Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), fully applicable as of May 25, 2018 according to its Article 99.2, states that the protection of the rights and freedoms of natural persons with regard to the processing of personal data requires the adoption of appropriate technical and organizational measures in order to ensure compliance with the requirements of that Regulation. In order to be able to demonstrate compliance with the Regulation, the controller must adopt internal policies and implement measures that comply in particular with the principles of data protection by design and by default.
We comply with these principles with respect to the data provided by users of the www.mesassport.com website.
Mesas Sport S.L will act in accordance with the General Data Protection Regulation fully applicable as of May 25, 2018. These personal data will come from emails sent to the email address made available for this purpose on the website or from data submitted by filling out the contact form. The data will be collected in one or more files in order to be able to respond to your requests.
Principles for processing personal data:
- Principle of “lawfulness, transparency and fairness”, which means that the data must be processed in a lawful, fair and transparent manner for the data subject.
- “Purpose limitation” principle, which implies, on the one hand, the obligation that data be processed for one or more specified, explicit and legitimate purposes and, on the other hand, that data collected for specified, explicit and legitimate purposes may not be further processed in a manner incompatible with those purposes:
  - Managing and facilitating the use of the Web and access to services, resolving user queries, and supporting any questions, problems or complaints that may arise with the use of the Web.
  - Sending electronic communications, provided that you have given your consent to do so, and giving you the possibility to revoke such consent at any time.
- Principle of “data minimization”, i.e. we only request data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- The data, according to the “accuracy principle”, must be accurate and, if necessary, updated, and all reasonable steps must be taken to ensure that inaccurate data is rectified or deleted in relation to the purposes for which it was collected.
- The principle of “limitation of the retention period” is related to that of minimization. Just as only data that are adequate, relevant and necessary for a purpose may be processed, the retention of such data must be limited in time to the achievement of the purposes pursued by the processing. Once these purposes have been achieved, the data will be erased or, at least, stripped of any element allowing the data subjects to be identified.
  The data shall be kept for the term established by law, as long as there is a mutual interest in maintaining the purpose of the processing and when it is no longer necessary for such purpose, as long as the contractual relationship is maintained, as long as their deletion is not requested by the data subject and they should not be deleted because they are necessary for the fulfillment of a legal obligation or for the formulation, exercise and defense of claims. They will be deleted with appropriate security measures to ensure the pseudonymization of the data or their total destruction. If the User revokes his/her consent or exercises the rights of cancellation or suppression, his/her personal data will be kept blocked at the disposal of the Administration of Justice during the legally established periods in order to attend to possible liabilities arising from the processing of such data. Subsequently, they will be deleted with appropriate security measures to ensure the pseudonymization of the data or their total destruction.
- Principle of “integrity and confidentiality”: data are processed under an obligation to act proactively to protect the data being handled against any risk that threatens their security.
Personal data may be transferred to:
- Providers of computer maintenance and web hosting services.
- Public Administrations and the Administration of Justice.
Article 30 of the GDPR regulates the so-called “Register of processing activities”, which replaces the registration of files (in force under the previous LOPD 15/1999) and establishes that each controller and, if applicable, the processor, shall keep a register of the processing activities carried out under its responsibility. This register must contain the following information, in addition to the information detailed in the previous paragraph:
- The name and contact details of the data protection officer: the company Mesas Sport itself.
- Mesas Sport SL declares to have taken all the technical and organizational security measures at its disposal in order to prevent the loss, misuse, alteration, unauthorized access or theft of the data you provide.
Legitimacy for the processing of personal data
Mesas Sport is entitled to carry out the processing of personal data on the basis that:
- The user has voluntarily and expressly provided his/her personal data to use the contact form located at:
https://mesassport.com/contacto/
Risk analysis and adoption of security measures
Both technical and organizational measures are taken to ensure the confidentiality, integrity and availability of personal data. Article 32 of the GDPR states that the appropriate technical and organizational measures to ensure a level of security appropriate to the risk are defined on the basis of the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of individuals.
No static security measures are established; Mesas Sport will determine those security measures that are necessary to ensure the confidentiality, integrity and availability of personal data. In short, the risk assessment comes first; once the risk has been assessed, the security measures aimed at reducing or eliminating risks to the processing of data are determined.
In relation to security measures, the First Additional Provision of Organic Law 3/2018 states that the controllers listed in Article 77.1 of that organic law must apply to the processing of personal data the security measures that correspond to those provided for in the National Security Scheme.
Among other measures, the SSL protocol allows us to encrypt connections to our website to protect the privacy of our users, preventing third parties from accessing information such as users' names, addresses, etc.
Security breaches
Regulation (EU) 2016/679, the General Data Protection Regulation, establishes in its Articles 33 and 34 the obligation for organizations (public and private) acting as data controllers to notify the competent Supervisory Authority of security breaches that may cause harm to individuals and, if such harm is serious, to communicate the breach to the individuals whose data has been affected so that they can take their own measures. The deadline for notifying the Supervisory Authority is 72 hours after the organization becomes aware of the breach.
Exercise your rights
Data protection regulations allow you to exercise, before the data controller, Mesas Sport, your rights of access, rectification, objection, erasure (“right to be forgotten”), restriction of processing, portability, and not to be subject to individualized decisions.
These rights are characterized by the following:
- Exercising them is free of charge.
- If the requests are manifestly unfounded or excessive (e.g. of a repetitive nature), the controller may:
  - Charge a fee proportional to the administrative costs incurred.
  - Refuse to act.
- Requests must be answered within one month, although, taking into account the complexity and number of requests, the deadline may be extended for a further two months.
- The data controller is obliged to inform you about the means to exercise these rights. These means must be accessible, and this right cannot be denied simply because you choose another means.
- If the request is submitted by electronic means, the information shall be provided by electronic means whenever possible, unless the interested party requests otherwise.
- If the controller does not act on the request, it shall inform you, within one month at the latest, of the reasons for its inaction and of the possibility to complain to a Supervisory Authority.
- You may exercise your rights directly or through your legal or voluntary representative.
- The processor may be the one to attend to your request on behalf of the controller if both have so established in the contract or legal act that binds them.
Data of minors
Mesas Sport will not collect or process personal data from children under the age of 16 without full compliance with the requirements set forth in the applicable GDPR regulations.
Intellectual Property
Access to this website does not grant users any rights or ownership of the intellectual property rights of the elements and materials that make it up.