Privacy policy

Identification of the Data Controller

Data Controller: LAS MÉDULAS FOUNDATION

Tax ID: G-24390114

Registered office: Calle de Abajo, S/N – 24442 – Carucedo (León) – Spain

Contact telephone number: +34 987 420 701

Contact email address: informacion@fundacionlasmedulas.info

Information on the Foundation’s Data Protection Officer

The Foundation has a Data Protection Officer, whose main duties are to inform and advise the organisation on its obligations in terms of compliance with data protection regulations and to oversee such compliance. The Data Protection Officer shall also act as a point of contact with the organisation concerning matters regarding the processing of information containing personal data that it carries out in pursuit of its purposes. The contact details for the Officer are:

User information and consent

In accordance with the provisions of the European Data Protection Regulation (EU) 2016/679 and Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights, by accepting this privacy policy through the means provided on the website, users declare their express, free, informed and unequivocal consent for the personal data they may provide to the organisation – through the forms and the means and channels of communication that are made available or enabled on the website – to be incorporated into the files of the organisation.

The Data Controller informs the data subjects that, as prescribed by the applicable regulations in force, the corresponding technical and organisational security measures have been applied to the personal data processing activities carried out by the organisation for its own purposes, which were implemented after conducting the relevant risk analysis.

What personal data are collected?

Through the website we will only collect the identification and contact details pertaining to users and the data that are strictly necessary to be able to manage queries, suggestions, complaints and requests made through the forms and other means or channels of contact that are available on the website, as well as the personal data that are required in order to carry out and manage the procedures in place for users to interact with the organisation, as well as for the management and undertaking of the Foundation’s own purposes and activities.

Under no circumstances will we collect or record – through the website or any means of contact provided – information containing sensitive personal data or specially protected data. The personal data collected will be processed on the lawful basis specifically indicated in the corresponding section of this Privacy Policy.

For what purpose do we process the personal data collected?

The personal data collected by the organisation through the means of contact provided on the website will be processed for specific purposes in each case and in accordance with the following.

Data obtained through the forms and contact channels provided: the website provides means and channels of contact for making enquiries, requests for information or documents, suggestions, claims, complaints and, in general, for contacting the organisation. In this case, the telephone number or email address provided is used to respond to the matter in question and the purpose for which the data is processed is to respond to the requests received and to send the information or documentation requested by the user via the website, whereby only the data that is strictly necessary to respond to the user’s specific request is requested and collected.

Data related to the organisation’s undertakings in the performance of its duties and responsibilities: the website provides means and channels of contact for users to make use of the organisation’s services and which are related to the performance of its duties and responsibilities as a non-profit foundation. In this case, the data will be processed for the purpose of managing the queries made, facilitating and managing the procedures to be carried out with the organisation, enabling the modification of the data provided by users, communicating with users on matters of interest, including announcements of events and acts, and in general for the purpose of managing and carrying out the duties and responsibilities of the Foundation in accordance with what is indicated in the specific applicable regulations and in the organisation’s bylaws.

Data provided for the sending of commercial communications: in this case, the data provided by users will be used to manage the sending of advertising, commercial or promotional communications and information related to the services and activities of the organisation and which users have expressly requested or which they have expressly accepted in advance, as well as in order to facilitate the withdrawal of the consent previously granted, or their objection to the processing of their data for the aforementioned purposes.

Upon the provision of the services offered by the organisation through the website or events, acts or initiatives carried out or convened, personal data may at some time be requested from users via forms or other means or channels of contact, in which case the provisions of this Privacy Policy will always apply by default and in general with regard to the processing of information containing personal data that may be carried out by the Foundation as the Data Controller.

For how long will we keep the personal data that has been collected?

The personal data provided to the Foundation as the organisation responsible for the website will be processed generally for as long as it is needed to respond and attend to the requests made by the data subjects with regard to queries, suggestions, complaints and requests for information and during the specific legal limitation periods applicable in each case once the request has been dealt with or once the data subject requests the deletion of the data, and as long as the deletion of the data is not requested or the previously granted consent is not withdrawn in those cases in which the processing of the users’ data is based on the same, and during the specific legal limitation periods applicable in each case; the indefinite storage of the users’ data for historical and registration purposes may be justified in accordance with the applicable regulations and in the terms referred to in the reports and resolutions of the Spanish Data Protection Agency regarding the possibility of indefinite storage of personal data for this type of purposes. During the specific legal limitation periods applicable in each case, the data will be blocked and made available only to the competent public authorities and administrations, being deleted at the end of said periods.

