Data Protection Policy
In compliance with General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27th of April 2016 (hereinafter GDPR), Arsys Internet S.L.U. (hereinafter Arsys) hereby presents this Policy regarding the processing and protection of personal data.
Details of the data controller:
ARSYS INTERNET, S.L.U.
Tax ID: B-85294916
Registered Office: C/ Madre de Dios nº 21, 26004 Logroño (La Rioja), España
E-mail: info@arsys.es
Contact details of the Data Protection Officer: delegadopd@arsys.es
Scope of application
This Policy shall be applicable to:
- Those persons who visit the Arsys website - https://www.arsys.es (hereinafter, any reference to this will be in the understanding that it also includes the English, French and Portuguese versions thereof - https://www.arsys.net/, https://www.arsys.fr/ and https://www.arsys.pt respectively).
- Those who voluntarily communicate with Arsys via email or chat and those who fill in any forms for the gathering of data, as published on the Arsys website.
- Those who request information about the products and services of Arsys and those who participate in any of the company's commercial actions.
- Those who form a contractual relationship with Arsys via the contracting of its products and services.
- Those who use any of the other services on said website which involve sending data to Arsys or Arsys's accessing of data for the provision of its services.
- Any other parties who, directly or indirectly, may have given their express consent for their data to be processed by Arsys for any of the purposes featured in this Policy.
The use of Arsys products and services requires the express acceptance of this policy.
Arsys hereby states that, excepting the existence of a legally constituted representation, no users and/or clients can use the identity of another person or send said person's personal data. Therefore the data they provide to Arsys must be the personal details corresponding to their own identity, as well as appropriate, pertinent, current, exact and truthful. In that regard, the user and/or client shall be the sole responsible party in the event that any direct or indirect damages are caused to third parties or to Arsys due to the use of the data of another person or of their own data when it is false, erroneous, not current, inappropriate or not pertinent. Likewise, any user and/or client who sends the personal data of a third party shall be responsible for obtaining the corresponding authorisation from the party involved and for the consequences if they do not.
Similarly, the user and/or client who sends personal data to Arsys thereby declares that they are of legal age according to that established in Spanish legislation and that they shall abstain from sending data to Arsys if they are not. Any data provided about a minor shall require the prior consent and authorisation from their parents, tutors or legal guardians, who shall be considered responsible for the data provided by the minors in their charge.
This Policy shall be subsidiarily applicable as regards the other personal data protection conditions that may be established especially and communicated, among other ways, via registration forms, contracts and/or the terms of particular services. This Policy is therefore complementary to those mentioned in matters not expressly provided for therein.
Purposes of the gathering and processing of personal data
In its capacity as data controller, Arsys hereby informs users of the existence of various processes and files which gather and store the personal data provided to the company.
The purposes of said personal data gathering and processing are as follows:
- The "cookies" which Arsys uses for the browsing of its websites (https://www.arsys.es/, https://www.arsys.net, https://www.arsys.fr/ and https://www.arsys.pt) are stored on the user's terminal (computer or mobile device) and they gather information when said websites are visited. The purpose of this is to improve the websites' usability, to learn about users' browsing habits or needs so as to be able to adapt to them, to show advertising related to the browsing behaviour of the website users and to obtain information for statistical purposes. In the case of existing Arsys clients, the information gathered with the cookies will also be used for identification purposes when accessing the different tools that Arsys makes available to them for the management of services.
In any case, users can configure their browser in such a way that some or all cookies are disabled or blocked. Not accepting these cookies does not imply a hindrance in the ability to access information on Arsys websites, although the use of some services may be limited. If you wish to retract consent once cookies have already been accepted, those that are stored on the user's machine must be deleted via the different browser options. In the case of cookies from third parties, the user will be able to eliminate them from the browser or from the alternative system that each of these third parties may offer. The links are available on the Cookies Policy of Arsys.
All the information about the cookies used by Arsys has been published in its Cookies Policy, which is available for consultation at https://www.arsys.net/legal/cookies.
- In the event that an email is sent to Arsys or if personal data is sent via any other means, such as a contact form, the purpose of the gathering and processing of said data by Arsys is to address queries and information requests made regarding Arsys's products and services.
- If an email is sent to Arsys regarding its job offers, said data shall be processed so that the user can participate in the staff selection procedures.
- In the case of the forms that interested parties fill in to participate in any of Arsys's commercial actions, the purpose will be to enable said participation, as well as the sending of commercial and publicity messages about the company's services. This is unless the interested party manifests their opposition to this at the time when their data is gathered. Notwithstanding the foregoing, the interested party can modify their decision at any time, as many times as they wish, via the means provided for said purpose by Arsys.
