In compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and Organic Law 3 enacted on 5 December 2018 on Personal Data Protection and the Guarantee of Digital Rights, we hereby inform you that the data you provide us with will be incorporated onto a database whose Data Controller is: MAGNUM & PARTNERS REAL ESTATE S. L. – CIF (corporation tax no.): B-85815942
- Postal address: C/ Padilla nº 32. Esc. Izda. 2ºD, 28006 – Madrid.
- Tel. no.: 917452570
- e-mail: email@example.com
Any reference to “we” or “us” in this data protection communication refers to the aforementioned entity.
I.- Which data do we process?
The carrying out of our business relationships requires the processing of data related with our clients. In the event that these data pertain to a natural person (for example, if you are a self-employed professional and establish a relationship with us), they will be regarded as personal data. Regardless of the legal form of the counterparty, we will process the data relating to the contact persons who act as a client.
Please make this informative document about data protection available to the people in your organisation who participate in the business relationship with us («contact persons»).
- Basic data: We process a certain number of general data relating to our clients and contact persons and their employment relationship with us, collectively the “basic data”. The basic data include:
- a) Any information that has been provided to us during the establishment of the business relationship or that we have requested from our clients or from a contact person (for example, name, address and other contact details; and
- b) Any information collected or processed in relation to the establishment of the business relationship (for example, details of agreements entered into).
- Performance data: Whilst the business relationship is in force, we will collect personal data, besides the mere updating of your basic data which will be processed and referred to as “performance data”. The performance data include:
- a) Information on the fulfilment of the contractual obligations of our clients in relation to the agreements entered into.
- b) Information on compliance with our contractual obligations, in relation to the agreements entered into.
- c) Information that a client or a contact person has provided us with during the course of the commercial relationship, either on their own initiative or upon our request; and
- d) Personal data provided to us during the course of a business relationship by our client, a contact person or third parties.
- To the extent permitted by law, we may add personal data provided by third parties to the aforementioned basic and performance data. Said data may include information relating to the credit/commercial rating of our clients in the event that this proves necessary for the assessment of financial risks (for example, late payments).
II. For what purposes and based on what legal grounds do we process your personal data?
- We process basic, performance and usage data for the undertaking of the contractual relationship with our clients or for pre-contractual measures in application of Article 6.1 b) of the GDPR. Regardless of the legal form of our clients, we process basic and performance data in relation to one or more contact persons for the purposes of our legitimate interest in the performance of the business relationship in application of Article 6.1 (f) of the GDPR.
- We may also process basic, performance and usage data in compliance with our legal obligations; this processing is carried out pursuant to Article 6, Section 1 c) of the GDPR. Legal obligations may include, in particular, the mandatory communication of personal data to (tax) authorities.
- To the extent necessary, we carry out the processing of personal data (other than processing for reasons of a business relationship or to comply with our legal obligations) for the purposes arising from our legitimate interest or the legitimate interests of third parties, in accordance with Article 6, Section 1 f) of the GDPR. Legitimate interest may include:
- a) Processes, at group level, for the internal management of client data.
- b) The filing of, or defence against, legal actions.
- c) The prevention and investigation of crimes.
- d) Maintaining the security of our computer systems.
- e) Maintaining the security of our facilities and infrastructure.
- f) The management and carrying out of our business operations, including risk management.
- a) Processes, at group level, for the internal management of client data.
- If we offer a natural person the option to declare their consent to the processing of personal data, we will process the personal data included in the consent, for the purposes specified in said consent, pursuant to Article 6, Section 1 a) of the GDPR.
Please note that:
The declaration of conformity is voluntary. However, your failure to provide consent or the subsequent revocation thereof may have consequences which we will inform you of before offering you the option of declaring your consent.
You may revoke your consent at any time taking future effects, for example, notifying us by post, fax or e-mail, using the contact details indicated on the first page of this data protection communication.
III. Is there an obligation to provide personal data?
The provision of the basic and performance data specified in section I hereof is necessary to initiate and maintain a business relationship with us, unless otherwise specified prior to the collection of said data. If said data are not provided, we will not be able to start and maintain a business relationship.
In the event that we request new data, we will inform you whether said request for information is due to legal or contractual obligations, or whether it is necessary for the performance of a contract. We usually indicate which information is not due to legal or contractual obligations, nor is it necessary for the performance of a contract and can be provided voluntarily.
