This is the Cooperativa de Plantes Ornamentals del Maresme SCCL data protection policy. It refers to the data it processes through its commercial activities in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016) and the Organic Law 3/2018, of December 5, on Data Protection and Guarantee of Digital Rights.
Who is responsible for processing personal data?
The body responsible for the processing of personal data is Cooperativa de Plantas Ornamentales del Maresme SCCL (hereinafter, CORMA), with CIF F08668824 registered in the Register of Cooperatives with the number BN-1212, domiciled at Premià de Dalt 08338 Barcelona,telephone 937549000, email email@example.com and website www.corma.es.
CORMA is an integral part of the CLADE group, which also includes Abacus Cooperativa, Blanquerna-URL, Comunidad Minera Olesana, Cooperativa Plana de Vic, Escola Sant Gervasi, SOM, Lavola, Orquesta Sinfónica del Vallés and Suara Cooperativa (more information about the group www.grupclade.com).
¿Who is the Data Protection Officer?
The Data Protection Officer (DPO) is the person supervising the enforcement of the Data Protection Policy of CORMA, ensuring that personal data are properly processed and that the rights of individuals are protected. One of their duties is to answer any questions, suggestions, complaints or claims from the people to whom the data belong. The Data Protection Officer may be contacted in writing at CORMA SCCL, Camí del mig, 20 08338 Premià de Dalt, through the phone number 937549000 and via e-mail at firstname.lastname@example.org
Why do we process data?
At CORMA, we process personal data for the following reasons:
Answer the inquiries of the people who contact us through contact forms on our website. We use it only for this purpose.
Providing support for people who contact us through this route. In order to offer more quality in the service, conversations can be recorded over the telephone, with the person with whom we communicate being informed of this beforehand.
Receiving the CVs of people interested inworking with us and managing personal data generated by participation in recruitment processes, in order to analyse the adequacy of the profile of candidates based on the vacant or newly created places. Our criterion is to keep the data of people who do not end up being hired for a maximum of one year, in case a new vacancy or a new job becomes available in the short term. However, in the latter case, we immediately remove the data if the interested party asks us to do so.
Register new customers and additional data that may be generated as a result of the commercial relationship with customers. In the hiring process, the essential data are requested, among which must appear bank details (current account number or credit card number) that will be sent to banking entities that manage the collection (they can only be used for this purpose). The commercial relationship entails other processing, such as incorporating the data to the accounting, billing or information provided to the tax administration. By accessing the customer area of our website it is possible to manage your own data, take on products, check consumption and billing, access promotions and discounts or know the status of inquiries and claims made through this channel. Access to the client area gives us information about the activity of the user of this service.
Record the data of the cooperative’s members and the additional data that may be generated as a result of their participation in the cooperative. The data is used to organize the services, to inform the members of the cooperative’s initiatives, to summon them to events or to the mandatory meetings and to inform them of the products or services.
Product and service information
Provided that there is a contractual relationship with its customers, CORMA SCCL uses this contact information to communicate its own information, which may incidentally include references to our products or services, whether of a general nature or referred more specifically to the characteristics and needs of a particular client.
Other product and service information
With the customers’ explicit authorisation, once the contractual relationship is finished, the contact information is kept to send advertising related to our services or products, or information of a general or more specific nature depending on the characteristics of the client. This information is sent to those who, despite not being a client, ask us or accept it by filling out our forms.
Advertising of products and services from companies in our group
Always with the previous and explicit authorization of the persons indicated in the previous section, the contact data serve to elaborate advertising, both of a general nature and adapted to the characteristics of the person, along with information on products or services from the group’s companies. Likewise, with the explicit consent of the interested party, the contact data may be communicated to these companies so that these companies can directly send advertisements for their products or services.
Managing our suppliers’ data
We record and process the data of the providers from whom we obtain services or goods. This can be data from people who act as freelancers and also data from representatives of legal entities. We obtain the data needed to maintain the commercial relationship, we only use it for this purpose and we appropriately use this kind of relationship.
When accessing our facilities, you are informed of the video surveillance cameras via the certified labels. The cameras record images only of the points where it is justified to ensure the safety of the goods and people and the images are used only for this purpose.
Other data collection channels
We also obtain data through face-to-face relationships and other channels such as receiving emails or through our profiles on social networks. In all cases, the data is intended only for the explicit purposes that justify its collection and processing.
What is the legal legitimacy for processing the data?
The data processing we carry out have different legal bases, depending on the nature of each process.
