Araven Group's management activities record

Management categories

1. Web analytics with statistical and functional purposes (Marketing Department).

2. Basic creation of profiles with publicity purposes (Commercial and Marketing Departments).

3. Mailing of commercial activity, publicity and promotional communications and sector assessment surveys or market studies. (Marketing and Commercial Departments)

4. Promotions: contests and raffles (Marketing and Commercial Departments)

5. Photo, video and voice recording aiming at personal brand improvement or commercial purposes (Marketing and Commercial Departments).

6. Job portal, for applicants and vacancies record for working at ARAVEN GROUP (Personnel Department).

7. Financial management, Collection and recovery (Financial and Administration Departments)

8. Staff (Personnel Department)

9. Suppliers and commercial partners (Financial and Administration Departments).

10. People’s rights support (Administration Department)

11. Complaints and suggestions (Quality Department).

12. Physical security at facilities. Access registration and control. (Administration Department)

13. Logical Security (Systems Department).

14. Video surveillance (Administration Department).

15. Complaints channel (Administration Department).

16. International Relations (Administration Department).

Second Layers

Updated 14/10/2022

1. Web analytics with statistical and functional purposes.

The manager analyses people’s navigation and behaviour, aiming at knowing the use given to its tools and adapting them to the need, as well as at improving their communication, commercialization and people support activities.

Manager 

ARAVEN GROUP, S.L.

Independent managers to analyse data obtained when opening and interacting with emails. Corresponsible for shared own communication channels (same web): ARAVEN, S.L. and GRUPO OM, S.L.

Legal basis 

To the extent the performance of the agreement shows so: management is necessary for the performance of agreements in which the interested party is a party or for the application of precontractual measures (art. 6.1.b in GDPR).

In the rest of cases the interested party gave consent for their data management for one or several specific purposes (art. 6.1.a. in GDPR). To obtain these consents, the interested party will be informed separately from any purchase agreement, general terms or service agreement. This management will be done on navigation data obtained from the website as well as from apps, and so on.

Management purposes 

In the event that analytical treatment is based on the contract performance, the analytics required for contract performance will be done: for example, the number of times that users have accessed information, whether they download it, and the receipt confirming that they have accessed security communications sent by the manager could be analysed, without any additional management for this reason. In any other case, with prior acceptance by the interested party, the purpose of personal data analytical management will be:

  • Analysis of opening of communications sent by ARAVEN GROUP.
  • Analysis of users’ navigation on websites, mobile applications and social profiles managed by the person in charge.
  • Analysis of behaviour in commercial phone calls.

Group 

Users accessing websites, mobile applications or social profiles managed by the manager, as well as those opening or responding to communications sent by the manager.

Data categories 

  • Analytics services providers add up data obtained in order to give the manager quantitative information on people’s navigation and behaviour, without it being possible to identify specific persons. Managed data are:
  • For web analytics: Browsers’ user-agent strings and IP address lists, together with graphs and total figures on all users’ navigations on each website.
  • Mail analytics: Browsers’ user-agent strings and IP address lists, together with graphs and total figures on all users’ navigations on each website.
  • Telephone analytics: Behaviour and reactions to commercial messages.

Specifically in the case of email analytics and in addition to the previously stated, data on number of openings, opening time, opening date, resendings, conversions (in case of forms being included in the emails), users’ clicks on emails’ internal links (with links to: landing, webs, direct mailto to personal contacts…), device from which emails are opened, hardware, block and software, email bounces and unsubscriptions.

Receivers categories 

Data communications are not considered.

Data management responsibles 

Google LLC – Google Analytics – https://analytics.google.com/analytics/web/

International Transf.  

Management responsible is Google Ireland and by second assignment Google LLC, 1600 Amphitheatre Parkway Mountain View, CA United States. Security measures: data protection agreement including standard terms through Google Workspace (before, GSuite). https://privacy.google.com/businesses/processorterms/

  • Twitter Inc
  • LinkedIn
  • Facebook.com

Elimination term

Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment.

Additional information 

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.

