X

PRIVACY POLICY



Through this Privacy Policy, PROVITAL, SA wishes to inform all those using and accessing the www.weareprovital.com/es website about how the company processes their personal data.


Prior registration is not required to access the website. Before sending requests for information through the contact form provided on this website, the User must agree to the Privacy Policy in order to give their express and informed consent for the data to be processed for the stated purposes.


In accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights, PROVITAL, SA hereby provides the following information in its capacity as the Data Controller of the collected personal data:


1.  Data Controller


·      Data controller company: PROVITAL, SA

·      Tax Identification Number (NIF): A08584997

·      Address: Pol. Ind. Can Salvatella – Gorgs Lladó, 200 - 08210 Barberà del Vallès (Barcelona)

·      Email address: info@weareprovital.com


2.  User Registration


In order to register, the User must enter the following data:

 

·      Name

·      Surnames

·      City

·      Telephone

·      Email address



Once a password has been issued to the User, they shall be responsible for the confidential and responsible treatment of the login and password provided by PROVITAL, SA, and they may not make them available to others.


Purpose of data processing

·      To manage requested access to the PROVITAL, SA Intranet.

·      To send information about our organisation by e-mail or similar electronic means of communication.


Legal basis for data processing

·     The basis for the processing of personal data is that it is necessary for the performance of an agreement, in accordance with 6.1.b) of the GDPR.


·   The legal basis for the processing of data for the purpose of sending communications is the prior and express consent given by the User by checking the corresponding box, in accordance with the provisions of Art. 21 of the LSSI-CE (Ley de Servicios de la Sociedad de la Información y del Comercio Electrónico) [Spanish Act Regulating Information Society Services and E-Commerce].


Retention period

The data received on this basis will not be kept any longer than the fulfilment of the purpose for which they were collected, except in the case of compliance with a legal obligation.


The User's e-mail address will be kept for as long as their subscription to receive informative communications from the organisation remains active.


Communication of data

Data is not shared with third parties unless a legal requirement exists or the data subject has given their express consent.


International data transfers

The data subject is hereby informed that commercial communications will be sent via HubSpot, whose registered office and servers are located in the USA. Furthermore, the data subject is informed that Hubspot has standard contractual clauses which allow international transfers to be carried out under the guarantees set out in the GDPR.


3.  Newsletter subscription

The User is given the opportunity to receive the PROVITAL, SA Newsletter:

 

·      Name

·      Surnames

·      Email address

·      City

·      Language

 

Purpose of data processing

·      To send information about our organisation by e-mail or similar electronic means of communication.


Legal basis for data processing

·      The legal basis for the processing of personal data is the consent given by the data subject via the relevant acceptance box, in accordance with Article 6.1.a) of the GDPR, and with the provisions of Art. 21 of the LSSI-CE.


Retention period

The data will be kept for as long as the Newsletter subscription is active.


Communication of data

Data is not shared with third parties, unless a legal requirement exists or the data subject has given their express consent.


International data transfers

The data subject is hereby informed that commercial communications will be sent via Hubspot, whose registered office and servers are located in the USA. Furthermore, they are also informed that Hubspot has standard contractual clauses which allow international transfers to be carried out under the guarantees set out in the GDPR.


4.  Work with PROVITAL, SA

The User is given the opportunity to join the team at PROVITAL, SA. A data collection form has been created for this purpose to collect the following details:

 

·      Name

·      Surnames

·      City

·      Telephone no.

·      Email address

·      CV

 

Purpose of data processing

·      To process your application and analyse your profile in order for you to participate in staff selection processes.


Legal basis for data processing

·      The legal basis for the processing of personal data is the consent given by the data subject via the relevant acceptance box, in accordance with Article 6.1.a) of the GDPR.


Retention period

The data will be kept for two years. After this period they will be destroyed.


Communication of data and international data transfers

Provided that you have given your consent, the data will be made known to companies in the group in order for you to participate in their selection process.


The disclosure of this data involves international data transfers. Therefore, if you consent to your data being made available, you are implicitly consenting to these transfers for the sole purpose of your participation in a selection process.


Refusal to agree to the data's disclosure and to data transfers will mean that the candidate will not be able to participate in selection processes by other companies in the PROVITAL group.


You can consult the companies in the group by clicking here.


5.  Complaints channel

In accordance with the principles of business ethics, honesty, transparency and quality, and in order to boost the respect and trust of our collaborators and other stakeholders, PROVITAL puts this Ethical Channel at your disposal.

The complaint through our channel can be made confidentially. In this case, the following contact details will be requested: name, surname and contact email address.


Access to the data contained in these systems shall be limited exclusively to the persons responsible for internal control and compliance functions, or to the persons appointed to data processing tasks. Notwithstanding this, the said data may be accessed by other persons or even disclosed to third parties when this is necessary for disciplinary measures to be taken or for any legal proceedings that might be required.


