Privacy information
In conformance with General Data Protection Regulation 2016/679 of the European Parliament and Council of 27 April 2016, the purpose of this Privacy Policy is to notify how EJIE collects, processes and protects the personal data of individuals who interact with EJIE.
Controller:
- EJIE S.A.
- CIF A01022664
- Postal address: Avda. El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
- Phone number: 945 017 300
- Exercise of rights regarding data protection: lopd-ejie@ejie.eus
- Communication of security incidents or personal data breaches: seguridadcorporativa@ejie.eus
Data Protection Officer:
The Data Protection Delegate is the person in charge of ensuring respect for people in the management of their personal information at EJIE and for compliance with data protection regulations. You can contact this figure through the email account dpo@ejie.eus.
The personal data collected comes directly from the information provided by the people the data regards.
The persons who provide their personal data to EJIE guarantee and will vouch for, as required, the accuracy, validity and authenticity of the personal data they provide and agree to keep that data up to date.
Commercial activities with potential clients
Data controller | EJIE, S.A. |
Purpose |
Handle the response to the request sent by the person through the channel for contacts and generating potential clients, as well as sending information about EJIE’s business activities. |
Legitimation |
GDPR: 6.1e) To perform a task carried out in the public interest or in the exercise of an official authority vested in the controller. |
Recipients |
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Client relationship management
Data controller | EJIE, S.A. |
Purpose |
Support for the service subscription |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. GDPR: 6.1e) To perform a task carried out in the public interest or in the exercise of an official authority vested in the controller. |
Recipients |
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Supplier contracting process
Data controller | EJIE, S.A. |
Purpose |
Processing of personal data concerning employees of companies applying to become suppliers in accordance with the internal procurement procedures and tendering process. Communication, notifications, and incidents associated with the process above and regarding pre-market consultations |
Legitimation |
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject |
Recipients |
Basque Court of Public Accounts Administrative Body of Contractual Resources General Tax Office of the Basque Country Courts Anti-fraud Agency Management of the department of the Basque government or dependent public sector body of the Basque Country autonomous community that is in charge of services or provisioning for EJIE Management of Basque government services Management of heritage and procurement for the Basque government Basque authority for competition - CNMC Public prosecutor’s office State law enforcement bodies and forces, anti-fraud control unit Control auditors (account, quality, public function auditors, among others) REVASCON - Basque registry of contracts For persons seeking tenders and who have signed contracts with EJIE, the data is published in: Procurement platform of the Basque Country - Public sector procurement platform In regards to contact data for interlocutors collected in the preliminary market consultations, they will not be communicated to recipients. |
Data storage |
Data will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data, in accordance with law 9/2017 of 8 November for public sector contracts. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Management of personnel belonging to supplier companies
Data controller | EJIE, S.A. |
Purpose |
Processing personal data of people working in supplier companies that provide services to EJIE, and to process the creation and deletion of user accounts in the system for them in order to maintain control of physical access to the facilities and digital access to the information systems. Coordinating business activities (CBA) in regards to preventing risk in the workplace Managing communications for maintaining the contractual relationship |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. |
Recipients |
Identifying and contact data may be communicated to the directorate of the department of the Basque government or corresponding dependent public sector body of the Basque Country autonomous community that may be necessary for the purposes of providing the services. |
Data storage |
It will be kept for the duration of the contractual relationship and, when the relationship has ended, it will be kept for the prescriptive period established by the applicable legal provisions. Personal data processed for CBA purposes will be kept for five years, based on the workplace risk prevention law. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Administrative management of clients and suppliers
Data controller | EJIE, S.A. |
Purpose |
Processing personal information regarding client government officials and legal representatives of suppliers for managing orders, contracts, and billing. |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. |
Recipients |
Álava regional government |
Data storage |
Periods in accordance with legislative decree 2/2017 of 19 October by which the revised text of the economic control and accounting law of the Basque Country autonomous community law was approved, and decree 464/1995 that carries it out: Documents recorded in accounting: Six years from the end of the economic period they are from. Accounting books: 15 years. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Government
Data controller | EJIE, S.A. |
Purpose |
Handling the personal information needed to process the economic and financial activities of the organisation Accounting management and budget control Managing travel for professional purposes |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. |
Recipients |
General Social Security Treasury, Regional Government of Álava |
Data storage |
Documents recorded in accounting: Six years from the end of the economic period they are from. Accounting books: 15 years Periods in accordance with legislative decree 2/2017 of 19 October by which the revised text of the economic control and accounting law of the Basque Country autonomous community law was approved, and decree 464/1995 that carries it out. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
External recruitment processes
Data controller | EJIE, S.A. |
Purpose |
Processing of personal data concerning candidates for the purposes of staff recruitment and the filling of vacancies. |
Legitimation |
GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes. |
Recipients |
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Internal recruitment processes
Data controller | EJIE, S.A. |
