INDEX
1. Objective of the Privacy Policy
2. Definitions
3. Identity of the Data Controller
4. Applicable laws and regulations
5. Principles applicable to the processing of personal data
6. Data Processing activities carried out
7. Necessary and updated information
8 Personal data of minors
9. Technical and organizational security measures
10. Rights of interested parties
11. Claims before the Control Authority
12. Acceptance and changes to the Privacy Policy
1.- PURPOSE OF THE PRIVACY POLICY
The purpose of this “Privacy and Data Protection Policy” is to make known the conditions that govern the collection and
processing of personal data by GRUPO ALIMENTARIO COPESE SL. , making the maximum effort to ensure the
fundamental rights, honor and freedoms of the people whose personal data is processed, compliance with the regulations and
laws in force that regulate the Protection of Personal Data according to the European Union and the Spanish Member State and, specifically, those
expressed in the “Processing Activities” section of this Privacy Policy.
Therefore, in this Privacy and Data Protection Policy, users of the Website https://www.holafood.es/ are informed
of all the details of their interest regarding how these processes are carried out, for what purposes. , that other entities could
have access to your data and what the rights of users are.
2.- DEFINITIONS
« Personal data »: Any information about an identified or identifiable natural person (“the Website user”); An identifiable natural person is
any person whose identity can be determined, directly or indirectly, in particular by means of an
identifier, such as a name, an identification number, location data, an online identifier or one or more
elements specific to identity. physical, physiological, genetic, mental, economic, cultural or social of said person.
” Processing “: any operation or set of operations carried out on personal data or sets of personal data,
whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or
modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access,
collation or interconnection, limitation, deletion or destruction.
« Limitation of processing »: the marking of stored personal data in order to limit their processing in the
future.
” Profiling “: any form of automated processing of personal data consisting of using personal data
to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects relating to
professional performance, economic situation, health, personal preferences, interests , reliability, behavior, location or
movements of said natural person.
” Pseudonymization “: the processing of personal data in such a way that they can no longer be attributed to a data subject without the use of
additional information, provided that such additional information is kept separately and is subject to technical and organizational measures
to ensure that the personal data are not attribute to an identified or identifiable natural person.
” File “: any structured set of personal data, accessible according to specific criteria, whether centralized,
decentralized or distributed functionally or geographically.
” Controller ” or “controller” : the natural or legal person, public authority, service or other body that, alone
or jointly with others, determines the purposes and means of the processing; whether Union or Member State law determines the
purposes and means of processing, the controller or the specific criteria for its appointment may be established by
Union or Member State law.
« Processor » or « processor »: the natural or legal person, public authority, service or other body that processes
personal data on behalf of the controller.
« Recipient »: the natural or legal person, public authority, service or other body to which personal data is communicated,
whether or not it is a third party. However, public authorities that may receive personal data
in the framework of a specific investigation in accordance with Union or Member State law shall not be considered recipients; The processing of
such data by those public authorities shall be in accordance with the data protection rules applicable to the purposes of the
processing.
” Third party “: natural or legal person, public authority, service or body other than the data subject, the controller, the processor and persons authorized to process personal data under the direct authority of the
controller or processor.
” Consent of the interested party “: any free, specific, informed and unambiguous expression of will by which the interested party
accepts, whether by means of a declaration or a clear affirmative action, the processing of personal data concerning him or her.
“ Personal data security breach ” means any security breach resulting in the
accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication or access
to such data;
” Genetic data “: personal data relating to the inherited or acquired genetic characteristics of a natural person that
provide unique information about the physiology or health of that person, obtained in particular from the analysis of a
biological sample of that person.
« Biometric data »: personal data obtained from specific technical processing, relating to the physical,
physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of said person, such as
facial images or fingerprint data.
” Health-related data ” means personal data relating to the physical or mental health of a natural person, including the provision of
health care services, which reveal information about your health status.
” Principal establishment “: a) in the case of a controller with establishments in more than one
Member State, the place of its central administration in the Union, unless decisions on the purposes and means of processing are
made in another establishment of the controller in the Union and the latter establishment has the power to enforce such
decisions, in which case the establishment that has taken such decisions will be considered the main establishment; b) in the case
of a processor with establishments in more than one Member State, the place of its central administration in
the Union or, if this is not the case, the establishment of the processor in the Union in which the processing is carried out. main processing activities
in the context of the activities of an establishment of the processor to the extent that the processor is subject to
specific obligations under this Regulation.
” Representative ” means a natural or legal person established in the Union who, having been designated in writing by the controller or processor
in accordance with Article 27 of the GDPR, represents the controller or processor with regard to their
respective obligations in under this Regulation.
” Company “: a natural or legal person engaged in an economic activity, regardless of its legal form, including
companies or associations that regularly carry out an economic activity.
