Record of treatment activities

In all other cases, the data subject gave their consent to the processing of their personal data for one or more specific purposes (art. 6.1.a GDPR). In order to obtain this consent, the data subject will be informed separately from any purchase and sale agreement, general terms and conditions or service contract. This processing is carried out on browsing data collected from the website, apps, etc.

• Analysis of the opening of communications sent by ARAVEN GROUP.
• Analysis of user browsing through the websites, mobile applications and social profiles managed by the data controller.
• Analysis of behaviour in commercial telephone calls.

• For web analytics: Browser user agent string and IP address relationship, along with graphs and aggregate values on the browsing of all users for each page of the website.
• E-mail analytics: Browser user agent string and IP address relationship, along with graphs and aggregate values on the browsing of all users for each page of the website…
• Telephone analytics: Behaviour and reactions to commercial messages.

Particularly, in the case of e-mail analytics and in addition to the above, data will be obtained and analysed on the number of openings, time of opening, day of opening, forwarding, conversions (in the case of incorporating forms in e-mail), user clicks within internal links of the e-mail (with exits to: landing, website, direct mail to personal contact…), device from which it is opened, hardware, block and software, e-mail bounces, and unsubscribes.

• Twitter Inc
• LinkedIn
• Facebook.com

·         Users

·         Any other person

• Location
• Professional interests
• Education and curriculum vitae (past and present jobs)
• Age

• No data transfers are envisaged.

• Art. 21.1 of Spanish Law 34/2002, of 11 July, on Information Society and Electronic Commerce Services.
• Spanish Law 3/1991, of 10 January, on Unfair Competition.
• General Spanish Law 34/1998, of 11 November, on Advertising.

For persons who have contracted with the controller: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular where the data subject is a child (art. 6.1.f of the GDPR).

• Consultations and studies carried out by the data controller on different areas and subjects.
• To ascertain customer satisfaction and the market positioning of the companies responsible.

• Leads
• Customers and potential customers.

• Name and surname(s)
• E-mail address
• Mobile number
• Comments and opinions on the contents of the surveys.

·         Peer-to-peer audience platforms to which the data controller allows access to data for the sole purpose of displaying targeted advertising to other peer users.

• Sending of communications to customers: the data will be kept for this purpose for as long as the recipient of the messages reasonably expects to continue receiving advertising or promotional communications.
• Sending of communications upon request or express authorisation: the data will be kept for this purpose until the user withdraws their consent.

• Evaluation of the participants to prove that they meet the requirements set out in the rules
• Selection of the winner
• Awarding of prizes

• Participants in promotional activities, competitions or prize draws

• Name and surname(s)
• National ID (DNI)
• Physical address
• E-mail address
• Telephone number
• Content shared to participate in the promotional activity

• Tax Authority
• Banking institutions

• Entities collaborating in the management of competitions and raffles.

• Photo and video: in cases where it is so established, some personal data of the winners will be published, including their first and last names, location, relationship with the data controller, shared content and their image (photo or video) to ensure the transparency of the promotion, contest or prize draw.
• Sending of commercial communications: in those cases in which this is established, in order to participate in the promotional activity, the data subject must be the recipient of commercial advertising or promotional communications from the data controller. The consent for this processing will be obtained separately from that of the promotional activity.

For the case of recordings and broadcasts of attendees’ speeches at specific events: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular where the data subject is a child (art. 6.1.f of the General Data Protection Regulation).

Express consent for the other purposes, as set out in:

• The data subject gave their consent to the processing of their personal data for one or more specific purposes (art. 6.1.a of the General Data Protection Regulation)
• Spanish Organic Law 1/1982, of 5 May, on the civil protection of the right to honour, personal and family privacy and self-image, especially articles 2, 7 and 8 thereof
• Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.

• Publication of brand promotion activities.
• Advertising or promotional purposes of the data controller.
• Publication on the pages and websites of the data controller and assigned to the media.
• Presence on social networks.

• Employees and external staff.
• Participants in competitions and prize draws organised by the data controller
• Other persons

• Image
• Voice
• Name and surname(s)
• Physical address
• E-mail address
• Telephone
• Link to the data controller
• Specific reason for the accepted processing

The proactive search for candidates and details about them in third-party databases is based on the legitimate interest of discovering them for positions or getting to know them better in order to know whether the position fits their profile (art. 6.1.f of the General Data Protection Regulation).

·         Professionals with public profiles.

• Identification data.
• Postal address.
• Telephone.
• Data on personal characteristics: Gender, nationality, age, date and place of birth.
• Academic and professional data: Qualifications, education and professional experience.

Selection and Recruitment Companies

In the event that the candidate is not selected, the controller may keep their CV for a maximum of two years in order to incorporate it in future calls for applications, unless the candidate indicates otherwise or expresses a wish to keep it for a longer period, until the candidate withdraws their consent.

GDPR: art. 6.1.c). Processing necessary for compliance with a legal obligation applicable to the controller.

