Tenneco's Privacy Policy
This is the Privacy and Cookie Policy (‘Policy’) for this website/app which is run and provided by TENNECO AUTOMOTIVE EUROPE BVBA, number RPR Hasselt 0403684997, IZ Schurhovenveld 1420, 3800 Sint Truiden, Belgium (“Tenneco”), privacyoffice@tenneco.com (we, us and our).Tenneco uses reasonable measures to safeguard the personal information that you provide to us online. We understand the premium you place on the protection of your personal information on the Internet, and we want you to know what information we collect, how we safeguard it, and the choices you have about how your information may be used. We encourage you to read this Privacy Policy so that you understand how we use personal information provided to us through this website/app. This Policy describes what personal information we collect, how it is processed, for which purposes, and how you may exercise your rights to access, update, correct or erase your information.
Some sections of this Policy contain additional information particularly for our EU users. We included this information to comply with the requirements under the EU General Data Protection Regulation (GDPR).
Definition
Personal Information: means any information relating to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.
Processing: means any operation which is performed on Personal Information, such as collection, recording, organisation, structuring, storage, adaptation or any kind of disclosure or other use.
Information we ProcessIn order to provide our services to you, we need to Process data about you which may in some parts contain Personal Information; if so, we will do so only as permitted by applicable data protection law or with your consent. We will Process the following Personal Information:
Information voluntarily provided by youAlthough we do not require any form of registration or identification to use our website/app, some services require that you provide some Personal Information so that we can respond to you, evaluate your application, or engage in the requested service.We will Process information you voluntarily provided to us, such as:
Information (such as your name, user name and email address) that you provide to register as a user of our website’s discussion forum or our app;
Information (such as your name, user name and email address) that you provide to us to register as a supplier;
Information in connection with an account sign-in facility, your log-in and password details;
Communications you send to us, for example via e-mail or website/app communication forms;
Applications for employment with Tenneco.
For employment applications, we also require information pertaining to your job interests, employment history, and qualifications and other information required by law for us to hire you.
For our EU users: The legal basis for using your data is Art. 6 (1) 1 lit. b GDPR (potentially in connection with applicable national law).
Information automatically collected from youWhen you access our website/app, we may automatically collect additional information about you which will contain Personal Information only in limited cases and which is automatically recognised by our server, such as
Your IP address;
Device type, name and IDs;
Date and time of your requests;
Content of your requests;
Information on your browser version;
Screen resolution;
Information on your operating system, including language settings.
For our mobile app we will additionally collect
Location data
IMEI
IMSI
Cell phone number
We use such information only to assist us in providing an effective service (e.g. adapt our website or app to the needs of your end user device or to allow you to log in to our website or use our app), and to collect broad demographic information for anonymized, aggregate use.
For our EU users: The legal basis for the data processing is Art. 6 (1) 1 lit. f GDPR. We have a legitimate interest to analyse and improve the use of our website/app.
Uses made of your informationWe will Process the Personal Information you provide to:
Identify you when you sign-in to your account;
Enable us to provide you with the services and information offered through our website or app and which you request;
Provide your contact information and share your personal profile with other users of our website’s/app’s discussion forum;
Administer your user account with us;
Communicate with you;
To the extent you declared respective consent, send you emails or newsletters with information and offers about our products and services; you can object to such communications free of charge at any time by contacting us using the contact details at the end of this Policy.
For our EU users: Where you consented to the use of your personal data the legal basis is Art. 6 (1) 1 lit. a GDPR. The legal basis for the provision of services is Art. 6 (1) 1 lit. b GDPR. Besides, we have a legitimate interest to allow communication between users of the discussion forum as well as communication with us (Art. 6 (1) 1 lit. f GDPR).
Automated Decision MakingWe do not use your personal data for automated decision making which produces legal effects concerning you or similarly significantly affects you.
CookiesIf your computer browser is set to allow "cookies", then our site, like most sites on the Internet, installs cookies on your computer. This type of information allows us to identify new and returning visitors to the site, evaluate browsing habits on our site, and conduct market research activities so that we can continuously improve our services. It also allows us to track visitors who come to our Websites and allows you to bypass re-entering certain identifying information if you choose to enter certain sections of our site (such as signing up as a Supplier).
