Privacy Policy Web

1. Basic information on data protection

2. Applicable regulations

This Privacy Policy is adapted to the Spanish and European regulations in force on personal data protection and information society services. In particular, it complies with the following regulations:

• Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data —GDPR—.
• Organic Law 3/2018, of 5 December, on Personal Data Protection and the guarantee of digital rights —LOPDGDD—.
• Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce —LSSI-CE—.

3. Data controller

The controller responsible for the processing of personal data collected through this website is:

• Corporate name: MUXUNAV S.L.
• Tax ID No.: B31975543
• Address: C/ Otxagain, 30, 31699 Olloki, Navarra
• Email address: info@muxunav.com
• Phone: 948 596 983
• Website: www.muxunav.com

4. Data Protection Officer

MUXUNAV S.L. has appointed a Data Protection Officer. Their details are:

• Data Protection Officer: Consulting & Strategy GFM S.L.
• DPO contact details: dpo@gfmservicios.com

Data subjects may contact the Data Protection Officer for matters related to the processing of their personal data, the exercise of rights or any question concerning this Privacy Policy.

5. Purposes of processing

The data controller shall process the data collected and managed through this website in order to facilitate and fulfil the commitments and services established through the website between the data controller and the user, as well as to maintain the relationship established through the forms completed by the user or to handle a request or enquiry.

In particular, data may be processed for the following purposes:

• to respond to enquiries made through forms, email, telephone or other contact channels;
• to manage requests for appointments, information, quotations, services or communications related to the activity of MUXUNAV S.L.;
• to facilitate and fulfil the commitments and services established through the website;
• to maintain the relationship established with the user, customer, supplier, collaborator or professional contact;
• to comply with legal, tax, accounting or administrative obligations or requirements from competent authorities;
• to maintain the security, availability and proper operation of the website;
• to manage, where applicable, authorised informational or commercial communications;
• to manage cookies, privacy preferences and, where applicable, measurement of website use in accordance with the Cookie Policy.

At the time personal data is obtained, the user shall be informed of the specific purpose or purposes of the processing for which the personal data will be used; that is, the use or uses that will be made of the information collected.

6. Record of processing activities and applicable principles

In accordance with the GDPR and the LOPDGDD, unless the exception provided for in Article 30.5 of the GDPR applies, MUXUNAV S.L. maintains a record of processing activities which specifies, according to their purposes, the processing activities carried out by the data controller and the other circumstances established in the GDPR.

The processing of personal data shall be subject to the following principles set out in the GDPR and the LOPDGDD:

• Principle of lawfulness, fairness and transparency: the user’s consent shall be required whenever necessary, after providing fully transparent information on the purposes for which the personal data is collected.
• Principle of purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes.
• Principle of data minimisation: the personal data collected shall be limited to what is strictly necessary in relation to the purposes for which it is processed.
• Principle of accuracy: personal data must be accurate and kept up to date at all times.
• Principle of storage limitation: personal data shall only be kept in a form that permits identification of the user for as long as necessary for the purposes of its processing.
• Principle of integrity and confidentiality: personal data shall be processed in a manner that ensures its security and confidentiality.
• Principle of accountability: the data controller shall be responsible for ensuring that the above principles are complied with.

7. Legal basis for processing

The processing of personal data shall be lawful, in accordance with Article 6 of the GDPR, on the following legal bases:

1. Consent of the data subject —Article 6.1.a of the GDPR—: for accepting processing activities whose purpose is not necessary for the operation of the website or for the provision of the requested services or enquiries made.
2. Performance of a contract —Article 6.1.b of the GDPR—: for processing activities related to the provision of a service or the contracting of a product or service.
3. Legitimate interest of the controller —Article 6.1.f of the GDPR—: for processing activities related to the operation of the website, as well as those arising from the development of the controller’s own activity.
4. Compliance with legal obligations —Article 6.1.c of the GDPR—: where processing is necessary to comply with legal obligations applicable to MUXUNAV S.L.

In cases where the processing of personal data is based on the consent of the data subject, the data controller undertakes to obtain free, express, voluntary and unequivocal consent. Likewise, the user shall have the right to withdraw their consent at any time and as easily as it was given. As a general rule, withdrawal of consent shall not affect the use of the website.

When the user must or may provide their data through forms to make enquiries, request information or for reasons related to the content of the website, they shall be informed where completion of any of them is mandatory because it is essential for the proper development of the operation carried out.

8. Categories of data, source and retention

The categories of data processed on this website are mainly identification and contact data. In certain cases, other personal data may be processed, such as date of birth or sex, where necessary for the corresponding purpose.

Through forms or contact channels, mainly identification and contact data are requested. In addition, due to the technical operation of the website, certain technical or browsing data may be processed.

