Privacy policy - Personal data treatment

This section provides details of the company responsible for processing your data through this domain, where the website is hosted, and where data is collected and processed via cookies, forms (contact, purchase, and similar).

If you wish to obtain more information on data protection or exercise any of your rights, you can contact our Data Protection Officer at: dpo@360padelgroup.com.

This section presents a table outlining the purposes of data processing on the website and the associated files, for which PN is responsible:

[We kindly ask users/data subjects to review the basic information in general and, specifically, this table that outlines the purpose of the data you provide and the files where they may be stored, before accepting the privacy policy (clicking the acceptance box).]

The new regulatory framework requires that data subjects are informed about the period for which their data will be stored by the data controller (PN) via the channel being used (the website). In other words, how long will the data be kept by the data controller (PN)?

We will now inform you about this, and to that effect, we present the following table:

[i How long data is kept is established on the basis (1) of a PN criterion, associated to use said data and the company's interest, (2) criteria established by a legal basis that obliges PN to keep it (another law that requires it to be kept) and (3) other associated statistical or historical reports that may be of interest to the company (group) at a strategic level. Once they have fulfilled the purpose of their use, PN may, according to the conditions expressed in points 1,2 and 3, cancel (remove from production) or delete them].

* Note: access to data by third parties necessary for the provision of services or requests is not considered a data transfer. It is established that such third parties, especially collaborators, will use the data solely for providing the service, and any use of the data for other purposes must be done in compliance with their information rights and express consent (on their part).

Currently, PN does not transfer or disclose data to third parties located outside the European Union.

To fulfil one of the key aspects of the regulatory framework (effective from May 2018), namely the rights granted to individuals (data subjects), we present the different rights and include downloadable ‘ad hoc’ templates for this purpose.

1. Access

Download Model

[i Note: The right of access allows a data subject, such as yourself, to know what information the company holds about you.]

2. Rectification

Download Model

[i Note: The right to rectification allows a data subject to correct any inaccurate or outdated information held about them, for example, if your information is incorrect or needs updating.]

3. Deletion

Download Model

[i Note: The right of deletion allows a data subject to request the deletion of any information/data held by the company that they no longer wish to be used.]

4. Data Portability

Download Model

[i Note: This right applies from 25 May 2018. It allows the data subject to receive their data in a commonly used format (e.g., Excel) and transfer it to an authorised third party. To exercise this right, the data subject must: (a) prove they are the data subject, (b) identify the third-party recipient of the data, (c) provide clear authorisation for the portability (transfer of data). ]

5. Objection to Processing

Download Model

[i Note: The right of objection allows a data subject to oppose the use of their data for specific purposes (e.g., not wishing to receive marketing information).]

6. Right to withdraw consent

[i Note: The right to withdraw consent allows a data subject to oppose the use of their data for the purposes for which they gave consent or were processed on a legitimate basis. If you no longer want your data to be used for certain purposes (e.g., for marketing communications), you can withdraw your consent.]

Download Model

[i Note: This right will be applied as of May 25, 2018]

7. Right to Know the Source of the Data

[i Note: The right allows a data subject to know the origin of their data.]

Download Model

[i Note: This right applies from 25 May 2018]

Generally, the data collected via this website is obtained directly from the individual concerned. If you provide data about third parties, you must have their authorisation, consent , or legal capacity to do so.

We have developed this section with the web user in mind, with two main goals:

1. Since each form on the website may have a specific purpose associated with it, and for which we consider that we are legitimate to process the data (since you, the user, voluntarily provide the data), it is important to clearly outline each purpose.
2. This section will be updated over time as new forms or functionalities are introduced.

In general, the website may include the following types of forms for data collection, according to this table:

As an expression of responsibility for data protection and in compliance with the new regulatory framework (General Data Protection Regulation), PN is committed to complying with Spanish data protection legislation. These sections are part of an internal guide and/or code applicable to PN, based on principles recognised by the Spanish Government and the Spanish Data Protection Agency (AEPD).

Data protection is one of the foundations of a commercial or trust relationship and the image of PN. Through this section, we aim to outline the necessary conditions for collecting and processing data. This section aims to inform users about the criteria, values, and efforts made by PN to establish an adequate level of data protection and processing required by the European Data Protection Directive and various national regulations for proper processing.

These guidelines are part of an internal code that applies to PN and all companies (data processors) and their employees.

Any company that PN may require to comply with these general or specific guidelines on data protection and processing, either for collaboration or for performing any activity involving data processing (including formalising a relationship between the data processor through an "ad hoc" contract for the service they will provide to PN), will be considered a dependent company according to this guide.

