Introduction

This Privacy Policy has been developed in compliance with the provisions of the Organic Law on Personal Data Protection in force, as well as Regulation 2016/679 of the European Parliament and Council of April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data (hereinafter, the GDPR).

The purpose of this Privacy Policy is to inform data subjects whose personal data is being collected about specific aspects of how their data will be processed, including the purposes of the processing, contact information for exercising their rights, data retention periods, and security measures, among other things.

Data Controller

Regarding data protection, Crea un Huerto must be considered the Data Controller in relation to the files/processes identified in this policy, specifically in the section Data Processing.

The following details identify the owner of this website:

Data Controller: Crea un Huerto

Email Address: info@creaunhuerto.com

Data Processing

Personal data that may be requested will only include the information strictly necessary to identify and address the request made by the data subject (the “interested party”). This information will be processed in a fair, lawful, and transparent manner. Furthermore, the personal data will be collected for specific, legitimate purposes and will not be processed further in a manner incompatible with those purposes.

The data collected will be adequate, relevant, and not excessive in relation to the purposes for which it was collected and will be updated as necessary.

The data subject will be informed, prior to the collection of their data, about the general aspects regulated in this policy so that they can give their express, precise, and unequivocal consent to the processing of their data, according to the following details.

Purposes of Processing

The specific purposes for each data processing activity are outlined in the information clauses included in each data collection method (web forms, paper forms, recorded messages, signage, and information notices).

However, the personal data of the data subject will be processed exclusively for the purpose of providing an effective response and addressing the requests made by the user, as specified alongside the respective option, service, form, or data collection system used by the data subject.

Legitimacy

As a general rule, prior to processing personal data, Crea un Huerto obtains the express and unequivocal consent of the data subject, through the inclusion of informed consent clauses in the various data collection systems.

However, if the consent of the data subject is not required, the legal basis for the processing on which Crea un Huerto relies is the existence of a specific law or regulation that authorizes or requires the processing of the data subject’s personal data.

Recipients

As a general rule, Crea un Huerto does not share or communicate data to third parties, except where required by law. However, if necessary, such data transfers will be communicated to the data subject through the informed consent clauses included in the various data collection methods.

Source of Data

As a general rule, personal data is always collected directly from the data subject. However, in certain exceptions, data may be collected through third parties, entities, or services other than the data subject. In such cases, this will be communicated to the data subject through the informed consent clauses in the various data collection methods and within a reasonable time frame, once the data has been collected, and no later than one month.

Data Retention Periods

The information collected from the data subject will be retained as long as necessary to fulfill the purpose for which the personal data was collected. Once the purpose has been fulfilled, the data will be deleted. This deletion will result in the blocking of the data, which will only be kept available to public authorities, judges, and courts to attend to possible responsibilities arising from the processing, for the applicable statute of limitations period. After this period, the information will be destroyed.

For your reference, the following are the legal retention periods for various types of documents:

Document	Retention Period	Legal Reference
Labor-related or social security documents	4 years	Article 21 of Royal Legislative Decree 5/2000, August 4
Accounting and fiscal documents for commercial purposes	6 years	Article 30 of the Commercial Code
Accounting and fiscal documents for tax purposes	4 years	Articles 66-70 of the General Tax Law
Access control to buildings	1 month	Instruction 1/1996 of the AEPD
Video surveillance	1 month	Instruction 1/2006 of the AEPD, Organic Law 4/1997

Video surveillance

Regarding browsing data that may be processed through the website, in cases where data subject to regulations is collected, it is recommended to consult the Cookie Policy published on our website.

Rights of Data Subjects

Data protection regulations grant a series of rights to data subjects, users of the website, or users of the social media profiles of Crea un Huerto.

The rights available to data subjects are as follows:

• Right of Access: The right to obtain information on whether their data is being processed, the purpose of the processing, the categories of data processed, the recipients or categories of recipients, the retention period, and the source of the data.
• Right of Rectification: The right to rectify inaccurate or incomplete personal data.
• Right of Erasure: The right to request the deletion of data in the following cases:
  • When the data is no longer necessary for the purposes for which it was collected
  • When the data subject withdraws their consent
  • When the data subject objects to the processing
  • When it must be deleted to comply with a legal obligation
  • When the data was collected through a service based on Article 8(1) of the European Data Protection Regulation.
• Right to Object: The right to object to a specific processing activity based on the consent of the data subject.
• Right to Restriction: The right to restrict the processing of data when any of the following occurs:
  • When the data subject contests the accuracy of their personal data, for a period that allows the controller to verify the accuracy of the data.
  • When the processing is unlawful and the data subject objects to the deletion of the data.
  • When the controller no longer needs the data for its original purposes, but the data subject requires it for the formulation, exercise, or defense of claims.
  • When the data subject objects to the processing while it is verified whether the controller’s legitimate reasons outweigh the data subject’s interests.
• Right to Portability: The right to obtain the data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller when:
  • The processing is based on consent
  • The processing is carried out by automated means
• Right to Lodge a Complaint: The right to file a complaint with the competent supervisory authority.

Data subjects may exercise the above rights by writing to Crea un Huerto at the following address: info@creaunhuerto.com indicating the right they wish to exercise in the subject line.

Crea un Huerto will address the request as soon as possible and in accordance with the timeframes established by data protection regulations.

Security

Crea un Huerto implements the necessary security measures, in accordance with Article 32 of the GDPR. In this regard, taking into account the state of the technology, the application costs, the nature, scope, context, and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of individuals, Crea un Huerto has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the existing risk.

In any case, Crea un Huerto has established sufficient mechanisms to:

1. Ensure the confidentiality, integrity, availability, and resilience of processing systems and services.
2. Restore the availability and access to personal data quickly in the event of a physical or technical incident.
3. Regularly verify, evaluate, and assess the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
4. Pseudonymize and encrypt personal data, where applicable.