Privacy Policy

At GRUPO HIEMESA we are committed to the protection of privacy and the correct use of personal data.

To that end, this Privacy Policy aims to inform about the processing of personal data that GRUPO HIEMESA carries out on this website and on any of its subdomains.


1. Who is responsible for the processing of your personal data?

The company that owns each domain is responsible for the processing of the data collected through it.

However, as indicated in the Legal Disclaimer, the domains of the different companies are managed by HIEMESA S.L.

You can contact us at:

  • Address: Pol. Industrial Zona Franca, Sector M, 08040 Barcelona or at the address indicated in each of the companies of the Group
  • Email: comercial@hiemesa.com
  • Tel: (+34) 932 237 520
  • Data Protection Officer: dpo@hiemesa.com

2. Why do we process your personal contact data?

We may process your personal data for different purposes:

  • Web forms:
    • The personal data collected through the contact form or any other web form, or because you send us an email, will be processed by the company that owns said web form, in its capacity as the Data Controller, in order to manage and respond to your request or inquiry, questions, complaints, etc., or for the specific purpose indicated in the web form.
  • Electronic newsletter:
    • In addition, if you specifically request this by requesting to receive our e-newsletter, we will keep you informed of the latest developments in relation to the Hiemesa Group’s products and services. You can unsubscribe at any time if you no longer wish to receive such information. You will find a link to that effect at the footer of each newsletter. You can also unsubscribe at any time or communicate your request to us using the contact options specified at the end of this document.
  • Management of CVs:
    • We may also process your data to take into account your application for possible vacancies or jobs that may arise in any of the group companies that fit your profile and experience. We inform you that the management of personnel is carried out by our parent company HIEMESA S.L., so your data will be communicated to them and the rest of the group companies in which job vacancies may become available. If you do not agree with us forwarding them your data, we will not be able to manage your application.
  • Contact details:
    • For the management of your contact details and, where appropriate, those relating to the role or position performed in your company, for your professional location and only for maintaining relationships of any kind with the legal entity in which the affected person provides its services.

3. What is the legal basis that legitimizes the processing of your personal data? In other words, what is the basis for processing your personal data or what enables us to do so?

The legal basis that legitimizes our processing of your personal data can be diverse:

  • In some cases it may be the consent of the interested parties (subscription to an electronic newsletter, completion of a web form, sending of a CV, etc.). When the processing is based on your consent, it will be understood to be granted unequivocally, considering that providing such information is a clear affirmative act on your part, which manifests such consent.
  • In other cases, it is to fulfill a legal obligation on our part.
  • The performance of a contract or the legitimate interest of the Data Controller (management of contact data and, where appropriate, data relating to the role or position performed by the natural persons providing services within a legal entity).

The provision of the requested data is mandatory because it is essential in order to process your request and/or provide our services. If you do not provide this data, we will not be able to respond to your request or provide our services.


4. How long do we keep your personal data?

Personal data will be kept for as long as the attention of the object of the communication requires and, in the case of sending commercial communications, as long as we have your consent and you have not expressed any opposition thereto.

Even if the deletion is requested, they will remain blocked for the necessary time, and limiting their treatment, only for one of these cases: to comply with legal/contractual obligations of any kind to which we are subject and/or during the legal terms established for the limitation of any responsibilities on our part and/or the exercise or defense of claims derived from the relationship maintained with the data subject.


5. Who should keep the data up to date?

On the other hand, in an effort to ensure that the data in our files, digital and/or paper, is always current, we will try to keep it updated. Hence, for these purposes, the User must make the changes directly when enabled to do so, either by communicating by reliable means to the corresponding area or department or by sending an email to dpo@hiemesa.com.

 


6. Who can be assignees or recipients of your personal data?

Personal data will not be transferred or communicated to third parties, except in the cases necessary for the development, control and fulfillment of the expressed purpose(s), in the cases provided by Law.


