Transparency portal

Privacy information

In accordance with General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the purpose of this Privacy Policy is to explain how EJIE collects, processes and protects the personal data of individuals who interact with EJIE.

Controller:

  • EJIE S.A.
  • CIF A01022664
  • Postal address: Avda. El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
  • Phone number: 945 017 300
  • Exercise of rights regarding data protection: lopd-ejie@ejie.eus
  • Communication of security incidents or personal data breaches: seguridadcorporativa@ejie.eus

Data Protection Officer:

The Data Protection Officer is the person in charge of ensuring respect for individuals in the management of their personal information at EJIE and of ensuring compliance with data protection regulations. You can contact the Data Protection Officer by email at dpo@ejie.eus.

The personal data collected comes directly from the information provided by the data subjects themselves.

The persons who provide their personal data to EJIE guarantee and will vouch for, as required, the accuracy, validity and authenticity of the personal data they provide and agree to keep that data up to date.

Commercial activities with potential clients

Data controller EJIE, S.A.
Purpose

Handle the response to the request sent by the person through the channel for contacts and generating potential clients, as well as sending information about EJIE’s business activities.

Legitimation

GDPR: 6.1e) To perform a task carried out in the public interest or in the exercise of an official authority vested in the controller.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Client relationship management

Data controller EJIE, S.A.
Purpose

Support for the service subscription
Complaint management
Satisfaction evaluation
Sending information about EJIE’s activities

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1e) To perform a task carried out in the public interest or in the exercise of an official authority vested in the controller.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 


Supplier contracting process

Data controller EJIE, S.A.
Purpose

Processing of personal data concerning employees of companies applying to become suppliers in accordance with the internal procurement procedures and tendering process. Communication, notifications, and incidents associated with the process above and regarding pre-market consultations

Legitimation

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject

Recipients

Basque Court of Public Accounts

Administrative Body of Contractual Resources

General Tax Office of the Basque Country

Courts

Anti-fraud Agency

Management of the department of the Basque government or dependent public sector body of the Basque Country autonomous community that is in charge of services or provisioning for EJIE

Management of Basque government services

Management of heritage and procurement for the Basque government

Basque authority for competition - CNMC

Public prosecutor’s office

State law enforcement bodies and forces, anti-fraud control unit

Control auditors (account, quality, public function auditors, among others)

REVASCON - Basque registry of contracts

For persons seeking tenders and who have signed contracts with EJIE, the data is published in:

Procurement platform of the Basque Country - Public sector procurement platform

In regards to contact data for interlocutors collected in the preliminary market consultations, they will not be communicated to recipients.

Data storage

Data will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data, in accordance with law 9/2017 of 8 November for public sector contracts.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Management of personnel belonging to supplier companies

Data controller EJIE, S.A.
Purpose

Processing personal data of people working in supplier companies that provide services to EJIE, and processing the creation and deletion of user accounts in the system for them in order to maintain control of physical access to the facilities and digital access to the information systems.
Coordinating business activities (CBA) with regard to preventing risk in the workplace.
Managing communications for maintaining the contractual relationship.

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.

Recipients

Identifying and contact data may be communicated to the directorate of the department of the Basque government or corresponding dependent public sector body of the Basque Country autonomous community that may be necessary for the purposes of providing the services.

Data storage

It will be kept for the duration of the contractual relationship and, when the relationship has ended, it will be kept for the prescriptive period established by the applicable legal provisions.

Personal data processed for CBA purposes will be kept for five years, based on the workplace risk prevention law.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Administrative management of clients and suppliers

Data controller EJIE, S.A.
Purpose

Processing personal information regarding client government officials and legal representatives of suppliers for managing orders, contracts, and billing.

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.

Recipients

Álava regional government
Account auditors
Basque Court of Public Accounts

Data storage

Periods in accordance with legislative decree 2/2017 of 19 October, which approved the revised text of the economic control and accounting law of the Basque Country autonomous community, and decree 464/1995, which implements it:

Documents recorded in accounting: Six years from the end of the economic period they are from.

