Privacy Policy
INDEX
- Objective of the Privacy Policy
- Definitions
- Identity of the Data Controller
- Applicable Laws and Regulations
- Principles Applicable to the Processing of Personal Data
- Data Processing Activities Performed
- Necessary and Updated Information
- Personal Data of Minors
- Technical and Organizational Security Measures
- Rights of the Data Subjects
- Complaints to the Supervisory Authority
- Acceptance and Changes in the Privacy Policy
1.- OBJECTIVE OF THE PRIVACY POLICY
This "Privacy and Data Protection Policy" aims to inform users of the conditions governing the collection and processing of personal data by COLOPAK PACKAGING SECUNDARIO, SL, which makes every effort to safeguard the fundamental rights, honor, and freedoms of the individuals whose personal data are processed, in compliance with the applicable regulations and laws governing the protection of personal data under European Union law and Spanish national law, specifically as outlined in the "Data Processing Activities" section of this Privacy Policy.
Therefore, this Privacy and Data Protection Policy provides users of the website https://www.colopak.com with all relevant details concerning how these processes are carried out, their purposes, which other entities may have access to their data, and what rights users have.
2.- DEFINITIONS
"Personal data": Any information related to an identified or identifiable natural person ("the website user"); an identifiable natural person is one whose identity can be determined, directly or indirectly, particularly by means of an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
"Processing": Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of access, comparison, or interconnection, restriction, erasure, or destruction.
"Restriction of processing": The marking of stored personal data to limit its future processing.
"Profiling": Any form of automated processing of personal data involving the use of personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects related to that person's professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
"Pseudonymization": The processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that the personal data cannot be attributed to an identified or identifiable person.
"File": Any structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized, or distributed in a functional or geographical manner.
"Data controller" or "controller": The natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the law of the Union or the Member States determines the purposes and means of processing, the controller or the specific criteria for its appointment may be set by Union or Member State law.
"Data processor" or "processor": The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
"Recipient": A natural or legal person, public authority, agency, or other body to which personal data are disclosed, whether or not they are a third party. However, public authorities that may receive personal data in the context of a specific investigation in accordance with Union or Member State law are not considered recipients; the processing of such data by these public authorities shall be in accordance with the applicable data protection rules for the purposes of processing.
"Third party": A natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and those authorized to process the data under the direct authority of the controller or processor.
"Consent of the data subject": Any freely given, specific, informed, and unambiguous indication of the data subject's wishes, either by a statement or a clear affirmative action, by which the data subject agrees to the processing of personal data relating to them.
"Personal data breach": A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.
"Genetic data": Personal data relating to the inherited or acquired genetic characteristics of a natural person that provide unique information about the physiology or health of that person, obtained in particular from the analysis of a biological sample from that person.
"Biometric data": Personal data resulting from a specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person which allow or confirm the unique identification of that person, such as facial images or fingerprints.
"Data related to health": Personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveals information about the individual's health status.
"Main establishment": a) With regard to a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions regarding the purposes and means of processing are taken in another establishment of the controller in the Union, and this latter establishment has the power to implement such decisions, in which case the establishment where such decisions are taken shall be considered the main establishment; b) With regard to a processor with establishments in more than one Member State, the place of its central administration in the Union or, if there is none, the establishment of the processor in the Union where the main processing activities are carried out in the context of the activities of one of the processor's establishments, provided the processor is subject to specific obligations under this Regulation.
"Representative": A natural or legal person established in the Union who, having been designated in writing by the controller or processor under Article 27 of the GDPR, represents the controller or processor in relation to their respective obligations under this Regulation.
"Enterprise": A natural or legal person engaged in an economic activity, irrespective of its legal form, including companies or associations regularly involved in economic activities.
"Supervisory authority": An independent public authority established by a Member State in accordance with Article 51 of the GDPR. In Spain, this is the Spanish Data Protection Agency (Agencia Española de Protección de Datos).
"Cross-border processing": a) Processing of personal data carried out in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State, or b) Processing of personal data carried out in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
"Information society service": Any service provided normally for remuneration, at a distance, by electronic means, and at the individual request of a service recipient.
3.- IDENTITY OF THE DATA CONTROLLER
The Data Controller is the individual or legal entity, whether public or private, or an administrative body, that alone or jointly with others determines the purposes and means of processing personal data; in cases where the purposes and means of processing are determined by European Union Law or Spanish national law.
