Privacy policy

1. Data controller's identity

Data controller: NASERTIC (Navarra de Servicios y Tecnologías, S.A.U.)

Mailing address: C/ Orcoyen s/n, 31011, Pamplona (Navarra).

Tax ID No. (NIF): A31098064.

Phone: +34 848 420 500

Data Protection Delegate Contact: dpd@nasertic.es

2. Data processing

The information provided hereinbelow details the data processing included in this privacy policy, indicating both the legal basis of the General Data Protection Regulation (hereinafter, GDPR) and the specific retention period of the data (to which we must add the time necessary to comply with legal obligations and address the possible responsibilities that may arise for the Controller in relation to the fulfillment of the purpose for which the data was collected). In cases where a specific communication of data exists, it will be indicated in processing (without prejudice to the general ones indicated in the corresponding section 1.3). In the event that you are requested at any time to provide authorization for the processing of your data, for a purpose that requires your consent, the refusal to grant said authorization (or any subsequent withdrawal thereof) will not have consequences for you in any case. Nor will your opposition to the processing of your data for purposes based on legitimate interest (for example, the use of your data as a customer for the sending of commercial communications) have any kind of consequence.

1) Information requests or queries.

Processing and purpose: We will use your data to respond to your information requests, queries, or complaints, with the management and scope that they require, as well as for the preparation of service and/or collaboration proposals.

Legal basis: 6.1.a) GDPR. The data subject consented to the processing; 6.1.b) GDPR. The processing is necessary for the application, at the request of the interested party, of pre-contractual measures.

Origin: Data provided directly by the interested party through the contact channels enabled.

Groups: Web users, senders of messages received, potential customers, representatives of organizations.

Data types: Identifiers and contact details; where appropriate, professional data and the content of the query made.

Storage period: During the time necessary to attend and manage your request and/or claim.

2) Provision of services.

Processing and purpose: We will use your data to manage the services that you or the organization you represent have contracted with us, including administrative management and derivative collection, as well as any legal obligations that may apply.

Legal basis:6.1.b) GDPR. Processing is necessary for the performance of a contract to which the data subject is a party. 6.1.c) GDPR. Compliance with a legal obligation applicable to the Controller.

Origin: Data provided by the interested party or by the organization which the party represents within the framework of the contracting and execution of the service.

Groups: Customers and representatives.

Data types: Identifiers and contact details; professional data; administrative and, where appropriate, billing data.

Storage period: As long as the relationship and/or service lasts.

3) Classification based on the analysis of your browsing habits

Processing and purpose: We will process the data you generate as a result of your visit and/or interaction on our websites to classify you and present you with content of interest.

Legal basis: 6.1.a) GDPR. Express consent of the data subject.

Origin: Data generated by user navigation and, where appropriate, preferences

Groups: Web users.

Data types: Browsing data, behavior, and interests inferred according to cookie preferences.

Storage period: As long as you do not object and the Data Controller is entitled to process it.

Specific communications and transfers: Web analytics service called "Google Analytics" provided by Google (Google Ireland Limited): according to the terms and conditions of the provider, which involves international data transfers outside the EU economic area and, according to the provider's statement, they comply with the applicable legal framework through the Standard Contractual Clauses established by the European Commission.

4) Newsletter and commercial communications

Processing and purpose: When you request or consent, we will use your data to send you commercial communications about our services and measurement of the opening and links of the communication.

Legal basis: 6.1.a) GDPR. Express consent of the data subject.

Origin: Data provided by the interested party in the subscription form and, where appropriate, data derived from the communication activity.

Groups: Subscribers.

Data types: Identifiers and contact; potentially opening/activity metrics linked to the shipping solution.

Storage period: As long as you do not withdraw your consent and oppose the processing.

Specific communications and transfers: Mailchimp as a technological solution for sending and managing newsletters, which according to the report involves international transfer to the United States with formalization of Standard Contractual Clauses.

5) Manage your participation in visits and events.

Processing and purpose: If you want to register as a participant, we will process your data to manage your participation and register you. In the case of visits, both institutional or business visits are included, but also those organized by educational centers.

Legal basis: 6.1.b) GDPR. The processing is necessary for the execution of a contract in which the interested party participates (conditions of participation/registration).

Origin: Data provided by the person interested in registering, in visits organized by external entities (e.g. schools), data provided by the person responsible for the group, where appropriate.

Groups: Participants and visitors.

Data types: Identifiers and contact details; where appropriate, professional and logistical organization data strictly when necessary.

Storage period: As long as the contractual relationship remains in force and the Data Controller is authorized for processing.

Specific communications and transfers: To the facility's security services provider, to the extent necessary for the purpose of security and access control.

6) Image at events with public access

Processing and purpose: At events with public access, capturing and using your image to illustrate news or reviews about the event.

Legal basis: 6.1.a) GDPR. Express consent of the data subject.

Origin: Images obtained directly during the event.

Groups: Persons in attendance.

Data types: Image (and, where appropriate, voice).

Storage period: As long as you do not object to the processing of your data.

Specific communications and transfers: Publication and sharing in the Data Controller's corporate channels such as, for example, website, social networks, and newsletters.

