1. Objective of the Privacy Policy
This “Privacy and Data Protection Policy” aims to inform about the conditions governing the collection and processing of personal data by MM Medical Flowers SL, making the maximum effort to protect the fundamental rights, honor, and freedoms of the individuals whose personal data are processed, complying with the regulations and laws in force that regulate the Protection of Personal Data according to the European Union and the Spanish Member State, particularly those expressed in the “Data Processing Activities” section of this Privacy Policy.
Therefore, in this Privacy and Data Protection Policy, users of the Website www.medicalflowers.es are informed of all details of interest regarding how these processes are carried out, for what purposes, which other entities might have access to their data, and what the users’ rights are.
2. Definitions
“Personal data”: Any information about an identified or identifiable natural person (“the Website user”); a natural person shall be considered identifiable if their identity can be determined directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
“Processing”: Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Restriction of processing”: The marking of stored personal data with the aim of limiting their processing in the future.
“Profiling”: Any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects of a natural person, particularly to analyze or predict aspects related to job performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.
“Pseudonymization”: The processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“File”: Any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.
“Controller” or “controller of processing”: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Processor” or “processor of processing”: The natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
“Recipient”: A natural or legal person, public authority, agency, or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
“Third party”: A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
“Data subject’s consent”: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
“Personal data breach”: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
“Genetic data”: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or health of that person, obtained in particular from the analysis of a biological sample from the natural person in question.
“Biometric data”: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
“Data concerning health”: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about the health status of that person.
“Main establishment”: (a) As regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions shall be considered to be the main establishment; (b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union or, if it has no central administration in the Union, the establishment of the processor in the Union where the main processing activities take place in the context of the activities of an establishment of the processor, in so far as the processor is subject to specific obligations under this Regulation.
“Representative”: A natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under this Regulation.
“Enterprise”: A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
“Supervisory authority”: An independent public authority established by a Member State pursuant to Article 51 of the GDPR. In the case of Spain, this is the Spanish Data Protection Agency.
“Cross-border processing”: Either (a) the processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) the processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
“Information society service”: A service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
3. Identity of the Data Controller
The Data Controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In cases where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
In the aspects expressed in this Privacy and Data Protection Policy, the identity and contact details of the Data Controller are:
Website Owner: MM Medical Flowers SL – CIF B42749093
Address: C/ Cañada del Pilar, 9, 21440 Lepe, Huelva
Contact: Tel. +34 691464947 – Email: admon@medicalflowers.es – www.medicalflowers.es
Activity: Agricultural
4. Applicable Laws and Regulations
This Privacy and Data Protection Policy is developed based on the following data protection regulations and laws:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Hereinafter GDPR.
- Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights. Hereinafter LOPD/GDD.
- Law 34/2002 of 11 July on Information Society Services and Electronic Commerce. Hereinafter LSSICE.
5. Principles Applicable to the Processing of Personal Data
The personal data collected and processed through this Website will be treated according to the following principles:
- Principle of lawfulness, fairness, and transparency: All processing of personal data carried out through this Website will be lawful and fair, remaining entirely clear to the user when personal data concerning them are collected, used, consulted, or processed. Information related to the processing will be provided beforehand, in an easily accessible and easy-to-understand manner, in simple and clear language.
- Principle of purpose limitation: All data will be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Principle of data minimization: The data collected will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Principle of accuracy: The data will be accurate and, where necessary, kept up to date. Every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Principle of storage limitation: Data will be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Principle of integrity and confidentiality: Data will be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- Principle of accountability: The entity owning the Website will be responsible for compliance with the principles set out in this section and will be able to demonstrate it.
6. Data Processing Activities
MAIN DATA PROCESSING ACTIVITIES
These are data processing activities whose purposes are necessary and essential for providing the services.
Management of Website Users
- Controller: MM Medical Flowers SL
- Purpose: Management of information requests.
- Legitimacy: Explicit consent.
- Retention: 1 year after the last contact of interest.
- Recipients: We do not share your data unless legally required.
- International transfers: None planned.
- Source: The data subject.
- Rights: You have the right to access, rectify, delete, limit, or object to the processing, to data portability, not to be subject to automated decisions, to withdraw your consent, and to file complaints with the supervisory authority (Spanish Data Protection Agency).
7. Necessary and Updated Information
All fields marked with an asterisk (*) in the forms on the Website are mandatory, so omitting any of them may make it impossible to provide the requested services or information.
You must provide truthful information so that the information provided is always up-to-date and free from errors. You must notify the Data Controller as soon as possible of any changes and corrections to your personal data via an email to: admon@medicalflowers.es
By clicking the “Accept” button (or equivalent) incorporated in the forms, you declare that the information and data provided are accurate and truthful, as well as that you understand and accept this Privacy Policy.
