As you will probably know, the coming into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on personal data protection (hereinafter GDPR) and Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights (hereinafter LOPDGDD) demonstrate the need to strengthen personal data security and protection.
We hereby inform you that COCOMM complies with all the requirements demanded by the aforementioned legislation and that all data under our responsibility has been processed in accordance with legal requirements while applying appropriate security measures to guarantee confidentiality.
Who is the data controller for your data?
CO-COMM SERVICIOS TELECOMUNICACIONES, S.L. (COCOMM) – C/ Serrano Galvache, 56 Edif. Abedul 4ª Pta, 28033 Madrid – España – email@example.com
Why do we process your personal data?
- To address your queries and requests: manage replies to queries, complaints or incidents, requests for technical information or information about the company, resources and activities.
- Contact the interested party through the means of communication provided (email, postal address or telephone) in order to manage the queries sent through the channels set up for this purpose, manage alerts and coordinate actions associated to the services requested by people associated to COCOMM or by those in charge of processing them for legitimate or agreed purposes.
- Offer and sales management of products and services.
- Internal use, carry out operations and administrative, financial and accounting management resulting from the relationship with the owner (sales or contractual relationship).
- Manage procurement and provision of the company’s services and fulfil contractual and regulatory requirements associated to the company or operation requested.
- Process and manage the orders placed (including online sales), process payment (including managing the online store payment gateway) and manage and send the products purchased.
- Manage contact with the interested party through the means of communication provided (email, postal address or telephone) in order to arrange meetings and visits, manage queries sent through the channels set up for this purpose, manage alerts, manage notifications about the service (send technical documentation (lighting studies, technical data sheets), administrative documentation, invoices, manage payment and collection), coordinate activities, request authorization to use facilities, resolve incidents and coordinate actions associated to the services requested by individuals associated to the company and by those in charge of processing contracted by the company for legitimate or the agreed purposes.
- Send marketing communications about products and services similar to those contracted by the customer with whom there is a previous contractual relationship, pursuant to article 21 of the LSSICE.
- Quality control of our products and services, quality management of processes and activities, and to evaluate the satisfaction or perception and performance results of the company’s stakeholders.
- Provide evidence to justify campaigns, activities, promotions, tenders, projects and subsidies in which the company participates.
- Manage Regulatory Compliance (applicable regulations and mandatory internal regulations). Investigate, monitor and audit the crime prevention controls implemented, being able to implement access controls to the facilities and controls associated to the use of the images captured by the video surveillance systems for the investigation of the accidents or incidents that could occur, and breaches of regulations, crimes or illegal behaviour.
- Evaluate Capital Solvency and Credit in order to confirm the financial viability of the operation requested and, where appropriate, the communication and management associated to claiming the service provision amounts agreed.
- Statistical and history purposes that allow us to improve the sales strategy of our products and services.
- Manage and audit management system and regulatory compliance of the company’s processes and facilities.
- Share our best practices for the services we have provided or publish or share graphic material that may include the image of the owner or of the personnel in charge of corporate media (for example, but not limited to, internet, social media, newsletters, annual report, articles, media appearances) or other public media (industry publications or reports in the print press, TV, etc.), such as the publication of the business results, promotion and distribution, campaign management, activities and events or as proof of technical solvency in the case of requests for proof of justification in bidding processes, technical offers, projects and subsidies in which related companies or the group participate, to the extent to which unequivocal consent has been given.
- Contact and send personal communications, invitations to events and gifts addressed to customers, congratulating them on special occasions, conduct quality and satisfaction surveys, and to periodically inform you about new products and services, news and corporate information, information on the publication of subsidies, contests, rates, offers, catalogues and promotions of the products and services of the company and of companies associated to COCOMM* in order to assess the quality of our processes and offer products and services of interest to you by telephone, in writing or via electronic means through the means of communication provided, to the extent to which unequivocal consent has been given.
- Contact the other associated* companies from the LED lighting, electrical and electronic products design, development, manufacturing and sales industries or official after-sales services, an updated list of which appears on the brand’s official website, in order to contact and send personal communications, invitations to events and gifts addressed to customers, conduct opinion surveys, and to periodically inform you about new products and services, news and corporate
- Manage registration for COCOMM seminars and events.