7. Security of the Personal Data

HIEMESA S.L. will adopt the appropriate technical and organizational measures in its information system, complying with the principle of proactive responsibility, in order to guarantee the security and confidentiality of the stored data, thus avoiding its alteration, loss, processing or unauthorized access, taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as variable probability and severity risks associated with each instance of processing.


8. What are your data protection rights and how can you exercise them?

You may exercise the rights of access, rectification, deletion, limitation, portability or, where appropriate, opposition, for these purposes, by writing a request, accompanied by a photocopy of your ID or equivalent identification document, addressed to dpo@hiemesa.com or to the address of each of the Group companies indicated in the Legal Disclaimer. In case you act through a representative, legal or voluntary, you must also provide documentation proving the representation and a piece of identification for said representative.

Likewise, if you consider that your right to the protection of personal data has been violated, you may file a complaint with our Data Protection Officer (dpo@hiemesa.com) or, where appropriate, with the Spanish Data Protection Agency (www.aepd.es).

More information is provided below about how to exercise your data protection rights:

  1. What are my rights?
  2. Who can exercise these rights?
  3. How and where can I exercise these rights?
  4. Additional information

   

1) What are my rights?

The data protection regulations allow you to exercise your rights of access, rectification, opposition, portability, deletion (“right to be forgotten”), limitation of processing and not to be subject to individualized decisions, in accordance with Regulation (EU) 2016/679, of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”) and Organic Law 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD):

Right of access

You have the right to know:

  • Whether or not we are processing personal data concerning you.
  • The origin of your data, if you did not provide it to us.
  • The purposes of processing your data.
  • The categories of data concerned.
  • The recipients or categories of recipients to whom the personal data have been or will be disclosed.
  • Where possible, the envisaged period for which the personal data will be stored (or, if not possible, the criteria used to determine this period).
  • The right to lodge a complaint with a supervisory authority.
  • If we make automated decisions – including profiling – using your personal data.

Right to rectification

You have the right to have your personal data rectified:

  • Completing your data, if it was incomplete.
  • Updating or rectifying it, if for any reason it does not reflect your current situation or it is inaccurate.

By exercising the right of rectification, we will ensure that all your personal data is accurate and complete.

Right of deletion

You have the right to have your personal data deleted when one of the following conditions is met:

  • Such data is no longer necessary for the purposes for which it was collected or processed.
  • You withdraw the consent on which we base the processing of your data and this cannot be protected on another basis of legitimacy.
  • You have successfully exercised the right to object to the processing of your data.
  • Your personal data has been processed unlawfully.

Right to restriction on processing

  • You have the right to obtain a restriction on the processing of your personal data (i.e. that we keep it without using it for the intended purposes).

Right of opposition

You have the right to ask us to stop using your personal data, for example, when you believe that the personal data we hold about you may be incorrect or you believe that we no longer need to use it.

Right of portability

When the processing of your data is based on consent or is necessary for the execution of a contract or pre-contract and is carried out by automated means, you have the right to the portability of your data, that is, for it to be delivered to you in a structured format, commonly used and machine-readable, even to send it to a new data controller. For this purpose, the data controller will facilitate the portability of your data to the new data controller.

 

2) Who can exercise these rights?

You as interested party or owner of the personal data, acting in your own name and right.

Through another duly authorized person acting as a legal representative (e.g. when the holders of parental authority or guardianship act on behalf of a person under the age of 14 or when acting as a legal representative of a person with functional diversity) or volunteer (person that you have freely and voluntarily granted powers of representation for these purposes).

 

3) How and where can I exercise these rights?

By Postal Mail

You can present the letter at the address of each of the companies of the Group indicated in the Legal Disclaimer.

Online

You can submit the letter by sending an email to the following address dpo@hiemesa.com.