2. Basic creation of profiles  by the manager with publicity purposes 

Users tagging depending on their activity on the website, in venues and through advertising creativities aiming at sending them publicity and promotional content adjusted to their preferences.

Manager

Manager ARAVEN GROUP and corresponsible ARAVEN and GRUPO OM.

Legal basis

Users gave consent for their personal data management for one or several specific purposes (art. 6.1.a. in GDPR). To obtain these consents, the interested party will be informed separately from any purchase agreement, general terms or service agreement and will be obtained in the same way.

Management purposes

Users tagging depending on their activity on the website, in venues and through advertising creativities aiming at sending them publicity and promotional content adjusted to their preferences.

Group 

  • Lead (people who could potentially become customers)
  • Users
  • Any other people

Data category 

  • Location
  • Professional interests
  • Education and career  (former and current jobs)
  • Age

Receivers category 

Data assignments are not considered.

Data management responsibles 

International Transf. 

International transfers are not considered.

Elimination term 

Until the interested party applies for unsubscription or their data elimination.

Additional information

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.

3. Commercial activity, mailing of publicity and promotional communications; assessment surveys or market studies

Mailing of personalised messages with publicity or promotional content.

Surveys and polls are also done with different groups included in their managements to write reports on different fields and subjects, including their positioning in the market, and to know customers’ satisfaction. Finally, dealing with surveys, on certain occasions it is required to know participants’ data, so as to link information to them, notwithstanding that in most cases information can be made anonymous by means, among other techniques, of data addition.

Manager 

Manager ARAVEN GROUP and corresponsibles ARAVEN and GRUPO OM.

Legal Basis

The interested party gave their consent for personal data management for one or several specific purposes (Art 6.1.a of GDPR).

  • Art.21.1 of the  Act 34/2002, of July 11, on services of information and electronic commerce society.
  • Act 3/1991, of January 10, on Unfair Competition.
  • Act 34/1988, of November 11, General act on Publicity.

For those who have dealt with the manager: management is necessary to meet legitimate interests pursued by data manager or by any third party, as long as fundamental rights, freedoms or interests of the interested party requiring personal data protection do not prevail, especially when the interested party is a child. (Art 6.1.f in GDPR).

Management purposes 

  • Sending publicity or promotional content, via email, post, or phone.
  • Consultancy or studies made by the manager on different fields and subjects.
  • Knowing customers’ satisfaction and market positioning of responsible companies.

Group

Customers and those people interested in the activities and information about manager’s activities, products and services or about the contents created, published or promoted by the manager.

Leads
Clients and potential clients.

Data categories 

  • Name and surname
  • Email
  • Mobile phone number
  • Comments and opinions on surveys contents

Receivers categories 

Personal data assignments are not considered.

Data management responsibles 

Sales representatives: Whenever commercial purposes recommend to do so due to the interested party location and the opportunities managers can offer in the background, data will be allowed to be communicated to sales representatives (who will work as managers) with whom the manager has established and keeps security measures suitable to the risk level for personal data by management responsibles’ contracts and on which periodical audits and inspections will be done.
Affinity audiences platforms (Facebook Audience Insights; LinkedIn Lookalike Audience for Ad Targeting; and Google Custom Affinity Audiences), to which the manager allows data access with the only purpose of showing segmented publicity to other similar users.

International Transf. 

International transfers to data managers are considered.

Elimination term 

Communication mailing to customers: data will be kept for this purpose while receivers have reasonable expectations of keeping receiving publicity or promotional communications.
Sending communications at request or expressed authorisation: Data will be kept until users withdraw their consent.

Additional information

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.

4. Promotions: contests and raffles

The manager promotes its activities by means of raffles and other random combination games with publicity or promotional contents, as well as by means of other non-random actions such as direct gifts or contests with a jury. This management activity is related, according to what is stated in the rules, with the activities of taking photos and videos and using them, as well as commercial, publicity and promotional communications.

Manager 

Manager ARAVEN GROUP and corresponsibles ARAVEN and GRUPO OM.

Legal basis 

The interested party gave their consent for personal data management for one or several specific purposes (Art 6.1.a of GDPR).

