PRIVACY POLICY
The Privacy Policy forms part of the Legal Notice governing the website: www.surgival.com, together with the Cookie Policy.
The website www.surgival.com is owned by Surgival Co., S.A.U. and complies with the requirements of Law 34/2002 of 11 July on Information Society Services and Electronic Commerce, and current regulations on the protection of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Surgival Co., S.A.U. reserves the right to amend or adapt this Privacy Policy at any time. We therefore recommend that you review it each time you access the Website. If you have registered on the Website and access your account or profile, you will be informed upon access should there have been any substantial changes regarding the processing of your personal data.
Who is the DATA CONTROLLER?
Any data collected or voluntarily provided to us via the Website – whether through browsing the site or via contact forms, email or telephone – will be collected and processed by the Data Controller, whose details are set out below:
| Company Name: | Surgival Co. S.A.U. |
| CIF (Company Registration Number): | A46272712 |
| Postal Adress: | Parque tecnológico de Paterna, C/Leonardo Da Vinci, 12-14. 46980. Paterna (Valencia) |
| Phone: | +34 96 131 80 50 |
| Email: | surgival@surgival.com |
| URL: | www.surgival.com |
| Commercial Register: | VALENCIA |
If, for any reason, you wish to contact us regarding any matter relating to the processing of your personal data or privacy (via our Data Protection Officer), you may do so using any of the methods listed above.
When, why, who, how, for what purpose and for how long do we process your personal data?
When and why?
You can browse most of our web pages without providing any personal information, but in some cases this information is necessary to provide you with the electronic services you request.
If we need to collect personal data to provide the service, we will process the information in accordance with the policy set out in this document and the specific terms and conditions of the service in question (if any), which contain specific privacy statements regarding the use of the data and inform you of why, for what purpose, how, for how long we process your personal data and what security measures we implement.
Who collects your data?
The collection and processing of any personal data you may provide to us is carried out by our organisation or, where applicable, by its data processors. In the latter case, these processors are third parties who are contractually required to ensure their activities comply with the law and to implement appropriate security measures to protect such data.
Why?
The personal data we request from you, or which you provide whilst browsing our website, is used to manage, provide and improve the services you have requested.
For example, we will process your personal data to manage enquiries you send us, to manage your participation in recruitment processes, to send you electronic communications if you request them, and/or to compile statistics.
In this regard, we ask for your email address when you use our contact forms on the website. We only collect the sender’s personal data necessary to reply to you.
When you subscribe to our newsletters, we also ask for your email address so that we can provide the service; in any case, you can unsubscribe from the service whenever you wish, and we provide the means for you to do so.
How do we process your data?
We collect personal information only to the extent necessary to achieve a specific purpose. The information will not be used for any purpose incompatible with that described.
We only disclose information to third parties if it is necessary to fulfil the purpose of the service and only to those who need to know it. All this is done so that we can provide the service whilst treating your personal data with confidentiality and discretion, in accordance with current legislation.
In all cases, our organisation implements security measures to protect data against potential misuse or unauthorised access, alteration or loss.
How long do we keep your data?
We keep the data only for as long as is necessary to fulfil the purpose for which it was collected or for its subsequent processing. The data retention period will depend on the service, and the duration of the processing of personal data will be indicated for each service.
At the end of this document, we provide a table setting out the specific retention periods.
For what purposes will we process your personal data?
– Customers:
We process your personal data for the purposes of (i) managing your purchase or the service provided; (ii) maintaining the contractual and pre-contractual relationship for invoicing, preparing quotes and following up on them, as well as sending you information by electronic means regarding your enquiry; (iii) sending commercial communications by electronic means that may be of interest to you, provided that express authorisation has been given; (iv) we may create a commercial profile based on the information you provide in order to offer you products and services in line with your interests. No automated decisions will be made based on this profile.
– Suppliers:
We process your personal data for the purposes of (i) invoicing, (ii) maintaining business contact, and (iii) sending you information via electronic means about our products or services.
– Website or email contacts:
We process your personal data for the purposes of (i) responding to your enquiries and requests; (ii) managing the requested service or processing your order; (iii) sending you commercial information by electronic means that may be of interest to you, provided that express authorisation has been given; (iv) we may create a commercial profile based on the information you provide us with in order to offer you products and services in line with your interests. No automated decisions will be made based on this profile.
