Legal texts

Privacy policy

Introduction

This Privacy Policy has been drawn up in accordance with the provisions of the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR..  

This Privacy Policy sets out how the owner of this website collects, uses and protects the personal data of users of this website and its associated services.

Data Controller

Data Controller: COMPAÑÍA DE TRANVÍAS DE LA CORUÑA S.A.  

Address: CARRETERA FUERTES, 4, 15011, A CORUÑA (A CORUÑA) SPAIN
email: correo@tranviascoruna.com

Data Protection Officer

ASESORES Y CONSULTORES EN PROTECCIÓN DE DATOS S.L. (ACPD)

email: info@acpd.es

Tel: +34 942042117

Data processing

Where appropriate, the personal data requested shall be limited to those strictly necessary to identify and process the request made by the data subject (hereinafter, the ”data subject”). Personal data shall be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes.

The data collected from each data subject shall be adequate, relevant and not excessive in relation to the purposes applicable for each case, and shall be updated whenever necessary.

 

Processing purposes

 

The specific purposes for each processing activity are set out in the information clauses included in each data collection method (online forms, paper forms, verbal communications, notices and posters).

Notwithstanding the above, personal data shall be processed solely for the sole purpose of effectively responding to and handling users’ requests and enquiries, as specified next to the relevant option, service, form or data collection method used by the data subject.

 

Legitimation

 

As a general rule, and prior to processing any personal data, the Data Controller obtains the specific and unequivocal consent of the data subjects by means of informed consent clauses clearly displayed within the various data collection systems.

Notwithstanding the above, where the consent of the data subject is not required, the legal basis for the processing shall be the existence of a law or specific regulation authorising or requiring the processing of the data subject’s personal data in order to comply with a legal or contractual obligation.

 

Recipients

 

The Data Controller shall not transfer or disclose personal data to third parties, except where legally required. However, where such transfers or disclosures are necessary (for example, to service providers involved in the provision of services), the data subject shall be informed in advance by means of the informed consent clauses included in the various personal data collection methods.

 

Origin

 

As a general rule, personal data are collected directly from the data subject. However, in certain exceptional circumstances, data may be collected through third parties, organisations or services other than the data subject. In such cases, the data subject shall be duly informed through the informed consent clauses included in the various data collection methods and within a reasonable period following the collection of the data, which shall in no event exceed one month.

 

Data retention periods

 

The information collected from the data subject shall be retained for as long as necessary to fulfil the purpose for which the personal data were collected. Once that purpose has been fulfilled, the data shall be blocked and retained only for the legally required period in order to address any potential liabilities arising from the processing. Upon expiry of such period, the information shall be securely deleted.

 

Data subject rights

 

Data protection regulations grant data subjects, data owners, and users of the Data Controller’s website or social media channels a number of rights.

The rights protecting data subjects are listed below:

Right of access: The right to obtain information as to whether personal data concerning the data subject are being processed, and, where that is the case, access to such data and information regarding the purposes of the processing, the categories of data concerned, the recipients or categories of recipients, the retention periods and the origin of the data.

Right of rectification: The right to obtain the rectification of inaccurate or incomplete personal data.

Right of erasure: The right to obtain the erasure of personal data in the following circumstances:

  • When the data are no longer necessary for the purpose for which they were collected.
  • When the data subject withdraws consent.
  • When the data subject objects to the processing.
  • When erasure is required in order to comply with a legal obligation.
  • When the data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

Right to object: The right to object to specific processing activities based on the consent of the data subject.

Right of restriction of processing: The right to obtain the restriction of processing in any of the following circumstances:

  • Where the data subject contests the accuracy of the personal data, for a period enabling the entity to verify the accuracy of the data.
  • Where the processing is unlawful and the data subject opposes the erasure of the personal data.
  • Where the entity no longer requires the data for the purposes for which they were collected, but the data are required by the data subject for the establishment, exercise or defence of legal claims.
  • Where the data subject has objected to processing pending verification of whether the legitimate grounds of the entity override those of the data subject.

Right to data portability: The right to receive personal data in a structured, commonly used and machine-readable format and to transmit those data to another data controller where:

  • The processing is based on consent;
  • The processing is carried out by automated means.

– Right to lodge a complaint with the competent supervisory authority (the Spanish Data Protection Agency) via www.aepd.es where the data subject considers that the processing does not comply with the applicable regulations.

Data subjects may exercise the aforementioned rights by writing to the Data Controller at the following address: correo@tranviascoruna.com, stating in the subject line the right they wish to exercise.

The Data Controller shall respond to the request as soon as possible, taking into account the time limits established by data protection regulations.

 

Security

 

The security measures adopted by the Data Controller comply with legal requirements pursuant to Article 32 of the GDPR.

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, the Data Controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

In any event, sufficient mechanisms are implemented to:

  • Guarantee the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • Protect against unauthorised access, alteration or loss.
  • Restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
  • Regularly test, assess and evaluate the effectiveness of the technical and organisational measures implemented to ensure secure processing.
  • Pseudonymise and encrypt personal data where appropriate.

 

Browsing data and hosted information

 

The categories of data processed through web forms are:

  • Identification and contact data: first name and surname, email address and telephone number.

When visiting our website, browsing data may be collected. For further information, users are advised to consult the Cookies Policy.

Electronic commercial communications

 

In accordance with Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI-CE), the Data Controller shall not send advertising or promotional communications by email or any other equivalent electronic means unless these have been previously requested or expressly authorised by the recipients.

Where there is a prior contractual, legal or service relationship with the user, the Data Controller is authorised to send commercial communications relating to products or services similar to those initially contracted by the customer.

If the user wishes to unsubscribe from receiving such communications, they may do so by sending a request by email to the following address: correo@tranviascoruna.com.

 

Changes to this Policy

 

We may update this Policy to reflect changes in legislation or in our services. Any modifications shall be published on our website together with the date of the latest update.

 

Applicable law

 

This Policy shall be governed by Spanish law, and any disputes relating thereto shall be resolved in accordance with such law.