The Personal Data Protection Policy of the company Integrative Myco-Medicine Association (IMMA)
In compliance with current regulations on data protection, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, the General Data Protection Regulation (GDPR) and Organic Law on Data Protection and Guarantee of Digital Rights (PPDGDRL, Organic Law 3/2018 of December 5), we inform you of our Personal Data Protection Policy, regarding the processing of personal data, as detailed below.
Responsibility for the processing of personal data
The person responsible for the treatment is the legal person that determines the purposes and means of the processing of personal data. In other words, the controller decides how and for what purposes personal data is processed.
For the purposes of this Data Protection Policy, the following entities are joint controllers of personal data:
- Identity: WORLD WIDE ORGANIC FUNGI S.L. – NIF: B-27.816.446
- Address: c/ López Mora, 10, 1º, Pta I
- Contact phone number: +34 615 247 369
- Contact email: firstname.lastname@example.org
- Identity: HIFAS DA TERRA – NIF: B36409290
- Address: Portamuiños 7, Bora 36154, Pontevedra
- Contact phone number: +34 986 861 087
- Contact email: email@example.com
What personal data do we process and how do we protect it?
Personal data is any information about an identified or identifiable natural person.
Our organisation undertakes to treat with total confidentiality and to apply the appropriate security measures, of a physical, technical and organisational nature, for the protection of your personal data.
You guarantee and are responsible, in any case, for the veracity, accuracy, validity and authenticity of the personal data provided, and you undertake to keep it duly updated.
- Data processing of “Contacts and potential clients”
1. What type of personal data do we process?
Identification data: first name, last name, address, phone number, email address, profession and country/region.
2. For what purpose do we process your personal data?
We treat the personal data that you provide us in the contact form for the management of business contact data and potential clients.
We will also use your data, if you expressly authorise it, so that we can contact you to offer you advice from one of our experts.
The purpose of advertising and commercial prospecting has also been provided, for which the express consent of the interested party is requested.
The personal data provided will be kept as long as the opposition to the treatment is not communicated. If you decide to cancel your personal data, it will be removed from our contact database.
3. What is the legitimacy for the processing of your data?
The legal basis for the processing of your data is the express consent that is requested.
4. To which recipients will your data be communicated?
Your personal data will not be transferred to any other entity.
Nor have international transfers of personal data been foreseen.
5. What are your rights when you provide us with your data?
In accordance with GDPR and other applicable regulations on data protection, you have a series of rights in relation to the processing of your personal data. The exercise of these rights will be free for you, except in cases in which manifestly unfounded or excessive requests are made, especially repetitive requests.
These rights are as follows:
- Right to information: You have the right to be informed in a concise, transparent, intelligible and easily accessible manner, with clear and simple language, about the use and processing of your personal data.
- Right of access: You have the right to ask us at any time to confirm whether we are treating your personal data, to provide you with access to this data and to the information about your treatment and to obtain a copy of said data. The copy of your personal data that we provide you with will be free of charge, although the request for additional copies may be subject to a reasonable charge based on administrative costs. For our part, we may ask you to prove your identity or require more information that is necessary to manage your request.
- Right of rectification: You have the right to request the rectification of inaccurate, outdated or incomplete personal data concerning you. You may also request that incomplete personal data be completed, including through an additional statement.
- Right of deletion: You have the right to request the deletion of your personal data when, among other reasons, the data is no longer necessary for the purposes for which it was collected. However, this right is not absolute, so that our organisation may continue to keep this data duly blocked in the cases provided for by the applicable regulations.
- Right to limit processing: You have the right to request that we limit the processing of your personal data, which means that we can continue to store it, but not continue to process it if any of the following conditions are met:
  - You contest the accuracy of the data, for a period that allows the controller to verify the accuracy of the data;
  - The treatment is unlawful and you oppose the deletion of the data and request instead the limitation of its use;
  - Our entity no longer needs the data for the purposes of the treatment, but you need it for the formulation, exercise or defense of claims;
  - You have opposed the treatment, while it is verified if the legitimate reasons of our entity prevail over yours.
- Right to data portability: You have the right to have your data transmitted to another data controller in a structured, commonly used and machine-readable format. This right applies when the processing of your personal data is based on consent or the execution of a contract and such processing is carried out by automated means.
- Right of opposition: This right allows you to oppose the processing of your personal data, including profiling. We will be unable to honour this right only when we prove legitimate reasons for the treatment or for the formulation, exercise or defense of claims.
- Right not to submit to automated decisions, including profiling: This right allows you not to be the subject of a decision based solely on automated processing, including profiling, that produces legal effects or affects you in a similar way, unless said decision is necessary for the conclusion or performance of a contract, is authorised by law or is based on consent.
- Right to withdraw consent: In cases where we have obtained your consent for the processing of your personal data in relation to certain activities (for example, in order to send you commercial communications), you may withdraw it at any time. In this way, we will stop carrying out that specific activity for which you had previously consented, unless there is another reason that justifies the continuity of the processing of your data for these purposes, in which case, we will notify you of this situation.
- Right to file a claim with a control authority: You have the right to file a claim with the:
  - Spanish Agency for Data Protection, C/ Jorge Juan, 6, 28001 Madrid, 901 100 099 – 912 663 517 (www.agpd.es), or at the electronic address: https://sedeagpd.gob.es/sede-electronica-web/vistas/formQuejasSugerencia/seleccionarQuejaSugerencia.jsf
  - Information Commissioner’s Office (ICO): The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. (https://ico.org.uk/)
You can exercise the aforementioned rights, by sending us a communication to the physical address or to the electronic address indicated at the beginning of this document, with an accompanying document proving your identity and providing the necessary details required to process your request.