In both cases, you must:

  • Provide sufficient data and information to respond to the request. For these purposes, you may use the form templates that the Spanish Data Protection Agency makes available to you at https://www.aepd.es/es/derechos-y-deberes/conoce-tus-derechos
  • Sign the form by hand or, where appropriate and if you have a recognized digital certificate, sign it electronically.
  • Attach a photocopy of your national ID card, passport, or other equivalent government-issued ID. In case of acting on behalf of a third party, a copy of your ID or equivalent identification document must also be included, as well as the document substantiating the representation of the interested party.
  • Send the form and documents proving your identity by any of the aforementioned means.

 

4) Additional information

The Data Controller will analyze whether or not the request complies with the law. The Data Controller shall inform the petitioner of the decision made, proceeding accordingly: if it admits the request, it shall adopt the appropriate measures according to the right exercised; if it denies the request, it shall indicate the system of recourse provided by law. If requests are manifestly unfounded or excessive (e.g. repetitive), the Data Controller may: (i) collect a fee proportional to the administrative costs incurred, or (ii) refuse to act.

 

For more information or clarification about your rights in the protection of personal data, please contact our Data Protection Officer dpo@hiemesa.com.

 


ADDITIONAL INFORMATION ON DATA PROTECTION

  1. VIDEO SURVEILLANCE IN BUILDINGS AND FACILITIES

In order to guarantee the security of property, facilities and premises, as well as that of the people who work or access them, we inform you that surveillance cameras or video cameras have been set up on site. It is a matter of putting in place a measure that enables us to anticipate and prevent possible risks, dangers or infractions which affect said people, property and facilities.

The images captured by the video surveillance systems are processed by the Data Controller of the HIEMESA Group entity that owns the system.

The lawfulness of the processing is based on Article 6.1(f) of the GDPR: The processing is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, provided that such interests do not prevail over the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

The images (personal data) will be kept for a maximum period of one month, unless they must be blocked in order to be turned over to the competent public authorities, in case they have detected illegal or irregular acts.

Thus, the images may be transferred, where appropriate, to Security Forces and Bodies, as well as to Courts or Tribunals.

 

  2. CANDIDATES

Your data is processed by each entity of the Group as data controller.

The purpose of the processing of the data contained in your CV is to carry out the staff hiring processes in our organization.

The legality of the processing is based on Article 6.1(a) of the GDPR: The interested party gave their consent to the processing of their personal data for one or more specific purposes.

The Curriculum Vitae will be kept for a maximum period of one year, provided that the applicant has not revoked the consent granted.

Personal data may be communicated to other companies in the Group, provided that you have previously given us your explicit consent.

Your data will not be transferred or communicated to third parties.

 

  3. CONTROLLED ACCESS TO FACILITIES

Your data is processed by the company of the HIEMESA Group that performs such control as data controller.

The purpose of the processing of your data is to manage and control access of all those members and people who access the entity’s facilities.

The lawfulness of the processing is based on Article 6.1(a) of the GDPR: The data subject gave his consent to the processing of his personal data for one or more specific purposes.

The retention period will be:

  • For the suppliers and customers of the HIEMESA Group entity, three months
  • For the entity’s staff, during the time necessary to comply with the corresponding legal obligations.

Unless, in both cases, the data must be blocked in case of having detected illegal or irregular acts; having the data available for the purposes of applying the sanctioning regime and, where appropriate, making the data available to the competent public authority, as well as Courts or Tribunals.

The personal data collected for this purpose will be kept until the end of the employment relationship with the employee and once it is finished, it will be kept based on the legal periods for conservation of personal data as regards employment matters.

The data may be transferred or communicated to the competent courts and tribunals.

 

  4. CUSTOMERS

Your data is processed by each entity of the Group as data controller.

Your personal data will be used for the purpose of maintaining relationships of any kind with our customers as a result of the contractual relationship we have entered into, especially relationships relating to the economic, administrative and fiscal management, quality control, and personalized attention necessary to fulfill the contractual relationship.

The lawfulness of the processing is based on Article 6.1(b) of the GDPR: The processing is necessary for the performance of a contract to which the data subject is a party or for the application at the request of the latter of pre-contractual measures and 6.1(c): The processing is necessary for the fulfillment of a legal obligation incumbent on the Data Controller.

