As you surely know, the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 concerning the protection of personal data (hereinafter RGPD) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), emphasizes the necessity to reinforce personal data protection and security levels.
We need to inform you that CARTONAJES VIR complies with all the requirements demanded by the above-mentioned legislation, and that all the data under our responsibility are treated in accordance with all legal requirements, and that we also keep the due security measures that guarantee their confidentiality.

However, given the new legislative developments, we believe it is appropriate to share our privacy policy with you and to request you to accept it:

Who is responsible for the processing of your data?
CARTONAJES VIR, S.A. (CARTONAJES VIR) – POL. DE MERES, S/N – 33199 SIERO (ASTURIAS) – rgpd@cartonajesvir.com

For what purpose do we process your personal data?
– Attending to your queries and requests: Management of response to queries, complaints or incidents, technical or corporate information requests, resources and / or activities.

– Contacting the interested party through the media provided (mail, postal address and/or telephone) in order to manage your queries -sent to us through the channels provided for this purpose-, to manage notices, and to coordinate the actions derived from the services that you request us through people related to CARTONAJES VIR and/or by related data processors for legitimized and/or consented purposes.

– Offer and Commercial Management of products, services and brands commercialized by CARTONAJES VIR. Contact to request commercial data so as to manage the products and services design and proposal.

– Processing and managing your placed orders (online distance selling included), processing payments (payment gateway management in online store included), shipping purchased products, and managing delivery.

– Internal use, operating, and administrative, economic and accounting management derived from business and/or contractual agreement.

– Contracting management and provision of services of the organization, and complying with contractual and regulatory requirements bound to the organization or operation requested.

– Sending business communications about products or services similar to the ones contracted by the customer with whom we had a prior contractual relationship, legitimized under LSSICE, Article 21.

– Processes and activities quality management, quality control of our products and services, along with evaluation of satisfaction/perception results, and company stakeholders’ performance.
– Evidence provision to account for campaigns, activities, promotions, contests, projects and subsidies in which the organization participates.

– Regulatory Compliance Management (applicable regulations in addition to mandatory internal regulations): Research, monitoring and auditing of the established controls related to crime prevention, being also possible to establish access controls to our facilities, in addition to other controls related to the use of the images captured by our video surveillance systems, with the purpose of investigating accidents and/or incidents that might occur, along with non-compliance with regulations, crime or illegal behavior.

– Profile analysis, insofar as you have unequivocally consented: In order to provide you with products and services according to your interests, and to enhance your user experience, we will create a ‘profile’ based on the information you provide. No automated decisions will be made on the basis of that profile.

– Financial and Credit Solvency Evaluation in pursuance of the confirmation of the economic feasibility of the requested operation, along with, if applicable, the communication and management associated with the claim of the agreed amount for the service provision.

– Statistical and historical aims that help us improve business strategies for our products and services.

– Management and audit of our management systems, and regulatory compliance of processes and facilities of our organization.

– Managing the registration in workshops and events organized by CARTONAJES VIR.

– Managing the subscription to CARTONAJES VIR newsletter.

– Contacting and sending personal communications, invitations to events and gifts for customers, congratulating you on special dates, conducting quality and satisfaction surveys, together with informing you periodically of our new products, news and corporate information, information on publication of grants, contests, rates, offers, catalogs and promotions of pure products and services in order to evaluate our processes quality, and to provide offers of products and services of your interest by telephone, written or electronic means through the media provided, insofar as you have allowed us.

– Consulting the advertising exclusion systems that could affect their performance, not processing the data of the affected people who have previously opposed to or refused it through the consultation of the advertising exclusion systems published by the competent supervisory authority.

– Associated management, with prior communication included, that could arise from the development of any operation of companies’ structural modification or the contribution or transfer of business or branch of business activity, as long as the treatments were necessary for the operation successful completion, and ensure, if appropriate, the service provision continuity.

