Information about the personal data processing

At LANTEK SHEET METAL SOLUTIONS, S.L. we care about the personal data we process and about complying with current regulations on the protection of personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, GDPR).

Notwithstanding the foregoing, we take into account Recital 14 of the GDPR which establishes that “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person”.

This implies that this regulation and the obligations and rights provided for will not be applicable to legal persons.

In any case, Lantek informs about the following issues regarding personal data processing:

Data controller: LANTEK SHEET METAL SOLUTIONS, S.L., whose details appear at the beginning of this document.

Data Protection Officer contact details: to contact the Data Protection Officer please use the same address indicated at the beginning of this document or send an email to dpo@lantek.es.

Purpose of the processing: to manage the appropriate maintenance, development, fulfilment and monitoring of the current contractual relationship and of the services that it provides for.

Furthermore, identification and contact data will be used to carry out satisfaction surveys and to send, by electronic means or otherwise, technical, operational and/or commercial information about the products and services of Lantek as well as other companies of the Lantek Group.

Legitimation of processing: the legal basis for the processing of personal data is the performance of this contract and the provision of the required services.

In order to carry out satisfaction surveys and send commercial information of its own or of other companies of the Lantek Group, the legal basis will be the satisfaction of legitimate interests pursued by Lantek and/or third parties (other Lantek Group companies) as provided in Article 6.1 f) of the GDPR. This will be without prejudice to the possibility of the data subject objecting to the sending of said commercial information.

Recipients of the data: the personal data will be communicated, where appropriate, to the tax authorities for compliance with legal and tax obligations, as well as to the financial entity through which Lantek manages payments of its products and services.

The data subject’s personal data may be communicated to other companies of the Lantek business group for internal administrative purposes. Likewise, as part of the legitimate interests pursued by Lantek and/or companies of the Lantek Group, the data subject’s data may be communicated to any of these in order to send commercial information similar to the products or services that the data subject has contracted.

Similarly, other services are used (for example, to conduct satisfaction surveys or to send technical or commercial information, among other things) which are provided by companies that act as data processors and are located outside the European Economic Area, specifically in the United States.

However, in these cases we only hire companies that are covered by the EU-US Privacy Shield, thereby providing the same guarantees offered by this framework.

Data storage period: the periods for which Lantek will store the data subject’s data vary depending on the applicable regulations, indicated as follows:

  • 5 years: period corresponding to the statute of limitations on tax obligations.
  • Same period for the exercise of personal legal proceedings that do not have a specific statute of limitations.
  • 6 years: for books, correspondence, documentation and supporting documents concerning the business.

With regard to the sending of commercial information, personal identification and contact data will be kept until the data subject revokes their consent for said purpose.

Rights regarding the processing of data: the data subject can request access to their personal data, rectification, erasure, restriction of processing, objection or portability of personal data by sending a written request addressed to LANTEK SHEET METAL SOLUTIONS, S.L. Parque Tecnológico de Álava, calle Ferdinand Zeppelin, nº 2, Edificio Lantek - C.P. 01510 de Miñano (Álava), or by sending an email to info@lantek.es, accompanying in all cases a photocopy of their ID.

In any case, if the data subject considers that Lantek has not adequately processed their personal data or that it has not duly attended to the exercising of their data protection rights, they may submit a claim to the competent supervisory authority.

Possible intervention by Lantek as data processor

It is possible that, for the provision of certain services included for the duration or guarantee period contemplated in this contract, Lantek may have access to personal data of which the signing party of this contract (data controller for the purposes of this clause) is the owner (by way of example, but not limited to, customer, supplier, employee or business contact data).

Accordingly, in such cases Lantek will act as data processor, which is why, in compliance with the provisions of article 28.3 of the GDPR, such situations would be regulated by the following provisions:

1. Purpose of the data processing: by means of the present clauses Lantek is authorised, as data processor, to process on behalf of the data controller, any personal data required to provide the service which is the purpose of this contract.

