ARTELIA 360 PLATFORM – PRIVACY POLICY

This Privacy Policy is effective on June 29th, 2020 - Last update: January 22nd, 2021

1. Foreword

The (EU) Regulation no. 2016/679 of the European Parliament and Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, referred to as the General Data Protection Regulation (hereafter the GDPR), lays down the legal framework applicable to the processing of personal data.

The GDPR strengthens the rights and obligations of controllers, subcontractors, data subjects (the individuals concerned) and recipients of such data.

In the framework of its business, the Artelia Group is required to process personal data.

To facilitate the understanding of this policy, it shall be made clear that:

- “Controller” refers to the natural person or legal entity that determines the purpose and the means of processing personal data. In the framework of this policy, the controller is Artelia Spain S.L.U. (hereafter referred to as “Artelia”), whose registered office is situated at Pº General Martínez Campos, 41 – 4th floor 28010 Madrid – Spain. Other Artelia Group subsidiaries apply this personal data protection policy when they act as controller.

- “Subcontractor” refers to any natural person or legal entity that processes personal data on behalf of the controller.

- “Data subject” or “third party” refers to any person that can be identified either directly or indirectly, and whose personal data are collected the controller. In the framework of this policy, the “data subjects” or “third parties” are:

- The various natural persons who are Artelia’s correspondents in its dealing with its clients, contacts and partners understood as being legal entities,

- Visitors to Artelia’s websites.

- “Recipient” refers to any natural person or legal entity to whom personal data are disclosed by Artelia. Data recipients can hence be either internal recipients or external recipients.

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, intelligible and easily accessible form.

2. Purpose

The purpose of this policy is to comply with Artelia’s duty to inform by virtue of the GDPR and to formalise the rights and obligations of the data subjects with respect to the processing of their personal data.

3. Scope

This personal data protection policy is to be applied when implementing the processing of personal data relating to all third parties of Artelia, which hence includes the natural persons who are its corresponds in its dealings with each of its clients, partners and contacts and visitors to its websites.

This policy only concerns processing activities for which Artelia acts as controller and hence is not applicable to processing activities that are not set up or exploited by Artelia (so-called “shadow IT” activities).

Personal data processing activities can be managed either directly by Artelia or by a subcontractor specifically appointed by Artelia.

This policy exists independently of any other document that may apply between Artelia and its clients, partners, contacts or job applicants

4. General principles

All processing activities performed at Artelia concerning the data of persons concerned by this policy relate to personal data collected by or for Artelia’s departments or processed in relation to its services and comply with the general principles of the GDPR.

A list of the personal data processing activities implemented is appended to this policy.

Any new instances of processing and any modification or deletion of an existing processing activity will be brought to the attention of the data subjects through a change in this policy.

5. Types of data collected

The types of data collected are specified in the appendix of this document.

6. Data sources

Data relating to data subjects are generally collected directly either from them or from clients, partners and contacts (direct collection).

In some specific cases, data may also be collected indirectly via other partners and/or suppliers of Artelia, in which case Artelia takes the utmost care to ensure that the data disclosed to it with regard to the processing activity concerned are pertinent and adequate (principle of minimisation).

7. Purposes and legal bases

Depending on the case, Artelia processes data chiefly for the following purposes:

- Managing relations with clients and partners (particularly contract monitoring, accounting, provision of services, invoicing, etc.).

- Managing relations with contacts

- Managing newsletters.

- Sending New Year greetings.

- Responding to public and private tender invitations.

These purposes have the following legal bases:

- Performance of a contract signed between Artelia and its client or partner.

- Artelia’s legitimate interest in holding data concerning its users and its contacts and in responding to requests submitted by visitors to its website via the contact form provided there.

For purposes outside the aforementioned bases and whenever necessary, Artelia will obtain the consent of the data subjects.

8. Recipients of the data – Authorization and accesibility

Artelia ensures that the data can only be accessed by authorised internal or external recipients

Internal Recipients

External Recipients

 

- Authorised personnel from departments in charge of handling relations with clients and partners and of prospecting for business, such as the marketing, communication and sales departments, departments involved in managing recruitment, administrative departments, logistics and IT departments and their supervisors

 

- Authorised staff members in departments responsible for oversight (internal auditing, etc.)

