Privacy policy

Epigraph Basic information (1st layer, summarized) Additional information (2nd layer, detailed)
Responsible

of the processing of personal data

ARELUX PRODUCTOS Y SERVICIOS S.L.

CIF: B99161036

Adress: Avda. del Rosario nº 8, Edif. Nodriza. 50410, Cuarte de Huerva, (Zaragoza – Spain) rgpd@grupoarelux.com

+ information
Purpose

of the processing of personal data

Management and marketing of products and services

Sending information about our products and services

+ information
Legitimation

of the processing of personal data

We process your data to comply with a legal obligation, to provide the services we are required to provide, to manage sales of our products, to provide contracted services or for legitimate purposes, such as making our activity known + information
“Recipients” (of assignments or transfers) Cessions

– Competent public administration (Social Security, Tax Agency, other…)

– Banks/Financial institutions

+ information
Rights of clients and users We recognize our customers and users their rights of access, rectification, deletion and portability of their data, and the limitation or opposition to their processing, which can be exercised in the manner legally provided at the addresses above + information

 

Responsible for processing of personal data ARELUX PRODUCTOS Y SERVICIOS S.L. CIF: B99161036

Adress: Avda. del Rosario nº 8, Edif. Nodriza. 50410, Cuarte de Huerva, (Zaragoza – Spain)

Email: rgpd@grupoarelux.com Activity:

Purpose of the processing of personal data Management and marketing of products and services

Sending information about our products and services

Legitimation of the processing of personal data We treat your data to comply with a legal obligation, to provide the services we are required to provide, to manage the sales of our products or for legitimate purposes such as publicizing our activity.

Obligation or not to provide data and consequences of not doing so: You must answer all questions raised or give all the information requested because otherwise the operation can not be performed or not provide the services requested. No more information is requested than is strictly necessary for the purposes for which it is intended.

Data retention periods or criteria: Those stipulated by tax legislation with respect to the prescription of responsibilities and those stipulated by civil or mercantile legislation for claiming payments or proving the correct provision of the service or the operation carried out.

Automated decisions, profiles and applied logic: Not adopted

– You have the right to withdraw your consent

– You have the right to complain to the Supervisory Authority. In Spain the Spanish Data Protection Agency (www.agpd.es)

Recipients of personal data communications – Competent public administration (Social Security, Tax Agency, other…)

– Banks/Financial Institutions

There are no international transfers of personal data outside of authorized cases.

Rights of customers and users We recognize our customers and users their rights of access, rectification, deletion and portability of their data, and the limitation or opposition to its processing, which can be exercised in the manner legally provided at the addresses indicated above. See our procedure for rights of control of personal data by its holders here:

CONTROL RIGHTS MANAGEMENT PROCEDURE OF THE INTERESTED TO THEIR PERSONAL DATA

PROCEDURE FOR THE EXERCISE OF THE RIGHT OF ACCESS

  1. A person interested in the Entity makes a communication to this exercising their right of access to their personal data.
  2. The person receiving the communication will immediately forward it to the SAFETY AND PRIVACY RESPONSIBLE (1) or to the SAFETY AND PRIVACY RESPONSIBLE
  3. After the access request has arrived, the RESPONSIBLE FOR SAFETY AND PRIVACY or THE RESPONSIBLE FOR TREATMENT will examine the request so that resolve (2) on it within a maximum period of one month from the reception of the request (3) .

In order to proceed with such an examination, the SAFETY AND PRIVACY RESPONSIBLE must take into account what is specified in the ANNEX to this procedure.

This resolution may be FAVOURABLE or FAVOURABLE:

A) FAVOURABLE RESOLUTION of the access request:

If the request is granted and the person in charge does not provide the legally required information with his or her communication, access shall be effective within ten days of said communication.

The information provided, whatever the medium in which it is provided, will be given in legible and intelligible form, without using codes that require the use of specific mechanical devices.

Such information shall comprise:

  • All the basic data of the person concerned.
  • Those resulting from any elaboration or computer process.
  • Available information on the origin of the data.
  • The transferees of the data.
  • The specification of the specific uses and purposes for which the data were stored.

