DATA PROTECTION POLICY The Management / Governing Body of Consorcio Cultural Albacete (hereinafter, the data controller) assumes the highest responsibility and commitment to the establishment, implementation and maintenance of this Data Protection Policy, ensuring the continuous improvement of the data controller with the aim of achieving excellence in relation to compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119/1, 04-05-2016), and Spanish legislation on the protection of personal data (Organic Law, specific sectoral legislation and its implementing regulations). The Data Protection Policy of Consorcio Cultural Albacete rests on the principle of proactive responsibility (accountability), according to which the data controller is responsible for complying with the regulatory and case-law framework that governs said Policy and is able to demonstrate this to the competent supervisory authorities. In this regard, the data controller will be guided by the following principles, which must serve all its staff as a guide and frame of reference in the processing of personal data:
- Data protection by design: the data controller shall apply, both when determining the means of processing and at the time of the processing itself, appropriate technical and organizational measures, such as pseudonymisation, designed to effectively implement data protection principles, such as data minimisation, and to integrate the necessary safeguards into the processing.
- Data protection by default: the data controller shall apply appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each of the specific purposes of the processing are processed.
- Data protection throughout the information life cycle: the measures that ensure the protection of personal data shall be applicable throughout the entire life cycle of the information.
- Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and transparently in relation to the data subject.
- Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: personal data shall be accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing of personal data.
- Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by using appropriate technical or organizational measures.
- Information and training: one of the keys to ensuring the protection of personal data is the training and information provided to the staff involved in processing. Throughout the information life cycle, all personnel with access to the data shall be properly trained and informed of their obligations regarding compliance with data protection regulations.
The Data Protection Policy of Consorcio Cultural Albacete is communicated to all staff of the data controller and made available to all interested parties. Consequently, this Data Protection Policy involves all staff of the data controller, who must be aware of it and adopt it as their own, each member being responsible for applying it and verifying the data protection rules applicable to their activity, as well as identifying and contributing improvement opportunities they deem appropriate with the aim of achieving excellence in compliance. This Policy will be reviewed by the Management / Governing Body of v, as many times as deemed necessary, to adapt at all times to the provisions in force on the protection of personal data.
- NAME / COMPANY NAME: Consorcio Cultural Albacete
- CIF / NIF: P5200301I
- ADDRESS: Paseo de la Libertad 5, 02002 Albacete
- TELEPHONE: 967 193 630
- EMAIL ADDRESS: marketing@festivalcircoalbacete.com
- WEBSITE: https://festivalcircoalbacete.com/
In compliance with the General Data Protection Regulation (GDPR), the personal data you send us through any of the forms on the website will be processed under the category “Website users and subscribers”. In this regard, our company undertakes to implement the technical and organizational measures necessary to guarantee the security established in the current legal framework.
- Purpose of data processing
The information provided may be varied: first and last name, email address, postal address, telephone number, IP address…. At the moment this information is provided, the user gives consent for its collection, use, management and storage on https://festivalcircoalbacete.com/ as described in the Privacy Policy and the Legal Notice. You may contact us at any time, in any way. At https://festivalcircoalbacete.com/ we enable different ways of collecting personal information through forms. If you fall into any of the following groups, please consult the corresponding information:
a) Contact from the website or by email.
What data do we collect through the website? We may process data anonymously such as your IP address, duration of your visit to the website, geographic origin, operating system or browser you use, all anonymously. If you provide data in the contact form, you will be identified so that we can contact you if necessary.
- Manage your queries or requests for information
- Audit improvements improvements on the Website, regarding our services to improve our service catalogue.
Acceptance and consent of the data subject: In those cases where a form must be completed and a “click” made on the send button in order to submit a request, doing so necessarily implies that you have been informed and have expressly given your consent to the content of the clause attached to said form or to the acceptance of the privacy policy. All our forms include the * symbol for mandatory data. If you do not provide those fields, or do not check the privacy policy acceptance checkbox, the information cannot be sent.
- b) Contact via subscription or newsletter forms.
What data do we collect through the website? We will store only your email in our database and we will send you emails periodically until you request unsubscribing, or we stop sending emails. You will always have the option to unsubscribe in any communication.
- Manage the requested service and commercial information provided we have your express authorization.
