PRIVACY POLICY

Euro-Funding Advisory Group, S.L. (hereinafter EURO-FUNDING), with registered office at Plaza de la Independencia 8, 2nd floor, 28001 Madrid (Spain), registered in the Register of Madrid (Spain) in Record Sheet 26.920, Section 8ª, folio 160, Page M-485130, with e-mail address info@euro-funding.com, hereby informs you of its privacy and personal data protection policy, in order to inform you of the processing of personal data carried out by Euro-Funding in accordance with the provisions of data protection and online privacy legislation:

  • GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (General Data Protection Regulation).
  • LOPD: Spanish Organic Law 3/2018, of 5 December, on data protection and guarantee of digital rights.
  • LSSI: Law 34/2002, of 11 July, on information society services and electronic commerce.
  1. SCOPE OF APPLICATION

This policy applies to the processing of personal data indicated below, carried out by the following companies (hereinafter referred to as EURO-FUNDING):

  • Euro-Funding Advisory Group, S.L. with Tax ID B85727188
  • Euro-Funding Environmental, S.L. with Tax ID B97228639
  • Euro-Funding Multilateral Projects, S.L. with Tax ID B87994596
  • Euro-Funding Local & Indirect Taxes, S.L. with Tax ID B85997625
  • Euro-Funding EU Projects, S.L. with Tax ID B84460252
  • Euro-Funding International, S. L. with Tax ID B84460252
  • Euro-Funding Cost Solutions, S.L. with Tax ID B87514063
  • Euro-Funding Poland, Spólka Z.O.O. with NIP 1080012306
  • Euro-Funding México S.A.P.I. de C.V. with R.F.C. EAG130520BB9
  2. PROCESSING OF PERSONAL DATA

Through the website, EURO-FUNDING carries out the following processing of personal data:

2.1 Browsing user (IP address)

  1. Purpose of processing: To manage access to the web server.
  2. Addressees: Competent authorities in case of security incidents.
  3. Processing period: The period technically necessary to manage your access. The data are subsequently blocked and kept at the disposal of the authorities.
  4. Legitimacy: The legal basis that legitimises this processing is the need to provide the service of access to the web server.

2.2 Browser user (cookies)

  1. Purpose of processing: The purposes set out in the notice and in the cookies policy.
  2. Target group: Euro-Funding Group companies.
  3. Processing period: Maximum 2 years.
  4. Legitimacy: The legal basis that legitimises this processing is the consent given through the cookie notice.

2.3 Contact form or mailboxes

  1. Purpose of processing: To manage your contact request and answer the questions raised.
  2. Recipients: The appropriate companies of the Euro-Funding Group, according to the nature and content of your request.
  3. Processing period: The period necessary to reply to your request. Subsequently, they will be kept for 5 years to deal with possible claims.
  4. Legitimacy: The legal basis for this processing is your consent, given when requesting contact.

2.4 Newsletter subscription and commercial communications

  1. Purpose of processing: To manage your request for registration in the newsletter and to send you commercial communications by e-mail about services, initiatives, events, conferences, publications, news, activities and calls in the sector of purchasing consultancy, tax, international cooperation, energy efficiency, real estate taxation, international taxation, sustainability, European funds, research, development, and innovation. The commercial communications are sent by means of a specific tool that includes links and tiny, transparent images that are associated with your e-mail address. Thus, when you download one of these images or access the links contained in the e-mail, Euro-Funding can know for statistical purposes whether the e-mail has been opened or whether a link has been accessed from the e-mail. You can prevent these uses by configuring your e-mail manager or programme to prevent the automated downloading of images, as well as by not accessing the links included in the e-mails you receive.
  2. Target group: Euro-Funding Group companies.
  3. Processing period: Indefinite until you withdraw your consent, object to future communications, or request your right to erasure.
  4. Legitimacy: The legal basis for this processing is your consent, given when you subscribe to these communications.