In compliance with a pre-contractual relationship. This is data from possible clients or suppliers with whom we have relations prior to the formalization of a contractual relationship, such as the preparation or the study of budgets). It is also the case of data processing of people who have sent us their CVs or who participate in selective processes.
In compliance with a contractual relationship. This relates to the relationships with our clients and suppliers and all the actions and uses that these relationships entail.
In compliance with legal obligations. Data is communicated to the tax administration under regulations which govern commercial relationships. This may involve having to communicate data to judicial bodies or security forces and bodies, also in compliance with legal norms that require collaboration with these public bodies.
Based on consent. When we send information about our products or services, we process the contact details of the recipients with their authorization or explicit consent. The browsing data that we can obtain through cookies is obtained with the consent of the person who visits our website, whose can revoke their consent at any time by uninstalling these cookies. It is also with the prior consent of each person that we communicate their data to other companies in our group.
For legitimate interest. The images that we obtain with the video surveillance cameras are processed in the legitimate interest of our company to preserve its assets and facilities. Our legitimate interest also justifies the processing of data that we obtain from the contact forms, as well as data from the people who register to comment on our social networks.
Who is the data communicated to?
As a general criterion we only communicate data to administrations or public authorities and always in compliance with legal obligations. When sending invoices to customers, the data can be communicated to banking entities. In justified cases, we will communicate the data to the security forces or bodies or the competent judicial entities. Furthermore, if consent has been given, the data may be communicated to other companies in our group for the purposes indicated above. We do not transfer data beyond the scope of the European Union (international transfer).
In another sense, for certain tasks we obtain the services of companies or people who provide us with their experience and expertise. In some cases, these external companies need access to personal data under our responsibility. It is not really a transfer of data but a commission for processing. Only services from companies that guarantee compliance with data protection regulations are contracted. When entering into a contract, their confidentiality obligations are formalized and their actions monitored. This may refer to hosting services, computer support services or legal, accounting or tax advice.
For how long will we keep the data?
We comply with the legal obligation to limit the period of data conservation to the maximum. For this reason it is only kept for the necessary time in line with the purpose for its collection. In certain cases, such as the data that appear in the accounting and billing documents, the fiscal regulations means that we keep them until these responsibilities expire. For data processed based on the consent of the person concerned, they are kept as long as this person has not revoked this consent. The images obtained by the video surveillance cameras are kept for a maximum of one month, although in the case of incidents that justify it, it will be preserved for the time needed to facilitate the actions of the security forces or bodies or judicial entities.
What rights do people have regarding the data that we process?
As stipulated in the General Data Protection Regulations, the people from whom we process data have the following rights:
To know if it is being processed. Anyone has, first of all, the right to know if we are processing your data, regardless of whether there has been a prior relationship.
To be informed that is it being collected. When the personal data is obtained from the interested party, when it is being provided they must have clear information about the purposes for which the data will be used, who will be responsible for the processing and the rest of the aspects derived from this processing .
To have access to it. Very broad right that includes knowing precisely which personal data is subject to processing, what is the purpose of the processing, any communications to other people (if applicable) or the right to obtain a copy or to know the expected period of conservation.
To request that it be modified. It is the right to modify inaccurate data that is being used by us.
To request that it be deleted. In certain circumstances you can request that the data be deleted when, among other reasons, it is no longer necessary for the purposes for which it was collected and which justified its processing.
To request limits on its processing. Also in certain circumstances you have the right to request a limit on the data processing. In this case they will cease to be processed and will only be kept for exercising or defending claims, in accordance with the General Data Protection Regulations.
The transferability. In the cases provided for in the regulations, the right to obtain personal data in a structured format of common use readable by machine is recognized and transmitted to another processing controller if the interested person so decides.
To oppose the processing. A person can produce reasons related to their particular situation, reasons that will lead to their data no longer being processed to the extent or way which may cause harm, except for legitimate reasons or the exercise or defence of claims.
To not receive any commercial information. We will immediately respond to requests to stop sending commercial information to people who previously authorised it.
How can my rights be exercises or defended?
The rights that we have just listed can be exercised by sending a written request to CORMA SCCL to the postal address Camí del Mig, 20, of Premià de Dalt (CP 08338), or through the electronic form available at www.corma.es, or by sending an email to email@example.com, indicating in all cases “Protection of personal data”.
If a satisfactory response has not been obtained when exercising the rights, it is possible to file a claim with the Spanish Agency for Data Protection, through the forms or other channels accessible from its website www.agpd.es.
The Data Protection officer may be contacted at all times through the e-mail address firstname.lastname@example.org to submit a claim, ask for clarifications or make suggestions.