According to the data controller’s request, the processing will consist of Lantek connecting remotely to the controller’s systems in order to manage customisation, reported technical incidents or, where appropriate, to customise the program or certain functionalities.

To do this, Lantek’s connection will be carried out through remote connection programs, whether its own, those of third parties or even those belonging to the data controller, always upon the controller’s request and with its authorisation. In such cases, Lantek will not incorporate any data into its systems or media, distinct from those of the data controller.

However, it is possible that the correct solution for the customisation or technical incident in question requires a special analysis, which could require the data controller to provide Lantek with the affected database via the Lantek website’s private area, in which case Lantek will incorporate it into its systems, distinct from those of the data controller, will include it in its Record of Processing Activities and will adopt the corresponding security measures.

In either case, the processing to be carried out by Lantek on the data accessed as a result of the provision of the contracted service will be: recording, structuring, consultation, analysis and, where appropriate, return of data to the data controller with its subsequent destruction.

2. Identification of the affected information: in order to be able to provide the services to fulfil the purpose of this contract, the data controller provides Lantek, the data processor, with the identification and professional data stored in the corresponding sections of the program that is the subject of this contract, pertaining mainly to customer, supplier, employee and business contact data.

3. Duration: the duration of this type of data processing will be what is contemplated in this contract or in its warranty period.

Once this contract ends, the procedure set forth in section "r" of this clause will be followed.

4. Obligations of the data processor: the data processor and all its staff undertake to:

  • Use the personal data being processed, or the data collected for inclusion, only for the purpose of this contract. In no case may it use the data for its own purposes or for purposes other than those contemplated in this contract.
  • Process the data according to the instructions of the data controller.
    If the data processor considers any of the instructions to be in breach of the GDPR or any other data protection provision of the Union or its Member States, the data processor shall immediately inform the data controller.
    If any of the data controller’s instructions are not clear to the data processor regarding the way it should act with respect to the personal data to which it has access, before proceeding with any data processing, the data processor should contact the data controller to clarify the aforementioned instruction.
  • Keep, in writing, a record of processing activity categories carried out on behalf of the data controller, containing:
    • The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer.
    • The categories of processing carried out on behalf of each controller.
    • Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards.
    • A general description of the technical and organisational security measures related to:
      • The pseudonymisation and encryption of personal data.
      • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
      • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
      • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
        In order to be able to verify that the data processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the General Data Protection Regulation and ensure the protection of the rights of the data subject, the data controller may require Lantek to provide a certificate of the security measures implemented in relation to the processing of data for which it is responsible.
    • Not communicate the data to third parties, unless it has express authorisation from the data controller, in legally admissible cases.
      The data processor may communicate the data to other data processors of the data controller, when instructed to by the data controller. In this case, the data controller will identify, previously and in writing, the entity (company name, Tax Number and address) to which the data must be sent, the data to be sent and the security measures to be applied to proceed with this transfer, after analysing the risk regarding the aforementioned transfer and the type of personal data being sent.
      If the data processor has to transfer personal data to a third country or to an international organisation, by virtue of the applicable Union or Member State law, it will inform the data controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
      Regarding the international transfer of data, the data processor must notify the data controller and provide written evidence of compliance with the requirements of the current regulations on data protection before proceeding with such transfer, ensuring that the entity that receives the data will implement the same security measures and will comply with all the requirements demanded by the General Data Protection Regulation.
    • Subcontracting. Not subcontract any of the services provided for in this contract that involve personal data processing, except for the auxiliary services necessary for the normal operation of the services of the data processor.
      If it is necessary to subcontract any processing, this will be previously communicated in writing to the data controller, with advance notice of 15 days, indicating the type of processing that will be subcontracted and clearly and unambiguously identifying the subcontractor and its contact information (at least the company name, Tax Number, address and corporate purpose). The subcontracting may be carried out if the data controller does not oppose it within the established period.
      The subcontractor, which will also be considered a data processor, is also obliged to comply with the obligations established in this document and the instructions given by the data controller. It is the responsibility of the initial data processor to regulate the new relationship so that the new data processor is subject to the same conditions (instructions, obligations, security measures, etc.) and to the same formal requirements as itself, with regard to the appropriate processing of personal data and the safeguarding of the rights of the people affected. In the event of non-compliance by the sub-processor, the initial data processor will remain fully liable to the data controller for compliance with the obligations.
    • Maintain the duty of secrecy with respect to personal data to which it has had access by virtue of this contract, even after the end of its purpose.
    • Guarantee that the persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be informed accordingly.
    • Make available to the data controller the documentation proving compliance with the obligation established in the previous section.
    • Guarantee the necessary personal data protection training for those authorised to process personal data.
    • Assist the data controller in responding to the exercising of the rights:
      • Of access, to rectification, to erasure and to object.
      • To restriction of processing.
      • To data portability.
      • Not to be subject to a decision based on automated individual decision-making (including profiling).
        When the affected persons exercise the rights of access, to rectification, to erasure and to object, to restriction of processing, to data portability and not to be subject to a decision based on automated individual decision-making, before the data processor, the latter must communicate this by email to the address that the data controller indicates.
        This communication must be made immediately and in no case later than the working day following the reception of the request, together with, where appropriate, other information that may be relevant to resolve the request.
    • Right of information. It is the responsibility of the data controller to provide the right to information at the time of collecting the data.
    • Notification of personal data breaches. The data processor will notify the data controller without undue delay, and in any case within a maximum of 24 hours, and through the e-mail address indicated by the data controller, of any personal data breaches of which it becomes aware, together with all the relevant information for documenting and communicating the incident.
      Notification will not be necessary when it is unlikely that such a breach constitutes a risk to the rights and freedoms of natural persons.
      Where available, at least the following information will be provided:
      • Description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
      • The name and contact details of the data protection officer or other contact point where more information can be obtained.
      • Description of the likely consequences of the personal data breach.
      • Description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
      Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
      It is the responsibility of the data processor to communicate the personal data breach to the data subjects concerned as soon as possible, when it is likely that the breach poses a high risk to the rights and freedoms of natural persons.
      This communication must be done in clear and plain language and must, at least:
      • Explain the nature of the data breach.
      • Indicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
      • Describe the likely consequences of the personal data breach.
      • Describe the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
    • Give support to the data controller in carrying out a data protection impact assessment, where appropriate.
    • Give support to the data controller in carrying out the prior consultations with the supervisory authority, where appropriate.
    • Make available to the data controller all the information necessary to demonstrate compliance with its obligations, and for audits or inspections carried out by the data controller or by another auditor authorised by it.
    • Carry out an assessment of the risks for the personal data posed by the processing that Lantek will carry out on behalf of the data controller and implement the appropriate technical and organisational security measures to guarantee a level of security appropriate to the risk.
      In all cases, mechanisms must be implemented to:
      • Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
      • Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
      • Regularly test, assess and evaluate the effectiveness of technical and organisational measures implemented to ensure the security of the processing.
      • Pseudonymise and encrypt personal data, whenever possible.
    • Designate a data protection officer and communicate their identity and contact information to the data controller.
    • End use of the data. Destroy the personal data and, where applicable, the media on which it is stored, once the provision of the service is over.
      However, if the data controller provides Lantek with personal data to carry out any customisation, resolve any technical incident or any other intervention, the latter will return it once it has been resolved.
      This is without prejudice to Lantek being able to keep a copy, with the data duly blocked, for as long as it is subject to obligations deriving from the provision of the service.

5. Obligations of the data controller: the Customer must:

  • Deliver the data referred to in section "2. Identification of the affected information" to the data processor.
  • Carry out a personal data protection impact assessment for the processing operations to be carried out by the data processor.
  • Carry out the corresponding prior consultations.
  • Ensure, prior to and throughout the processing, the data processor’s compliance with the GDPR.
  • Supervise the processing, including the carrying out of inspections and audits.