Regarding the aspects expressed in this Data Protection Policy, the identity and contact details of the Data Controller are:
COLOPAK PACKAGING SECUNDARIO, SL - VAT Number B67545921
C/Santa María, 33 bajos – 08980 Sant Feliu de Llobregat (Barcelona), Spain
Email: jmc@colopak.com
Phone: +34 936856405
4.- APPLICABLE LAWS AND REGULATIONS
This Privacy and Data Protection Policy is developed based on the following data protection laws and regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council, dated April 27, 2016, on the protection of individuals with regard to the processing of personal data and the free movement of such data. Hereinafter, the GDPR.
- Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights. Hereinafter, the LOPD/GDD.
- Law 34/2002, of July 11, on Information Society Services and Electronic Commerce. Hereinafter, the LSSICE.
5.- PRINCIPLES APPLICABLE TO PERSONAL DATA PROCESSING
Personal data collected and processed through this Website will be handled in accordance with the following principles:
- Lawfulness, fairness, and transparency principle: Any personal data processing carried out through this Website will be lawful and fair, with complete transparency for the user regarding the collection, use, consultation, or processing of their personal data. Information about the processing activities will be provided beforehand, in an easily accessible manner, and in a clear, simple, and understandable language.
- Purpose limitation principle: All data will be collected for specified, legitimate, and clear purposes, and will not be further processed in a manner incompatible with those purposes.
- Data minimization principle: The data collected will be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accuracy principle: Data will be accurate and, where necessary, kept up to date, taking all reasonable measures to ensure the prompt deletion or correction of inaccurate data.
- Storage limitation principle: Data will be kept in a form that allows identification of the data subjects for no longer than is necessary for the purposes of data processing.
- Integrity and confidentiality principle: Data will be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss or damage, using appropriate technical and organizational measures.
- Accountability principle: The entity owning the Website will be responsible for ensuring compliance with the principles outlined in this section and will be able to demonstrate such compliance.
6.- DATA PROCESSING ACTIVITIES
Below are the data processing activities carried out through the Website, detailing each of the following sections:
- Activity: Name of the data processing activity
- Purposes: Each of the uses and processing carried out with the collected data
- Legal basis: The legal basis that justifies the data processing
- Processed data: Types of data processed
- Source: Where the data is obtained from
- Storage: Duration for which the data is retained
- Recipients: Persons or entities to whom the data is provided
- International transfers: Cross-border data transfers outside the European Union
6.1 MAIN DATA PROCESSING ACTIVITIES
These are data processing activities whose purposes are necessary and essential for the provision of services.
- RECEPTION OF CVs
Legal basis: (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties
Purposes: Reception of CVs
Categories of data and groups: Potential employees (Identifying data; Academic and professional data; Personal characteristics; Employment details)
Data source: The data subject or their legal representative
Recipient category: Not envisaged
International transfer: Not envisaged
Storage period: Until deletion is requested by the data subject
- BUDGET PROCESSING
Legal basis: (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties
Purposes: Budget processing
Categories of data and groups: Clients (Identifying data); Potential clients (Identifying data)
Data source: The data subject or their legal representative
Recipient category: Not envisaged
International transfer: Not envisaged
Storage period: Until deletion is requested by the data subject
- CLIENT BILLING
Legal basis: (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract
Legal basis: (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties
Purposes: Client billing
Categories of data and groups: Clients (Identifying data; Economic, financial, and insurance data)
Data source: The data subject or their legal representative
Recipient category: Not envisaged
International transfer: Not envisaged
Storage period: As long as the business relationship is maintained
6.2 OPTIONAL DATA PROCESSING ACTIVITIES (if the user has marked their consent)
These are data processing activities whose purposes are not essential for service provision and are only carried out if the user has given their consent by marking "YES" for these activities.
7.- NECESSARY AND UPDATED INFORMATION
All fields marked with an asterisk (*) in the Website forms are mandatory. Failure to complete any of these fields may result in the inability to provide the requested services or information.
You must provide truthful information to ensure that the data is always up-to-date and error-free. If there are any changes or corrections to your personal data, you must inform the Data Controller as soon as possible by sending an email to: jmc@colopak.com.
By clicking the "Accept" button (or equivalent) in the forms, you declare that the information and data provided are accurate and true, and that you understand and accept this Privacy Policy.
8.- DATA OF MINORS
In compliance with Article 8 of the GDPR and Article 7 of the LOPD/GDD, only those over the age of 14 may consent to the processing of their personal data by COLOPAK PACKAGING SECUNDARIO, SL.