7) HR – Job Board

Processing and purpose: If you sign up for an offer from the Data Controller and/or send us your CV, we will process your data to cover possible vacancies, collaborations, internships, or scholarships.

Legal basis: 6.1.a) GDPR. The data subject consented to the processing.

Origin: Data provided by the candidate via form or CV submission.

Groups: Applicants.

Data types: Identifiers and contact details, CV, training, professional experience.

Storage period: Two years.

Specific communications and transfers: CPEN for the management of applications.

8) HR – Applications selection process

Processing and purpose: When you apply for a specific position, your application will be analyzed with said position in mind and, where appropriate, if you fit the profile, we will contact you.

Legal basis: 6.1.b) GDPR. The processing is necessary for the application, at the request of the interested party, of pre-contractual measures.

Origin: Data provided by the candidate and data generated during the application process.

Groups: Applicants.

Data types: Identifiers and contact details, CV, evaluation data linked to the process.

Storage period: The time that the process lasts and an additional period until the extinction of any responsibility or obligation of the Data Controller.

Specific communications and transfers: CPEN for the management of applications and the selection process.

9) Video surveillance.

Processing and purpose: Safety of persons, property, and facilities.

Legal basis: 6.1.e) GDPR. Fulfillment of a mission in the public interest.

Origin: Images captured by the Data Controller's video surveillance systems.

Groups: Personnel, visitors, and third parties accessing the facilities.

Data types: Image.

Storage period: Maximum of one month.

Specific communications and transfers: The security company in charge of the security service.

10) Attention to the exercise of the rights of the interested parties.

Processing and purpose: If you exercise any of your rights, we will use the data you provide to evaluate your request and respond.

Legal basis: 6.1.c) GDPR. Compliance with a legal obligation applicable to the Data Controller, based on the rights recognized by the GDPR and by national regulations.

Origin: Data provided by the data subject when exercising the right and internal data essential for its processing.

Groups: Applicant stakeholders.

Data types: Identifiers and, where appropriate, data necessary to prove identity and manage the request.

Storage period: As long as it is necessary to attend to the exercise of rights communicated to the Data Controller.

11) Information systems (reporting channels).

Processing and purpose: Manage the procedure provided for by Law 2/2023 and the book-record of information received and internal investigations derived.

Legal basis: 6.1.c) GDPR. Legal obligation derived from Law 2/2023.

Origin: Data provided by the informant and data generated during the internal investigation.

Groups: Informants, affected persons, and, where appropriate, related third parties.

Data types: Identifiers if provided, information on reported facts and associated documentation.

Storage period: They will be kept for the time necessary to fulfill the purpose and to determine possible derived responsibilities.

Specific communications and transfers: To the supplier of the on-demand channel tool if the system was outsourced (not nominally detailed in the report).

3. Loan recipients. International data transfers.

Here are the situations for which it may be necessary to disclose your data to third parties:

Website hosting. The data hosted on our website will be communicated to the company that provides us with the web hosting service.
Microsoft 0365 and Teams – Mail, data hosting, and video conferencing services. These services are provided by Microsoft, for which a processing contract has been signed. Indicate that Microsoft is adhering to the "EU-US Data Privacy Framework (EU-US DPF)" that allows international data transfers.
CPEN Group: NASERTIC (Navarra de Servicios y Tecnologías, S.A.U.) is part of CORPORACIÓN PÚBLICA EMPRESARIAL DE NAVARRA, created under Law 8/2009, of June 18, Corporación Pública Empresarial de Navarra, S.L. (CPEN) on November 4, 2009, with the mission of being the single instrument for the planning and rationalization of a substantial part of the heritage of the Chartered Community of Navarra. In compliance with the applicable legal framework, data communications may be made within the group, both to CPEN and to other group organizations. You can access the list of companies that make up this group here.

Except as indicated in the previous paragraphs, with the exception of legal obligations, your data will not be communicated or transferred to any third party without your express consent. In any case, some communications and/or data transfers to third parties may be imposed by certain regulations or to meet obligations with government offices, the public prosecutor's office, and judges, courts, and state security forces and corps.

4. Rights

With regard to the personal data collected for processing, you have the possibility of exercising your rights of access, rectification, deletion, and portability. Likewise, in certain circumstances, you will have the right to request the limitation or opposition of the processing of your data, in which case the Data Controller will cease its processing and will only save it in the event that there is any regulatory obligation that imposes it or until the prescription of the actions that may occur. For any query or exercise of your rights, you can contact us through any of the contact channels indicated in the heading of this data protection policy in accordance with the provisions of the applicable regulations.

Finally, you may also address the supervisory authority when you consider it appropriate to lodge a claim (for example, in the country where you have your habitual residence, your place of work or in which you consider that the alleged infringement has occurred). For the appropriate purposes, we inform you that in Spain the supervisory authority is the Spanish Data Protection Agency, and you can exercise your rights through the forms that this entity has enabled for this purpose and that are available on its website. If you want more information about the aforementioned rights, we invite you to continue reading or visit the infographic prepared by the Spanish Data Protection Agency.