Accounting books: 15 years.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

  

Government

Data controller EJIE, S.A.
Purpose

Handling the personal information needed to process the economic and financial activities of the organisation.
Accounting management and budget control.
Managing travel for professional purposes.

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.

Recipients

General Social Security Treasury, Regional Government of Álava
Financial entities stated for every employee to pay salaries
Itzarri
Account auditors
Basque Court of Public Accounts

Data storage

Documents recorded in accounting: Six years from the end of the economic period they are from.

Accounting books: 15 years.

Periods in accordance with legislative decree 2/2017 of 19 October, which approved the revised text of the economic control and accounting law of the Basque Country autonomous community, and decree 464/1995, which implements it.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

External recruitment processes

Data controller EJIE, S.A.
Purpose

Processing of personal data concerning candidates for the purposes of staff recruitment and the filling of vacancies.

Legitimation

GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Internal recruitment processes

Data controller EJIE, S.A.
Purpose

Processing of personal data concerning internal calls for in-house staff to apply for vacant posts in the organisation.

Legitimation

GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Management of Human Resources

Data controller EJIE, S.A.
Purpose

Processing of personal data required for the management of the employment relationship, preparation of payslips, social security and generation of different data; planning and control of hours worked: specifically the start and end of the work day (time-sheet), working days and tasks to be performed; staff training; linguistic profiles; instruction and training processes: monitoring incompatibilities. Granting of permits, licences and authorisations. Disciplinary proceedings. Management of internal statistics. Relationship with staff representatives. Management of fixed and mobile telephone calls for professional use and costs incurred.

Legitimation

GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject. 

Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in the sphere of labour law.

Recipients

General Social Security Treasury

Job Inspection and Social Security

Álava regional government

Financial entities stated for every employee to pay their salary

Insurance Company

EJIE Company Committee

Data storage

The data will be kept while the contractual relationship is in force and, when it ends, for the periods of time prescribed for responsibilities in legislative royal decree 5/2000 of 4 August, and the other legal provisions that are applicable.

Time-sheets will be kept for four years from the date they are collected.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Managing social benefits and personal loans

Data controller EJIE, S.A.
Purpose

Processing of personal data relating to the registration and management of social benefits and personal loans applied for and granted to employees to acquire a home or vehicle, or for their own or their children’s studies, medical assistance and to care for disabled or dependent family members, in accordance with articles 24 and 27 of the EJIE collective bargaining agreement.

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in the sphere of labour law.

Recipients

Álava regional government

Financial entities stated for every employee to pay the loan

EJIE Company Committee

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Management of language grants

Data controller EJIE, S.A.
Purpose

Processing of personal data necessary for financing external language courses for staff in accordance with article 28 of the EJIE collective bargaining agreement

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Recipients

Financial entities stated for every employee to pay the social assistance.

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Training plan management

Data privacy clause for internal staff providing or receiving training:

Data controller EJIE, S.A.
Purpose

Processing of personal data necessary for voluntary training and commitment to learning in the Basque language training plan and the development of linguistic profiles.
Management of training plans offered by the entity for staff.
Registration, management, control and monitoring of participation in training activities organised by EJIE.
Recording of training sessions for internal use and dissemination.

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Recipients

Personal identification data will be communicated, where appropriate, to entities that manage training grants:
FUNDAE
LANBIDE
HABE

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recordings of training sessions will be kept for a maximum time of 3 years from the collection date.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Training plan management

Data privacy clause for external teaching staff:

Data controller EJIE, S.A.
Purpose

Recording of training sessions for internal use and dissemination.

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Recipients

Personal identification data will be communicated, where appropriate, to entities that manage training grants:
FUNDAE
LANBIDE

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recordings of training sessions will be kept for a maximum time of 3 years from the collection date.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Performance review

Data controller EJIE, S.A.
Purpose

Processing of personal data necessary for staff performance reviews needed for internal promotions and the training plan.

