatment "Prevention of Occupational hazards"); Licenses or approvals, in the case of workers who are going to carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks; Professional details and employment details as a result of the contribution of the curriculum of the provider's personnel involved in the provision of the service/work, in order to prove technical solvency in offers; Commercial information and approval data; Economic, financial data and/or collection conditions; Goods and services supplied by the affected party, Financial transactions; Other types of data: Name, surnames and NIF of legal representative, contact details of people in the organization involved or related to the project object of the contract/order.

        The data structure that we process does not contain data related to criminal convictions and offenses, nor sensitive data, except in cases in which the owner has special conditions and must provide documentation that incorporates said information so that it can be accredited or justified compliance with said condition.

        How is your personal data stored securely?

        Vico Black 98 SL takes all necessary measures to keep your personal data private and secure. Only authorized persons, authorized personnel of Third Parties or authorized personnel of our companies (who have the legal and contractual obligation to keep all information securely) have access to your personal data. All personnel who have access to your personal data are required to agree to respect the Privacy Policy and the data protection regulations and all Third Party employees who have access to your personal data sign the confidentiality commitments in the terms established in the current legislation. In addition, you contractually ensure that third-party companies that have access to your personal data keep it secure. To ensure that your personal data is protected, since it has an IT security environment and adopts the necessary measures to prevent unauthorized access. Group companies have entered into agreements to ensure that we treat your personal data correctly and in accordance with data protection law. These agreements reflect the respective roles and responsibilities in relation to you, and contemplate which entity is in the best position to meet your needs. These agreements between group companies do not affect your rights under data protection law. For more information on these agreements, please do not hesitate to contact us.

        CONFIDENTIALITY AND INFORMATION TO THIRD PARTIES WHO PROVIDE US WITH DATA

        In compliance with the provisions of the personal data protection regulations, we process the information you provide us (as well as the personal data of contact persons for administrative and operational management in order to manage your access, incorporation into the project/service object of the contracted service and/or verification of regulatory compliance under the responsibility of the organization, personal data of the legal representatives of the entity and/or of the people involved in the project (curriculum vitae) and/or personal references from previous jobs in order to accredit technical solvency and, where appropriate, personal data relating to workers who are going to carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks) in accordance with the provisions of the clause and additional information on data protection .

        With the acceptance and/or validation of the process that serves as the basis for the formalization of your relationship with Vico Black 98 SL, you expressly consent to the processing of data in accordance with the provisions of the clause and additional information on data protection, as well as to inform and have the consent of third parties who provide us with personal data for said treatment. Likewise, and to the extent that as a consequence of their relationship you can access personal data and/or confidential information, you agree to maintain absolute confidentiality and discretion regarding the information obtained about the activities, interested parties and entities related to Vico Black 98 SL or group companies, especially with regard to Personal Data, even after the end of their relationship with the organization.

        In accordance with the aforementioned, it undertakes to inform on behalf of and expressly, precisely and unequivocally the owners of the data of whom it transfers information to the company-within the month following the time of communication of the data to Vico Black 98 SL, of the following aspects “Your personal data will be communicated to the Treatment Manager VICO BLACK 98 SL–protecciondatos@grupoq.net. Said communication of data and the treatment of these, is carried out in compliance with current legislation on contractual, labor, occupational risk prevention and social security matters, with the purpose of informing, verifying and controlling compliance with the applicable legislation in relationship with the personnel designated by the supplier/collaborator for the execution of the contracted service and the maintenance of commercial relationship histories. Said treatment is mandatory in accordance with current legislation. The refusal to provide the data may lead to the termination of the contract. Likewise, the interested party is informed that, in accordance with current legislation, they must communicate the information and data obtained in the contracting process to organizations and third parties to whom, by virtue of current regulations, they have the obligation to communicate the data. Rights: The interested party may access, rectify and delete the data, as well as limit, withdraw or oppose the treatment in accordance with the procedures established in our privacy policy. If you consider that the exercise of your rights has not been fully satisfactory, you may file a claim with the national control authority by contacting the Spanish Agency for Data Protection, C/ Jorge Juan, 6 – 28001 Madrid. Origin: The data we process comes from the entity with which the data controller maintains a contractual or service provision relationship and for which it must have personal data of contact persons for administrative and operational management in order to manage their access, incorporation into the project/service object and/or verification of regulatory compliance under the responsibility of the organization (eg, data related to workers who are going to carry out the contracted work in terms of coordination of business activities and prevention of occupational hazards). The Data Structure that we process does not contain sensitive data, except in cases in which the owner is the beneficiary of special conditions and has to provide records that allow accrediting or justifying compliance with said condition. You can consult our Privacy Policy on the corporate website”

        ADDITIONAL INFORMATION TREATMENT OF VIDEO SURVEILLANCE DATA AND ACCESS RECORD:

        For what purpose do we process the personal data you provide us?