With regard to information containing personal data associated with contracts, commercial agreements or pacts formalised by the organisation, once the contractual or commercial relationship that may have been formalised has ended, the deletion of the data has been requested, or the previously granted consent has been withdrawn, the specific limitation periods provided for in the applicable legislation shall apply in each case, with a generic period of five years for personal claims without a special period, six years for invoices and the organisation’s accounting records, and ten years in relation to the provisions of the Law for the Prevention of Money Laundering and Terrorist Financing (art.25). During the above-mentioned limitation periods, the data will be blocked and made available only to the competent public authorities and administrations, and at the end of these periods the data will be deleted.

What is the lawful basis that allows us to process the data collected?

The lawful basis that allows us to process the personal data collected via the website with regard to the use of forms or means of contact that may be enabled for making enquiries, claims, sending complaints, suggestions and requests for information or documents, submitting job applications and sending CVs, or contacting the organisation through the means indicated on the website, is based on the express and informed consent of the data subjects or their representative, which is collected and granted in accordance with the conditions indicated in art. 7 of the European Data Protection Regulation, and according to which data subjects have the right to withdraw such consent at any time by using the means of contact indicated on the website.

The organisation informs that the data requested through the forms and/or the means of contact indicated on the website are those that are strictly necessary to deal with the query, claim, complaint, request or specific question put forth by the data subjects, and that data minimisation criteria will be applied by default.

The main lawful basis in the case of user data provided by users through the means and channels of contact indicated on the website and which are related to the undertaking of the organisation’s own purposes will be the fulfilment of legal obligations applicable to the Foundation as Data Controller (art. 6.1 c) GDPR) and that the processing of the data is necessary for the performance of a task carried out in the public interest (art. 6.1. e) GDPR). The lawful basis for the processing of data will be the express and informed consent of users in relation to services and activities that involve the processing of their personal data and that require their authorisation, and mainly in relation to the sending and dissemination of commercial and promotional communications about services and activities that may be of interest to them.

In the case of personal data collected in connection with the formalisation of commercial agreements, contracts or pacts to which the organisation is a party, the lawful basis shall be based on the execution of a commercial agreement or contract between the parties and on the adoption of pre-contractual measures.

In the case of personal data collected as a result of the interaction of users through the official profiles that the organisation may have on social networks and the comments made by said users on those networks in relation to the Foundation’s activities and services, the lawful basis will be based on the express and informed consent of the data subject.
In the case of sending commercial communications to users, the lawful basis for the processing of their data will be based on the express and informed consent of the data subjects, collected and granted in accordance with the conditions indicated in art. 7 of the European Data Protection Regulation, according to which the data subjects have the right to withdraw this previously granted consent at any time.

Quality of the data provided

The organisation advises users that, unless there is a sufficiently accredited legal representation, no user may use the identity of another person and communicate personal data of third parties. Therefore, users of the website must bear in mind that they may only communicate their own personal data and that these should be correct, appropriate, exact, up-to-date and true.

Users shall be liable for any direct or indirect damages caused to third parties or to the organisation resulting from the use of personal data pertaining to another party, or from the use of their own personal data if they are false, erroneous, incorrect, inappropriate or outdated.

Users who provide the organisation with personal data pertaining to third parties must have the informed consent of the third party in accordance with this Privacy Policy, and shall be liable to the organisation and to the third party, exonerating the Foundation from any liability in this regard.

What rights can be exercised by those who provide us with their data?

In accordance with the provisions of the European Data Protection Regulation (EU) 2016/679 and Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights, data subjects have the right to obtain confirmation as to whether or not the Foundation is processing personal data concerning them, as well as to exercise the rights recognised in relation to personal data.

More specifically, data subjects are entitled to:

  • Request access to personal data concerning them.
  • Request the rectification or erasure of their data.
  • Request the cancellation of their data.
  • Request the restriction of data processing.
  • Object to the processing of their data.
  • Request data portability.

In the event that data subjects have given their consent for a specific purpose, they shall have the right to withdraw their previously granted consent at any time, without this affecting the lawfulness of the processing operations carried out on the basis of the consent given prior to its withdrawal.