• Identification data: name, surname or other data necessary to identify the person making contact.
• Contact data: phone number, email, address or other means voluntarily provided.
• Other personal data where applicable: date of birth, sex or other data necessary for the specific purpose of the processing.
• Data included in communications: information contained in forms, messages, requests, emails or communications sent by the user.
• Technical data: IP address, browser, device, operating system, access date and time, server logs and data necessary for the security and operation of the website.
• Browsing data: information obtained through cookies or similar technologies, where applicable and in accordance with the Cookie Policy.

Under no circumstances shall special categories of personal data be processed in accordance with Article 9 of the GDPR, unless a specific processing activity requires it and the consent of the data subject is obtained under the terms provided for by the applicable regulations.

Personal data processed through this website shall come from the data subject themselves or from their legal representative.

The personal data processed shall be retained for the legally established periods and, in any case, for as long as liabilities may arise for the data controller. In cases where the user has given their consent, the data shall be retained until they request erasure or withdraw such consent.

Specially protected data, unnecessary information or personal documentation that is not relevant to the enquiry, request or appointment made must not be sent. If unnecessary information is received, it may be deleted or processed only to the extent strictly necessary to manage the communication.

9. Mandatory nature of the data

Fields marked as mandatory in forms are necessary in order to handle the request, manage the communication, process an appointment or provide the requested service. If such data is not provided, MUXUNAV S.L. may not be able to respond correctly or process the request.

The user guarantees the authenticity and up-to-date nature of all data communicated and shall be solely responsible for any false or inaccurate statements made.

10. Recipients of personal data

Personal data processed on this website shall be shared with those persons and/or entities related to MUXUNAV S.L. that are necessary for the provision of the services offered through it, such as IT companies, banks and savings banks.

Likewise, data may be shared with law enforcement authorities and judicial authorities when required by them.

In addition, the following categories of recipients or providers may access personal data, to the extent necessary to provide their services:

• web hosting, technical maintenance and IT support providers;
• email and communications providers;
• form, website management, security, cookie or analytics tools;
• Data Protection Officer and privacy consulting services;
• tax advisers, administrative advisers, lawyers, consultants or other external professionals;
• financial institutions, where necessary for financial or contractual management;
• public administrations, courts, tribunals or competent bodies where there is a legal obligation.

Providers acting as processors must process the data in accordance with the instructions of MUXUNAV S.L., applying confidentiality, security and compliance guarantees in accordance with the applicable regulations.

11. International transfers

Some technology providers used by the website or by MUXUNAV S.L. may provide services through infrastructures located outside the European Economic Area or be linked to international groups.

Where international data transfers take place, they shall be carried out in accordance with the safeguards provided for by the applicable regulations, such as adequacy decisions, standard contractual clauses, supplementary measures or other legally valid mechanisms.

The data subject may request additional information about the safeguards applied by writing to info@muxunav.com or to the Data Protection Officer at dpo@gfmservicios.com.

12. Data relating to minors

In accordance with Articles 8 of the GDPR and 7 of the LOPDGDD, only persons over 14 years of age may lawfully give their consent to the processing of their personal data where the legal basis is consent.

If the person is under 14 years of age, the consent of their legal representatives shall be required for processing, and such processing shall only be considered lawful to the extent that those representatives have authorised it.

If MUXUNAV S.L. detects that it has received personal data from a minor without the necessary authorisation, it may proceed to delete it where appropriate.

13. Security measures and confidentiality

The data controller undertakes to adopt the necessary technical and organisational measures, according to the level of security appropriate to the risk of the data collected, so as to ensure the security of personal data and prevent the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to such data.

The website has an SSL —Secure Socket Layer— certificate, which ensures that personal data is transmitted securely and confidentially, as the transmission of data between the server and the user, and vice versa, is fully encrypted.

However, because the data controller cannot guarantee the invulnerability of the Internet or the total absence of hackers or other third parties fraudulently accessing personal data, MUXUNAV S.L. undertakes to notify the user without undue delay when a personal data breach occurs that is likely to result in a high risk to the rights and freedoms of natural persons.

In accordance with Article 4 of the GDPR, a personal data breach means any breach of security leading to the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or to the unauthorised disclosure of or access to such data.

Personal data shall be treated as confidential by the data controller, who undertakes to inform and ensure, by means of a legal or contractual obligation, that such confidentiality is respected by its employees, associates, collaborators, providers and any person to whom the information is made accessible.