 

 

- Subsidiaries from the Artelia group

 

- Official bodies, court officials and State officials, in the framework of their assignments

 

- Account auditors

 

- Subcontractors

 

Recipients of data subjects’ personal data at Artelia are bound by a duty of confidentiality.

Artelia decides which recipient will have access to which data in accordance with an authorisation policy.

Artelia is not liable under any circumstances for any harm of any nature resulting from unlawful access to personal data held by external recipients.

9. Storage period

The period for which the data are stored is defined by Artelia in light of the legal restrictions by which it is bound or, failing this, in accordance with its requirements.

On expiry of the storage periods defined by Artelia, the data are either deleted or kept after having been made anonymous, chiefly for statistical purposes. They may also be kept for the requirements of pre-litigation or litigation.

Data subjects are reminded that deletion and anonymisation are irreversible operations and that Artelia will be unable to restore the data concerned thereafter.

10. Right of confirmation and right of access

Data subjects have the right to ask Artelia for confirmation as to whether data pertaining to them are being processed.

Data subjects also have the right to access their data, the said right being contingent on compliance with the following rules:

- The request is made by the subject himself/herself and is accompanied by a copy of an up-to-date identity document;

- The request is submitted in writing to the following email addresses: gdpr@arteliagroup.com and support.artelia360@arteliagroup.com

Data subjects have the right to request a copy of their personal data being processed by Artelia. However, should they request additional copies, Artelia may require them to cover the cost of providing these copies.

If data subjects submit their request for a copy of their data electronically, the information requested will be supplied to them electronically in a commonly used form, unless otherwise requested.

Lastly, data subjects are hereby informed that this right of access cannot apply to information or data that are confidential or that cannot be disclosed by law.

The right of access must not be exercised in an abusive way, meaning in a regular manner with the sole purpose of disrupting the department concerned

11. Updating and rectification

Artelia complies with requests from data subjects to update their personal data:

- Automatically in the case of modification requests submitted online on entry fields which can be updated technically or legally;

- At the written request of the individual himself/herself, who must provide proof of identity.

12. Right to erasure

The data subjects’ right to erasure will not apply in cases where data is processed to comply with a legal obligation.

Outside this situation, data subjects are entitled to request the erasure of their data in the following limiting situations:

- The personal data are no longer necessary with regard to the purposes for which they were collected or processed in some other way

- When the data subject withdraws the consent upon which the processing activity is based and there is no other legal basis for this activity

- The data subject opposes a processing activity that is necessary with regard to the legitimate interests of Artelia but for which no compelling legitimate purpose exists

- The data subject opposes the processing of their personal data for prospecting purposes

- The personal data have been unlawfully processed

In accordance with personal data protection legislation, data subjects are hereby informed that this is an individual right that can only be exercised by the individual concerned with respect to their own information; for security reasons, the department concerned will therefore verify their identity in order to avoid disclosing any of their confidential information to someone other than them.

13. Right to limitation

Data subjects are hereby informed that this right is not intended to apply to the extent that Artelia is processing data in a lawful manner and that all personal data collected are required for the performance of its services.

14. Right of portability

Artelia grants the right to data portability in the specific case where data are disclosed by the data subjects themselves and for purposes based solely on the individual’s express consent. In this case the data will be disclosed in a commonly used, machine-readable structured format.

15. Automated individual decision

Artelia does not make automated individual decisions concerning data subjects.

16. Post mortem right

The data subjects are hereby informed that they have the right to give guidelines regarding the post-mortem storage, erasure and disclosure of their data. These specific guidelines are submitted and this right is exercised by sending an e-mail to the following addresses: gdpr@arteliagroup.com and support.artelia360@arteliagroup.com. The request shall be accompanied by a copy of a signed proof of identity

17. Mandatory or voluntary nature of responses

On each form used to collect personal data, data subjects are informed of responses that are mandatory by means of an asterisk. The other responses are voluntary.

Where responses are mandatory, Artelia explains the consequences of failing to provide one.

18. Usage right

The data subjects grant Artelia a right to use and process their personal data for the purposes listed in the appendix.

