Privacy Policy

Privacy and Data Protection Policy

In compliance with the provisions of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, GDPR) and Article 11 of Organic Law 3/2018, of 5 December 2018, on the protection of personal data and guarantee of digital rights, we inform you of the following:

The User must carefully read this Privacy Policy, drafted in clear and accessible language to facilitate its understanding, with the aim of allowing the User to determine freely, informedly and voluntarily whether they wish to provide their personal data or that of third parties to SONNEIL (hereinafter the Entity).

Information on the Data Controller

Purpose, legitimacy and retention of your personal data

The Entity will process the personal data that the User provides to us for the following purposes and during the retention periods indicated below:

  • Managing the provision and execution of the contracted services and/or products, as well as the preparation, monitoring and management of contracts, offers and service proposals, including the data of individuals whose involvement is necessary for this purpose. The legal basis for this processing is the performance of a contract or the application of pre-contractual measures at the request of the data subject. In this case, we will retain the personal data for the duration of the contractual or pre-contractual relationship and, once it has ended, for the legally required periods to address any liabilities arising from it.

  • Managing and handling communications, and any type of request, suggestion, claim or petition submitted by informants/users through the Internal Information System, in accordance with Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption. These communications may entail their management and, where applicable, referral to the department responsible for their proper handling and compliance with the applicable regulatory framework. The legal basis for this processing is compliance with legal obligations applicable to the Entity. Data relating to the information received and to internal investigations will be retained for the period necessary and proportionate for the purpose of complying with the Whistleblower Protection Law, in no case exceeding a period of ten years. Three months after their receipt, the communications will be deleted, except where retention is necessary to demonstrate and provide evidence of the existence and operation of the System and/or based on other regulatory compliance requirements to which the information is linked, with the informant's identity being anonymised in a separate area with appropriate security measures.

  • Sending informative communications about products or services similar to those already contracted by the Client. The legal basis for this processing is the Entity's legitimate interest, within the framework of a prior contractual relationship and provided that such communications relate to the Entity's own products or services similar to those initially contracted, in all cases guaranteeing the possibility of opting out in each communication. In the case of electronic communications, this processing is based on the provisions of Article 21.2 of Law 34/2002, on information society services and electronic commerce (hereinafter, LSSI). The personal data will be retained for as long as the right to object is not exercised or unsubscription from receiving such communications is not requested.

  • Within the framework of managing labour relations, the Entity may process personal data of workers, candidates or associated personnel for the following purposes:

    • Managing the employment relationship, including the formalisation, development and termination of the employment contract, as well as administrative, accounting and payroll management.
    • Managing attendance control, time recording and compliance with working hours.
    • Organising and managing mandatory or necessary training activities for the performance of the job.
    • Complying with obligations regarding occupational risk prevention, health surveillance and psychosocial risk management.
    • Exercising the business control powers provided for in labour regulations, in accordance with Article 20.3 of the Workers' Statute.
    • Managing internal communications necessary for the proper conduct of work activity, including operational notices, alerts or access to corporate tools and documentation. Such communications may be made through personal contact details provided by the data subject, where necessary for the development of the employment relationship, preferably using corporate channels where these are available.
    • Verifying the absence of conflicts of interest or situations that could compromise the integrity, security or regulatory compliance of the Entity.
    • Ensuring the application of policies on equality, non-discrimination, prevention of harassment and protection of vulnerable groups in the workplace.
    • Processing the image of workers for corporate or promotional purposes, where express consent has been previously obtained.

    The legal basis for these processing operations is, depending on the specific nature of each processing operation, the performance of the employment contract (Art. 6.1.b GDPR), compliance with legal obligations (Art. 6.1.c GDPR), the Entity's legitimate interest (Art. 6.1.f GDPR) or the consent of the data subject (Art. 6.1.a GDPR), in cases where this is necessary. The personal data will be retained for the duration of the employment relationship and, once it has ended, for the legally required periods to address any liabilities.

  • Sending commercial communications, newsletters or mailings, where such communications are not covered by a prior contractual relationship under the terms indicated above. The legal basis for this processing is the consent of the data subject, given freely, specifically, in an informed manner and unambiguously. The personal data will be retained for as long as the consent given is not withdrawn or unsubscription from receiving such communications is not requested.

  • Managing the receipt and evaluation of applications, CVs and selection processes, including unsolicited applications submitted through the website or the contact email address, as well as their consideration for current or future vacancies that match the candidate's profile. The legal basis for this processing is the consent of the data subject, expressed by submitting their application. The personal data will be retained until consent is withdrawn and, in any case, for a maximum period of one year from receipt of the curriculum vitae.

  • Ensuring the security of people, property and facilities through video surveillance systems. The legal basis for this processing of personal data is the Entity's legitimate interest in preserving the security of its facilities, people and property. The images will generally be retained for a maximum period of 30 days from the time they are captured, except where they must be retained for longer in order to provide evidence of the commission of acts that infringe the integrity of people, property or facilities, or to comply with a legal obligation.

