Privacy Policy
In accordance with the provisions of the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of personal data, the processing thereof and the free movement of such data, and Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights, we hereby provide you with the following information regarding the processing of your personal data.
Who is the data controller for your data?
- Company name: UCO TRADING SPAIN, S.L.
- CIF: nº B74346263
- Address: C/ Melquiades Alvarez Nº6, 2º izquierda letra-D, 33002 Oviedo, Asturias (España)
- Telephone: 985 757 156
- Email: info@ucotrading.com
- Email DPO: dpo@labyfis.es
Why do we process your personal data?
- Handling enquiries, queries, complaints or incidents; the exercise of rights and/or requests for information relating to the provision of services offered by the organisation, via email, telephone, social media, as well as any other means of contact provided and/or consented to by the data subject.
- Contacting the data subject via the contact details provided in order to manage responses to enquiries, requests and/or communications made by the data subject and/or arising from the contractual or collaborative relationship.
- Internal use, relationship management, contractual and regulatory compliance, and administrative, financial and accounting matters arising from the contractual relationship.
- Assessment of suppliers/partners with whom the Data Controller has a contractual or commercial relationship, in order to verify their compliance with the various regulations and/or policies that apply to them and/or are required of them by the Data Controller, including the necessary data protection safeguards.
- Sending commercial communications to the customer provided that a prior contractual relationship exists, in accordance with the provisions of Article 21 of the LSSICE, insofar as they relate to services similar to those contracted.
- Management of site visits, as well as safety and regulatory compliance on site; investigation of potential incidents or accidents; management of associated insurance; and handling of warnings or penalties for breaches of safety regulations.
- Contacting the data subject and sending commercial communications via the contact details provided by them, provided they have given their express consent, insofar as such communications are not covered by Article 21 of the LSSICE; in such cases, we will first consult the advertising opt-out systems (the Robinson List or similar registers established for this purpose).
- Quality control of the organisation’s services for internal use, including the assessment of customer/user satisfaction.
- Regulatory Compliance Management (applicable regulations and mandatory internal policies): Investigation, monitoring and auditing of controls put in place to prevent criminal offences, including the establishment of access controls to premises, for the investigation of any accidents and/or incidents that may occur, as well as regulatory breaches, criminal offences or unlawful conduct.
- Handling of complaints arising from non-compliance with contractual, regulatory and/or internal policy requirements established by the Data Controller.
- For statistical and historical purposes, with a view to improving the commercial strategy for the services offered by the Data Controller (in which case the data will be anonymised as far as possible).
- Handling of complaints/reports submitted via the complaints channel set up for this purpose for the organisation’s stakeholders within the framework of the service provision agreed between the parties.
- Processing arising from the implementation of any corporate restructuring operation or the transfer or assignment of a business or a branch of business, provided that such processing is necessary for the successful completion of the operation and ensures, where appropriate, the continuity of service provision.
- Should you have provided us with your CV or applied to take part in a recruitment process managed by the company itself or by an external firm engaged for that purpose, your data will be processed internally for the purposes of managing that process, adding you to our talent pool, and offering and managing any potential job or collaboration opportunities that may arise in the future. Furthermore, your data may be processed for the assessment of skills and to request references from companies or third parties with whom you have had any kind of professional or training relationship, as well as for inclusion in future recruitment processes, to the extent that you have expressly authorised this.
- Other purposes described in any additional consent forms expressly requested by the organisation, where applicable.
No “profile” of any kind will be created on the basis of the information provided, nor will automated decisions be made on the basis of profiles.
All the data requested by the Data Controller is necessary for the purposes outlined above to be fulfilled. Withholding information or failing to provide it may affect the outcome of our services or make it impossible for us to provide them.
What is the legal basis for processing your data?
The legal basis for the processing of your data is as follows:
- The performance of a contract and/or a request from the data subject. The data requested is necessary for its proper provision (Article 6(1)(b) of the GDPR).
- Compliance with a legal obligation: administrative, commercial, tax, fiscal, accounting, civil and financial regulations, consumer and user protection legislation, as well as the regulations inherent to the organisation’s activity (Article 6(1)(c) of the GDPR).
- To satisfy a legitimate interest of the data controller (Article 6(1)(f) of the GDPR): processing of data as part of a commercial relationship and/or contract, where such processing is necessary for the maintenance or performance of the relationship, fraud prevention, cases of legitimate interest where the data controller may be an aggrieved party and it is necessary to process and disclose the data of the non-compliant party to third parties in order to manage regulatory compliance and defend the interests of the data controller, the legitimate interest in direct marketing permitted by the LSSICE (sending commercial electronic communications regarding products or services similar to those contracted by the customer with whom there is a prior contractual relationship), as well as cases of legitimate interest in specific processing operations provided for in the LOPDGDD (Article 19. Processing of contact details and data of sole traders; Article 20. Credit information systems; Article 21. Processing related to the performance of certain commercial transactions (corporate restructuring or business transfers); Article 23. Advertising opt-out systems; Article 24. Internal reporting systems).
