Record of processing activities

 

  ———————– PROCESSING CATEGORIES ——————–
    • Web analytics for statistical and functional purposes.
    • Basic profiling by the data controller for advertising purposes.
    • Commercial activity, sending of advertising and promotional communications and sector assessment surveys or market studies.
    • Promotions: competitions and prize draws.
    • Photography, video and voice recording for brand enhancement or commercial purposes.
    • Employment Portal, for candidates and provision of vacancies to work at SHOP AND ROLL ESPAÑA.
    • Financial Management. Collection and recovery.
    • Staff Management.
    • Suppliers and commercial and business partners.
    • Addressing people’s rights.
    • Queries and suggestions.
    • Physical security at the premises. Registration and control of access.
    • Logical security.
    • Video surveillance.
    • Whistleblowing Channel.
    • International Relations.

     ——————————— SECOND LAYERS ————————————

     

    Updated 02/07/2024

    1. Web analytics for statistical and functional purposes.

    The data controller analyses users’ browsing and behaviour in order to understand how its tools are used and to adapt them to their needs, as well as to improve its communication, marketing and customer service activities.

     

    Data controllers: ARAVEN GROUP, S.L. and co-controller SHOP AND ROLL ESPAÑA, for the analysis of data extracted when opening and interacting with e-mails.
    Legal basis: Insofar as the execution of the contract justifies it: the processing is necessary for the execution of a contract to which the data subject is party or for the implementation at their request of pre-contractual measures (art. 6.1.b of the GDPR).

    In all other cases, the data subject gave their consent to the processing of their personal data for one or more specific purposes (art. 6.1.a GDPR). In order to obtain this consent, the data subject will be informed separately from any purchase and sale agreement, general terms and conditions or service contract. This processing is carried out on browsing data collected from the website, apps, etc.

    Purposes of the processing: In the event that the analytical processing is based on the execution of a contract, the analytics necessary for the execution of the contract will be performed: for example, the number of times each user has accessed the information or, if downloaded, the acknowledgement that they have accessed the information security communications sent to them by the data controller will be analysed, without any additional processing being carried out for this reason. In all other cases, where prior acceptance by the data subject is required, the purpose of the analytical processing of personal data will be:

    • Analysis of the opening of communications sent by ARAVEN GROUP.
    • Analysis of user browsing through the websites, mobile applications and social profiles managed by the data controller.
    • Analysis of behaviour in commercial telephone calls.
    Group: Users who access websites, applications or social profiles managed by the data controller, as well as those who open or respond to communications sent by the data controller.
    Categories of data: The analytics service providers aggregate the data they obtain to provide the data controller with quantitative information on the browsing and behaviour of people, without it being possible to identify the individual. The data processed are:

    • For web analytics: Browser user agent string and IP address relationship, along with graphs and aggregate values on the browsing of all users for each page of the website.
    • E-mail analytics: Browser user agent string and IP address relationship, along with graphs and aggregate values on the browsing of all users for each page of the website…
    • Telephone analytics: Behaviour and reactions to commercial messages.

    Particularly, in the case of e-mail analytics and in addition to the above, data will be obtained and analysed on the number of openings, time of opening, day of opening, forwarding, conversions (in the case of incorporating forms in e-mail), user clicks within internal links of the e-mail (with exits to: landing, website, direct mail to personal contact…), device from which it is opened, hardware, block and software, e-mail bounces, and unsubscribes.

    Target category: No data communications are envisaged.
    Data processors: Google LLC – Google Analytics – https://analytics.google.com/analytics/web/
    International transfers: The processor is Google Ireland, and the sub-processor is Google LLC, 1600 Amphitheatre Parkway Mountain View, CA USA. Security measure: data protection agreement with standard clauses through Google Workspace (formerly GSuite). https://privacy.google.com/businesses/processorterms/

    • Twitter Inc
    • LinkedIn
    • Facebook.com
    Deletion period: The data will be kept for the time necessary to comply with the purpose for which they were collected and to determine any possible liabilities that may derive from said purpose and from the processing of the data.
    Additional information: No data protection impact assessment is required for this processing, for the data processed and as the data controller executes it, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).

     

    1. Basic profiling by the data controller for advertising purposes

    Tagging of users according to their activity on the website, in the different companies of the Group and through advertising creativities in order to send them advertising and promotional content adapted to their preferences.