  • Managing the professional relationship with suppliers, collaborators and third parties, including the maintenance of the commercial, administrative, accounting and billing relationship arising from the services contracted by the Entity. The legal basis for this processing is the performance of the contract and compliance with the legal obligations applicable to the Entity. The personal data will be retained for the time necessary to manage the contractual relationship and, subsequently, for the legally required periods.

  • Managing and controlling the Entity's internal regulatory compliance mechanisms, policies and procedures, including internal control actions, and the prevention, detection and investigation of breaches of regulations or internal policies. The legal basis for this processing is compliance with legal obligations and, where applicable, the public interest or the Entity's legitimate interest in ensuring regulatory compliance and the integrity of its organisation. The personal data will be retained for the time strictly necessary for the processing, investigation and closing of the actions and, subsequently, for the legally required periods.

  • Managing requests to exercise data protection rights received through the channel made available by the Entity for this purpose. The legal basis for this processing is compliance with a legal obligation applicable to the data controller. The personal data will be retained for the time necessary to process and resolve the request and, subsequently, for the legally required periods to demonstrate that it was properly handled.

  • Managing and handling information or communications relating to the prevention of and action against harassment, violence or particularly serious conduct, in particular that affecting groups requiring special protection, including, where applicable, trans people, LGBTI people and minors, as well as processing such internal actions as may, where appropriate, be necessary. The legal basis for this processing is compliance with legal obligations, essential public interest and, where applicable, the formulation, exercise or defence of claims, depending on the specific nature of the communication and the data processed. The personal data will be retained for the time strictly necessary for the processing of the communication, the investigation and the adoption of appropriate measures and, subsequently, for the legally required periods. Where such communications are channelled through the Internal Information System, the periods provided for in Law 2/2023, of 20 February, will apply.

  • Complying with the legal obligations applicable to the Entity in commercial, tax, accounting, administrative, anti-money laundering, employment, data protection or any other matters that may be required. The legal basis for this processing is compliance with a legal obligation. The personal data will be retained for the periods provided for in the applicable regulations in each case.

  • Likewise, the Entity may process personal data for any other purposes necessary for compliance with legal obligations or specific regulatory requirements applicable to its activity.

The personal data processed generally comes from the data subject themselves. However, in certain cases, the data may come from third parties with whom the data subject has a relationship, such as client companies, collaborating entities or suppliers, as well as from publicly accessible sources, where legally appropriate. In such cases, the data subject will be informed in accordance with the terms established in Article 14 of the GDPR.

Recipients of your personal data and international transfers

The Entity may communicate the data subject's personal data to the following recipients, where necessary depending on the purpose of the processing and on the legal basis applicable in each case:

  • Competent Public Administrations, such as Social Security, the State Tax Administration Agency, grant-management bodies or the Public Prosecutor's Office, where the communication of personal data is necessary for compliance with legal obligations applicable to the Entity.
  • Mutual insurance companies collaborating with Social Security, occupational risk prevention services or other similar entities, where necessary for compliance with obligations relating to employment, health and safety, or for the protection of workers.
  • Legal representatives of workers, including works councils, trade unions and prevention delegates, in cases where labour regulations apply.
  • Clients or entities linked to the provision of services, exclusively where it is essential to identify workers for the correct performance of the contracted service, in all cases limiting the communication to data that is adequate, relevant and not excessive, in accordance with the principle of data minimisation.
  • Service providers acting as data processors, with whom the Entity has signed the corresponding data processing agreement in accordance with the provisions of Article 28 of the GDPR.
  • Personal data may be communicated, where necessary, to the competent authorities, the Public Prosecutor's Office, judicial bodies or third-party processors that provide services linked to the management of the Internal Information System, subject to the relevant contractual and confidentiality guarantees.
  • Judicial authorities, the Public Prosecutor's Office and Security Forces and Corps, where the communication is necessary for compliance with a legal obligation, for the formulation, exercise or defence of claims, or in compliance with requirements or orders from such authorities.

As a general rule, no international transfers of personal data are envisaged. However, in the event of using technology service providers that may involve the processing of data outside the European Economic Area, such transfers will be carried out in full compliance with the provisions of Articles 44 et seq. of the GDPR, through the adoption of appropriate safeguards, such as the signing of standard contractual clauses approved by the European Commission or other valid mechanisms in accordance with current regulations.

Personal Data Protection Rights

To ensure transparency in the processing of your personal data, we inform you of the rights granted to you by Data Protection regulations. Below, we detail each of these rights and how you can exercise them in relation to the personal data we hold.

  • Right of access: You have the right to know whether the Entity is processing your personal data.
  • Right of rectification: You have the right to request the correction of inaccurate data.
  • Right of erasure: You have the right to request the deletion of your personal data when it is no longer necessary for the purpose for which it was collected.
  • Right to restriction of processing: You have the right to request that the use of your data be restricted, being kept only for the defence of claims.
  • Right to object: You have the right to object to the processing of your personal data, except where there are legitimate grounds or it is needed for the defence of claims.
  • Right to portability: You have the right to receive the data in a structured and readable format in order to transfer it to another controller, whenever possible.
  • Right to withdraw consent: You have the right to withdraw consent given at any time, except where the processing is required by law or is necessary for a contracted service, without retroactive effect.
  • Right not to be subject to automated decisions: You have the right not to be subject to automated decisions based on personal data that significantly affect you, such as profiling.