Management purposes 

  • Participants checking to verify they meet requirements stated in the rules
  • Winners selection
  • Prize giving

Group 

Participants in promotion activities, contests or raffles.

Data Category 

  • Name and surname
  • ID Card
  • Address
  • Email address
  • Phone number
  • Content to be shared to take part in the promotional activity

Receivers category 

  • Tax authorities
  • Banks

Management responsibles 

Collaborating entities in contests and raffles management.

International Transf. 

Personal data international transfers are not considered.

Elimination term 

Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment.

Additional information 

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR. Other management activities linked (access to them for further information):

Photo and video: When it is stated, some winners’ personal data will be published, including their names and surnames, town, relation with the manager, shared content and their image (photo or video) to ensure the transparency of the promotion, contest or raffle.
Commercial communications mailing: In cases in which it is stated, to participate in the activity the interested party will have to be a receiver of commercial or promotional communications from the manager. Consent for this data will be obtained separately from the promotional activity.

5. Photo, video and voice recording aiming at personal brand improvement or commercial purposes.

Taking photos or recording images and/or voice for (1) promotion activities and (2) manager’s publicity or promotional purposes.

Manager 

Manager ARAVEN GROUP and corresponsibles ARAVEN and GRUPO OM.

Legal basis 

For Group’s company staff: related to their card, their certifications and other specific cases, and for lecturers in events and conferences, management is necessary to execute a contract in which the interested party is a party or for the application, at their request, of precontractual measures (art 6.1.b of GDPR).

For recordings and broadcasting of the interventions of attendants to specific events: management is necessary to meet legitimate interests pursued by data manager or by any third party, as long as fundamental rights, freedoms or interests of the interested party requiring personal data protection do not prevail, especially when the interested party is a child. (Art 6.1.f in GDPR).

Express consent for any other purposes, as it is stated in:

  • The interested party gave their consent for personal data management for one or several specific purposes (Art 6.1.a of GDPR).
  • Fundamental Law 1/1982, of May 5, on civilian protection of right to honour, to personal and family privacy and to reputation, especially articles 2, 7 and 8
  • Fundamental Law, of December 6, of Personal Data protection and guarantee to digital rights.

Management purposes 

Photo taking and images and voice recording for:

  • Publishing brands promotion activities.
  • Manager’s publicity or promotional purposes.
  • Publishing on manager’s websites and given to media.
  • Publishing on social media.

Group 

  • Staff and external people.
  • Participants in contests and raffles organized by the manager
  • Other people.

Data categories

  • Image
  • Voice
  • Name and surnames
  • Address
  • Email address
  • Phone number
  • Relationship with the manager.
  • Specific reason for agreed management

Receivers category 

Data will be published on manager’s websites and given to media when consent for these managements has been obtained from the interested party, or when it is necessary for the execution of contracts in which the interested is a party or manager’s legitimate interest mentioned before must be met. In case of publication on social media, their use terms and conditions may be applied.

No other personal data assignments are considered.

Management responsibles 

Agencies of content management, edition and delivery of audiovisual materials.

International Transf.

Personal data international transfers are not considered.

Elimination term 

Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment. In any other cases, data management will be kept until users withdraw their consent. If data had been published on third-parties’ websites or on external media to the manager, the exercise of rights may have as a response the impossibility to effectively eliminate data.

Additional information 

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.

6. Job portal 

Vacancies record and selection of labour staff as well as outsourced.

Manager 

Manager ARAVEN GROUP

Legal basis 

Management is necessary for the execution of contracts in which the interested party is a party or for the application, at their request, of precontractual measures (art. 6.1.b of GDPR). Interested parties’ records will be based on the fulfilment of legal obligations applicable to management responsible. (art. 6.1.c. of GDPR).

Proactive search for candidates and for their details on third parties’ databases is based on the legitimate interest of finding them in order to know whether they are suitable for the post (art. 6.1.f. of the GDPR).

Workers’ Statute
Royal Legislative Decree 1/2013, of November 29, approving the Consolidated Text of the General Act of disabled people’s rights and their social inclusion.

