Privacy information

Handle the response to the request sent by the person through the channel for contacts and generating potential clients, as well as sending information about EJIE’s business activities.

GDPR: 6.1e) To perform a task carried out in the public interest or in the exercise of an official authority vested in the controller.

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Support for the service subscription
Complaint management
Satisfaction evaluation
Sending information about EJIE’s activities

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1e) To perform a task carried out in the public interest or in the exercise of an official authority vested in the controller.

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Processing of personal data concerning employees of companies applying to become suppliers in accordance with the internal procurement procedures and tendering process. Communication, notifications, and incidents associated with the process above and regarding pre-market consultations

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject

Basque Court of Public Accounts

Administrative Body of Contractual Resources

General Tax Office of the Basque Country

Courts

Anti-fraud Agency

Management of the department of the Basque government or dependent public sector body of the Basque Country autonomous community that is in charge of services or provisioning for EJIE

Management of Basque government services

Management of heritage and procurement for the Basque government

Basque authority for competition - CNMC

Public prosecutor’s office

State law enforcement bodies and forces, anti-fraud control unit

Control auditors (account, quality, public function auditors, among others)

REVASCON - Basque registry of contracts

For persons seeking tenders and who have signed contracts with EJIE, the data is published in:

Procurement platform of the Basque Country - Public sector procurement platform

In regards to contact data for interlocutors collected in the preliminary market consultations, they will not be communicated to recipients.

The management of personal data involves international transfers of such data.

Data will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data, in accordance with law 9/2017 of 8 November for public sector contracts.

Processing personal data of people working in supplier companies that provide services to EJIE, and to process the creation and deletion of user accounts in the system for them in order to maintain control of physical access to the facilities and digital access to the information systems. Coordinating business activities (CBA) in regards to preventing risk in the workplace Managing communications for maintaining the contractual relationship

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.

Identifying and contact data may be communicated to the directorate of the department of the Basque government or corresponding dependent public sector body of the Basque Country autonomous community that may be necessary for the purposes of providing the services.The management of personal data involves international transfers of such data.

It will be kept for the duration of the contractual relationship and, when the relationship has ended, it will be kept for the prescriptive period established by the applicable legal provisions.

Personal data processed for CBA purposes will be kept for five years, based on the workplace risk prevention law.

Processing personal information regarding client government officials and legal representatives of suppliers for managing orders, contracts, and billing.

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.

Álava regional government
Account auditors
Basque Court of Public Accounts

The management of personal data involves international transfers of such data.

Periods in accordance with legislative decree 2/2017 of 19 October by which the revised text of the economic control and accounting law of the Basque Country autonomous community law was approved, and decree 464/1995 that carries it out:

Documents recorded in accounting: Six years from the end of the economic period they are from.

Accounting books: 15 years.

Handling the personal information needed to process the economic and financial activities of the organisation  Accounting management and budget control Managing travel for professional purposes

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.

General Social Security Treasury, Regional Government of Álava
Financial entities stated for every employee to pay salaries
Itzarri,
Account auditors
Basque Court of Public Accounts

The management of personal data involves international transfers of such data.

Documents recorded in accounting: Six years from the end of the economic period they are from.

Accounting books: 15 years Periods in accordance with legislative decree 2/2017 of 19 October by which the revised text of the economic control and accounting law of the Basque Country autonomous community law was approved, and decree 464/1995 that carries it out.

Processing of personal data concerning candidates for the purposes of staff recruitment and the filling of vacancies.

GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes.

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Processing of personal data concerning internal calls for in-house staff to apply for vacant posts in the organisation.

GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes.

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Processing of personal data required for the management of the employment relationship, preparation of payslips, social security and generation of different data; planning and control of hours worked: specifically the start and end of the work day (time-sheet), working days and tasks to be performed; staff training; linguistic profiles; instruction and training processes: monitoring incompatibilities Granting of permits, licences and authorisations. Disciplinary proceedings. Management of internal statistics. Relationship with staff representatives. Management of fixed and mobile telephone calls for professional use and costs incurred.

GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. 

Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in sphere of labour law.

General Social Security Treasury

Job Inspection and Social Security

Álava regional government

Financial entities stated for every employee to pay their salary

Insurance Company

EJIE Company Committee

The management of personal data involves international transfers of such data.

The data will be kept while the contractual relationship is in force and, when it ends, for the periods of time prescribed for responsibilities in legislative royal decree 5/2000 of 4 august, and the other legal provisions that are applicable.

Time-sheets will be kept for four years from the date they are collected.

Processing of personal data relating to the registration and management of social benefits and personal loans applied for and granted to employees to acquire a home or vehicle, or for their own or their children’s studies, medical assistance and to care for disabled or dependent family members, in conformance with article 24 and 27 of the EJIE collective bargaining agreement.