You may exercise your rights, and report any indication or knowledge you may have of possible security breaches, cyberattacks and/or possible breaches or irregularities relating to Data Protection regulations, through the channel/email address made available by the Entity for this purpose: www.corporate-line.com/cnormativo-sonneil / dpdexterno@bonetconsulting.com

In the event of disagreements with the Entity regarding the processing of your data, you have the right to lodge a complaint with the relevant Data Protection Supervisory Authority. In Spain, this Authority is the Spanish Data Protection Agency (www.aepd.es).

The Entity may request additional information to confirm the identity of the applicant where there are reasonable doubts about it and will respond to the request within a maximum period of one month from its receipt, this period being extendable in cases of particular complexity.

Internal Information System

The Entity has implemented an Internal Information System (SIIF), which is configured as a fundamental pillar for the supervision, control and prevention of regulatory compliance, embodying the highest commitment, rigour and professionalism in matters of security, confidentiality, data protection, expertise, independence and knowledge in the handling of the communications received.

The internal information channels integrated into the System have been implemented using technical tools that meet all the requirements necessary to provide and guarantee our above commitments. Likewise, the SIIF guarantees the basic principles of anonymity, proper recording, retention and non-alteration, prevention of conflicts of interest, protection of the informant and prevention of retaliation.

Through this System, every informant must report in good faith any indication, suspicion or evidence of possible regulatory breaches, crimes, unethical behaviour and, in general, non-compliance with the Entity's protocols, rules and codes of conduct.

Access to the SIIF has been made available in a separate section of our website.

Processing of personal data in the Internal Information System

Within the framework of the Internal Information System (SIIF), the Entity will process personal data for the purpose of managing and handling the communications received, as well as analysing, verifying and investigating the facts reported, adopting, where appropriate, the corrective, disciplinary or legal measures that may apply.

This processing is carried out in compliance with the legal obligations established in Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption, as well as, where applicable, on the basis of the Entity's legitimate interest in preventing and detecting unlawful conduct or conduct contrary to internal regulations.

Within the framework of these actions, the following categories of personal data may be processed:

  • Identification and contact details of informants, affected persons and third parties involved.
  • Professional and employment data linked to the relationship with the Entity.
  • Information relating to the facts reported, including descriptions, assessments or associated documentation.
  • Where applicable, special categories of data in accordance with Article 9 of the GDPR, where their processing is strictly necessary for the investigation and there is a sufficient legal basis in accordance with the applicable regulations.

The personal data may come from the informant (whether identified or anonymous), from the affected persons or from third parties participating in the investigation.

Confidentiality and protection of the informant

The Entity guarantees the confidentiality of the informant's identity, as well as that of any third party mentioned in the communication and of the affected persons. Access to the data will be restricted exclusively to authorised personnel involved in the management and investigation of the communications.

Likewise, any form of retaliation, discrimination or unfavourable treatment against the informant or against those who collaborate in the investigation is expressly prohibited, in accordance with the terms provided for in Law 2/2023.

The exercise of data protection rights may be limited where necessary to preserve the confidentiality of the informant's identity, prevent obstruction of the investigation or ensure the proper conduct of the actions, in accordance with the terms provided for in the applicable regulations.

Security and control measures

General

The Entity will process personal data applying appropriate technical, legal, organisational and security measures, in order to guarantee the confidentiality and integrity of the information it manages in accordance with the provisions of current regulations.

Cybersecurity

As a specific concept complementary to the above, the Entity applies cybersecurity measures to prevent and manage possible attacks and fraud by cybercriminals that threaten the privacy and protection of the data that our Entity processes and accesses in the course of its activities and operations.

In this regard, we wish to warn that in the face of possible risk situations arising from communications whose content and/or format raise doubts as to their authenticity, we recommend disregarding them and contacting the Entity through the contact details indicated in this Privacy Policy.

Likewise, any request you receive that appears to originate from our Entity regarding changes to payment methods, requests for data or contact persons, or for confidential (non-public) information, bank and/or credit card details and/or other official data, must not be acted upon without direct confirmation from our Entity through another alternative means.

We appreciate and rely on your cooperation in reporting any notification of this type of request and any other possible cyberattack risk situation in which our Entity could be used, as well as any other possible security risk of which you may become aware.

Assistance and support

Data subjects may contact the Entity with any queries about the processing of their personal data or the interpretation of our Policy, by contacting the Data Protection and Privacy Officer through the email addresses indicated at the beginning of this Policy.

Updates and amendments

The Entity reserves the right to modify and/or update the information on data protection, when necessary for proper compliance with the regulations on this matter. If any modification is made, the new text will be published in this same section of the website.