PRIVACY POLICY

Gastrònoms Chefs S.L (hereinafter the Entity) undertakes to adopt the necessary technical and organisational measures, according to the level of security appropriate to the risk of the data collected.

This privacy policy is adapted to current Spanish and European regulations regarding the protection of personal data on the internet. Specifically, it respects the following regulations:

• Regulation (EU)2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and the free circulation of this data (GDPR).
  
• Organic Law 3/2018 of 5 December, on Personal Data Protection and the guarantee of digital rights (LOPD-GDD).
  
• Royal Decree 1720/2007, of 21 December, which approves the Regulations for the Development of Organic Law 15/1999, of 13 December, on the protection of personal data.
  
• Law 34/2002, of 11 July, on information society services and e-commerce (LSSI-CE).

Below is detailed information on the confidentiality and personal data protection policy in compliance with the provisions of the aforementioned regulations.

Data of the Data Controller and contact details of the Data Protection Officer / Delegate (DPO/DPD):

• Identity: Gastrònoms Chefs SL
  
• Address / Postcode: C/Pla de l’Estany 11, 17486 Castelló d’Empúries
  
• Telephone: 972 15 63 19
  
• Email address: info@gastronoms.es
  
• DPO/DPD contact data: Customer service
  
• Data Protection Channel: https://gastronoms.es/

Processing and Purposes of the processing

The processing of the User’s personal data will be subject to the principles set out in article 5 GDPR.

The Entity will process the information provided to us by the data subjects for the following purposes:

• Manage your support, visit and meeting at our facilities, as well as the management and performance of the contracted services/products.
  
• Manage any type of suggestion or request regarding our professional services that data subjects may pose to us.
  
• Informative and commercial communications: processing of your data for the purpose of informing you about activities, articles of interest and general information related to our activity and the contracted services/products.
  
• Manage data provided by candidates for a job in their Curriculum Vitae (CV) for the purposes of the selection and recruitment process.

For the good outcome and development of their support and management of the aforementioned purposes, the owner consents to the processing of their data for the aforementioned purposes, all under the strictest compliance with the Data Protection regulations and the policy that we are explaining. They may exercise their rights at any time (see specific section).

Personal data categories.

The categories of data processed are solely identifying data. Under no circumstances are special categories of personal data processed within the meaning of art. 9 GDPR.

Data withholding criteria

• Management of services/products contracted with the Entity: the personal data provided in the contracts, offers and/or proposal of services, as well as those of the other people whose intervention is necessary, will be withheld for as long as the contracted services are in force. Upon finalising the provision of the contracted service(s), personal data will be maintained in cases where responsibilities may be derived with the Entity and/or in compliance with other regulatory frameworks that apply to the Entity or a binding regulation that requires that it be withheld. Personal data will be maintained in a way that allows for the identification and exercise of the Rights of those affected and under the technical legal and organisational measures that are necessary to guarantee its confidentiality and integrity.
  

• Curriculum Vitae Management: the Entity, as a rule, keeps a Curriculum Vitae for a maximum period of one year; once this period has expired, it will be automatically destroyed, in compliance with the principle of data quality.
  

• Others: the other data and information provided by the user by any means will be kept for as long as necessary to fulfil the purpose for which it was collected.

Legal capacity

The legal basis that enables the Entity to process the personal data of users, clients, potential clients by virtue of the following titles:

• The consent of the data subjects for the processing and management of any request for information or query about our services and products.
  

• The consent given by job candidates for selection and recruitment purposes.
  

• The framework for providing and/or contracting services/products with the Entity.
  

• The legitimate interest to send you informative, commercial communications and/or promotional offers related to the activity of the Entity and the contracted services/products via email or any other means.
  

• The User will have the right to withdraw their consent at any time. It will be just as easy to withdraw consent as it is to give it. As a general rule, withdrawal of consent will not condition the use of the WEBSITE. On occasions when the User must or can provide their data through forms to make queries, request information or for reasons related to the content of the WEBSITE, they will be informed if the completion of any of them is mandatory due to being essential for the correct undertaking of the operation carried out.

