Pirsonal’s Privacy Policy and Data Processing Addendum

DATA CONTROLLER: The company “Pirsonal Digital, S.L.” (hereinafter, “Pirsonal”), with CIF: B-87946588, and located at Calle Alejandro Dumas 17 – Oficinas, 29004 Malaga, Spain., and with contact email: help@Pirsonal.com, informs the users of its Internet portal,  (hereinafter, the “Users” and the “Portal”) about its policy on personal data protection (hereinafter, “Personal Data”) so that Users can freely and voluntarily decide whether they wish to provide Pirsonal with the Personal Data that may be required or obtained from the Users during their visit to the website, submission of resumes, subscription or registration in any of our informational newsletters, request for information about our platform and its functionalities, contracting new services/features/applications/Professional Services, Pirsonal profiles on social networks, activities, and promotions organized through our website.

Pirsonal reserves the right to modify this privacy policy to adapt it to legislative or jurisprudential changes, as well as industry practices. In such cases, Pirsonal will announce the changes introduced on this page with reasonable advance notice before their implementation. Certain functionalities offered on our Platform may contain specific conditions with particular provisions regarding Personal Data protection.

Pirsonal, as the Data Controller of its USERS’ personal data, and other affected/data subjects with whom it maintains a relationship, informs you that these data will be processed in accordance with the provisions of the Regulation (EU) 2016/679 of April 27, 2016 (GDPR) regarding the protection of natural persons with regard to the processing of personal data and the current LOPD-GDD 3/2018 of December 5 (LOPD-GDD) regarding the protection of personal data.

INFORMATION / DATA PROCESSED: Purely identifying data (first name + last name) and contact data if applicable (address, phone number, and email address), data necessary for certain contracts/participations in company web presentations, subscription to our corporate newsletter service, resumes received by email, data provided in webinars or presentation events, data provided on social media profiles owned by Pirsonal, training activities managed by the company.

DATA CONTROLLER:

  • Pirsonal Digital, S.L.
  • Tax Identification Number (CIF): B-87946588
  • Address: Calle Alejandro Dumas 17 – Oficinas, 29004 Malaga, Spain.
  • Contact Email: help@pirsonal.com
  • Designated Data Protection Officer Contact: dpo@pirsonal.com

PURPOSES OF INTENDED PROCESSING:

MAINTENANCE OF THE RELATIONSHIP with Clients/Users, suppliers/partners, website visitors, employees, data processors, control and management of the relationship with employees and external collaborators, enrollments and terminations, management of the existing contractual relationship with collaborators, sponsors, and commercial relationship with suppliers, selection of Pirsonal staff, candidates in selection processes, followers on Pirsonal’s social media, users registered on our Website, participants in activities and events, including the possibility of training actions where Pirsonal manages or participates. In this regard, the planned operations to carry out the processing are:

WHAT PERSONAL DATA WE PROCESS: When filling out our contact form, or through the registration possibilities offered by any of our websites, through phone calls, chat, email, social media channels, and direct messaging tools.

  • Contact Forms and associated landing pages: https://pirsonal.com/contact
  • Digital service contracts and agreements
  • Any Pirsonal app that requires the user log in
  • Chat applications
  • Support forums

Depending on each case, you are allowed to provide, among others, the following personal data:

  • Your name and surname and contact details (address, telephone numbers, and email), and a space for free text.
  • Other contact details and preferences.
  • We also collect your data if you contact us through the Site, chat, direct messaging, social media platforms, or phone.
  • When you visit our website, we will collect your data if you fill out any of our data/contact forms, information request, or subscription to current or future newsletters.
  • When you do business with Pirsonal.
  • If personal data has been provided by users, it must be truthful, and any changes that occur must be notified to Pirsonal, being responsible in any case for the truthfulness and accuracy of the data provided at all times.
  • The interested party who provides their personal data to Pirsonal declares to be of legal age and is entirely responsible for such declaration.