Purpose |
Processing of personal data concerning internal calls for in-house staff to apply for vacant posts in the organisation. |
Legitimation |
GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes. |
Recipients |
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Management of Human Resources
Data controller | EJIE, S.A. |
Purpose |
Processing of personal data required for the management of the employment relationship, preparation of payslips, social security and generation of different data; planning and control of hours worked: specifically the start and end of the work day (time-sheet), working days and tasks to be performed; staff training; linguistic profiles; instruction and training processes: monitoring incompatibilities Granting of permits, licences and authorisations. Disciplinary proceedings. Management of internal statistics. Relationship with staff representatives. Management of fixed and mobile telephone calls for professional use and costs incurred. |
Legitimation |
GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in sphere of labour law. |
Recipients |
General Social Security Treasury Job Inspection and Social Security Álava regional government Financial entities stated for every employee to pay their salary Insurance Company EJIE Company Committee |
Data storage |
The data will be kept while the contractual relationship is in force and, when it ends, for the periods of time prescribed for responsibilities in legislative royal decree 5/2000 of 4 august, and the other legal provisions that are applicable. Time-sheets will be kept for four years from the date they are collected. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Managing social benefits and personal loans
Data controller | EJIE, S.A. |
Purpose |
Processing of personal data relating to the registration and management of social benefits and personal loans applied for and granted to employees to acquire a home or vehicle, or for their own or their children’s studies, medical assistance and to care for disabled or dependent family members, in conformance with article 24 and 27 of the EJIE collective bargaining agreement. |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in sphere of labour law. |
Recipients |
Álava regional government Financial entities stated for every employee to pay the loan EJIE Company Committee |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Management of language grants
Data controller | EJIE, S.A. |
Purpose |
Processing of personal data necessary for financing external language courses for staff in accordance with article 28 of the EJIE collective bargaining agreement |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. |
Recipients |
Financial entities stated for every employee to pay the social assistance. |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Training plan management
Data privacy clause for internal staff providing or receiving training:
Data controller | EJIE, S.A. |
Purpose |
Processing of personal data necessary for voluntary training and commitment to learning in the Basque language training plan and the development of linguistic profiles. |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. |
Recipients |
Personal identification data will be communicated, where appropriate, to entities that manage training grants: |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. Recordings of training sessions will be kept for a maximum time of 3 years from the collection date. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Training plan management
Data privacy clause for external teaching staff:
Data controller | EJIE, S.A. |
Purpose |
Recording of training sessions for internal use and dissemination. |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. |
Recipients |
Personal identification data will be communicated, where appropriate, to entities that manage training grants: |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. Recordings of training sessions will be kept for a maximum time of 3 years from the collection date. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Performance review
Data controller | EJIE, S.A. |
Purpose |
Processing of personal data necessary for staff performance reviews needed for internal promotions and the training plan. |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. |
Recipients |
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. |
Data storage |
It will be kept for as long as necessary to execute and carry out the labour relationship until it ends and to determine potential liabilities that may arise from that purpose and processing the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Prevention of occupational hazards
Data controller | EJIE, S.A. |
Purpose |
Processing of personal data concerning the prevention of occupational hazards and other protocols related to the workplace, the investigation of accidents and incidents, activation of prevention mechanisms and measures, preparation of assessments, preventive measures and elimination of risks. |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in sphere of labour law. |
Recipients |
Awarded company that provides workplace risk prevention services in regards to health monitoring Mutual insurance companies that collaborate with social security |
Data storage |
Data shall be kept for a period of 5 years in accordance with the Law on the Prevention of Occupational Risks. Health data storage period in accordance with the terms established by regulations. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Active health programme
Data controller | EJIE, S.A. |
Purpose |
Processing of personal data of employees participating in the health improvement and injury and illness prevention programme. |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. |
Recipients |
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Management of conflict resolution procedures and harassment protocols
Data controller | EJIE, S.A. |
Purpose |
Processing personal information related with the communication and investigation of allegedly irregular activities by employees while performing their functions or possible situations of workplace harassment, sexual harassment or gender based harassment. |
Legitimation |
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. Special categories of data: GDPR: 9.2g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. |
Recipients |
Where appropriate, data shall be disclosed to the Courts and Tribunals, Law Enforcement Agencies or other public administrations authorised to deal with the type of complaint lodged. |
Data storage |