The data protection and processing code includes the principles of security, confidentiality, and consent (information) derived from the European Directive and the European Commission for Data Protection and the Spanish legal framework, according to the resources, means, and capabilities of PN.

PN is responsible for ensuring compliance with the data protection and processing code and the legal obligations framed within the Spanish legal system. If you, as a user/data subject, have reasons to believe that legal obligations conflict with what is stated in this privacy policy and the sections mentioned, you may inform the Data Protection Officer of the Group (contact details are provided in the "Basic Information" section).

1. Honesty and legitimacy

During the collection and processing of personal data through PN's websites, PN will ensure that the personal rights of data subjects are upheld.

Personal data must be collected by the principles of consent (express and unequivocal when there is no legitimate basis) and information, and processed fairly and lawfully.

2. Specific purpose use

Personal data can only be processed in relation to the purpose for which it was originally collected. For this reason, informative clauses have been established in forms or similar (unequivocal/explicit consent boxes). Subsequent modification of the purpose(s) will only be possible under specific conditions and requires objective justification or sufficient evidence.

3. Transparency

The data owner must be informed about the use of their data. As a general rule, personal data collected through this website is always collected directly from the individuals concerned. Whenever personal data is collected, the data subject must be in a position to personally recognise the following aspects, or be informed about them:

• The identity of the data controller collecting the data/li>
• The purpose of processing the data
• Potential third parties or categories of third parties to whom the data may be transferred, if applicable.

For this reason, it is recommended to read the privacy policy. Especially the block "Basic Information" where the previous points are contained, and accept the same through a functionality so arranged in some of the forms.

[i Note: This information is included in section (1) of the General Information block. We advise users / holders of data that, before accepting the privacy policy, perform an approach to said information, and specifically to the point associated with the purpose of using the data.]

4. Avoid and reduce the collection and processing of data

PN, according to this block and new regulatory framework, before proceeding to the collection and subsequent processing of personal data will study the set of data necessary, and to what extent are relevant to meet the intended purpose.

To achieve this end, risk analysis and impact evaluation reports (IEI) will be carried out, whenever possible to achieve the intended purpose, and the costs are reasonable in relation to the purpose. Personal data will not be collected and processed for preventive purposes for possible future uses, unless required or permitted by current legislation at the time.

5. Deletion

PN will erase the personal data, associated with the data collected and processed in this website, which are not necessary after the expiration of the prescribed storage periods or as permitted by law, according to the data and the registered file. If, in an individual case, there are indications of a need for protection or historical interest in these data, the storage period of these data will be extended until the legal need for protection has been clarified, or until PN has assessed the relevance historical data for inclusion in the file.

6. Accuracy and current data

PN will keep the personal data as you have communicated and according to your resources and the subsequent communications that you can make in this regard, and will be updated whenever necessary or known.

[i Note: For this purpose, forms associated to this situation have been established, data update / modification, and a Data Protection Delegate has been designated, as well as a responsible / alternative contact.]

7. Confidentiality and data security

The personal data of PN are subject to an obligation of confidentiality. That is, they will be treated confidentially by their human resources (employees) and will be protected by appropriate organizational and technical measures against access by unauthorized persons, illegal treatment or illegal transfer to third parties, as well as against casual loss, modification or destruction.

[i Note: To comply with the principle of confidentiality, commitments have been established in this regard for employees and contracts of treatment / confidentiality managers for third parties (service providers).]

It is legal to collect, process and use personal data only if one of the requirements of legality described in what will be established below is met. One of the legality requirements must also be met if you wish to change the purpose of the collection, processing and use of personal data in relation to the original objective.

1. Data processing for a contractual relationship

The personal data of the interested party, the cuestomer and / or the website user can be treated for the preparation, realization or cancellation of a contract or request. This also includes the attention of the contractual user / customer, as long as it is related to the object of the contract.

Before the formalization of a contract - that is, in the pre-eminently informative phase of the contract - the processing of personal data to prepare offers, to prepare requests for products or services or to fulfill other wishes of the client is permitted. interested in order to reach the conclusion of the business relationship. It is allowed to contact potential clients or users, according to circumstances, during the pre-information phase, using the data that they have communicated or be able to offer similar products or services or that may be of interest due to the profile of potential client / user. . If applicable, the restrictions mentioned by the interested party (data holder) should be taken into account.

2. Data processing for a contractual relationship

If the interested party goes to a PN company requesting information (for example, request to send informative material about a product, act or service), the processing of their data is allowed to fulfill this desire.