- Manage subscriptions to the COCOMM bulletin.
- International transfer of your data to the extent to which it is strictly necessary to comply with the management of a project in a country outside the EU or due to the location of the processing systems of processing management applications (we hereby inform you that part of the brand’s information processing systems may be hosted in countries outside the EU).
- Recording of images or audio using devices (mobile phones, telephones, audio systems, video, reproduction devices, etc.) is strictly prohibited on COCOMM facilities, unless expressly authorised and formalised by management. Only the devices expressly authorised by the company’s management are permitted. The company may make video recordings at the facilities in order to improve performance, productivity, study methods and times and security and fire-fighting measures, notwithstanding the content of the next paragraph on the security of the facilities and control of compliance with labour obligations.
- Manage Visits and Video Surveillance of the Facilities and security and regulatory compliance on them, investigate possible incidents or accidents, manage associated insurance and manage cautions or sanctions for breaching safety regulations.
- Check the advertising exclusion systems that may affect performance, excluding from processing the data of those affected who have expressed their opposition or rejected processing by checking the advertising exclusion systems published by the competent control authority.
- Associated management, including prior communication, which could derive from the development of any structural modification operation of companies or the contribution or transfer of business or branch of business activity, provided that the processing is necessary for the success of the operation and guarantees, where appropriate, continuity in the provision of services.
- Include in the complaints channel any data associated with the publication (even anonymously) of the commission within the company or in the actions of third parties contracted, of acts or behaviour that may be in breach of applicable general or industry regulations.
- Control working hours and presence or attendance and monitoring through access registration, video surveillance and confirmation of performance of duties both in the company’s facilities and in third parties’ facilities in which the interested party performs duties associated to providing services to COCOMM (surveillance and control to verify compliance by the supplier or collaborator with contractual obligations).
- Evidence of the Regulatory Compliance of the Company for a third party that requires it. Transfer data on the interested party that is required by third parties in order to comply with business coordination activities, prove regulatory compliance of the company and the internal regulations of the third party or for managing access to facilities. In the cases in which the interested party unequivocally consents, the data or documents required by the third party that are not explicitly included in regulatory or legal obligations but are included in the internal regulations of the third party may be transferred, to the extent to which unequivocal consent has been given.
- Verify employee compliance with their obligations and duties in accordance with article 20.3 of the Spanish Statute of Employee Rights, which authorises the employer to adopt surveillance and control measures for this purpose (controls related to the use of images captured by video surveillance systems for investigating accidents or incidents that may occur, as well as breaches of employment regulations, crimes or illegal behaviour).
- Health and safety management (occupational risk prevention and security surveillance) and compliance evaluation.
- If you have consented, for the purposes described in the additional consent that you have unequivocally provided us through formal means or by checking the boxes included in the data protection clauses in the form or base document that regulates the relationship with COCOMM, depending on the contact channel.
To the extent to which you have submitted your CV, the uses and purposes for which we process your data are:
- Internal use for recruitment processes, to add you to the job pool and for offering and managing possible job offers or collaboration that may be generated.
- Manage assessment of the skills of job candidates and people in the recruitment process or internal promotion processes.
- Use related to developing the application and including it in the job pool of companies associated to COCOMM * for offering and managing possible job offers or collaboration that may be generated, to the extent to which unequivocal consent has been given. To the extent not permitted by this purpose, we cannot receive your application to the extent that candidate management is carried out through the aforementioned job pool.
- Use your CV in the technical offer for projects in which your incorporation is evaluated, if you have given your unequivocal consent.
- Manage Regulatory Compliance (applicable regulations and mandatory internal regulations). Investigate, monitor and audit the crime prevention controls implemented, being able to implement access controls to the facilities, information systems and print out documentation for all personal data under the responsibility of the company and, therefore, for all the information systems of the company, and controls associated to the use of the images captured by the video surveillance systems for the investigation of the accidents or incidents that could occur, and breaches of work regulations, crimes or illegal behaviour.
