PRIVACY AND DATA PROTECTION POLICY
- Data controller of your data
In accordance with the provisions of Regulation (EU) 2016/679 on general data protection (GDPR) and of Organic Law 3/2018 on the protection of personal data and guarantee of digital rights, we inform you that the data CONTROLLER (Legally Responsible Person) of your data, according to the network used, is TRAMVIA METROPOLITÀ SA with Value Added Tax Identification Number (NIF) A62415641 regarding TRAMBAIX, or TRAMVIA METROPOLITÀ DEL BESÒS SA SA with Value Added Tax Identification Number (NIF) A63061626 regarding TRAMBESÒS, both with post address at carrer Còrsega, 270, planta 4ª porta 6, 08008 Barcelona and email address email@example.com.
- Purpose of the processing of your personal data
The data CONTROLLER processes the information provided by the concerned persons in order to manage and keep appropriate professional, commercial, administrative relationships, if any, or provide the passenger transport service regarding the CONTROLLER activity, as well as concerning the employment relationship with its employees.
- Data conservation period
The personal data provided will be kept as long as the professional, commercial, governmental, service, or labour relationship with the persons concerned is in force and the parties involved do not request that it be deleted. Nevertheless, the data CONTROLLER may keep it, duly blocked, for the period of time legally foreseen for dealing with making and defending against complaints, as well as handling possible governmental or other legal responsibilities. Once the relationship between the CONTROLLER and the person concerned is concluded, the CONTROLLER will totally erase all of the personal data that it disposes of, except in the cases where it is blocked.
- Legitimacy for the handling of your data
The legal basis that legitimises the CONTROLLER’s handling will be the consent of the persons concerned , the providing of service, the exercising of public powers deriving from governmental granting, or, finally, the legitimate interest of the CONTROLLER.
The person concerned is required to provide the personal data necessary for the providing of the service requested, if this is the case. If the person concerned doesn’t provide information, or that information is imprecise, the CONTROLLER will be exonerated from all responsibility that may derive from the consequences of the imprecise or erroneous information.
The handling of the information services of interest is based on the consent requested from the person concerned, without the withdrawal of this consent in any case conditioning the execution of the services to be provided, if suitable.
- Destination of your data
The CONTROLLER will not grant or communicate the personal information provided by the person concerned to third parties, except as legally obliged to do so, or because it is necessary for the providing of the service inherent in the CONTROLLER’s activity and the organizations related to this service, such as the organizations operating the service, in charge of handling the information, or public transport organizations. The transfer of data to third countries is not foreseen.
- Rights of the person concerned
6.1. Right of access: The person concerned will have the right to obtain confirmation from the CONTROLLER about whether the personal data concerned is being handled or not and, in this case, he or she will have the right to access the personal information, the purposes for which it is being handled, the categories of personal information being handled, and who will receive it. The person concerned will also have the right to be informed about the period that the data will be kept, to request the rectification or deleting of the data, the limitation of handling, or opposition to it. The person concerned will also have the right to be informed about the right to present a complaint before the Control Authority about the existence of automated decisions, and to receive information about suitable guarantees in case of an international transfer of data.
6.2. Right to rectification: The person concerned will have the right to rectify inaccurate data and to complete incomplete information, even with an additional declaration.
6.3. Right to deletion: The person concerned will have the right to have his or her data deleted without undue delay when one of the terms set out in article 17 of the GDPR is met, such as the illicit handling of data, or when the purpose behind the handling or collection of data has disappeared. Nevertheless, the regulations have a series of exceptions in which this right is not in effect, for example, when the right to the freedom of expression or information must prevail, or for reasons of public interest.
6.4. Right to the limitation of handling: The person concerned will have the right to request of the CONTROLLER that the handling of his or her data be suspended when one of the requirements of article 18 of the GDPR is met, when the data is accused of being imprecise, while it’s being verified, or when the person concerned opposes deletion in the face of illicit handling and prefers the limitation of handling, when the person concerned no longer needs the data for the purpose of the handling; But on the other hand, the person concerned needs them for the exercising of his or her rights, or while the reasons for the right of opposition to the data are verified.
6.5. Right to the portability of information: The person concerned will have the right to receive the personal data provided in a structured format, of common use and mechanical reading, and to be able to transmit it to another CONTROLLER, as long as it is technically possible.
6.6. Right of opposition: The person concerned will have the right to oppose the handling of data when, due to its personal situation, the CONTROLLER must cease handling the data, unless a legitimate interest is accredited, or it is necessary for making or defending against complaints, or when, for example, the handling is for the purpose of direct sales techniques.
6.7. Right not to be the object of individual decisions: The person concerned will have the right not to be the object of a decision based solely on automated handling, including the creating of profiles, whether it has legal effects or not.
According to articles 15 to 22 of the GDPR, for the exercising of the rights of access to personal information regarding the person concerned, and its rectification or deletion, or the limitation of its handling, or for opposing handling, as well as the right of portability of the information, the person concerned may send something with his or her identifying information, a photocopy of his or her identity card and address for the purpose of notifications, in which the corresponding request is made to the post address: Còrsega, 270, planta 4ª porta 6, 08008 Barcelona, or email address: firstname.lastname@example.org, where it will be passed on to the body in charge of managing these rights, as corresponds, and the relationship will continue with the person concerned for these purposes.
If the request is exercised through a voluntary/legal representative, it will also be necessary to inform of the identity of the person represented, providing a copy of his or her identity card or an equivalent document, and the document of representation granted by the owner of the personal information.
- Security measures
The CONTROLLER has implemented the legally required security measures in their facilities, systems and processing, in accordance with the provisions of Regulation (EU) 2016/679 on general data protection, of 27 April 2016, and of Organic Law 3/2018 on the protection of personal data and guarantee of digital rights.
- Duty of confidentiality and secrecy
All of the information regarding the personal information provided by the persons concerned will be kept in the strictest confidentiality and, therefore, the CONTROLLER promises not to divulge it, except strictly for the performance of a request made by the person concerned or the fulfilment of a legal obligation or an imperative legal order.