- Ultimately, the express consent of the data subject and/or their legal representative, provided unambiguously through data protection clauses. Such consent may be withdrawn at any time (Article 6(1)(a) of the GDPR).
How did we obtain your data?
- Through the data subject themselves or their legal representative.
- Through third parties with whom the data controller has a commercial or service provision relationship.
- Through third parties at the request of the data subject.
- Through public bodies relevant to the purpose of the contracted service provision.
- Data taken from publicly available sources.
What categories of data do we process?
We process personal and contact details; commercial information; financial and/or payment terms data; insurance data; and other types of data: contact details of individuals within the organisation who are involved in or associated with the service covered by the contract or request.
The data set in question does not contain any sensitive personal data, nor does it contain any data relating to criminal convictions or offences.
How long do we keep your data?
Your data will be retained for the period strictly necessary to fulfil the purposes of the processing, without prejudice to its retention for the purpose of making it available to the competent authorities and for dealing with complaints. In such cases, the data will be retained in a locked format until the end of the limitation period, after which it will be deleted.
Specifically, the statutory time limits we apply are:
- Accounting and Tax Documentation – For Tax Purposes: Accounting books and other mandatory records required under the relevant tax regulations (personal income tax, VAT, corporation tax, etc.), as well as the supporting documents justifying the entries recorded in the books (including computer programmes and files and any other supporting documents of tax significance), must be retained for at least the limitation period for tax offences – General Tax Law and Criminal Code: Statute of limitations for offences is 10 years.
- Accounting and Tax Documentation – For commercial purposes: Books, correspondence, documentation and supporting evidence relating to your business – Commercial Code – 6 years.
- Credit reference files: Data relating to debts that are certain, due and payable, and unclaimed – 5 years.
- CVs: 1 year, except in cases where the candidate is selected, in which case they will be included in the contracting organisation’s HR data processing.
- Data processed for the purpose of sending marketing communications will be retained until you withdraw your consent and/or request that its processing be restricted.
- The details of the person submitting a report are retained in the reporting system to determine whether to initiate an investigation into the alleged facts, and subsequently as evidence of the functioning of the legal entity’s crime prevention model, in accordance with the provisions of Article 24 of the LOPDGDD. In any event, three months after the data has been entered into the reporting channel, the data will be deleted from the system, unless it is retained as evidence of the functioning of the Management System.
- Data relating to potential users (customers/suppliers) of our products, or collected in response to a request for information, will be retained for a maximum of one year from the date of collection, after which it will be deleted if no contractual relationship has been established, or upon request by the data subject.
To whom may your data be disclosed?
Your data will not be sold, rented out or made available to third parties, with the exception of data processors, where required by law or with your express consent. Your data may therefore be disclosed or transferred to:
- Organisations or individuals engaged by the Data Controller to provide services related to the purposes of processing (for example: employment, tax and/or accounting consultancy firms; management, accounting and/or regulatory compliance auditors; IT maintenance companies; other professionals providing services in collaboration with and/or on behalf of the organisation; and recruitment agencies). These third-party service providers of the Data Controller will access the user’s personal data in their capacity as data processors. In any event, data will only be disclosed to third parties provided that they can demonstrate that they have a Personal Data Protection System in place that complies with the requirements of current legislation and regulations in this area.
- Public administration bodies or departments with jurisdiction over the matters covered by the purposes of the processing: the Spanish Tax Agency (AEAT), the Social Security system, public registers, etc.
- Third parties who have been expressly authorised by the data subject and/or their legal representative.
- Financial institutions: Direct debit arrangements and/or the processing of payments by cheque and other means of payment.
- Partners or organisers of events, projects and grants in which the organisation is involved, for the purpose of providing technical or financial justification for them.
- Law enforcement agencies: Where a legitimate interest is required for the investigation of a regulatory breach and/or similar matter.
- Reports of breaches of regulations and the code of conduct are forwarded to the Compliance Unit, where appropriate.
What are your rights?
You have the right to obtain confirmation as to whether or not we are processing personal data concerning you.
Data subjects have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, to request its erasure when, amongst other reasons, the data is no longer necessary for the purposes for which it was collected.
In certain circumstances, data subjects may request that the processing of their data be restricted, in which case we will retain it solely for the purpose of establishing or defending legal claims.
Furthermore, for reasons relating to a specific situation, data subjects may object to the processing of their data, in which case the data controller will cease processing the data, unless there are compelling legitimate grounds for doing so, or for the establishment, exercise or defence of legal claims.
Under the right to data portability, data subjects have the right to receive the personal data concerning them in a commonly used, machine-readable, structured format and to transmit those data to another controller.
If you have given your consent for a specific purpose, you have the right to withdraw that consent at any time, without this affecting the lawfulness of the processing carried out on the basis of your consent prior to its withdrawal.
Where should you go to exercise your rights?