Group 

  • Candidates in hiring processes.
  • Professionals with public profiles.

Management purposes 

Analysis and checking of candidates’ professional records when this is crucial to the established tasks (e.g. teaching). The manager will analyse documents sent by the candidate, any public content directly accessible by means of search engines, profiles on professional social media, data obtained from access tests and information revealed during the job interviews, aiming at assessing their application and being able to offer a job if it is the case. This analysis will possibly be done to find and assess candidates for specific jobs or tasks.

Data Categories 

  • Identification data: Name and surnames.
  • ID Card, Foreigner’s Identity Number or Identification document
  • Social Security Number
  • Address
  • Signature, electronic signature
  • Phone number
  • Personal characteristics data: Gender, nationality, age, date and place of birth.
  • Education and career data: Qualifications and job experience
  • Data special categories: disabilities.

Receivers category 

Companies where or with which the employer had worked in order to check data and their veracity.

Management responsible 

Selection and recruitment agencies.

International Transf. 

Personal data international transfers are not considered.

Elimination term 

Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment.

In the event of candidates not being selected, the manager can keep their CVs for two years at most to add them to future calls, unless candidates say the opposite or express their desire for them to be kept for longer, until they withdraw their consent.

Additional Information 

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.

Job portal (for candidates) is one of the services given by the Personnel Department

7. Financial management. Collection and recovery

The manager deals with payments, collections, recoveries and, if it is the case, anything related to financial and/or economic activities.

Manager 

Manager ARAVEN GROUP

Legal basis 

  • GDPR: art. 6.1.b.) Management necessary for the execution of contracts in which the interested party is a party or for the application of precontractual measures
  • GDPR: art. 6.1.b). Management necessary for the fulfilment of a legal obligation applicable to the management responsible.
  • GDPR: art.6.1.e). Management necessary for the achievement of a mission done for public interest or in the exercise of public powers transferred to management responsible in accordance to applicable regulation:
    • Act 58/2003, of December 17, General Tax.
    • Act 38/2003, of November 17, General on subsidies.
    • Act 35/2006, of November 28, of Income tax and of the partial modification of  Acts on Corporation Tax, on Non-residents income and on Estate
    • Act 37/1992, of December 28, on Value Added Tax

Management purpose 

Necessary management of personal data in order to carry out payments, collections, recoveries, refunds if the case, and so on. Registration and checking of data related to VAT, Income tax, Treasury and social security memberships, bank certificates, etc.

Group

  • Staff
  • Providers
  • Clients

Data Categories 

  • Name, surnames
  • Phone number
  • Address and electronic address
  • ID Card / Tax Identification Number
  • Signature / electronic signature
  • Economic, financial and insurance data
  • Banking and corporate data
  • Certificates issued by Public Administration to the interested parties.

Receivers category 

  • Banks and financial entities
  • Tax Administration State Agency

Management responsibles.

Collections and recoveries management companies and agencies.

International Transf. 

Personal data international transfers are not considered.

Elimination term 

Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment. Depending on the cases data can be kept during these terms:

  • 4 years in accordance to the Act on Breaches, Fines and Social Order for obligations of filiation, memberships/leaves, contributions, salary payments (art.66); and in accordance to the General Tax Act to accountancy books, invoices, etc.
  • 5 years in accordance of the Civil Code (art. 1964) for private actions without specific deadline.
  • 6 years in accordance of the Commercial Code on accountancy books, invoices, etc.
  • 10 years in accordance of the Act on Prevention of Money Laundering and Terrorism Funding (art. 25).

Additional Information 

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.

8. Personnel Management. 

Management activity related to management of Group’s staff labour contracts, including management of their training and other activities of the labour relation.

Manager 

Manager ARAVEN GROUP

Legal basis 

Labour or commercial relation has the following legitimation basis:

  • Management is necessary for the execution of contracts in which the interested is a party or for the application on their demand of precontractual measures (art. 6.1.b of GDPR)
  • Workers’ Statute
  • Royal Legislative Decree 1/2013, of November 29, approving the Consolidated Text of the General Act of disabled people’s rights and their social inclusion.