2.5 Event registration

  1. Purpose of processing: To manage your registration, attendance, and participation in the various events in which you register and, unless you object, to provide you with commercial information from the Euro-Funding Group.
  2. Target audience: Companies of the Euro-Funding Group involved in holding the event. Likewise, your data are communicated to third parties for the management of your attendance at the event, such as entities managing the physical or virtual space for access control, which may be in the United States or other countries that do not guarantee an adequate level of data protection, which you will be informed of in the registration process. Eventually, other third parties such as sponsors or collaborating entities may request the transfer of your data; in this case it will be expressly indicated in the registration process.
  3. Processing period: The period necessary for the management of the event and the sending of invitations to receive commercial information from the Euro-Funding Group. Subsequently, the data is kept, duly blocked, for a period of 5 years after the end of the event to deal with possible claims.
  4. Legitimacy: The legal basis that legitimises this processing derived from the event is your consent, given when registering for the event. Regarding the offer of commercial information from the Euro-Funding Group, the legal basis that legitimises the processing is the legitimate interest, as well as the previous existing relationship.

2.6 Social network users

  1. Purpose of processing: To manage relationships and contacts through social networks.
  2. Recipients: Your data will be the joint responsibility of the company managing the social network in question and the companies of the Euro-Funding Group involved in the management of the social network. The companies managing the social networks may be in the United States or other countries that do not guarantee an adequate level of data protection, which is accepted by the users of the social network.
  3. Processing period: Indefinite, until the decision is made to cancel the relationship with Euro-Funding through the social network in question. Euro-Funding does not extract data from the social network unless it is necessary for other planned processing and the interested parties have been informed (e.g. selection processes).
  4. Legitimacy: The legal basis that legitimises this processing derived from the event is your consent, given when registering for the event. Regarding the offer of commercial information from the Euro-Funding Group, the legal basis that legitimises the processing is the legitimate interest, as well as the previous existing relationship.

2.7 Satisfaction assessments

  1. Purpose of processing: To carry out satisfaction assessments.
  2. Target group: Euro-Funding Group companies involved in the provision of the services analysed.
  3. Processing period: The period necessary for the management of the survey. Subsequently, the data is kept, duly blocked, for 5 years to deal with possible complaints.
  4. Legitimacy: When you proactively participate in satisfaction assessments, the legal basis for this processing is your consent. When you receive satisfaction evaluations from the Euro-Funding Group because you have received a service from the Group, the legal basis for this processing is the legitimate interest in knowing your satisfaction.

2.8 Representatives of customers, suppliers, potential partners, and other business contacts

  1. Purpose of processing: Management of the commercial and professional relationship. Your identification and professional contact data may come from third parties, such as the company where you work, online platforms for professional contacts or commercial information directories about companies. The personal data provided for the billing of the services contracted with our company will be used to manage that billing, based on the provisions of Law 58/2003 of 17 December, General Taxation, on the obligation to issue invoices for the delivery of goods and services. The data will be stored in our database from the date of issue until the legally established deadline.
  2. Contact Agenda: The personal data provided as a supplier of Euro-Funding will be used to carry out the commercial management that you maintain with us. The legal basis is the commercial relationship. We do not transfer data to third parties unless legally obliged to do so. Your data will remain in our database for as long as the business relationship is maintained or for the period necessary to comply with legal obligations.
  3. Target audience: Euro-Funding Group companies involved in the business relationship.
  4. Processing period: The period necessary for commercial management. Subsequently, the data is kept, duly blocked, for 15 years to attend to possible liabilities, including criminal liabilities, arising from the processing.
  5. Legitimacy: When you proactively participate in satisfaction surveys, the legal basis for this processing is your consent. When you receive satisfaction surveys from the Euro-Funding Group because you have received a service from the Group, the legal basis for this processing is the legitimate interest in knowing your satisfaction.

