Privacy policy
Introduction
This Privacy Policy has been developed taking into account the provisions of the current Organic Law on the Protection of Personal Data, as well as Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 regarding the protection of natural persons concerning the processing of personal data and the free movement of such data, hereinafter the GDPR.
This Privacy Policy aims to inform the data subjects, from whom information is being requested, of specific aspects regarding the processing of their data, including, among other things, the purposes of processing, contact details to exercise their rights, data retention periods, and security measures.
Data Controller
For data protection purposes, the Stämpfli Foundation shall be considered the Data Controller concerning the files/processing identified in this policy, specifically in the “Data Processing” section.
The identifying details of the owner of this website are as follows:
Data Controller: Stämpfli Foundation
Email address: fundaciostampfli@orange.fr
Data Processing
The personal data requested, if applicable, will consist solely of those strictly necessary to identify and process the request made by the data subject, hereinafter the “interested party.” This information will be processed fairly, lawfully, and transparently concerning the data subject. In addition, personal data will be collected for specific, explicit, and legitimate purposes and will not be further processed in a manner incompatible with those purposes.
The data collected from each data subject will be adequate, relevant, and not excessive in relation to the purposes for each case and will be updated whenever necessary.
The data subject will be informed, prior to the collection of their data, of the general aspects regulated in this policy to allow them to provide express, specific, and unequivocal consent for the processing of their data, in accordance with the following points.
Purposes of Processing
The explicit purposes for which each processing activity is carried out are set out in the information clauses incorporated into each data collection channel (web forms, paper forms, announcements or notices, and information notes).
However, the personal data of the data subject will be processed exclusively to provide an effective response and attend to the requests made by the user, as specified along with the option, service, form, or data collection system used by the data subject.
Legal Basis
As a general rule, prior to processing personal data, the Stämpfli Foundation obtains the express and unequivocal consent of the data subject through the inclusion of informed consent clauses in the various data collection systems.
However, if the data subject’s consent is not required, the legal basis for processing relied upon is the existence of a specific law or regulation authorizing or requiring the processing of the data subject’s data.
Recipients
As a general rule, the Stämpfli Foundation does not transfer or disclose data to third parties, except when legally required. However, if necessary, such transfers or disclosures will be communicated to the data subject through the informed consent clauses included in the different data collection channels.
Origin of Data
As a general rule, personal data is always collected directly from the data subject. However, in certain exceptions, data may be collected through third parties, entities, or services other than the data subject. In this regard, this fact will be communicated to the data subject through the informed consent clauses in the different data collection channels and within a reasonable period, once the data is obtained, and no later than one month.
Data Retention Periods
The information requested from the data subject will be retained as long as necessary to fulfill the purpose for which the personal data was collected. Once the purpose is fulfilled, the data will be deleted. This deletion will result in the data being blocked, retaining it only at the disposal of public authorities, judges, and courts, to address any potential liabilities arising from the processing. After the statutory period has expired, the information will be destroyed.
For informational purposes, the legal retention periods for different types of information are as follows:
| DOCUMENT | DEADLINE | LEGAL REFERENCE |
| Employment-related or social security-related documentation | 4 years | Article 21 of Royal Legislative Decree 5/2000 of 4 August, approving the revised text of the Law on Offenses and Sanctions in the Social Order |
| Accounting and tax documentation for commercial purposes | 6 years | Article 30 of the Commercial Code |
| Accounting and tax documentation for tax purposes | 4 years | Articles 66 to 70 of the General Tax Law |
| Access control to buildings | 1 month | Instruction 1/1996 of the AEPD |
| Video surveillance | 1 month | Instruction 1/2006 of the AEPD, Organic Law 4/1997 |
Browsing Data
Regarding browsing data that may be processed through the website, if data subject to regulation is collected, it is recommended to consult the Cookie Policy published on our website.
Data Subject Rights
Data protection regulations grant a series of rights to data subjects or data owners, users of the website, or users of the Stämpfli Foundation’s social media profiles.
These rights are as follows:
- Right of access: the right to obtain information on whether your personal data is being processed, the purpose of the processing, the categories of data being processed, the recipients or categories of recipients, the retention period, and the source of the data.
- Right of rectification: the right to obtain the rectification of inaccurate or incomplete personal data.
- Right to erasure: the right to have data deleted in the following cases:
- When the data is no longer necessary for the purpose for which it was collected.
- When the data subject withdraws consent.
- When the data subject objects to the processing.
- When deletion is required to comply with a legal obligation.
- When the data was obtained through an information society service based on Article 8(1) of the European Data Protection Regulation.
- Right to object: the right to object to a specific processing based on the consent of the data subject.
- Right to restriction: the right to restrict the processing of data in the following cases:
- When the data subject contests the accuracy of the personal data, for a period allowing the company to verify its accuracy.
- When the processing is unlawful and the data subject opposes the deletion of the data.
- When the company no longer needs the data for the purposes for which it was collected, but the data subject needs it for the establishment, exercise, or defense of claims.
- When the data subject has objected to processing while it is being verified whether the legitimate grounds of the company prevail over those of the data subject.
- Right to portability: the right to obtain the data in a structured, commonly used, machine-readable format, and to transmit it to another data controller when:
- Processing is based on consent.
- Processing is based on consent.
- Right to lodge a complaint with the competent supervisory authority.
Interested parties may exercise the indicated rights by contacting Stämpfli Foundation, by writing to the following address: fundaciostampfli@orange.fr indicating in the Affairs line the right you wish to exercise.
In this sense, Stämpfli Foundation will respond to your request as soon as possible and taking into account the deadlines provided for in the regulations on data protection.
Security
The security measures adopted by the Stämpfli Foundation comply with Article 32 of the GDPR. Taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the likelihood and severity of risks to the rights and freedoms of natural persons, the Foundation has implemented appropriate technical and organizational measures to ensure a level of security proportional to the existing risk.
In any case, the Stämpfli Foundation has implemented sufficient mechanisms to:
- Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- Quickly restore availability and access to personal data in the event of a physical or technical incident.
- Regularly verify, assess, and evaluate the effectiveness of technical and organizational measures implemented to ensure processing security.
- Pseudonymize and encrypt personal data, where appropriate.