        Control of Accesses/Visits and Video Surveillance of the Facilities, as well as security and regulatory compliance in them, preserve the safety of people and property and facilities, as well as for the exercise of the control functions of the workers provided in article 20.3 of the Workers' Statute, the investigation of possible incidents or accidents, management of associated insurance and management of warnings or sanctions for breaches of safety regulations, through the video surveillance system.

        · Verify compliance by workers with their labor obligations and duties in accordance with article 20.3 of the Workers' Statute that authorizes the employer to adopt surveillance and control measures for this purpose (controls related to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as breaches of labor regulations, crimes or illegal behavior).

        · Health and safety management (occupational risk prevention and safety surveillance) and compliance assessment

        · Time and/or face-to-face or attendance control and monitoring of functional performance

        · Regulatory Compliance Management (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, being able to establish access controls to facilities, information systems and printing of documentation for all personal data under the responsibility of the organization and therefore for all the information systems of said entity, as well as the controls related to the use of the images captured by the video surveillance systems for the investigation of accidents and/or incidents that may occur, as well as breaches of labor regulations, crimes or illegal behavior.

        · Registration of Accesses/Visits and Video Surveillance of the Facilities, as well as security and regulatory compliance in them, the investigation of possible incidents or accidents, management of associated insurance and management of warnings or sanctions for breaches of security regulations.

        · Others (specify): the investigation of possible incidents or accidents at work, management of associated insurance, as well as for the investigation of incidents and confirmation of compliance with the security regulations and protection of personal data established in the data protection systems. data and management systems implemented for all personal data under the responsibility of the organization and therefore for all the information systems of said entity, as well as the controls related to the use of the images captured by the video surveillance systems for the Investigation of accidents and/or incidents that may occur, as well as breaches of labor regulations, crimes or illegal behavior.

        · Temporary control of body temperature to be able to access the entity for the following purposes (detect possible infected people and prevent their access to a certain place and their contact within it with other people):

        Protect the health and life of the people who are in this workplace.

        · Contribute to the containment of the pandemic.

        · Comply with occupational risk prevention regulations.

        · Verify compliance, by workers, with the obligation to go to the workplace without fever.

        · Inclusion in the whistleblowing channel systems of the data associated with the disclosure (even anonymously) of the commission within the organization or in the actions of third parties that contracted with it, of acts or behaviors that could be contrary to the general or sectoral regulations that may be applicable to it.

        How long do we keep the data provided?

        · The images/sounds captured by video surveillance systems will be deleted within a maximum period of one month from their capture, except when they have to be kept to prove the commission of acts that violate the integrity of people, property or facilities (in which case, the images will be made available to the competent authority within a maximum period of 72 hours from when the existence of the recording became known), or are related to serious or very serious criminal or administrative offenses in matters of public safety, with an ongoing police investigation or with an open judicial or administrative procedure (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art. 22 LOPDGDD) – 30 days.

        The data included in the automated files created to control access to buildings (Instruction 1/1996, of March 1, of the AEPD, on automated files established for the purpose of controlling access to buildings) – 30 days

        The data of the person who makes the communication of a complaint and of the employees and third parties are kept in the complaints system to decide on the origin of initiating an investigation into the reported facts, as well as later as evidence of the operation of the prevention model of the commission of crimes by the legal person, in accordance with the provisions of article 24 of the LOPDGDD.

        · The entity has established as a period of conservation of the temperature control data as the necessary to face possible legal actions derived from the decision to deny access

        What is the legitimacy for the processing of your data?

        The legal basis for the processing of your data is to satisfy a legitimate interest of the Responsible:

        · Security and cases of legitimate interest in which the controller could be a harmed party and it is necessary to process and communicate the data of the offender to third parties in order to manage regulatory compliance and defend the interests of the controller, as well as cases of legitimate interest of specific treatments contemplated in the LOPDGDD: Article 19. Treatment of contact data and individual entrepreneurs; Article 22. Treatments for video surveillance purposes; Article 24 Information systems for internal complaints).

        · Art. 20.3 and 4 Royal Legislative Decree 1/1995, of March 24, which approves the consolidated text of the Workers' Statute Law (ET): The employer may adopt the measures he deems most appropriate for surveillance and control to verify compliance by the worker with his labor obligations and duties, keeping due consideration for his human dignity in its adoption and application and taking into account the real capacity of disabled workers, if applicable.

        · The employer may verify the state of illness or accident of the worker that is alleged by him to justify his lack of attendance at work, through examination by medical personnel. The refusal of the worker to such acknowledgments may determine the suspension of the economic rights that may exist in charge of the employer due to said situations.