However, all enhanced data resulting from processing and analysis by Artelia remain the exclusive property of Artelia (usage analysis, statistics, etc.).

19. Subcontracting

Artelia hereby informs the data subjects that it may appoint any subcontractor of its choice in the context of processing their personal data.

In such a case, Artelia will ensure that the subcontractor fulfils its obligations with respect to the GDPR.

Artelia undertakes to sign a written contract with all of its subcontractors and imposes the same personal data protection obligations on its subcontractors that it imposes on itself. Furthermore, Artelia reserves the right to carry out an audit of its subcontractors to ensure that they are complying with the provisions of the GDPR.

 

20. Security

It is Artelia’s responsibility to define and implement the physical or logical technical security measures that it deems appropriate to prevent the destruction, loss, alteration or unauthorised disclosure of data in an accidental or unlawful manner.

These measures mainly include:

- Data access authorisation management

- Internal safeguarding measures

- Identification processes

- Implementation of safety audits

- Adoption of an information system security policy

- Adoption of business continuity/disaster recovery plans, if appropriate

- Implementation of a security protocol or security solutions

21. Data breach

In the event of a personal data breach, Artelia undertakes to notify the competent supervisory authority under the conditions outlined by the GDPR.

If the said breach exposes data subjects to serious risk, Artelia:

- Will notify the data subjects

- Will provide the data subjects with appropriate information and recommendations

22. GDPR lead

Artelia has appointed a GDPR lead, who is the single contact person for matters pertaining to personal data protection.

This person can be contacted at the following email addresses: gdpr@arteliagroup.com and support.artelia360@arteliagroup.com.

Artelia will notify the GDPR lead beforehand if personal data in its possession undergo further processing.

If data subjects wish to obtain specific information or ask a specific question they can contact the GDPR lead, who will respond to their requests within a reasonable period of time.

23. Record of processing activities

In its capacity as controller, Artelia undertakes to maintain an up-to-date record of all the processing activities it performs.

This record is a document or application listing all of the processing activities carried out by Artelia in its capacity as controller.

Artelia undertakes to provide the supervisory authority, on first request, with the information enabling the said authority to verify that its data processing activities comply with the applicable data protection legislation.

24. Right to lodge a complaint with the competent supervisory authority

Individuals whose personal data are processed are hereby informed of their right to lodge a complaint with a supervisory authority if they believe that this processing activity is taking place in a manner that does not comply with the GDPR.

The contact details of the supervisory authority are given in the appendix to this policy.

25. Policy amendments

This policy may be modified or adjusted at any time in the event of changes in legislation or case law, decisions or recommendations issued by the supervisory authority, or changes in custom.

Data subjects will be notified of any new version of this policy by any means defined by Artelia, particularly via its website.

26. Further information

Anyone requiring additional information may contact the GDPR lead at the following email addresses: gdpr@arteliagroup.com and support.artelia360@arteliagroup.com.

Anyone requiring more general information on the topic of personal data protection can consult the website of the supervisory authority named in the appendix.

 

Appendix 1. List of processing activities

Processing activities

Details

 

Contact details of Artelia’s correspondents

in its dealings with clients and partners

 

Processing of the personal data of Artelia’s correspondent(s) in its dealings with its various clients and partners via its CRM database in order to maintain business relations with these parties (sign contracts, organize meetings, etc.).

 

 

Visitors to Artelia’s websites

 

Processing of the personal data of visitors to Artelia’s websites: gathering of their connection data and processing of their personal data if they fill in the contact form.

 

 

Appendix 2. Types of data collected

Types of data

Details

 

Non-technical data

 

- Identity and identification (surname, first name)

- Contact details (e-mail address, company)

 

 

Technical data

 

- Identification data (IP address)

- Connection data (particularly logins)

 

 

Appendix 3. Cookie Policy

This Cookie Policy explains how cookies and similar technologies (collectively, “Cookie(s)”) are used when you visit our Site. A “Site” includes our websites, emails, and other applications owned and operated by Artelia Spain S.L.U. (hereafter “Artelia”, the “Company”, “our”, or “us”) as well as any other services that display this Cookie Policy. This policy explains what these technologies are and why they are used, as well as your right to control their use.