Acceptance and consent of the data subject: In cases where you subscribe, it will be necessary to check a checkbox and click the send button. This will necessarily imply that you have been informed and have expressly given your consent to receive the newsletter. If you do not check the privacy policy acceptance checkbox, the information cannot be sent.
c) Contact through blog comments: for a user to leave comments on your website’s blog posts, the user is required to register in a form where the following personal data are requested: Name, email and website.
d) Contact via file download request form: we request first name, last name and email account to manage registration.
e) Management of communication with customers:
¿What data do we process if you are a customer?
- Data collected through electronic means concerning your request.
- Data necessary for preparing quotations and handling the commercial communications required regarding your request.
- Data to manage the administrative, communication and logistics services carried out by the Controller.
- Billing data and declaration of the appropriate taxes..
- Data to carry out the various corresponding transactions.
f) Management of communication with suppliers
What data do we use as a service provider?
- Data provided by electronic means concerning your request.
- Commercial or event information by electronic means, provided there is express authorization.
- Data to manage the administrative, communication and logistics services carried out by the Controller.
- Billing data necessary for the contractual relationship.
- Data to carry out the corresponding transactions.
- Data for billing and declaration of the appropriate taxes.
The legal basis is the acceptance of a contractual relationship, or failing that your consent when contacting us or offering us your products by any means.
- f) Contacts generated through social networks
What data do we use from social networks?
- Respond to your queries, requests or petitions.
- Manage the requested service, respond to your request, or process your petition.
- Engage with you and create a community of followers.
The acceptance of a contractual relationship within the environment of the relevant social network, and in accordance with its Privacy Policies:
- Facebook: http://www.facebook.com/policy.php?ref=pf
- Instagram: https://help.instagram.com/155833707900388
- Twitter: http://twitter.com/privacy
- Linkedin: http://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv
- Google + : http://www.google.com/intl/es/policies/privacy/
How long will we keep personal data? We can only consult or delete your data in a restricted manner as we have a specific profile. We will process them for as long as you allow us to follow you, be friends or click “like”, “follow” or similar buttons. Any rectification of your data or restriction of information or publications must be made through the configuration of your profile or user on the social network itself. 2.1 Data retention Personal data provided will be kept during the business relationship and will be maintained as long as the user does not request their deletion. We have adopted an optimal level of protection for the Personal Data we handle and have installed all means and technical measures at our disposal according to the state of the art to prevent the loss, misuse, alteration, unauthorized access and theft of Personal Data. 2.2 Disclosure of personal data Under no circumstances will personal data be shared with other companies except in cases strictly necessary to comply with the law or in those for which the users’ express authorization is obtained.
- Legal basis for data processing
Express consent is the legal basis for processing user data, requiring, where appropriate, clicking on the user’s checkboxes. We will request express consent when contacting us or leaving comments on our website. The commercial offer of products or services is also based on consent; however, the withdrawal of such consent does not condition the execution of the subscription. The contracting of products and services is also governed by the terms and conditions of the commercial policy.
- Security and confidentiality
At https://festivalcircoalbacete.com/ we do not transfer, sell or rent our users’ personal data to third parties, now or in the future. Should we need to collaborate with other companies, express consent will be required, explaining the reason. In addition, security standards will always be met to safeguard the data. We guarantee the use and processing of the data in full respect of confidentiality and for the intended purpose, as well as their storage by adopting the necessary measures to prevent alteration, loss, processing or unauthorized access, in accordance with current data protection regulations. However, we cannot guarantee data breaches resulting from fraudulent use by third parties.
- Rights regarding personal data
In the processing of personal data you have the right to the following: To access the personal data relating to the user:
- Request any modification or erasure
- Request that their processing be restricted
- Object to the processing of personal data
- Request data portability
Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal; You may request access to personal data, request the rectification of inaccurate data or, where appropriate, request their erasure when they are no longer necessary for the purposes for which they were collected. In some cases, data subjects may request the restriction of the processing of their personal data. In this way, we will only keep them for the exercise or defence of claims. At Consorcio Cultural Albacete we will stop processing the data when the user expressly objects to such purpose, except in cases where compelling legitimate grounds, or the exercise or defence of possible claims, require it. In addition, you will also have the right to request the portability of personal data. To request any of these rights, you must make a written request to our address, together with a photocopy of your ID document, so that we can identify you. In our entity’s offices we have specific forms to request these rights and we offer our help in completing them. If the user considers that the Regulation has been infringed, they will have the right to judicial protection and to lodge a complaint with the Spanish Data Protection Agency, the competent authority. To learn more about your data protection rights, you can consult the website of the Spanish Data Protection Agency (www.agpd.es). Do we process cookies? If we use cookies other than those that are necessary, you can consult the cookie policy at the corresponding link from the home page of our website. How long are we going to keep your personal data?