Other processes:

  • SENDING OF ELECTRONIC COMMERCIAL COMMUNICATIONS by email, SMS, WhatsApp, social networks, or any other electronic or physical means, present or future, that enable commercial communications to be made. These communications will be made by the DATA CONTROLLER and related to the services/features provided by our Platform, new applications subject to separate hiring, maintenance and improvements in operation, promotional activities, or those of its collaborators or suppliers with whom it has reached any promotion agreement. In this case, third parties will never have access to personal data.
  • USER REQUESTED ACTIONS: Processing specific requests from our users, doubts, maintenance, or any request that, through the Pirsonal Website, is made by the user/customer through any of the contact forms made available to them, access to videos and presentations organized by/with the participation of Pirsonal.
  • PROCESSING REGISTRATIONS FOR PRESENTATIONS AND PROMOTIONAL ACTIVITIES in which Platform users want to participate. In this case, images or videos made of the participants/attendees individually during the development of the same, and always and when express and unequivocal consent has been obtained, may be published on the entity’s Website, on its social networks, in publications and corporate brochures, notice boards, and any other communication medium owned by the company, for the purpose of promoting such activities or events.
  • DATA STORED DURING YOUR VISIT: When you visit our website, our web servers generally store, among other data, information about the browser and operating system you use, the website from which you visit us, the pages you visit on our website, and the date of your visit. For security reasons – for example, to detect possible attacks on our website – the IP address assigned to you by your Internet service provider is also stored for a period of seven days. With the exception of the IP address, personal data is only stored if you provide us with such information, for example, as part of a registration, survey, request for a quote, user registration, commercial promotion. Pirsonal uses your personal data for the technical administration of the web pages, customer/user management, surveys on the use of our Platform and its features, and for marketing tasks, only to the extent necessary, and always informing the User and data subject beforehand.
  • NEWSLETTER SUBSCRIPTION: In the case of subscribing to any of our informational Newsletters, present or future, as informed, you give your consent to the use of your personal data for the sending of advertising or the performance of other marketing actions, these will be stored and used continuously for such uses, such as sending the aforementioned newsletters about our Platform and its features, through communication channels such as email or any other channel authorized by you. We may use your data to create and keep your user profile updated and thus be able to send you personalized information about advertising actions. Likewise, we can use the data you provide us to analyze and improve the effectiveness of the services of our website, advertising, marketing, market research, and sales activities.
  • SENDING OF CV BY CANDIDATES: In the event of sending a CV to the email of Pirsonal, or through the enabled web form, the applicant authorizes Pirsonal to analyze the documents sent to it, all content that is directly accessible through search engines (Google), profiles maintained on professional social networks, such as LinkedIn or similar, data obtained in access tests and information revealed in job interviews, with the aim of assessing their application and, if applicable, offering them a position. In case the candidate is not selected, Pirsonal may keep their CV stored to include it in future calls, unless the candidate expresses otherwise.

DATA RETENTION CRITERIA: The data provided, in general terms, will be kept as long as there is a mutual interest in maintaining the purpose of the processing and when it is no longer necessary for this purpose, it will be deleted with appropriate security measures to guarantee the pseudonymization of the data or their total destruction.

In view of this general rule, the following possible variations are proposed:

  • (i) Disaggregated Data: will be kept indefinitely,
  • (ii) User, company, and supplier data, etc. Pirsonal: retention period of 4 years (Article 66 and following of the General Tax Law), retention period of 6 years (Article 30 of the Commercial Code regarding accounting books and invoices)
  • (iii) Data provided for subscribing to our newsletter: from when the User gives consent until they withdraw it
  • (iv) Documentation of a labor nature or related to social security: 4 years (Article 21 of Royal Legislative Decree 5/2000, of August 4, which approves the consolidated text of the Law on Infractions and Penalties in the Social Order), (v) data provided by candidates through the submission of their resume: the resume may be kept for a maximum of two years for future selection processes unless the candidate states otherwise
  • (vi) Images obtained by the video surveillance systems installed in Pirsonal’s offices, for security, access control, and internal production control: 30 days, in accordance with the instruction of the AEPD.

DATA COMMUNICATION: Your personal data may be communicated to:

  • Companies, entities, and other organizations contracted for the provision of services, such as: hosting, marketing services, collaborators, related companies, market analysis, and information society services.
  • Partner or sponsoring companies with which Pirsonal has reached a collaboration or sponsorship agreement.
  • Companies or other organizations to which you have requested or accepted that we may share your personal data.
  • For certain internal activities/services of the company, subcontracting to third parties providing specific services is necessary. These subcontractors may be external providers both inside and outside the EU. Pirsonal guarantees that all subcontractors comply with the obligations and requirements assumed by Pirsonal in its Data Access Agreement; specifically, that their level of data protection meets the standard required by relevant data protection laws. If a jurisdiction is outside the EU and not on the European Commission’s approved list of satisfactory data protection levels under the GDPR, a specific agreement is established between Pirsonal and the subcontractor to ensure that all personal data is maintained according to the requirements of the applicable EU data protection laws.
  • The purpose of data communication to the aforementioned companies, which are composed of and integrated with the controller, will be the same as those previously announced, as companies in charge of processing by the controller.
  • Professional service providers, such as lawyers, attorneys, arbitrators, notaries, registrars, or other similar professionals involved in the internal operations of Pirsonal.
  • Public bodies, courts, regulators, and other administrative authorities, when we consider it necessary to comply with a legal or regulatory obligation, or otherwise to protect us from claims against us or third parties, or the safety of individuals, as well as to prevent or otherwise combat fraud or for security or protection reasons.