” Supervisory authority ” means the independent public authority established by a Member State in accordance with the provisions of
Article 51 of the GDPR. In the case of Spain it is the Spanish Data Protection Agency.
” Cross-border processing “: a) the processing of personal data carried out in the context of the activities of establishments
in more than one Member State of a controller or processor in the Union, if the controller or processor is
established in more than a Member State, or b) the processing of personal data carried out in the context of the activities of a
single establishment of a controller or processor in the Union, but which substantially affects or is likely
to substantially affect data subjects in more than one Member state.
” Information society service ” means any information society service, that is, any service provided
normally in exchange for remuneration, remotely, electronically and at the individual request of a recipient of services.
3.- IDENTITY OF THE CONTROLLER OF THE TREATMENT
The Controller of Data Processing is that natural or legal person, public or private in nature, or administrative body,
which alone or jointly with others determines the purposes and means of the processing of personal data; in the event that the purposes and
means of the processing are determined by the Law of the European Union or the Spanish Member State.
In the aspects expressed in this Privacy and Data Protection Policy, the identity and contact information of the
Data Controllers are:
COPESE FOOD GROUP SL. (B40275653)
Address: C/ Eduardo Capa Sacristan, 1- Polígono Industrial Las Salinas. 40480, Coca (Segovia), Spain
Contact: 921 586 335 – [email protected]
AGROPECUARIA ENTREPINOS, SL (B67910505)
Address: Eduardo Capa Sacristán, 3 Polígono Industrial Las Salinas. 40480, Coca (Segovia), Spain
Contact: 921586335 – [email protected]
COMERCIAL PECUARIA SEGOVIANA SL (B-40004210)
Address: Camino de la Moraleja, 5. 40480, Coca (Segovia), Spain
Contact: 921586335 – [email protected]
Eresma Elaborados SL (B10633394)
Address: C/ Eduardo Capa Sacristan, 1- Polígono Industrial Las Salinas.. 40480, Coca (Segovia), Spain
Contact: 921 586 335 – [email protected]
HOLA FOOD SL (B40277709)
Address: Paraje Largas del Cerrillo, s/n. 40150, Villacastin (Segovia), Spain
Contact: 921586335 – [email protected]
4.- APPLICABLE LAWS AND REGULATIONS
This Privacy and Data Protection Policy is developed based on the following data protection regulations and laws:
- Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of
natural persons with regard to the processing of personal data and the free circulation of these data. Hereinafter GDPR. - Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights. Hereinafter
LOPD/GDD. - Law 34/2002, of July 11, on Information Society Services and Electronic Commerce. Hereinafter LSSICE.
5.- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
The personal data collected and processed through this Website will be treated in accordance with the following principles:
- Principle of legality, loyalty and transparency: All personal data processing carried out through this Website will be lawful
and fair, being completely clear to the user when the personal data that concerns them are being collected, used, consulted or processed
. The information regarding the treatments carried out will be transmitted in advance, easily
accessible and easy to understand, in simple and clear language. - Purpose limitation principle: All data will be collected for specific, explicit and legitimate purposes, and will not
be subsequently processed in a manner incompatible with the purposes for which they were collected.
Data minimization principle: The data collected will be adequate, relevant and limited to what is necessary in relation
to the purposes for which they are processed. - Principle of accuracy : The data will be accurate and, if necessary, updated, taking all reasonable measures
to promptly delete or rectify personal data that are inaccurate with respect to the purposes for which they are
processed. - Principle of limitation of the conservation period : The data will be maintained in a way that allows the identification of the
interested parties for no longer than necessary for the purposes of the processing of personal data.
Principle of integrity and confidentiality: Data will be treated in a manner that ensures adequate security of
personal data, including protection against unauthorized or unlawful processing and against accidental loss or damage,
through the application of appropriate technical and organizational measures. - Principle of proactive responsibility: The entity that owns the Website will be responsible for compliance with the principles
set out in this section and will be able to demonstrate it.
6.- DATA PROCESSING ACTIVITIES
The data processing activities carried out through the website are detailed below, specifying each of the
following sections:
- Activity: Name of the data processing activity
- Purposes: Each of the uses and treatments carried out with the data collected
- Legal basis : The legal basis that legitimizes the processing of data
- Processed data: Typology of processed data
- Origin: Where the data is obtained from
- Retention : Period during which data is kept
- Recipients: Persons or third parties to whom the data is provided
- International transfers: Cross-border shipments of data outside the European Union
6.1 MAIN PROCESSING ACTIVITIES
These are those data processing activities whose purposes are necessary and essential for the provision of services
.