- In the contracting of the services offered by Arsys, Arsys will only gather the personal data that is necessary to establish the contractual relationship and to enable the provision of the services and the remuneration thereof by the client. In this case, the data will be gathered and processed for the following purposes:
  - The main purpose will consist of the maintenance of the contractual relationship that is established with the client, in accordance with the nature and characteristics of the contracted services. Arsys will contact the client via the email address, telephone number or any other means indicated by said party.
  - For the sending of documentation and information related to the contracted services, as well as for the sending of commercial and publicity messages about said services and similar products from Arsys. This shall be done via post, email, telephone, SMS or any other means indicated by the client, unless the latter expressly manifests their opposition to this at the time of the contracting. Independently of whether the client has chosen to receive or not receive commercial information from Arsys, said client can modify their decision at any time, as many times as they want, through the specific section available for this purpose in their Client Area.
  - For the maintenance of historic registers of the commercial relationships for the legally established times.
  - In cases in which Arsys must access and/or process the personal data for which the client may have the status of data controller or data processor, Arsys will process said data in its capacity as the data controller for processing in accordance with Article 28 of the GDPR and in accordance with that indicated in the section titled "Arsys as data processor" included in this Policy.
  - In accordance with that established in Law 25/2007 of the 18th of October on the conservation of data relating to electronic communications and public communications networks, the user is hereby notified that Arsys shall proceed to retain and conserve certain traffic data generated during the course of communications, and when appropriate, communicate it to the legitimate authorities, provided that the legal circumstances set forth in the above Law apply.
  - For all other purposes that are expressly established in the Specific Conditions that are applicable to the corresponding product or service contracted by the client, when the latter expressly accepts said purposes.
Storage period of the personal data
Arsys shall store the personal data for the period of time that is strictly necessary for compliance with the previously detailed purposes. Arsys may keep the above data duly blocked during the period in which any responsibilities may be derived from the company's relationship to the Client.
In the case of data that is kept due to Law 25/2007 of the 18th of October on the conservation of data related to electronic communications and public communications networks, the data storage period shall be that detailed in said law.
Recipients of personal data
The recipients of the personal data collected by Arsys will be the following:
- Arsys's own employees in compliance with their duties.
- The suppliers of Arsys who are involved in the provision of services, in the event that this is necessary for said provision.
- The companies who are members of the Group of Companies of which Arsys is part, with this being understood in the sense of Article 42 of the Code of Commerce, and whose activity is the commercialisation of services of an identical or analogous nature to those offered by Arsys. These services may include online presence services, managed hosting, cloud computing and advanced solutions in technological infrastructure.
- Legal or administrative bodies, as well as State Security Forces and Bodies, in the event that Arsys is required by current legislation to provide said parties with information related to its clients and services.
- Any other parties who, due to the nature of the service, must access the data provided for said service, as detailed in the Specific Conditions that apply to the corresponding product or service contracted by the client, when this is expressly accepted by the latter.
Users' rights and the exercise thereof
Users can, at any time, exercise the following rights recognised under the GDPR:
- The right of access.
Users have the right to obtain, from Arsys, information about whether the company is processing personal data which concerns them, to access said data and to obtain information about the type of processing that is occurring.
- The right to obtain a copy of their personal data.
- The right to rectification.
Users have the right to require Arsys to rectify their personal data in the event that it is inexact or incomplete.
- The right to erasure.
Users have the right to have their data deleted when it is no longer necessary for the purpose for which it was provided or when the other legally established circumstances occur.
- The right to restriction of processing.
Users have the right to request a limitation on the processing of their personal data, in such a way that it is not subject to the same processing operations that would correspond in each case, under the suppositions established in Art. 18 of the GDPR.
- The right to data portability.
Users have the right to receive the personal data that concerns them in a structured format, as long as said data concerns that user exclusively and was provided by the same user.
Users can exercise the aforementioned rights in the following ways:
- If they are Arsys clients, users can check and modify their personal data at any time via the "My Data" section in the "Client Area" tool, which is accessed by signing in on the https://www.arsys.es/ website.
They can also send a message via the "Contact" section of said tool, indicating the right they wish to exercise.
- Whether or not they are Arsys clients, users can exercise their rights by sending a message via email to info@arsys.es or by sending a written request, accompanied by a copy of their ID card or a copy of a legally valid document which accredits their identity, to Arsys Internet S.L.U. C/ Madre de Dios nº 21, 26004 Logroño (La Rioja), Spain, marked for the attention of the Commercial Information Department and specifying the right they wish to exercise.
In cases of manifestly unfounded or excessively repetitive requests, Arsys reserves the right to charge a fee for the subsequent administrative costs or the right to refuse to act in response to said requests, in accordance with that established in Art. 12.5 of the GDPR.
Supervisory authority
Users and/or clients can contact the corresponding local supervisory authority if they believe that the processing of their personal data was not carried out in accordance with current legislation.
