The terms under which we process your personal data are set out below:
Who is the data controller for your data?
- Identity: FUNDACIÓN TATIANA PÉREZ DE GUZMÁN EL BUENO with Tax ID number (CIF) G-86444346 (the Foundation), owner of the Palacio de los Golfines de Abajo.
- Address: Paseo General Martínez Campos 25, 28010, Madrid
- Telephone: (+34) 914 44 33 41
- Email: firstname.lastname@example.org
Why do we process your personal data?
We process the personal data you provide for the following purposes:
- To process requests for information, suggestions and complaints we receive from you using any of our forms of contact; to contact the sender of the information; and to respond to requests and queries and for subsequent monitoring. Providing data for this purpose is voluntary. However, failure to provide data will prevent us from responding to the request, query or complaint. Therefore, you will need to provide your personal data so we can deal with your requests.
- To send information, including using digital channels. We send such communications to inform users about the Foundation’s events, activities, invitations, conferences and presentations in relation to its activities and those of the Palacio de los Golfines. The authorisation is voluntary. Refusal would only result in the user not receiving marketing offers about our products or services.
- If you purchase tickets or products from our online store, data is processed to manage the customer relationship and for billing and collection for services. If you purchase tickets with discounts for being over 65, being a student or having a degree of disability, we may request documents to demonstrate compliance with these conditions, such as student cards, ID cards, etc. We do not store such information. This data must be supplied by our customers, as otherwise it will be impossible to fulfil the contract or purchase discounted tickets.
- To manage registrations for conferences, events, performances and other activities organised by the Foundation. Authorisation to process data for such purposes is voluntary. Refusal will only result in it being impossible to manage such registrations.
- If you become one of our friends or followers on social media, we will process your data to keep you informed about our activities and promotions through these channels. Providing data for this purpose is voluntary. However, if you do not do so, you cannot be a friend or follower on that social network. We process identification data for this purpose.
For how long will we process your data?
We will retain your data only for as long as is necessary: to fulfil the purpose for which it was collected; to comply with any legal obligations imposed on us; and to meet any liabilities arising from fulfilment of the purpose for which the data was collected.
Data for management of customer relationships and billing and payment for services will be kept for such purposes for as long as the contract remains in effect. Once the relationship ends, data may be retained for the time required under applicable legislation and until any liabilities deriving from the contract expire.
Data for sending marketing communications about our products and services will be retained indefinitely, until you ask us to delete them or tell us you wish to stop receiving such communications.
Data processed to deal with requests, queries and complaints will be retained for as long as necessary to deal with the issue, until it is considered closed. The data will then be kept as a record of the communication for a period of one year, unless you ask for them to be deleted at an earlier date.
The data processed to manage registration for conferences, events, performances and other activities organised by the Foundation will be retained for the duration of the activity. The data will then be kept as a record for a period of two years, unless you ask for them to be deleted before this.
Data submitted via social media will be stored for as long as you remain one of our friends or followers on the platform.
What is the legal basis for processing your data?
If you purchase tickets or products from our store, we will process your data on the legal basis of the contractual or pre-contractual relationship.
Prospective offers of products and services are based on the consent of the interested party. This consent can be revoked at any time. This will have no consequences other than you no longer receiving advertising. It does not affect any earlier data processing.
Processing of personal data for the purpose of responding to requests for information, enquiries and complaints is based on the consent of the data subject. You may withdraw this consent at any time without this affecting the legality of the processing previously carried out.
The legal basis for the processing of data used to manage registration for conferences, events, performances and other activities organised by the Foundation is the consent of the interested party. You may withdraw your consent at any time without this affecting the legality of earlier data processing.
The data provided via social media is processed on the legal basis of your consent, which you can withdraw at any time. This does not affect the legality of the processing previously carried out.
The categories of data processed are those requested in each case by the form or contract through which you provide us with your data, and those requested on access to our facilities to verify that you meet the special entry requirements for the purchase of discounted tickets.
Who will your data be passed on to?
Your data will be communicated to the following:
- Competent public administration bodies, including judges and courts, in the cases provided for in law and for the purposes defined therein.
- The financial entities responsible for administering collections and payments.
- Courier companies to manage product deliveries.