What are cookies?Cookies are small text files placed on your computer by websites that you visit. These text files can be read by these websites and help to identify you when you return to a website. Cookies can be “persistent” or “session” cookies. While persistent cookies remain on your computer when you go offline, session cookies will be deleted as soon as you close your web browser.For our EU users: The legal basis for the use of cookies is Art. 6 (1) 1 lit. f GDPR. We have a legitimate interest in analysing the use of our website/app to improve our services and advertisement.
What cookies do we place on your computer and how can I avoid the cookie use?We use cookies only to a very limited extent:
Google AnalyticsFor statistical analyses we use a tool called “Google Analytics”, a web analytics service provided by Google, Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (“Google”), to collect information about the use of this site.Google Analytics collects information such as how often our users visit this website, what content pages they visit when they do so, and events such as downloads and button clicks. We use the information we get from Google Analytics only to determine the most useful information you are looking for, and to improve and optimize this website. We do not combine the information collected through the use of Google Analytics with Personal Information. Although Google Analytics plants a permanent cookie on your web browser to identify you as a unique user the next time you visit this site, the cookie cannot be used by anyone but Google.The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States. Google Analytics collects only the IP address assigned to you on the date you visit this site, rather than your name or other identifying information. Google will use this information in order to evaluate your use of the website, to compile reports on website activities and to provide other services relating to website and internet use to us.Google is certified under the EU-US Privacy Shield and the Swiss-US Privacy Shield, thereby ensuring an appropriate level of data protection at Google in the United States. We have activated the IP-anonymisation within the Google Analytics service, and your IP address will be truncated within the area of Member States of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases the whole IP address will be first transferred to a Google server in the USA and truncated there. The IP-address your Browser conveys within the scope of Google Analytics will not be associated with any other data held by Google.You can prevent Google Analytics from recognizing you on return visits to this site by disabling their cookies on your browser through downloading and installing the following Browser-Plug-in:https://tools.google.com/dlpage/gaoptout?hl=en.
FlashtalkingWe use cookies only to a very limited extent:We use a tool called “Flashtalking”. It enables us to deliver ads suited to our user’s interests. The tool is provided by Flashtalking Inc, 1101 W Fulton Market, Suite 200, Chicago, Illinois 60607, USA.Flashtalking collects information on the websites the user visits and the user’s interaction with ads. In order to be able to identify the user’s computer, Flashtalking stores a cookie on your computer. Further, it stores user IPs on the Flashtalking servers. The cookies used by Flashtalking expire after two years.Flashtalking may combine your user information with other information gathered from other sources such as third parties or publicly accessible sources.Users have the ability to opt-out of our Flashtalking cookies via these links:http://www.youronlinechoices.com/https://www.networkadvertising.org/choiceshttp://www.flashtalking.com/uk/privacypolicy/Flashtalking will still deliver ads to users who have opted-out of cookie use. However, these ads will be generic and not targeted specifically at the user.
Use of our discussion forumOur forum can be accessed and read without registration. Anything you post on the discussion forum will be available to a broader public; you can delete your posts at any point in time. In order to provide content to the forum, you will have to register with your name, email address and password. You are not obliged to provide your real name but can use an alias.If you register for the forum we will Process your name, email address and password as well as all content provided to the forum for the purpose of the forum operation. You can delete your user account by emailing PrivacyOffice@tenneco.com. In case you decide to delete your user account, all your account data, including all communication will be deleted. Information posted by you into our discussion forum will remain visible, but any link to your person will be deleted. The unique username you selected during signup process will become available to other users upon deletion.For our EU users: The legal basis for using the data to enable the registration for the discussion forum is Art. 6 (1) 1 lit. b GDPR.
Information sharing
We may disclose your Personal Information to our affiliates to get you to the information you are looking for as streamlined as possible. For example, we will forward any inquiry to the legal entity within our group best suited to assist you. Our affiliates will only use your information to the extent necessary to perform their functions.For our EU users: Such data use is based on our legitimate interest to direct your request to the most appropriate entity within the Tenneco group (Art. 6 (1) 1 lit. f GDPR).
