We at ARPA understand that the use of your personal data requires your trust. We are bound to the highest standards of privacy and will only use your personal data for clearly identified purposes and in accordance with your data protection rights.
The confidentiality and integrity of your personal data is one of our main concerns.
1. GENERAL TERMS
1.1. COLLECTION AND PROCESSING OF USER DATA
The personal data collected and processed consists of information relating to name, email, address, although other personal data may be collected that may be necessary or convenient for the provision of services by ARPA.
After collecting the personal data, ARPA provides the User with detailed information on the nature of the data collected and on the purpose and treatment that will be carried out in relation to the personal data.
ARPA also collects and processes information on the device characteristics of its hardware and browser/software features, as well as information on the pages visited by the User within the website. This information may include your browser type, domain name, access times and the links through which you have accessed the site (“usability information”). We use this information only to improve the quality of your visit to our site.
1.2. SUBCONTRACTED ENTITIES
These subcontracted entities may not transmit User Data to other entities without ARPA’s prior written authorisation.
ARPA undertakes to subcontract only entities that offer maximum security in the execution of the appropriate technical and organisational measures, in order to guarantee the defence of user rights. All entities subcontracted by ARPA are bound to the latter by a written contract in which the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the parties are regulated.
After collecting the personal data, ARPA provides the User with information on the categories of subcontracted entities that, in the specific case, may carry out data processing on behalf of ARPA.
1.3. CHANNELS OF DATA COLLECTION
ARPA may collect data directly (i.e., directly from the User) or indirectly (i.e., through partner entities or third parties). The collection can be done through the following channels:
- Direct collection: in person, by telephone, by e-mail and through the website;
- Indirect collection: through partners or group companies and official entities.
2. GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF USER DATA
In terms of general principles regarding the processing of personal data, the ARPA undertakes to ensure that the User Data it processes are:
- Object of processing in accordance with the law, fair and transparent in relation to the User;
- Collected for specified, objective and legitimate purposes and not further processed in a manner contrary to those purposes;
- Adequate, justified and limited to what is necessary in relation to the purposes for which they are treated;
- Accurate and updated where necessary, with all necessary measures being taken to ensure that data which are inaccurate, having regard to the purposes for which they are processed, are erased or corrected without delay;
- Kept in a form which permits identification of the user for no longer than is necessary for the purposes for which the data are processed;
- Processed in a manner which ensures its security, including protection against unauthorised or unlawful processing and against loss, destruction or unforeseen damage, with appropriate technical or organisational measures being taken;
- Data processing by ARPA is allowed and legal when at least one of the following situations occurs:
- The User has given, without any doubt, his/her consent to the processing of the User Data for one or more specific purposes;
- Processing is necessary for the conclusion of a contract to which the User is a party, or for pre-contractual procedures at the request of the User;
- Processing is necessary for the fulfilment of a legal obligation to which ARPA is subject;
- Processing is necessary for the defence of the fundamental interests of the User or another individual;
- Processing is necessary for the purposes of the legal interests pursued by ARPA or third parties (except where the interests or fundamental rights and freedoms of the User that require the protection of personal data prevail).
ARPA undertakes to ensure that User Data is only processed under the above-mentioned conditions and with respect for the above-mentioned principles.
Where User Data is processed by ARPA on the basis of the User’s consent, the User has the right to withdraw his/her consent at any time. Withdrawal of consent, however, shall not compromise the lawfulness of processing carried out by ARPA on the basis of consent previously given by the User.
The period of time for which data is stored and conserved varies according to the purpose for which the information is processed.
Indeed, there are legal requirements that require data to be kept for a minimum period of time. Therefore, and where there is no specific legal obligation, data will be stored and retained only for the minimum period necessary for the purposes for which they were collected or further processed, and at the end of which they will be deleted.
