DATA CONTROLLER
 

The Data Controller is CAN JORDI ENTERPRISES, SL, Can Jordi Nº47 – San Lorenzo de Balafia, 07812, Ibiza (ILLES BALEARS).
 

Privacy Principles
 

At CAN JORDI ENTERPRISES, SL we commit ourselves to continuously working to guarantee the privacy in the processing of your personal data and to provide you with the most complete and clear information possible at all times. We encourage you to carefully read this section before providing us with your personal data.
 

If you are under fourteen years of age, please do not provide us with your data without your parents' consent.

​

In this section we inform you about how we process the data of people who have a relationship with our organisation. Starting with our principles:
 

• We do not request personal information unless it is necessary to provide the services you request from us.

• We never share personal information with anyone except to comply with the law or if we have your authorisation.

• We will never use your personal data for purposes other than those stated in this policy.

• Your data will always be processed with a level of protection appropriate to data protection legislation, and we will not subject your data to automated decisions.
   

We have drafted this privacy policy taking into account the requirements of current data protection legislation:
 

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons (GDPR).

• Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPD).

• Royal Decree 1720/2007, of 21 December (RLOPD).
   

This privacy policy is drafted as of 6 December 2018.

​

Due to changes in processing criteria, in order to facilitate its understanding or adapt it to current legislation, we may modify this privacy policy. We will update its date so you can check its validity.
 

Processing Activities
 

EMPLOYEE PROCESSING

Legal basis:
GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is party or for pre-contractual measures at the request of the data subject.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller.
Royal Legislative Decree 2/2015, of 23 October, approving the Workers' Statute.

Purpose of processing:

• Management of employed personnel.

• Personnel file. Timekeeping control. Training. Pension plans. Occupational risk prevention.

• Payroll processing.

• Activity management.

Group: Employees.

Categories of data:

• Name and surname, ID/NIF/identification document, personnel registration number, Social Security/Mutuality number, address, signature, and telephone number.

Special categories of data:

• Health data (sick leave, work-related accidents, and degree of disability, excluding diagnoses), trade union membership exclusively for payment of union dues (if applicable), trade union representative (if applicable), attendance records of own and third parties.

• Personal characteristics data: Gender, marital status, nationality, age, date and place of birth, and family data.

• Family circumstances data: Date of start and termination, licences, permits, and authorisations.

• Academic and professional data: Qualifications, training, and experience.

• Employment details and administrative career.

• Presence control data: date/time of entry and exit, reason for absence.

• Economic-financial data: Payroll data, loans, guarantees, tax deductions, salary deductions from previous employment (if applicable), court retentions (if applicable), other deductions (if applicable).

Recipient categories:

• Entity entrusted with occupational risk management.

• General Treasury of Social Security.

• Organisations and Entities.

• State Tax Administration Agency.

• Principal contractors to whom we provide services.

International transfers: No international data transfers foreseen.

Deletion period: Data will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any possible responsibilities arising from this purpose and the processing of the data. Economic data will be retained in accordance with Law 58/2003, of 17 December, General Taxation.

Security measures: Compliant with Regulation (EU) 2016/679, GDPR.
 

CONTACTS PROCESSING
 

Legal basis: Consent of the data subject.

Purpose of processing: Responding to your request, sending information and following up on the request.

Group: Contact persons, customers, suppliers.

Data categories: Name and surname, telephone, email address.

Recipient categories: No third-party data transfers foreseen.

International transfers: No international transfers foreseen.

Deletion period: Contact data will be kept indefinitely or until deletion requested by the data subject.

Security measures: Compliant with Regulation (EU) 2016/679, GDPR.
 

PROCESSING TO RESPOND TO DATA SUBJECT RIGHTS (ARCO)
 

Legal basis: GDPR: 6.1.c) Processing necessary to comply with a legal obligation applicable to the controller (GDPR).

Purpose of processing: Responding to requests exercising rights established in GDPR.

Group: Individuals requesting it (employees, customers, suppliers, contacts).

Data categories: Name and surname, address, signature, and telephone number.

Recipient categories: Data may be communicated to the supervisory authority (Spanish Data Protection Agency) within the framework of an investigation regarding protection of rights initiated by the data subject.

International transfers: No international transfers foreseen.

Deletion period: Retained for five years from the request.

Security measures: Compliant with Regulation (EU) 2016/679, GDPR.
 

CANDIDATES PROCESSING (HR SELECTION)
 

Legal basis: GDPR: 6.1.b) Processing necessary for the performance of a contract or pre-contractual measures.

Purpose of processing: Staff selection and job vacancies.

Group: Candidates in recruitment processes.

Data categories: Name and surname, ID/CIF/identification document, personnel registration number, address, signature, and telephone number.
Personal characteristics: Gender, marital status, nationality, age, date/place of birth.
Academic/professional data: qualifications, training, experience.

Recipient categories: No third-party data transfers foreseen.