– Including -in the whistleblower channel systems- the reported associated data (even anonymously) of the commission within the organization or in the actions of third parties contracting with it, of acts or behaviors that could be against the general or sectorial applicable regulations.

– Disseminating our best practices regarding our provided services and/or publishing and/or communicating graphic material that could incorporate the owner’s image and/or his staff’s in corporate media (i.e. but not limited to, web, social networks, newsletters, activity report, reports, media presence) and/or other public media (sectoral publications and/or reports in print media, TV, … ), as dissemination of the activity results, promotion and dissemination, campaign management, activities and events and/or as technical solvency accreditation or requests for justification evidence in bidding processes, technical bids, projects and grants in which CARTONAJES VIR participates insofar as it has unambiguously consented to it.

– Managing Visits and Facilities Video Surveillance, along with security and regulatory compliance therein, investigating possible incidents or accidents, managing associated insurance and managing warnings or fines for non-compliance with safety regulations.

– Time and/or attendance control and monitoring through registering access, video surveillance and confirming functional performance, both in the company’s facilities and also in third parties’ facilities in which, the interested party had conducted service provision functions for CARTONAJES VIR (control and surveillance to verify the supplier/collaborator compliance of their contractual obligations).

– Highlighting the Company’s Regulatory Compliance to a third party that requires it: Communicating to third parties the data relating to the concerned person that are required by themselves in pursuance of complying with the business activities coordination, to evidence compliance with the organization rules and with the third-party internal regulations and / or for managing access to facilities. In those where the interested party unambiguously consents, the information/documentation communication required by the third party that has not been explicitly included in the established legal or regulatory obligations, but appears in the internal regulations of the third party, could be implemented, as far as the interested party has consented to it.

– Verifying that our workers do comply with their duties and labor obligations according to article 20.3 of the Workers’ Statute, which entitles employers to use surveillance and other control measures to this end (controls concerning the use of images captured by video surveillance systems for the research of accidents and/or incidents that could take place, along with labor standards breaches, crime or illegal behavior).

– Managing health and safety (occupational hazard prevention and safety surveillance), and compliance assessment.

– And if you have previously accepted, for the described purposes in the additional consents that you have unambiguously provided us through formal means and/or by checking the boxes enabled in the data protection clauses enabled in the form or base document which has regulated your relationship with CARTONAJES VIR, depending on the contact channel.

As far as you have provided us with your CV, the possible use and purposes for which we treat your data are:

– Internal use for recruitment processes for work positions, to be incorporated into our job pool, and also for supplying and managing possible collaboration or job offers that could be implemented.

– Candidates’ skills evaluation management and/or internal promotion to job positions.

– Using them for developing the application and its incorporation into the Job Exchange of the associated companies under the trade name CARTONAJES VIR* for supplying and managing possible job offers or partnerships that could be implemented, only in case you have unambiguously consented. Insofar as you had not consented to this end, we would not be able to receive your application inasmuch as managing candidates is performed through the above-mentioned job exchange.

– Using your CV in the technical offer to projects in which your incorporation is considered, only if you have unambiguously consented.

– Regulatory Compliance Management (applicable regulations along with our mandatory internal regulation): Research, crime prevention control monitoring and auditing, possibility of establishing access controls to facilities, information systems and document printing of all personal data under the company’s responsibility and, therefore, for all the information systems of our entity, as well as other controls related to the use of images that have been captured by our video surveillance systems in order to investigate accidents and/or incidents that could take place, in addition to labor standard breach, crime or unlawful behavior.

– Contacting with the interested party management, through the provided communication means (mail and/or telephone) so we can manage notices and coordinate actions for our recruitment process management. This can be done by people related to the associated companies under the trade name of CARTONAJES VIR* and/or by third parties to whom we might hire our candidates’ recruitment processes for job vacancies or job positions.