14. Rights of data subjects

The user may exercise the following rights recognised in the GDPR and the LOPDGDD before the data controller:

• Right of access: the right to obtain confirmation as to whether or not the data controller is processing their personal data and, where this is the case, to obtain information about their specific personal data and the processing carried out or planned, as well as the source of such data and the recipients of the communications made or planned.
• Right to rectification: the right to have their personal data amended where it is inaccurate or, taking into account the purposes of processing, incomplete.
• Right to erasure or right to be forgotten: the right, provided that current legislation does not establish otherwise, to obtain the erasure of their personal data when it is no longer necessary for the purposes for which it was collected or processed; when the user has withdrawn their consent and the processing has no other legal basis; when they object to the processing and there is no overriding legitimate ground to continue; when the data has been unlawfully processed; when it must be erased to comply with a legal obligation; or when it has been obtained as a result of a direct offer of information society services to a person under 14 years of age.
• Right to restriction of processing: the right to restrict the processing of their personal data where they contest the accuracy of their data; the processing is unlawful; the controller no longer needs the personal data, but the user needs it for the establishment, exercise or defence of claims; or where they have objected to processing.
• Right to data portability: where processing is carried out by automated means, the right to receive from the data controller their personal data in a structured, commonly used and machine-readable format, and to transmit it to another controller. Whenever technically possible, the data controller shall transmit the data directly to that other controller.
• Right to object: the right to prevent the processing of their personal data from being carried out or to have such processing cease in the cases provided for by the applicable regulations.
• Right not to be subject to a decision based solely on automated processing, including profiling: the right not to be subject to an individual decision based solely on automated processing of their personal data, including profiling, unless current legislation establishes otherwise.

In addition to erasing the data, the data controller, taking into account the available technology and the cost of implementation, shall adopt reasonable measures to inform controllers that are processing the personal data of the request to erase any links to such personal data, where appropriate in accordance with the applicable regulations.

15. How to exercise your rights

The user may exercise their rights through the controller’s website, using the form enabled for this purpose, duly proving their identity.

They may also exercise their rights by sending a communication addressed to MUXUNAV S.L. through the following channels:

• Email: info@muxunav.com
• DPO: dpo@gfmservicios.com
• Postal address: C/ Otxagain, 30, 31699 Olloki, Navarra

The request must clearly indicate the right the person wishes to exercise and allow the applicant to be properly identified. Where necessary, MUXUNAV S.L. may request additional information to verify identity and prevent improper access to third-party data.

If their rights are not addressed or they consider that they have been infringed, they may send a communication to the Data Protection Officer of the data controller, as well as lodge a complaint with the competent supervisory authority.

16. Automated decision-making and profiling

MUXUNAV S.L. does not make decisions based solely on automated processing that produce legal effects concerning the data subject or similarly significantly affect them.

If processing of this kind were incorporated in the future, clear prior information would be provided and the safeguards required by data protection regulations would be applied.

17. Commercial communications

MUXUNAV S.L. shall not send unsolicited electronic commercial communications unless there is a valid legal basis, such as the prior consent of the data subject or a prior relationship under the terms permitted by the applicable regulations.

If informational or commercial communications are received, the recipient may request to unsubscribe or object to the processing through the means indicated in the communication itself or by writing to info@muxunav.com.

18. Complaints before the supervisory authority

If the data subject considers that the processing of their personal data does not comply with current regulations or that their rights have not been properly addressed, they may lodge a complaint with the competent supervisory authority.

The supervisory authority in Spain is the Spanish Data Protection Agency:
www.aepd.es.

19. Links to third-party websites

The website may include hyperlinks or links that allow access to websites of third parties other than the website owner and which, therefore, are not operated by MUXUNAV S.L.

The owners of such websites shall have their own data protection policies, cookie policies, legal terms and privacy practices, and shall in each case be responsible for their own files and privacy practices.

MUXUNAV S.L. shall not be liable for the content, privacy practices, security or terms applicable on third-party websites.

20. Cookies and similar technologies

The website may use technical cookies necessary for its operation and, if configured and accepted, analytics cookies, preference cookies or other similar technologies.

Complete information about cookies, purposes, providers, duration and how to configure or withdraw consent is set out in the Cookie Policy.

21. Acceptance and changes to this policy

The user must have read the conditions regarding personal data protection contained in this Privacy Policy, and must accept the processing of their personal data so that the data controller may proceed with it in the manner, for the periods and for the purposes indicated.

The data controller reserves the right to modify its Privacy Policy, according to its own criteria or as a result of a legislative, case-law or doctrinal change by the Spanish Data Protection Agency.

Changes or updates to this Privacy Policy shall not be explicitly notified to the user. Users are advised to consult this page periodically in order to keep informed of the latest changes or updates.

22. Privacy contact

For any questions about this Privacy Policy or about the processing of personal data, you may contact:

• MUXUNAV S.L.: info@muxunav.com
• Data Protection Officer: dpo@gfmservicios.com
• Phone: 948 596 983
• Address: C/ Otxagain, 30, 31699 Olloki, Navarra