1. Web analytics with statistical and functional purposes (Marketing Department).
2. Basic creation of profiles with publicity purposes (Commercial and Marketing Departments).
3. Mailing of commercial activity, publicity and promotional communications and sector assessment surveys or market studies. (Marketing and Commercial Departments)
4. Promotions: contests and raffles (Marketing and Commercial Departments).
5. Photo, video and voice recording aiming at personal brand improvement or commercial purposes (Marketing and Commercial Departments).
6. Job portal, for applicants and vacancies record for working at ARAVEN GROUP (Personnel Department).
7. Financial management, Collection and recovery (Financial and Administration Departments)
8. Staff (Personnel Department).
9. Suppliers and commercial partners (Financial and Administration Departments).
10. People’s rights support (Administration Department)
11. Complaints and suggestions (Quality Department).
12. Physical security at facilities. Access registration and control. (Administration Department)
13. Logical Security (Systems Department).
14. Video surveillance (Administration Department).
15. Complaints channel (Administration Department).
16. International Relations (Administration Department).
Updated 14/10/2022
The manager analyses people’s navigation and behaviour in order to understand how its tools are used and adapt them to users’ needs, as well as to improve its communication, commercialization and people support activities.
Manager
ARAVEN GROUP, S.L.
Independent managers to analyse data obtained when opening and interacting with emails. Corresponsible for shared own communication channels (same web): ARAVEN, S.L. and GRUPO OM, S.L.
Legal basis
To the extent that the performance of the agreement so requires: management is necessary for the performance of agreements to which the interested party is a party or for the application of precontractual measures (art. 6.1.b in GDPR).
In the rest of cases the interested party gave consent for their data management for one or several specific purposes (art. 6.1.a. in GDPR). To obtain these consents, the interested will be informed separately from any purchase agreement, general terms or service agreement. This management will be done on navigation data obtained from the website as well as from apps, and so on.
Management purposes
In the event that analytical treatment is based on contract performance, only the analytics required for contract performance will be done: for example, the analysis could cover the number of times that users have accessed information, whether they download it, and confirmation that they have accessed security communications sent by the manager, without any additional management for this reason. In any other case, subject to prior acceptance by the interested party, the purpose of personal data analytical management will be:
Group
Users accessing websites, mobile applications or social profiles managed by the manager, as well as those opening or responding to communications sent by the manager.
Data categories
Specifically in the case of email analytics, and in addition to the previously stated: data on the number of openings, opening time, opening date, resends, conversions (in case of forms being included in the emails), users’ clicks on internal links in emails (with links to: landing, webs, direct mailto to personal contacts…), the device from which emails are opened, hardware, block and software, email bounces and unsubscriptions.
Receivers categories
Data communications are not considered.
Data management responsibles
Google LLC – Google Analytics – https://analytics.google.com/analytics/web/
International Transf.
Management responsible is Google Ireland and, by second assignment, Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA, United States. Security measures: data protection agreement including standard terms through Google Workspace (formerly GSuite). https://privacy.google.com/businesses/processorterms/
Elimination term
Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment.
Additional information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
Users tagging depending on their activity on the website, in venues and through advertising creativities aiming at sending them publicity and promotional content adjusted to their preferences.
Manager
Manager ARAVEN GROUP and corresponsible ARAVEN and GRUPO OM.
Legal basis
Users gave consent for their personal data management for one or several specific purposes (art. 6.1.a. in GDPR). To obtain these consents, the interested party will be informed separately from any purchase agreement, general terms or service agreement and will be obtained in the same way.
Management purposes
Users tagging depending on their activity on the website, in venues and through advertising creativities aiming at sending them publicity and promotional content adjusted to their preferences.
Group
Data category
Receivers category
Data assignments are not considered.
Data management responsibles
International Transf.
International transfers are not considered.
Elimination term
Until the interested party applies for unsubscription or their data elimination.
Additional information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
Mailing of personalised messages with publicity or promotional content.
In addition, surveys and polls are carried out among the different groups included in its managements in order to write reports on different fields and subjects, including its positioning in the market, and to know customers’ satisfaction. Finally, in dealing with surveys, on certain occasions it is required to know participants’ data so as to link information to them, notwithstanding that in most cases information can be made anonymous by means, among other techniques, of data addition.
Manager
Manager ARAVEN GROUP and corresponsibles ARAVEN and GRUPO OM.
Legal Basis
The interested party gave their consent for personal data management for one or several specific purposes (Art 6.1.a of GDPR).