In such cases, we will ensure that your data is used for appropriate purposes in accordance with this Privacy Policy and the corresponding contracts or clauses for data processing will be signed, applying the same or similar security measures as those applied by Pirsonal.

We may also share your personal data with other affiliated/related companies, or with subsidiaries that provide ancillary services/features, with your consent when required by law, as well as with any third party that buys or to whom we transfer all or a substantial part of our assets and businesses. In the event that such sale or transfer occurs, we will make all reasonable efforts to try to ensure that the entity to which we transfer your personal data uses them in accordance with this Privacy Policy. These entities may act as data controllers, in accordance with their personal data protection policies, or as subcontractors, to perform tasks according to the instructions we give them.

The data will be processed on the legal basis of the explicit consent of the person providing them. This consent can be withdrawn at any time, although this will not affect the legality of the processing carried out previously. Providing the data is voluntary, although, if not provided, they cannot be processed for the indicated purposes. If third-party data is provided through this website, the person providing them assumes the responsibility of having obtained prior consent, informing them of everything provided for in Article 14 of the General Data Protection Regulation.

INTERNATIONAL DATA TRANSFERS:

On July 10, 2023, the European Commission adopted a new adequacy decision to enable international transfers of personal data between entities in the European Union (EU) and the United States (U.S.) under the EU-U.S. Data Privacy Framework. Following the ruling of the Court of Justice of the European Union (CJEU) on July 16, 2020, known as the Schrems II judgment, international transfers of personal data to the U.S. were challenged due to issues identified by the CJEU, related to U.S. surveillance practices and the lack of mechanisms for European citizens to address infringements of their rights.

With this adequacy decision, the European Commission recognizes that the U.S. provides a level of protection equivalent to that of the EU, but only when international transfers occur with entities certified under the new privacy framework, the EU-U.S. Data Privacy Framework.

Therefore, IN ACCORDANCE WITH THE ABOVE, personal data will circulate safely from the European Union to U.S. companies participating in the Framework, without the need for additional data protection guarantees.

Other international transfers to the U.S.: The safeguards adopted and the legislative changes that have occurred in the U.S. will facilitate the use of guarantees such as standard contractual clauses or binding corporate rules.

This does not exclude that an impact analysis will still be necessary for any transfer “Transfer Impact Assessment” carried out outside the EU-U.S. Data Privacy Framework. The adequacy decision ensures that data transmission between the EU and the U.S. is possible through a stable and reliable agreement that protects individuals and provides legal certainty for companies.

LEGAL BASIS FOR INFORMED PROCESSING:

As a general rule, prior to the processing of personal data, Pirsonal obtains express and unequivocal consent from the data subject through the incorporation of informed consent clauses in the different information collection systems, and based on the legitimate interest of the User.

If the consent of the data subject is not required, the legal basis for processing on which Pirsonal relies is the existence of a CONTRACT AS A USER OF OUR PLATFORM, ACCEPTANCE OF OUR TERMS OF USE, INFORMATION REQUESTS / MAINTENANCE TASKS, MAINTENANCE, REGISTRATION/USER SIGN-UP, data collection form of Pirsonal.

Notwithstanding the above, the legal bases are as follows:

  • When processing is necessary for the performance of a contract to which you are a party or the data are necessary in the context of a pre-contractual relationship.
  • When the use of your personal data is necessary for the satisfaction of our legitimate interests or those of the companies with whom we have shared your personal data.
  • When data processing is necessary to comply with the legislation/regulatory requirements of the sector, GDPR and LOPD-GDD regulations, and similar applicable regulations in force at any given time, including those related to the marketing of services by Pirsonal or third parties, consumer and user protection, retail trade regulation, and other applicable regulations.
  • In accordance with the provisions of the applicable Information Society Services (LSSI-CE) regulations, if there is a demonstrable prior relationship, the data may be used to send electronic commercial communications related to that specific activity, unless you object to this in the manner provided for.
  • When we believe it is necessary to process your personal data to comply with a legal or regulatory obligation, or a vital interest.
  • When we have your consent, for example, to collect technical information such as cookie data and similar technologies as described in: “Information on the Use of Cookies”.
  • The acceptance of a contractual relationship in the corresponding social network environment, and according to its Privacy policies in each case, when you visit any of our social profiles (Facebook, Instagram, LinkedIn, and YouTube).