– Social media contacts:
We process your personal data for the purpose of (i) responding to your enquiries and requests, (ii) managing the requested service, responding to your request or processing your order, and (iii) interacting with you and building a community of followers.
– Job applicants:
We process your personal data for the purpose of (i) including you in recruitment selection processes, (ii) inviting you to job interviews and assessing your application, (iii) sharing your CV with group companies, partners or related entities for the sole purpose of involving you in their selection processes, provided you have given us your consent.
– Participants in our competitions
We process your personal data for the purpose of managing your participation in the competitions we organise, as well as publicising the competition winners and the awards ceremony.
Winners may be photographed or filmed and their images may be published in any media, on our website or in other media. Consequently, participants’ images may be captured, recorded and/or reproduced as an incidental part of the main activity.
– Website users:
When you browse our website, we collect information about your browser, your device and details of your use of our website, as well as any information you provide to us whilst using our website. We may record your IP address (the device’s internet access identification number, which enables devices, systems and servers to recognise and communicate with one another) in an anonymised or aggregated form.
The purpose of processing is (i) to gain practical insight into how users use our website so that we can improve it; (ii) to carry out statistical analyses to help us improve our business strategy; (iii) to perform website performance analytics; and (iv) for technical security and system diagnostics.
The data we collect is not linked to a specific user and will be stored in our databases.
The aforementioned data, as well as any personal data you may provide, is stored via cookies collected in a pseudonymised format and is subject to the right to object to the processing of this personal data, as detailed in the Cookie Policy.
You can consult the Cookie Policy in the relevant section.
Your browsing information may be stored via Google Analytics; therefore, we refer you to Google’s Privacy Policy, as Google collects and processes such information. http://www.google.com/intl/en/policies/privacy/
Similarly, our website may provide access to the Google Maps service, which may have access to your location, provided you allow it, in order to provide you with more specific information regarding the distance and/or routes to our offices. In this regard, we refer you to the privacy policy used by Google Maps to understand the use and processing of such data: http://www.google.com/intl/en/policies/privacy/
In order to provide information or services of interest based on the User’s location, we may access data relating to the geolocation of the User’s device in cases where the User’s settings for this purpose allow it.
The Portal may offer features for sharing content via third-party applications, such as Facebook or Twitter. These applications may collect and process information relating to the User’s browsing activity on various websites. Any personal information collected through these applications may be used by third-party users of the same. Your interactions are subject to the privacy policies of the companies providing the applications.
The Portal may host blogs, forums, and other social media applications or services for the purpose of facilitating the exchange of knowledge and content. Any personal information provided by the user may be shared with other users of that service, over whom we have no control.
– CCTV:
We would also like to inform you that we have a CCTV system in place, the purpose of which is to ensure the safety of people, property and premises. Current legislation permits the processing of personal data on the basis of legitimate interest; therefore, your image may be recorded simply by entering our premises.
This data may be disclosed to the State Security Forces and bodies should it be necessary. The images will be retained for a maximum period of one (1) month from the date of capture.
What is the legal basis for processing your data?
– Customers:
The legal basis for processing your data is (i) the performance of a contract and the maintenance of the contractual relationship, and (ii) your consent, which is requested for the sending of product and service offers via electronic means; under no circumstances will the withdrawal of this consent affect the performance of the contract.
– Suppliers:
The legal basis for the processing of your data is (i) the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures.
– Website or email contacts:
The legal basis for the processing of your data is (i) the data subject’s consent.
In cases where a form must be completed and the ‘send’ button clicked to make a request, doing so will necessarily imply that you have been informed and have expressly consented to the content of the clause attached to that form or accepted the privacy policy.
All our forms include a tick box that must be ticked to access the services offered.
The purposes of the processing will be as follows:
a) To manage enquiries or requests for information that you send us via the Website, email or telephone.
b) To send communications, special promotions, news or offers that may be of interest to you or that you request, including via electronic means. As this is a secondary purpose to the main one, you must tick the box provided for this purpose.
The personal data you provide to us in this way will not be disclosed to third parties; Surgival Co., S.A.U. will respond directly to this type of enquiry.
– Social media contacts:
The legal basis for the processing of your data is your acceptance of the contractual relationship with the relevant social media provider, as expressed when you register on their platform and in accordance with their privacy policies, which are external to us.
