BYG SAU – NIF: ES-A08220014 – with registered office in El Pla 45. Polígono El Pla. 08750 Molins de Rei, in the person of the interim legal representative, as controller of the data processing (hereinafter also “Controller”), wishes to inform you that, pursuant to art. 13 of EU Regulation no. 679/2016 (hereinafter “GDPR”), it needs to process your personal data in compliance with current regulations, as specified more clearly below.
1. Purpose of the Processing and categories of data processed:
- the Controller will process the personal identification data (merely by way of example: name, surname, address, telephone number, e-mail, etc., as well as any information provided during registration to the site and/or when filling in the forms provided there – hereinafter also “Data” -) freely communicated by you in order to avail of specific services offered by the site, which needs to be acquired in order to meet your requests.
- The Controller will also process all the data accessible through the computer systems and software procedures used to operate the site (navigation data), and in any case all the information that must be acquired in order to control the operation and use of the site for security and maintenance reasons, as well as for relations with the supervisory authorities and the fulfillment of all other legal and contractual obligations, and also, subject to your consent, for any marketing and profiling activities related to specific initiatives as further specified below.
The Controller does not knowingly collect personal data from persons under 18 years of age.
2. Purpose and legal basis of the processing and the consequences of the failure to communicate the data.
Your data are processed lawfully and in accordance with propriety for the purposes described below:
A. With regard to navigation data:
a) to allow the Controller to obtain anonymous statistical information concerning the use of the “bygmining.com” website, and to monitor its proper operation;
b) for security purposes (spam filters, firewalls and virus detection), in order to block attempts to damage the site or cause harm to users, and in any case to prevent harmful or criminal activities;
d) to enable the Controller to fulfill legal, accounting, fiscal, administrative and contractual obligations related to the management of the site and provision of the services requested, as well as to properly manage relations with authorities, control bodies and third-party public bodies for purposes related to particular requests, the fulfillment of legal obligations or other procedures.
This information will be acquired by the Controller, pursuant to art. 6 paragraph 1(b) of the GDPR, to allow you to browse the site properly, for the reasons already outlined in the first part.
B. With regard to data provided by the user voluntarily, the previously mentioned category also includes information (name, surname, email address, CV data, content acquired through the form filled in online, information provided by the user via e-mail and/or by calling the phone number given online, etc.) voluntarily provided by the user through specific sections of the site (if necessary, by filling and sending BYG SAU the specific documentation available on line), including the “Work with us” and “Newsletter” pages. This information will also be acquired by the Controller, pursuant to art. 6 paragraph 1(b) of the GDPR, in order to respond to your requests.
With particular reference to the voluntary sending of curriculum vitae – through the contact details given on the site – it should be noted that the personal data contained therein will be used by the Controller to initiate selection processes.
C. Marketing and business communications
In some cases, business promotion, sales and service improvement initiatives may be implemented, as well as market research. Entirely subject to your specific and clear consent (art. 7 GDPR), which you are free to grant or withhold, these activities are designed to:
C.1. allow the Controller to conduct market research and analysis aimed at determining the level of customer satisfaction with the quality and type of services provided and initiatives for the improvement of the services, as well as to send you promotional material and/or communications and information of a commercial and direct marketing nature regarding new services offered by the Controller or by third parties [also including other companies related in any way with BYG S.A.U (parent companies, subsidiaries and/or affiliates)], as well as related offers, discounts and any other promotional and loyalty initiative reserved to you, by means of conventional contact systems (printed mail or operator calls).
C.2. allow the Controller to conduct market research and analysis aimed at determining the level of customer satisfaction with the quality and type of services provided and initiatives for the improvement of the services, as well as to send you promotional material and/or communications and information of a commercial and direct marketing nature regarding new services offered by the Controller or by third parties [also including other companies related in any way with BYG S.A.U. (parent companies, subsidiaries and/or affiliates)], as well as related offers, discounts and any other promotional and loyalty initiative reserved to you, with the use of automated calling systems or call communication systems without operator intervention, or by email and/or SMS (Short message Service).
