Records of Processing Activities
1.1. Processing Activity: Job Applicants (CVs)
Legal Basis
- Art. 6(1)(b) GDPR: Processing is necessary for the implementation of pre-contractual measures taken at the data subject’s request, upon submission of their CV in response to advertised job vacancies.
- Art. 6(1)(a) GDPR: Consent of the data subject for inclusion in the talent pool.
- Art. 31(2)(a) FADP/LPD: Processing necessary for pre-contractual measures.
- Art. 6 FADP/LPD: Consent: Where the candidate is not selected for the current vacancy but the organisation wishes to retain their CV for future openings.
Purpose
- Collection and processing of CVs received for the management of the talent pool in connection with current and future vacancies within the organisation. Recruitment and personnel selection.
Categories of Data Subjects
- Job Applicants.
Categories of Personal Data
- Full name, address, email, telephone, photograph, personal characteristics, social circumstances, academic and professional background, employment details, disability percentage.
Data Disclosures
- Microsoft EU Zone (hosted by Izertia)
International Transfers
- YES. Destination: EU (Microsoft Europe). Legal Basis: Art. 16(1) FADP/LPD (Adequate level of protection).
Retention Period
- Data shall be retained for as long as necessary to fulfil the purpose for which they were collected and to determine any liabilities arising therefrom. Employment data: minimum 5 years from end of employment relationship; working time records: minimum 4 years; user accounts: maximum 1 year from termination.
1.2. Processing Activity: Human Resources
Legal Basis
- Art. 6(1)(b) GDPR: Processing is necessary for the performance of a contract to which the data subject is party, or for pre-contractual measures at the data subject’s request.
- Art. 6(1)(c) GDPR: Processing is necessary for compliance with a legal obligation applicable to the controller:
Royal Legislative Decree 2/2015 of 23 October, approving the consolidated text of the Workers’ Statute.
Law 31/1995 of 8 November on Occupational Risk Prevention.
Royal Decree-Law 8/2019 of 8 March on urgent social protection and anti-precariousness measures regarding working hours.
Law 10/2021 of 9 July on remote working.
- Art. 31(2)(a) FADP/LPD Switzerland: Justification based on direct contractual nexus.
Purpose
- Employee onboarding. Payroll and human resources management. Staff training and development. Workforce administration. Hirings, terminations, annual leave, social security contributions, tax withholdings, occupational health and safety. Working time recording.
Categories of Data Subjects
- Employees.
Categories of Personal Data
- National ID/Tax ID, Social Security/Mutual Insurance number, full name, email, address, telephone, photograph, personal characteristics, social circumstances, academic and professional background, employment details, financial and insurance data, signature, clock-in time, clock-out time.
Data Disclosures
- Advisory firms, banking institutions, competent public authorities, Microsoft EU Zone (hosted by Izertia), Bizneo (AWS Ireland), client companies where staff access their premises.
International Transfers
- YES. Cross-border transfer between the Swiss headquarters and Spain.
Legal Basis (Swiss perspective): Art. 16(1) FADP/LPD (adequate level of protection in the recipient state – Spain/EU).
Legal Basis (EU perspective): Art. 45 GDPR (EU–Switzerland Adequacy Decision).
Retention Period
- Data shall be retained for as long as necessary to fulfil the purpose for which they were collected and to determine any liabilities arising therefrom. Employment data: minimum 5 years from end of employment relationship; working time records: minimum 4 years; user accounts: maximum 1 year from termination.
1.3. Processing Activity: Clients and Suppliers
Legal Basis
- Art. 6(1)(f) GDPR: Processing is necessary for the purposes of the legitimate interests of the controller, namely maintaining commercial relationships with clients and suppliers pursuant to Art. 19 LOPDGDD.
- Art. 6(1)(c) GDPR: Compliance with a legal obligation.
- Art. 6(1)(b) GDPR: Processing necessary for the performance of a contract to which the data subject is party, or for pre-contractual measures at the data subject’s request.
- Art. 31(2)(a) FADP/LPD: Justification based on contractual performance...
Purpose
- Management of client and supplier data, maintenance of contact records, preparation of quotes and proposals. Management of commercial contracts, invoicing, collections and payments. Associated financial and administrative management.
Categories of Data Subjects
- Clients, suppliers, and contact people.
Categories of Personal Data
- National ID/Tax ID, full name, address, telephone, signature, job title, email, commercial information, financial and insurance data, goods and services transactions.
Data Disclosures
- Microsoft EU Zone (CRM hosting), advisory firms, banking institutions, competent public authorities, insurance companies, consulting and auditing firms.
International Transfers
- YES. Destination: EU (Microsoft Europe).
Legal Basis: Art. 16(1) FADP/LPD (Adequate level of protection).
Retention Period
- Data shall be retained for as long as necessary to fulfil the purpose for which they were collected and to determine any liabilities arising therefrom (minimum 10 years from end of commercial relationship; commercial contracts: minimum 15 years).
1.4. Processing Activity: Marketing
Legal Basis
- Art. 6(1)(f) GDPR: Processing is necessary for the purposes of the legitimate interests of the controller, namely sending clients communications regarding similar products or services to those already acquired and which may be of interest to them.
- Art. 6(1)(b) GDPR: Processing is necessary for the performance of a contract (event registration) or for pre-contractual measures.
- Art. 6(1)(a) GDPR: Consent of the data subject (non-client) for the sending of commercial communications.
- Art. 31(2)(b) FADP/LPD: Justification based on private interest (economic competition).