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in sphere of labour law.

Álava regional government

Financial entities stated for every employee to pay the loan

EJIE Company Committee

The management of personal data does not involve the international transfer of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Processing of personal data necessary for financing external language courses for staff in accordance with article 28 of the EJIE collective bargaining agreement

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Financial entities stated for every employee to pay the social assistance. The management of personal data does not involve the international transfer of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Processing of personal data necessary for voluntary training and commitment to learning in the Basque language training plan and the development of linguistic profiles.
Management of training plans offered by the entity for staff.
Registration, management, control and monitoring of participation in training activities organised by EJIE.
Recording of training sessions for internal use and dissemination.

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Personal identification data will be communicated, where appropriate, to entities that manage training grants:
FUNDAE
LANBIDE
HABE

The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recordings of training sessions will be kept for a maximum time of 3 years from the collection date.

Recording of training sessions for internal use and dissemination.

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Personal identification data will be communicated, where appropriate, to entities that manage training grants:
FUNDAE
LANDIBE

The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recordings of training sessions will be kept for a maximum time of 3 years from the collection date.

Processing of personal data necessary for staff performance reviews needed for internal promotions and the training plan.

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to execute and carry out the labour relationship until it ends and to determine potential liabilities that may arise from that purpose and processing the data.

Processing of personal data concerning the prevention of occupational hazards and other protocols related to the workplace, the investigation of accidents and incidents, activation of prevention mechanisms and measures, preparation of assessments, preventive measures and elimination of risks.
Occupational health and safety risk assessment reports.
Records of regular checks on the working conditions of staff.
Records of the implementation of staff health checks (Health Surveillance).
Records of information and training provided to staff on OHS.
Implementation of the occupational risk prevention plan: risk assessment and planning of preventive activities, information and training for workers.
Adoption of health and safety measures.
Permanent monitoring of risk prevention

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.

Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in sphere of labour law.

Awarded company that provides workplace risk prevention services in regards to health monitoring

Mutual insurance companies that collaborate with social security

The management of personal data involves international transfers of such data.

Data shall be kept for a period of 5 years in accordance with the Law on the Prevention of Occupational Risks.

Health data storage period in accordance with the terms established by regulations.

Processing of personal data of employees participating in the health improvement and injury and illness prevention programme.

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Processing personal information related with the communication and investigation of allegedly irregular activities by employees while performing their functions or possible situations of workplace harassment, sexual harassment or gender based harassment.

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

Special categories of data: GDPR: 9.2g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Where appropriate, data shall be disclosed to the Courts and Tribunals, Law Enforcement Agencies or other public administrations authorised to deal with the type of complaint lodged.The management of personal data involves international transfers of such data.

Personal data of the person informing of the situation and of the employees or third parties shall only be kept for the time necessary to process the complaint.

In any case, three months after having informed of the situation and/or concluding the investigation thereof, all data shall be deleted unless disciplinary proceedings against an employee are pending or the purpose of keeping the data is to leave evidence as to the functioning of the method for the prevention of the commission of offences on the part of the legal person. Communications that have not been followed up on will only appear anonymously.

(i) Access control for own and external staff
(ii) Access control for visitors
(iii) Managing the evacuation of the building and internal safety to ensure the protection of company property
(iv) For visitor only: Subscribe the safety directives and confidentiality agreement for visitors and behaviour of visitors in the facilities during emergency situations

(i) and (iv) GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

(ii) and (iii) GDPR: 6.1f) Processing is necessary to meet legitimate interests sought by the controller.

Where appropriate, law enforcement agencies, courts and tribunals will be notified. The management of personal data does not involve the international transfer of such data.

The data collected in the access register, from own and external staff, will be kept for one month from the date of collection, except when they have to be kept to accredit the commission of acts that threaten the integrity of persons, goods or installations.

The visit data collected in the pre-registration form will be kept for 5 years from the date of collection in order to determine the possible responsibilities that may arise from the purposes of data processing. In the event that the visit does not take place, it will be kept for one month from the date of collection.

Monitoring staff who enter internal protected and restricted areas to ensure the protection of company property.

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.

Where appropriate, a photocopy of the ID will be sent to the corresponding directorate of the Basque government to control access to the DPC.

Where appropriate, law enforcement agencies, courts and tribunals will be notified. The management of personal data does not involve the international transfer of such data.

One month from the date of their capture, except when they have to be kept to prove the commission of acts against the integrity of persons, property or installations.

Monitoring staff who have keys to EJIE locations

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. The management of personal data does not involve the international transfer of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Processing of personal data obtained by video surveillance systems to guarantee the security of EJIE's personnel, assets and facilities.

GDPR: 6.1e) Processing is necessary for the controller to perform a task carried out in the public interest.