We may disclose anonymous aggregate statistics about users of the website/app in order to describe our services to prospective partners, advertisers and other reputable third parties and for other lawful purposes, but these statistics will include no Personal Information.
We may disclose your Personal Information to contractors who assist us in providing the services we offer through the website/app. Our contractors will only use your Personal Information to the extent necessary to perform their functions and will be contractually bound to process your Personal Information only on our behalf and in compliance with our requests.
In the event that we undergo re-organisation or are sold to a third party, any Personal Information we hold about you may be transferred to that re-organised entity or third party in compliance with applicable law.
We may disclose your Personal Information if legally entitled or required to do so (for example if required by law or by a court order). This includes situations where Tenneco may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, for fraud prevention or investigation, identifying or addressing policy violations, and to enforce our legal rights.
Some of the recipients mentioned above reside outside the European Economic Area (“EEA”). For further information about cross border transfer in general and transfers outside of the EEA see Section H.
Cross border data transfersWithin the scope of our information sharing activities set out above, your Personal Information may be transferred to other countries which may have different data protection standards than your country of residence. Please note that data processed in a foreign country may be subject to foreign laws and accessible to foreign governments, courts, law enforcement, and regulatory agencies. However, we will endeavour to take reasonable measures to keep up an adequate level of data protection also when sharing your Personal Information with such countries.In the case of a transfer from a country within the EEA to a country outside of the EEA, this transfer is safeguarded by the EU-US Privacy Shield and EU Model Clauses. You can find further information about the aforementioned safeguards under https://www.privacyshield.gov/ and https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.
Third Party Content
YouTubeWe use the “YouTube” service in order to provide videos on our website/app. In order to provide you with respective videos and give you the opportunity to give these videos a like, your browser will directly communicate with YouTube, LLC, San Bruno, USA. We do not have any influence on YouTube LLC’s data processing activities; please check YouTube LLC’s privacy policy for further information: https://www.google.com/intl/en/policies/privacy.For our EU users: The legal basis is Art. 6 (1) 1 lit. f GDPR. We have a legitimate interest to improve the attractiveness of our website by implementing different media.
Social PluginsWe have implemented Social Plugins from social networks so that you can share anything of interest to you with your friends and connections. Our website/app contains social plugins to external social networking sites such as facebook.com (“Facebook”), instagram.com (“Instagram”) and twitter.com ("Twitter"). Facebook is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. Instagram is operated by Instagram, LLC, 1601 Willow Rd. Menlo Park, CA 94025, USA. Twitter is operated by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA. Where you visit our website or use our app, your device will set up a direct connection to the Facebook, Instagram and Twitter servers. In the process the Facebook, Instagram and Twitter servers recognise that you use our website/app. If you are a member of Facebook, Instagram and/or Twitter, these sites may assign this information to your personal user account. By interaction with one of the plug-ins, e.g. by clicking the 'like' button and/or the Instagram or Twitter button this information will be sent via your device directly to the respective service where it will be stored on your respective personal user accounts.You can find further information within the privacy policies of Facebook (http://www.facebook.com/about/privacy/), Instagram (https://www.instagram.com/legal/privacy/) and Twitter (http://twitter.com/privacy).For our EU users: The legal basis is Art. 6 (1) 1 lit. f GDPR. We have a legitimate interest to allow for distribution of our services on social networks and ensure an attractive presentation and simplification of the use of our online offerings.
Links to third party websitesThis website/app may contain links to third party websites that are owned or operated by companies that are not affiliated with Tenneco. We are not responsible for the content and the data collection on respective third party websites and our Website Privacy Statement does not apply to your use of any such linked sites that are not owned or operated by Tenneco; please check the privacy policy of respective websites for information of respective websites’ data processing activities.
SecurityWe have reasonable state of the art security measures and appropriate technical, administrative and physical safeguards in place to protect against the loss, misuse and alteration of Personal Information under our control. For example, our security and privacy policies are periodically reviewed and enhanced as necessary and only authorised personnel have access to Personal Information. In addition, we take steps to ensure that our safeguards take into account new security threats as they continue to evolve. Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we use all reasonable efforts to prevent it.You should bear in mind that submission of information over the internet is never entirely secure. We cannot guarantee the security of information you submit via our website/app whilst it is in transit over the internet and any such submission is at your own risk.