     

    Data controller: The data controller is ARAVEN GROUP, S.L. and the co-controller is SHOP AND ROLL ESPAÑA.
    Legal basis: The data subject gave their consent to the processing of their personal data for one or more specific purposes (art. 6.1.a GDPR). In order to obtain this consent, the data subject will be informed separately from any purchase and sale agreement, general terms and conditions or service contract, and it will be obtained in the same way.
    Purposes of the processing: Tagging of users according to their activity on the website, on the sites and through advertising creativities in order to send them advertising and promotional content adapted to their preferences.
    Group
    • Lead (people who can potentially become customers)
    • Users
    • Any other person

    Categories of data
    • Location
    • Professional interests
    • Education and curriculum vitae (past and present jobs)
    • Age
    Target category
    • No data transfers are envisaged.
    Data processors
    International transfers: No international transfers are envisaged.
    Deletion period: Until the data subject requests the cancellation or deletion of their data.
    Additional information: Not required for this processing, for the data processed and as the data controller executes it, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).

     

    1. Commercial activity, sending of advertising and promotional communications and assessment surveys or market studies.

    Sending of personalised messages with advertising and promotional content.

    Likewise, surveys and consultations are carried out with different groups included in their processing in order to draw up reports on different areas and subjects, including their positioning in the market, and to find out customer satisfaction.

     

    Data controller: The data controller is ARAVEN GROUP, and the co-controller is SHOP AND ROLL ESPAÑA.
    Legal basis: The data subject gave their consent to the processing of their personal data for one or more specific purposes (art. 6.1.a GDPR):

    • Art. 21.1 of Spanish Law 34/2002, of 11 July, on Information Society and Electronic Commerce Services.
    • Spanish Law 3/1991, of 10 January, on Unfair Competition.
    • General Spanish Law 34/1998, of 11 November, on Advertising.

    For persons who have contracted with the controller: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular where the data subject is a child (art. 6.1.f of the GDPR).

    Purposes of the processing
    • Sending of advertising or promotional communications by electronic, postal and telephone means.
    • Consultations and studies carried out by the data controller on different areas and subjects.
    • To ascertain customer satisfaction and the market positioning of the companies responsible.
    Group: Customers and persons interested in the activities and information about the activities, products and services of the data controller or the content it creates, publishes or promotes:

    • Leads
    • Customers and potential customers.
    Categories of data
    • Name and surname(s)
    • E-mail address
    • Mobile number
    • Comments and opinions on the contents of the surveys.
    Category of recipients: No personal data transfers are envisaged.
    Data processors
    • Commercial agents: Where commercial purposes make it advisable due to the location of the data subject and the opportunities that the controller may offer them in their environment, data may be disclosed to commercial agents (acting as processors) with whom the controller has established and maintains security measures appropriate to the level of risk to personal data through processor contracts and on whom the controller conducts regular audits and inspections.
    • Peer-to-peer audience platforms to which the data controller allows access to data for the sole purpose of displaying targeted advertising to other peer users.
    International transfers: Not envisaged.
    Deletion period
    • Sending of communications to customers: the data will be kept for this purpose for as long as the recipient of the messages reasonably expects to continue receiving advertising or promotional communications.
    • Sending of communications upon request or express authorisation: the data will be kept for this purpose until the user withdraws their consent.
    Additional information: No data protection impact assessment is required for this processing, for the data processed and as the data controller executes it, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).


    1. Promotions: competitions and prize draws

    The data controller promotes its activities through prize draws, raffles and other random combination games for advertising or promotional purposes, as well as through other non-random actions such as direct giveaways and juried competitions. As indicated in the terms and conditions, this processing activity is related to the activities of taking and using photographs and videos, as well as sending commercial advertising and promotional communications.

