DETAILED INFORMATION ON THE PROCESSING OF YOUR PERSONAL DATA IN COMPLIANCE WITH REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
How we use your data at Up Spain:
- Communications : Our blog will keep you informed about Up Spain’s latest news and provide updates regarding your business or service inquiries. You will also receive confirmation emails for completed transactions, as well as notifications of new or canceled Up Spain solutions.
- We will offer you advertisements directly or indirectly, both through our portal and through the Gourmetpay app.
When you visit or take action on any of our products, we will associate you with the content viewed or shared through your browser cookies, which you can disable or delete whenever you decide.
RESPONSIBLE
WHO IS RESPONSIBLE FOR PROCESSING YOUR DATA?
1. Contact details of the Data Controller
- Identity: Chèque Déjeuner España SAU (hereinafter “The Entity”) with the trade name Up SPAIN.
- CIF: A78887049.
- Registered: Commercial Registry of Madrid on November 7, 1988, volume no. 8973 General, 7817 of section 3 of the company book Folio 63 sheet 85306.
- Postal address: Calle de Juan Ignacio Luca de Tena, 14, 4th floor, 28027 Madrid.
- Telephone: 919 495 387
- Email: https://www.up-spain.com/contacto/
- Website: https://www.up-spain.com/
The Entity acts as the data controller and as a service provider to the members, users, affiliates and visitors of this website.
2. Contact details of the Data Controller
The organization has a Data Protection Officer. For any questions regarding data protection, please email [email protected] .
PURPOSE
FOR WHAT PURPOSE DO WE PROCESS YOUR PERSONAL DATA?
1. Extended description of the purposes of the processing
We process the information provided to us by interested parties in order to:
- Manage employee services.
- Commercial communications from group companies, for related services.
2. Automated decisions, profiles and applied logic
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The Entity may rely on its previous decisions regarding the suitability of different profiles, but these will never be the sole basis for the decision. Information is collected in compliance with current regulations. Under no circumstances will automated decisions be made based on profiling.
LEGAL BASIS
WHAT IS THE LEGAL BASIS FOR PROCESSING YOUR DATA?
1. Details of the legal basis for the processing, in cases of legal obligation, public interest or legitimate interest.
Given the two main purposes described above, we will now describe the legitimacy of the use of the treatment.
Purpose
- Purpose of managing the Services.
- Data subject consent: GDPR: 6.1. a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Performance of a contract: GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
- Compliance with a legal obligation: GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Commercial purpose of informational communications.
- Data subject consent: GDPR: 6.1. a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Legitimate interest: GDPR 6.1 f) processing is necessary for the purposes of the legitimate interests pursued by the controller.
The user guarantees that the personal data provided to the Entity is truthful and is responsible for communicating any changes to it, so that we can continue to offer you our best service. Information submitted to the Entity, through any of its channels, must be truthful and must not infringe upon the rights of third parties or violate current legislation.
2. Obligation or not to provide data and consequences of not doing so
The requested information is necessary to enter into a contract with the Entity. If all the required information cannot be obtained, a contractual relationship with the Entity cannot be established.
CONSERVATION
HOW LONG WILL WE KEEP YOUR DATA?
Data retention periods or criteria.
The data will be kept until the purpose for which it was processed has been fulfilled. Once this occurs, the data will be stored in a blocked state to address any potential legal or administrative requirements until the statute of limitations expires.
RECIPIENTS
TO WHOM IS YOUR DATA COMMUNICATED?
1. Recipients or categories of recipients.
- To the Entity for internal administrative purposes, including the processing of personal data of clients and users.
- Indicate the existence of Processors, whose legitimacy of the processing is the execution of a contract between the Processor and the Entity in order to carry out the purposes indicated above.
- Furthermore, if necessary or useful to achieve the purposes described above, we reserve the right to disclose or grant access to personal data to the following recipients, provided that it is authorized or constitutes a legal requirement:
- Public/governmental administrations, courts, competent authorities.
- Camarero App SL (GourmetPay brand. Up SPAIN Group), for the introduction of a new payment method.
- Establishments, for example: restaurants belonging to the affiliate network to provide information about the transaction that has taken place on their property by the will and part of the user.
- Parent company of the group in France Up-France.
- We undertake not to transfer personal data to third parties other than those mentioned above, except when the Interested Parties are informed or if required by laws and regulations applicable to them or by order of a court, government body, supervisor or regulator, including tax authorities.
2. Suitability decisions, guarantees, binding corporate rules or applicable specific situations.
No communications take place outside the European area.
RIGHTS
WHAT ARE YOUR RIGHTS WHEN YOU PROVIDE US WITH YOUR DATA?
1. How to exercise your rights of access, rectification, erasure and portability of your data, and the limitation or opposition to its processing.
The rights recognized by the GDPR are:
- Right to request access to personal data relating to the interested party.
- Right to request its rectification or deletion.
- Right to request the limitation of your treatment.
- Right to object to treatment.
- Right to data portability.
To exercise your rights, simply send an email to the address above, requesting your right and attaching your registration email and phone number to the email for identification purposes.
Optionally, you can refer the interested party to the competent Supervisory Authority for further information about their rights.