Data retentionWe strive to keep our Processing activities with respect to your Personal Information as limited as possible. Your Personal Information will be retained only for as long as we need it to fulfil the purpose for which we have collected it and, if applicable, as long as required by statutory retention requirements.
MinorsTenneco’s websites are not directed to children under the age of 13. We do not seek, or knowingly collect, information from children under the age of 13. Tenneco abides by the Children's Online Privacy Protection Act (COPPA) in the United States, and respects similar state laws and laws of other countries that protect the privacy of children. Should a child whom we know to be under 13 provide Personal Information to us, we will use that information only to respond directly to that child to inform him or her that we must have parental consent before receiving information about him or her.
Additional rights for EU usersUnder the legislation applicable to you, you may be entitled to exercise some or all of the following rights:
require (i) information whether your Personal Information is retained and (ii) access to and/or duplicates of your Personal Information retained, including the purposes of the Processing, the categories of Personal Information concerned, and the data recipients as well as potential retention periods;
request rectification, removal or restriction of your Personal Information, e.g. because (i) it is incomplete or inaccurate, (ii) it is no longer needed for the purposes for which it was collected, or (iii) the consent on which the Processing was based has been withdrawn;
refuse to provide and – without impact to data Processing activities that have taken place before such withdrawal – withdraw your consent to Processing of your Personal Information at any time;
object at any time that your personal data will be used for direct marketing purposes, or - based on grounds relating to your particular situation - that your personal data shall be subject to data processing for other purposes;
receive data that you have provided to us surrendered to you or to a third party in a standard, machine-readable format. If you require the direct transfer of data to another controller, this will be done to the extent technically feasible.
take legal actions in relation to any potential breach of your rights regarding the Processing of your Personal Information, as well as to lodge complaints before the competent data protection regulators.
You may (i) exercise the rights referred to above or (ii) pose any questions or (iii) make any complaints regarding our data processing by contacting us under the contact details set out below.
Contacting usPlease submit any questions, concerns or comments you have about this Privacy Policy or any requests concerning your Personal Information by email to PrivacyOffice@tenneco.com. You may also write to us at one of the addresses provided on our Website through the Contact Us link.
Amendments to this PolicyWe reserve the right to change this Policy from time to time by updating our website/app respectively. If so, any changes will apply to Personal Information collected after the effective date of the policy change, and not to information already collected. We encourage you to review our Privacy Policy periodically. Please visit the website and launch the app regularly and check our respectively current privacy policy. This Privacy Policy becomes effective as of 25 May 2018.
Arsys's Privacy Policy
DATA PROTECTION POLICY
Ref.: PPDE_310518
In compliance with General Data Protection Regulation (EU) 2016/679) of the European Parliament and of the Council of the 27th of April 2016 (hereinafter GDPR), Arsys Internet S.L.U. (hereinafter Arsys) hereby presents this Policy regarding the processing and protection of personal data.
Details of the data controller:
ARSYS INTERNET, S.L.U.
Tax ID: B-85294916
Registered Office: C/ Chile, 54 26007 Logroño (La Rioja)
E-mail: info@arsys.es
Contact details of the Data Protection Officer: delegadopd@arsys.es
Scope of application
This Policy shall be applicable to:
Those persons who visit the Arsys website - www.arsys.es (hereinafter, any reference to this will be in the understanding that it also includes the English and Portuguese versions thereof - arsys.net and www.arsys.pt respectively).
Those who voluntarily communicate with Arsys via email or chat and those who fill in any forms for the gathering of data, as published on the Arsys website.
Those who request information about the products and services of Arsys and those who participate in any of the company's commercial actions.
Those who form a contractual relationship with Arsys via the contracting of its products and services.
Those who use any of the other services on said website which involve sending data to Arsys or Arsys's accessing of data for the provision of its services.
Any other parties who, directly or indirectly, may have given their express consent for their data to be processed by Arsys for any of the purposes featured in this Policy.
The use of Arsys products and services requires the express acceptance of this policy.