Where appropriate, law enforcement agencies, courts and tribunals will be notified. The management of personal data does not involve the international transfer of such data.

The images obtained will be kept for a period of one month from the date they are collected, except
when they must be saved to accredit acts committed against the integrity of people, property or facilities.

Processing of personal data relating to public relations concerning transparency in the application of regulations on access to public information.

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

The personal data will be published on the transparency section of the EJIE website.

No other communication of data is foreseen, unless it is required to comply with legal obligations that EJIE S.A. must fulfil.The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Processing personal information regarding people who are members of governing bodies and managing their actions, tenders, and meeting minutes.

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

Notaries
Account auditors

The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Processing personal information associated with legal advice and legal defence tasks Managing legal or administrative proceedings.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with procedural and substantive laws associated with administrative, labour, administrative or criminal claims.

Special categories of data: GDPR: 9.2g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Vice-chancellor of the Legal Regime of the Basque Government. The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Managing rights regarding data protection exercised regarding processing EJIE was responsible for.

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

Basque Data Protection Authority. The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Management, assessment and reporting of data security incidents and breaches.

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

Basque Data Protection Authority
The Centre’s incident response teams National Cryptography (CCN-CERT)
Law enforcement agencies
Cyberzaintza

The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Contact information for people who EJIE staff have relationships with Managing the content of communications, and maintaining commercial or contractual relationships.

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Use of multimedia content for internal use and dissemination.

Images and videos that may contain the name, surname, face (image) and/or voice of employees and third-parties may only be used for internal use and dissemination, i.e., the corporate intranet, internal events and presentations, or other analogous uses.

GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. The management of personal data involves international transfers of such data.

The data will be kept until the interested party expresses their opposition to the processing.

Use of multimedia content for external use and dissemination.

Images and videos that may contain the name, surname, face (image) and/or voice of employees and third-parties may be used for external use, for example the EJIE website, events and presentations, corporate social networks or other analogous uses.

GDPR: 6.1.a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes

In certain cases, the data will be published on the EJIE website, at events and on EJIE social networks. The management of personal data involves international transfers of such data.

Data shall be kept until the data subject withdraws their consent to such processing.

Centralised document management that let users use digital signatures.

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. The management of personal data does not involve the international transfer of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Sending non-commercial communications like, for example, Christmas greetings or bank holiday greetings, among other things. Managing sending invitations and registration for events organised by EJIE, or third-parties, in which EJIE participates

GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.

In certain cases, personal data belonging to entities that promote events EJIE participates in may be communicated.

No other communication of data is foreseen, unless it is required to comply with legal obligations that EJIE S.A. must fulfil. The management of personal data involves international transfers of such data.

The data will be kept until the interested party expresses their opposition to the processing.

Processing personal information regarding the collective of interested parties who participate in drafting specifications and fill out and sign the corresponding appendices in the framework of EU Next Generation project management.

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

Ministry of Taxes and Public Functions, through the MINERVA and CoFFEE-MRR platform

Ministry of Economy, Commerce and Business, through the HRS platform

Bodies of the European Union for the purposes of audits and monitoring government and European funds, when applicable

Personal data regarding internal staff may be communicated to the directorate of services of the department of public governance and self-governance for auditing purposes. The management of personal data involves international transfers of such data.

Documents are kept for five years after the payment of the salary or of the transaction if there was no payment, or for three years in accordance with article 132 of the financial regulations.

Processing of personal data concerning the reporting and investigation of abnormal cases or queries regarding possible breaches of the organisation's internal regulations about the code of conduct and code of ethics of the organisation.

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

Special categories of data: GDPR: 9.2.g) Processing is necessary for reasons of substantial public interest, on the legal basis of the Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

Where appropriate, data shall be disclosed to the Courts and Tribunals, Law Enforcement Agencies or other public administrations authorised to deal with the type of complaint lodged. The management of personal data involves international transfers of such data.

Personal data of the person informing of the situation and of the employees or third parties shall only be kept for the time necessary to process the complaint.

In any case, three months after having informed of the situation and/or concluding the investigation thereof, all data shall be deleted unless disciplinary proceedings against an employee are pending or the purpose of keeping the data is to leave evidence as to the functioning of the method for the prevention of the commission of offences on the part of the legal person. Communications that have not been followed up on will only appear anonymously.

Processing information to manage user creation and deletion in order to maintain logical access control for EJIE information systems and acceptance of the security policies.

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1f) Processing is necessary to meet legitimate interests sought by the controller.

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil. The management of personal data involves international transfers of such data.

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Attention in medical consultation to EJIE personnel.

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

The following data communications are foreseen:

Awarded company providing the health care service: Medicina de Diagnóstico y Control, Intermediación, S.A. (MEDYCSA). The management of personal data does not involve the international transfer of such data

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.