The affected party may opt to receive the information through one or more of the following consultation systems:

  • On-screen display
  • Written, copy or photocopy sent by post, certified or not.
  • Telecopy.
  • Electronic mail or other electronic communications systems.
  • Any other system that is adequate to the configuration or material implantation of the treatment or to the nature of the treatment, offered by the person in charge

Therefore, the TREATMENT RESPONSIBLE will deliver the information according to the system to which the interested party has opted

These systems from consultation may be restricted depending on the configuration or material implementation of the treatment or the nature of the treatment, provided that the treatment offered to the affected party is free of charge and ensures written communication if required.

If the data controller offers a certain system to make the right of access effective and the data subject rejects it, the data controller will not be held responsible for the possible risks to the security of the information that may derive from the choice.

B) DISFAVORABLE RESOLUTION

The TREATMENT RESPONSIBLE may deny access to personal data within a maximum period of one month from receipt of the request when:

  1. The right has already been exercised in the twelve months prior to the application , unless a legitimate interest is credited.
  2. Access may also be denied in cases where provides a law or a rule of community law directly applicable or when these avoid responsible treatment reveal to those affected the treatment of the data to which the access refers.
  3. In any case, the TREATMENT RESPONSIBLE will inform the affected person of his/her right to collect protection from the Spanish Data Protection Agency or, as the case may be, from the control authorities of the autonomous communities.
RIGHTS GUARANTEE. The interested party to whom the exercise of the rights of opposition, access, rectification or suppression is totally or partially denied may inform the Data Protection Agency or, as the case may be, the competent body of each Autonomous Community, which must ensure that the denial comes from or is not appropriate.

The maximum period in which the express decision on the protection of rights must be issued is six months.A contentious-administrative appeal will be filed against the decisions of the Data Protection Agency.

What is the right of access?

The right of access is the right of the data subject to obtain information on whether his or her own personal data:

  • They are being processed, the purpose of the processing, if any, is being carried out.
  • Available information on the origin of such data.
  • The communications made or planned thereof.

By exercising this right, the data subject may obtain from the data controller:

  • Information relating to specific data
  • Data included in a certain treatment
  • The totality of your data submitted to treatment

How do you exercise your right of access?

The right of access can be exercised by means of communication addressed to the TREATMENT RESPONSIBLE . It can be exercised by:

  • The affected person proving their identity, as planned. Required:
    • Name and surname of the interested party.
    • Photocopy of his national identity document, or of his passport or other valid document that identifies him and, where appropriate, of the person representing him, or equivalent electronic instruments; as well as the document or electronic instrument accrediting such representation. The use of an electronic signature identifying the person concerned shall exempt the presentation of photocopies of the DNI or equivalent document.
    • Request in which the request is specified.
    • Address for notification purposes, date and signature of the applicant.
    • Documents accrediting the petition, if any.

In the event that the application does not meet the requirements specified here, the TREATMENT RESPONSIBLE must request their correction.

  • When the affected person is in situation of incapacity or minority of age that makes it impossible for him/her to exercise this right personally, it may be exercised by his/her legal representative , in which case it will be necessary for him/her to prove such condition.
  • The right of access may also be exercised through voluntary representative, expressly designated for the exercise of the right. In this case, the identity of the represented party must be clearly accredited by means of a copy of his National Identity Document or equivalent document, and the representation conferred by him.

The right of access will be DENIED when the request is made by a person other than the affected person and it is not accredited that the same acts on behalf of that person..

The right of access of the interested party to the documentation of the history of the Entity cannot be exercised to the detriment of the right of third parties to the confidentiality of the data contained therein collected in the therapeutic interest of the interested party, nor to the detriment of the right of the professionals participating in its elaboration, which can oppose to the right of access the reservation of their subjective annotations.

Health centres and individual exercise physicians will only facilitate access to the history of the deceased interested parties’ Entity to the persons linked to it, for family reasons or in fact, except where the deceased would have expressly forbidden it and so is credited . In any case, the access of a third party to the history of the Entity motivated by a risk to its health will be limited to the pertinent data. No information will be provided that affects the privacy of the deceased or the subjective notes of professionals, or that harms third parties.