What are your rights when you provide us with your data?
- Anyone has the right to obtain confirmation as to whether or not the Entity is processing personal data concerning them.
- Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
- In certain circumstances, interested parties may request the limitation of the processing of their data, in which case we will only retain them for the exercise or defense of claims.
- In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. The Entity will cease processing the data, except for compelling legitimate grounds, or for the establishment, exercise, or defense of legal claims.
The Entity’s privacy policy ensures, in any case, that the Holder can exercise their rights of access, rectification, cancellation and opposition by writing to the Entity, at the address indicated above and in the legally provided manner.
GDPR RIGHTS AND WHAT YOUR RIGHTS CONSIST OF
- ACCESS
You have the right to be informed of the following:- The purposes of the processing, categories of personal data being processed, and any possible data communications and their recipients.
- If possible, the retention period for your data. If not, the criteria used to determine this period.
- Regarding the right to request the rectification or erasure of data, the limitation of processing, or to oppose it.
- The right to lodge a complaint with the Supervisory Authority.
- If an international data transfer occurs, receive information on the appropriate safeguards.
- Regarding the existence of automated decisions (including profiling), the logic applied, and the consequences of this processing.
- RECTIFICATION
You have the right, in addition to rectifying inaccurate data, to have incomplete personal data completed, including by means of an additional statement. - ERASURE (THE “RIGHT TO BE FORGOTTEN”):
With this right you can request:- The erasure of personal data without undue delay when any of the circumstances described apply. For example, unlawful processing of data, or when the purpose for which the data was collected or processed no longer exists.
- However, a number of exceptions are regulated in which this right will not apply. For example, when the right to freedom of expression and information must prevail.
- LIMITATION OF PROCESSING
This right allows you to:- Request the controller to suspend data processing when: The accuracy of the data is contested, while the controller verifies said accuracy. The data subject has exercised their right to object to data processing, while it is verified whether the controller’s legitimate grounds override those of the data subject.
- Request the controller to retain your personal data when: The data processing is unlawful and the data subject opposes the erasure of their data and requests instead the restriction of its use. The controller no longer needs the data for the purposes of the processing but the data subject needs them for the establishment, exercise or defense of legal claims.
- DATA PORTABILITY
You may receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another data controller, provided this is technically feasible. Furthermore, the Data Subject expressly authorizes the transfer of their personal data for data communication purposes in the event of a portability request, in order to carry out such operations. - OBJECTION
You may exercise your right to object to the processing of your personal data: When, for reasons related to your personal situation, the processing of your data must cease unless a legitimate interest is demonstrated, or it is necessary for the exercise or defense of legal claims.
When the processing is for direct marketing purposes. - RIGHT NOT TO BE SUBJECT TO INDIVIDUALIZED DECISIONS
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.- The above does not apply when: It is necessary for entering into or performing a contract. It is permitted by EU or Member State law, with appropriate safeguards in place to protect the rights and freedoms of the data subject. The data subject has given explicit consent.
2. Right to withdraw consent.
You can always opt out of receiving monthly information by email. If you do not consent to the primary data processing, we will be unable to establish a relationship with you.
3.- Right to file a complaint with the Supervisory Authority.
Application to file a claim for protection of rights before the Supervisory Authority .
SOURCES. ORIGIN
HOW DID WE OBTAIN YOUR DATA? AND HOW DO WE USE YOUR DATA?
1. Detailed information on the origin of the data, including whether it comes from publicly accessible sources.
To achieve the purposes described above, we collect or receive personal data:
- Directly from the companies that hire us. For example: When a client is registered, they provide us with employee data for the management of their services.
- Indirectly from other external sources.
- Related companies and other services: We may receive information about you through our subsidiary Camarero App. SL
- We would also like to inform you that you are not required to provide us with personal data that we do not need to register your account or process payments if you register as a restaurant.
2. How we use your data.
- Communications:
If users of these products are required to provide their email address to access certain services, they may indicate that they do not wish to receive any communications from the Entity, provided that such communications are not strictly related to the purpose for which the service was requested, such as confirmation emails, information about completed transactions, or notifications confirming the activation or cancellation of services.
We also wish to inform you that we may contact you by telephone, in addition to email. - Advertising
- Communications:
We want to clarify that we may show you ads directly or indirectly, both on our digital products (website and app) and elsewhere, depending on your cookie settings.
When you visit or interact with any of our products, we will associate you with the content you viewed or shared through your browser cookies, which you can disable or delete at any time.
3. Categories of data processed
“Personal data” includes any information that allows a natural person to be identified directly (e.g. name, surname) or indirectly (e.g. ID card).
The categories of data processed are:
- Identification data: names, addresses, telephone numbers.
- Identification codes or keys issued by public bodies, e.g. passport, ID card and their validity periods.
- Personal characteristics, e.g., postal or email addresses.
- Employment information.
- Economic data of the services provided.
- Information about cookies, e.g., cookies and similar technologies on websites and apps (see also our Cookie Policy).
- Call recording.
No specially protected data is being processed.
SECURITY MEASURES
The Entity has adopted the necessary technical and organizational measures to guarantee the security and integrity of the data, as well as to prevent its alteration, loss, unauthorized processing or access.