- Art. 6(7) FADP/LPD: High-risk profiling or sensitive data.
Purpose
- Building client loyalty, inviting clients to register for events, and sending communications about the organisation’s products or services that may be of interest to them.
Categories of Data Subjects
- Clients and contacts.
Categories of Personal Data
- Full name, job title, email, telephone.
Data Disclosures
- Microsoft (CRM hosting), Reply.
International Transfers
- Reply (USA) (Data Privacy Framework + Standard Contractual Clauses). YES. Destination: EU (Microsoft Europe).
Legal Basis: Art. 16(1) FADP/LPD (Adequate level of protection).
Retention Period
- For as long as the commercial relationship is maintained and the data subject does not request erasure or withdraw their consent.
1.5. Processing Activity: Images for Social Media and Website
Legal Basis
- Art. 6(1)(f) GDPR: Consent of the data subject.
- Images for internal use. Legal basis: Art. 31(2)(a) FADP/LPD (justification based on contractual relationship).
- Art. 6(6) FADP/LPD: Consent of the data subject for promotional purposes.
Purpose
- Promoting the services and activities carried out by the organisation.
Categories of Data Subjects
- Employees and visitors.
Categories of Personal Data
- Full name, job title, image/voice.
Data Disclosures
- Meta, LinkedIn.
International Transfers
- Meta, LinkedIn (subject to prior consent and on an ad hoc basis).
- Art. 16(1) FADP/LPD: Where the provider is certified under the Swiss-U.S. Data Privacy Framework.
- Transfers outside the EU/USA. Art. 16(2) FADP/LPD.
Retention Period
- For as long as they are considered relevant and the data subject does not request their erasure.
1.6. Processing Activity: Internal Whistleblowing System and Whistleblower Protection
Legal Basis
- Art. 6(1)(c) GDPR: Processing is necessary for compliance with a legal obligation applicable to the controller:
Law 2/2023 of 20 February, regulating the protection of people reporting regulatory infringements and combating corruption.
- Art. 31(2) FADP/LPD: Justification based on the organisation’s overriding private interest.
- Art. 31(1) FADP/LPD: Justification based on a legal obligation.
Purpose
- Management of the whistleblowing channel established by the organisation in accordance with the procedure referred to in Art. 9 of Law 2/2023.
Categories of Data Subjects
- Reporting people, affected individuals, and third parties whose personal data are necessary for the management of the procedure referred to in Art. 9 of Law 2/2023.
Categories of Personal Data
- Name, telephone number, and any other data included in the report.
Data Disclosures
- Competent public authorities, judicial bodies, public prosecutor’s office, external Data Protection Officer (DPO), Whistleblower Software ApS.
International Transfers
- YES. A transfer exists pursuant to Art. 16(1) FADP/LPD, deemed lawful on the basis of an adequacy decision.
Retention Period
- Data shall be retained for as long as necessary to fulfil the purpose for which they were collected and to determine any liabilities arising therefrom (maximum 10 years).
1.7. Processing Activity: Handling Data Subject Rights Requests
Legal Basis
- Art. 6(1)(c) GDPR: Processing is necessary for compliance with a legal obligation applicable to the controller:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
Organic Law 3/2018 of 5 December (LOPDGDD).
- Art. 31(1) FADP/LPD: Justification based on a legal obligation (Arts. 25-29 FADP/LPD).
Purpose
- Handling requests submitted by data subjects in the exercise of the rights established under the GDPR.
Categories of Data Subjects
- Natural persons submitting requests to the organisation (employees, corporate contact persons, training participants, etc.).
Categories of Personal Data
- Full name, email address, and any other data required for correct identification of the data subject.
Data Disclosures
- Competent public authorities, external Data Protection Officer (DPO), Microsoft EU Zone.
International Transfers
- YES. Art. 16(1) FADP/LPD (adequate level of protection – Spain/EU).
Retention Period
- Data shall be retained for as long as necessary to fulfil the purpose for which they were collected and to determine any liabilities arising therefrom (minimum 3 years).
1.8. Processing Activity: Shareholders and Investors
Legal Basis
- Art. 6(1)(c) GDPR: Processing is necessary for compliance with a legal obligation applicable to the controller:
Royal Legislative Decree 1/2010 of 2 July, approving the consolidated text of the Corporate Enterprises Act.
- Art. 31(1) FADP/LPD (legal obligation) and Art. 31(2)(a) FADP/LPD (corporate relationship).
Purpose
- Managing the relationship with shareholders and investors, performing corporate secretarial functions, and disseminating information in their capacity as shareholders and investors. Managing the convening, holding, and reporting of the General Shareholders’ Meeting.
Categories of Data Subjects
- Shareholders and legal representatives of investing entities.
Categories of Personal Data
- Identification and contact data, as well as other information such as shareholder reference number, securities accounts or classification code, and details of any power of attorney.
Data Disclosures
- Competent public or private authorities, Microsoft EU Zone.
International Transfers
- YES. Destination: Spain (management) / EU or USA (software).
Legal Basis: Art. 16(1) FADP/LPD.
Retention Period
- Data shall be retained for as long as necessary to fulfil the purpose for which they were collected and to determine any liabilities arising therefrom (minimum 1 year).
2. Security Measures
The organisation has implemented appropriate technical and organisational measures for all the processing activities described herein, in order to ensure a level of security appropriate to the risk, as specified in the Risk Analysis and other data protection, information security, and privacy documents adapted to the GDPR. Mandatory security controls have been adopted, including those required by the National Security Framework (ENS) at medium category level and ISO 27001 certification.