EXERCISE OF GDPR RIGHTS:

Pirsonal provides information on the exercise of rights as a data subject or data owner:

Right of access: you have the right to obtain from the company confirmation as to whether or not personal data concerning you are being processed. Pirsonal, if applicable, will provide a copy of the personal data being processed.

Right of rectification: you have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you will have the right to have incomplete personal data completed, including by means of an additional statement.

Right of erasure: you have the right to obtain without undue delay the deletion of inaccurate personal data concerning you. Pirsonal will be obliged to delete such personal data without undue delay when one of the following circumstances applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. you withdraw the consent on which the processing is based and there is no other legal ground for the processing;
  3. you object to the processing and there are no overriding legitimate grounds for the processing;
  4. your data have been unlawfully processed;
  5. your data must be erased for compliance with a legal obligation;
  6. or if your personal data have been collected in relation to the offer of information society services to children (under the age of 16).

Right to restriction of processing: when the processing of your personal data has been restricted at your request, such data may only be processed, with the exception of storage, with your consent or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest. You have the right to obtain restriction of processing of your personal data when one of the following applies:

  1. When you contest the accuracy of the personal data, for a period enabling Pirsonal to verify the accuracy of the personal data;
  2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  3. Pirsonal no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims;
  4. When you have objected to processing pending the verification whether the legitimate grounds of Pirsonal override yours.

Right to data portability: you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from Pirsonal, where:

  1. the processing is based on your consent, and
  2. the processing is carried out by automated means.

Right to object: you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on public interest or legitimate interests of the controller. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing. If you object to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.

We remind you that whenever the legal basis for the processing of your data is your consent, you have the right to withdraw that consent at any time and in any case, and as easily as you gave it.

You also have the right to lodge a complaint with the respective supervisory authority, usually the Spanish Data Protection Agency. For more information, you can visit their website at the following link www.aepd.es

Finally, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

CONTACT DETAILS TO EXERCISE YOUR RIGHTS: Pirsonal, in accordance with the Regulation (EU) 2016/679 of April 27, 2016 (GDPR), and the recent LOPD-GDD 3/2018 of December 5, has an appointed internal responsible person and a designated Data Protection Officer (DPO) for Data Protection management, whose contact details are provided below:

CONTACT DETAILS TO EXERCISE YOUR RIGHTS:

By postal mail: You can send your request to the following postal address:

  • Address: Calle Alejandro Dumas 17 – Oficinas, 29004 Malaga, Spain.

Online:

  • Email Address: You can submit the document to: dpo@pirsonal.com

In both cases, you must:

  • Provide sufficient data and information to address the request. For this purpose, you may use the form templates provided by the Spanish Data Protection Agency https://www.aepd.es/es/derechos-y-deberes/conoce-tus-derechos
  • Sign the form by hand or, if applicable and if you have a recognized digital certificate, sign it electronically.
  • If acting on behalf of a third party, you must provide a document proving the representation of the data subject.
  • Send the form and documents proving your identity by any of the aforementioned means.
  • Note.- In case of reasonable doubt about the identity of the applicant, the data subject, and/or their representative, a copy of the DNI, Passport, NIE, or equivalent identification document may be required.

ADDITIONAL INFORMATION FOR YOUR REQUEST:

Pirsonal will analyze whether the request is in accordance with the law or not. It will communicate the decision made to the petitioner, proceeding accordingly: if it is favorable, it will take appropriate measures according to the exercised right; if it is unfavorable, it will indicate the legally provided appeal system. In case the requests are manifestly unfounded or excessive (e.g., repetitive), Pirsonal may: (i) Charge a fee proportional to the administrative costs incurred (ii) Refuse to act.

If a user/data subject believes there is a problem with the way Pirsonal is handling their data, they can address their complaints to Pirsonal at the address indicated above, or through the Spanish Control Authority, in this case, the AEPD: www.aepd.es

MANDATORY OR OPTIONAL NATURE OF THE PROVIDED INFORMATION:

The data collected through any of the contact forms enabled on this Website, or even for the provision of information, or those provided by the Users on the occasion of their participation in activities/events developed by Pirsonal, will be incorporated, depending on their purpose, into the Internal Processing Activities Register (Article 30 of the Regulation (EU) 2016/679 of April 27, 2016). The Processing Activities Register is available to the Control Authority.