2.9 Recruitment processes for labour personnel

  1. Purpose of processing: To manage your participation in current and future recruitment processes for Euro-Funding and the companies that make up the Euro-Funding Group. Your identification and curricular data may come from third parties, such as online employment platforms, recruitment agencies or temporary employment agencies.
  2. Target group: Companies in the Euro-Funding Group. Occasionally, depending on the position, it is necessary to communicate your data to clients or potential clients for the acceptance of a project.
  3. Processing period: 2 years, during which time you may be contacted to update your data and renew your consent.
  4. Legitimacy: The legal basis that legitimises this processing is your consent given when signing up for a selection process.

2.10 Selection processes for external collaborators, experts, and freelancers

  1. Purpose of processing: To manage your participation in current and future selection processes for external collaborators, experts and freelancers for Euro-Funding projects and the companies that make up the Euro-Funding Group in any country in the world. Your identification and curricular data may come from third parties, such as online platforms for professional contacts.
  2. Target group: Euro-Funding Group companies. Occasionally, depending on the position, it is necessary to communicate your data to European organisations and bodies, as well as clients or potential clients in any country in the world for the acceptance of a project.
  3. Processing period: 7 years due to the requirements of European bodies.
  4. Legitimacy: The legal basis that legitimises this processing is your consent given when signing up for a selection process.

2.11 Data protection for minors

Euro-Funding never collects data from minors (under 18 years of age) without the authorisation of their parent or legal guardian. If someone under the age of 18 fills in the contact form or a form on the website and no such authorisation is provided, the application will be destroyed without any attention being paid to its content.

  3. DATA QUALITY

The user must keep his/her data permanently updated, and if it is not possible to update it on-line, he/she must inform Euro-Funding, as the party responsible for the processing, of any changes that may be pertinent at any given time.

Euro-Funding cancels, deletes and/or blocks the data when they are incorrect, incomplete, or no longer necessary or relevant for their purpose, in accordance with the provisions of the legislation on data protection and once the appropriate legal deadlines for their processing have expired.

  4. SECURITY, TRANSPARENCY AND LAWFULNESS OF PROCESSING

Euro-Funding is clear about the data we collect and/or process. We explain why we use it and for what purposes. We never process personal data in an unexpected, obscure, or abusive manner. We never collect personal data in an unlawful or obscure way.

Euro-Funding adopts all technical and organisational security measures in accordance with the nature of the data, to guarantee the security of personal data and to avoid its alteration, loss, unauthorised processing, or access.

If you provide Euro-Funding with personal data about third parties, you must first inform the owner of the data of this fact, as well as of the provisions of this Privacy Policy.

We consider sensitive data to be data relating to health, sexuality, genetics, racial or ethnic origin, political opinions, religious convictions, trade union membership and biometric data aimed at identifying a data subject.

This privacy policy is only applicable to the website www.euro-funding.com. Euro-Funding doesn’t guarantee the privacy of third-party sites that link to or from this website.

Euro-Funding can modify this Policy at any time to keep it in line with current legislation on security and data protection.

  5. RIGHTS OF INTERESTED PARTIES

Data protection legislation guarantees Users the following rights:

  • Access: Allows the User to know what information is held, where it has been obtained from, to whom it has been provided and for what purposes it has been processed.
  • Rectification: Allows the User to rectify any erroneous or outdated data.
  • Deletion: Allows the User to stop the processing of their data.
  • Opposition: Allows the User to stop the use of their data for a specific purpose.
  • Limitation: Allows the User to restrict the processing of his/her data, but in such a way that they are kept for some subsequent purpose.
  • Portability: Allows the User to obtain a copy of his/her data in electronic format and, in certain circumstances, to request that it be communicated to another service provider. It is only applicable to computerised processing carried out with the consent of the User or for the performance of a contract.

The rights may be exercised before Euro-Funding, as well as the revocation of any consent given, by post to Plaza de la Independencia 8, planta 2, 28001 Madrid, Spain, or by e-mail to prodatos@euro-funding.com.

If we do not deal with your request in due time and form, you can complain to the Spanish Data Protection Agency as supervisory authority (www.aepd.es).