We may change this Cookie Policy at any time. Please take a look at the date of effectiveness at the top of this page to see when this document was last revised. Any change in this Cookie Policy will become effective when we make the revised Privacy Policy available on or through the Site.

If you have any question, please contact us by email at support.artelia360@arteliagroup.com, or write to us at the following address: Pº General Martínez Campos, 41 – 4th floor 28010 Madrid – Spain.

1. What is a cookie?

A cookie is a small text file (often including a unique identifier), that is sent to a user’s browser from a website's computers and stored on a user’s computer's hard drive or on a tablet or mobile device (collectively, “Computer”). A Cookie stores a small amount of data on your Computer about your visit to the Site.

We place and access Cookies on your Computer; these Cookies are known as “first-party Cookies.” Cookies may also be placed and accessed by some third-party companies, which are known as “third-party Cookies” and are described below. Some Cookies are "session Cookies," which means that they are temporary Cookies that are only stored on your device while you are visiting our Site. Other Cookies are "persistent Cookies," which means that they are stored on your device for a period of time after you leave our Site.

You can choose whether to accept Cookies by changing the settings on your browser. However, if you disable this function (or keep this function disabled, as set by default by certain browsers), your experience on the Site may be diminished and some features may not work as intended.

2. What cookies do we use?

Below we list the different types of Cookies that are used on the Site that you are visiting.

To the extent any personal information is collected through first-party Cookies, our Privacy Policy applies and complements this Cookie Policy. Personal information collected through a third-party Cookie is subject to the privacy policy of that third party, and not our Privacy Policy.

Essential Cookies

Essential Cookies enable you to navigate the Site and to use its services and features. Without these necessary Cookies, the Site will not perform as smoothly for you as we would like it to and we may not be able to provide the Site or certain services or features.

Cookie

Description

Duration

Privacy Policy

csrftoken

Technical cookie needed for the correct performance of the Site

1 year

Artelia 360

sessionid

Technical cookie needed for the correct performance of the Site. Session cookie.

During session

Artelia 360

Consent

Google Maps Cookie. It’s used for the Google map in the contact page.

20 years

Gstatic.com

Preference Cookies

Preference Cookies collect information about your choices and preferences, and allow us to remember language or other local settings and customize the Site accordingly. Currently no cookies of this kind are being used.

Analytics Cookies

Analytics Cookies collect information about your use of the Site, and enable us to improve the way it works. For example, Analytics Cookies show us which are the most frequently visited pages on the Site, help us record any difficulties you have with the Site, and show us whether our advertising is effective or not. Analytics Cookies allow us to see the overall patterns of usage on the Site, rather than the usage of a single person. We use information from Analytics Cookies to analyze the Site traffic, but we do not examine this information for individually identifying information.

Cookie

Description

Duration

Privacy Policy

_ga

Google Analytics. This cookie is used to distinguish users.

3 months

Google.com

_gat_gtag_UA_

157417106_1

Google Analytics. Compiles information regarding how users make use of the Site.

1 minute

Google.com

_gid

Google Analytics. This cookie is used to distinguish users.

24 hours

Google.com

3. How do I manage Cookies?

You can change your Cookie settings. To opt-out of all third party Cookies, please follow the instructions for your browser.

You may refuse or accept Cookies from the Site or any other website at any time by activating settings on your browser. Most browsers automatically accept Cookies, but you can usually modify your browser setting to decline Cookies if you prefer. If you choose to decline Cookies, you may not be able to sign in or use other interactive features of our Site that depend on Cookies. Information about the procedure to follow in order to enable or disable Cookies can be found at their respective support websites.

Please be aware that if Cookies are disabled, not all features of the Site may operate as intended.

To opt-out of participating in Google Analytics data follow the Instructions:

https://tools.google.com/dlpage/gaoptout

 

Appendix 4. Contact details of the supervisory authority

AEPD - Agencia Española de Protección de Datos

Website: https://www.aepd.es

Address: C/ Jorge Juan, 6 – 28001 – Madrid (SPAIN)

Telephone: 901 100 099 / 91 266 35 17

Online office: https://sedeagpd.gob.es/sede-electronica-web/