| COMPLAINTS CHANNEL | |
| Legal bases | (Art. 24 LOPD/GDD) Creation and maintenance of information systems for internal complaints and communication to legal entities; (Art. 27 LOPD/GDD) Data processing related to infractions and administrative sanctions carried out by competent legal bodies |
| Purposes | Management of the internal complaints channel; Management of the internal information channel in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and the free movement of these data and which repeals Directive 95/46/EC (General Data Protection Regulation), and Law 2/2023, of February 20, regulating the protection of people who report regulatory and combat infractions against corruption. |
Data categories and groups | Employees (Identifying data; Employment details) |
| Data provenance | The interested party himself or his legal representative |
| Recipient category | They are not planned |
| International transfer | They are not planned |
Conservation period | While the file remains in processing |
Security measures | Classification and confidentiality of information. The information received from the whistleblowing channel must be strictly confidential, respecting the anonymity of the whistleblower where appropriate. Confidentiality. that must operate in the facts, and confidentiality in the parties. The information must be classified according to the impact that its loss, dissemination, unauthorized access , destruction or alteration would cause, applying integrity and availability criteria. In this way, we can determine what information we should encrypt, who can use it, and who is responsible for its security. The Extraordinary Government Meeting JGEXT03/23 held on June 8, and as established by “Law 2/2023, of February 20, regulating the protection of people who report regulatory infractions and the fight against corruption, in its article 8 Responsible for the internal information system”, IT WAS AGREED that the Dean of the corporation will always be the person designated as RESPONSIBLE FOR THE INTERNAL INFORMATION SYSTEM |
6.2 OPTIONAL TREATMENT ACTIVITIES (if the user has marked their acceptance)
These are those personal data processing activities whose purposes are not essential for the provision of the service
and which are only carried out if the user has marked YES in the consent to carry out these activities.
| WEB PAGE | |
| Legal bases (Art. 6.1.a RGPD) | Consent of the interested party |
| Purposes. | Contact and commercial activities with clients; Cookies not necessary; Management and responses to queries received through the website contact form; Processing of personal data from the use of a website |
| Data categories and groups Web contacts | (Identifying data) |
| Data provenance | The interested party himself or his legal representative |
| Recipient category | They are not planned |
| International transfer | They are not planned |
| Conservation period | For a period of 1 year from the last confirmation of interest |
| COMMERCIAL COMMUNICATIONS | |
| Legal bases | Explicit consent of the interested party |
| Purposes | Marketing, advertising and commercial prospecting |
| Data categories and groups | (Identi|cative data). Suppliers (Identifying data). Potential ( Identi|cative data ) |
| Data provenance | The interested party himself or his legal representative |
| Recipient category | NUZOA SALUD ANIMAL SAU (CIF: A40024093); |
| International transfer | They are not planned |
| Conservation period | As long as its deletion is not requested by the interested party |
7.- NECESSARY AND UPDATED INFORMATION
All the fields that appear marked with an asterisk (*) in the Website forms will be mandatory to complete,
in such a way that the omission of any of them could make it impossible for you to be provided with the requested services or
information.
You must provide true information, so that the information provided is always up to date and does not contain errors, you must
inform the Data Controller as soon as possible of the modifications and rectifications of your personal data
that occur through by email to the address: [email protected].
Likewise, by “clicking” on the “I accept” button (or equivalent) incorporated in the aforementioned forms, you declare that the information and data
that you have provided in them are accurate and truthful, as well as that you understand and accept this Privacy Policy. Privacy.
8.- DATA OF MINORS
In compliance with the provisions of article 8 of the RGPD and article 7 of the LOPD/GDD, only those over 14 years of age
may grant their consent for the processing of their personal data in a manner lithic by GRUPO ALIMENTARIO COPESE SL. .
Therefore, minors under 14 years of age may not use the services available through the Website without the prior authorization
of their parents, guardians or legal representatives, who will be solely responsible for all acts carried out through the
Website by the minors. minors in their care, including the completion of the electronic forms with the personal data of
said minors and the marking, where appropriate, of the boxes that accompany them.
9.- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The Data Controller adopts the necessary organizational and technical measures to guarantee the security and privacy of
your data, prevent its alteration, loss, treatment or unauthorized access, depending on the state of the technology, the nature of
the data stored and the risks to which they are exposed.
Among others, the following measures stand out:
- Guarantee the permanent confidentiality, integrity, availability and resilience of treatment systems and services.
- Restore availability and access to personal data quickly, in the event of a physical or technical incident.
- Evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the
security of the treatment. - Verify.
- Pseudonymize and encrypt personal data, if it is sensitive data.
On the other hand, the Data Controller has made the decision to manage the information systems according to the
following principles:
- Principle of regulatory compliance: All information systems will comply with the regulations of legal
regulatory and sectoral application that affect the security of information, especially those related to the protection of
personal data, system security, data, communications and electronic services. - Risk management principle: Risks will be minimized to acceptable levels and a balance between
security controls and the nature of the information will be sought. Security objectives must be established, reviewed and consistent with
information security aspects. - Principle of awareness and training: Training, awareness programs and awareness campaigns will be articulated
for all users with access to information, regarding information security.