International transfers: No international transfers foreseen.

Deletion period: Data kept for necessary period for fulfilment of purpose and possible derived responsibilities.

Security measures: Compliant with Regulation (EU) 2016/679, GDPR.
 

SUPPLIER PROCESSING

Legal Basis:
GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is party or to implement pre-contractual measures at the request of the data subject.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the data controller.
Royal Legislative Decree 2/2015, of 23 October, approving the Workers' Statute.
Law 58/2003, of 17 December, General Taxation.

Purposes of processing:

• Acquisition of products and/or services required for conducting our business activity.

• Monitoring of subcontractors, where applicable.

Group:

• Suppliers.

• Employees of our suppliers.

Categories of data:

• Name and surname, DNI/NIF/identification document, address, signature and telephone number.

• Employment details: job position, training in occupational safety.

• Economic-financial and insurance data.

Categories of recipients:

• Financial institutions (invoice payments).

• State Tax Administration Agency.

International transfers: No international data transfers are foreseen.

Deletion period: Data will be retained for the time necessary to fulfil the purpose for which they were collected and to determine any potential liabilities arising from this purpose and the processing of data, in accordance with Law 58/2003, of 17 December, General Taxation.

Security measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

CUSTOMER PROCESSING

Legal Basis:
GDPR: 6.1.a) The data subject has given consent for processing their personal data for one or more specific purposes.
GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is party or for pre-contractual measures at the request of the data subject.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the data controller.
GDPR: 6.1.f) Processing necessary for the purposes of the legitimate interests pursued by the data controller.
Royal Legislative Decree 2/2015, of 23 October, approving the Workers' Statute.
Law 58/2003, of 17 December, General Taxation.

Purposes of processing:
Provision of our products/services.

Group: Customers.

Categories of data:

• Name and surname, DNI/NIF/identification document, address, signature and telephone number.

• Economic, financial and insurance data: Bank details.

Categories of recipients:

• Financial institutions.

• State Tax Administration Agency.

International transfers: No international data transfers are foreseen.

Deletion period: Data will be retained for the time necessary to fulfil the purpose for which they were collected and to determine any potential liabilities arising from this purpose and the processing of data, in accordance with Law 58/2003, of 17 December, General Taxation.

Security measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
 

VIDEO SURVEILLANCE PROCESSING
 

Legal Basis:
GDPR: 6.1.f) Processing necessary for the legitimate interests pursued by the data controller or by a third party.
Organic Law 2/1986, of 13 March, on Security Forces and Bodies.

Purposes of processing:
To guarantee the safety of individuals, goods and facilities, and for labour control.

Group: Employees, customers and suppliers, users.

Categories of data: Image and sound.

Categories of recipients:
Recordings may be communicated to the Security Forces and Bodies, if required by them, or if used as evidence of the commission of crimes.

International transfers: No international data transfers are foreseen.

Deletion period: Not exceeding one month.

Security measures: Adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.
 

YOUR RIGHTS

You have the right to request a copy of your personal data, rectify inaccurate data or complete incomplete data, or delete it when it is no longer necessary for the purposes for which it was collected.
 

You also have the right to restrict the processing of your personal data and to obtain your personal data in a structured and readable format.
 

You may object to the processing of your personal data under certain circumstances (in particular, when we do not need to process it to fulfil a contractual or other legal requirement, or when the purpose of the processing is direct marketing).
 

When you have given us your consent, you may withdraw it at any time. At that moment, we will stop processing your data or, where appropriate, we will stop processing it for that specific purpose. If you decide to withdraw your consent, this will not affect any processing that has taken place while your consent was valid.
 

These rights may be limited; for example, if fulfilling your request would require us to disclose data about another person, or if you request us to delete certain records that we are legally obliged to maintain, or for a legitimate interest, such as exercising or defending claims. Or even in those cases where the right to freedom of expression and information must prevail.

​

You can contact us by any means indicated in the Data Controller section of this privacy policy, providing a copy of a document proving your identity (usually your DNI).

Another of your rights is not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or affects you significantly.
 

In the event of any violation of your rights, for example, if we have not attended to your request, you have the right to file a complaint with the Data Protection Authority. This can be the authority of your country (if you live outside Spain) or the Spanish Data Protection Agency (if you live in Spain).
 

ADDITIONAL INFORMATION
 

Processing your data outside the European Economic Area:

For the processing mentioned above, we may use the services of the following providers located outside the European Economic Area, but covered by the Privacy Shield agreement, approved by the data protection authorities of the European Union:

• Amazon: More information

• Apple iOS: More information

• Dropbox: More information

• Facebook/Instagram (FB Messenger): More information

• Google (Drive/Mail…): More information

• LinkedIn: More information

• Microsoft (Drive, Skype…): More information

• Twitter (Microblogging social network): More information

• WhatsApp (Mobile instant messaging): More information