– Work with us:
Should you provide us with your CV, whether via the Website, email or in person at the registered office or any branch of Surgival Co., S.A.U., we will incorporate it into our database. The CV will be stored for a period of 1 year, after which, if we have not contacted you, it will be deleted.
The legal basis for the processing is the express consent given by the data subject for the processing of the data contained in the CV when submitting it and ticking the box provided for that purpose.
The purpose of the processing is to include you in current and future recruitment processes at Surgival Co., S.A.U. or any entity belonging to the business group.
In the event that the data subject is ultimately hired as an employee by Surgival Co., S.A.U. or any of the entities belonging to the business group, their data will be incorporated into a database owned by the company, for the purpose of internally managing the employee-employer relationship.
– Newsletter Subscription:
The Website offers the option to subscribe to the Surgival Co., S.A.U. newsletter. To do so, you must provide us with an email address to which the newsletter will be sent.
This information will be stored in a database belonging to Surgival Co., S.A.U., where it will remain until the data subject requests to unsubscribe or, where applicable, Surgival Co., S.A.U. ceases to send the newsletter.
The legal basis for the processing of this personal data is the express consent given by all interested parties who subscribe to this service by ticking the box provided for that purpose.
Email data will be processed and stored solely for the purpose of managing the sending of the newsletter to users who request it.
– Participants in our contests
The legal basis for the processing of your data is your consent when you enter the contest and accept the privacy policy and the contest rules.
The personal data collected will not be disclosed to third parties.
– Website users:
The legal basis for processing your data is our (i) legitimate interest in understanding how our users navigate the site so that we can tailor our content to their interests and improve our relationship with them; as well as (ii) your consent by browsing our website and accepting the terms of use regarding cookies.
To whom will your data be communicated?
Your data will not be disclosed to third parties outside the scope of the service we provide, unless required by law. Specifically, it will be communicated to the Spanish Tax Agency and to banks and financial institutions for the purpose of collecting payment for the service provided or product purchased.
Your data may also be shared with our service providers where necessary for the performance of the contract. In such cases, the data processor has contractually undertaken to use the data solely for the purpose justifying the processing and to maintain appropriate security measures.
What security measures do we apply?
You can rest assured that we have adopted appropriate technical and organisational measures to guarantee the confidentiality, integrity and availability of your personal data during processing, specifically those that prevent the loss, misuse, alteration, unauthorised access and theft of personal data.
What are your rights when you provide us with your data?
You may exercise your rights of access, rectification, erasure, portability, restriction or objection to the processing of your data, including the right to withdraw your consent, as detailed below:
Right of access: You may ask us whether we are processing your data and how.
Right to rectification: You may ask us to update your personal data if it is incorrect, and to delete it if you wish.
Right to restriction of processing: In this case, we will only retain your data for the purpose of exercising or defending legal claims.
Right to object: Following your request to object to the processing, we will cease processing your data in the manner you specify, unless there are compelling legitimate grounds or the processing is necessary for the exercise or defence of potential legal claims.
Right to data portability: Should you wish for your data to be processed by another company, we will facilitate the transfer of your data to the new data controller.
Right to erasure: You may request that we delete your data when it is no longer necessary for processing, you withdraw your consent, the processing is unlawful, or there is a legal obligation to do so. We will assess the case and apply the law.
If you require further information regarding your rights under the law and how to exercise them, we recommend that you contact the Spanish Data Protection Agency, which is the supervisory authority for data protection matters.
You may contact the Data Protection Officer prior to lodging a complaint against the data controller with the Spanish Data Protection Agency.
Should we fail to address the exercise of your rights, you may lodge a complaint with the Spanish Data Protection Agency.
We have forms available for the exercise of rights, which can be requested via the email address mentioned above; you may also use those provided by the Spanish Data Protection Agency or by third parties. These forms must be electronically signed or accompanied by a photocopy of your ID card. If you act through a representative, the request must similarly be accompanied by a copy of their ID card or an electronic signature.
The forms must be submitted in person or sent by post or email to the addresses listed in the “Data Controller” section.
The maximum time limit for a response is one month from receipt of your request.
How long will we retain your data?
Personal data will be retained for as long as you remain connected with us.
Once this relationship ends, the personal data processed for each of the stated purposes will be retained for the periods provided for by law. Where no such legal period exists, the data will be retained until the data subject requests its erasure or revokes the consent given, or for the period during which a judge or court may require it, taking into account the limitation period for legal proceedings.