     

    Data controller: The data controller is ARAVEN GROUP, and the co-controller is SHOP AND ROLL ESPAÑA.
    Legal basis: The data subject gave their consent to the processing of their personal data for one or more specific purposes (art. 6.1.a GDPR).
    Purposes of the processing
    • Evaluation of the participants to prove that they meet the requirements set out in the rules
    • Selection of the winner
    • Awarding of prizes
    Group
    • Participants in promotional activities, competitions or prize draws
    Categories of data
    • Name and surname(s)
    • National ID (DNI)
    • Physical address
    • E-mail address
    • Telephone number
    • Content shared to participate in the promotional activity
    Target category
    • Tax Authority
    • Banking institutions
    Data processors
    • Entities collaborating in the management of competitions and raffles.
    International transfers: No international personal data transfers are envisaged.
    Deletion period: The data will be kept for the time necessary to comply with the purpose for which they were collected and to determine any possible liabilities that may derive from said purpose and from the processing of the data.
    Additional information: No data protection impact assessment is required for this processing, for the data processed and as the data controller executes it, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD). Other related processing activities (see them for more information):

    • Photo and video: in cases where it is so established, some personal data of the winners will be published, including their first and last names, location, relationship with the data controller, shared content and their image (photo or video) to ensure the transparency of the promotion, contest or prize draw.
    • Sending of commercial communications: in those cases in which this is established, in order to participate in the promotional activity, the data subject must be the recipient of commercial advertising or promotional communications from the data controller. The consent for this processing will be obtained separately from that of the promotional activity.

     

    1. Photography, video and voice recording for personal brand enhancement or commercial purposes.

    Photography and image and/or voice recording for (1) promotional activities and (2) advertising or promotional purposes of the data controller.

     

    Data controller: The data controller is ARAVEN GROUP, and the co-controller is SHOP AND ROLL ESPAÑA.
    Legal basis: In the case of staff of Group companies: in connection with the management of their file, accreditations or other specific cases, and in the case of speakers at events and congresses, processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures at the request of the data subject (art. 6.1.b of the General Data Protection Regulation).

     

    For the case of recordings and broadcasts of attendees’ speeches at specific events: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular where the data subject is a child (art. 6.1.f of the General Data Protection Regulation).

     

    Express consent for the other purposes, as set out in:

    • The data subject gave their consent to the processing of their personal data for one or more specific purposes (art. 6.1.a of the General Data Protection Regulation)
    • Spanish Organic Law 1/1982, of 5 May, on the civil protection of the right to honour, personal and family privacy and self-image, especially articles 2, 7 and 8 thereof
    • Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.
    Purposes of the processing: Taking photographs and recording images and voice for:

    • Publication of brand promotion activities.
    • Advertising or promotional purposes of the data controller.
    • Publication on the pages and websites of the data controller and assigned to the media.
    • Presence on social networks.
    Group
    • Employees and external staff.
    • Participants in competitions and prize draws organised by the data controller
    • Other persons
    Categories of data
    • Image
    • Voice
    • Name and surname(s)
    • Physical address
    • E-mail address
    • Telephone
    • Link to the data controller
    • Specific reason for the accepted processing
    Target category: The data will be published on the pages and websites of the controller and disclosed to the media, where consent has been obtained from the data subject for such processing or, as the case may be, where it is necessary for the execution of a contract to which the data subject is a party or where the aforementioned legitimate interest of the controller has to be satisfied. In the case of publication on social networks, the terms and conditions of use thereof may apply.
    Data processors: Companies and agencies for content management, editing and delivery of audiovisual material.
    International transfers: No international personal data transfers are envisaged.
    Deletion period: The data will be kept for the time necessary to comply with the purpose for which they were collected and to determine any possible liabilities that may derive from said purpose and from the processing of the data. In all other cases, the processing of personal data will continue until the user withdraws their consent.
    Additional information: No data protection impact assessment is required for this processing, for the data processed and as the data controller executes it, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).

     

     

    1. Employee Portal.

    Provision of vacancies and selection of staff, both employees and external.

     

    Data controller: The data controller is ARAVEN GROUP, and the co-controller is SHOP AND ROLL ESPAÑA.
    Legal basis: The processing is necessary for the execution of a contract to which the data subject is party or for the implementation at their request of pre-contractual measures (art. 6.1.b of the GDPR). Background checks on the data subject will be based on compliance with a legal obligation applicable to the controller (art. 6.1.c of the General Data Protection Regulation).

    The proactive search for candidates and details about them in third-party databases is based on the legitimate interest of discovering them for positions or getting to know them better in order to know whether the position fits their profile (art. 6.1.f of the General Data Protection Regulation).