Arsys hereby states that, excepting the existence of a legally constituted representation, no users and/or clients can use the identity of another person or send said person's personal data. Therefore the data they provide to Arsys must be the personal details corresponding to their own identity, as well as appropriate, pertinent, current, exact and truthful. In that regard, the user and/or client shall be the sole responsible party in the event that any direct or indirect damages are caused to third parties or to Arsys due to the use of the data of another person or of their own data when it is false, erroneous, not current, inappropriate or not pertinent. Likewise, any user and/or client who sends the personal data of a third party shall be responsible for obtaining the corresponding authorisation from the party involved and for the consequences if they do not.
Similarly, the user and/or client who sends personal data to Arsys thereby declares that they are of legal age according to that established in Spanish legislation and that they shall abstain from sending data to Arsys if they are not. Any data provided about a minor shall require the prior consent and authorisation from their parents, tutors or legal guardians, who shall be considered responsible for the data provided by the minors in their charge.
This Policy shall be subsidiarily applicable as regards the other personal data protection conditions that may be established especially and communicated, among other ways, via registration forms, contracts and/or the terms of particular services. This Policy is therefore complementary to those mentioned in matters not expressly provided for therein.
Purposes of the gathering and processing of personal data
In its capacity as data controller, Arsys hereby informs users of the existence of various processes and files which gather and store the personal data provided to the company.
The purposes of said personal data gathering and processing are as follows:
The "cookies" which Arsys uses for the browsing of its websites (arsys.es, www.arsys.net and www.arsys.pt) are stored on the user's terminal (computer or mobile device) and they gather information when said websites are visited. The purpose of this is to improve the websites' usability, to learn about users' browsing habits or needs so as to be able adapt to them, and to obtain information for statistical purposes. In the case of existing Arsys clients, the information gathered with the cookies will also be used for identification purposes when accessing the different tools that Arsys makes available to them for the management of services.
In any case, users can configure their browser in such a way that some or all cookies are disabled or blocked. Not accepting these cookies does not imply a hindrance in the ability to access information on Arsys websites, although the use of some services may be limited. If you wish to retract consent once cookies have already been accepted, those that are stored on the user's machine must be deleted via the different browser options.All the information about the cookies used by Arsys has been published in its Cookies Policy, which is available for consultation at https://www.Arsys.es/legal/cookies.
In the event that an email is sent to Arsys or if personal data is sent via any other means, such as a contact form, the purpose of the gathering and processing of said data by Arsys is to address queries and information requests made regarding the Arsys’s products and services.
If an email is sent to Arsys regarding its job offers, said data shall be processed so that the user can participate in the staff selection procedures.
In the case of the forms that interested parties fill in order to participate in any of Arsys's commercial actions, the purpose will be to enable said participation, as well as the sending of commercial and publicity messages about the company's services. This is unless the interested party manifests their opposition to this at the time when their data is gathered. Notwithstanding the foregoing, the interested party can modify their decision at any time, as many times as they wish, via the means provided for said purpose by Arsys.
In the contracting of the services offered by Arsys, Arsys will only gather the personal data that is necessary to establish the contractual relationship and to enable the provision of the services and the remuneration thereof by the client. In this case, the data will be gathered and processed for the following purposes:
The main purpose will consist of the maintenance of the contractual relationship that is established with the client, in accordance with the nature and characteristics of the contracted services. Arsys will contact the client via the email address, telephone number or any other means indicated by said party.
For the sending of documentation and information related to the contracted services, as well as for the sending of commercial and publicity messages about said services and similar products from Arsys. This shall be done via post, email, telephone, SMS or any other means indicated by the client, unless the latter expressly manifests their opposition to this at the time of the contracting. Independently of whether the client has chosen to receive or not receive commercial information from Arsys, said client can modify their decision at any time, as many times as they want, through the specific section available for this purpose in their Client Area.
For the maintenance of historic registers of the commercial relationships for the legally established times.
In cases in which Arsys must access and/or process the personal data for which the client may have the status of data controller or data processor, Arsys will process said data in its capacity as the data controller for processing in accordance with Article 28 of the GDPR and in accordance with that indicated in the section titled "Arsys as data processor”included in this Policy.