If data subjects consider that we have not processed their personal data in accordance with the aforementioned benchmark regulations, and if they believe that we have not satisfied their request to exercise their rights, they may contact the Foundation’s Data Protection Officer at info@autranconsultores.com or, if they so wish, they can file a complaint directly with the Spanish Data Protection Agency as the national supervisory authority at its address at Calle Jorge Juan, 6 – 28001 – Madrid, Spain, or via the contact channels indicated on the institution’s website (www.aepd.es), including the online headquarters at https://sedeagpd.gob.es/sede-electronica-web/

In order to exercise all the aforementioned rights, data subjects may use the contact addresses indicated above to request the application form provided by the organisation for this purpose in compliance with its legal obligations. When submitting the form, data subjects must also provide a copy of their ID card or of an equivalent document proving their identity and that of their representative, if applicable. The exercise of one’s rights is free of charge, and the request may be delivered by hand to the staff of the organisation, or sent by post or email to the contact addresses indicated.

The Data Controller informs data subjects that it has established and implemented specific protocols and measures for compliance with the data protection regulations of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) and Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights.

User rights in relation to commercial communications

Users who have expressly and previously authorised the sending of commercial, advertising or promotional communications via email, SMS or any other equivalent or similar electronic means of contact will have the right to object to the processing of their personal data for commercial or promotional purposes, as well as the right to withdraw the consent previously granted for this purpose, by simply notifying the organisation in this regard and sending an email to informacion@fundacionlasmedulas.info

To which recipients could the personal data collected be communicated?

The personal data provided by users of the website will only be processed in general terms by the staff currently hired at any given time and by the authorised members of the organisations that make up the Board of Trustees of the Foundation, who will be required to make a confidentiality commitment and comply with the duty of secrecy with regard to the personal data to which they may have access in the performance of their duties for the organisation.

In general, data will only be transferred to third parties with the express authorisation of the data subjects themselves, in cases of legal obligation, and in the cases provided for in the bylaws of the organisation and related to the undertaking of the Foundation’s own duties, as in the case of transfers of data to Public Authorities and Administrations in the exercise of their powers, to State Security Forces and Corps, and to the Courts and Tribunals.

Data may also be transferred when this is necessary to enable the performance of the organisation’s own services and activities and/or the services contracted from external suppliers, including banks and financial institutions for the management of collections and payments, and suppliers who have the status of data processors, and always in this case within the framework provided for in the data processor contract formalised between the Foundation and the contracted processors. The organisation undertakes in all cases to inform data subjects of the need to make extraordinary transfers of data to third parties in order to manage the undertaking of its own purposes so that data subjects may express their consent to the transfer of data as a prerequisite for this to be carried out.

In the case of international data transfers arising from the organisation’s use of tools, applications, software or service providers, these shall be carried out under the protection of the international conventions in force at any given time, standard contractual clauses and binding corporate rules that ensure that North American and non-EU software companies comply with European data protection policies on privacy, secrecy and data security.

Secrecy and data security

The organisation undertakes to use and process users’ personal data appropriately, respecting their confidentiality, and to use the data in accordance with the specific purposes of said processing, as well as to comply with its obligation to safeguard the data and to adopt all the security measures in place to prevent alteration, loss, unauthorised processing or access, and all in accordance with the provisions of current data protection regulations.

This website features an SSL certificate, a security protocol that ensures data is transmitted securely and without alteration. In other words, the data transmission between the server and the website user, including feedback, is fully encrypted.

The organisation cannot guarantee the absolute impregnability of the Internet network and therefore the violation of data as a result of fraudulent access by third parties.

With regard to the confidentiality of data processing, the organisation shall ensure that any person who is authorised by it to process user data, including staff, members of the organisations that make up the Board of Trustees, and the organisation’s collaborators and suppliers who are considered data processors, are subject to the corresponding obligation of confidentiality, whether legal or contractual.

In the event of a security incident, once the organisation becomes aware of it, it shall notify users without undue delay and provide timely information related to the security incident and in any case upon reasonable request by users.

Accuracy and veracity of the data

Users are solely responsible for the truthfulness and accuracy of the personal data they submit and provide through the website https://visitlasmedulas.com/en/, exonerating the company from any liability in this regard. Users guarantee and are responsible, in any case, for the accuracy, veracity, validity and authenticity of the personal data provided, and undertake to keep them duly updated. Users agree to provide complete and correct information through the contact channels provided on the website.

Changes to the privacy policy

The organisation reserves the right to modify this privacy policy in order to adapt it to new legislation or jurisprudence, as well as to industry practices. In such cases, changes will be announced on the website well in advance of their implementation.

Privacy Policy updated on 19 December 2023

Web project co-financed by:

Las Médulas Foundation collaborators: