We will process your personal data in order to guarantee an optimum level of compliance with the legal obligations in force, to which UNE is subject, as well as to cooperate with legal or administrative authorities when necessary.
3. DATA WE PROCESS
By way of a non-limiting example, the data processed by AENOR within the framework of the relationship with the data subject and determined by the purposes for which consent has been given are included in the following categories:
- Private contact and identity data. (Name and surname, address, email, landline or mobile phone number, national ID document number or similar document, IP address).
- Data relating to employment and the organisation. (company, department, position, responsibilities, functions).
- Data relating to professional and training circumstances (career, position data, employment period, tasks, activities, studies, qualifications and assessments).
- Economic data for invoicing management (bank account).
- Data on consumption habits.
- Allergy data and other health-related data.
- Data relating to photos and videos featuring personal images. When attending activities and events organised by UNE, the data subject may be photographed or recorded on video. Said photographs and videos are used by UNE to report on these events, and have no commercial purposes whatsoever.
4. CONSERVATION OF THE DATA
In compliance with the principle of limiting the storage period, data collected will be processed solely and exclusively for the necessary time and for the purposes for which it was collected at any given time. Data storage will be deemed justified when:
- A legal and/or administrative standard requires that the data be stored for a specific period.
- It is necessary to satisfy the contractual relationship.
- The data will be used for archival and/or statistical purposes.
- It could cause damage to the legitimate interests of the data holder or third parties.
- It is necessary to guarantee the traceability and tracking of a client's certificate.
- The storage period is specifically defined in the certification scheme subject to audit.
- Due to the scheme, regulatory and legal compliance aspects are audited, with the storage period being specified in the reference legislation.
- It is necessary to certify AENOR's compliance with the requirements of UNE EN-ISO 17021-1, which are applicable to organisations that audit and certify management systems.
- The data and documentation serve as a supporting document for an activity or service rendered, during the limitation periods of civil, criminal, administrative or other actions that may arise from the activity or service provided. In this case, AENOR will keep the data blocked until the storage deadline expires.
- A longer storage period has been agreed upon by the interested parties.
5. CATEGORIES OF RECIPIENTS
Needed to provide the service
AENOR may occasionally use trusted service providers, who may have access to personal data to provide the engaged services. Personal data may also to communicated to banks as necessary in order to provide, invoice and collect payment for services.
Communication of data between AENOR group companies and the SPANISH ASSOCIATION FOR STANDARDISATION (UNE)
Communications between group companies will be based on the legitimate interest of AENOR.
Compliance with a legal obligation
AENOR may also communicate your personal information to third parties that have been duly authorised by law in order to comply with legislation or at the request of an administrative or judicial authority.
A Customer's personal data will only be shared with third parties if the data subject has been notified and given their express consent to share said information.
6.INTERNATIONAL DATA TRANSFERS
Occasionally, personal data may be transferred, stored and processed in a country that does not provide an adequate level of protection of personal data under European Union legislation.
AENOR always verifies the existence of adequate guarantees in accordance with the applicable legal requirements in order to ensure that private data is adequately protected, whether based on the standard contractual clauses approved by the European Commission, or through its relationship with suppliers that have approved Binding Corporate Standards pursuant to Article 47 of the GDPR.
7. HOW DO WE PROTECT YOUR PERSONAL DATA?
AENOR is committed to keeping your Personal Data secure, and takes all reasonable precautions to do so. We implement all the necessary technical and organizational measures in accordance with this Personal Data Protection Policy and applicable laws and regulations to protect your Personal Data against unauthorized access, modification or disclosure. We demand and contractually oblige our service providers and collaborators to apply a level of security suitable for proper data protection.
8. RIGHTS OF THE DATA SUBJECT
In accordance with applicable regulations, AENOR informs the customer or user that they have the following rights under the applicable regulations:
Access: this enables the data owner to obtain confirmation of whether or not AENOR is processing personal data that concerns them and, if it is, to obtain a copy of the personal data being processed.
Correction: this allows you to correct errors and amend data if it is inaccurate or incomplete.
Deletion: this means that data can be deleted and no longer processed by AENOR, unless there is a legal obligation to retain it and/or other legitimate reasons for AENOR to process it. For example, if personal data is no longer needed for the purposes for which it was collected, the customer may request that we delete this data without undue delay.
Limitation: under the conditions established by law, this allows data processing to be halted in such a way that it cannot be processed in the future by AENOR, which will only keep it to file or defend claims.
Objection: under certain circumstances and for reasons related to their specific situation, data subjects may object to their data being processed. Thereafter, AENOR will no longer process data, unless required to do so for overriding legal reasons or to file or defend potential claims. Similarly, the interested party is entitled not to be subject to decisions based solely on automated processing, including profiling, which has legal effects on the subject or similar significant effects thereon.
Portability: this enables the data subject to receive their personal data in a structured, commonly-used, machine-readable format and to send it directly to another data controller.
AENOR guarantees that the measures needed to ensure that these rights can be exercised will be adopted free of charge, In order to exercise said rights, you need to identify yourselfproperly and communicate with us via the following channels:
- By sending an email containing the information indicated in the previous section to the following address: :
- By sending a letter indicating which right they wish to access to: C/Génova nº6, 28004 Madrid, for the attention of the AENOR Legal Advisory Department.
Similarly, and especially when the data subject believes that they have not been able to exercise their rights to their full satisfaction, they may file a complaint with the supervisory authority in their country.
The supervisory authorities of the European countries where AENOR operates are:
Agencia Española de Protección de Datos [Spanish Data Protection Authority]
Garante per la protezione dei dati personali
Comissão Nacional de Potecção de Dados
ADDITIONAL DATA PROTECTION INFORMATION ON TEMPORARY TEMPERATURE CHECKS WHEN ACCESSING AENOR FACILITIES
AENOR makes available to its customers, suppliers, collaborators and employees, in a clear and understandable format, all the additional data protection information regarding temporary temperature checks when accessing its facilities and work centres (hereinafter, "Additional Information").
This Additional Information will always be available to data subjects for as long as AENOR conducts temperature checks at the entrances to its facilities. For any questions or comments about this Additional Information, please contact our Data Protection Officer by email at firstname.lastname@example.org email@example.com.
HOW IS THE DATA ON TEMPERATURE CHECKS PROCESSED?
The main purpose of implementing temporary temperature checks at the entrances to AENOR's facilities is to take the appropriate protection measures to allow, or, where applicable, deny access to people who have a fever (this being one of the main symptoms of individuals who are infected with COVID-19), in order to prevent the spread of the pandemic and to protect the health of both AENOR staff and collaborators, and its clients and vendors.
In order to guarantee the privacy and data protection rights of all its employees, collaborators, clients and vendors, AENOR will not collect any personal data during the temperature checks, regardless of the result of the body temperature reading. Therefore, in no case will AENOR store, record or retain any personal information as a result of the temperature checks that are administered at the entry points to AENOR's facilities and work centres.
CHANGES TO THIS ADDITIONAL INFORMATION
This Additional Information may vary over time due to possible changes in the criteria followed by the supervisory authority responsible for data protection matters. AENOR thus reserves the right to edit this Additional Information in order to adapt it to these criteria, as well as to new health measures or laws.
Madrid, 18 August 2020.