For each type of data processing, we provide a specific period, which you can consult in the table below:
· Customers:
| Invoices |
4 years (limitation period), Article 66 of Law 58/2003, the General Tax Law. 10 years (limitation period), Law 34/2015 of 21 September, partially amending Law 58/2003, General Tax Law (Art. 66 bis). Administrative checks and investigations. |
| Contracts | 5 years |
|
Documents and records of tax significance |
General Tax Law, Articles 66 to 70 4 previous financial years |
|
Obligated parties under the Money Laundering Prevention Act, documentation proving compliance with MLP obligations |
Law 10/2010, Article 25 10 years |
· Human Resources:
| Payroll records, TC1, TC2, etc. | 10 years (Organic Law 7/2012) |
| CVs |
Until the end of the recruitment process, and for up to a further year unless the data subject withdraws their consent or requests erasure. |
|
Documents relating to severance pay. Contracts. Data on temporary workers. Employee file. |
Law on Offences and Penalties in the Social Order (RD 8/2000): Art. 21 4 years |
|
Daily record of working hours. |
RD Law 8/2019 4 years |
|
Documentation or computer records proving compliance with occupational health and safety regulations. Documentation required for the obligation to pay Social Security contributions. |
RDL 5/2000 Art. 4 5 years |
|
Digital tachograph: transfers and copies of data stored in the memory. |
Royal Decree 125/2017 of 24 February. 1 year |
· Marketing:
| Databases or website visitors. | For the duration of the processing |
· Access control and video surveillance:
|
Visitor registration |
AEPD Instruction 1/1996 |
|
Video surveillance. In the case of an educational establishment. (Installation in common areas of the school for the protection of minors). |
Art. 22.3 Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights 30 days AEPD Legal Report 475/2014 10 days |
· Accounting:
|
Accounting books and documents. Shareholders’ and board of directors’ resolutions, company articles of association, minutes, rules of procedure of the board of directors and delegated committees. Financial statements, audit reports. Registers and documents relating to grants. |
Commercial Code, Art. 30: 6 years |
· Tax:
|
Limitation period for the verification of tax bases and deductions. |
10 years, Law 34/2015 of 21 September, partially amending Law 58/2003, the General Tax Law (Art. 66bis) |
|
Accounting books and other mandatory records (personal income tax, VAT, corporation tax, etc.), as well as the supporting documents justifying the entries recorded in the books. Management of the company’s administration, rights and obligations relating to the payment of taxes. Administration of dividend payments and tax withholdings. |
4 years, Articles 66 to 70, General Tax Law |
· Health and safety:
|
Employees’ medical records. |
5 years |
· Environment:
|
Information on hazardous or substantially hazardous substances. |
10 years |
|
Documents relating to environmental permits For the duration of the activity. |
3 years after the activity ceases 10 years (statute of limitations for offences) |
|
Records on recycling or waste disposal. |
3 years |
|
For grants for clean-up operations, documents relating to rights and obligations, receipts and payments must be retained. |
4 years |
|
Accident reports. |
5 years |
· Insurance:
| Insurance policies |
6 years (general rule) 2 years (property damage) 5 years (personal injury) 10 years (life) |
· Purchasing:
| Records of all deliveries of goods or provision of services, intra-Community acquisitions, imports and exports for VAT purposes. | 10 years |
· Legal:
|
Intellectual and Industrial Property documents. Contracts and agreements. |
5 years |
|
Permits, licences, certificates |
6 years from the expiry date of the permit, licence or certificate. 10 years (criminal limitation period) |
|
Confidentiality and non-competition agreements. |
Always for the duration of the obligation or confidentiality |
· Data protection regulations:
|
Records and documents proving compliance with data protection requirements (audits, reports, data processor contracts, etc.) |
For the duration of data processing and for a further 3 years |
|
Documentation proving that requests to exercise data subjects’ rights have been dealt with |
For 3 years following the request |
|
Logs/records of access to information systems |
2 years |
|
If processing is based on the data subject’s consent, proof of consent |
For the duration of data processing and for a further 3 years |
· Complaint channel:
|
Internal complaints Compliance programme (corporate criminal liability) |
LOPDGDD 3/2018, Art. 24.4 3 months, unless the purpose of retention is to provide evidence of the functioning of the legal person’s model for the prevention of criminal offences. |
· Money laundering:
|
Obligated entities shall retain, for a minimum period of ten years, the documentation formalising compliance with the obligations established in this Act. In any event, the filing system of the obliged entities must ensure the proper management and availability of the documentation, both for the purposes of internal control and for responding in a timely and appropriate manner to requests from the authorities. |