- Manage contact with the interested party through the means of communication provided (email, postal address or telephone) in order to manage notifications and coordinate recruitment process activities by the people related to companies associated to the business name of COCOMM* or third parties that contract them for candidate recruitment for open positions or jobs.
- Carry out aptitude tests or certificates that may be required for recruitment purposes, which will be optional; it will be understood as an expression of the user’s consent for the inclusion of the data provided, and for their possible assessment, in the database of the job pool of companies associated with COCOMM * and its automated processing in order to carry out that selection. As a consequence of accessing the facilities that may be required to conduct the aptitude tests or certificates, data associated with the security of the facilities may be processed through access registration or video surveillance systems.
- Manage Visits and Video Surveillance of the Facilities and security and regulatory compliance in them, investigate possible incidents or accidents, manage associated insurance and manage cautions or sanctions for breaching safety regulations.
How long do we keep your data?
The data provided will be kept as long as it is still legal to process it and the interested party does not request that it be deleted at the end of the relationship, except where it is stored for formulating, exercising or defending claims by the data controller, with a view to protecting the rights of another natural or legal person, or for reasons of legal obligation.
In any case, at the end of the relationship, the interested party’s data will be duly blocked, according to the provisions of current data protection regulations.
- Accounting and Tax Documents – For Tax purposes. The accounting books and other mandatory record books according to the applicable tax regulations (income tax, VAT, corporate tax, etc.) and any documentary support that justifies the entries in the books (including computer programs and files and any other supporting document of significance for tax purposes) must be kept, at least, during the statute of limitations for Tax Crimes – General Tax Law and Penal Code, Prescription of infractions 10 years.
- Accounting and Tax Documents – For Commercial purposes. Books, correspondence, documentation and justification concerning your business – Code of Commerce- 6 years.
- Solvency Files. Data referring to certain, past due and enforceable and unclaimed debts (Art. 20 of LOPDGDD) – as long as the breach persists, with a maximum limit of five years from the expiry date of the monetary, financial or credit obligation – 5 years.
- Occupational Risk Prevention Documents – Documents about employee information and training Records of occupational accidents or occupational diseases – Law on Violations and Sanctions in the Social Order – 5 years.
- The images and sounds captured by video surveillance systems shall be deleted within a maximum period of one month from their capture, except when they have to be kept to prove the commission of acts that violate the integrity of people, property or facilities (in which case, the images will be made available to the competent authority within a maximum of 72 hours of knowing that the recording exists), or are related to serious or very serious criminal or administrative offenses in matters of public safety, with an ongoing police investigation or with an open legal or administrative procedure (Instruction 1/2006, of 8 November, of the Spanish Data Protection Agency, on personal data processing for surveillance purposes through camera or video camera systems and Art. 22 LOPDGDD) – 30 days.
- The data included in the automated processing created to control access to buildings – Instruction 1/1996 Spanish Data Protection Agency on automated files created to control access to buildings – 30 days.
- Data processed in relation to the legal guarantee shall be kept whilst the legal guarantee is valid and after it has expired, during the period that there may be a legal or administrative claim in relation to the legal guarantee.
- The data of whoever files a complaint and of employees and third parties is kept in the complaints system to decide on the suitability of opening an investigation into the reported events and afterwards, as evidence of the functioning of the commission’s model for preventing crimes by legal persons, in accordance with the provisions of article 24 of the LOPDGDD.
- The data processed for referral of commercial communications shall be kept until the consent granted is revoked.
- Data associated to candidates who submit their CV shall be kept during the calendar year associated with the date it was received (except in cases where the candidate is successful, in which case, it will be added to the data processing of the personnel department in the hiring company) and the legally defined deadlines for exercising or prescribing any liability action for breach of contract by the interested party or the company.
Therefore, the data shall be stored whilst the commercial relationship is in force, based on the storage periods set out in the current regulations mentioned above, and the legally defined deadlines for exercising or prescribing any liability action for breach of contract by the interested party or the company (the Spanish Civil Code states 5 years to be able to carry out a civil liability action, this period starting on the date on which fulfilment of the obligation may be required).