The advertising and loyalty measures of customers / users require compliance with other legal requirements. The processing of personal data for advertising or market research and opinion purposes is permitted if this treatment is compatible with the purpose for which it was collected or express consent has been obtained.

The affected / data subjects (users) will be informed about the use of their data (see block of "Basic Information", purpose of use). If data is collected exclusively for advertising measures, the communication thereof, by the affected party, will always be voluntary.

If the interested party rejects the use of their data for advertising purposes, their data should not be used for this purpose and will be blocked accordingly (use of "robinson list").

3. Consent with data processing

It is possible to carry out the data processing if the interested parties have given their consent. Before requesting their consent, the interested party will be informed in accordance with section 4.3 of this block on the protection and data processing guidelines. For reasons of plausibility, the declaration of consent must always be collected in writing or electronically (acceptance of conditions in the form). Under certain conditions, such as telephone counseling, verbal consent may be granted. The consent granted will be documented.

4. Data processing due to legal permission

The processing of personal data is also legal if there are legal provisions that require, presuppose or authorize this treatment. The type and extent of data processing must be necessary for the treatment authorized by legislation, and must be carried out in accordance with these provisions.

5. Data processing due to a legitimate interest

Personal data may also be processed if necessary to safeguard a legitimate PN interest. In general, legitimate interests can be of a legal nature (for example, to execute outstanding debts) or economic (for example, to avoid contract disturbances).

The processing of personal data by reason of a legitimate interest is not permitted if there are in some particular cases indications that the protection of the legitimate interests of the interested party predominates over the interest of the responsible body in the processing of the data. The legitimacy of these interests will be examined before each data processing.

In this regard, you should understand that PN has made an effort to establish a criterion and a basis that allows it to have legitimacy about the purpose of using the data, based on the profile of the owner. This criterion is based on the fact that the company can develop its activity in order to remain in time, maintain or expand its workforce and obtain a legitimate benefit.

6. Processing of data subject to special protection

Personal data subject to special protection (health, sexual orientation, political ideas and the like) can only be treated if it is mandatory by law, or if the interested party has given their express consent. In general, PN does not collect or treat this type of data.

For the rest, the processing of these data may also be allowed if this is necessary so that the responsible body can exercise their rights, claim them or defend them against the interested party. If there is an intention to process data subject to special protection, the PN Data Protection Delegate will be informed in advance.

7. User and Internet data

Whenever personal data are collected, processed or used on the website or on integrated platforms, the interested parties will be informed about this aspect in notices about data protection and, where appropriate, about cookies. The notices about the protection and processing of data about cookies must be integrated so that they are available continuously, and that the interested party can easily recognize them and access them immediately.

If the possibility of accessing personal data in a restricted area (subject to registration) of web pages or Apps is offered, the identification and authentication of the interested party will be configured in such a way that an adequate level of protection of this access is achieved.

In case of data transfer to a recipient or to a third party located in a third state, the recipient must guarantee a level of data protection appropriate to the terms of this guide and regulatory framework for data protection of the Spanish State.

There is a case of data processing on request if a contractor is assigned the processing of personal data, without transferring responsibility for the corresponding process / commercial relationship. In these cases, a data processing agreement must be taken on request, both with the external contractor and between PN. The company (PN) that grants the order retains full responsibility for the correct implementation of the data processing. The contractor is authorized to process personal data only within the framework of the contractor's instructions.

When granting the order, the following prescriptions must be observed; the department that grants the order must ensure compliance:

1. Select the contractor (in charge of treatment) according to their suitability to guarantee the necessary technical and administrative protection measures.
2. The order must be formally granted. The instructions for the data processing and the responsibility of the contractor and the contractor must be documented in the order.
3. The standard contracts made available by Delegate of Data Protection for the different departments with capacity for this purpose will be taken into account.
4. Before the beginning of the data processing, the contractor must verify the fulfillment of the obligations by the contractor. The contractor must document compliance with data security requirements, especially by submitting an appropriate certificate. Depending on the risk of data processing, it may be necessary to repeat the control periodically during the term of the contract.
5. If the processing of the data is entrusted to a company located abroad, the applicable national requirements for the transfer of personal data to companies abroad must be complied with. In particular, only the processing of personal data of the European Union Space to a third state can be entrusted if the contractor can document a level of data protection comparable to the Spanish State regulations on data protection.

They are established as suitable instruments to give scope to what has been previously referenced:

1. An agreement of the clauses of the standard contract established by the Spanish Data Protection Agency for the processing of data by order in third states with the contractor and, where appropriate, with the subcontractors.
2. The participation of the contractor in a certification system recognized by the Spanish Agency for Data Protection to create a reasonable level of data protection.
3. The recognition by state control bodies responsible for binding rules of the contractor's company to create an adequate level of data protection.