    Purposes of the processing: Analysis and matching of the professional background of candidates. Analysis of the candidate’s personality when this is decisive for the envisaged tasks (e.g., teaching). The controller will analyse the documents submitted by the candidate, all content that is public and directly accessible through search engines, the profiles held on professional social networks, the data obtained in the entrance tests and the information revealed in the job interview, with the aim of assessing their candidacy and being able, if necessary, to offer them a position. This analysis may be conducted in order to discover and assess candidates you need for certain positions or assignments.
    Group
    • Participants in selection processes.
    • Professionals with public profiles.

    Categories of data
    • Identification data.
    • Postal address.
    • Telephone.
    • Data on personal characteristics: Gender, nationality, age, date and place of birth.
    • Academic and professional data: Qualifications, education and professional experience.
    Target category: Companies at or with which the employee has worked, in order to check the data and verify their veracity.
    Data processors: Selection and Recruitment Companies
    International transfers: No international personal data transfers are envisaged.
    Deletion period: The data will be kept for the time necessary to comply with the purpose for which they were collected and to determine any possible liabilities that may derive from said purpose and from the processing of the data.

    In the event that the candidate is not selected, the controller may keep their CV for a maximum of two years in order to incorporate it in future calls for applications, unless the candidate indicates otherwise or expresses a wish to keep it for a longer period, until the candidate withdraws their consent.

    Additional information: No data protection impact assessment is required for this processing, for the data processed and as the data controller executes it, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).

     

    1. Financial Management. Collection and recovery

    The controller manages payments, collections, recoveries and, where appropriate, any activity related to financial and/or economic activities.

     

    Data controller: The data controller is ARAVEN GROUP, and the co-controller is SHOP AND ROLL ESPAÑA.
    Legal basis: GDPR: art. 6.1.b) Processing necessary for the execution of a contract to which the data subject is party or for the implementation at their request of pre-contractual measures.

    GDPR: art. 6.1.c). Processing necessary for compliance with a legal obligation applicable to the controller.

    GDPR: art.6.1.e). Processing necessary for the fulfilment of a mission carried out in the public interest or in the exercising of public powers conferred on the data controller, in accordance with the applicable regulations:

    • General Spanish Law 58/2002, of 17 December, on Taxation.
    • General Spanish Law 38/1998, of 17 November, on Subsidies.
    • Spanish Law 35/2006, of 28 November, on Personal Income Tax and partially amending the laws on Corporate Income Tax, Non-Resident Income Tax and Wealth Tax.
    • Spanish Law 37/2002, of 28 December, on Value Added Tax.

    Purposes of the processing: Necessary management of personal data in order to make payments, collections, recoveries and, where appropriate, refunds, etc. Registration and verification of data relating to VAT, Personal Income Tax, registrations with the Tax Authorities and Social Security, bank certificates, etc.
    Group
    • Workforce
    • Suppliers
    • Customers.
    Categories of data
    • Name, surname(s).
    • Telephone.
    • Postal and electronic address.
    • ID number.
    • Signature, electronic signature.
    • Economic, financial and insurance data.
    • Bank and business details.
    • Certificates issued by the Public Administration for data subjects.
    Target category
    • Financial institutions.
    • State Tax Administration Agency
    Data processors: Collection and recovery management companies and offices
    International transfers: No international personal data transfers are envisaged.
    Deletion period: The data will be kept for the time necessary to comply with the purpose for which they were collected and to determine any possible liabilities that may derive from said purpose and from the processing of the data. Depending on the case, they may be kept for the periods established in the various applicable standards.
    Additional information: No data protection impact assessment is required for this processing, for the data processed and as the data controller executes it, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).

     

    1. Staff Management.

    Processing activity related to the management of employment contracts for SHOP AND ROLL staff, including the management of training for them and other activities inherent to the employment relationship.

     

    Data controller: ARAVEN GROUP and the co-controller is SHOP AND ROLL ESPAÑA.
    Legal basis: The management of the employment or commercial relationship has the following legal bases:

    • The processing is necessary for the execution of a contract to which the data subject is party or for the implementation at their request of pre-contractual measures (art. 6.1.b of the GDPR)
    • Workers’ Statute
    • Spanish Royal Legislative Decree 1/2013, of 29 November, approving the consolidated text of the Spanish General Law on the rights of persons with disabilities and their social inclusion.
    Purposes of the processing: Management of the employment relationship with the contracted staff:

    • Management of personal files.
    • Timetable control.
    • Control of incompatibilities.
    • Promotion of the training of contracted staff and monitoring of their development.
    • Management of pension plans through a third party.
    • Promotion of the social action.
    • Occupational risk prevention.
    • Disciplinary regime.
    • Management of actions to raise awareness and fight against sexual and gender-based harassment in any form.
    • Productivity and performance analysis through evaluation surveys.
    • Management of trade union activity.