What is the lawful basis for processing your data?
- The legal basis for processing your data is fulfilling the request you send us. The data requested is necessary to correctly fulfil the request.
- The execution of a contract, request, offer, order or commercial contract, for which the data provided will be transferred to the brand data controller in order to successfully attend, where appropriate, to the guarantees and responsibilities of the products and services supplied.
- Fulfil a legal obligation. Administrative, commercial, tax, fiscal, accounting, civil and financial regulations, current legislation on labour issues, occupational risk prevention (coordination of business activities) and social security and consumer and user protection law and the regulations inherent to the operation contracted and associated with the industry.
- Meet a legitimate interest of the data controller. Data processing as part of a commercial relationship or contract, which is necessary for maintenance or compliance purposes, data transfer within business groups for internal administrative purposes, direct marketing, fraud prevention, cases of legitimate interest in which the data controller could be an injured party and it is necessary to process and transfer the data of the noncompliant party to third parties in order to manage regulatory compliance and defend the interests of the data controller, video surveillance purposes as a legitimate interest of the company to protect its assets, the legitimate interest of direct marketing permitted by the LSSICE (sending marketing information about products or services similar to those purchased by the customer with whom there is a prior contractual relationship), and cases of legitimate interest of specific processing set out in the LOPDGDD (Article 19 on Processing of contact and individual employer data; Article 20 on Credit information systems; Article 21 on Processing related to certain commercial operations (company restructuring or business transfers); Article 22 on Processing for video surveillance purposes; Article 23 on Advertising exclusion systems; Article 24 on Information systems for internal complaints).
- Security and cases of legitimate interest in which the data controller could be an injured party and it is necessary to process and transfer the data of the noncompliant party to third parties in order to manage regulatory compliance and defend the interests of the data controller.
- Article 20.3 and 4 Royal Legislative Decree 1/1995, of 24 March, which approves the revised text of the Spanish Statute of Employee Rights Law (ET): The employer may adopt the surveillance and control measures deemed most appropriate to verify employee compliance with their work obligations and duties, considering, during such adoption and application, their human dignity and taking into account the real capacity of employees with a disability, if applicable.
- In the case of data of candidates who submit their CV, the lawful basis for processing is to fulfil the request of the interested party to be added to the job pool through the self-application of the candidate by submitting their CV through one of the company’s contact channels or recruitment companies hired to recruit candidates for vacancies or jobs, and to meet a legitimate interest of the data controller; video surveillance purposes as a legitimate interest of the company to protect its assets, fraud prevention, cases of legitimate interest in which the data controller could be an injured party and it is necessary to process and transfer the data of the noncompliant party to third parties in order to manage regulatory compliance and defend the interests of the data controller.
- Consent of the interested party unequivocally provided through formal means or by checking the boxes included in the data protection clauses in the base document that regulates the commercial relationship, depending on the contact channel.
What recipients can your data be transferred to?
- Companies or people directly contracted by the data controller to provide services associated with the processing purposes: Customers who contract services, Entities Subcontracted to do the work or provide the services included in the customer contract, Distributors, collaborators and other associated or group companies, Commercial collaborators, Companies related to managing transportation of our products, Advertising / Marketing, Legal Advice, Tax Advice, Accounting Advice, Collection Management and Credit Insurance Entities, Management or Regulatory Compliance Auditors.
- Companies associated with COCOMM*, to the extent to which consent has been given.
- Brand data controller for the purposes derived from the contractual relationship (guarantees and responsibilities of the specified article and of the products and services it supplies) and, if you have consented, for the purposes described in the additional consent.
- Companies or persons directly contracted by the data controller to provide the services related to video surveillance processing purposes: video surveillance system maintenance and security companies and the owner of the premises, for the legitimate interest of protecting the assets under their ownership.
- Insurance Agents and Insurance Companies: Insurance policies taken out by the company in case of incidents.
- Solvency assessment entities in order to evaluate the creditworthiness of the interested party for forms of payment or financing conditions that require it.
- Public Administration bodies authorised in the matters included in the processing purposes: Spanish Tax Agency.