Management Purposes 

Upkeeping of labour relationship with staff

  • Personal record management
  • Time checking
  • Incompatibilities control
  • Boost of staff training and control of its development.
  • Pension plans management by means of a third-party.
  • Social Initiative boost.
  • Labour risk prevention
  • Discipline rules
  • Management of action to raise awareness and fight against sexual or gender harassment in any way.
  • Productivity and performance analysis by means of assessment surveys
  • Unions’ activity management
  • Boost of activities in forums, conferences and round tables.
  • Issue and payment of payrolls, as well as of all the products derived from them

Group

Staff

Data Categories 

  • Email
  • Address
  • Tax Identification Number / ID Card
  • Name and surnames
  • Phone
  • Educational and Professional
  • Social Security Number / Mutual Insurance Company
  • Criminal record certificate
  • Personal characteristics
  • Personal data: disabilities
  • Bank data for the payment of salaries
  • Family Data (contact data of close people or relatives to deal with emergencies)
  • Details about their professional development working for the manager: training, courses, conferences, etc…

Receivers Categories 

  • Public Administration involved in this subject
  • Tax Office
  • Social Security
  • Banks
  • Surveying companies for studies or rankings elaboration.
  • Insurance companies
  • FUNDAE

Management responsibles 

International Transf.

Personal data international transfers are not considered.

Elimination term 

Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment. Depending on the cases data can be kept during these terms:

  • 4 years in accordance to the Act on Breaches, Fines and Social Order for obligations of filiation, memberships/leaves, contributions, salary payments (art.66); and in accordance to the General Tax Act to accountancy books, invoices, etc.
  • 5 years in accordance of the Civil Code (art. 1964) for private actions without specific deadline.
  • 6 years in accordance of the Commercial Code on accountancy books, invoices, etc.

Additional Information 

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.

9.Suppliers, collaborating entities and commercial and business partners  

The manager hires professionals, providers, collaborating entities and commercial and business partners for different actions. To do so, the manager must contact professionals or natural persons developing their activities and/or representing the companies that sell their products or provide services.

Manager

Manager ARAVEN GROUP

Legal basis 

Management is necessary for the performance of agreements in which the interested party is a party or for the application of precontractual measures (art. 6.1.b in GDPR).

Management is necessary to meet legitimate interests pursued by data manager or by any third party and fundamental rights, freedoms or interests of the interested party do not prevail. (Art 6.1.f in GDPR).

Management purposes  

  • Commercial and business partners and supplier contact data registration and management
  • Economic and financial data: banking data, commercial relationship management
  • Labour risk prevention coordination
  • Management of initiatives to raise awareness and fight against social and gender harassment in any way.
  • Record of commercial relation and relationship with the manager
  • Quality and acceptance criteria analysis from data obtained from assessment surveys.
  • Performance assessment by means of surveys and forms
  • Outsourced staff invoice payments as well as of any derived products

Group

Service providers or vendors and, if these are legal persons, the physical contact persons.

Data categories 

  • Identification data:  Name and surnames, ID Card, address, phone number, photo and signature
  • Post details: entity or organisation and held position.
  • Email address
  • Address
  • Signature (by hand, digital or electronic)
  • Image / Voice
  • ID Card
  • Name and surnames
  • Phone number
  • Educational and Professional
  • Personal characteristics.
  • Bank account number to do payments
  • Applicable civil liability insurances
  • Certificate of being up to date of payments to Treasury and Social Security,
  • Registered Office, Tax Identification Code (for legal entities).

Receivers Categories 

  • Financial Entities
  • Tax Administration State Office
  • Insurance Entities

Management Responsibles 

Not considered

International Transf. 

Personal data international transfers are not considered.

Elimination term 

Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment. Depending on the cases data can be kept during these terms:

  • 4 years in accordance to the Act on Breaches, Fines and Social Order for obligations of filiation, memberships/leaves, contributions, salary payments (art.66); and in accordance to the General Tax Act to accountancy books, invoices, etc.
  • 5 years in accordance of the Civil Code (art. 1964) for private actions without specific deadline.
  • 6 years in accordance of the Commercial Code on accountancy books, invoices, etc.
  • 10 years in accordance of the Act on Prevention of Money Laundering and Terrorism Funding (art. 25).