The period of conservation of your personal data will be for the duration of the established relationship, and once it has ended, your data will be kept based on the legal terms of conservation in economic and fiscal matters, which based on the type of document, can range from a minimum of 4 years to a maximum of 10 years.

  5. SUPPLIERS

The personal data of the signatories of the contract, as well as the people who participate or are in contact with the provision of the service, will be processed by each entity of the Group in their capacity as data controller.

The legal basis that legitimizes the processing of the data is the contractual relationship, for the entering into the relationship and executing the contract.

The purpose of the data processing is to maintain the contractual relationship, in the economic and technical aspects derived, as well as to perform and monitor the contracted service(s) and, where appropriate, to submit information on incidents related to those.

The data will not be disclosed to third parties, unless it is communicated to public or private entities, to which it is necessary or mandatory to transfer said data in order to manage the contractual relationship, as well as in the cases provided for by law.

The data will be stored for the time necessary to fulfill the purpose for which it was collected and to determine the possible liabilities that may arise from that purpose and the processing of the data and may be required by the competent public authorities (Tax Agency or Courts).

 

  6. SOCIAL MEDIA

Each entity has different profiles on social media to publicize their activities and interact with users. Users of these social networks who voluntarily decide to follow or become friends, express their consent to the processing of their personal data relating to their profile in order to interact on social media. The HIEMESA entity that owns the profile does not collect data from social media for purposes other than those mentioned. The use of social media involves an international transfer of data for the provision of the service. This communication is based on the adoption by the social media of standard contractual clauses, in accordance with Decision 2010/87 of the European Commission. You can stop following or being a friend of the entity at any time.

The user must respect the rights of third parties, especially the rights of privacy and data protection, as well as the rules of intellectual and industrial property, as regards any and all information that they publish on the entity’s website. The publication of information that in any way violates morality, public order, fundamental rights, public freedoms, with special attention to the honor, privacy or image of third parties and, in general, against human rights, is prohibited. The user will be the sole party responsible for the information they publish.

We recommend you review the privacy settings of the social media and we attach a link to the different privacy policies:

Twitter: https://twitter.com/es/privacy

Facebook: https://es-es.facebook.com/privacy/explanation

 

  7. EMAIL

The personal data we process as a result of the reception and/or exchange of emails will be processed in order to attend and respond to your request for information or inquiry, to maintain commercial or professional contacts and relationships that occur as a result of these, or to maintain any contractual relationship.

In the case of completing a form prepared through the tools provided by Google, we inform you that it involves an international transfer of data to Google LLC for the provision of the Service. This communication is based on the adoption by Google of standard contractual clauses, in accordance with Decision 2010/87 of the European Commission.

  8. NEWSLETTER

In addition, in the event that you expressly authorize it by marking the corresponding box or through your express request, we will keep you informed about our activities through an electronic newsletter. For your registration to be effective, we need a valid email address. To verify that the request comes from the actual owner of the email address, we use the response method. To do this, we register the order of the newsletter and send you a confirmation email.

The consent to process your personal data and its further use for sending newsletters can be revoked at any time. You will find a link to that effect at the footer of each newsletter. You can also unsubscribe at any time or communicate your request to us using the contact options specified at the end of this document.

If you subscribe to our newsletter, we inform you that we use the Mailchimp application for its management, which implies an international transfer of data to Mailchimp (The Rocket Science Group LLC) for the provision of the service. This communication is based on the adoption by Mailchimp of standard contractual clauses, in accordance with Decision 2010/87 of the European Commission.

Likewise, we inform you that this company uses devices for tracking the activity of the recipients, in order to control the opening of the emails and clicking of the links contained in the emails and to collect information such as the IP address, browser, type of email client and similar details, in order to be able to create campaign tracking reports with the information collected and to improve the effectiveness of Mailchimp services. For more information, you can consult the Mailchimp Policy: https://mailchimp.com/legal/privacy/.