- Financial entities: Direct debit of bills or payment collection management and other means of payment.
- Security Forces: To the extent that a justified right of access is required in the investigation of a regulatory breach.
- Complaints Channel Compliance (Complaints about breach of regulations and code of conduct are transferred to the Regulatory Compliance Unit).
- Employee Representatives/Health and Safety Coordination, External Auditors: To comply with Royal Decree 171/2004 – Accreditation entails risks through Coordination of Business Activities.
- Insurance Companies: In the event of a claim, incident or accident, it is provided to insurance companies to investigate the event in order to define the scope and cover of the insurance taken out by the data controller.
- In the case of data from candidates who submit their CV, the possible recipients could also be companies related to COCOMM *, companies or people directly hired by the data controller to provide the services associated to the processing purposes; Temporary staffing agencies and third parties hired for the recruitment of candidates for vacancies or jobs in companies associated with COCOMM *.
- Complaints Channel Compliance (Complaints about breach of regulations and code of conduct are transferred to the Regulatory Compliance Unit). Access to data stored on these systems will be limited exclusively to those who, whether they are a member of the entity or not, perform internal control and compliance functions, or to those in charge of processing appointed for this purpose. However, access by other individuals, or even transfer to third parties, shall be lawful when it is necessary in order to take disciplinary measures or to process legal procedures, where appropriate.
- Other: International transfer of your data to the extent to which it is strictly necessary to comply with the management of a project in a country outside the EU (Entities associated to import and export of goods; Agents, logistics, Customs, etc.) or due to the location of the processing systems of processing management applications (we hereby inform you that part of the brand’s information processing systems may be hosted in countries outside the EU. We recommend reading the brand’s privacy policies).
Under what guarantees is data transferred?
Data transfer to third parties is done to entities that prove they have a Personal Data Protection System that meets current legislation.
The standard contract clauses approved by the data protection control bodies are signed with the organisations to which international data transfers can be made.
What are your rights?
You have the right to obtain confirmation of whether or not we are processing personal data that concerns you.
Interested parties have the right to access their personal data, and to request rectification of inaccurate data or, where appropriate, request it be deleted when the data is no longer necessary for the purposes for which it was collected, and other reasons. The right of rectification may not be exercised in the case of video surveillance processing, as given the nature of the data – images taken from reality that reflect an objective fact – it would be the exercise of a right of impossible content.
In certain circumstances, interested parties may request restriction of the processing of their data, in which case we shall only keep them for exercising or defending claims.
Under certain circumstances and for reasons related to their specific situation, interested parties may oppose processing of their data, in which case the data controller will stop processing the data, except for compelling legitimate reasons, or for exercising or defending possible claims.
By virtue of the right to portability, interested parties have the right to obtain the personal data concerning them in a commonly-used, machine-readable, structured format and to transfer it to another data controller.
If you have given consent for any specific purpose, you have the right to withdraw consent at any time, without affecting the legality of the processing based on the consent prior to its withdrawal.
Who to contact to exercise your rights?
If you wish to exercise your rights, please go to the channel set up for this purpose by the data controller: firstname.lastname@example.org, so that we can give a managed response to your request.
What information is required to exercise your rights?
To exercise your rights, we need proof of your identity and of your specific request, for which we request the following information:
- Documented information (handwritten/email) in which the request is specified.
- Proof of identity as the owner of the data for which you wish to exercise your rights (Name, surname of the interested party and photocopy of the ID of the interested party or the person representing them, and the document proving such representation (legal representative, if applicable)).
- If exercising rights associated with the data of a deceased person, a copy of:
  - Family Register or Civil Register which states the family or domestic partner relationship with the deceased and/or,
  - Will declaring the requestor as the heir and/or,
  - Express appointment of the requesting person or institution by the deceased and/or,
  - Document that proves legal representation of the deceased.
- In the case of exercising the rights to rectify or erase, responsible declaration of the requestor proving that they have the agreement of the rest of the people associated to the deceased for family or domestic partner reasons and their heirs to carry out the request.