The processing of data for the above purposes (both “C.1.” and “C.2.”) is permitted in relation to the free circulation of data as provided for in the GDPR and may be implemented in activities designed to meet the legitimate commercial interests of the Controller, including commercial development activities carried out by the latter.
The provision of data for these purposes is optional. You can therefore decide not to provide any information or revoke consent to the processing of data already provided: if this case, you will not receive commercial communications and promotional material regarding the services offered by the Controller.
D. Provision of “tailored” products and services and processing of information regarding preferences, habits and consumption choices (profiling).
Entirely subject to your specific and clear consent (art. 7 GDPR), which you are free to grant or withhold, the Controller may need to process information about preferences, habits and consumption choices aimed at dividing stakeholders into homogeneous groups based on behaviours or characteristics (profiling), also through the use of advanced techniques or algorithms and computer systems and through data enrichment in order to develop, promote and provide “tailored” services from the Controller or from third parties [also including other companies in any way associated with BYG S.A.U. (parent, subsidiaries and/or affiliate companies)].
Profiling may also be done through “profiling cookies”, described in the Cookies Policy available through the following link https://byg.com/en/cookie-policy/ or based on data you have freely provided through the site.
Consent is given separately for profiling cookies and for data freely provided by the user.
The provision of data for these purposes is optional. You can therefore decide not to provide any information or revoke consent to the processing of data already provided: in this case, you will not receive dedicated commercial communications.
3. Methods of data processing:
The processing of your data is carried out by means of the operations indicated in art. 4 no. 2) GDPR and namely: collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of the data.
Your data may be processed on paper means as well as using electronic and/or automated means.
The data acquired will be processed in full compliance with the law, as well as with the principles of lawfulness, propriety, transparency, moderation and protection of your privacy and rights.
- Data storage period:
The Controller retains the data in compliance with local laws and internal corporate policies and procedures for the time necessary to fulfil the aforementioned purposes and to satisfy their own legitimate business interests and legal obligations or to establish, exercise or defend legal rights. Once the need to retain the data for these purposes is finished, the data will be eliminated in a secure manner.
- Categories of personal data recipients:
Your data may be disclosed for the purposes described above:
- to the Controller’s employees and collaborators in Spain and – in some cases – also abroad, in their capacity as data processors and/or sub-processors, namely persons authorised to process personal data in accordance with the GDPR, and/or persons provided with specific functions and tasks pursuant to art. 2 quaterdecies of Legislative Decree no. 196/2003;
- to other companies connected in any way (parent companies, subsidiaries and/or affiliates) with BYG S.A.U., whether in Spain or abroad, and to their employees and collaborators (for example, for administrative and accounting purposes);
- to other companies or entities [merely by way of example, companies that support facility management activities, banks (also for online payment by users), financial intermediaries, credit insurance institutions, professional firms, consultants etc.)] who carry out outsourcing activities on behalf of the Controller, in their capacity as external data processors, including suppliers or persons appointed to provide services ancillary or instrumental to the purposes indicated above, with which the Controller signs special agreements.
The Controller also reserves the right to make personal data accessible to certain third parties, including: IT providers for system development and technical assistance purposes; auditors and consultants to ensure compliance with internal and external requirements; legal entities, law enforcement agencies and stakeholders, in accordance with legal obligations regarding disclosure or claims; any successors or business partners of the Controller or of companies associated with them (parent companies, subsidiaries and/or affiliates) in the case of sale, transfer or other extraordinary transactions, also including other companies engaged by the Controller in the above transactions for various purposes, where appropriate; police forces, armed forces and other public administrations, for the fulfilment of legal obligations, regulations or EU legislation.
If these parties are based in non-EU Countries, the Controller shall ensure that the transfer of data outside of the EU is done in accordance with the applicable legal provisions, subject to drafting of the standard contractual clauses required by the European Commission, as specified in the article below. In the case of data acquired through video surveillance systems, all relevant requirements will be complied with, in accordance with current legislation.