        · ( ) Constitutional Court Judgment 39/2016, of March 3 (LAW. 218/2016), arguing that this power of control is legitimized by art. 20.3 of the ET, which expressly authorizes the employer to adopt surveillance and control measures to verify compliance by workers with their labor obligations. This general power of control provided for in the law, legitimizes the corporate control of compliance by the workers with their professional tasks and the consent of the workers to such effects is implicit in the conclusion of the employment contract. The legitimacy of this purpose is fulfilled by the existence of several emblems displayed by the organization in the facilities that announce the presence of installation of cameras and image capture and with explicit information, if possible in writing, consisting of the fact that they are going to to record, with the sole purpose of monitoring compliance with labor obligations and that they may be penalized based on the recorded images in the event of verified non-compliance. In the same sense, STS 77/2017 of January 31, 2017.

        · AEPD Video Surveillance Guide: Article 20.3 of the Workers' Statute authorizes the employer to adopt the surveillance and control measures he deems most appropriate to verify compliance by the worker with his labor obligations and duties, keeping in their adoption and application the consideration due to their human dignity and taking into account the real capacity of the handicapped workers, if applicable. These measures may include the capture and/or processing of images without consent. However, such practices are fully subject to the LOPD and Instruction 1/2006 and must comply with specific requirements.

        · As a legal basis for the treatment associated with temperature control, compliance with the legal obligation to guarantee the safety and health of workers is specified. This legal basis is specified in this case in the following rules:

        · Status of workers.

        · Law 21/1995 on Occupational Risk Prevention.

        · Royal Decree 664/1997 on the protection of workers against risks related to exposure to biological agents during work


        · Action procedure for occupational risk prevention services against exposure to SARS-CoV-2

        · Guidelines for good practices in the industrial sector in relation to Covid-19 (National Institute for Occupational Safety and Health).

        · Guidelines adopted by the ORP service of the entity by legal authorization and delegation of preventive functions.

        To which recipients can your data be communicated?

        · Organizations or people directly contracted by the Treatment Manager for the provision of services related to the treatment purposes (specify): Contracted security company

        · Insurance Entities (specify): In the event of a loss, incident or accident, insurance entities are provided for the investigation of the event in order to define the scope and coverage of the insurance premium contracted by the person responsible for treatment.

        · Security Forces and Bodies (specify): To the extent that a justified right of access is required in the investigation of a regulatory breach.

        · The owner of the establishment, for legitimate interest in the protection of the assets under his property

        · Judges and Courts, as well as Security Forces and Bodies: To the extent that a justified right of access is required in the investigation of a regulatory breach.

        · In the case of temperatures above the sanitary threshold, access to the person will not be allowed and they will be entrusted to the primary care services (in the case of external) or to the health surveillance service (in the case of inmates). ) for, in accordance with the protocol, diagnostic tests and other communications established in accordance with the pandemic control protocol.

        · Compliance Complaints Channel (Complaints about violation of data protection regulations are transmitted to the "Chief Privacy Officer" located in the matrix), for legitimate interest: Access to the data contained in these systems will be limited exclusively to who, whether incorporated or not within the entity, carry out internal control and compliance functions, or those in charge of treatment that are eventually designated for this purpose. However, its access by other people, or even its communication to third parties, will be lawful when it is necessary for the adoption of disciplinary measures or for the processing of judicial procedures that, if applicable, proceed.

        Under what guarantees are your data communicated?

        The communication of data to third parties is carried out to entities that accredit the provision of a Personal Data Protection System in accordance with current legislation.

        What claim channels are there?

        If you consider that the exercise of your rights has not been fully satisfactory, you may file a claim with the national control authority by contacting the Spanish Agency for Data Protection, C/ Jorge Juan, 6 – 28001 Madrid.

        What category of data do we process?

        Image and identification and professional data, as well as reasons for your visit and/or person to visit, time of access and exit from the facility

        Likewise, temperature control data may be available to the extent that temporary temperature controls are carried out for access to the facilities for the purposes of controlling pandemic avoidance, according to the COVID Data Treatment Protocol that may be established. in terms of guaranteeing the job security of people in the organization.

        How is your personal data stored securely?

        All the necessary measures are taken to keep your personal data private and secure and will in any case comply with the provisions of Law 5/2014, of April 4, on Private Security and its development provisions. In this sense, it establishes and informs you of the following security measures:

        DUTY OF INFORMATION: The existence of the cameras and recording of images is reported, in order to comply with the duty of information provided for in article 12 of the GDPR through an information device in a sufficiently visible place identifying the existence of the treatment , the identity of the person responsible and the possibility of exercising the rights provided for in articles 15 to 22 of the GDPR. A connection code or internet address to this information may also be included in the information device. In any case, the information referred to in the aforementioned regulation in this Privacy Policy referenced in the aforementioned device is kept available to those affected. In the event that the flagrant commission of an illegal act has been caught, the duty to inform will be understood to have been fulfilled when there is at least the video surveillance information device.