In accordance with that established in Law 25/2007 of the 18th of October on the conservation of data relating to electronic communications and public communications networks, the user is hereby notified that Arsys shall proceed to retain and conserve certain traffic data generated during the course of communications, and when appropriate, communicate it to the legitimate authorities, provided that the legal circumstances set forth in the above Law apply.
For all other purposes that are expressly established in the Specific Conditions that are applicable to the corresponding product or service contracted by the client, when the latter expressly accepts said purposes.
Storage period of the personal data
Arsys shall store the personal data for the period of time that is strictly necessary for compliance with the previously detailed purposes. Arsys may keep the above data duly blocked during the period in which any responsibilities may be derived from the company's relationship to the Client.
In the case of data that is kept due to Law 25/2007 of the 18th of October on the conservation of data related to electronic communications and public communications networks, the data storage period shall be that detailed in said law.
Recipients of personal data
The recipients of the personal data collected by Arsys will be the following:
Arsys's own employees in compliance with their duties.
The suppliers of Arsys who are involved in the provision of services, in the event that this is necessary for said provision.
The companies who are members of the Group of Companies of which Arsys is part, with this being understood in the sense of Article 42 of the Code of Commerce, and whose activity is the commercialisation of services of an identical or analogous nature to those offered by Arsys. These services may include online presence services, managed hosting, cloud computing and advanced solutions in technological infrastructure.
Legal or administrative bodies, as well as State Security Forces and Bodies, in the event that Arsys is required by current legislation to provide said parties with information related to its clients and services.
Any other parties who, due to the nature of the service, must access the data provided for said service, as detailed in the Specific Conditions that apply to the corresponding product or service contracted by the client, when this is expressly accepted by the latter.
Users' rights and the exercise thereof
Users can, at any time, exercise the following rights recognised under the GDPR:
The right of access.
Users have the right to obtain, from Arsys, information about whether the company is processing personal data which concerns them, to access said data and to obtain information about the type of processing that is occurring.
The right to obtain a copy of their personal data.
The right to rectification.
Users have the right to require Arsys to rectify their personal data in the event that it is inexact or incomplete.
The right to erasure.
Users have the right to have their data deleted when it is no longer necessary for the purpose for which it was provided or when the other legally established circumstances occur.
The right to restrinction of processing.
Users have the right to request a limitation on the processing of their personal data, in such a way that it is not subject to the same processing operations that would correspond in each case, under the suppositions established in Art. 18 of the GDPR.
The right to data portability.
Users have the right to receive the personal data that concerns them in a structured format, as long as said data concerns that user exclusively and was provided by the same user.
Users can exercise the aforementioned rights in the following ways:
If they are Arsys clients, users can check and modify their personal data at any time via the "My Data" section in the "Client Area" tool, which is accessed by signing in on the arsys.es website.
They can also send a message via the "Contact" section of said tool, indicating the right they wish to exercise.
Whether or not they are Arsys clients, users can exercise their rights by sending a message via email to info@arsys.es or by sending a written request, accompanied by a copy of their ID card or a copy of a legally valid document which accredits their identity, to Arsys Internet S.L.U. C/ Chile no. 54, 26007, Logroño (La Rioja), Spain, marked for the attention of the Commercial Information Department and specifying the right they wish to exercise.
In cases of manifestly unfounded or excessively repetitive requests, Arsys reserves the right to charge a fee for the subsequent administrative costs or the right to refuse to act in response to said requests, in accordance with that established in Art. 12.5 of the GDPR.
Supervisor authority
Users and/or clients can contact the corresponding local supervisor authority if they believe that the processing of their personal data was not carried out in accordance with current legislation.
The data protection supervisor authority in Spain is the Spanish Data Protection Agency, whose contact details are available on their website: http://www.agpd.es/portalwebAGPD/CanalDelCiudadano/contacteciudadano/index-ides-idphp.php.
International data transfers
In terms of those Arsys products and services which require the realisation of international transfers to enable the provision thereof, said circumstance shall be featured in the Specific Conditions which apply to the corresponding product or service contracted by the client and it shall be expressly accepted by the latter prior to the realisation of the international transfer.