The interested party must be granted a simple and free medium for the exercise of the right of access.

The cases in which the data controller establishes as a means for the data subject to exercise his rights the sending of registered letters or similar, the use of telecommunications services that imply an additional tariff for the data subject or any other means that imply an excessive cost for the data subject shall not be considered in accordance with the provisions of the General Data Protection Regulation (GDPR).

When the TREATMENT RESPONSIBLE has services of any kind for the attention to its public or the exercise of claims related to the service provided or the products offered to it, the affected party may be granted the possibility of exercising their right of access through such services . In this case, the identity of the interested party will be considered accredited by the means established for the identification of the clients of the responsible party in the provision of their services or contracting of their products.

The person in charge of the treatment must take the appropriate measures to ensure that the people in his organization who have access to personal data can inform about the procedure to be followed by the person affected for the exercise of his right.

PROCEDURE FOR THE EXERCISE OF THE RIGHT OF OPPOSITION

(Article 21 of the General Data Protection Regulation (GDPR)).

  1. A person interested in the Entity makes a communication to the Entity exercising their right to object to their personal data, including or not their history
  2. The person receiving the communication will immediately forward it to the SAFETY RESPONSIBLE
  3. After the opposition request has arrived, the RESPONSIBLE FOR SECURITY AND PRIVACY will examine the request so that the RESPONSIBLE FOR THE TREATMENT resolves (4) on it within a maximum period of ten days from receipt of the request(5). In order to proceed with this examination, the RESPONSIBLE FOR SECURITY AND PRIVACY must take into account what is specified in the ANNEX to this procedure.

In order to proceed with this examination, the RESPONSIBLE FOR SECURITY AND PRIVACY must take into account what is specified in the ANNEX to this procedure.

This resolution may be FAVOURABLE or FAVOURABLE:

A) FAVOURABLE RESOLUTION:

In this case the treatment is not carried out of the personal data of the interested or the treatment is stopped. It is given in the following assumptions:

  • The information provided, whatever the support in which it is provided, will be given in legible and intelligible form, without using keys or codes that require the use of specific mechanical devices.

Such information shall comprise:

  • When your consent is not required for treatment, as a consequence of the concurrence of a legitimate and well-founded reason, referring to your specific personal situation, which justifies it, provided that a law does not provide otherwise. When the opposition is based on this assumption, in the application it must be stated the justified and legitimate reasons relating to a specific personal situation of affected, which justify the exercise of this right.
  • In the case of treatments whose purpose is to carry out advertising and commercial prospecting activities.
  • When the purpose of the treatment is to make a decision referred to the affected person and based solely on an automated treatment of their personal data.

In any case, reliable notification will be made to the interested party.

B) DISFAVORABLE RESOLUTION:

The RESPONSIBLE FOR THE TREATMENT must reasonably deny the interested party’s application in the term maximum of ten days counting from the reception of the application, with reliable notification to the interested party.

In any case, the TREATMENT RESPONSIBLE will inform the affected person of his/her right to collect protection from the Spanish Data Protection Agency or, as the case may be, from the control authorities of the autonomous communities.

RIGHTS GUARANTEE. Actions contrary to the provisions of this Law may be subject to complaint by the interested parties before the Data Protection Agency, in the manner determined by regulation.

The interested party to whom the exercise of the rights of opposition, access, rectification or suppression is totally or partially denied may inform the Data Protection Agency or, as the case may be, the competent body of each Autonomous Community, which must ensure that the denial comes from or is not appropriate.

The maximum period in which the express decision on the protection of rights must be issued is six months.

A contentious-administrative appeal will be filed against the decisions of the Data Protection Agency.

In order to communicate this resolution, the communication will be sent in such a way that it accredits both the fulfillment of the same, as well as its content. The data controller shall be responsible for proving compliance with the duty to respond, and shall retain the accreditation of compliance with the aforementioned duty.

RIGHT OF OPPOSITION TO DECISIONS BASED SOLELY ON AUTOMATED DATA PROCESSING

Stakeholders have the right to not be subject to a decision with legal effects on them or that significantly affects them, that is based solely on automated data processing to evaluate certain aspects of their personality, such as their job performance, credit, reliability or behaviour.

