Privacy Policy

TABLE OF CONTENTS

1. Purpose of the Privacy Policy
2. Definitions
3. Identity of the Data Controller
4. Applicable laws and regulations
5. Principles applicable to the processing of personal data
6. Data Processing Activities Carried Out
7. Necessary and updated information
8. Personal data of minors
9. Technical and organizational security measures
10. Rights of data subjects
11. Complaints to the Supervisory Authority
12. Acceptance and changes to the Privacy Policy

 

1.- PURPOSE OF THE PRIVACY POLICY

The purpose of this “Privacy and Data Protection Policy” is to make known the conditions that govern the collection and processing of personal data by INNOIT
CONSULTING, making every effort to ensure the fundamental rights, honor and freedoms of the people whose personal data is processed, complying with the regulations and laws in force that regulate the protection of personal data according to the European Union and the Spanish Member State and, specifically, those expressed in the “Data Processing Activities” section of this Privacy Policy.

Therefore, in this Privacy and Data Protection Policy, users of the Website https://www.inno-it.es/ are informed of all the details of interest regarding how these processes are carried out, for what purposes, what other entities may have access to their data and what are the rights of users.

2.- DEFINITIONS

«Personal data»: Any information relating to an identified or identifiable natural person (“the Website user”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

«Processing»: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

«Restriction of processing»: the marking of stored personal data with the aim of limiting their processing in the future.

«Profiling»: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

«Pseudonymization»: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

«File»: any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.

«Data controller» or «controller»: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

«Data processor» o «processor»: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

«Recipient»: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

«Third party»: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

«Consent of the data subject»: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

«Personal data breach»: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

«Genetic data»: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

«Biometric data»: personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

«Data concerning health»: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

«Main establishment»: a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment which has taken such decisions shall be considered to be the main establishment; b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation.

«Representative»: a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under this Regulation.

«Company»: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

«Supervisory authority»: the independent public authority which is established by a Member State pursuant to Article 51 of the GDPR. In the case of Spain, it is the Spanish Data Protection Agency.

«Cross-border processing»: a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

«Information society service»: any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.

 

3.- IDENTITY OF THE DATA CONTROLLER

The Data Controller is the natural or legal person, of a public or private nature, or administrative body, that alone or jointly with others determines the purposes and means of the processing of personal data; in the event that the purposes and means of the processing are determined by European Union Law or the Spanish Member State.

In the aspects expressed in this Data Protection Policy, the identity and contact details of the Data Controller are:

INNOIT CONSULTING S.L. – CIF B66958752
C/ Diputació, 280, bajos 2ª, 08009 Barcelona (Barcelona), Spain
• Email: privacidad@inno-it.es
• Telephone: 931 720 620

4.- APPLICABLE LAWS AND REGULATIONS

This Privacy and Data Protection Policy is developed based on the following data protection regulations and laws:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
  on the protection of natural persons with regard to the processing of personal data
  and on the free movement of such data. Hereinafter GDPR.
• Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights.
  Hereinafter LOPD/GDD.
• Law 34/2002, of July 11, on Information Society Services and Electronic Commerce.
  Hereinafter LSSICE.

5.- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

The personal data collected and processed through this Website will be treated in accordance with the following principles:

• Principle of lawfulness, fairness and transparency: All processing of personal data carried out
  through this Website will be lawful and fair, being totally clear to the user when
  personal data concerning him or her is being collected, used, consulted or processed. The
  information relating to the processing carried out will be transmitted in a prior, easily
  accessible and easy to understand manner, in simple and clear language.
• Principle of purpose limitation: All data will be collected for specific
  , explicit and legitimate purposes, and will not be further processed in a manner
  incompatible with the purposes for which they were collected.
• Principle of data minimization: The data collected will be adequate, relevant and
  limited to what is necessary in relation to the purposes for which they are processed.
• Principle of accuracy: The data will be accurate and, if necessary, updated, adopting all reasonable measures to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are suppressed or rectified without delay.
• Principle of limitation of the retention period: The data will be kept in a way that allows the identification of the data subjects for no longer than is necessary for the purposes of the processing of personal data.
• Principle of integrity and confidentiality: The data will be processed in such a way as to guarantee adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss or damage, through the application of appropriate technical and organizational measures.
• Principle of proactive responsibility: The entity owning the Website will be responsible for compliance with the principles set forth in this section and will be able to demonstrate it.

6.- DATA PROCESSING ACTIVITIES

The following details the data processing activities carried out through the Website, specifying each of the following sections:
• Activity: Name of the data processing activity
• Purposes: Each of the uses and treatments that are carried out with the data collected
• Legal basis: The legal basis that legitimizes the processing of data
• Data processed: Type of data processed
• Origin: Where the data is obtained from
• Conservation: Period during which the data is kept
• Recipients: Third parties or entities to whom the data is provided
• International transfers: Cross-border transfers of data outside the European Union

6.1 MAIN PROCESSING ACTIVITIES

These are those data processing activities whose purposes are necessary and essential for the provision of services.