    • Issuance and payment of the payroll, as well as all the products derived from it.
    Group
    • Contracted staff
    Categories of data
    • E-mail address
    • Address
    • ID number
    • Name and Surname(s)
    • Telephone
    • Academic and Professional
    • Social Security/Mutual Benefit Fund No.
    • Certificate of absence of criminal record
    • Personal Characteristics
    • Personal data: disability
    • Bank details for salary payments.
    • Family data.
    • Details of their professional development working for the controller: training received, courses, conferences, etc.

    Target category
    • Public administration with competence in the field
    • Tax Agency
    • Social Security
    • Banking institutions
    • Companies involved in surveys for the preparation of studies or rankings
    • Insurance companies
    • FUNDAE
    Data processors
    International transfers: No international personal data transfers are envisaged.
    Deletion period: The data will be kept for the time necessary to comply with the purpose for which they were collected and to determine any possible liabilities that may derive from said purpose and from the processing of the data. At the end of the contract, the retention periods will be, depending on the type of personal data, in accordance with the applicable regulations.
    Additional information: No data protection impact assessment is required for this processing, for the data processed and as the data controller executes it, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).

     

    1. Suppliers, collaborating companies and commercial and business partners

    The controller hires professionals, suppliers, collaborating companies and commercial and business partners for different actions. To do so, they must contact the professionals or natural persons who perform their activities and/or represent the companies that sell products or provide services to them.

     

    Data controller: The data controller is ARAVEN GROUP, and the co-controller is SHOP AND ROLL ESPAÑA.
    Legal basis: The processing is necessary for the execution of a contract to which the data subject is party or for the implementation at their request of pre-contractual measures (art. 6.1.b of the GDPR). The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and do not override the interests and fundamental rights and freedoms stipulated in (art. 6.1.f of the GDPR).
    Purposes of the processing
    • Registration and management of contact details of suppliers and commercial and business partners.

    • Economic-financial data:  bank details. Management of the commercial relationship.
    • Coordination in the field of Occupational Risk Prevention.
    • Management of actions to raise awareness and fight against sexual and gender-based harassment in any form.
    • History of the business relationship and relationship with the controller.
    • Analysis of quality and acceptance criteria through data obtained from assessment surveys.
    • Performance evaluation through surveys and forms.
    • Payment of invoices for external staff, as well as all products derived from it.
    Group: Service providers or vendors and, if they are legal entities, the physical contact persons.
    Categories of data
    • Identification data
    • Details of the position: entity or body and position held.

    • E-mail address
    • Address
    • Bank account number for processing payments
    • Applicable civil liability insurance
    • Details of current tax and social security payments.
    • Registered office, Tax ID number (for legal entities)
    Target category
    • Financial institutions
    • State Tax Administration Agency
    • Insurance companies
    Data processors: Not envisaged
    International transfers: No international personal data transfers are envisaged.
    Deletion period: The data will be kept for the time necessary to comply with the purpose for which they were collected and to determine any possible liabilities that may derive from said purpose and from the processing of the data.
    Additional information: No data protection impact assessment is required for this processing, for the data processed and as the data controller executes it, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).

     

     

    1. Addressing people’s rights

    Dealing with requests to exercise the rights established in the GDPR.

     

    Data controller: ARAVEN GROUP and the co-controller is SHOP AND ROLL ESPAÑA.
    Legal basis: The processing is necessary for compliance with a legal obligation applicable to the controller (art. 6.1.C of the GDPR). Specifically, in order to receive, manage and respond to requests for the data subject’s rights (Chapter III of the GDPR).
    Purposes of the processing: To receive, manage and respond to requests for the data subject’s rights (Chapter III of the GDPR).
    Group: Any person
    Categories of data
    • Identification data: name and surname(s), ID, address, telephone number, type of relationship with the controller, and signature.
    • Data relating to the corresponding exercise request.
    Target category: No transfers are envisaged.
    Data processors: Not envisaged
    International transfers: No international personal data transfers are envisaged.
    Deletion period: They will be kept for the time necessary to resolve complaints and to determine any possible liabilities that may arise from this purpose and from the processing of the data.
    Additional data: No data protection impact assessment is required for this processing, for the data processed and as the data controller executes it, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).