Recipients

No personal data is transferred to third parties, except as provided by law.

Applicability

Personal data is obtained directly from the data subjects and our collaborators. The categories of personal data that our collaborators provide us are the following:

• Identifying data.
  
• Postal or electronic addresses.
  
• Data provided and/or consented to by the data subjects themselves related to and necessary for the management and undertaking of the requested service/product.

Secrecy and security of personal data.

The owner undertakes to adopt the necessary technical and organisational measures, according to the level of security appropriate to the risk of the data collected, so that the security of the personal data is guaranteed, and accidental or illicit destruction, loss or alteration of the personal data transmitted, stored or otherwise processed, or unauthorised communication or access to such data, is avoided.

However, because it cannot guarantee the impregnability of the Internet or the total absence of hackers or others who fraudulently access personal data, the data controller undertakes to inform the user without any undue delay when there is a security breach of the personal data which is likely to entail a high risk to the rights or freedoms of natural persons. Following the provisions of article 4 GDPR, a personal data security breach is understood to be any security breach that causes the accidental or unlawful destruction, loss or alteration of the personal data transmitted, stored or otherwise processed, or the unauthorised communication or access to said data. Personal data will be treated as confidential by the data controller who undertakes to inform and guarantee through a legal or contractual obligation that said confidentiality is respected by its employees, associates and any person to whom the information is made accessible.

Rights

Right of Access, Rectification and Deletion: data subjects have the right to obtain confirmation as to whether the Entity is processing personal data that concerns them or not. Data subjects have the right to access their personal data, as well as to request the rectification of inaccurate data or request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.

Right to Limitation and Opposition: in certain circumstances, data subjects may request the limitation of the processing of their data, in which case we will only keep it for the exercise or defence of claims. In particular circumstances and, for reasons related to their particular situation, data subjects may object to the processing of their data. The Entity will stop processing the data in this case, unless there are compelling legitimate reasons, or for the exercise or defence of possible claims.

These rights may be exercised in our Data Protection Channel, see specific section.

Data Protection Channel

The Entity has implemented a Communications and Complaints Channel where the relevant and necessary aspects regarding data protection are incorporated, considering the highest commitment, rigour and professionalism in terms of security, experience, independence and knowledge in the processing of the stipulated in article 24 of the LOPDGDD (Organic Law on Personal Data Protection and Guarantee of Digital Rights) for this type of channels.

The Data Protection Channel has been implemented through a web platform, developed and managed by an independent external expert, to provide and guarantee our previous commitments.

Through the Data Protection Channel, you may communicate and process the exercise of your Rights (see previous section) and communicate any evidence or knowledge you may have of possible security violations (breaches) and/or possible non-compliance or irregularities regarding the Data Protection regulations or this Entity policy.

The access data to the Data Protection Channel is detailed at the beginning of this policy.

Service and support

Data subjects may communicate to the Entity any questions about the processing of their personal data or interpretation of our policy, by contacting the data controller / Data Protection Officer (DC/DPO) at the address indicated at the beginning of this policy.

Complaint to the supervisory authority

In the event that the User believes that there is a problem or violation of current regulations in the way in which their personal data is being processed, they will have the right to effective judicial protection and to file a claim with a supervisory authority, in particular, in the State in which they have their habitual residence, place of work or place of the alleged infringement. In the case of Spain, the control authority is the Spanish Data Protection Agency (http://www.agpd.es).

Acceptance and changes to this privacy policy

It is necessary that the User has read and agrees with the conditions on personal data protection contained in this privacy policy, as well as that they accept the processing of their personal data so that the data controller can proceed to do so in the manner, during the deadlines and for the purposes indicated. Use of the website will imply acceptance of its privacy policy.

The owner reserves the right to amend their privacy policy, according to their own criteria, or motivated by a legislative, jurisprudential or doctrinal change of the Spanish Data Protection Agency. Changes or updates will be explicitly notified to the user.