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

Data storage

It will be kept for as long as necessary to execute and carry out the labour relationship until it ends and to determine potential liabilities that may arise from that purpose and processing the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Prevention of occupational hazards

Data controller EJIE, S.A.
Purpose

Processing of personal data concerning the prevention of occupational hazards and other protocols related to the workplace, the investigation of accidents and incidents, activation of prevention mechanisms and measures, preparation of assessments, preventive measures and elimination of risks.
Occupational health and safety risk assessment reports.
Records of regular checks on the working conditions of staff.
Records of the implementation of staff health checks (Health Surveillance).
Records of information and training provided to staff on OHS.
Implementation of the occupational risk prevention plan: risk assessment and planning of preventive activities, information and training for workers.
Adoption of health and safety measures.
Permanent monitoring of risk prevention

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.

Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in the sphere of labour law.

Recipients

Awarded company that provides workplace risk prevention services in regards to health monitoring

Mutual insurance companies that collaborate with social security

Data storage

Data shall be kept for a period of 5 years in accordance with the Law on the Prevention of Occupational Risks.

Health data storage period in accordance with the terms established by regulations.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Active health programme

Data controller EJIE, S.A.
Purpose

Processing of personal data of employees participating in the health improvement and injury and illness prevention programme.

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Management of conflict resolution procedures and harassment protocols

Data controller EJIE, S.A.
Purpose

Processing personal information related to the communication and investigation of allegedly irregular activities by employees while performing their functions or possible situations of workplace harassment, sexual harassment or gender-based harassment.

Legitimation

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

Special categories of data: GDPR: 9.2g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Recipients

Where appropriate, data shall be disclosed to the Courts and Tribunals, Law Enforcement Agencies or other public administrations authorised to deal with the type of complaint lodged.

Data storage

Personal data of the person informing of the situation and of the employees or third parties shall only be kept for the time necessary to process the complaint.

In any case, three months after having informed of the situation and/or concluding the investigation thereof, all data shall be deleted unless disciplinary proceedings against an employee are pending or the purpose of keeping the data is to leave evidence as to the functioning of the method for the prevention of the commission of offences on the part of the legal person. Communications that have not been followed up on will only appear anonymously.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Recording and controlling physical access to the buildings

Data controller EJIE, S.A.
Purpose

(i) Access control for own and external staff
(ii) Access control for visitors
(iii) Managing the evacuation of the building and internal safety to ensure the protection of company property
(iv) Subscription to the safety directives and confidentiality agreement for visitors, and the behaviour of visitors in the facilities during emergency situations

Legitimation

(i) and (iv) GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

(ii) and (iii) GDPR: 6.1f) Processing is necessary to meet legitimate interests sought by the controller.

Recipients

Where appropriate, law enforcement agencies, courts and tribunals will be notified.

Data storage

The data collected in the access register, from own and external staff, will be kept for one month from the date of collection, except when they have to be kept to accredit the commission of acts that threaten the integrity of persons, goods or installations.

The visit data collected in the prior access registration form will be kept for the time necessary to fulfil the purpose for which they were collected and to determine the possible responsibilities that may arise from this purpose and from the processing of the data. In the event that the visit does not take place, they will be kept for one month from the date on which they were collected.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Recording and controlling physical access to warehouses and the DPC

Data controller EJIE, S.A.
Purpose

Monitoring staff who enter internal protected and restricted areas to ensure the protection of company property.

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.

Recipients

Where appropriate, a photocopy of the ID will be sent to the corresponding directorate of the Basque government to control access to the DPC.

Where appropriate, law enforcement agencies, courts and tribunals will be notified.

Data storage

One month from the date of their capture, except when they have to be kept to prove the commission of acts against the integrity of persons, property or installations.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Recording and controlling keys to EJIE locations

Data controller EJIE, S.A.
Purpose

Monitoring staff who have keys to EJIE locations

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Video surveillance management

Data controller EJIE, S.A.
Purpose

Processing of personal data obtained by video surveillance systems to guarantee the security of EJIE's personnel, assets and facilities.