For those who have dealt with the manager: management is necessary to meet legitimate interests pursued by data manager or by any third party, as long as fundamental rights, freedoms or interests of the interested party requiring personal data protection do not prevail, especially when the interested party is a child (Art 6.1.f in GDPR).
Management purposes
Group
Customers and those people interested in the activities and information about manager’s activities, products and services or about the contents created, published or promoted by the manager.
Leads
Clients and potential clients.
Data categories
Receivers categories
Personal data assignments are not considered.
Data management responsibles
Sales representatives: Whenever commercial purposes recommend to do so due to the interested party location and the opportunities managers can offer in the background, data will be allowed to be communicated to sales representatives (who will work as managers) with whom the manager has established and keeps security measures suitable to the risk level for personal data by management responsibles’ contracts and on which periodical audits and inspections will be done.
Affinity audiences platforms (Facebook Audience Insights; LinkedIn Lookalike Audience for Ad Targeting; and Google Custom Affinity Audiences), to which the manager allows data access with the only purpose of showing segmented publicity to other similar users.
International Transf.
International transfers to data managers are considered.
Elimination term
Communication mailing to customers: data will be kept for this purpose while receivers have reasonable expectations of keeping receiving publicity or promotional communications.
Sending communications at request or expressed authorisation: Data will be kept until users withdraw their consent.
Additional information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
The manager promotes its activities by means of raffles and other random combination games with publicity or promotional contents, as well as by means of other non-random actions such as direct gifts or contests with a jury. This management activity is related, according to what is stated in the rules, with the activities of taking photos and videos and using them, as well as commercial, publicity and promotional communications.
Manager
Manager ARAVEN GROUP and corresponsibles ARAVEN and GRUPO OM.
Legal basis
The interested party gave their consent for personal data management for one or several specific purposes (Art 6.1.a of GDPR).
Management purposes
Group
Participants in promotion activities, contests or raffles.
Data Category
Receivers category
Management responsibles
Collaborating entities in contests and raffles management.
International Transf.
Personal data international transfers are not considered.
Elimination term
Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment.
Additional information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR. Other management activities linked (access to them for further information):
Photo and video: When it is stated, some winners’ personal data will be published, including their names and surnames, town, relation with the manager, shared content and their image (photo or video) to ensure the transparency of the promotion, contest or raffle.
Commercial communications mailing: In cases in which it is stated, to participate in the activity the interested party will have to be a receiver of commercial or promotional communications from the manager. Consent for this data will be obtained separately from the promotional activity.
Taking photos or recording images and/or voice for (1) promotion activities and (2) manager’s publicity or promotional purposes.
Manager
Manager ARAVEN GROUP and corresponsibles ARAVEN and GRUPO OM.
Legal basis
For Group’s company staff: related to their card, their certifications and other specific cases, and for lecturers in events and conferences, management is necessary to execute a contract in which the interested party is a party or for the application, on their demand, of precontractual measures (art 6.1.b of GDPR).
For recordings and broadcasting of the interventions of attendants to specific events: management is necessary to meet legitimate interests pursued by data manager or by any third party, as long as fundamental rights, freedoms or interests of the interested party requiring personal data protection do not prevail, especially when the interested party is a child (Art 6.1.f in GDPR).
Express consent for any other purposes, as it is stated in:
Management purposes
Photo taking and images and voice recording for:
Group
Data categories
Receivers category
Data will be published on manager’s websites and given to media when consent for these managements has been obtained from the interested party, or when it is necessary for the execution of contracts in which the interested party is a party, or when the manager’s legitimate interest mentioned before must be met. In case of publication on social media, their use terms and conditions may be applied.
No other personal data assignments are considered.
Management responsibles
Agencies of content management, edition and delivery of audiovisual materials.
International Transf.
Personal data international transfers are not considered.
Elimination term
Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment. In any other cases, data management will be kept until users withdraw their consent. If data had been published on third-parties’ websites or on media external to the manager, the exercise of rights may have as a response the impossibility to effectively eliminate data.
Additional information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
Vacancies record and selection of labour staff as well as outsourced.
Manager
Manager ARAVEN GROUP
Legal basis
Management is necessary for the execution of contracts in which the interested party is a party or for the application, on their demand, of precontractual measures (art. 6.1.b of GDPR). Interested parties’ records will be based on the fulfilment of legal obligations applicable to management responsible (art. 6.1.c. of GDPR).
Proactive search for candidates and for their details on third parties’ databases is based on the legitimate interest of finding them in order to know whether they are suitable for the post (art. 6.1.f. of the GDPR).