Personal data of the person informing of the situation and of the employees or third parties shall only be kept for the time necessary to process the complaint. In any case, three months after having informed of the situation and/or concluding the investigation thereof, all data shall be deleted unless disciplinary proceedings against an employee are pending or the purpose of keeping the data is to leave evidence as to the functioning of the method for the prevention of the commission of offences on the part of the legal person. Communications that have not been followed up on will only appear anonymously. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Recording and controlling physical access to the buildings
Data controller | EJIE, S.A. |
Purpose |
(i) Access control for own and external staff |
Legitimation |
(i) and (iv) GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. (ii) and (iii) GDPR: 6.1f) Processing is necessary to meet legitimate interests sought by the controller. |
Recipients |
Where appropriate, law enforcement agencies, courts and tribunals will be notified. |
Data storage |
The data collected in the access register, from own and external staff, will be kept for one month from the date of collection, except when they have to be kept to accredit the commission of acts that threaten the integrity of persons, goods or installations. The visit data collected in the prior access registration form will be kept for the time necessary to fulfil the purpose for which they were collected and to determine the possible responsibilities that may arise from this purpose and from the processing of the data. In the event that the visit does not take place, they will be kept for one month from the date on which they were collected. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Recording and controlling physical access to warehouses and the DPC
Data controller | EJIE, S.A. |
Purpose |
Monitoring staff who enter internal protected and restricted areas to ensure the protection of company property. |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller. |
Recipients |
Where appropriate, a photocopy of the ID will be sent to the corresponding directorate of the Basque government to control access to the DPC. Where appropriate, law enforcement agencies, courts and tribunals will be notified. |
Data storage |
One month from the date of their capture, except when they have to be kept to prove the commission of acts against the integrity of persons, property or installations. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Recording and controlling keys to EJIE locations
Data controller | EJIE, S.A. |
Purpose |
Monitoring staff who have keys to EJIE locations |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller. |
Recipients |
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Video surveillance management
Data controller | EJIE, S.A. |
Purpose |
Processing of personal data obtained by video surveillance systems to guarantee the security of EJIE's personnel, assets and facilities. |
Legitimation |
GDPR: 6.1e) Processing is necessary for the controller to perform a task carried out in the public interest. |
Recipients |
Where appropriate, law enforcement agencies, courts and tribunals will be notified. |
Data storage |
The images obtained will be kept for a period of one month from the date they are collected, except |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Transparency
Data controller | EJIE, S.A. |
Purpose |
Processing of personal data relating to public relations concerning transparency in the application of regulations on access to public information. |
Legitimation |
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. |
Recipients |
The personal data will be published on the transparency section of the EJIE website. No other communication of data is foreseen, unless it is required to comply with legal obligations that EJIE S.A. must fulfil. |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Board of Directors
Data controller | EJIE, S.A. |
Purpose |
Processing personal information regarding people who are members of governing bodies and managing their actions, tenders, and meeting minutes. |
Legitimation |
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. |
Recipients |
Notaries |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Legal Advice
Data controller | EJIE, S.A. |
Purpose |
Processing personal information associated with legal advice and legal defence tasks Managing legal or administrative proceedings. |
Legitimation |
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with procedural and substantive laws associated with administrative, labour, administrative or criminal claims. Special categories of data: GDPR: 9.2g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. |
Recipients |
Vice-chancellor of the Legal Regime of the Basque Government |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Exercising rights associated with data protection
Data controller | EJIE, S.A. |
Purpose |
Managing rights regarding data protection exercised regarding processing EJIE was responsible for. |
Legitimation |
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. |
Recipients |
Basque Data Protection Authority |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Management of incidents and security breaches
Data controller | EJIE, S.A. |
Purpose |
Management, assessment and reporting of data security incidents and breaches. |
Legitimation |
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. |
Recipients |
Basque Data Protection Authority |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Contact agenda
Data controller | EJIE, S.A. |
Purpose |
Contact information for people who EJIE staff have relationships with Managing the content of communications, and maintaining commercial or contractual relationships. |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. GDPR: 6.1e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. |
Recipients |
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Common repository of digital media for internal dissemination
Data controller | EJIE, S.A. |
Purpose |
Use of multimedia content for internal use and dissemination. Images and videos that may contain the name, surname, face (image) and/or voice of employees and third-parties may only be used for internal use and dissemination, i.e., the corporate intranet, internal events and presentations, or other analogous uses. |
Legitimation |
GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller. |
Recipients |
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. |
Data storage |
The data will be kept until the interested party expresses their opposition to the processing. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Common repository of digital media for external dissemination
Data controller | EJIE, S.A. |
Purpose |
Use of multimedia content for external use and dissemination. Images and videos that may contain the name, surname, face (image) and/or voice of employees and third-parties may be used for external use, for example the EJIE website, events and presentations, corporate social networks or other analogous uses. |
Legitimation |