     

    1. Queries in person, by telephone or electronically. Complaints and/or suggestions.

    Registration and management of queries made to Group companies regarding the activities of the entities.

     

    Data controller: ARAVEN GROUP and the co-controller is SHOP AND ROLL ESPAÑA.
    Legal basis: The data subject gave their consent to the processing of their personal data for one or more specific purposes (art. 6.1.a GDPR).
    Purposes of the processing: Registration and management of queries about the controller’s activities.
    Group: Any person
    Categories of data
    • Identification data: name, surname(s), address, e-mail address and telephone number.
    • Data that can be incorporated into the query.
    Target category: Not envisaged.
    Data processors: Not envisaged
    International transfers: No international personal data transfers are envisaged.
    Deletion period: They will be kept for the time necessary to process and respond to the query and to determine any possible liabilities that may arise from this purpose and from the processing of the data.
    Additional data: No data protection impact assessment is required for this processing, for the data processed and as the data controller executes it, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).

     

    1. Physical security at the facilities. Registration and control of access

    To ensure the security of people, goods and installations in physical and electronic spaces.

    Registration and control of visits for the sole purpose of guaranteeing security.

    Data controller: SHOP AND ROLL ESPAÑA.
    Legal basis: The processing is necessary for the fulfilment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller (art. 6.1.e of the GDPR).

    Processing necessary for reasons of essential public interest as determined by law (art. 9.2.g of the GDPR).

    Purposes of the processing: The purpose of both physical security and registration and control of access is to guarantee the security of people, goods and installations in physical and electronic spaces.
    Group: Any natural person who visits the facilities or activities of the controller:
    • Workers
    • Accompanying persons
    • Guests
    • Suppliers
    • Customers
    Categories of data:
    • Identification data: name and surname(s), ID number, physical and e-mail address, telephone number.
    • Professional data: company and position.
    • Reason for the visit.
    Target category:
    • State Security Forces and Corps.
    • Public Prosecutor’s Office.
    • Judicial Bodies.
    Data processors: Not envisaged
    International transfers: No international personal data transfers are envisaged.
    Deletion period: Maximum 30 days from the date of collection.
    Additional information: No data protection impact assessment is required for this processing, given the data processed and the way the data controller carries it out, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).

    1. Logical security

    The data controller analyses the browsing behaviour of users through the website and the different social profiles in order to prevent and block logical attacks.

    Data controller: ARAVEN GROUP; the co-controller is SHOP AND ROLL ESPAÑA.
    Legal basis: The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, and these do not override the interests and fundamental rights and freedoms stipulated in art. 6.1.f of the GDPR. In particular, these legitimate interests consist of preventing unauthorised access to or destruction or alteration of the data and systems, as well as preventing access to the data and systems from being blocked or other unauthorised processing by third parties.
    Purposes of the processing: To analyse:
    • the browsing behaviour of users through the website and the different social profiles in order to prevent and block logical attacks.
    • the content and attachments of both content hosting services and e-mail services.

    In both cases, part of the processing is carried out by the data controller directly or on its behalf. However, most of the processing is carried out by third parties contracted to provide the service, who process data for this purpose but determine the purposes and means according to their own criteria.

    Group: Users accessing websites or social profiles managed by the controller.
    Categories of data:
    • IP addresses.
    • Browser user agent string.
    Target category: Not envisaged. If applicable, Courts and Tribunals and State Security Forces and Corps.
    Data processors: Forensic and information security management companies.
    International transfers: International transfers are envisaged to the data processors or recipients of transfers indicated: Google LLC (United States).
    Deletion period: The data are kept for as long as necessary to fulfil the purpose of the processing.
    Additional information: No data protection impact assessment is required for this processing, given the data processed and the way the data controller carries it out, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).

    1. Video surveillance

    Video surveillance of the perimeter and accesses to the facilities or premises in order to guarantee the security of persons, goods and installations in the buildings.