Workers’ Statute
Royal Legislative Decree 1/2013, of November 29, approving the Consolidated Text of the General Act on disabled people’s rights and their social inclusion.
Group
Management purposes
Analysis and checking of candidates’ professional records when this is crucial to the established tasks (e.g. teaching). The manager will analyse documents sent by the candidate, any public content directly accessible by means of search engines, profiles on professional social media, data obtained from access tests and information revealed during the job interviews, aiming at assessing their application and being able to offer a job if it is the case. This analysis will possibly be done to find and assess candidates for specific jobs or tasks.
Data Categories
Receivers category
Companies where or with which the employer had worked in order to check data and their veracity.
Management responsible
Selection and recruitment agencies.
International Transf.
Personal data international transfers are not considered.
Elimination term
Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment.
In the event of candidates not being selected, the manager can keep their CVs for two years at most to add them to future calls, unless candidates say the opposite or express their desire for them to be kept for longer, until they withdraw their consent.
Additional Information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
Job portal (for candidates) is one of the services given by the Personnel Department
The manager deals with payments, collections, recoveries and, if it is the case, anything related to financial and/or economic activities.
Manager
Manager ARAVEN GROUP
Legal basis
Management purpose
Necessary management of personal data in order to carry out payments, collections, recoveries, refunds if the case, and so on. Registration and checking of data related to VAT, income tax, Treasury and social security memberships, bank certificates, etc.
Group
Data Categories
Receivers category
Management responsibles.
Collections and recoveries management companies and agencies.
International Transf.
Personal data international transfers are not considered.
Elimination term
Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment. Depending on the cases data can be kept during these terms:
Additional Information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
Management activity related to management of Group’s staff labour contracts, including management of their training and other activities of the labour relation.
Manager
Manager ARAVEN GROUP
Legal basis
Labour or commercial relation has the following legitimation basis:
Management Purposes
Upkeep of labour relationship with staff
Group
Staff
Data Categories
Receivers Categories
Management responsibles
International Transf.
Personal data international transfers are not considered.
Elimination term
Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment. Depending on the cases data can be kept during these terms:
Additional Information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
The manager hires professionals, providers, collaborating entities and commercial and business partners for different actions. To do so, the manager must contact professionals or natural persons who develop their activities and/or represent the companies that sell their products or provide services.
Manager
Manager ARAVEN GROUP
Legal basis
Management is necessary for the performance of agreements to which the interested party is a party or for the application of precontractual measures (art. 6.1.b in GDPR).
Management is necessary to meet legitimate interests pursued by data manager or by any third party, as long as fundamental rights, freedoms or interests of the interested party do not prevail (Art 6.1.f in GDPR).
Management purposes
Group
Service providers or vendors and, if these are legal persons, the physical contact persons.
Data categories
Receivers Categories
Management Responsibles
Not considered
International Transf.
Personal data international transfers are not considered.
Elimination term
Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment. Depending on the cases data can be kept during these terms:
Additional Information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
Deal with applications for exercise of rights stated in the GDPR
Manager
ARAVEN GROUP
Legal basis
Management is necessary for the fulfilment of a legal obligation applicable to management responsible (art. 6.1.c GDPR). Specifically, to receive, deal with and respond to applications for rights of those interested (GDPR Chapter III).
Management purpose
Receiving, dealing with and responding to applications for rights of those interested (GDPR Chapter III).
Group
Any person.
Data categories
Name and surnames, ID card, address, telephone number, kind of relationship with the manager and signature.
Related data to the application for the corresponding exercise
Receivers categories
Assignments are not considered.
Management responsibles
Not considered
International Transfer.
Personal data international transfers are not considered.
Elimination term
Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment.
Additional information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
Registration and management of enquiries made to Group’s companies about the entities’ activities.
Manager
ARAVEN GROUP, ARAVEN and GRUPO OM
Legal basis
Users gave consent for their personal data management for one or several specific purposes (art. 6.1.a. in GDPR).
Management Purposes
Registration and management of enquiries on manager’s activities.
Group
Any person.
Data categories
Receivers category
Not considered
Management responsibles
Not considered
International Transfer.
Personal data international transfers are not considered.
Elimination term
Data will be kept during the required term to meet the purpose for which they were obtained and to establish possible responsibilities derived from that purpose and data treatment.
Additional Information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
To ensure people, goods and facilities’ security on physical and electronic spaces. Visitors registration and control with the only purpose of ensuring security.