Without prejudice to the competent authority’s notification of events that might constitute a criminal or administrative offence, access may be granted to staff with human resources management and supervisory duties, but only in circumstances in which disciplinary measures might be taken against an employee.


Purpose of data processing

·    To process and manage all matters relating to the complaint filed through this channel.

·    To inform you of the progress of your complaint.


Legal basis for data processing

·    The legal basis for the processing of your data is the organisation's legitimate interest, in accordance with Article 24.4 of the LOPDGDD (Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales) [Organic Law on Data Protection and Guarantee of Digital Rights].


Retention period

The details of the complainant and of employees and third parties must only be kept in the complaints system as long as is required to determine whether it is appropriate to open an investigation into the reported events, under the terms set out in Art. 24.4 of the LOPDGDD.


Disclosure of data and international data transfers

The disclosure of the filed complaint to third parties shall be permissible when this is necessary for disciplinary measures to be taken or for any required legal proceedings to be carried out.

 

6.  Rights of the data subject

When the User's personal data are processed, they shall be deemed to be a data subject, as established in the GDPR, and, as such, they shall be entitled to the fulfilment of the following rights by the data controller:


Right of access

They may ask the data controller to confirm whether their personal data are being processed by the latter.

 

If their data are being processed, information can be requested from the data controller about:

 

·      the purpose for which the personal data are being processed;

·      the categories of personal data that will be processed;

·      the recipients or types of recipients of the personal data relating to the User that has been/will be disclosed;

·      the period during which the personal data will be kept or, failing that, the criteria used to determine this period;

·      the right to rectification or erasure of the personal data concerning them, the right to the restriction of processing by the controller or the right to object to such processing;

·      the right to lodge a complaint with a supervisory authority;

·      all available information on the source of the data when the personal data have not been obtained from the data subject;

·      automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) of the GDPR and, in such cases at least, meaningful information on the applied logic and the significance and expected effects of such processing for the data subject.

 

The data subject may also request information about whether their personal data have been transferred to a third country or to an international organisation. They may ask to be informed about this in accordance with Article 46 of the GDPR on the transfer of data.

 

Right to rectification

If the personal data concerning the data subject should be inaccurate or incomplete, they may have the said information rectified or completed by the data controller. The controller shall rectify the data without delay.


Right to restrict processing

The User may ask to restrict the processing of their personal data when any of the following conditions are met:

 

·      If they dispute the accuracy of their personal data within a period of time that allows the controller to verify the accuracy of the data;


·      The processing is unlawful and the User objects to having their personal data deleted and instead asks for their use to be restricted;


·      The controller no longer needs the personal data for the data processing purpose, but the User needs them in order to establish, exercise or defend claims;


·      If the User has objected to the processing, pursuant to Art. 21(1) of the GDPR, while it is being determined whether the controller's legitimate reasons outweigh those of the User.

 

When the processing of the personal data has been restricted, with the exception of their retention, such data may be processed only with the data subject's consent or for the purpose of establishing, exercising or defending claims or protecting the rights of another natural or legal person or for reasons of high public interest to the European Union or a Member State.

 

If the processing has been restricted in accordance with the above conditions, the data subject will be informed by the controller before such restriction is terminated.

 

Right to erasure

The data subject may ask the controller to erase their personal data immediately, and the controller must erase this information without delay in any of the following circumstances:

 

·      The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

·      If the User withdraws the consent that was the basis for the processing of the data pursuant to Art. 6 (1) (1)(a) or Art. 9 (2)(a) of the GDPR, and there is no other legal basis for the processing.

·      If the User objects to the processing pursuant to Art. 21 (1) of the GDPR and there are no compelling legitimate grounds for the processing, or if the User objects to the processing pursuant to Art. 21 (2) of the GDPR.

·      If their personal data have been unlawfully processed.

·      The personal data must be erased in order to comply with a legal obligation under European Union law or the law of the Member States to which the controller is subject.

·      The User's personal data have been collected in connection with information society services offered in accordance with Art. 8 (1) of the GDPR.

 

If the data controller has made the User's personal data public and it is obliged to erase them pursuant to Art. 17 (1) of the GDPR, it shall take all appropriate steps–including technical ones, dependent on the available technology and implementation costs–, to inform data controllers that the User, as a data subject, has requested the deletion of all links to their personal data or copies or replicas of the said information.

 

The right to erasure shall not exist when the processing is necessary:

 

·      to exercise freedom of expression and information;

·      to comply with a legal obligation to process the data, as required by European Union law or the Member State law to which the controller is subject, or in order to carry out a task in the public interest, or in order to exercise a public scope of authority conferred upon the controller;

·      for reasons of public interest in the field of public health, in accordance with Art. 9 (2)(h) and (i) and Art. 9 (3) of the GDPR.