Interested parties can obtain additional information on their rights on the website of the Spanish Agency for Data Protection, www.agpd.es.
In conformity with article 23 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (PPDGDRL), we inform you that you can restrict unwanted advertising by voluntarily registering your data for free with an advertising exclusion file. Currently the Robinson List is the only such file in Spain, which is managed by the Spanish Association of Digital Economy (ADIGITAL).
The Robinson List should be consulted by those who are going to carry out an advertising campaign in order to exclude the registered persons from it. However, even if you have signed up for the Robinson List, merchants can send you advertisements for their products or services if you are a customer or if you have given your consent.
By signing up for the Robinson List, you can choose the means or channel of communication through which you do not wish to receive advertising (postal mail, telephone calls, email or other means). You should bear in mind that registration for the Robinson List is effective as of the third month from the date on which you register your data, so it is possible that you may continue to receive some commercial communication within that period.
You can consult the advertising exclusion systems on the website of the Spanish Agency for Data Protection: https://www.aepd.es/areas/publicidad/index.html.
Finally, if you wish to register for the Robinson List, you can do so through this link: https://www.listarobinson.es/
Joint responsibility agreement
- In accordance with the provisions of article 26 of the General Data Protection Regulation (hereinafter GDPR), the above signatories jointly determine the purposes and means of processing, so they must be considered JOINT CONTROLLERS of such data as indicated in the first clause.
- That the co-signers of this agreement form a group of companies interested in the commercialisation of myco-medicinal products and the dissemination of information about their properties, including therapeutic properties, for which a joint management of processing personal data is advisable.
- In order to comply with the Personal Data Protection regulations, all parties agree to sign this Mutual Agreement of Joint Controllers for processing Personal Data, in accordance with the following:
1. PURPOSE OF THIS AGREEMENT
The purpose of this agreement is to properly define the functions and respective relationships of the joint controllers in relation to the interested parties, and in relation to the following PROCESSING OF PERSONAL DATA over which they are considered joint controllers:
- NEWSLETTER treatment activity
- CONTACT DATA processing activity
- Treatment activity of THOSE INTERESTED IN TREATMENTS
2. MAIN FUNCTIONS AND RELATIONSHIPS OF THE CO-RESPONSIBLE PARTIES
The company WORLD WIDE ORGANIC FUNGI S.L., will act as the point of contact for the interested parties to exercise their rights of access, rectification, limitation, deletion, opposition, portability and any other actions with regard to access to their personal data recognised in the GDPR.
Consequently, it will be said company that must comply with the duty of providing information to the interested parties (arts. 13 and 14 of the GDPR), informing them at a first level of who acts as co-responsible for the treatment of their personal data, and allowing the interested party to consult this agreement at a second level of information, or second layer, which will be published on the group’s website.
Regardless of the establishment of a single point of contact for the exercise of rights, the interested parties may exercise their rights against any of those responsible for the treatment.
The processing will have the same purposes, legal basis and recipients for all co-controllers, and the same rights will be granted to all interested parties, regardless of the joint controller.
The modification of any treatment activity of the joint controllers will require the common agreement of all of them, according to the rules that govern the decisions of the business group.
Each joint controller must comply with the obligations established by the GDPR for a data controller, and must, among others, carry out the following actions:
- Keep a record of treatment activities.
- Guarantee that the persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.
- Maintain the documentation proving compliance with the obligations of the GDPR.
- Guarantee the necessary training in the protection of personal data of the persons authorised to process personal data.
- Respond to the exercise of rights by the interested parties.
- Notify the rest of the joint controllers of data security violations without undue delay, and in any case within the maximum period of 36 hours, by email or any other means that certifies the receipt of the communication, in order to proceed jointly and in a coordinated manner to communicate it to the AEPD.
- Jointly coordinate the performance of impact assessments related to data protection, when appropriate.
- Jointly coordinate the conduct of prior consultations with the supervisory authority, when appropriate.
- In accordance with the provisions of art. 32 of the GDPR, you must implement mechanisms to:
  - Guarantee the confidentiality, integrity, availability and permanent resilience of the treatment systems and services.
  - Restore availability and access to personal data quickly, in the event of a physical or technical incident.
  - Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organisational measures implemented to guarantee the security of the treatment.
  - Pseudonymize and encrypt personal data, if applicable.
In relation to the possible responsibilities that may arise with respect to the damages caused to the interested parties, the co-responsible party will demonstrate his lack of guilt regarding the damage caused, in accordance with the provisions of art. 82.3 of the GDPR.
The co-controller who has paid a penalty or compensation for damages may claim from the other co-controllers the proportional part based on the responsibilities assumed by each person responsible. In this sense, it is established that the assumption of responsibilities in this agreement is proportional for each joint controller to the number of total joint controllers.
In any case, the interested party may claim compensation from any of the joint controllers, who must answer for the entirety regardless of whether they can subsequently request the other joint controllers for the proportional part based on the responsibility assumed.
4. COMPLEMENTARY INFORMATION
The interested parties will find all the complementary information in the place described in the first information layer, which will preferably be on the group’s website.
This agreement has an indefinite period.
6. CONFLICT RESOLUTION
Conflicts that may arise under this agreement will be resolved jointly and by majority by the joint controllers.
In any case, any joint controller may subsequently initiate the corresponding legal actions before the competent jurisdiction against the rest of the joint controllers.
For these purposes, the Courts and Tribunals of Pontevedra (SPAIN) are deemed competent.