The Users, by marking the corresponding boxes and entering data in the different fields, marked with an asterisk (*) in the contact form or presented in download/hiring forms, expressly and freely and unequivocally accept that their data are necessary to meet their request, by Pirsonal, with the inclusion of data in the remaining fields being voluntary. The User guarantees that the personal data provided are true and is responsible for communicating any changes to them.

Pirsonal informs and expressly guarantees users that their personal data will not be transferred under any circumstances to third parties and that, whenever it intends to make any transfer of data in the future, it will previously request the express, informed, and unequivocal consent from the Users, informing them about the transferee’s data and the purpose of the transfer. All data requested through the website are mandatory, as they are necessary for providing an optimal service to the User. If all data are not provided, it is not guaranteed that the information and services provided will be completely adapted to their needs.

SECURITY MEASURES:

In accordance with the provisions of the current regulations on personal data protection, and in particular in the Regulation (EU) 2016/679 of April 27, 2016, and the LOPD-GDD 3/2018 for the processing of personal data under its responsibility, and expressly with the principles described in Article 5 of the GDPR, whereby they are processed lawfully, fairly, and transparently in relation to the data subject and are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

In any case, Pirsonal has implemented sufficient mechanisms to:

  1. Ensure the permanent confidentiality, integrity, availability, and resilience of the processing systems and services.
  2. Restore the availability and access to personal data quickly, in case of a physical or technical incident.
  3. Regularly verify, assess, and evaluate the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
  4. Pseudonymize and encrypt personal data, if applicable.

Pirsonal guarantees that it has implemented appropriate technical and organizational policies to apply the security measures established by GDPR 679/2016 and LOPD-GDD 3/2018 to protect the rights and freedoms of Users and has provided them with adequate information so that they can exercise them. Pirsonal has installed all technical means and measures at its disposal to prevent the loss, misuse, alteration, unauthorized access, and theft of Personal Data provided by the owner to Pirsonal. However, the User must be aware that Internet security measures are not impregnable.

Personal data incorporated into the Internal Treatment Activities Register will be treated with the utmost confidentiality and security. The Owner may send commercial information related to NEWS AND UPDATES ABOUT OUR PLATFORM AND ITS FEATURES, in which case, the sender undertakes to indicate its advertising purpose when sending, and to coordinate a simple, clear, and free system in case you wish to stop receiving them.

The Services/features of the Pirsonal Platform contained on the website are exclusively intended for adults. In the event that Pirsonal offers any application, product, or promotional activity, event, contest, or similar, in which the collection of Personal Data of minors may occur, Pirsonal will always request parental consent for minors to access them and their Personal Data may be subject to automated processing as provided in this notice on the Data Protection Policy.

As previously informed, the collection and automated processing of Personal Data are intended to maintain the contractual relationship, if any, established with Pirsonal, the management, administration, AND MAINTENANCE of the User’s Platform account, requests for information that the User decides to raise, registration/contracting of new features, or use the adaptation of such services to the preferences and tastes of Users, the study of the use of services by Users, the design of new applications, features, packages, sending technical information updates, sending, by traditional and electronic means, technical, operational, and commercial information about the Pirsonal Platform.

USE OF PUBLIC PROFILES ON DIFFERENT SOCIAL NETWORKS:

Pirsonal has a profile on the main Internet social networks, being known in all cases as responsible for processing the data of its followers, fans, subscribers, commentators, and other user profiles (hereinafter, followers). The processing that Pirsonal will carry out with this data will be, at most, what the social network allows for corporate profiles.

Pirsonal may inform its followers through any means allowed by the social network about its news, activities, and events. In no case will Pirsonal extract data from social networks unless the user’s consent is obtained expressly and punctually for this purpose. When, due to the nature of social networks themselves, the effective exercise of the follower’s rights depends on the modification of their personal profile, Pirsonal will help and advise them to this end to the best of its ability.

What purposes will we process your personal data for?

  • Respond to your queries, requests, or petitions.
  • Manage the requested service, respond to your request, or process your petition.
  • Interact with you and within a follower community.

Detail of profiles on Social Networks:

Pirsonal PROFILES ON SOCIAL NETWORKS:

  • Pirsonal on LinkedIn: https://www.linkedin.com/company/pirsonal
  • Pirsonal on Facebook: https://www.facebook.com/profile.php?id=100054452952667
  • Pirsonal on Instagram: https://www.instagram.com/pirsonal
  • Pirsonal on “X”: https://x.com/pirsonal
  • Pirsonal on YouTube: https://youtube.com/@pirsonal

What is the legitimacy for the processing of your data?

