This is the data protection policy of GBS Estudio Legal. It refers to data processing in the exercise of its activities of legal Advice and Swervices, as a Law firm, in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016).
Who is responsible for the processing of personal data?
The party responsible for the processing of personal data is GBS Estudio Legal (hereinafter GBS), with CIF (Tax Identification Code) B62448154, headquartered at Carrer Doctor August Pi i Sunyer nº 12, 1, 7, Barcelona-08034, telephone number 934396845, e-mail firstname.lastname@example.org.
Who is the Data Protection Officer?
The Data Protection Officer (Delegado de Protección de Datos – DPD) is the person who supervises the data protection policy compliance of GBS, ensuring that personal data are properly treated and the rights of the people are protected. Among its functions, it should address any questions, suggestions, complaints or claims from people whose data are treated. You can contact the Data Protection Officer by writing to Carrer Doctor August Pi i Sunyer nº 12, 1, 7, Barcelona-08034, e-mail email@example.com.
Why do we process data?
At GBS we process personal data for the following purposes.
Answering the inquiries of people who contact us through the contact forms on our website. We only use them for this purpose.
Our telephone service for people who contact us through this mean. In order to offer more quality of service, our calls can be recorded. We warn anyone who communicates with us by telephone of such practice.
We receive CVs from persons interested in working with us and manage the personal data generated by their participation in our recruitment processes, in order to analyse the suitability of the candidates’ profile based on vacant or new positions. Our criterion is to maintain, for not more than one year, the data of people who are not hired, in case a new vacancy or a new post is created in the short term. However, in the latter case, we immediately delete the data if the interested party requests so.
We register new customers and additional data that may be generated as a result of the commercial relationship with customers. While contracting our services, sensitive information is requested, among which, banking info (current account or credit card number) that will be communicated to banking entities that manage our billing process (they can only be used for this purpose). The commercial relationship and the provision of services entails other treatments, such as incorporating data for accounting, billing or tax administration purposes. Hiring our products and services involves personal data processing in the sense indicated in this section.
Information about our legal services.
While there is a contractual relationship with its customers, GBS uses their contact data to communicate its own information, which may circumstantially include references to our services, whether they are general in nature or refer more specifically to the characteristics and needs of the customer.
Other information on legal services.
With the express authorization of our customers, once the contractual relationship is finalized, contact data is maintained in order to send advertising related to our services or products, general or specific information depending on the characteristics of the customer. This information is sent to those who, despite not being a customer, ask us or accept it by filling out our forms.
Management of data from our suppliers.
We record and process the data of the suppliers from whom we purchase services or goods. That can be data from people who work as freelancers as well as data from corporate representatives. We obtain sensitive data to maintain a commercial relationship; we only use it for this purpose and we make proper use of this relationship.
Our website users.
Other data channels.
We also obtain data through our relationships and other channels such as receiving emails or through our profiles on social networks. In all cases, this data is intended only for the express purposes that justify the data collection and treatment.
What is the legal legitimacy for our data treatment?
Our data processing has different legal purposes, depending on the nature of each treatment.
Compliance with a previous contractual relationship. The data of potential customers or suppliers with whom we have a relationship prior to the execution of a contract, such as the preparation or the study of budgets. In addition, the processing of data from people who have sent us their CVs or who participate in our recruitment processes.
Compliance with a contractual relationship. This is the case of relationships with our subscribers, customers and suppliers and all actions and uses that these relationships lead to.
Compliance with legal obligations. Data communications to the tax administration are established by regulations governing commercial relations. It may be the case of having to communicate data to administration and judicial authorities or to security agencies, also in compliance with legal norms that require collaboration with these public organisations.
Based on consent. When we send information about our products or services, we process the contact details of the recipients upon their authorisation or express consent. The browsing data we can obtain through cookies is obtained with the consent of the person who visits our website, which consent can be withdrawn at any time by uninstalling these cookies.
Legitimate interest. Our legitimate interest also justifies the processing of data that we obtain from contact forms.
Who is the data communicated to?
As a general requirement, we only communicate data to public administrations or authorities and always in compliance with legal obligations. Upon the issuance of invoices to customers, the data can be communicated to banking establishments. In case of managing the insurances ofour clients, we communicate their data to the insurance companies with which the contract is established. In cases justified by law, we will communicate the data to security agencies or to competent judicial authorities. Conversely, in case consent has been given, the data may be communicated to other companies for the purposes indicated above. Data transfers are not made outside the European Union (international transfer).
In another sense, for certain tasks we obtain the services of companies or people who bring us their experience and expertise. Sometimes these external companies must access personal data under our responsibility. In fact, this is not a data transfer but a commission for treatment. We only hire services from companies that can ensure compliance with data protection regulations. We execute confidentiality agreements with these companies and their actions are monitored. This may be the case of data storage services, IT support services or legal, accounting or tax advisory services.
How long do we keep the data for?
We comply with the legal obligation to limit the period of data preservation to a maximum. Hence, this data is only preserved for a strictly necessary time. In certain cases, such as the data that appears in accounting and billing documents, the tax regulations oblige us to preserve them until we have responsibilities in this matter. In the case of consent-based data of the person concerned, these data are preserved until such person withdraws consent. The images obtained by video surveillance cameras are kept for a maximum of one month, although in the case of incidents that justify it, they will be kept for the time necessary to facilitate the actions of the security agents or judicial authorities.
What rights do people have in relation to the data we process?
In accordance with the General Data Protection Regulation, the people, whose data we process, are entitled to:
Know if their data are processed. Anyone has the right to know if we process their data, regardless of whether there has been a prior relationship.
Be informed of the collection of their data. When personal data are obtained from any interested party, they must be clearly informed of the purposes to which they will be assigned, who will be responsible for the data processing and the other aspects arising from this treatment.
Access. A very comprehensive right that includes knowing accurately what personal data are being processed, what is the purpose for which they are treated, communications that will be made to other people (if applicable) or the right to obtain a copy or to know the estimated preservation period.
Request its rectification. They have the right to rectify inaccurate data that is subject to our treatment.
Request its deletion. In certain circumstances, any interested party can request the deletion of their data when, among other reasons, they are no longer necessary for the purposes for which they were collected and that justified the data treatment.
Request data processing limitation. In certain circumstances, the right to request data processing limitation is recognised. In this case, they will no longer be treated and will only be kept for the enforcement or defence of claims, in accordance with the General Data Protection Regulation.
Portability. In the cases provided for in the GDPR, the right to obtain personal data in a machine-readable format is recognised. They can only be transmitted to another data protection officer if the interested party decides so.
Object to data processing. A person can provide reasons related to their specific situation, reasons that will justify the non-processing of their data in case such processing may cause losses, except for legitimate reasons or the enforcement or defence of claims.
Non-receipt of commercial information. We will immediately stop sending commercial information to people who have previously given us such authorisation, in case they unsubscribe to our mailing lists.
How can rights be enforced or defended?
The rights that we have just described can be enforced by submitting a written request to GBS Estudio legal, Carrer Doctor August Pi i Sunyer nº 12, 1, 7, Barcelona-08034, or by e-mail to firstname.lastname@example.org , always indicating “Personal data protection”.
If a satisfactory response has not been given regarding the enforcement of rights, it is possible to file a claim with the Spanish Data Protection Agency, through the forms or other channels accessible from its website www.agpd.es.
In all cases, whether to submit claims, request clarifications or make suggestions, you can contact our Data Protection Officer by sending an email to email@example.com.