Third-party companies acting as our suppliers may have access to your data to provide their services, although no data transfers are involved in this. These suppliers have access to your data in accordance with our instructions and must not use them for any other purpose. They do so in the strictest confidence and on the basis of a contract in which they undertake to comply with the requirements of applicable data protection regulations.
What are your rights when you provide us with your data?
Everyone has the right to receive confirmation of whether we are processing personal data relating to them. Data subjects have the right of access to their personal data as well as the right to request the rectification of inaccurate data and, where appropriate, the erasure of such data in certain situations, e.g. when the data is no longer necessary for the purposes for which it was collected.
Under the conditions provided for in the General Data Protection Regulation, data subjects may request restriction of the processing of their data or its portability. In this case, we will only retain the data for the purpose of asserting or defending claims.
Data subjects may, in certain circumstances, object to the processing of their data for reasons relating to their particular situation. If you have given your consent for a specific purpose, you have the right to withdraw that consent at any time, without this affecting the legality of the processing based on your consent prior to its withdrawal. In such cases, we will stop processing the data or stop processing the data for that specific purpose, as applicable, unless there are overriding legitimate grounds or the data is needed for the purpose of asserting or defending claims.
Under data protection laws, you may object to decisions based solely on automated processing of your data.
Regarding such rights:
- There is no charge for exercising these rights, except in the case of demonstrably unfounded or unreasonable claims (e.g. those of a recurring nature), where a fee equal to the administrative costs incurred may be charged or action may be refused.
- Your rights can be exercised directly or through a legal representative or a volunteer.
- Your request must be answered within one month, although this may be extended by a further two months depending on the complexity of the issue and number of requests.
- We are obliged to inform you of the means of exercising these rights, which must be accessible. We must not deny you the right to exercise these rights simply because you have chosen another means. Unless you indicate otherwise, if the request is submitted electronically, the information will be provided electronically as far as possible.
- If, for whatever reason, your request is not acted upon, we will inform you within one month of the reasons for this and of the possibility of lodging a complaint with a supervisory authority.
Links to the application form for each of these rights are provided below to help you exercise these rights:
- Form for exercising the right of access
- Form for exercising the right of rectification
- Form for exercising the right of objection
- Form for exercising the right to erasure (“right to be forgotten”)
- Form for exercising the right to restriction of processing
- Form for exercising the right of portability
All of these rights may be exercised through the contact methods set out at the beginning of this clause.
You must prove your identity by attaching a photocopy or a scanned copy of your identity card (DNI) or an equivalent document, or a document certifying the representation if the right is exercised by a representative.
In the event of any breach of your rights, particularly if you have not obtained satisfaction in the exercise of your rights, you may lodge a complaint with the Spanish Data Protection Authority (contact details at www.aepd.es) or any other competent supervisory authority. You can also contact these agencies to learn more about your rights.
How do we protect your personal data?
We are committed to protecting the personal data we process. We use reliable and effective physical, organisational and technical measures, controls and procedures to maintain the integrity and security of your data and to protect your privacy.
All employees with access to personal data have received training and are aware of their responsibilities in connection with the processing of your data.
Our contracts with our suppliers include clauses obliging them to maintain the confidentiality of the personal data to which they have access in the context of the contract and to implement the necessary technical and organisational security measures to ensure the confidentiality, integrity, availability and long-term resilience of the systems and services for processing personal data.
All of these security measures are examined on a regular basis to verify that they are adequate and effective.
However, absolute security cannot be guaranteed and no security system is impenetrable. Therefore, if information in our possession and control is compromised as a result of a security breach, we will take appropriate steps to investigate the incident, notify the supervisory authority and, if necessary, inform users who may have been affected so that they can take appropriate action.
What is your responsibility as the data subject?
By providing us with personal information, the person doing so warrants that they are over 14 years of age and that the information provided is true, accurate, complete and up to date.
For these purposes, the data subject is responsible for the accuracy of the data and must keep it up to date so that it corresponds to their current situation. They shall be liable for any incorrect or inaccurate data they provide and for any damage that may arise directly or indirectly as a result.
If you provide data for third parties, you assume responsibility for informing them in advance of all the provisions of Article 14 of the General Data Protection Regulation under the conditions laid down in that provision.