8. Data of Minors
In compliance with Article 8 of the GDPR and Article 7 of the LOPD/GDD, only those over 14 years of age can legally consent to the processing of their personal data by MM Medical Flowers SL.
Therefore, minors under 14 years of age cannot use the services available through the Website without prior authorization from their parents, guardians, or legal representatives, who will be solely responsible for all acts carried out through the Website by the minors in their charge, including the completion of forms with the personal data of such minors and the marking of any accompanying checkboxes.
9. Technical and Organizational Security Measures
The Data Controller adopts the necessary technical and organizational measures to ensure the security and privacy of your data and to prevent their alteration, loss, or unauthorized processing or access, depending on the state of technology, the nature of the stored data, and the risks to which they are exposed.
Among others, the following measures are highlighted:
- Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- Restoring the availability and access to personal data quickly in the event of a physical or technical incident.
- Regularly verifying, evaluating, and assessing the effectiveness of technical and organizational measures to ensure the security of processing.
- Pseudonymizing and encrypting personal data, where necessary and when dealing with sensitive data.
10. Rights of Data Subjects
The current data protection regulations grant the user several rights regarding the use of their data. Each of these rights is personal and non-transferable, meaning they can only be exercised by the owner of the data after verifying their identity.
Below are the rights of Website users:
- Right of access: The right of the Website user to obtain confirmation as to whether or not the Data Controller is processing their personal data, and if so, to obtain information about their specific personal data and the processing that the Data Controller has carried out or is carrying out, as well as, among other things, the information available about the origin of those data and the recipients of the communications made or planned for them.
- Right to rectification: The right of the Website user to have inaccurate personal data corrected or completed when it is incomplete, considering the purposes of the processing.
- Right to erasure: Also known as the “right to be forgotten,” it is the right of the Website user, provided that the current legislation does not establish otherwise, to obtain the deletion of their personal data when these are no longer necessary for the purposes for which they were collected or processed; the user has withdrawn their consent to the processing and there is no other legal ground for processing; the user objects to the processing and there is no other legitimate reason to continue with it; the personal data has been processed unlawfully; the personal data has been obtained from a direct offer of information society services to a minor under 14 years of age. In addition to deleting the data, the Data Controller, taking into account the technology available and the cost of its application, shall take reasonable steps to inform other controllers that are processing the personal data of the data subject’s request for the deletion of any links to those personal data.
- Right to restriction of processing: The right of the Website user to limit the processing of their personal data. The Website user has the right to obtain the restriction of processing when they contest the accuracy of their personal data; the processing is unlawful; the Data Controller no longer needs the personal data, but the user needs them to make claims; and when the Website user has objected to the processing.
- Right to data portability: In cases where processing is carried out by automated means, the Website user has the right to receive from the Data Controller their personal data in a structured, commonly used, and machine-readable format and to transmit them to another controller. Where technically possible, the Data Controller shall transmit the data directly to that other controller.
- Right to object: The right of the Website user to have the Data Controller not process their personal data or cease processing them.
- Right not to be subject to automated decision-making and/or profiling: The right of the Website user not to be subject to a decision based solely on automated processing, including profiling, except when current legislation establishes otherwise.
- Right to withdraw consent: The right of the Website user to withdraw their consent at any time for the processing of their data.
The Website user can exercise any of these rights by contacting the Data Controller, with prior identification of the user, using the following contact information:
Website Owner: MM Medical Flowers SL – CIF B42749093
Address: C/ Cañada del Pilar, 9, 21440 Lepe, Huelva
Contact: Tel. +34 691464947 – Email: admon@medicalflowers.es – www.medicalflowers.es
Activity: Agricultural
11. Right to Lodge a Complaint with the Supervisory Authority
The user is informed of their right to lodge a complaint with the Spanish Data Protection Agency if they consider that an infringement of data protection legislation has occurred concerning the processing of their personal data.
Contact information for the supervisory authority:
Spanish Data Protection Agency
Email: info@aepd.es
Phone: 912663517
Website: https://www.aepd.es
Address: C/. Jorge Juan 6, 28001 Madrid, Spain
12. Acceptance and Changes in the Privacy Policy
It is necessary that the Website user has read and agrees with the conditions on the protection of data contained in this Privacy Policy, as well as accepts the processing of their personal data so that the Data Controller can proceed with it in the manner, during the periods, and for the purposes indicated.
The Data Controller reserves the right to modify this Privacy Policy according to its own criteria or motivated by a legislative, jurisprudential, or doctrinal change of the Spanish Data Protection Agency. Changes or updates made to this Privacy Policy that affect the purposes, retention periods, data transfers to third parties, international data transfers, as well as any user’s rights, will be communicated explicitly to the user.