3. USE AND PURPOSES OF USER DATA PROCESSING
In general terms, ARPA uses the User Data for the following purposes:
- User contact management;
- Informing Users, who have requested it, of new products and services made available on the site, special offers and campaigns, up-to-date information on ARPA’s activity. And, in general, for ARPA marketing purposes and through any means of communication, including electronic support;
- Allow access to restricted areas of the Website, in accordance with previously established terms;
- Ensuring that the Site meets the needs of the User, by developing and publishing content as adapted as possible to the requests and type of User, by improving the search capabilities and functionalities of the Site and by obtaining associated or statistical information regarding the type of User profile (analysis of consumption profiles);
- Provision of Services, and other services, such as newsletters, opinion surveys, or other information or products requested or purchased by the User;
- Sending satisfaction questionnaires;
- ARPA may combine Usability Information with anonymous demographic information for research purposes, and may use the result of such combination to provide more relevant content on the Site. In certain restricted areas of the Site, ARPA may combine Personal Data with Usability Information to provide the User with more personalized content.
User Data collected by ARPA is not shared with third parties without the User’s consent, with the exception of the situations referred to in the following paragraph. However, in the event that the User contracts services with ARPA that are provided by other entities responsible for processing personal data, the User Data may be consulted or accessed by these entities, to the extent that this is necessary for the provision of the said services and the User shall be informed thereof.
4. TECHNICAL, ORGANISATIONAL AND SECURITY MEASURES IMPLEMENTED
To ensure the security of User Data and the maximum confidentiality, ARPA treats the information you provide us in an absolutely confidential manner, in accordance with its internal security and confidentiality policies and procedures, which are periodically updated according to needs, as well as the terms and conditions legally established.
Depending on the nature, scope, context and purposes of the data processing, as well as the risks arising from the processing for the rights and freedoms of the User, ARPA undertakes to apply, both at the time of defining the means of processing and at the time of processing itself, the necessary and appropriate technical and organisational measures for the protection of User Data and compliance with legal requirements.
It also undertakes to ensure that, by default, only data that is necessary for each specific purpose of processing is processed and that such data are not made available without human intervention to an indeterminate number of persons.
Communication between the user’s device and ARPA is carried out through secure channels and communications using the HTTPS protocol and the SSL security standard.
Nevertheless, in terms of general measures, ARPA adopts the following:
- Regular audits to identify the competence of the technical and organizational measures implemented;
- Awareness raising and training of personnel involved in data processing operations;
- Pseudonymisation and codification of personal data;
- Mechanisms capable of ensuring the permanent confidentiality, availability and resilience of information systems;
- Mechanisms to ensure the re-establishment of information systems and access to personal data in a timely manner in the event of a physical or technical incident.
5. TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION
The Site does not transfer your personal data to recipients in countries outside the European Union.
When you visit our site, a small text file (Cookie) is created and saved on your computer disk, therefore, by browsing the Site you are accepting the installation of this text file on your device. This file will allow you to easily and quickly access the Site, as well as customize it according to your preferences.
By browsing our Site you are allowing the collection and storage of small text files called cookies, which contain information and are downloaded to your computer or other devices through a server. These text files will allow a more personalized and efficient browsing experience. Each time you visit the Site, your Internet browser sends these cookies back to the Site, allowing you to recognize and memorize the identity of Users and their preferences for use.
7. RIGHTS OF USERS (DATA SUBJECTS)
7.1. RIGHT TO INFORMATION
7.1.1 Information provided to the User by ARPA (when data is collected directly from the User):
- The identity and contacts of ARPA and the controller;
- The contacts of the Data Protection Officer;
- The purposes of the processing for which the personal data is intended, as well as, if applicable, the legal reasons for the processing;
- If the processing of the data is based on legitimate interests of ARPA or of a third party, indication of such interests;
- If applicable, the recipients or categories of recipients of the personal data;
- If applicable, an indication of whether personal data will be transferred to a third country or to an international organisation, and whether there is an adequacy finding adopted by the Commission or reference to appropriate or adequate transfer safeguards;
- The storage period of the personal data;
- The right to request ARPA to allow personal data, as well as their correction, deletion or limitation, the right to object to the processing and the right to accessibility of the data;
- If the processing of the data is based on the consent of the User, the right to withdraw it at any time, without compromising the legality of the processing carried out on the basis of the consent previously given;
- The right to lodge a complaint with the CNPD or other supervisory authority;
- Indication of whether or not the disclosure of personal data constitutes a legal or contractual obligation, or a necessary requirement for entering into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of not providing such data;
- Where applicable, the existence of automatic decisions including profiling and information concerning the basic concept as well as the scale and expected consequences of such processing for the data subject.