The data protection supervisory authority in Spain is the Spanish Data Protection Agency, whose contact details are available on their website: http://www.agpd.es/portalwebAGPD/CanalDelCiudadano/contacteciudadano/index-ides-idphp.php.
International data transfers
In terms of those Arsys products and services which require the realisation of international transfers to enable the provision thereof, said circumstance shall be featured in the Specific Conditions which apply to the corresponding product or service contracted by the client and it shall be expressly accepted by the latter prior to the realisation of the international transfer.
Arsys as data processor
In accordance with Article 28 of the GDPR and its amendments, Arsys shall process the personal data for which the client is the data controller or data processor, when this is necessary for the proper provision of the contracted services. In this case, Arsys shall act as data processor, in accordance with the terms indicated below:
- Arsys shall only process the data in accordance with the instructions of the client (data controller or data processor), not using it for any other purpose than that stated in this Data Protection Policy and/or in the contractual conditions that may be applicable.
- After having completed the provision of the services which lead to the processing of the personal data, said personal data shall be destroyed, in addition to any other supports or documents which contain any personal data or any other type of information generated for and/or in the provision of the services featured in the corresponding Conditions. Notwithstanding the foregoing, Arsys may keep the above data duly blocked during the period in which any responsibilities regarding its relationship to the Client may be derived.
- In the event that Arsys uses the data for another purpose or communicates or uses it in breach of this Data Protection Policy and/or of the corresponding Service Conditions, it shall also be considered as data controller.
- Arsys shall be responsible, under article 28 of the GDPR, for maintaining due professional secrecy regarding the personal data it needs to access and/or process for the purpose of complying with the applicable Terms of Service in each case, both during and after their termination. It also agrees to use this information solely for the purpose specified in each case, and to demand the same level of commitment from any person within their organisation who participates in any phase of the processing of the personal data which is the responsibility of the client.
- In accordance with the provisions of the GDPR, the following rules will apply regarding the form and modes of access to data for the provision of services:
  - In the event that Arsys must access the data processing resources located in the premises of the client, the latter shall be responsible for establishing and implementing the security policy and measures and for communicating them to Arsys, who agrees to respect them and demand they are complied with by persons in its organisation participating in the provision of the services.
  - When Arsys remotely accesses the data processing resources which are the responsibility of the client, the latter shall be responsible for establishing and implementing the security policies and measures in their remote processing systems, and Arsys shall be responsible for establishing and implementing the security policy and measures in its own local systems.
  - When the service is provided by Arsys on its own premises, the company shall record the circumstances relating to the data processing in its Record of Processing Activities under the terms required by the GDPR, including the security measures corresponding to said processing.
- Arsys's access and/or processing of data, notwithstanding the legal provisions or specific current regulations which may be applicable to each case or those which Arsys adopts under its own initiative, shall be subject to the required security measures needed to:
  - Guarantee the permanent confidentiality, integrity, availability and endurance of the processing systems and services.
  - Quickly restore availability and access to the personal data in the event of a physical or technical incident.
  - Regularly verify, evaluate and assess the effectiveness of the technical and organisational measures that are implemented to guarantee the security of the processing.
  - Pseudonymise and encrypt the personal data, as applicable.
- The client authorises Arsys, in its capacity as data processor, to outsource (on behalf of the client) the services for the storage and custody of data backup copies and security copies to third parties in the cases deemed necessary to enable the provision of the contracted services, in any event respecting the obligations imposed under the GDPR and its implementation regulations. The client can, at any time, contact Arsys to find out the identity of the entities outsourced for the provision of the indicated services and said entities shall act in accordance with the terms established in this document and after Arsys has formalised a data processing contract in accordance with Art. 28.4 of the GDPR.
- The client authorises Arsys to carry out the actions indicated below, as long as they are necessary for the execution of the service provision. Said authorisation is limited to the action(s) that each provision of services requires and shall have a maximum duration that is linked to the validity of the applicable contractual Terms:
  - The processing of personal data on mobile devices shall only be carried out by users or profiles of users assigned for the provision of services.
  - The processing of personal data on premises other than those of the client or Arsys shall only be carried out by users or profiles of users assigned for the provision of services.
  - The receiving and sending of supports and documents containing personal data, including that included in and/or attached to emails, outside the premises under the control of the client responsible for the processing.
  - The execution of the data recovery procedures that Arsys may be obliged to carry out.
- Arsys shall not be held responsible for any breaches of obligations derived from the GDPR or the corresponding regulations in matters of data protection when this is done by the user and/or client responsible for the processing in the part corresponding to their activities and related to the execution of the contract or commercial relations with Arsys. Each party shall face the responsibility derived from their own breach of contractual obligations and the regulation itself.