I. PRIVACY AND DATA PROTECTION POLICY
In compliance with current legislation, IriusRisk (hereinafter, “Website”) undertakes to adopt the technical and organisational measures necessary to ensure a level of security appropriate to the risk associated with the collected data.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, “GDPR”).
- Organic Law 3/2018 of 5 December on Protection of Personal Data and Guarantee of Digital Rights (hereinafter, “LOPD-GDD”).
- Royal Decree 1720/2007, of 21 December 2007, approving the Regulations implementing Organic Law 15/1999, of 13 December 1999.
- Law 34/2002 of 11 July on Information Society and Electronic Commerce Services.
Identity of the data controller
The administrator responsible for processing the personal data collected by IriusRisk is IriusRisk with identification data as follows:
Registered name: IriusRisk, SL
Tax ID: B22341713
Registered in the Mercantile Registry of Huesca with the following registration data: T 655, F 120, S 8, H HU 9950
Representative: Stephen Leendert deVries (hereinafter, the Controller)
Registered address: Parque Tecnológico Walga, Ctra. Zaragoza N-330A, Km. 566, 22197 Cuarte (Huesca), Spain
Contact email: firstname.lastname@example.org
Personal Data Registration
In accordance with GDPR and LOPD-GDD, we inform you that the personal data collected by IriusRisk via forms on its website will be processed and incorporated into our files in order to:
- facilitate, expedite and fulfil the commitments established between IriusRisk and the User;
- maintain the relationship established or process a request made in the forms filled by the User.
In addition, pursuant to GDPR and LOPD-GDD and except where exempted by Article 30.5 of GDPR, IriusRisk shall maintain a record of all data-processing activities and other circumstances considered in GDPR according to their respective purposes.
Applicable principles for processing of personal data
The processing of the User’s personal data shall be governed by the following principles referred to in Article 5 of GDPR and in Article 4 and following of LOPD-GDD:
- Lawfulness, fairness and transparency principle: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation principle: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation principle: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy principle: personal data shall be accurate and, where necessary, kept up to date.
- Storage limitation principle: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality principle: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability principle: the controller shall be responsible for and be able to demonstrate compliance with the Data Protection Principles.
Categories of personal data
The categories of data collected and processed by IriusRisk are considered to be personal data exclusively for identification purposes. No special categories of data described in Article 9 of GDPR shall be processed under any circumstance.
Legal basis for the processing of personal data
The legal basis for the processing of personal data is consent. IriusRisk undertakes to obtain the User’s express verifiable consent for the processing of their personal data for one or more specific purposes.
The User has the right to withdraw their consent at any time. Withdrawal of consent shall be as easy as the granting thereof. As a general rule, withdrawal of consent should not condition the use of the Website.
On the occasions when the User may or must provide their data via forms to make enquiries or request information, or for reasons related to the content of the Website, they shall be informed when the data are mandatorily required for the successful processing of the operation.
Purposes of the processing of personal data
Personal data are gathered and processed by IriusRisk with the aim of facilitating, expediting and fulfilling the commitments established between IriusRisk and the User, or to maintain the relationship established or process a request made in the forms filled by the User.
Furthermore, the data may be used:
- for the commercial purpose of personalisation, or for operational or statistical purposes and for the activities that are the object of the company;
- for the extraction and storage of the data and for market research aimed at adapting the Content offered to the User;
- to improve the quality, functionality and navigation of the Website.
At the time the personal data are obtained, the User is to be informed of the specific purpose(s) for which such data are intended, that is, the use(s) to which the gathered information will be put.
Retention periods of personal data
Personal data shall be kept for no longer than is necessary for the purposes for which they are processed and, in any case, only during the following time: During the course of the Demo and Community Services until termination of the Demo and Community Agreement and deactivation of your Account either by you or us. Ultimately, the User can request the data to be eliminated at any given time.
At the time the personal data are obtained, the User is to be informed of the retention period of said data or the criteria used to determine that period, when applicable.