GDPR: art.6.1.e). Processing necessary for the fulfilment of a mission carried out in the public interest or in the exercising of public powers conferred on the data controller, in accordance with the applicable regulations:

·         General Spanish Law 58/2002, of 17 December, on Taxation.

·         General Spanish Law 38/1998, of 17 November, on Subsidies.

·         Spanish Law 35/2006, of 28 November, on Personal Income Tax and partially amending the laws on Corporate Income Tax, Non-Resident Income Tax and Wealth Tax.

·         Spanish Law 37/2002, of 28 December, on Value Added Tax.

• Workforce
• Suppliers
• Customers.

·         Telephone.

·         Postal and electronic address.

·         ID number.

·         Signature, electronic signature.

·         Economic, financial and insurance data.

·         Bank and business details.

·         Certificates issued by the Public Administration for data subjects.

·         State Tax Administration Agency

Collection and recovery management companies and offices

• The processing is necessary for the execution of a contract to which the data subject is party or for the implementation at their request of pre-contractual measures (art. 6.1.b of the GDPR)
• Workers’ Statue
• Spanish Royal Legislative Decree 1/2013, of 29 November, approving the consolidated text of the Spanish General Law on the rights of persons with disabilities and their social inclusion.

• Management of personal files.
• Timetable control.
• Control of incompatibilities.
• Promotion of the training of contracted staff and monitoring of their development.
• Management of pension plans through a third party.
• Promotion of the social action.
• Occupational risk prevention.
• Disciplinary regime.
• Management of actions to raise awareness and fight against sexual and gender-based harassment in any form.
• Productivity and performance analysis through evaluation surveys.
• Management of trade union activity.

·         Issuance and payment of the payroll, as well as all the products derived from it.

• E-mail address
• Address
• ID number
• Name and Surname(s)
• Telephone
• Academic and Professional
• Social Security/Mutual Benefit Fund No.
• Certificate of absence of criminal record
• Personal Characteristics
• Personal data: disability
• Bank details for salary payments.
• Family data.

·         Details of their professional development working for the controller: training received, courses, conferences, etc.

• Public administration with competence in the field
• Tax Agency
• Social Security
• Banking institutions
• Companies involved in surveys for the preparation of studies or rankings
• Insurance companies
• FUNDAE

• Economic-financial data:  bank details. Management of the commercial relationship.
• Coordination in the field of Occupational Risk Prevention.
• Management of actions to raise awareness and fight against sexual and gender-based harassment in any form.
• History of the business relationship and relationship with the controller.
• Analysis of quality and acceptance criteria through data obtained from assessment surveys.
• Performance evaluation through surveys and forms.
• Payment of invoices for external staff, as well as all products derived from it.

·         Details of the position: entity or body and position held.

• E-mail address
• Address
• Bank account number for processing payments
• Applicable civil liability insurance
• Details of current tax and social security payments.
• Registered office, Tax ID number (for legal entities)

·         State Tax Administration Agency

• Insurance companies

Not envisaged

·         Data relating to the corresponding exercise request.

Not envisaged

·         Data that can be incorporated into the query.

Not envisaged

Processing necessary for reasons of essential public interest as determined by law. Art. 9.2.g) of the GDPR.

• Workers
• Accompanying persons
• Guests
• Suppliers
• Customers

·         Professional data: company and position.

·         Reason for the visit.

·         Public Prosecutor’s Office.

·         Judicial Bodies.

Not envisaged

• the browsing behaviour of users through the website and the different social profiles in order to prevent and block logical attacks.
• the content and attachments of both content hosting services and e-mail services.

In both cases, part of the processing is carried out by the data controller directly or on its behalf. However, most of the processing is carried out by third parties to whom the service has been contracted under which they perform processing for this purpose, but according to their own criteria of choice of purposes and means.

·         Browser user agent string.

Forensic and information security management companies.

Processing necessary for reasons of essential public interest as determined by law. Art. 9.2.g) of the GDPR.  Spanish Law 5/2014, of 4 April, on Private Security.

·         Judicial Bodies.

·         Public Prosecutor’s Office.

·         Collaborators

·         Persons affected in Suppliers/Customers.

·         Managers of the entities.

·         Other

·         Other personal data contained in the reports or obtained during the investigation.

·         State Security Forces and Corps, with prior judicial authorisation and in the exercise of their judicial police functions.

·         Judges and courts under the terms defined by procedural legislation.

In these cases, before making the data available to third parties, it ensures that these authorities request and access the data in accordance with the Laws.

The information will be kept duly blocked for the additional periods necessary for the limitation of possible legal liabilities.

In specific cases, the data subject gave their consent to the processing of their personal data for one or more specific purposes (art. 6.1.a GDPR).

·         Economic-financial data: bank details.

(a) the data subject has explicitly consented to the proposed transfer, having been informed of the possible risks to them of such transfers due to the absence of an adequacy finding and appropriate guarantees;

(b) the transfer is necessary for the execution of a contract between the data subject and the controller or for the execution of pre-contractual measures taken at the request of the data subject.