        · LOCATION OF THE CAMERAS: It will only capture images of the public thoroughfare to the extent that it is essential for the purpose of preserving security. In no case are sound recording or video surveillance systems installed in places intended for the rest or recreation of workers or public employees, such as changing rooms, toilets, dining rooms and the like.

        · SOUND RECORDING: Sound recording will only be carried out when the risks to the safety of facilities, goods and people arising from the activity carried out in the workplace are relevant and always respecting the principle of proportionality, that of minimal intervention and guarantees.

        · MONITOR LOCATION: The monitors where the camera images are displayed are located in a restricted access space so that they are not accessible to unauthorized third parties.

        · CONSERVATION: The images/sounds captured by the video surveillance systems will be deleted within a maximum period of one month from their capture, except when they have to be preserved to prove the commission of acts that violate the integrity of people, goods or facilities ( in which case, the images will be made available to the competent authority within a maximum period of 72 hours from the knowledge of the existence of the recording), or are related to serious or very serious criminal or administrative offenses in terms of security public, with an ongoing police investigation or with an open judicial or administrative procedure (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art.22 LOPDGDD) – 30 days.

        · LABOR CONTROL: The treatment is carried out for the exercise of the control functions of the workers provided for in article 20.3 of the Workers' Statute, within its legal framework and with the limits inherent to it. To the extent that the cameras can be used for the purpose of labor control as provided for in article 20.3 of the Workers' Statute, workers and their representatives are informed about the present control measures established by the employer with an indication of the purpose of labor control of the images captured by the cameras, in accordance with what is indicated in the inclusion notification clause and in this privacy policy.

        · RIGHT OF ACCESS TO THE IMAGES: To comply with the right of access of the interested parties, a recent photograph and the National Identity Document of the interested party will be requested, as well as the detail of the date and time to which the right of access refers. . The interested party will not be provided with direct access to the images from the cameras in which images from third parties are shown. To avoid affecting the rights of third parties, in the case of an access request, we will proceed to issue a certificate in which, with the greatest possible precision and without affecting the rights of third parties, the data that has been processed is specified. Eg “Your image was registered in our systems on the ___ day of the month of the year between _ hours and _ hours. Specifically, the system records your access and exit from the facility.

        Vico Black 98 SL has formalized agreements to guarantee that we treat your personal data correctly and in accordance with current data protection regulations. These agreements reflect the respective roles and responsibilities in relation to you, and contemplate which entity is in the best position to meet your needs. These agreements do not affect your rights under data protection law. For more information on these agreements, please do not hesitate to contact us.

        The Data Controller takes all necessary measures to keep your personal data private and secure. Only authorized persons, authorized personnel from third parties directly contracted by the Treatment Manager for the provision of services related to the purposes of treatment or authorized personnel of companies that operate under the trade name of Vico Black 98 SL (who have the legal and contractual obligation to keep all information secure) have access to your personal data. All VICO BLACK 98 SL personnel who have access to your personal data are required to undertake to respect the Privacy Policy of the person responsible for Treatment and the data protection regulations and all Third Party employees who have access to your data. personnel who sign the confidentiality commitments in the terms established in the current legislation. In addition, you contractually ensure that third-party companies that have access to your personal data keep it secure. To ensure that your personal data is protected, we have an IT security environment and take the necessary measures to prevent unauthorized access.

        CHANGES IN PRIVACY POLICY

        Vico Black 98 SL reserves the right to make, at any time, as many modifications, variations, deletions or cancellations in the contents and in the form of presentation of the same as it deems appropriate, as we recommend that you always consult our privacy policy. that you deem relevant. If you do not agree with any of the changes, you can exercise your rights in accordance with the procedure described by sending an email to protecciondatos@grupoq.net

        In compliance with the provisions of the personal data protection regulations, we treat the information that you provide us (as well as the personal data of other people that you may provide us with) for the purposes specified in this privacy policy. In this sense, you declare to have been informed, to consent, as well as to inform and have the consent of third parties who provide us with personal data for said treatment.

        By accessing the facilities subject to video surveillance, you expressly consent to the processing of data in accordance with the provisions of the clause and additional information on data protection, as well as to inform and have the consent of third parties who provide us with personal data for the processing of access log.

        Likewise, with the acceptance and/or validation of the process, you declare that you are over 14 years of age and have legal capacity** and expressly consent to the processing of data in accordance with the provisions of the clause and additional information on data protection. If you have checked the corresponding consent box, the legal basis for such purposes is your consent, which you can withdraw at any time.

        (**) In the cases in which they represent a minor under 14 years of age or a person with legal incapacity, they responsibly declare that they have parental authority or guardianship of the minor or the corresponding legal representation, whose justification may be required by of the Treatment Manager in order to legitimize the accepted consent.