  6. PROCESSING OF PERSONAL DATA IN CONSULTING SERVICES

This point regulates the access of the PROCESSOR to the personal data under the responsibility of the CONTROLLER in a provision of Services, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “GDPR”).

For the purposes of this document, the CONTROLLER shall be considered the data controller and the PROCESSOR shall be considered the data processor in accordance with the provisions of articles 28 and 29 of the GDPR.

The processing of personal data entrusted to the CONTROLLER consists of collecting, structuring, storing, and consulting the personal data under the responsibility of the CONTROLLER.

For the execution of the contracted services, the PROCESSOR may process the following types of personal data:

  • Identification and contact details.
  • Job details, professional data.
  • Commercial information.
  • Economic, financial.
  • Others to be specified in the Offer.

6.1 Definitions

Specific data protection terms are interpreted in accordance with Art. 4 of the GDPR.

6.2 Duty of privacy

The PROCESSOR undertakes to keep confidential the information classified as confidential that the CONTROLLER provides in connection with the provision of services.

Any information to which the PROCESSOR has access by virtue of the Service is considered confidential information, in particular the information and personal data under the responsibility of the CONTROLLER which he/she has accessed or accesses during the execution of the Service.

Information or data in the public domain that is in the possession of the PROCESSOR prior to the commencement of the provision of services and has been obtained by lawful means in accordance with the law is not confidential.

The PROCESSOR is responsible for ensuring that its staff, collaborators, managers and, in general, all persons under its responsibility who have access to confidential information and personal data under the responsibility of the CONTROLLER, respect the confidentiality of the information, as well as the obligations relating to the processing of personal data, even after the end of their relationship with the PROCESSOR. Therefore, the PROCESSOR will make all necessary warnings and sign all necessary documents with such persons, to ensure compliance with such obligations.

The PROCESSOR keeps at the disposal of the CONTROLLER the documentation accrediting compliance with the obligation established in the previous paragraph.

6.3 Obligations of the processor

The PROCESSOR undertakes the following obligations:

  • Access personal data under the responsibility of the CONTROLLER only when it is essential for the proper performance of the services for which it has been contracted.
  • Process the data in accordance with the instructions received from the CONTROLLER.
  • If the processing includes the collection of personal data on behalf of and for the account of the CONTROLLER, the PROCESSOR must follow the procedures and instructions received from the CONTROLLER, especially regarding the duty to inform and, where appropriate, obtain the consent of the data subjects.
  • If the PROCESSOR considers that any of the CONTROLLER’s instructions infringe the GDPR or any other data protection provisions of the Union or the Member States, it shall immediately inform the CONTROLLER.
  • Not to allocate, apply or use the personal data under the responsibility of the CONTROLLER for purposes other than those indicated in this contract or in any other way that implies a breach of the instructions of the CONTROLLER.
  • Assume the condition of CONTROLLER if the data is used for any purpose other than the fulfilment of the object of the contract or is communicated or used in breach of the stipulations of the contract or the obligations of the regulations in force, being liable for any infringements personally incurred.
  • Not to allow access to the personal data under the responsibility of the CONTROLLER to any employee under his responsibility who does not have a need to know them for the provision of the contracted services.
  • Not to disclose, transfer, assign or otherwise communicate the personal data under the responsibility of the CONTROLLER, either verbally or in writing, by electronic means, paper, or computer access, not even for storage, to any third party, unless there is prior authorisation or instruction from the CONTROLLER.
  • If obliged to do so by art. 30 of the GDPR, the PROCESSOR shall keep a record of all categories of processing activities carried out on behalf of the CONTROLLER, containing the information required by art. 30.2 of the GDPR.
  • Ensure the necessary training in personal data protection for persons authorised to process personal data.
  • Support the CONTROLLER in carrying out data protection impact assessments, where appropriate.
  • Support the CONTROLLER in carrying out prior consultations with the Supervisory Authority, where appropriate.
  • Make available to the CONTROLLER all information necessary to demonstrate compliance with its obligations, as well as for audits or inspections carried out by the CONTROLLER or another auditor authorised by the CONTROLLER.
  • Adopt and apply the security measures stipulated in this contract, in accordance with the provisions of art. 32 of the GDPR, which guarantee the security of the personal data under the responsibility of the CONTROLLER and prevent its alteration, loss, unauthorised processing or access, considering the state of technology, the nature of the data stored and the risks to which they are exposed, whether from human action or from the physical or natural environment.
  • If obliged to do so by art. 37.1 of the GDPR, designate a data protection officer and communicate his/her identity and contact details to the CONTROLLER, as well as comply with all the provisions of arts. 37, 38 and 39 of the GDPR.
  • Respect all the obligations that may correspond to it as data processor in accordance with the GDPR, or any other complementary provision or regulation that may be equally applicable.
  • If the PROCESSOR is required by applicable Union or Member State law to transfer or allow access to personal data under the responsibility of the CONTROLLER to a third party, the PROCESSOR must inform the CONTROLLER of this legal requirement in advance, unless prohibited for reasons of public interest.