Manager
ARAVEN GROUP
Legal basis
The purpose of physical security as well as of the registration and access control is to ensure people, goods and facilities’ security on physical and electronic spaces.
Group
Any natural person coming to managers’ facilities or activities.
Data Categories
Receivers categories
Management responsible
Not considered
International Transf.
Personal data international transfers are not considered.
Elimination term
Thirty days at most, starting from the day of collection.
Additional information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
The manager analyses users’ behaviour when navigating on the website and the different social profiles aiming at preventing and blocking logical attacks.
Manager
ARAVEN GROUP
Legal basis
Management is necessary to meet legitimate interests pursued by data manager or by any third party, as long as fundamental rights, freedoms or interests of the interested party requiring personal data protection do not prevail. Specifically, these legitimate interests consist in preventing unauthorised access to, destruction of or alteration of data or systems, and in preventing access from being blocked or third parties from carrying out non-authorised managements.
Management purpose
To analyse users’ behaviour when navigating on the website and the different social profiles aiming at preventing and blocking logical attacks.
the content and attachments, in the hosting services as well as in the electronic mails.
In both cases one part of the management is directly done by the manager or by assignment. However, most of the data management is done by third parties to whom the service under which they do the management has been contracted, but following their own criteria on means and purposes.
Group
Receivers categories
Not considered. If it is the case, courts and security forces.
Management responsibles
Forensic companies and information security management companies.
International Transf.
It is considered to do international transfers to management responsibles (to indicate, at least, those able to do international transfers, as well as the country) or the mentioned assignment receivers: Google LLC (United States).
Elimination term
Data are kept while they are necessary to ensure the management purpose.
Additional information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
Note: implementing reCaptcha requires including on the website an explicit warning informing users about these managements. The reCaptcha website states exactly what is compulsory to indicate.
Perimeter video surveillance and of the accesses to facilities or premises aiming at ensuring people, goods and facilities’ security in the venues.
Manager
ARAVEN, S.L. and GRUPO OM
Legal basis
Group
Natural persons going to any of the Group companies’ facilities.
Data category
Image and/or photo
Receivers category
Management responsible
Security companies.
International Transf.
Personal data international transfers are not considered.
Elimination term
Before 30 days after collection
Additional Information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.
Implementation and access to a Complaints channel as stated by application regulations.
Manager
Independent Managers: ARAVEN GROUP, ARAVEN and GRUPO OM
Legal basis
Management is necessary to meet legitimate interests pursued by data manager or by any third party (Art 6.1.f in GDPR) and, if the case is so, to fulfil a legal obligation applicable to management responsible (art. 6.1.c GDPR).
Management purpose
Management of a complaints channel, as stated by internal policy and rule compliance manuals and prevention of criminal risks to ARAVEN GROUP.
Group
Data categories
Receivers categories
In these cases, before giving data to third parties, it is ensured that those authorities request and access to data in accordance with regulation.
Management responsibles
Not considered
International Transf.
Personal data international transfers are not considered.
Elimination term
Data will be kept as long as it is necessary to deal with complaints and do the required investigations, as well as to carry out the actions or make the necessary decisions regarding each claim, meeting the corresponding legal obligations.
Information will be kept appropriately blocked for the additional periods necessary for eventual legal liabilities to prescribe.
Additional information
Technical, organisational and operational measures of security and data protection are applied in accordance with Directive 2019/1937.
Managements to be done in the cases of activities abroad.
Manager
ARAVEN GROUP
Legal basis
Management is necessary for the performance of agreements to which the interested party is a party or for the application of precontractual measures (art. 6.1.b in GDPR).
In specific cases, the interested party gave their consent for personal data management for one or several specific purposes (Art 6.1.a of GDPR).
Management purposes
Management, administration and control of activities done in other countries, belonging to the EU or not, as well as in other international organisations.
Group
Group companies’ staff
Data categories
Management responsibles
Travel agencies and movement organisations and visa obtention businesses.
International Transf.
International data transfers are considered in the cases stated in art. 49.1 GDPR:
a) The interested party has explicitly given their consent to the suggested transfer due to the lack of an adequation decision and of suitable guarantees;
b) The transfer is necessary to execute a contract between the interested party and the management responsible or for the execution of precontractual measures to be taken on demand of the interested party.
Elimination term
Data will be kept while the legal relation between the interested party and ARAVEN lasts,
Additional information
PIA (Private Impact Analysis) is not required in this management due to the managed data and the way in which the manager does it, according to what is stated in Article 35 of GDPR and in Article 28 of the GDPR.