Arsys as data processor
In accordance with Article 28 of the GDPR and its amendments, Arsys shall process the personal data for which the client is the data controller or data processor, when this is necessary for the proper provision of the contracted services. In this case, Arsys shall act as data processor, in accordance with the terms indicated below:
Arsys shall only process the data in accordance with the instructions of the clientdata controller or data processor, not using it for any other purpose than that stated in this Data Protection Policy and/or in the contractual conditions that may be applicable.
After having completed the provision of the services which lead to the processing of the personal data, said personal data shall be destroyed, in addition to any other supports or documents which contain any personal data or any other type of information generated for and/or in the provision of the services featured in the corresponding Conditions. Notwithstanding the foregoing, Arsys may keep the above data duly blocked during the period in which any responsibilities regarding its relationship to the Client may be derived.
In the event that Arsys uses the data for another purpose or communicates or uses it in breach of this Data Protection Policy and/or of the corresponding Service Conditions, it shall also be considered as data controller.
Arsys shall be responsible, under article 28 of the GDPR, for maintaining due professional secrecy regarding the personal data it needs to access and/or process for the purpose of complying with the applicable Terms of Service in each case, both during and after their termination. It also agrees to use this information solely for the purpose specified in each case, and to demand the same level of commitment from any person within their organisation who participates in any phase of the processing of the personal data which is the responsibility of the client.
In accordance with the provisions of GDPR, the following rules will apply regarding the form and modes of access to data for the provision of services:
In the event that Arsys must access the data processing resources located in the premises of the client, the latter shall be responsible for establishing and implementing the security policy and measures and for communicating them to Arsys, who agrees to respect them and demand they are complied with by persons in its organisation participating in the provision of the services.
When Arsys remotely accesses the data processing resources which are the responsibility of the client, the latter shall be responsible for establishing and implementing the security policies and measures in their remote processing systems, and Arsys shall be responsible for establishing and implementing the security policy and measures in its own local systems.
When the service is provided by Arsys on its own premises, the company shall record the circumstances relating to the data processing in its Record of Processing Activities under the terms required by the GDPR, including the security measures corresponding to said processing.
Arsys's access and/or processing of data, notwithstanding the legal provisions or specific current regulations which may be applicable to each case or those which Arsys adopts under its own initiative, shall be subject to the required security measures needed to:
Guarantee the permanent confidentiality, integrity, availability and endurance of the processing systems and services.
Quickly restore availability and access to the personal data in the event of a physical or technical incident.
Regularly verify, evaluate and assess the effectiveness of the technical and organisational measures that are implemented to guarantee the security of the processing.
Pseudonymise and encrypt the personal data, as applicable.
The client authorises Arsys, in its capacity as data processor, to outsource (on behalf of the client) the services for the storage and custody of data backup copies and security copies to third parties in the cases deemed necessary to enable the provision of the contracted services, in any event respecting the obligations imposed under the GDPR and its implementation regulations. The client can, at any time, contact Arsys to find out the identity of the entities outsourced for the provision of the indicated services and said entities shall act in accordance with the terms established in this document and after Arsys has formalised a data processing contract in accordance with Art. 28.4 of the GDPR.
The client authorises Arsys to carry out the actions indicated below, as long as they are necessary for the execution of the service provision. Said authorisation is limited to the action(s) that each provision of services requires and shall have a maximum duration that is linked to the validity of the applicable contractual Terms:
The processing of personal data on mobile devices shall only be carried out by users or profiles of users assigned for the provision of services.
The processing of personal data on premises other than those of the client or Arsys shall only be carried out by users or profiles of users assigned for the provision of services.
The receiving and sending of supports and documents containing personal data, including that included in and/or attached to emails, outside the premises under the control of the client responsible for the processing.
The execution of the data recovery procedures that Arsys may be obliged to carry out.
Arsys shall not be held responsible for any breaches of obligations derived from the GDPR or the corresponding regulations in matters of data protection when this is done by the user and/or client responsible for the processing in the part corresponding to their activities and related to the execution of the contract or commercial relations with Arsys. Each party shall face the responsibility derived from their own breach of contractual obligations and the regulation itself.
Show privacy policy