6.4 Obligations of the controller

The CONTROLLER declares and states, for the appropriate legal purposes, that:

  1. If the processing includes the collection of personal data in the name and on behalf of the CONTROLLER, it must establish the procedures corresponding to the collection of the data, especially regarding the duty of information and, where appropriate, obtaining the consent of the data subjects, guaranteeing that these instructions comply with all the legal and regulatory prescriptions required by current data protection legislation.
  2. If the processing does not involve the collection of personal data in the name and on behalf of the CONTROLLER, the personal data to which the PROCESSOR has access by virtue of the Offer have been obtained and processed in compliance with all legal and regulatory prescriptions required by current data protection regulations.
  3. It complies with all its data protection obligations as data controller and is aware that the terms of this Agreement in no way alter or replace the obligations and responsibilities attributable to the CONTROLLER as data controller.
  4. Supervise the processing and compliance with data protection regulations by the PROCESSOR.

6.5 Security measures and security breaches

Considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons, the PROCESSOR may implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which may include, among others:

  1. Pseudonymisation and encryption of personal data.
  2. The ability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services, as well as the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
  3. A process of regular verification, evaluation, and assessment of the effectiveness of technical and organisational measures to ensure the security of processing.
  4. A catalogue of security measures recognised in information security regulations or standards that elaborates on the following information security domains to the extent applicable:
     • Information security policies
     • Organisation of information security
     • Human resources security
     • Asset management
     • Access control
     • Cryptography
     • Physical and environmental security
     • Security of operations
     • Communications security
     • Acquisition, development, and maintenance of information systems
     • Relations with suppliers
     • Information security incident management
     • Information security aspects of business continuity management
     • Regulatory compliance

In assessing the adequacy of the level of security, the PROCESSOR considers the risks presented by the processing of data, in particular because of accidental or unlawful destruction, loss or alteration of personal data transmitted, stored, or otherwise processed, or unauthorised disclosure of or access to such data.

The PROCESSOR allows and contributes to the performance of audits, including inspections, by the CONTROLLER or another auditor authorised by the CONTROLLER.

Likewise, in the event of modification of the regulations in force on data protection or other related regulations applicable to the processing that is the object of this Contract, the PROCESSOR guarantees the implementation and maintenance of any other security measures that may be required, without this implying a modification of the terms of this Contract.

In the event of a breach of security of personal data in the information systems used by the PROCESSOR for the provision of the services covered by this Agreement, the PROCESSOR must notify the CONTROLLER, without undue delay, and in any case within a maximum period of 24 hours, of any breaches of security of personal data under its responsibility of which it becomes aware, together with all relevant information for the documentation and communication of the incident in accordance with the provisions of art. 33.3 of the GDPR.

In such a case, it is the responsibility of the CONTROLLER to communicate data security breaches to the Data Protection Authority and/or to the data subjects in accordance with the provisions of the regulations in force.

