Privacy Policy

Introduction

This Privacy Policy has been drawn up taking into account the provisions set out by the Organic Law on the Protection of Personal Data, as well as by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, hereinafter referred to as GDPR.

This Privacy Policy sets out to inform data subjects, from whom information is being collected, about specific aspects relating to the processing of their data, such as the purposes of processing, contact information for exercising the rights to which they are entitled, the retention periods of information and security measures.

Data Controller

In terms of data protection, Ivascular, S.L.U shall be considered the data controller in relation to the files/processing identified in this policy, specifically in the Data Processing section.

Below are the details of the owner of this website:

Data Controller: Ivascular, S.L.U

Postal address: Camino De Can Ubach n11, 08620, Sant Vicenç dels Horts, (Barcelona).

Email address: info@ivascular.es

Data Processing

The personal data requested, where appropriate, shall consist only of data strictly necessary to identify and respond to the request made by its owner, hereinafter referred to as the data subject. This information shall be treated in a fair, lawful and transparent manner in relation to the data subject. Meanwhile, personal data shall be collected for explicit and legitimate purposes and shall not be processed in any way other than for the aforementioned purposes.

The data collected from each data subject shall be appropriate, relevant and not excessive in relation to the corresponding purposes for each case, and shall be updated whenever necessary.

The data subject shall be informed, prior to the collection of their data, of the general purposes regulated in this policy in order to give their express, precise and unequivocal consent for the processing of their data, in accordance with the following aspects.

Purpose of the processing.

The explicit purposes for which each type of processing is carried out are included in the information clauses within all data collection channels (website forms, paper forms, voice messages, posters and information sheets).

However, the data subject’s personal data shall be processed with the sole purpose of providing an effective response and answering the requests made by the user, specified next to the option, service, form or data collection system which the data subject uses.

Lawful basis

As a general rule, prior to the processing of personal data, Ivascular, S.L.U shall obtain the express and unequivocal consent from the data subject through the incorporation of informed consent clauses in the various information collection systems.

However, if the data subject’s consent is not required, the lawful basis of the processing which covers Ivascular, S.L.U is the existence of a specific law or regulation which authorises or requires the processing of the data subject’s data.

Recipients

As a general rule, Ivascular, S.L.U shall not transfer or disclose any data to third parties, unless required by law. However, if necessary, the data subject shall be informed of any such transfers or disclosures of data via the consent clauses included in each data collection channel.

Source

As a general rule, personal data is always collected directly from the data subject. However, in certain exceptions, data may be collected through third parties, entities or services other than the data subject. In this sense, this purpose shall be transferred to the data subject via the informed consent clauses contained in the data collection channels and within a reasonable time, once the data has been collected, and at the latest within one month.

Retention periods

The information collected from the data subject shall be retained for as long as it is necessary to fulfil the purpose for which the personal data was collected. Therefore, once the purpose has been fulfilled, the data shall be erased. Said cancellation shall result in the encryption of all data except those which are available to public authorities, judges and courts, as evidence for any possible legal action arising from the processing and for a predetermined period of time. Once the aforementioned period has elapsed, the information shall be destroyed.

For information purposes, below are the legal terms for the retention of information in relation to various matters:

| DOCUMENT | DURATION | LEGAL REF. |
| --- | --- | --- |
| Occupational or social security documents | 4 years | Article 21 of the Royal Legislative Decree 5/2000 of 4 August, approving the reviewed text of the Law on Offences and Sanctions in the Social Order |
| Accounting and fiscal documentation for commercial purposes | 6 years | Article 30 of the Code of Commerce |
| Accounting and tax documents for tax purposes | 4 years | Articles 66 to 70 of the General Tax Law |
| Control of access to buildings | 1 month | Instruction 1/1996 of the Spanish Data Protection Agency |
| Video surveillance | 1 month | Instruction 1/2006 of the Spanish Data Protection Agency; Organic Law 4/1997 |

Browsing data.

In relation to the browsing data which may be processed via the website, if data is collected which is covered by the regulation, please refer to the Cookie Policy published on our website.

Rights of data subjects.

The regulations on data protection grant a series of rights to data subjects and to users of the KIDS EUROSWAN, S.L. website or social media profiles.

The rights which apply to data subjects are as follows:

  • Right of access: right to obtain confirmation as to whether or not their personal data is being processed, the purposes of the processing, the categories of data concerned, the recipients or categories of recipient, the envisaged retention period and the source of said data.
  • Right to rectification: right to obtain the rectification of any inaccurate or incomplete personal data.
  • Right to erasure: right to request the erasure of data in the following cases:
    • When data is no longer necessary in relation to the purposes for which it was collected
    • When the data subject withdraws consent
    • When the data subject objects to the processing
    • When the personal data has to be erased for compliance with a legal obligation
    • When the personal data has been collected in relation to the offer of information society services referred to in Art. 8, section 1 of the European General Data Protection Regulation.
  • Right to object: right to object to processing based on the data subject’s consent.
  • Right to restriction: right to obtain from the controller restriction of processing where one of the following applies:
    • When the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
    • When the processing is unlawful and the data subject opposes the erasure of the personal data.
    • When the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
    • When the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
  • Right to portability: the right to obtain data in a structured, commonly used and machine-readable format, and to transmit it to another data controller when:
    • The processing is based on consent
    • The processing is carried out by automated means
  • The right to lodge a complaint with the Supervisory Authority

Data parties may exercise the indicated rights by writing to KIDS EUROSWAN, S.L. at the following address: arco@ivascular.global, indicating in the subject line the right they wish to exercise.

In this sense, Ivascular, S.L.U shall deal with their request as soon as possible and taking into account the terms set out in the regulations on data protection.

Security

The security measures adopted by Ivascular, S.L.U are those required by the provisions of Article 32 of the GDPR. In this sense, Ivascular, S.L.U, taking into account the state of the technology, the costs of application and the nature, scope, context and purposes of the processing, as well as the risks of variable probability and severity for the rights and freedoms of natural persons, has implemented the appropriate technical and organisational measures to guarantee the risk-appropriate level of security.

In any case, Ivascular, S.L.U has implemented sufficient mechanisms to:

  1. Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  2. Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  3. Regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the processing.
  4. Pseudonymise and encrypt personal data, if applicable.