6.2 OPTIONAL PROCESSING ACTIVITIES (if the user has marked their acceptance)

These are those personal data processing activities whose purposes are not essential for the provision of the service and that are only carried out if the user has marked YES in the consent for carrying out these activities.

Website management
Legal bases

(Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.f GDPR) Legitimate interest
of the Data Controller or third parties; Organic Law on
Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)
3/2018, Regulation (EU) 2016/679 on the protection of personal data
Purposes
The data requested through the contact form, sent through the
email or provided through the telephone published on our website will be
used to answer your query and send you information about our
organization and services. The consequences of not providing us with this data will be the
impossibility of contacting you and providing you with an answer to your request. You
have the right to receive an answer to any question, query or clarification that may
arise from this form or from the other means of contact published on
the corporate website, by calling us, sending us an email or visiting our
facilities.
Categories of
data and groups Web users (Identification data)
Origin of
data The data subject or his legal representative
Category of
recipients
We do not transfer your data to anyone, but we may allow its processing by
third parties only for technical, legal and/or service provision reasons.
International
transfer Not planned
Term of
conservation
For a period of 1 year from the last confirmation of interest. Or the term
necessary if there is any legal obligation or legitimate interest in this regard.
Security measures

The implemented security measures correspond to those described in the
documents that make up the organization’s data protection and information security policy.

Subscriber management
Legal bases Explicit consent of the interested party
Purposes Marketing, advertising and commercial prospecting
Data categories
and groups Subscribers (Identification data)
Origin of
data The interested party or their legal representative
Category of
recipients Not planned
Transfer
international
THE ROCKET SCIENCE GROUP LLC D/B/A MAILCHIMP – States
United (Newsletter) – Adequate Guarantees
Term of
conservation Until its deletion is requested by the interested party
Security measures

The implemented security measures correspond to those described in the
documents that make up the organization’s data protection and information security policy.

Internal CV processing
Legal bases
(Art. 6.1.a GDPR) Consent of the interested party; (Art. 6.1.b GDPR) Existence of
a contractual relationship with the interested party through a contract or pre-contract; Organic Law
on the Protection of Personal Data and Guarantee of Digital Rights
(LOPDGDD) 3/2018, Regulation (EU) 2016/679 on the protection of personal data
.

Internal CV processing
Purposes
Receipt and processing of Curriculum Vitae (CV) for personnel selection procedures for the organization.
The consequences of not giving your
consent for the aforementioned purposes will be the impossibility of
contacting you and managing your CV in our internal personnel selection processes.
You have the right to receive an answer to any question, query or
clarification that arises from this form, by calling us, sending us an
e-mail or visiting our facilities.
Categories of
data and groups Candidate (Identification data; Academic and professional)
Origin of
data
The interested party or their legal representative; The candidate themselves or their
legal representative submit their CV
Category of
recipients Not planned
Transfer
international Not planned
Term of
conservation
Other. We keep your data for a period of 6 years from the last
confirmation of interest, except in the event that they were incorporated into a
employment file or while you do not request its deletion during this time or the
time necessary if there is any legal obligation or legitimate interest in this regard.
Security measures

The implemented security measures correspond to those described in the
documents that make up the data protection and information security policy
of the organization.

7.- NECESSARY AND UPDATED INFORMATION

All fields that appear marked with an asterisk (*) in the forms on the Website must be completed, in such a way that the omission of any of them could lead to the impossibility of providing you with the services or information requested.

You must provide truthful information, so that the information provided is always up-to-date and does not contain errors, you must notify the Data Controller as soon as possible of any modifications and rectifications of your personal data that may occur through an email to the address: privacidad@inno-it.es.

Likewise, by clicking on the “I accept” button (or equivalent) incorporated in the aforementioned
forms, you declare that the information and data that you have provided in them are accurate and truthful, as well as that you understand and accept this Privacy Policy.

8.- DATA OF MINORS

In compliance with the provisions of article 8 of the GDPR and article 7 of the LOPD/GDD, only those over 14 years of age may grant their consent for the lawful processing of their personal data by INNOIT CONSULTING.

Therefore, minors under 14 years of age may not use the services available through the Website without the prior authorization of their parents, guardians or legal representatives, who will be solely responsible for all acts carried out through the Website by the minors in their care, including the completion of telematic forms with the personal data of said minors and the marking, where appropriate, of the boxes that accompany them.

9.- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

The Data Controller adopts the necessary organizational and technical measures to guarantee the security and privacy of your data, prevent its alteration, loss, treatment or unauthorized access, depending on the state of technology, the nature of the data stored and the risks to which they are exposed.

Among others, the following measures stand out:

• Guarantee the confidentiality, integrity, availability and permanent resilience of the
  treatment systems and services.
• Restore availability and access to personal data quickly, in the event of a
  physical or technical incident.
• Verify, evaluate and assess, on a regular basis, the effectiveness of the technical measures and
  organizational implemented to guarantee the security of the treatment.
• Pseudonymize and encrypt personal data, in the case of sensitive data.