IV. Who has access to the personal data?
Generally speaking, the processing of personal data is carried out at our company. Depending on the personal data categories concerned, it may be the case that only some specialised departments/divisions have access to your personal data. Said divisions include, to be precise, the Sales Department and – in the event that the processing is carried out through our IT infrastructure – also our Information Technology department. Based on a role/rights management model, access to personal data is limited to the duties and to the extent necessary to fulfil the specific purpose of the processing.
To the extent permitted by law, we may transfer your data to recipients outside our company. Such external recipients may include:
- Subsidiaries of MAGNUM & PARTNERS REAL ESTATE S.L.
- Service providers who (pursuant to individual contracts signed with us) offer services that may include the processing of personal data, as well as the subcontractors of said service providers.
- Public and private organisations, to the extent that we are obliged to transfer your personal data owing to a legal obligation to which we are subject.
V. Do we use automated decisions?
We do not normally use automated decisions (including profiling) during the term of the business relationship, according to the meaning set out in Article 22 of the GDPR. If, in the future, we apply this type of procedure, we will inform data subjects individually in accordance with the applicable legal provisions.
VI. Are the data sent to countries outside the EU/EEA?
The processing of personal data is carried out within the European Union or within the European Economic Area.
Transfer of data to non-EEA countries
When personal data is transferred to locations outside the European Union/EEA, we will ensure, as required by law, that your data protection rights are properly protected, either because the European Commission has decided that the country to which the personal data are being transferred guarantees an adequate level of protection (art. 45 of the GDPR) or because the transfer is subject to appropriate guarantees (for example, standard contractual clauses) of the European Union agreed with the recipient (art. 46 of the GDPR), unless the GDPR determines any exception (art. 49 of the GDPR). Furthermore, where necessary, we intend to agree upon additional measures with recipients to ensure an adequate level of data protection. Copies of the appropriate guarantees (when we rely on them) and a list of non-EEA recipients may be requested.
VII. How long are these data retained for?
We usually keep personal data for as long as there is a legitimate interest to retain them and the interest of the data subject to refrain from processing does not prevail.
Even where there is no legitimate interest, we may retain the data if there is a legal obligation (for example, to comply with legal retention obligations). Even if the data subject does not take any action, we delete the personal data as soon as their retention is no longer necessary for the purposes for which the data were collected or otherwise processed or if, for some other reason, their retention is not permitted by law.
In general, the basic data and the rest of the data collected during your commercial relationship will be retained at least until the end of the corresponding business relationship. The data will be deleted, in any case, if the purposes of its collection or processing have been fulfilled. This time will arrive after the end of your business relationship with us. In the event that personal data must be retained to comply with a legal obligation, said data will be retained until the end of the corresponding retention period. By dint of the provisions of Law 10/2010, the retention period for documents pertaining to PML&FT will be 10 years.
In the event that the processing of personal data is carried out exclusively to comply with a legal obligation, access to said data is usually restricted in such a way that the data are only available if they are required for the purposes of said obligation.
VIII. What are the rights of the data subjects with regard to the processing?
Data subjects in the processing may:
- Request access to their personal data, Article 15 of the GDPR.
- Request the rectification of erroneous personal data, Article 16 of the GDPR.
- Request the deletion of their personal data, Article 17 of the GDPR.
- Request the restriction of the processing of their personal data, Article 18 of the GDPR.
- Exercise their right to data portability, Article 20 of the GDPR.
- Oppose the processing of their personal data, Article 21 of the GDPR.
The aforementioned rights may be asserted against us, for example, by sending us a notification using the contact details detailed on the first page of this informative document on data protection.
You are hereby informed that MAGNUM & PARTNERS REAL ESTATE, SL has appointed a Data Protection Officer (“DPO”) to whom you may submit any matter related with the processing of your personal data. You can contact the “DPO” at the following e-mail address: firstname.lastname@example.org; Or you can contact by post to the following address: Data Protection Officer C/ Padilla nº 32.- Esc Izq.- 2º Dcha. 28006 Madrid
Furthermore, the data subject may file a claim in relation to the management of their personal data to the competent supervisory authority, pursuant to Article 77 of the GDPR.