Privacy Policy

Home
/
Exlabesa
/
Privacy Policy

Data Controllers

ControllerEXLABESA EXTRUSION PADRON, S.L.EXLABESA BUILDING SYSTEMS, S.A.U.
TINB70056957A15313752
AddressPol. Ind. F. Quintá – Padrón, 15980 – A CoruñaLugar de Campaña s/n, 36645, Valga, Pontevedra
Email addressproteccion.datos@exlabesa.comproteccion.datos@exlabesa.com

Purposes and Legal Bases

In addition to the basic data protection information provided through each of the data collection channels, the following section offers further details regarding the purposes for which we collect data and the legal bases for the corresponding processing activities:

Unsolicited Applications: If unsolicited applications are received through the section provided for this purpose, these will be reviewed to assess whether the applicant’s profile matches any of our available positions. The lawfulness of the processing is based on art. 6(1)(a) of the GDPR: “the data subject has given consent to the processing of their personal data for one or more specific purposes.

Contact Section: The data provided will be used to handle enquiries, complaints, suggestions, or claims. The lawfulness of the processing is based on Article 6(1)(a) of the GDPR: “the data subject has given consent to the processing of their personal data for one or more specific purposes.”

Cookies: The data will be used to ensure the proper functioning of the website and for the purposes outlined in the Cookie Policy. The lawfulness of the processing is based on Article 6(1)(a) of the GDPR: “the data subject has given consent to the processing of their personal data for one or more specific purposes.”

Ethics Channel: The data provided will be used to process reports submitted through the Ethics Channel. The lawfulness of the processing is based on Article 6(1)(c) of the GDPR: “processing is necessary for compliance with a legal obligation to which the controller is subject,” as well as the provisions of Spanish Law 2/2023 of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption.

Data Transfers or Disclosures

Your data will not be disclosed to third parties without your prior consent, except in cases provided for by law.

For the management of certain services, it is necessary to grant access to your data to specific providers who deliver essential services for the operation of our business. To ensure the highest level of protection, we have entered into the appropriate data processing agreements. These agreements ensure that the providers process the data solely in accordance with our instructions, thereby guaranteeing the security and integrity of the information they access during the performance of the contracted service.

Data Retention Periods

In addition to the basic data protection information provided through each data collection channel, the following section details additional information regarding the retention periods for the different types of data we process through our website.

Unsolicited Applications: Data will be retained for 1 year.

Contact Section: Data will be retained for as long as necessary for the purpose for which it was collected and will be duly blocked during the statute of limitations period applicable to any potential liabilities.

Cookies: Data will be retained for the periods established in the Cookie Policy.

Internal Information System: Data will be retained for the periods established in Spanish Law 2/2023.

Profiling and International Data Transfers

International Data Transfers: Although we have offices in various location worldwide, there will be no international transfers of personal data to third countries outside the European Economic Area (EEA). All data is processed and stored within the EEA, ensuring that information is protected in accordance with current regulations.

Automated Profiling: We will not create automated profiles with the information collected, except in the case of accepting personalisation cookies, through which automated profiling will be created based on your preferences and browsing behaviour.

Withdrawal of Consent

In cases where the processing of personal data is based on consent, please note that you have the right to withdraw your consent at any time, easily and free of charge, by contacting us at the postal addresses provided or via proteccion.datos@exlabesa.com. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal.

Data Subject Rights

Data protection law grants you several rights concerning the protection of your information. These include:

  • Right of access: The right to obtain information as to whether or not your personal data is being processed, and access the information regarding the purposes of the processing, the categories of data involved, the recipients or categories of recipients, the storage period, and the source of the data.
  • Right to rectification: The right to request the correction of inaccurate or incomplete personal data.
  • Right to object: The right to object to specific types of processing based on consent previously given.
  • Right to erasure: The right to have your data erased in the following situations:
    • The personal data is no longer necessary for the purpose for which it was collected.
    • The data subject withdraws consent.
    • The data subject objects to the processing.
    • Erasure is required due to a legal obligation.
    • The data was obtained through an information society service in accordance with Article 8(1) of the European General Data Protection Regulation (GDPR).
  • Right to restriction: The right to obtain restriction of the processing of your data when any of the following circumstances apply:
    • The accuracy of the personal data is contested by the data subject, for a period allowing the company to verify its accuracy.
    • The processing is unlawful, and the data subject opposes the erasure of the data.
    • The company no longer needs the data for the purposes for which it was collected, but the data subject requires the data for the establishment, exercise, or defence of legal claims.
    • The data subject has objected to the processing pending verification of whether the company’s legitimate grounds override those of the data subject.
  • Right to data portability: The right to receive your personal data, when processing is carried out by automated means, in a structured, commonly used, machine-readable, and interoperable format, and to transmit those data to another data controller, provided that the processing is based on consent or is necessary for the performance of a contract.
    • This right, by its very nature, does not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Right not to be subject to a decision based solely on automated processing: The right not to be subject to a decision based solely on the processing of personal data, including profiling, in a manner which produces legal effects or similarly significantly affects the data subject.

This right does not apply when:

  • It is necessary for the conclusion or performance of a contract between you and the controller.
  • The processing of your data is based on your previously given consent.

* In these first two cases, the controller must guarantee the data subjects’ right to obtain human intervention, to express their point of view, and to challenge the decision.

  • It is authorised by Union or Member State law, and appropriate measures are in place to safeguard the rights, freedoms, and legitimate interests of the data subject.

* In turn, these exceptions shall not apply to special categories of data (Article 9.1), unless Article 9.2 (a) or (g) applies and the appropriate measures referred to in the preceding paragraph have been taken.

You can exercise the above rights by writing to the postal addresses indicated at the beginning of this Privacy Policy or by email at proteccion.datos@exlabesa.com.

We will respond to your request as soon as possible, taking into account the deadlines established by data protection regulations. Furthermore, please be informed that if you believe your rights have been violated, you have the right to file a complaint with the Spanish Data Protection Agency at www.aepd.es.

Security

The security measures adopted are those required under Article 32 of the Spanish GDPR. Considering the state of the art, implementation costs, as well as the nature, scope, context, and purposes of the processing, and assessing the risks – both in terms of probability and severity – to the rights and freedoms of individuals, we have implemented appropriate technical and organisational measures to ensure the highest level of protection for the data processed.

We have put in place sufficient mechanisms to:

  • Ensure the confidentiality, integrity, availability and resilience of processing systems and services.
  • Restore availability and access to personal data quickly in the event of physical or technical incident.
  • Regularly verify, evaluate and, assess the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.
  • Pseudonymise and encrypt personal data, where necessary.