·      for archival purposes in the public interest, scientific or historical research purposes or statistical ones in accordance with Art. 89 (1) of the GDPR, insofar as the law referred to in section a) is likely to render impossible or seriously impair the fulfilment of the purposes of such processing, or

·      to establish, exercise or defend claims.


Right to information

If the data subject has exercised their right to rectification, erasure or restriction of processing with the controller, the latter shall be obliged to inform all the recipients of the said disclosed personal data of this rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort.

 

The User has the right to be informed by the data controller of the recipients' identities.

 

Right to data portability

The data subject has the right to receive the personal data that they supplied the controller with in a structured, commonly used and machine-readable format. Furthermore, they have the right to transfer this data to another data controller without being prevented from doing so by the controller to whom the said data were provided, when

 

·      the processing is based on consent as established in Art. 6 (1)(1)(a) of the GDPR or Art. 9(2)(a) of the GDPR or in a contract pursuant to Art. 6 (1) (1) (b) of the GDPR, and

·      the processing is carried out by automated means.

 

In exercising this right, the User shall also be entitled to have the personal data transferred directly from one controller to another, when this is technically feasible. The freedoms and rights of others may not be adversely affected by this.

 

This right to data portability shall not apply to any processing of personal data that is necessary for the performance of a task carried out in the public interest or for the exercise of a public scope of authority conferred on the controller.

 

Right to object

The User has the right to object at any time to the processing of their personal data pursuant to Art. 6 (1) (1) e) or f) of the GDPR for reasons relating to their personal situation; this also applies to profiling on the basis of these provisions.

 

The controller shall stop processing the User’s personal data unless it can demonstrate compelling legitimate grounds for such processing which override the User’s interests, rights and freedoms or if processing is intended for the purpose of establishing, exercising or defending claims.

 

If the User’s personal data is being processed for the purpose of direct marketing, they have the right to object at any time to the processing of their personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing activities.

 

If the User objects to processing for the purposes of direct marketing, their personal data will no longer be processed on such a basis.

 

The User has the option of exercising their right to object through automated procedures that use technical specifications relating to the use of information society services, irrespective of the provisions of Directive 2002/58/EC.

 

4.8 Right to withdraw consent regarding data protection

 

The User has the right to withdraw their consent regarding data protection at any time. Any withdrawal of consent shall not affect the lawfulness of the processing that took place on the basis of the consent given prior to its withdrawal.

 

Automated decision-making, including profiling

The User has the right not to be subject to a decision based solely on automated processing, including profiling, in situations in which it has legal effects on them or significantly affects them in a similar way. This shall not apply if the decision:

 

·      is necessary for a contract between the User and the controller to be entered into or performed;

·      is authorised under European Union legislation or the Member State legislation to which the controller is subject and where such legislation contains reasonable measures to safeguard the rights and freedoms and legitimate interests of the data subject, or

·      if it is based on their explicit consent.

 

However, such decisions shall not be based on the special categories of personal data specified in Art. 9(1) of the GDPR, unless Art. 9(2)(a) or (b) of the GDPR applies and appropriate measures have been taken to safeguard the User's rights and freedoms and their legitimate interests.

 

With regard to the cases referred to in points 1 and 3, the controller shall take appropriate steps to safeguard the User's rights and freedoms and legitimate interests, including at least the right to human intervention on the controller’s part, the User's right to present their point of view, and their right to challenge the decision.

 

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, the User shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their residence, place of work or place where the alleged infringement occurred, if they consider that the processing of their personal data is in breach of the GDPR.

 

The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of seeking a judicial remedy in accordance with Art. 78 of the GDPR.


7.  Where can the User exercise their rights?

The User may exercise their rights by sending a letter to Pol. Ind. Can Salvatella - Gorgs Lladó, 200 - 08210 Barberà del Vallès (Barcelona), or by e-mail to info@weareprovital.com.


Likewise, the data subject is hereby informed that they can revoke their consent to receive marketing correspondence by sending an e-mail to info@weareprovital.com.


8.  Is it mandatory to provide all the information requested in the Contact section?

With regard to the forms on the website, the User must fill in all fields marked “required”. Failing to fill in the required personal data or only providing part of the data may prevent PROVITAL, SA from attending to the User’s requests. In such an event, PROVITAL, SA shall be exempt from any liability that may arise for not providing the requested services, whether fully or in part.


The personal data given to PROVITAL, SA by the User must be up to date to ensure that the information on record is current and free of mistakes. The User is responsible for the accuracy of the provided data.


9.  What security measures has the company set in place?

PROVITAL, SA hereby informs the User that personal data is processed at all times in accordance with the applicable legislation on data protection and information society services.


PROVITAL, SA informs the User that it has set in place the necessary technical and organisational security measures to guarantee the security of the User’s personal data and to prevent this data from being modified, lost, processed and/or accessed without authorisation, in accordance with the state of the art, the nature of the stored data and the risks to which it is exposed, whether by human action or by physical or natural means, and in compliance with current regulations.