However, the persons concerned may be subject to one of these decisions when that decision is taken:

  • t has been adopted in the framework of the conclusion or execution of a contract at the request of the interested party, as long as he is given the opportunity to make whatever he deems appropriate, in order to defend his right or interest. In any case, the TREATMENT RESPONSIBLE must inform the affected person beforehand, clearly and precisely , that decisions will be taken with the characteristics indicated above and will cancel the data in the event that it is not finally held.
  • It is authorized by a norm with the rank of Law that establishes measures that guarantee the legitimate interest.

The right of opposition can be exercised by means of communication addressed to the TREATMENT RESPONSIBLE. It can be exercised by:

  • The affected person, proving their identity, as planned. The following is required:
    • Name and surname of the interested party.
    • Photocopy of his national identity document, or of his passport or other valid document that identifies him and, where appropriate, of the person representing him, or equivalent electronic instruments; as well as the document or electronic instrument accrediting such representation. The use of an electronic signature identifying the person concerned shall exempt the presentation of photocopies of the DNI or equivalent document.
    • Request in which the request is specified
    • Address for notification purposes, date and signature of the applicant.
    • Documents accrediting the petition, if any.

n the event that the application does not meet the requirements specified here, the person responsible for processing must request their correction.

When the affected person is in a situation of incapacity or minority of age which makes it impossible for him/her to exercise this right personally, it may be exercised by his/her legal representative, in which case it will be necessary for him/her to prove this condition.

The right of opposition may also be exercised through voluntary representative, expressly designated for the exercise of the right. In this case, the identity of the represented party must be clearly accredited by means of a copy of his National Identity Document or equivalent document, and the representation conferred by him.

The right to object will be DENIED when the request is made by a person other than the affected person and it is not accredited that the same is acting on behalf of that person..

The interested party must be granted a simple and free medium for the exercise of the right of opposition.

The cases in which the data controller establishes as a means for the interested party to exercise his/her rights the sending of registered letters or similar, the use of telecommunications services that imply an additional tariff for the affected party or any other means that imply an excessive cost for the interested party will not be considered in conformity with the provisions of General Data Protection Regulation (GDPR).

When the RESPONSIBLE FOR THE TREATMENT has services of any kind for the attention to his public or the exercise of claims related to the service provided or the products offered to the same , the affected person may be granted the possibility of exercising his right of opposition through said services . In this case, the identity of the interested party will be considered accredited by the means established for the identification of the clients of the responsible party in the provision of their services or contracting of their products.

The RESPONSIBLE FOR THE TREATMENT must attend the request of opposition exercised by the affected even if the same had not used the procedure established specifically for the purpose by him, provided that the interested party has used a means to accredit the sending and receipt of the request, and that it contains the elements referred to above.

The TREATMENT RESPONSIBLE must take the appropriate measures to ensure that people of your organization who have access to personal data can report the procedure to be followed by the affected for the exercise of their right of opposition.

PROCEDURE FOR THE EXERCISE OF RECTIFICATION AND SUPRESSION RIGHTS.

(Article 16 of the General Data Protection Regulation (GDPR)).

  1. An interested party of the Entity makes a communication to the Entity exercising its right of rectification or its right of suppression to its personal data, including or not its history
  2. The person receiving the communication will immediately forward it to the SAFETY RESPONSIBLE
  3. After the request for rectification or the request for suppression has arrived, the PRIVACY AND SAFETY RESPONSIBLE will examine the request so that the TREATMENT RESPONSIBLE resolves (6) about it within the maximum period of ten days counting from the receipt of the request(7).

In order to proceed with such an examination, the SAFETY AND PRIVACY RESPONSIBLE must take into account what is specified in the ANNEX to this procedure.

Said resolution may PROVIDE or REFUSE the exercise of the right of rectification or suppression:

A) GIVING RECTIFICATION of the data:

In this case the modification of the data will take place that result to be inaccurate or incomplete, previous reliable notification to the interested.