- When the data controller has reasonable doubt in relation to the identity of the natural person making the request, they may request any additional information necessary to confirm the identity of the interested party.
- Address for the purposes of notifications, date and signature of the requestor (in case of handwritten requests), or full name and surname (in case of email), or validation of the request in the private area of the communication channel with their personal identity authentication password.
- When exercising the right to rectification recognised in article 16 of the GDPR, the affected party must specify the data in question and the correction to be made in the request. Supporting documentation must be included, when necessary, in order to prove the inaccuracy or incompleteness of the data being processed.
- Likewise, when we process a large amount of data related to the affected person and they exercise their right to access without specifying whether it refers to all or part of the data, the data controller may ask the affected person to specify the data or processing activities in question before providing the information.
What is the general procedure for exercising your rights?
After receiving the information required, we will respond to your request in accordance with COCOMM’s general procedure for exercising rights:
The data controller will provide the interested party with information on their actions based on a request in accordance with articles 15 to 22 (Rights of the interested party), and, in any case, within one month from receiving the request.
This period may be extended by another two months, if necessary, bearing in mind the complexity and number of requests.
The data controller will inform the interested party of any extensions within one month of receiving the request, specifying the reasons for the extension.
When the interested party sends the request via electronic means, the information will be provided via electronic means whenever possible, unless the interested party requests a different method.
When the data controller’s processing systems allow it, the right to access may be provided through a system of remote, direct and secure access to personal data that permanently guarantees access to its entirety. For this purpose, notification from the data controller to the affected party on how to access said system will be enough to consider the request to exercise the right to be considered addressed. However, the interested party may request the information on the issues set out in article 15.1 of the GDPR not included in the remote access system from the data controller.
If the data controller does not act on the request of the interested party, they will inform them without delay, and at the latest one month after receiving the request, of the reasons for this failure to act and of the possibility of filing a complaint with a control authority and of taking legal action.
The information will be provided free of charge, except for a reasonable fee for administrative costs. When the affected party chooses a different means to the one offered, which results in disproportionate costs, the request will be considered excessive and the affected party shall cover the excess cost that their choice involves. In this case, the data controller shall only be required to satisfy the right to access without undue delay.
The data controller may refuse to act on the request, although they will bear the burden of proving the manifestly unfounded or excessive nature of the request. For the purposes set out in article 12.5 of the GDPR, exercising the right to access on more than one occasion during a period of six months may be considered repetitive, unless there is legitimate cause for it.
In the cases in which the right to rectify or erase is justified, your data will be blocked: Data blocking consists of identifying and reserving the data, adopting technical and organisational measures to prevent it from being processed, including viewing, except for making the data available to the judges and courts, the Public Prosecutor’s Office or the Competent Public Administrations, in particular data protection authorities, for possible responsibilities derived from the processing and only for the limitation period of the latter. After this period ends, the data will be destroyed. Blocked data may not be processed for any purpose other than the purpose specified above (article 16 GDPR and article 32 LOPDGDD).
When data is erased as a result of exercising the right to oppose, in accordance with article 21.2 of the GDPR, the data controller may store the necessary identity data of the affected party in order to prevent future processing for direct marketing purposes. In the cases in which you do not want your data to be processed for sending marketing communications, we refer you to the existing advertising exclusion systems, in accordance with the information published by the competent control authority (AEPD) in its electronic headquarters www.aepd.es.
In cases in which personal data processing is limited, this shall clearly be stated in the information systems of the data controller.
In the case of a certain, overdue and enforceable debt, notification is sent to the debtor at the time of requesting payment about the possibility of inclusion in said systems (default processing in the company), specifying those who intervene (collection management entities for managing the corresponding claim, etc.). If the debt is not settled within 15 days of receiving the insolvency notification, you will be informed about the possibility of exercising the rights set out in articles 15 to 22 of the GDPR within thirty days of notification of the debt being sent to the system, the data remaining blocked during that period.
Individuals associated to the deceased for family or domestic partner reasons and their heirs may contact the data controller in order to request access to their personal data and, where appropriate, rectify or erase it. As an exception, the people referred to in the previous paragraph may not access the data of the deceased, or request it be rectified or erased, if the deceased has expressly prohibited it or it is prohibited by law. This prohibition shall not affect the right of the heirs to access data on the assets of the deceased.