  • For more information about Facebook, click here
  • For more information about LinkedIn, click here
  • For more information about Instagram, click here
  • For more information about YouTube, click here
  • For more information about “X”, click here

Acceptance of a contractual relationship within the corresponding social network environment, and in accordance with its Privacy policies:

In all cases, Pirsonal is known as responsible for the processing of the data of its followers, fans, subscribers, commentators, and other user profiles (hereinafter, followers). The processing that Pirsonal will carry out with this data will be, at most, what the social network allows for corporate profiles. Therefore, Pirsonal may inform its followers through any means that the social network allows about its news and activities. In no case will Pirsonal extract data from social networks unless the user’s consent for it is obtained punctually and expressly. When, due to the nature of social networks themselves, the effective exercise of the follower’s rights is subject to the modification of their personal profile, Pirsonal will assist and advise them to that end to the extent of its possibilities.

RIGHT TO INFORMATION:

Upon request, Pirsonal will immediately communicate in writing, in accordance with applicable law, whether we have stored any of your personal data, and what these are. If you are registered as a user, we offer you the possibility to personally consult your data and, if necessary, proceed with their deletion, modification, and/or updating.

DESCRIPTION OF MEASURES ADOPTED BY Pirsonal DERIVED FROM THE GDPR:

Our Users/clients and suppliers of Pirsonal are informed that, in accordance with the GDPR and LOPD-GDD regulations applicable to the company’s activities, the measures adopted to achieve an optimal level of compliance are detailed:

  • Develop a record of processing activities in accordance with Article 30 of the GDPR.
  • Identify the legal bases for data processing, in accordance with Articles 6 and 9 of the GDPR.
  • Audit the channels for entering information and internal forms/documents and inform the data subjects about the processing of their data, in accordance with Articles 13 and 14 of the GDPR.
  • Address the rights of data subjects, regarding their rights of access, rectification, erasure, restriction of processing, data portability (Article 20 of the GDPR), objection, and automated decision-making, establishing a direct channel of attention: dpo@Pirsonal.com
  • Audit and request compliance guarantees from the company’s data processors, and sign a data processing agreement in accordance with Article 28 of the GDPR. Pirsonal facilitates the process by making available through our DPO: 1) document of compliance guarantees and detail of the measures adopted, 2) model contract for access to Pirsonal data.
  • Conduct a risk analysis and, if necessary, an impact assessment; to facilitate compliance with these obligations, you can consult the AEPD website: https://www.aepd.es/es/prensa-y-comunicacion/notas-de-prensa/la-aepd-publica-un-modelo-de-informe-para-ayudar-las-empresas.
  • Pirsonal, as a company responsible and committed to regulatory compliance, recommends to its customers, users, and interested parties the subscription to the alerts newsletters of INCIBE (www.incibe.es) OSI (www.osi.es) and CERT (www.incibe-cert.es).

    Links to subscribe to the different portals mentioned will allow you to be aware in advance of possible threats and incidents:

  • Existence of an internal protocol for notifying security breaches; data security breaches to the data protection authorities (Article 33 of the GDPR) and to the data subjects whose data have been compromised (Article 34 of the GDPR). To this end, in the event of any incident that poses a risk to the rights and freedoms of those affected, Pirsonal will notify the CLIENT/User as soon as possible, and will assist them in making such notifications.
  • The company has officially appointed a Data Protection Officer through the register enabled for this purpose at the AEPD (www.aepd.es) in accordance with Articles 37, 38, and 39 of the GDPR. Pirsonal provides the following contact email for the designated DPO for data protection/exercise of rights to CUSTOMERS/users and interested parties: dpo@pirsonal.com
  • Pirsonal, in compliance with current regulations, also informs you of your right to file a complaint/request more information with the supervisory authority (www.aepd.es)

INTERNATIONAL DATA TRANSFERS:

On July 10, 2023, the European Commission adopted a new adequacy decision to enable international transfers of personal data between entities in the European Union (EU) and the United States (US) under the EU-U.S. Data Privacy Framework. Following the Court of Justice of the European Union (CJEU) ruling of July 16, 2020, known as the Schrems II ruling, international transfers of personal data to the US were challenged due to issues identified by the CJEU related to US surveillance practices and the lack of mechanisms for European citizens to address infringements on their rights.

With this adequacy decision, the European Commission recognizes that the US guarantees a level of protection equivalent to that offered by the EU, but only when international transfers occur with entities certified under the new privacy framework, the EU-U.S. Data Privacy Framework.