B) GIVING SUPRESSION of the data:

In this case, the data suppression will occur which result in inadequate or excessive , without prejudice to the duty to block according to General Data Protection Regulation (GDPR), previous reliable notification to the interested party.

In cases in which the interested party invokes the exercise of the right of suppression to revoke the previously given consent, the provisions of the General Data Protection Regulation (GDPR) shall apply.

C)  REJECTION of the RECTIFICATION of data:

The right of rectification may be refused in cases where a law or a directly applicable rule of Community law so provides or where such rules prevent the controller from disclosing to data subjects the processing of the data to which access relates.

This decision shall be notified to the data subject.

D)  REJECTION of the DELETION of the data:

Deletion shall not proceed when:

  • Personal data must be kept for the periods laid down in the applicable provisions.
  • Personal data must be kept for the periods provided for in the contractual relations between the person or entity responsible and the data subject that justified the processing of the data.
  • A law or a rule of Community law directly applicable or when these prevent the data controller from disclosing to the data subjects the processing of the data to which the access refers.

In any case, the TREATMENT RESPONSIBLE shall inform the data subject of his/her right to collect protection from the Spanish Data Protection Agency or, as the case may be, from the control authorities of the autonomous communities.

RIGHTS GUARANTEE. Actions contrary to the provisions of this Law may be subject to complaint by the interested parties before the Data Protection Agency, in the manner determined by regulation.

The interested party to whom the exercise of the rights of opposition, access, rectification or suppression is totally or partially denied may inform the Data Protection Agency or, as the case may be, the competent body of each Autonomous Community, which must ensure that the denial comes from or is not appropriate.

The maximum period in which the express decision on the protection of rights must be issued is six months.

A contentious-administrative appeal will be filed against the decisions of the Data Protection Agency.

In order to communicate this resolution, the communication will be sent in such a way that it accredits both the fulfillment of the same, as well as its content. The data controller shall be responsible for proving compliance with the duty to respond, and shall retain the accreditation of compliance with the aforementioned duty.

ANNEX DATA SUPRESSION OR RECTIFICATION PROCEDURE

How are the right of rectification and suppression exercised?

a) IN THE RECTIFICATION APPLICATION it should be indicated:

  1. At which data it is referred.
  2. The correction to make.
  3. It must be accompanied by supporting documentation

b) IN THE SUPRESSION APPLICATION, the interested party must indicate:

  1. At which data it is referred
  2. It must be accompanied by supporting documentation

If the rectified or cancelled data had been previously transferred , the TREATMENT RESPONSIBLE must communicate the rectification or deletion made to the transferee, within the same period, so that the latter, also within ten days counted from receipt of such communication, also proceeds to rectify or cancel the data.

The rectification or deletion made by the transferee will not require any communication to the interested party, without prejudice to the exercise of rights by the interested parties recognized in the General Data Protection Regulation (GDPR).

The right to rectification and deletion may be exercised by means of communication addressed to the TREATMENT RESPONSIBLE . It can be exercised by:

  • The affected person, proving their identity, as planned. Required:
    • Name and surname of the interested party
    • Photocopy of his national identity document, or of his passport or other valid document that identifies him and, where appropriate, of the person representing him, or equivalent electronic instruments; as well as the document or electronic instrument accrediting such representation. The use of an electronic signature identifying the person concerned shall exempt the presentation of photocopies of the DNI or equivalent document.
    • Request in which the request is specified.
    • Address for notification purposes, date and signature of the applicant.
    • Documents accrediting the petition, if any.

In the event that the application does not meet the requirements specified here, the TREATMENT RESPONSIBLE must request their correction.

When the affected person is in a situation of incapacity or minority of age which makes it impossible for him/her to exercise these rights personally, they may be exercised by his/her legal representative , in which case it will be necessary for him/her to prove such condition.

The rights may also be exercised through voluntary representative, expressly designated for the exercise of the right. In this case, the identity of the represented party must be clearly accredited by means of a copy of his National Identity Document or equivalent document, and the representation conferred by him.

The rights will be DENIED when the request is made by a person other than the affected person and it is not accredited that the same acts on behalf of that person..