- Personal data will be kept for as long as you remain linked with us.
- Once you are no longer linked, the personal data processed for each purpose will be kept for the legally established periods, including the period in which a judge or court may require them in accordance with the statute of limitations for legal actions.
- The data processed will be kept for as long as the aforementioned legal periods do not expire, if there is a legal obligation to retain them, or if there is no such legal period, until the data subject requests their deletion or revokes the consent granted.
- We will keep all information and communications related to your request or the provision of our service, for as long as the guarantees of the products or services last, to handle possible claims.
- For each processing operation or data type, we provide a specific period, which you can consult in the following table:
| File | Document | Retention |
| Clients | Invoices | 10 years |
| Forms and coupons | 15 years | |
| Contracts | 5 years | |
| Human Resources | Payslips, TC1, TC2, etc. | 10 years |
| CVs | Until the end of the selection process, and 1 more year with your consent | |
| Dismissal compensation documents. Contracts. Data of temporary workers. | 4 years | |
| Employee file. | Up to 5 years after leaving. | |
| Maketing | Databases or website visitors. | For as long as the processing lasts. |
| Suppliers | Invoices | 10 years |
| Contracts | 5 years | |
| Access control and video surveillance | Visitor list | 30 days |
| Videos | 3 years destruction | |
| Accounting | Accounting books and documents. Shareholder and board of directors agreements, company bylaws, minutes, board regulations and delegated committees. Financial statements, audit reports Records and documents related to grants | 6 years |
| Tax | Management of the company, rights and obligations relating to the payment of taxes. Management of dividend payments and tax withholdings. | 10 years |
| Information on intra-group transfer pricing | 18 years 8 years for intra-group transactions under pricing agreements | |
| Health and Safety | Workers’ medical records | 5 years |
| Environment | Information on chemical or substantially hazardous substances | 10 years |
| Documents relating to environmental permits while the activity is carried out. | 3 years after the end of the activity 10 years | |
| Records on recycling or waste disposal | 3 years | |
| Grants for clean-up operations must keep documents of rights and obligations, receipts and payments. | 4 years | |
| Accident reports | 5 years | |
| Insurance | Insurance policies | 6 years 2 years 5 years 10 years |
| Purchasing | Record of all deliveries of goods or provision of services, intra-Community acquisitions, imports and exports for VAT purposes. | 5 years |
| Legal | Industrial and Intellectual Property documents. Contracts and agreements. | 5 years |
| Permits, licences, certificates | 6 years from the expiry date of the permit, licence or certificate. 10 years (criminal limitation) | |
| Non-disclosure and non-competition agreements | Always the term of the obligation or of the confidentiality | |
| LOPD | Processing of personal data, if different from the processing notified to the AEPD | 3 years |
| Personal data of employees stored on the networks, computers and communication equipment used by them, access controls and internal management/administration systems | 5 years |
- Consent and acceptance
Thus, the user accepts having been correctly informed about the use and processing of their personal data and the conditions for their protection, giving consent for Consorcio Cultural Albacete to use them under the terms set out in this privacy policy. At https://festivalcircoalbacete.com/ we are opposed to practices considered spam, so we will never send commercial emails that have not been expressly authorized by the user or previously requested, in compliance with Law 34/2002 on Information Society Services and Electronic Commerce. In any form on our website the user is offered the possibility to give express consent to receive our newsletter, regardless of the information previously requested. Therefore, in each of the forms on the website, the user has the possibility to give their express consent to receive the newsletter, regardless of the commercial information specifically requested. In accordance with the LSSICE, we undertake not to send commercial communications unless they are duly identified.
- Changes to the policy
We reserve the right to modify and adapt this privacy policy in order to adapt it to future legislative or case-law developments. Should this occur, we will duly announce the changes in advance so that users are properly informed.