Additional Information 

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.

10. People’s rights support

Deal with applications for exercise of rights stated in the GDPR

Manager

ARAVEN GROUP

Legal basis 

Management is necessary for the fulfilment of a legal obligation applicable to management responsible (art. 6.1.c GDPR). Specifically to receive, deal with and respond to applications for rights of those interested (GDPR Chapter III).

Management purpose 

Receiving, dealing with and responding to applications for rights of those interested (GDPR Chapter III).

Group

Any person.

Data categories 

Name and surnames, ID card, address, telephone number, kind of relationship with the manager and signature.
Related data to the application for the corresponding exercise

Receivers categories 

Assignments are not considered.

Management responsibles 

Not considered

International Transfer. 

Personal data international transfers are not considered.

Elimination term

Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment.

Additional information 

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.

11. Enquiries made face to face, on the phone or by electronic means. Complaints and/or suggestions

Registration and management of enquiries made to Group’s companies about the entities’ activities.

Manager

ARAVEN GROUP, ARAVEN and  GRUPO OM

Legal basis

Users gave consent for their personal data management for one or several specific purposes (art. 6.1.a. in GDPR).

Management Purposes  

Registration and management of enquiries on manager’s activities.

Group

Any person.

Data categories 

  • Identification data: name, surnames, address, email and phone number
  • Data to be added to the enquiry.

Receivers category 

Not considered

Management responsibles 

Not considered

International Transfer. 

Personal data international transfers are not considered.

Elimination term 

Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment.

Additional Information

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.

12. Physical security at facilities. Access registration and control

To ensure people, goods and facilities’ security on physical and electronic spaces. Visitors registration and control with the only purpose of ensuring security.

Manager

ARAVEN GROUP

Legal basis

  • Management necessary for the achievement of a mission done for public interest or in the exercise of public powers transferred to management responsible (art. 6.1.e in GDPR).
  • Management necessary due to essential public interest reasons established by Regulation. Art 9.2.g GDPR.

Management purposes

The purpose of physical security as well as of the registration and access control is to ensure people, goods and facilities’ security on physical and electronic spaces.

Group 

Any natural person coming to managers’ facilities or activities.

  • Workers
  • Companions
  • Guests
  • Providers
  • Clients

Data Categories 

  • Identification data: name and surnames, ID card, address, email address, phone number
  • Professional data: company and position.
  • Reason for visit.

Receivers categories 

  • Security forces
  • Prosecutor’s Office
  • Courts

Management responsible

Not considered

International Transf.

Personal data international transfers are not considered.

Elimination term 

Thirty days at most, starting from the day of collection.

Additional information 

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.

13. Logical security

The manager analyses users’ behaviour when navigating on the website and the different social profiles aiming at preventing and blocking logical attacks.

Manager

ARAVEN GROUP

Legal basis

Management is necessary to meet legitimate interests pursued by the data manager or by any third party, as long as the fundamental rights, freedoms or interests of the interested party requiring personal data protection do not prevail. Specifically, these legitimate interests consist in preventing unauthorised access to, destruction of or alteration of data or systems, and preventing access from being blocked or third parties from doing non-authorised managements.

Management purpose 

To analyse users’ behaviour when navigating on the website and the different social profiles aiming at preventing and blocking logical attacks.
the content and attachments, in the hosting services as well as in the electronic mails.

In both cases one part of the management is directly done by the manager or by assignment. However, most of the data management is done by third parties to whom the service under which they do the management has been contracted, but following their own criteria on means and purposes.

Group

  • Users accessing websites or social profiles managed by the manager.

Data categories

  • IP addresses.
  • Browser user-agent strings.

Receivers categories 

Not considered. If it is the case, courts and security forces.

Management responsibles 

Forensic companies and information security management companies.

International Transf.

International transfers are considered to management responsibles (to indicate, at least, those able to do international transfers, as well as the country) or to the mentioned assignment receivers: Google LLC (United States).

Elimination term 

Data are kept while they are necessary to ensure the management purpose.

Additional information 

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.

Note: implementing reCAPTCHA requires including an explicit notice on the website informing users about these managements. The reCAPTCHA website states exactly what is compulsory to indicate.

14. Video surveillance

Video surveillance of the perimeter and of the accesses to facilities or premises, aiming at ensuring people, goods and facilities’ security in the venues.

Manager

ARAVEN, S.L. and GRUPO OM

Legal basis

  • Management necessary for the achievement of a mission done for public interest or in the exercise of public powers. Art. 6.1.e) GDPR
  • Management necessary due to essential public interest stated by law. Art. 9.2.g) GDPR - Act 5/2014 on Private Security.

Management purposes

  • Ensuring people, goods and facilities’ security.
  • Labour and/or contract obligations fulfilment.

Group

Natural persons going to any of the Group companies’ facilities.

Data category 

Image and/or photo

Receivers category 

  • Security forces
  • Prosecutor’s Office
  • Courts

Management responsible 

Security companies.

International Transf. 

Personal data international transfers are not considered.

Elimination term

Before 30 days after collection.

Additional Information 

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.

15. Complaints channel

Implementation of and access to a Complaints channel as stated by applicable regulations.

Manager

Independent Managers: ARAVEN GROUP, ARAVEN and GRUPO OM

Legal basis

Management is necessary to meet legitimate interests pursued by the data manager or by any third party (art. 6.1.f in GDPR) and, if the case is so, to fulfil a legal obligation applicable to the management responsible (art. 6.1.c in GDPR).

Management purpose 

Management of a complaints channel, as stated by internal policy and rule compliance manuals and prevention of criminal risks to ARAVEN GROUP.

Group

  • Workers
  • Collaborators
  • Affected people in providers/clients
  • Entities’ managers
  • Others.

Data categories 

  • Identification data: ID card, name and surnames, address, email address and phone number. (In case of an anonymous claim, these data could be obtained during the internal investigation.)
  • Other personal data included in claims or obtained during the investigation.

Receivers categories  

  • Spanish Data Protection Agency, in checking processes in accordance with Fundamental Law 3/2018, on Personal Data protection and guarantee of digital rights.
  • Security forces, following a judge’s order and in their role of criminal police.
  • Courts, under the terms established by procedural regulation.

In these cases, before giving data to third parties, it is ensured that those authorities request and access data in accordance with regulation.

Management responsibles 

Not considered

International Transf.  

Personal data international transfers are not considered.

Elimination term

Data will be kept as long as it is necessary to deal with complaints and do the required investigations, as well as to carry out the actions or make the necessary decisions regarding each claim, meeting the corresponding legal obligations.

Information will be kept appropriately blocked for the additional periods necessary until any possible legal liabilities are time-barred.

Additional information

Technical, organisational and operational measures of security and data protection are applied in accordance with Directive 2019/1937.

16. International relations 

Managements to be done in the cases of activities abroad.

Manager

ARAVEN GROUP

Legal basis

Management is necessary for the performance of agreements to which the interested party is a party or for the application of precontractual measures (art. 6.1.b in GDPR).

In specific cases, the interested party gave their consent for personal data management for one or several specific purposes (art. 6.1.a in GDPR).

Management purposes

Management, administration and control of activities done in other countries, belonging to the EU or not, as well as in other international organisations.

Group

Group companies’ staff

Data categories 

  • Identification data: name and surnames, address and email address.
  • Economic and financial data: banking data

Receivers categories

Management responsibles

Travel agencies, travel organisation companies and visa procurement businesses.

International Transf.

International data transfers are considered in the cases stated in art. 49.1 GDPR:

a) The interested party has explicitly given their consent to the suggested transfer, given the lack of an adequacy decision and of suitable guarantees;

b) The transfer is necessary to execute a contract between the interested party and the management responsible, or to execute precontractual measures taken at the request of the interested party.

Elimination term

Data will be kept while the legal relation between the interested party and ARAVEN lasts.

Additional information 

PIA (Private Impact Analysis)  is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