In the event that the User Data are not collected directly by ARPA from the User, in addition to the information referred to above, the User shall also be informed of the categories of personal data being processed and of the origin of the data and, where applicable, whether they are from publicly available sources.
Should ARPA wish to further process the User Data for a purpose other than that for which the data was collected, prior to such processing, ARPA shall provide the User with information on that purpose and any other information of interest, as referred to above.
7.2 Procedures and measures implemented to comply with the right to information.
The information referred to in 7.1 shall be provided in writing (including by electronic means) by ARPA to the User prior to the processing of the personal data in question. Under the terms of the applicable law, ARPA is not obliged to provide the User with the information mentioned in 7.1 when and to the extent that the User is already aware of it.
The information is provided by ARPA at no cost.
8. RIGHT OF ACCESS TO PERSONAL DATA
ARPA guarantees the means for the User to consult his/her Personal Data. The User has the right to obtain confirmation from ARPA as to whether or not personal data concerning them is being processed and, if so, the right to access their personal data and the following information:
- The purposes for which the data is processed;
- The categories of personal data in question;
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients established in third countries or belonging to international organisations;
- The storage period of the personal data;
- The right to request ARPA to correct, delete or limit the processing of personal data, or the right to prevent such processing;
- The right to lodge a complaint with the CNPD or other supervisory authority;
- If the data have not been collected from the User, the information available on the origin of such data;
- The existence of automated decisions, including profiling, and information concerning the underlying logic, as well as the importance and expected consequences of such processing for the data subject;
- The right to be informed of the appropriate safeguards associated with the transfer of data to third countries or international organisations.
Upon request, ARPA shall provide the User, free of charge, with a copy of the User Data being processed. The provision of other copies requested by the User may entail administrative costs.
9. RIGHT TO RECTIFY PERSONAL DATA
The User has the right to request, at any time, the rectification of his/her Personal Data, as well as the right to have his/her incomplete personal data completed, including by means of an additional declaration.
In the event of the rectification of the data, ARPA shall notify each recipient to whom the data has been transmitted of the respective rectification, unless such communication is considered impossible or involves a disproportionate effort for ARPA.
10. RIGHT TO THE ERASURE OF PERSONAL DATA (“RIGHT TO BE FORGOTTEN”)
The User has the right to have his/her data deleted by ARPA when one of the following reasons applies:
- User Data is no longer required for the purpose for which it was collected or processed;
- The User withdraws the consent on which the data processing is based and there is no other legal basis for such processing;
- The user opposes the processing under the right to object and there are no overriding legitimate interests justifying the processing;
- If the User Data are processed unlawfully;
- If the User Data must be erased in order to fulfil a legal obligation to which ARPA is subject;
- Under the applicable legal terms, ARPA is not under any obligation to erase User Data to the extent that the processing proves necessary for the fulfilment of a legal obligation to which ARPA is subject or for the purpose of asserting, exercising or defending a right of ARPA in legal proceedings.
In the event of the deletion of data, ARPA shall communicate to each recipient/entity to whom the data have been transmitted their deletion, unless such communication proves impossible or involves a disproportionate effort for ARPA.
When ARPA has made User Data publicly available and is obliged to delete them under the right to such deletion, ARPA undertakes to ensure that reasonable measures, including technical measures, taking into account the technology available and the costs of its implementation, are taken to inform those responsible for the actual processing of the personal data that the User has requested them to delete links to such personal data as well as copies or reproductions thereof.
11. RIGHT TO LIMITATION OF PROCESSING OF PERSONAL DATA
The User has the right to obtain from ARPA the limitation of the processing of the User Data if one of the following situations applies (the limitation consists of inserting a mark in the personal data stored with the aim of limiting their processing in the future):
- If you contest the accuracy of the personal data, for a period that allows ARPA to verify its accuracy;
- If the processing is unlawful and the User opposes the erasure of the data, requesting instead the limitation of its use;
- If ARPA no longer needs the User Data for the purposes of processing, but such data is requested by the User for the purposes of declaration, exercise or defence of a right in a legal proceeding;
- If the User has objected to the processing until it is established that ARPA’s legitimate reasons prevail over those of the User.