Legitimation

GDPR: 6.1e) Processing is necessary for the controller to perform a task carried out in the public interest.

Recipients

Where appropriate, law enforcement agencies, courts and tribunals will be notified.

Data storage

The images obtained will be kept for a period of one month from the date they are collected, except when they must be saved to accredit acts committed against the integrity of people, property or facilities.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Transparency

Data controller EJIE, S.A.
Purpose

Processing of personal data relating to public relations concerning transparency in the application of regulations on access to public information.

Legitimation

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

Recipients

The personal data will be published on the transparency section of the EJIE website.

No other communication of data is foreseen, unless it is required to comply with legal obligations that EJIE S.A. must fulfil.

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Board of Directors

Data controller EJIE, S.A.
Purpose

Processing personal information regarding people who are members of governing bodies and managing their actions, tenders, and meeting minutes.

Legitimation

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

Recipients

Notaries
Account auditors

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Legal Advice 

Data controller EJIE, S.A.
Purpose

Processing personal information associated with legal advice and legal defence tasks.
Managing legal or administrative proceedings.

Legitimation

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with procedural and substantive laws associated with administrative, labour, administrative or criminal claims.

Special categories of data: GDPR: 9.2g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Recipients

Vice-chancellor of the Legal Regime of the Basque Government

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Exercising rights associated with data protection

Data controller EJIE, S.A.
Purpose

Managing data protection rights exercised in relation to processing for which EJIE was responsible.

Legitimation

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

Recipients

Basque Data Protection Authority

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Management of incidents and security breaches

Data controller EJIE, S.A.
Purpose

Management, assessment and reporting of data security incidents and breaches.

Legitimation

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

Recipients

Basque Data Protection Authority
The National Cryptography Centre’s incident response teams (CCN-CERT)
Law enforcement agencies
Cyberzaintza

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Contact agenda

Data controller EJIE, S.A.
Purpose

Contact information for people with whom EJIE staff have relationships. Managing the content of communications and maintaining commercial or contractual relationships.

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Recipients

No data communication is expected, except where it is required to comply with legal obligations that EJIE S.A. must fulfil.

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights

You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Common repository of digital media for internal dissemination

Data controller EJIE, S.A.
Purpose

Use of multimedia content for internal use and dissemination.

Images and videos that may contain the name, surname, face (image) and/or voice of employees and third-parties may only be used for internal use and dissemination, i.e., the corporate intranet, internal events and presentations, or other analogous uses.

Legitimation

GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.

Recipients

No data communication is expected, except where it is required to comply with legal obligations that EJIE S.A. must fulfil.

Data storage

The data will be kept until the interested party expresses their opposition to the processing.

Rights

You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Common repository of digital media for external dissemination

Data controller EJIE, S.A.
Purpose

Use of multimedia content for external use and dissemination.

Images and videos that may contain the name, surname, face (image) and/or voice of employees and third-parties may be used for external use, for example the EJIE website, events and presentations, corporate social networks or other analogous uses.

Legitimation

GDPR: 6.1.a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Recipients

In certain cases, the data will be published on the EJIE website, at events and on EJIE social networks.

Data storage

Data shall be kept until the data subject withdraws their consent to such processing.

Rights

You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Electronic signature - Izenbox

Data controller EJIE, S.A.
Purpose

Centralised document management that lets users use digital signatures.

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Recipients

No data communication is expected, except where it is required to comply with legal obligations that EJIE S.A. must fulfil.

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights

You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Sending communications

Data controller EJIE, S.A.
Purpose

Sending non-commercial communications such as Christmas greetings or bank holiday greetings, among other things. Managing the sending of invitations and registration for events organised by EJIE, or by third parties, in which EJIE participates.

Legitimation

GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.

Recipients

In certain cases, personal data belonging to entities that promote events EJIE participates in may be communicated.

No other communication of data is foreseen, unless it is required to comply with legal obligations that EJIE S.A. must fulfil.

Data storage

The data will be kept until the interested party expresses their opposition to the processing.