GDPR: 6.1.a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes |
Recipients |
In certain cases, the data will be published on the EJIE website, at events and on EJIE social networks. |
Data storage |
Data shall be kept until the data subject withdraws their consent to such processing. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Electronic signature - Izenbox
Data controller | EJIE, S.A. |
Purpose |
Centralised document management that let users use digital signatures. |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. |
Recipients |
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Sending communications
Data controller | EJIE, S.A. |
Purpose |
Sending non-commercial communications like, for example, Christmas greetings or bank holiday greetings, among other things. Managing sending invitations and registration for events organised by EJIE, or third-parties, in which EJIE participates |
Legitimation |
GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller. |
Recipients |
In certain cases, personal data belonging to entities that promote events EJIE participates in may be communicated. No other communication of data is foreseen, unless it is required to comply with legal obligations that EJIE S.A. must fulfil. |
Data storage |
The data will be kept until the interested party expresses their opposition to the processing. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Managing EU Next Generation projects
Data controller | EJIE, S.A. |
Purpose |
Processing personal information regarding the collective of interested parties who participate in drafting specifications and fill out and sign the corresponding appendices in the framework of EU Next Generation project management. |
Legitimation |
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. |
Recipients |
Ministry of Taxes and Public Functions, through the MINERVA and CoFFEE-MRR platform Ministry of Economy, Commerce and Business, through the HRS platform Bodies of the European Union for the purposes of audits and monitoring government and European funds, when applicable Personal data regarding internal staff may be communicated to the directorate of services of the department of public governance and self-governance for auditing purposes. |
Data storage |
Documents are kept for five years after the payment of the salary or of the transaction if there was no payment, or for three years in accordance with article 132 of the financial regulations. |
Rights | You can request access, rectification, deletion, portability, limitation of the processing of personal data or to oppose the processing, as explained in the "Rights of the interested party" section. |
Code of Conduct
Data controller | EJIE, S.A. |
Purpose |
Processing of personal data concerning the reporting and investigation of abnormal cases or queries regarding possible breaches of the organisation's internal regulations about the code of conduct and code of ethics of the organisation. |
Legitimation |
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. Special categories of data: GDPR: 9.2.g) Processing is necessary for reasons of substantial public interest, on the legal basis of the Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject |
Recipients |
Where appropriate, data shall be disclosed to the Courts and Tribunals, Law Enforcement Agencies or other public administrations authorised to deal with the type of complaint lodged. |
Data storage |
Personal data of the person informing of the situation and of the employees or third parties shall only be kept for the time necessary to process the complaint. In any case, three months after having informed of the situation and/or concluding the investigation thereof, all data shall be deleted unless disciplinary proceedings against an employee are pending or the purpose of keeping the data is to leave evidence as to the functioning of the method for the prevention of the commission of offences on the part of the legal person. Communications that have not been followed up on will only appear anonymously. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
Managing access to EJIE systems by staff from supplier companies of convergent entities
Data controller | EJIE, S.A. |
Purpose |
Processing information to manage user creation and deletion in order to maintain logical access control for EJIE information systems and acceptance of the security policies. |
Legitimation |
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party. GDPR: 6.1f) Processing is necessary to meet legitimate interests sought by the controller. |
Recipients |
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. |
Data storage |
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data. |
Rights | You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject". |
EJIE provides interested persons the possibility to exercise the following rights in regards to processing their personal data:
- The right to request access to their personal data
- The right to request rectification of personal data
- The right to request the deletion of personal data
- The right to request the restriction of their processing
- The right to object to the processing
- The right to portability of personal data
- The right to withdraw the consent given
- Right not to be subject to automated individual decisions
Every person has the right to obtain confirmation about whether EJIE processes personal data concerning them. Interested persons may access their personal data and they may request correction of imprecise data or, as may apply, they may request removal of the data when, among other causes, the data is no longer necessary for the purposes it was collected for.
Under certain circumstances, interested persons may request the restriction of the processing of their data, in which event it will only be conserved for exercising or defending against complaints.
Under certain circumstances, and for reasons related with their individual situation, interested persons may object to the processing of their data. In this event, EJIE will cease processing the data, except for compelling reasons or exercising the right to defend against potential complaints.
If consent has been granted for a specific purpose, the interested person has the right to withdraw their consent at any time without effect upon the lawfulness of any processing based on consent prior to withdrawal.
EJIE may be contacted in writing at the address below for that purpose:
- Attention Security Officer
- Avenida del Mediterráneo 14
- 01010 Vitoria-Gasteiz, Spain
or you may send an email to lopd-ejie@ejie.eus
If, after having made a request to exercise your rights, you are not satisfied with the response received, you may file a complaint with the Basque Data Protection Authority via its website www.avpd.euskadi.eus., or a prior complaint with the EJIE Data Protection Officer via the e-mail address dpo@ejie.eus.