A simple and free channel for the exercise of the rights of rectification and deletion shall be granted to the data subject.

The cases in which the data controller establishes as a means for the interested party to exercise his/her rights the sending of registered letters or similar, the use of telecommunications services that imply an additional tariff for the affected party or any other means that imply an excessive cost for the interested party will not be considered in conformity with the provisions of General Data Protection Regulation (GDPR).

When the RESPONSIBLE FOR THE TREATMENT has services of any kind for the attention to his public or the exercise of claims related to the service provided or the products offered to the same , the affected person may be granted the possibility of exercising his right of opposition through said services . In this case, the identity of the interested party will be considered accredited by the means established for the identification of the clients of the responsible party in the provision of their services or contracting of their products.

The RESPONSIBLE FOR THE TREATMENT must attend the request of opposition exercised by the affected even if the same had not used the procedure established specifically for the purpose by him, provided that the interested party has used a means to accredit the sending and receipt of the request, and that it contains the elements referred to above.

The TREATMENT RESPONSIBLE must take the appropriate measures to ensure that people of your organization who have access to personal data can report the procedure to be followed by the affected for the exercise of their right of opposition.

PORTABILITY RIGHT

  • The personal data concerning him/her, which he/she has provided to the Entity, will be given to the interested parties who request it.
  • Delivery will be in a structured format, commonly used and mechanically readable.
  • f requested, they shall be transferred to another controller where it is technically possible and the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b) and (b) of the European Data Protection Regulation and the processing is carried out by automated means.
  • The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the European Data Protection Regulation on the right of deletion of applicant data subjects.
  • That right shall not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of public authority conferred on the controller.
  • This right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
  • The right to portability shall refer only to automated processing operations directly or indirectly subject to the will or authorisation of the data subject (based on consent or on a contractual relationship).
  • The right will be extended to “Current Data” understood not only as those related to the present moment, without taking into account those that have been provided by the interested party or obtained through the use of the product or service previously contracted and that at the time of exercising the right are being processed.
  • Due to its comp

RIGHT OF LIMITATION

This right shall be granted to the persons concerned if one of the following conditions is met:

  • The interested party challenges the accuracy of the personal data, during a period that allows the responsible to verify the accuracy of data.
  • The processing is unlawful and the data subject opposes the deletion of personal data and requests instead the limitation.
  • The data controller no longer needs the personal data for the purposes of processing, but the data subject needs them for the formulation, exercise or defense.
  • he interested party has opposed the treatment under Article 21, paragraph 1, while verifying whether the legitimate motives of the responsible party prevail over those of the company.

Effects of the exercise of the right by the interested parties

Where the processing of personal data has been restricted, such data may be processed only with the consent of the data subject or for the purpose of making, pursuing or defending claims, or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a particular Member State, with the exception of storage.

Any data subject who has obtained limitation of processing in accordance with the foregoing shall be informed by THE ENTITY prior to the lifting of such limitation.

Because of the complexity of the case where a data subject exercises this right, each case will be studied on a case-by-case basis, seeking specialised professional assistance if necessary.


1 – If any

2 – In the event that you do not have personal data of those affected, you must also communicate it within the same period. The person responsible for the treatment must answer the request addressed to him in any case, regardless of whether or not personal data of the affected person is included in his information systems.

3 – After the deadline without expressly responding to the request for access, the interested party may file the claim provided for in article 12.4 of the General Data Protection Regulation (GDPR).

4 – In the event that you do not have personal data of the affected party, you must also communicate it within the same period. The person responsible for the treatment must answer the request addressed to him in any case, regardless of whether or not personal data of the affected person is included in his information systems.

5 – After the deadline without expressly responding to the request for access, the interested party may file the claim provided for in article 12.4 of the General Data Protection Regulation (GDPR).

6 – In the event that you do not have personal data of the affected party, you must also communicate it within the same period. The person responsible for the treatment must answer the request addressed to him in any case, regardless of whether or not personal data of the affected person is included in his information systems.

7 – After the deadline without expressly responding to the request for rectification or deletion, the interested party may file the claim provided for in article 12.4 of the General Data Protection Regulation (GDPR).