    Data controller: SHOP AND ROLL ESPAÑA.
    Legal basis: Processing necessary for the fulfilment of a mission carried out in the public interest or in the exercise of public powers (art. 6.1.e of the GDPR).

    Processing necessary for reasons of essential public interest as determined by law (art. 9.2.g of the GDPR). Spanish Law 5/2014, of 4 April, on Private Security.

    Purposes of the processing: To ensure the security of people, goods and installations. Compliance with employment and/or contractual obligations.
    Group: Natural persons who visit the facilities of any of the Group’s companies.
    Categories of data:
    • Image and/or photograph.
    Target category:
    • State Security Forces and Corps.
    • Judicial Bodies.
    • Public Prosecutor’s Office.
    Data processors: Security Companies
    International transfers: No international personal data transfers are envisaged.
    Deletion period: Within 30 days of their collection.
    Additional information: No data protection impact assessment is required for this processing, given the data processed and the way the data controller carries it out, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).

    1. Whistleblowing Channel

    Implementation of and access to a Whistleblowing Channel in accordance with the applicable regulations.

    Data controller: The data controller is ARAVEN GROUP, and the co-controller is SHOP AND ROLL ESPAÑA.
    Legal basis: Processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6.1.f GDPR) and, where applicable, for compliance with a legal obligation applicable to the controller (art. 6.1.c GDPR).
    Purposes of the processing: Management of a whistleblowing channel, in accordance with the provisions of the Internal Policy and Manuals on Regulatory Compliance and Avoidance of Criminal Risks for ARAVEN GROUP.
    Group:
    • Employees
    • Collaborators
    • Persons affected in Suppliers/Customers.
    • Managers of the entities.
    • Other
    Categories of data:
    • Identification data: ID number, name and surname(s), postal address, e-mail address and telephone number. (In the case of anonymous reports, this data may be collected during the internal investigation.)
    • Other personal data contained in the reports or obtained during the investigation.
    Target category:
    • Spanish Data Protection Agency in inspection processes in application of Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.
    • State Security Forces and Corps, with prior judicial authorisation and in the exercise of their judicial police functions.
    • Judges and courts under the terms defined by procedural legislation.

    In these cases, before making the data available to third parties, the controller ensures that these authorities request and access the data in accordance with the law.

    Data processors: Not envisaged
    International transfers: No international personal data transfers are envisaged.
    Deletion period: The data will be kept for the time necessary to deal with and manage the reports and to conduct the necessary investigations. The data are also kept for the purpose of making or carrying out the necessary decisions in relation to each report, in compliance with the corresponding legal obligations.

    The information will be kept duly blocked for the additional periods necessary for the limitation of possible legal liabilities.

    Additional information: The technical, organisational and operational data security and data protection measures are applied in accordance with Directive (EU) 2019/1937.

    1. International Relations.

    Processing carried out in the event of activities performed outside Spain.

    Data controller: ARAVEN GROUP; the co-controller is SHOP AND ROLL ESPAÑA.
    Legal basis: The processing is necessary for the execution of a contract to which the data subject is party or for the implementation at their request of pre-contractual measures (art. 6.1.b GDPR).

    In specific cases, the data subject gave their consent to the processing of their personal data for one or more specific purposes (art. 6.1.a GDPR).

    Purposes of the processing: Management, administration and control of activities performed in other countries, whether in the EU or elsewhere, as well as in other international organisations.
    Group:
    • Employees of the Group’s companies.
    Categories of data:
    • Identification data: name, surname(s), postal address and e-mail address.
    • Economic-financial data: bank details.
    Data processors: Travel agencies and companies that organise transfers and obtain visas.
    International transfers: International data transfers are envisaged in the cases set forth in article 49.1 of the GDPR:

    (a) the data subject has explicitly consented to the proposed transfer, having been informed of the possible risks to them of such transfers due to the absence of an adequacy finding and appropriate guarantees;

    (b) the transfer is necessary for the execution of a contract between the data subject and the controller or for the execution of pre-contractual measures taken at the request of the data subject.

    Deletion period: The data will be kept for the duration of the legal relationship between the data subject and ARAVEN.
    Additional information: No data protection impact assessment is required for this processing, given the data processed and the way the data controller carries it out, in accordance with the provisions of article 35 of the GDPR and article 28 of the Spanish Organic Data Protection Law (LOPD).