Recipients of personal data
Personal data of users are not shared with third parties.
In any case, at the time the personal data are obtained, the User shall be informed of the recipient or the categories of possible recipients.
Personal data of minors
In compliance with Article 8 of GDPR and Article 7 of LOPD-GDD, the User must be above the age of 14 to give their consent for the processing of their personal data. In the case of Users below the age of 14, the consent of their parents or legal guardians will be required for the lawful processing of their data.
Confidentiality and privacy of personal data
IriusRisk undertakes to adopt the necessary technical and organisational measures to guarantee confidentiality and avoid accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data stored or otherwise processed. Such measures shall be appropriate to the level of risk associated with the collected data.
However, since IriusRisk cannot guarantee the invulnerability of the Internet nor the absence of hackers or others that may fraudulently access personal data, the Controller undertakes to notify the User without undue delay in the event of a personal data breach which may imply a high level of risk to the rights and freedoms of individuals. In compliance with Article 4 of GDPR, ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Personal data shall be treated as confidential by the Controller, who undertakes to inform and guarantee, by means of a statutory or contractual obligation, that said confidentiality is respected by employees, associates or any other person who has access to the aforementioned personal data.
Rights related to the processing of personal data
As stated in GDPR and LOPD-GDD, the User shall have, and therefore may exercise against the Controller the following rights:
- Right of access: the right to obtain from the Controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and information regarding the origin, processing and/or planned and previous communications - including the recipients if applicable - of such data.
- Right to modification: the right to obtain from the Controller without undue delay the rectification of inaccurate or incomplete personal data concerning them.
- Right to erasure (‘right to be forgotten’): the right to obtain from the Controller the erasure of personal data concerning them where one of the following grounds applies:
  - the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  - the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
  - the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  - the personal data have been unlawfully processed;
  - the personal data have to be erased for compliance with a legal obligation to which the Controller is subject;
  - the personal data have been collected in relation to the offer of information society services from a child below the age of 14.
In addition to the erasure of personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to those personal data.
- Right to restriction of processing: the right to obtain from the Controller restriction of processing where one of the following applies:
  - the accuracy of the personal data is contested by the data subject;
  - the processing is unlawful;
  - the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  - the data subject has objected to processing.
- Right to data portability: whenever the processing is carried out by automated means, the User shall have the right to receive their personal data in a structured, commonly used and machine-readable format and the right to transmit those data to another controller, including the right to have the personal data transmitted directly from one controller to another, where technically feasible.
- Right to object: the right to object at any time to processing of personal data concerning them by the Controller.
- Automated individual decision-making, including profiling: the right not to be subject to a decision based solely on automated processing, including profiling, unless authorised by current State law to which the Controller is subject.
Therefore, the User shall exercise their rights by written communication addressed to the Controller with the reference "RGPD-https://www.iriusrisk.com/", indicating:
- The User's first and last name and a photocopy of their National ID document, passport or any other valid legal document of identification. In cases where representation is allowed, the representative shall provide the same identification details.
- The concrete reasons justifying the request or information the User wishes to access.
- An address for notification purposes.
- The date and signature of the person making the request.
- Any document which supports the User’s petition.
This request and any accompanying document shall be sent to the following postal and/or email address(es):
Postal address: Parque Tecnológico Walga, Ctra. Zaragoza N-330A, Km. 566, 22197 Cuarte (Huesca), Spain
Email address: email@example.com
Links to third-party websites
The Website may provide links to websites operated by entities other than IriusRisk. Said entities shall have their own privacy and data protection policies and shall therefore be responsible for their own files and privacy practices.
Lodging a complaint with a supervisory authority
In the event that the User considers that the manner in which their personal data are being processed fails to comply with existing laws, they shall have the right to an effective judicial remedy and to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. The supervisory authority in Spain is the Spanish Data Protection Agency (https://www.aepd.es/).