If you wish to exercise your rights, please contact the channel established by the data controller for this purpose (dpo@labyfis.es), so that your request can be dealt with, and/or by writing to the postal address set out in this Privacy Policy.
What information is required to exercise your rights?
In order for you to exercise your rights, we need to verify your identity and the specific request you are making; we therefore ask you to provide the following information:
- Documented information (in writing or by email) regarding the request, setting out the details of the application.
- Proof of identity as the data subject in respect of whom the request is made (first name and surname of the data subject, and a photocopy of the data subject’s national identity card and/or that of their representative, as well as a document proving such representation, where applicable).
- Address for service of notices, date and signature of the applicant (in the case of a written application), or full name (in the case of an email application), or validation of the application in the private area of the communication channel using a personal authentication code to verify their identity.
- Where the data controller has reasonable doubts as to the identity of the natural person making the request, they may ask for the additional information necessary to confirm the data subject’s identity.
What is the general procedure for exercising your rights?
Once we have received the required information, we will respond to your request in accordance with the data controller’s standard procedure for exercising data subject rights:
- The data controller shall provide the data subject with information regarding the actions taken in response to a request made pursuant to Articles 15 to 22 (Rights of the data subject), and in any event within one month of receiving the request.
- This deadline may be extended by a further two months if necessary, taking into account the complexity and number of applications.
- The data controller shall inform the data subject of any such extension within one month of receiving the request, stating the reasons for the delay.
- Where the data subject submits the request electronically, the information shall be provided electronically where possible, unless the data subject requests that it be provided in another form.
- If the data controller does not act on the data subject’s request, it shall inform the data subject without delay, and no later than one month after receiving the request, of the reasons for its failure to act and of the possibility of lodging a complaint with a supervisory authority and of taking legal action.
- The information provided will be free of charge, subject to a reasonable fee to cover administrative costs.
- The data controller may refuse to act on the request, although the burden of proving that the request is manifestly unfounded or excessive shall lie with the data controller.
Forms for exercising rights under the AEPD
- Form for exercising the right of access.
- Form for exercising the right to rectification.
- Form for exercising the right to erasure.
- Form for exercising the right to object.
- Form for exercising the right to data portability.
- Form for exercising the right to restrict processing.
What avenues of redress are available?
If you feel that your rights have not been properly upheld, you have the right to lodge a complaint with the relevant data protection authority (www.agpd.es).
International data transfers
It is possible that some of our service providers may process personal data in a third country outside the European Union (as a general rule, data is processed and/or stored within the EU). In such cases, our organisation will implement all available measures and controls within its power to protect your personal data. The main measures adopted in such cases include the signing of standard contractual clauses approved by the European Commission, adherence to international agreements, and the request for approved and recognised certifications or codes of conduct. We have selected the platforms and providers that offer the greatest guarantees in this regard.
Similarly, information collected by third-party cookies may also be subject to such processing. You can find out more about these transfers in our Cookie Policy.
In any case, if you have any complaints or are aware of any misuse or malpractice on the part of these companies, please let us know so that we can take the necessary action by emailing our DPO at: dpo@labyfis.es.
User responsibility
Users who provide us with their personal data warrant that they are over 14 years of age and that the data provided to the Data Controller is true, accurate, complete and up to date. To this end, the user confirms that they are responsible for the accuracy of the data provided and that they will keep such information suitably up to date so that it reflects their actual situation, accepting responsibility for any false or inaccurate data they may provide, as well as for any direct or indirect damages that may arise.
Furthermore, where the user provides personal data relating to third parties, they are obliged to inform those third parties and obtain their consent for such processing.
Confidentiality and security in data processing
The data processed by our company will be treated with the utmost discretion and confidentiality. Our company has put in place all the technical and organisational measures at its disposal to prevent the loss, misuse, alteration, unauthorised access or copying of the data provided.
With regard to the personal data to which the Data Controller may have access as a result of the services contracted, we would like to inform you that the necessary confidentiality agreements have been signed with staff.
UCO TRADING SPAIN, S.L. undertakes to maintain the confidentiality of any information to which it has access, and not to disclose or publish it, either directly or through third parties or companies, or to make it available to third parties, except where required by law, or where it is disclosed to suppliers with whom it has signed the relevant Data Processor Agreement and/or where it has the authorisation of the data subject or their legal representative. This confidentiality obligation is of indefinite duration and shall survive the termination of the contract for any reason. UCO TRADING SPAIN, S.L. undertakes to communicate and ensure compliance by its staff and any personnel it employs with the obligations established regarding confidentiality and data protection.
Changes to the Privacy Policy
The Data Controller reserves the right to make, at any time, any amendments, changes, deletions or cancellations to the content and the way in which it is presented that it deems appropriate; we therefore recommend that you consult our privacy policy whenever you consider it relevant. If you do not agree with any of the changes, you may exercise your rights in accordance with the procedure described in this Privacy Policy.
If you require further information regarding any of the points set out in this Privacy Policy, please contact us at dpo@labyfis.es.