In order to comply with current regulations on video surveillance Inst 1/2006 of the AEPD, we hereby inform you that the storage period for the recordings is 1 month from capture, and therefore, we will not be able to respond to formalised requests in later periods. Likewise, to avoid affecting the rights of third parties, in the case of requests for access, we shall issue a certificate specifying, with the greatest possible accuracy and without affecting the rights of third parties, the data that has been subject to processing. E.g. “Your image was recorded by our systems on day/month/year between time and time. Specifically, the system recorded you accessing and leaving the facilities.”
What complaints channels are in place?
If you believe that your rights have not been properly addressed, you can file a complaint with the supervisory authority by addressing the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid.
How did we obtain your data?
- The interested party or their legal representative, through the communication sent or through professional social media.
- Distributors, collaborators and other companies associated with COCOMM *, companies in the group of the Brands sold belonging to the LED lighting, electrical and electronic products design, development, manufacturing and sales industries, events, trade fairs, industry conferences organised and those in which the company participates, public information associated with tenders, legitimate sales databases, professional social media, search engines and online databases, and third parties with which the data controller maintains a business or service provision relationship and which require your personal data to process the requested service or to comply with our contractual commitments and tax and accounting obligations associated with the service contracted or to verify regulatory compliance under the responsibility of the company.
- In the case of data of candidates who submit their CV, the possible origin of the data could be, in addition to the interested party, temporary work agencies, entities with which internship agreements or training programs with a commitment to hire have been agreed, professional social media or third parties to which the recruitment of candidates for vacancies or jobs in companies associated with the commercial name of COCOMM* is outsourced.
What type of data do we process?
- The data structure that we process does not contain data associated to convictions and criminal offences, nor specially protected data, unless the interested party is the beneficiary of a special condition that must be considered during the service provision or in the management of the subsidy that may be processed (e.g. a disability) and provide documentation that proves it, as well as cases in which the owner has special conditions and has to provide documentation that includes this information in order to accredit or justify fulfilment of the condition.
- Identity and contact data, for example, but not limited to: name, surname, telephone number or email address, Sales information data, Economic, financial or payment conditions data; other types of data, contact details of people in the company involved or related to the service included in the contract or request, and those related or provided with the Consultation, Request for technical or corporate information, Resources or Activities, Claims or Incidents submitted and the personal data of third parties that you may provide.
- Commercial data, contact persons for administrative and operations management associated with the implementation of the contract or project and employees who will carry out the contracted work as regards coordination of business activities associated with occupational risk prevention; Permits or certifications, in the case of employees who are going to carry out the contracted work as regards coordination of business activities associated with occupational risk prevention; Commercial information and certification data; Economic, financial or payment conditions data; Goods and services supplied by the affected party, Financial transactions; Other types of data: Name, surname and tax ID of the legal representative, contact details of people in the company involved or associated to the project included in the contract or order.
- In the case of the data of candidates who submit their CV, the structure of the data processed is for example, but not limited to, identity and contact details (address, contact telephone number and contact email address); Academic and professional data associated to training, qualifications and career; Personal data associated with marital status, family details, date and place of birth, age, sex, nationality; Work permit; Job status data; Other data (Professional goals, Leisure and hobbies). If the candidate reports a disability, the certificates proving this may be required.
How is your data stored securely?
COCOMM has entered into agreements to ensure that we process your personal data properly and in accordance with applicable data protection laws. These agreements reflect our respective roles and responsibilities in relation to you and reflect which entity is in the best position to meet your needs. These agreements do not affect your rights under data protection law. For more information about these agreements, please do not hesitate to contact us.