Therefore, IN ACCORDANCE WITH THE ABOVE, personal data will circulate safely from the European Union to US companies participating in the Framework, without the need to establish additional data protection safeguards.

Other international transfers to the US: Both the safeguards adopted and the legislative changes that have taken place in the US will facilitate the use of safeguards such as standard contractual clauses or binding corporate rules.

This does not exclude that an impact assessment will still be necessary for any transfer “Transfer Impact Assessment” carried out outside the EU-U.S. Data Privacy Framework. The adequacy decision ensures that the transmission of data between the EU and the US is possible through a stable and reliable agreement that protects individuals and provides legal certainty to companies.

Related Regulations:

If you wish to obtain more information about the regulations that protect and establish your rights, we provide you with the regulations that have inspired this privacy policy and are relevant to you:

CONTACT: If you need any clarification regarding this Privacy Policy, have any questions or complaints, or wish to exercise your rights, please contact our Customer/User Service Department, our designated DPO through the data shown below, indicating in the subject line: “Data Protection”

  • Address: Calle Alejandro Dumas 17 – Oficinas, 29004 Malaga, Spain.
  • Email: dpo@pirsonal.com

PIRSONAL’S DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) amends the Agreement between Pirsonal and Customer and sets out the obligations of both parties with respect to the Processing of Customer Personal Data in connection with the Agreement. Unless otherwise defined herein, any capitalized terms shall have the meanings given to them in the Agreement.

  1. DEFINED TERMS. The following terms shall have the following meanings in this DPA:

1.1.“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2.“Agreement” or “Contract” means the underlying agreement or contract between Pirsonal and the Customer for the provision of the Services that references and incorporates this DPA;

​​1.3.“Applicable Data Protection Law” means data privacy and cybersecurity laws to the extent applicable to the relevant party’s Processing of Customer Personal Data;

1.4.“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to Applicable Data Protection Law, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Pirsonal but has not signed its own Agreement or Order Form with Pirsonal and is, therefore, not a “Customer” as defined under this DPA.

1.5.“Customer” or “Client” means the legal entity which has directly entered into the Agreement for Services with Pirsonal or its Affiliates;

1.6.“Customer Personal Data” means the Personal Data that Customer or its Authorized Affiliate provides under the Agreement for Pirsonal to Process on behalf of Customer in connection with the Services. Customer Personal Data does not include information that is (i) deidentified, anonymized, aggregated, publicly available information, or business contact data (unless the Applicable Data Protection Law otherwise considers such information as Personal Data), (ii) Usage Statistics; or (iii) any information that the Applicable Data Protection Law specifically states does not constitute Personal Data;

1.7.“Data Security Addendum” shall mean either (a) Pirsonal’s Information Security System Policy found here https://pirsonal.com/information-security-system-policy/, or (b) if applicable, a negotiated data security addendum that is incorporated into the Agreement by the parties, in each case as it may now or hereafter be amended;

1.8.“Security Breach” shall have the meaning ascribed to it in Pirsonal’s Information Security System Policy;

1.9.“Services” means the products or services provided by Pirsonal to Customer pursuant to the Agreement.

1.10.“Standard Contractual Clauses” means those model clauses approved pursuant to Applicable Data Protection Law that legitimizes the transfer of Personal Data across borders, including the Standard Contractual Clauses approved by the European Commission which can be found here;

1.11.“Subprocessor” means a subcontractor providing Services where such subcontractor Processes Customer Personal Data.

1.12.“Pirsonal” means the named Pirsonal entity that has entered into the Agreement for Services with Customer;

1.13.“Usage Statistics”, “Consulting Services”, “Strategy Consulting”, “Customer Success Plan”  means information that is generated by or on behalf of Pirsonal and that is derived by or through the use of the Services;

1.14.“Controller” also referred to as “Business”, “Processor” also referred to as “Service Provider”, “Data Subject” also referred to as “Consumer”, “Personal Data” also referred to as “Personal Information”, “Process” or “Processing”, and “Sell” or “Selling” (or any of their analogous terms) shall all have the meanings set out in the relevant Applicable Data Protection Law.