Where User Data are subject to limitation, they may, with the exception of storage, only be processed with the consent of the User or for the purposes of asserting, exercising or defending a right in a legal proceeding, of defending the rights of another natural or legal person, or for reasons of public interest legally provided for.
The User who has obtained the limitation of the processing of his/her data in the above cases shall be informed by ARPA before the limitation of processing is lifted.
In the event of a limitation of processing, ARPA shall notify each recipient to whom the data have been transmitted of the limitation unless such notification proves impossible or involves a disproportionate effort on the part of ARPA.
12. RIGHT OF PORTABILITY OF PERSONAL DATA
The User shall have the right to receive personal data concerning him/her that he/she has provided to ARPA, in a structured, commonly used and automatically readable format, and the right to transmit such data to another controller, if so requested:
- The processing is based on consent or a contract to which the User is a party, and;
- The processing is carried out by automated means.
The right of portability does not include inferred data or derived data, i.e. personal data that are generated by ARPA as a consequence or result of the analysis of the data being processed.
The User has the right to have his or her personal data transmitted directly between those responsible for the processing, whenever this is technically possible.
13. RIGHT TO OBJECT TO PROCESSING
The User shall have the right to object at any time, on grounds relating to his/her particular situation, to the processing of personal data concerning him/her based on the exercise of legitimate interests pursued by ARPA, or when the processing is carried out for purposes other than those for which the personal data were collected, including the definition of profiles, or when the personal data are processed for statistical purposes.
ARPA shall finalise the processing of User Data, unless it provides urgent and legitimate reasons for such processing that take precedence over the interests, rights and freedoms of the User, or for the purposes of declaration, exercise or defence of ARPA right in a legal proceeding.
Where User Data are processed for the purposes of direct marketing, the User shall have the right to object at any time to the processing of data concerning him/her for the purposes of such marketing, which shall include profiling insofar as it relates to direct marketing. Should the User object to the processing of his/her data for the purposes of direct marketing, ARPA shall cease processing the data for this purpose.
The User also has the right not to be subject to any decision taken solely on the basis of automated processing, including profiling, that produces effects in his/her legal sphere or significantly affects him/her in a similar way, unless the decision:
- Is necessary for the conclusion or performance of a contract between the User and ARPA;
- Is authorised by legislation to which ARPA is subject, or;
- It is based on the explicit consent of the User.
14. PROCEDURES FOR THE EXERCISE OF RIGHTS BY THE USER
The right of access, the right of rectification, the right of elimination, the right to limitation, the right of portability and the right to object may be exercised by the User by contacting ARPA Data Protection Officer at firstname.lastname@example.org.
ARPA will reply in writing (including by electronic means) to the User’s request within a maximum period of one month from receipt of the request, except in cases of particular complexity, in which this period may be extended to two months.
If the requests made by the user are manifestly unjustified or excessive, in particular due to their repetitive nature, ARPA reserves the right to charge administrative costs or refuse to comply with the request.
15. VIOLATIONS OF PERSONAL DATA
In the event of a data breach and to the extent that such breach is likely to involve a high risk to the rights and freedoms of the User, ARPA undertakes to report the personal data breach to the User concerned within 72 hours of becoming aware of the incident.
In legal terms, communication to the User is not required in the following cases:
If ARPA has applied appropriate protection measures, both technical and organisational, and these measures have been applied to the personal data affected by the personal data breach, especially measures that render the personal data incomprehensible to any person not authorised to access such data, such as encryption;
If ARPA has taken subsequent measures to ensure that the high risk to the rights and freedoms of the User is no longer likely to materialise, or;
If communicating to the User involves a disproportionate effort for ARPA. In such a case, ARPA will make a public communication or take a similar action through which the User will be informed.
16. FINAL PART
17. APPLICABLE LAW AND JURISDICTION