6.6 Destination of the data at the end of the contractual relationship

Once the contractual relationship agreed between the CONTROLLER and the PROCESSOR has been fulfilled or terminated, the PROCESSOR must ask the CONTROLLER for precise instructions on the destination of the personal data under his responsibility, the latter being able to choose between their return, transfer to another service provider or complete destruction, if there is no legal provision requiring the data to be kept, in which case they cannot be destroyed.

The PROCESSOR may keep, duly blocked, the personal data under the responsibility of the CONTROLLER, if liabilities may arise from its relationship with the CONTROLLER.

6.7 Rights against the data processor

The PROCESSOR must inform the CONTROLLER of any request to exercise the right of access, rectification, erasure and objection, limitation of processing, data portability and the right not to be subject to automated individualised decisions, made by a data subject whose data have been processed by the PROCESSOR to fulfil the object of this contract, so that it may be resolved within the time limits established by the law in force.

The transfer of the request to the CONTROLLER must be made as quickly as possible and in no case later than the working day following the day of receipt of the request, together, where appropriate, with other information that may be relevant to resolve the request.

Likewise, the PROCESSOR must process any instructions regarding rights of access, rectification, erasure and objection, limitation of processing, data portability and the right not to be subject to automated individualised decisions, which it receives through the CONTROLLER, as quickly as possible, and always within a maximum period of two (2) working days from receipt of the request, confirming in writing both the receipt of the request and the execution of the task entrusted.

6.8 Reciprocal duty to provide information

The Parties apprise the representatives that their personal data are included in files under the responsibility of each party, the purpose of which is the maintenance of their contractual relations, it being essential for them to provide their identification data, the capacity of representation they hold, their ID card number or equivalent document and their signature.

Furthermore, the Parties guarantee to comply with the duty of information with respect to their employees whose personal data are communicated between the Parties for the maintenance and performance of the contractual relationship.

The legal basis that legitimises the processing of data subjects’ data is the necessity for the conclusion and execution of the service.

The data collected will be kept for fifteen years for the purpose of meeting any possible liabilities arising from the relationship.

Those affected can exercise their rights of access, rectification, cancellation/deletion, opposition, limitation, and portability before the corresponding party by means of written communication to the registered address at the beginning of this document, providing a photocopy of their ID card or equivalent document and identifying the right requested. Likewise, if you consider that your right to the protection of personal data has been violated, you may file a complaint with the Spanish Data Protection Agency (www.aepd.es).

6.9 Subcontracting

The PROCESSOR cannot subcontract any of the services involving the processing of personal data, except for the auxiliary services necessary for the normal operation of the services, including the participation of the other EURO-FUNDING entities. However, the CONTROLLER allows subcontracting to all the following entities:

  • EURO-FUNDING ADVISORY GROUP, S.L.
  • EURO-FUNDING LOCAL & INDIRECT TAXES, S.L.
  • EURO-FUNDING ENVIRONMENTAL, S.L.
  • EURO-FUNDING INTERNATIONAL, S.L.
  • EURO-FUNDING EU PROJECTS, S.L.
  • EURO-FUNDING COST SOLUTIONS, S.L.
  • EURO-FUNDING MULTILATERAL PROJECTS, S.L.

Notwithstanding the above, if the PROCESSOR needs to subcontract all or part of the services involving the processing of personal data, it must give prior written notice to the CONTROLLER, one month in advance, indicating the processing it intends to subcontract and clearly and unequivocally identifying the subcontracting company and its contact details. The subcontracting may be carried out if the CONTROLLER doesn’t express its opposition within the established period.

The sub-processor, who also has the status of processor, is also obligated to comply with the responsibilities established in this document by the PROCESSOR and the instructions issued by the CONTROLLER.

The PROCESSOR is responsible for requiring the sub-processor to fulfil the same obligations assumed by him/her in this document.

The PROCESSOR remains fully responsible to the CONTROLLER for the fulfilment of the obligations.

The PROCESSOR must inform the CONTROLLER of any changes in the addition or replacement of other sub-processors one month in advance, thus giving the CONTROLLER the opportunity to object to the changes.