  1. PROCESSING OF CUSTOMER PERSONAL DATA AND PARTIES’ OBLIGATIONS

2.1. Compliance with Laws. Each party agrees to comply with its own obligations under Applicable Data Protection Laws.

2.2. Parties’ Obligations. With respect to the Processing of Customer Personal Data in connection with the Services, the parties agree that:

2.2.1. Customer is the Controller of Customer Personal Data and, consequently, Pirsonal is a Processor thereof;

2.2.2. Each party will (i) inform the other if, in its reasonable opinion, an instruction infringes on its own obligations under Applicable Data Protection Law or other laws and (ii) upon reasonable request, provide assistance required under Applicable Data Protection Law with respect to data protection impact assessments, consulting with relevant data protection authorities, and/or making available relevant information necessary to demonstrate compliance with Applicable Data Protection Law;

2.2.3. Without limiting Section 2.1, Customer represents and warrants that it has obtained all consents for and rights to, and has provided all necessary notices to Data Subjects with respect to, the Customer Personal Data as required for the same to be Processed as contemplated by the Agreement; and

2.2.4. Except as required under Applicable Data Protection Law, Customer acknowledges and agrees that Pirsonal is under no duty to independently collect consent from or provide notice to any Data Subjects or to investigate the completeness, accuracy, or sufficiency of any specific Customer instruction or Customer Personal Data.

  1. OBLIGATIONS OF PIRSONAL. Pirsonal will take steps to ensure that:

3.1. Limitations on Processing. It only Processes the Customer Personal Data hereunder in alignment with Customer’s instructions, including those set forth in the Agreement;

3.2. Personnel. Its personnel (including staff, agents, and Subprocessors) who handle Customer Personal Data are subject to a duty of confidentiality;

3.3. Security. It maintains and implements appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized destruction, loss, alteration, disclosure thereof, or access thereto. The parties agree that the security measures set forth on Pirsonal’s Information Security System Policy are in scope and fulfill the obligations of this Section;

3.4. Access Requests. It will provide reasonable cooperation to Customer or a Data Subject to fulfil a Data Subject’s request to access, correct, delete, or cease processing of data. To the extent Pirsonal receives a request, correspondence, enquiry, or complaint from a regulator that directly relates to Customer Personal Data, then (to the extent permissible) it will promptly refer the same to Customer for handling;

3.5. Breach Notification. It will report a Security Breach as required and following Pirsonal’s Information Security System Policy, including that to the extent known, shall provide relevant information and reasonable cooperation so that Customer can fulfil its own obligations as Controller. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users;

3.6. Deletion and Retention. Upon request, it will delete the Customer Personal Data in its (or its Subprocessors’) possession, except to the extent that Pirsonal is required to retain such data by law or its data retention policies (in which case Pirsonal shall isolate and protect such Customer Personal Data from further active Processing except to the extent required by law);

3.7. Subprocessors. It will maintain, where required by Applicable Data Protection Law, an online listing of Pirsonal Subprocessors set forth on its webpages here or in notices provided from time to time; impose written data protection terms on any Subprocessor that are no less restrictive than the terms of this DPA; remain primarily liable for an acts or omissions of its Subprocessor in the same manner as for its own acts or omissions under the Agreement; due to security protocols, Pirsonal does not publicly disclose a list of services utilized for platform storage. Customers can obtain this information through private channels upon request.

3.8. Audits. It will allow for and contribute to audits conducted by Customer, or an external auditor selected by Customer per Pirsonal’s Information Security System Policy. At Customer’s expense and to the extent a more extensive audit is granted by Pirsonal, then the parties agree to negotiate, in good faith, a statement of work that outlines the scope and time frames of the audit.

4. DATA TRANSFERS. Customer (or its agents) or Pirsonal will only transfer (including any onward transfers) Customer Personal Data as permitted by Applicable Data Protection Law. If Applicable Data Protection Law requires the participation of Pirsonal to legitimize the transfer, such as the execution of Standard Contractual Clauses, then Customer shall notify Pirsonal and the parties will cooperate in good faith to implement the required transfer mechanism. If Customer becomes aware of any data localization laws that require Pirsonal, as a Processor to Customer, to keep a primary or the sole copy of the Customer Personal Data in a certain country, Customer shall notify Pirsonal and the parties shall cooperate in good faith to determine how to appropriately comply with such requirements.

5. LANGUAGE. The DPA is executed in English and/or Spanish versions. The Parties agree that in the event of any conflict between the Spanish and English versions, the English version shall prevail. Other documents, such as Pirsonal’s Information Security System Policy, are exclusively available in Spanish. The parties acknowledge that in the case of any discrepancies, the Spanish version will take precedence.

6.GENERAL. All other terms and conditions of the Agreement remain in full force and effect. In the event of any inconsistencies between this DPA and the Agreement, this DPA shall prevail as it relates to the Processing of Customer Personal Data only.