- Data Transfer:
The data are stored on servers and storage devices within the European Union. It is in any case understood that, should the need arise, the Controller may also transfer the data to countries outside the European Union or the European Economic Area recognised by the European Commission that guarantee an adequate level of protection of the personal data or, otherwise, only if a level of personal data protection compared with that of the European Union is contractually guaranteed and the rights of the data subjects are ensured. In this event, the Controller hereby assures that data shall be transferred to non-EU Countries in compliance with applicable law provisions, subject to the standard contractual clauses to be stipulated as provided by the European Commission.
The Controller shall implement all necessary protection measures in the aforementioned transfers pursuant to the current legislation on privacy.
- Rights of the data subject:
In your capacity as data subject, you have rights under Articles 13, paragraph 2 (b), (c) and (d), 15, 16, 17, 18, 19 and 21 of the GDPR and specifically the rights to:
- obtain confirmation on the existence or non-existence of your personal data, even if not yet recorded, and to receive communication thereof in an intelligible form;
- obtain information about: a) the origin of data; b) the purposes and methods of the processing, as well as its legal basis; c) the methods and criteria applied for data processing using electronic means; d) the identification details of the Controller, the data protection officer and any representative appointed pursuant to art. 13, paragraph 1 of the GDPR; e) the subjects or categories of subjects to whom personal data may be communicated or who may become aware of such information as appointed representative in the territory of the State and as persons in charge;
- obtain: a) the updating, the correction or, when of interest, the integration of data; b) the deletion, conversion to an anonymous form or blocking of the information processed in violation of the law, there including any data that do not need to be stored in relation to the purposes for which they were collected or processed at a later date; c) a statement certifying that the operations provided for under letters a) and b) have been made known, including their content, to the persons whom the data were communicated or divulged, except in the event that such certification is impossible or involves the use of means that are clearly non-proportional with respect to the protected right;
- object, in full or in part: a) for legitimate reasons, to the processing of your personal data, even if such processing pertains to the scope of data collection; b) to the processing of your personal data for the purpose of sending advertising or direct sales materials or for conducting market research or sales communication surveys, using automated call systems without operator, e-mails and/or standard telephone or postal marketing methods. We underline that the data subject’s right to object, outlined under point b) above, for direct marketing purposes using automated means also encompasses standard marketing methods. In any event, the data subject shall always be entitled to exercise his/her objection right even only in part. Accordingly, the data subject may decide whether to receive communications only through standard means, or only automated communications or none of the above;
- where applicable, you also have the rights referred to in Articles 16-21 of the GDPR (the right of rectification, right to be forgotten, right of limitation of treatment, right to data portability, right of opposition), as well as the right of complaint to the Data Protection Authority.
- revoke the consent you give at any time.
With regard to the right to data portability, the data subject may ask to receive or transfer his or her personal data held by the Controller, in a commonly used and legible structured format, for further personal use or to provide it to other data controllers.
With reference to the service relationship, in general terms the data that may be subject to portability are personal details and contact information.
- How to exercise your rights:
You may at any time exercise your rights or make a request by sending: a registered letter with return receipt to BYG S.A.U. – NIF: ES-A08220014 – with registered office in El Pla 45. Polígono El Pla. 08750 Molins de Rei; or an e-mail to the address: [email protected]
The deadline for the reply is one month. This period may be extended by two months in particularly complex cases: where this occurs, the Controller shall send a notification regarding the reasons for the extension within one month.
The Controller has the right to request information necessary for the identification of the applicant.
In general terms, the exercise of these rights is free, except in cases of manifestly unfounded or excessive demands, for which the Controller may reserve the right to require the data subject to make a reasonable expense contribution based on the administrative costs involved.
- Controllers and Data processors:
BYG SAU – NIF: ES-A08220014 – with registered office in El Pla 45. Polígono El Pla. 08750 Molins de Rei in the person of the interim legal representative.
The updated list of the categories of data processors is kept at the Controller’s main office.