Rights

You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Managing EU Next Generation projects

Data controller EJIE, S.A.
Purpose

Processing personal information regarding the group of interested parties who participate in drafting specifications and who fill out and sign the corresponding appendices within the framework of EU Next Generation project management.

Legitimation

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

Recipients

Ministry of Taxes and Public Functions, through the MINERVA and CoFFEE-MRR platform

Ministry of Economy, Commerce and Business, through the HRS platform

Bodies of the European Union for the purposes of audits and monitoring government and European funds, when applicable

Personal data regarding internal staff may be communicated to the directorate of services of the department of public governance and self-governance for auditing purposes.

Data storage

Documents are kept for five years after the payment of the salary or of the transaction if there was no payment, or for three years in accordance with article 132 of the financial regulations.

Rights

You can request access, rectification, deletion, portability, limitation of the processing of personal data or to oppose the processing, as explained in the "Rights of the interested party" section.

 

Code of Conduct

Data controller EJIE, S.A.
Purpose

Processing of personal data concerning the reporting and investigation of abnormal cases or queries regarding possible breaches of the organisation's internal regulations about the code of conduct and code of ethics of the organisation.

Legitimation

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject.

Special categories of data: GDPR: 9.2.g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Recipients

Where appropriate, data shall be disclosed to the Courts and Tribunals, Law Enforcement Agencies or other public administrations authorised to deal with the type of complaint lodged.

Data storage

Personal data of the person informing of the situation and of the employees or third parties shall only be kept for the time necessary to process the complaint.

In any case, three months after having informed of the situation and/or concluding the investigation thereof, all data shall be deleted unless disciplinary proceedings against an employee are pending or the purpose of keeping the data is to leave evidence as to the functioning of the method for the prevention of the commission of offences on the part of the legal person. Communications that have not been followed up on will only appear anonymously.

Rights

You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

 

Managing access to EJIE systems by staff from supplier companies of convergent entities

Data controller EJIE, S.A.
Purpose

Processing information to manage user creation and deletion in order to maintain logical access control for EJIE information systems and acceptance of the security policies.

Legitimation

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.

Recipients

No data communication is expected, except where it is required to comply with legal obligations that EJIE S.A. must fulfil.

Data storage

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Rights

You may request access, rectification, deletion, portability, restriction of the processing of personal data or withdrawal of consent, as explained in the section "Rights of the data subject".

EJIE gives interested persons the possibility of exercising the following rights with regard to the processing of their personal data:

  • The right to request access to their personal data
  • The right to request rectification of personal data
  • The right to request the deletion of personal data
  • The right to request the restriction of their processing
  • The right to object to the processing
  • The right to portability of personal data
  • The right to withdraw the consent given
  • The right not to be subject to automated individual decisions

Every person has the right to obtain confirmation about whether EJIE processes personal data concerning them. Interested persons may access their personal data and they may request correction of imprecise data or, as may apply, they may request removal of the data when, among other causes, the data is no longer necessary for the purposes it was collected for.

Under certain circumstances, interested persons may request the restriction of the processing of their data, in which event it will only be conserved for exercising or defending against complaints.

Under certain circumstances, and for reasons related to their individual situation, interested persons may object to the processing of their data. In this event, EJIE will cease processing the data, except for compelling reasons or exercising the right to defend against potential complaints.

If consent has been granted for a specific purpose, the interested person has the right to withdraw their consent at any time, without affecting the lawfulness of any processing based on consent prior to withdrawal.

EJIE may be contacted in writing at the address below for that purpose:

  • Attention Security Officer
  • Avenida del Mediterráneo 14
  • 01010 Vitoria-Gasteiz, Spain

or you may send an email to lopd-ejie@ejie.eus

If, after having made a request to exercise your rights, you are not satisfied with the response received, you may file a complaint with the Basque Data Protection Authority via its website www.avpd.euskadi.eus, or a prior complaint with the EJIE Data Protection Officer via the e-mail address dpo@ejie.eus.