On the other hand, the Data Controller has made the decision to manage information systems in accordance with the following principles:

• Principle of regulatory compliance: All information systems will comply with the regulatory and sectoral legal regulations applicable to information security, especially those related to the protection of personal data, security of systems, data, communications and electronic services.
• Risk management principle: Risks will be minimized to acceptable levels and a balance will be sought between security controls and the nature of the information. Security objectives must be established, reviewed and consistent with information security aspects.
• Principle of awareness and training: Training programs, awareness and awareness campaigns will be articulated for all users with access to the
  information, in matters of information security.
• Principle of proportionality: The implementation of controls that mitigate the security risks of assets will be carried out seeking a balance between security measures, the nature and information and risk.
• Principle of responsibility: All members of the Data Controller will be responsible for their conduct in terms of information security, complying with the established rules and controls.
• Principle of continuous improvement: The degree of effectiveness of the security controls implemented in the organization will be reviewed on a recurring basis to increase the capacity of
  adaptation to the constant evolution of risk and the technological environment.

10.- RIGHTS OF INTERESTED PARTIES

The current data protection regulations protect the user in a series of rights in relation to the use that is given to their data. Each and every one of these rights are personal and non-transferable, that is, they can only be exercised by the owner of the data, after verifying their identity. Below, we detail what the rights of Website users are:

• Right of access: It is the right that the user of the Website has to obtain confirmation of whether or not the Data Controller is processing their personal data and, if so, obtain information about their specific personal data and the treatment that the Data Controller has carried out or carries out, as well as, among others, the information available on the origin of said data and the recipients of the communications made or planned therein.
• Right of rectification: It is the right that the user of the Website has to have their personal data modified that is inaccurate or, taking into account the purposes of the treatment, incomplete.
• Right of deletion: It is usually known as the “right to be forgotten”, and it is the right that the user of the Website has, provided that current legislation does not establish otherwise, to
  obtain the deletion of their personal data when these are no longer necessary for the purposes for which they were collected or processed; the User has withdrawn their consent to the
  treatment and this does not have another legal basis; the User opposes the treatment and there is no other legitimate reason to continue with it; personal data has been processed unlawfully; personal data has been obtained as a result of a direct offer of information society services to a minor under 14 years of age. In addition to deleting the data, the Data Controller, taking into account the available technology and the cost of its application, will adopt reasonable measures to inform other possible controllers who are processing the personal data of the interested party’s request to delete any link to those personal data.
• Right to limit data: It is the right of the User of the Website to limit the processing of their personal data. The User of the Website has the right to obtain the
  limitation of the treatment when it challenges the accuracy of its personal data; the treatment is illegal; the Data Controller no longer needs the personal data, but the User needs it to make claims; and when the User of the Website has opposed the treatment.
• Right to data portability: In those cases in which the treatment is carried out by automated means, the User of the Website will have the right to receive from the Data Controller their personal data in a structured format, of common use and mechanical reading, and to transmit them to another data controller. provided that it is technically possible, the Data Controller will directly transmit the data to that other Controller.
• Right of opposition: It is the right of the User to not have their personal data processed or to cease the processing thereof by the Data Controller
  Treatment.
• Right not to be subject to automated decisions and/or profiling: It is the right of the User of the Website not to be subject to an individualized decision based solely on the automated processing of their personal data, including profiling, existing unless current legislation establishes otherwise.
  • Right to revoke consent: It is the right of the User of the Website to withdraw, at any time, the consent given for the processing of their data.

The user of the Website can exercise any of the aforementioned rights by contacting the Data Controller and after identifying the User using the following contact information:

• Responsible: INNOIT CONSULTING S.L.
• Address: C/ Diputació, 280, bajos 2ª, 08009 Barcelona (Barcelona), Spain
• Telephone: 931 720 620
• E-mail: privacidad@inno-it.es
• Website: https://www.inno-it.es/

11.- RIGHT TO CLAIM BEFORE THE CONTROL AUTHORITY

The user is informed of their right to file a claim with the Spanish Data Protection Agency if they consider that an infringement of the legislation on
data protection has been committed regarding the processing of their personal data. Contact information of the control authority:

Spanish Data Protection Agency
Email: info@aepd.es
Telephone: 912663517
Website: https://www.aepd.es
Address: C/. Jorge Juan, 6. 28001, Madrid (Madrid), Spain

12.- ACCEPTANCE AND CHANGES IN THE PRIVACY POLICY

It is necessary that the user of the Website has read and agrees with the data protection conditions contained in this Privacy Policy, as well as that they accept the processing of their personal data so that the Data Controller can proceed with it in the manner, terms and purposes indicated. The Data Controller reserves the right to modify this Privacy Policy, according to its own criteria, or motivated by a legislative, jurisprudential or doctrinal change of the Spanish Data Protection Agency. The changes or updates made to this Privacy Policy that affect the purposes, retention periods, transfers of data to third parties, international data transfers, as well as any right of the User of the Website, will be explicitly communicated to the user.

Version of March 3, 2025