10 years Article 25 of Law 10/2010 of 28 April on the prevention of money laundering and the financing of terrorism. |
· Medical History:
|
Healthcare centres are required to retain clinical records in conditions that ensure their proper maintenance and security, though not necessarily in their original format, in order to provide appropriate patient care for the period appropriate to each case and, as a minimum, for five years from the date of discharge following each course of treatment. Clinical records shall also be retained for legal purposes in accordance with current legislation. It shall also be retained where there are epidemiological, research or organisational and operational reasons relating to the National Health System. It shall be processed in such a way as to avoid, as far as possible, the identification of the persons concerned. To ensure the future use of medical records, particularly for care purposes, they shall be retained for the minimum period established in the basic state regulations, counted from the date of discharge for each care process or from the patient’s death. |
5 years (minimum) Article 17 of Law 41/2002 of 14 November on patient autonomy and rights and obligations regarding clinical information and documentation. Law 10/2014 of 29 December of the Valencian Autonomous Community (Health) |
· Traffic data relating to internet connections, emails and landline and mobile phone calls:
|
User identifier, IP address (source/destination), telephone number, IMSI and IMEI (source/destination), date and time of the communication (start/end), identification of the type of service or communication used (voice, data, SMS or MMS, etc.) |
1 year Article 5 of Law 25/2007 of 18 October on the retention of data relating to electronic communications and public communications networks. |
· Audit of accounts:
|
Auditors and audit firms shall retain and safeguard, for a period of five years from the date of the audit report, the documentation relating to each audit of accounts carried out by them, including the auditor’s working papers constituting the evidence and supporting the conclusions set out in the report. |
5 years Article 24 of Royal Decree-Law 1/2011 of 1 July, approving the consolidated text of the Audit Act. |
· Building access control:
|
Data contained in automated files created to control access to buildings must be deleted one month after collection. |
1 month Rule 5 of Instruction 1/1996 of 1 March of the Data Protection Agency on automated files established for the purpose of controlling access to buildings. |
· Documents in lawyers’ files:
|
As the actions that may be brought to hold a lawyer personally liable for professional negligence are of a personal nature and no specific limitation period is specified, the limitation period for such actions has been five years since 7 October 2015; therefore, completed files must be retained for at least that period (unless the limitation period is interrupted). |
5 years Art. 1964.2 of the Civil Code, as amended by Law 42/2015 of 5 October, reforming the Civil Procedure Act. |
· Register books and guest registers for hotel establishments:
|
Guest registers shall be compiled into register books containing a minimum of 100 pages and a maximum of 500. These register books must be kept for three years and made available to the police and security forces, after which they must be disposed of in such a way as to prevent access to the personal information contained therein. The register includes details of children under 14; the form is signed by the child aged 14 or over, or by the accompanying adult if the child is under 14. The details to be requested include: landline number, mobile number, email address, number of guests, relationship to the guest, and whether the establishment has an internet connection. The data also includes payment details: type (cash, credit card, payment platform, bank transfer, etc.), identification of the payment method (card type and number, bank account IBAN, mobile payment solution, others), holder of the payment method, card expiry date, and date of payment. |
3 years Ministerial Order INT/1922/2003 of 3 July on guest registers and check-in records for guests at accommodation establishments and similar venues. 3 years Data from the computerised register must be retained for a period of three years from the end of the contracted service or provision (non-commercial accommodation is exempt from the register requirement but must still be reported) Royal Decree 933/2021, ‘Documentary registration and reporting obligations of natural or legal persons engaged in accommodation and motor vehicle hire activities.’ Updates Order INT/1922/2003, including new forms of accommodation activities: short-term tourist accommodation, online portals. |
· Driver assessment centres:
|
The centre must retain for a period of ten years the content of the reports issued, including the opinions of the practitioners, doctors and psychologists who took part in the assessment, any supplementary reports that may have been submitted and, in the case referred to in Article 3(2), the documents provided by the person concerned. |
10 years Article 15.5 of Royal Decree 170/2010 of 19 February, approving the Regulations on examination centres for verifying the psychophysical aptitudes of drivers. |