Therefore, minors under the age of 14 cannot use the services available through the Website without the prior authorization of their parents, guardians, or legal representatives, who will be solely responsible for all actions carried out through the Website by the minors under their care. This includes completing online forms with the minor’s personal data and, where applicable, checking the associated boxes.
9.- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The Data Controller adopts the necessary organizational and technical measures to ensure the security and privacy of personal data, preventing its alteration, loss, unauthorized processing, or access, depending on the state of technology, the nature of the stored data, and the risks to which they are exposed.
Among other measures, the following are highlighted:
- Ensure the confidentiality, integrity, availability, and permanent resilience of processing systems and services.
- Restore the availability and access to personal data quickly in the case of a physical or technical incident.
- Regularly verify, assess, and evaluate the effectiveness of the technical and organizational measures implemented to ensure the security of processing.
- Pseudonymize and encrypt personal data when sensitive data is processed.
The Data Controller has also decided to manage information systems based on the following principles:
- Compliance Principle: All information systems will comply with applicable legal and regulatory norms, especially those related to personal data protection, system security, data, communications, and electronic services.
- Risk Management Principle: Risks will be minimized to acceptable levels, seeking a balance between security controls and the nature of the information. Security objectives must be established, reviewed, and consistent with information security aspects.
- Awareness and Training Principle: Training programs and awareness campaigns on information security matters will be implemented for all users with access to information.
- Proportionality Principle: The implementation of controls to mitigate risks will be done in balance with the nature of the information and the risks.
- Responsibility Principle: All members of the Data Controller will be responsible for their conduct concerning information security, adhering to established rules and controls.
- Continuous Improvement Principle: The effectiveness of the implemented security controls will be regularly reviewed to enhance adaptability to the evolving risks and technological environment.
10.- RIGHTS OF DATA SUBJECTS
The applicable data protection regulations protect users' rights concerning their data. These rights are personal and non-transferable, meaning they can only be exercised by the data subject after verifying their identity.
Here are the rights of users of the Website:
- Right of Access: The user has the right to obtain confirmation on whether the Data Controller is processing their personal data, and, if so, to receive detailed information about their specific data and the processing done.
- Right of Rectification: The user has the right to have any inaccurate or incomplete personal data corrected.
- Right to Erasure (Right to be Forgotten): The user can request the deletion of their personal data when no longer necessary, when consent is withdrawn, when there is an objection to the processing, or when data has been unlawfully processed.
- Right to Restriction of Processing: The user can request that the processing of their data be limited under certain conditions, such as when data accuracy is contested, processing is unlawful, or the data is no longer needed.
- Right to Data Portability: Users can request their personal data in a structured, commonly used, and machine-readable format to transfer to another Data Controller when processing is automated.
- Right to Object: The user can object to the processing of their personal data.
- Right not to be subject to automated decisions and profiling: The user has the right not to be subject to decisions based solely on automated processing, including profiling, unless permitted by law.
- Right to Withdraw Consent: The user can withdraw consent at any time, without affecting the legality of processing based on consent before its withdrawal.
Users can exercise these rights by contacting the Data Controller at the following contact details:
Data Controller: COLOPAK PACKAGING SECUNDARIO, SL
Address: Carrer Santa María, 33 bajos, 08980, Sant Feliu de Llobregat (Barcelona), Spain
Phone: 93 6856405
Email: jmc@colopak.com
Website: https://www.colopak.com
11.- RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY
Users are informed of their right to file a complaint with the Spanish Data Protection Agency if they believe that there has been a violation of data protection laws concerning the processing of their personal data.
Contact Information for the Supervisory Authority:
Spanish Data Protection Agency
Email: info@aepd.es
Phone: 912663517
Website: https://www.aepd.es
Address: C/. Jorge Juan, 6. 28001, Madrid (Spain)
12.- ACCEPTANCE AND CHANGES TO THE PRIVACY POLICY
It is necessary for the user to have read and agreed to the data protection conditions in this Privacy Policy, as well as to accept the processing of their personal data so that the Data Controller can proceed with the same under the specified terms, timelines, and purposes.
The Data Controller reserves the right to modify this Privacy Policy at its discretion or due to a legislative, jurisprudential, or doctrinal change by the Spanish Data Protection Agency. Any changes or updates to the Privacy Policy that affect the purposes, data retention periods, data transfers, and user rights will be explicitly communicated to the user.