All interested parties, data holders, you as user, can enforce the rights specified below. The responsible body must immediately process the claim of rights, and the interested parties should not be discriminated against in any way for asserting their rights.

1. The interested party may demand information about the personal data stored about him, about his origin and about the intended use.
2. If personal data are transferred to third parties, the identity of the recipient or the categories of recipients will also be reported.
3. If the personal data are incorrect, or incomplete, the interested party may demand its correction or addition.
4. The interested party may object to the processing of their personal data for the purpose of publicity, or within the framework of market and opinion studies. In this case, the data will be blocked to prevent its being used for this purpose.
5. The interested parties have the right to demand that their data to be deleted if the legal basis for the processing of the data has lapsed or has expired. The same applies in the case that the reason for the data processing has been prescribed, either for the time elapsed or for other reasons. The periods of mandatory conservation of certain documents and the legitimate rights that oppose the deletion or allow cancellation will be taken into account.
6. The interested parties have a basic right of opposition against the processing of their personal data, which will be taken into account whenever it is found that their interest in the protection of their personal data predominates because of their personal situation on the interest in the treatment of the data. This right does not apply if there is a legal regulation that prescribes the treatment of the data.

Personal data are subject to the principle of confidentiality. It is established for the employees that the collection, processing and use of data cannot occur:

(A) Without knowledge (this is directly related to the right to information)

(B) Without authorization (this concept has a direct interest in obtaining express and / or unambiguous consent).

It is considered illegal any data processing performed by an employee or third party without constituting its role in accordance with their work and without being authorized to do so. PN establishes supervisory procedures so that employees only have access to personal data when necessary and within the framework of the need for their tasks or functions. Derived from the above, PN performs an allocation and precise division of roles and privileges, as well as the implementation and updating within the framework of authorization concepts.

Employees or third parties (in charge of processing) can not use personal data for particular or economic uses, deliver them to unauthorized third parties or allow third parties access in another way. Department managers will inform their employees and will present a specific commitment, at the beginning of an employment relationship, about the obligation to observe the confidentiality of the data. This obligation will persist after the employment relationship ends.

Compliance with the data protection guidelines of this guide and current data protection laws is controlled through periodic audits and other controls. The realization will be promoted by the Delegate in Data Protection (DPD), Coordinators and Responsible (by department) of the company with control rights and / or external auditors in charge.

The results of the controls (situation controls, impact evaluation studies, audits and the like) of the data protection will be monitored by DPD. The same will transfer and inform the PN Surveillance Committee about relevant results in the framework of the corresponding information obligations.

The results of the data protection controls will be made available to the competent authorities on data protection if they request it. The competent authorities on data protection can also carry out their own controls to comply with this rule in accordance with the authorizations contemplated in the legislation.

All PN employees have the capacity and channels to communicate their superiors, their coordinator or the Data Protection Delegate (DPD) about incidents or breaches of the recommendations, guidelines or guidelines of this guide for the protection and treatment of data. The coordinator (responsible for a department) must inform the DPD, in general, and specifically, if the following cases occur:

• Receipt or illegal delivery of personal data to, or by, third parties
• Unauthorized access of third parties to personal data
• Loss of personal data. In this scenario, the communication will be carried out with the greatest speed to Responsible or DPD (management of incidents against information security), in order to be able to comply with the legal obligations of information of this type of incidents.

The Delegate for Data Protection (DPD) is an internal figure, who enjoys autonomy, who watches over the observance of national data protection requirements. It is responsible for the guidelines related to the data protection and treatment, and monitors compliance.

The Delegate for Data Protection is appointed by the PN Surveillance Committee (Administrator). The departments (their coordinators) and Centers (responsible) of PN are obliged to what the DPD establishes at all times. The specific exceptions to this rule should be agreed with the DPD. The coordinator and responsible persons must inform the DPD diligently about the risks of protection and data processing in specific areas of their activity (department or center) as a valid interlocutor.

Any interested party may contact the DPD at any time, to communicate suggestions, process inquiries, request information or submit complaints regarding the protection of personal data and the security of this data.

Those responsible for the Departments or Work Centers must take into consideration the decisions of the DPD in relation to incidents or breaches of the data protection regulations. Consultations of authorities will always be communicated to the DPD. The DPD and its collaborators are available according to the information provided in point 1.2 of BASIC INFORMATION (see 1.2 Delegate on Data Protection.