- In relation to personal data that COCOMM could access as a result of the services contracted, we hereby inform that the provision of the services included in the contract may involve physical access by COCOMM personnel to premises or facilities that may store personal data of which the customer is the data controller. In this respect, COCOMM has signed clauses with its personnel that prohibit access to all types of confidential information and, specifically, to personal data belonging to the customer, unless the service includes personal data processing in its scope. In this case, COCOMM would act as the data controller, drawing up the corresponding contract in accordance with current data protection regulations, which would include, among other aspects, the purpose, duration, nature, category of the data being processed, security measures, obligations and rights of the data controller, organisational and technical security measures to guarantee confidentiality during the process, as well as the agreements signed between the customer and manager in relation to transfer of security breaches or exercise of rights. If the customer fails to formalise personal data processing in a contract, COCOMM shall not have any liability associated with the processing of said data. Notwithstanding the above, if you are provided with any type of confidential information in order to provide the service, you undertake to keep it secret, not disclose or publish it, either directly or through third parties, or make it available to third parties. This confidentiality obligation is indefinite, continuing at the end of the contract for any reason. COCOMM undertakes to inform its personnel and subcontracted personnel and ensure that they comply with the confidentiality obligations set out.
However, in the event that it becomes aware of any type of confidential information for the purpose of providing the service, it undertakes to keep it secret, not to disclose it or publish it, either directly or through third parties or companies, or to make it available to third parties. This obligation of confidentiality is of an indefinite nature, subsisting at the end of the contract for any reason. COCOMM undertakes to communicate and enforce the obligations of confidentiality to the personnel under its charge and contracted on its behalf.
- As regards the video surveillance systems installed in facilities under the responsibility of COCOMM, we hereby inform you that COCOMM takes all the necessary measures to keep your personal data private and secure and will comply in any case with the provisions of Act 5/2014, of 4 April, on Private Security and its implementation provisions. In this respect, we inform you of the following security measures:
- LOCATION OF THE CAMERAS. COCOMM only captures images of public property to the extent that it is essential for security protection purposes. In no case does COCOMM install sound recording or video surveillance systems in places intended for rest or recreation for employees or public employees, such as changing rooms, toilets, dining rooms and similar.
- SOUND RECORDING. COCOMM will only carry out the sound recording when the risks to the security of the facilities, goods and people derived from the activity carried out in the workplace are significant and always respecting the principle of proportionality, that of minimum intervention and guarantees.
- LOCATION OF MONITORS. The monitors used to view the camera images are located in a place with restricted access, so that they are not accessible to unauthorised third parties.
- STORAGE: The images and sounds captured by video surveillance systems will be deleted within a maximum period of one month from their capture, except when they have to be kept to prove the commission of acts that violate the integrity of people, property or facilities (in which case, the images will be made available to the competent authority within a maximum of 72 hours of knowing that the recording exists), or are related to serious or very serious criminal or administrative offences in matters of public safety, with an ongoing police investigation or with an open legal or administrative procedure (Instruction 1/2006, of 8 November, of the Spanish Data Protection Agency, on personal data processing for surveillance purposes through camera or video camera systems and Art. 22 LOPDGDD) – 30 days.
- RIGHT TO ACCESS THE IMAGES: To comply with the right to access of the interested parties, a recent photograph and the national identity document of the interested party will be requested, as well as the date and time to which the right of access refers. The interested party will not be given direct access to the camera images in which images of third parties appear. To avoid affecting the rights of third parties, in the case of requests for access, we shall issue a certificate specifying, with the greatest possible accuracy and without affecting the rights of third parties, the data that has been subject to processing. E.g. “Your image was recorded by our systems on day/month/year between time and time. Specifically, the system recorded you accessing and leaving the facilities.”
By accepting or validating the process that is the basis for formalising your relationship with COCOMM, you expressly consent to the processing of data in accordance with the provisions of the clause and additional information on data protection, and have informed and have the consent of third parties who provide us with personal data for this processing. If you have checked the corresponding consent box, the legal basis for these purposes is your consent, which you can withdraw at any time.
Likewise, and to the extent that as a result of the relationship COCOMM may access personal data or confidential information, it undertakes to maintain absolute confidentiality and discretion over the information obtained about the activities, interested parties and entities associated to COCOMM, especially with regard to personal data, even after the conclusion of your relationship with the company.
(*) You can read the updated list of activities and companies associated to COCOMM in the Legal Notice.