Principle of proportionality: The implementation of controls that mitigate asset security risks will be carried out
seeking a balance between security measures, nature and information and risk. - Principle of responsibility: All members of the Data Controller will be responsible for their conduct regarding
the security of the information, complying with the established standards and controls. - Principle of continuous improvement: The degree of effectiveness of the security controls implemented
in the organization will be reviewed on a recurring basis to increase the ability to adapt to the constant evolution of risk and the technological environment.
10.- RIGHTS OF INTERESTED PARTIES
The current data protection regulations protect the user with a series of rights in relation to the use given to their data.
Each and every one of such rights are individual and non-transferable, that is, they can only be exercised by the owner
of the data, after verification of his or her identity.
Below are the rights of users of the Website:
- Right of access: It is the right that the user of the Website has to obtain confirmation of whether
or not the Data Controller is processing their personal data and, if so, obtain information about their specific personal data
and the processing that the Data Controller of the Treatment carried out or carried out, as well as, among other things, the information
available on the origin of said data and the recipients of the communications made or provided for therein. - Right to rectification: This is the right that the user of the Website has to have their personal data modified that turns out to
be inaccurate or, taking into account the purposes of the treatment, incomplete. - Right to deletion: It is usually known as the “right to be forgotten”, and it is the right that the user of the Website has, provided that
current legislation does not establish otherwise, to obtain the deletion of their personal data when they are no longer
necessary for the users. purposes for which they were collected or processed; The User has withdrawn his or her consent to the treatment and
this does not have another legal basis; the User opposes the treatment and there is no other legitimate reason to continue with it
; the personal data have been processed unlawfully; The personal data have been obtained as a result of a
direct offer of information society services to a minor under 14 years of age. In addition to deleting the data, the Controller
, taking into account the available technology and the cost of its application, will adopt reasonable measures to inform
other possible controllers who are processing the personal data of the interested party’s request to delete
any link to those personal data. - Right to limit data: It is the right of the Website User to limit the processing of their personal data. The
User of the Website has the right to obtain the limitation of processing when he challenges the accuracy of his personal data;
the treatment is illicit; The Data Controller no longer needs the personal data, but the User needs it to
make claims; and when the Website User has opposed the treatment. - Right to data portability: In those cases where the processing is carried out by automated means, the
Website User will have the right to receive from the Data Controller their personal data in a structured,
commonly used and machine-readable format, and to transmit them to another person responsible for the treatment. Whenever technically possible, the
Data Controller will directly transmit the data to that other Data Controller. - Right to object: It is the User’s right to have their personal data not processed or to have
their processing stopped by the Data Controller. - Right not to be subject to automated decisions and/or profiling: The right of the Website User not to
be subject to an individualized decision based solely on the automated processing of their personal data, including
profiling, existing unless Current legislation establishes otherwise.
Right to revoke consent: It is the right of the Website User to withdraw, at any time, the consent
given for the processing of their data.
The user of the Website can exercise any of the aforementioned rights by contacting the Data Controller and prior
identification of the User using the following contact information:
- Responsible: GRUPO ALIMENTARIO COPESE SL.
- Address: C/ Eduardo Capa Sacristan, 1- Polígono Industrial Las Salinas. 40480, Coca (Segovia), Spain
- Telephone: 921 586 335
- E-mail: [email protected]
- Website: https://www.holafood.es/
11.- RIGHT TO COMPLAIN BEFORE THE CONTROL AUTHORITY
The user is informed of their right to file a claim with the Spanish Data Protection Agency if they consider that
a violation of data protection legislation has been committed with respect to the processing. of your personal data.
Contact information for the supervisory authority:
- Spanish Data Protection Agency
- Email: [email protected]
- Telephone: 912663517
- Website: https://www.aepd.es
- Address: C/. Jorge Juan, 6. 28001, Madrid (Madrid), Spain
12.- ACCEPTANCE AND CHANGES IN THE PRIVACY POLICY
It is necessary that the user of the Website has read and agrees with the data protection conditions contained in this
Privacy Policy, as well as accepts the processing of their personal data so that the Responsible for the Treatment can
proceed with it in the manner, deadlines and purposes indicated.
The Data Controller reserves the right to modify this Privacy Policy, according to its own criteria, or
motivated by a legislative, jurisprudential or doctrinal change of the Spanish Data Protection Agency. The changes or
updates made to this Privacy Policy that affect the purposes, conservation periods, transfers of data to
third parties, international data transfers, as well as any rights of the Website User, will be explicitly communicated
to the user.