– The completion of tests and/or certificates of competence that could be required for staff recruitment purposes, that will be optional, will be assumed as the user express consent to the inclusion of the provided data, along with, ultimately, their assessment, in the Job Pool databases of the companies associated under the trade name of CARTONAJES VIR*, and their automated processing for the intent of performing the recruiting. As a result of accessing the facilities that may require the completion of such tests and / or certificates of competence, we might perform treatments related to our facilities security by access recording and / or video surveillance systems.

– Facilities Visits and Video Surveillance management, along with security and regulatory compliance therein, investigating possible incidents or accidents, associated insurance management and management of warnings or penalties for safety standards breach.

(*) You can consult the updated list of brands, products and services related to CARTONAJES VIR at www.cartonajesvir.com.

How long do we keep your data?

– The data provided will be kept either as long as the processing lawfulness relationship lasts, or until you request them to be deleted after we have formalized in writing the termination of our relationship with you, except when the data controller must retain them for claim formulation, exercise or defense, or to protect another natural or legal person rights, and/or for legal obligation reasons.

– In any case, at the end of our relationship with you, your Data will be duly blocked, as mandated in the current data protection regulations.

– Accounting and Tax Documentation – For Tax Purposes: The accounting books and other mandatory books and records according to the applicable tax regulations (income tax, VAT, IS, etc.), along with other documentary supports justifying those book recorded entries (including computer programs and files and any other supporting documents with fiscal significance), must be kept, at least, during the statute of limitations for Tax Offenses – General Tax Law and Penal Code, Statute of limitations infringements of 10 years.

– Accounting and Tax Documentation – For Mercantile purposes: Books, correspondence, documentation and other justifications concerning your business – Commercial Code – 6 years.

– Solvency Files: Data referring to definite, due and payable and not claimed debts-LOPD- 5 years.

– Occupational Risk Prevention Documentation – Documentation on workers’ information and training. Occupational accidents or professional diseases files – Law on Social Order Infractions and Penalties – 5 years.

– Solvency files: Data referring to definite, due and payable and unclaimed debts (Art. 20 of LOPDGDD) – only as long as the non-compliance persists, with a five-year maximum limit from the due date of the monetary, financial or credit obligation – 5 years.

– The video surveillance systems captured images and sounds shall be deleted within a maximum period of one month from their capture, except if they must be kept to prove the commission of acts that might threaten the integrity of people, goods or facilities (in which case, the images shall be made available to the competent authority within a maximum period of 72 hours from the time the existence of the recording is known), or are related to serious or very serious criminal or administrative offenses in matters of public security, to an ongoing police investigation or to an open judicial or administrative proceeding (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art. 22 LOPDGDD) – 30 days.

– All the Data included in automated processing created to control building access – Instruction 1/1996 AEPD on automated files established for the purpose of controlling building access – 30 days.

– The data processed in relation to the legal guarantee will be kept during the legal guarantee and after its expiration, for a period of time in which there could be a judicial or administrative claim in relation to the legal guarantee.

– The data processed with the purpose of sending business communications will be kept until you revoke your given consent.

– The complaint claimant data, and the employees and third parties’ data shall be kept in the complaints system so as to decide on the accuracy of initiating an investigation about the reported facts, and also subsequently as evidence of the prevention model operation of the crime commission by the legal entity, in accordance with the provisions of Article 24 of the LOPDGDD.

– The data concerning candidates that provided their CV shall be kept for 2 calendar years from its receipt date (except for those cases that the candidate results selected, in which case, they will become part of the contracting company HR data processing), along with the legally provided periods for the exercise or prescription of any liability action for breach of contract by the person concerned or by the Company.

– Therefore, data will be kept for as long as our business relationship remains in force, based on the retention periods established by the above-mentioned current regulations, along with the legal or contractual periods established for the exercise or prescription of any liability action for breach of contract by the interested party or the Company (the Civil Code establishes a period of 5 years to be able to perform an action for civil liability, period that must be calculated from the date on which compliance with the obligation can be demanded).

What is the legal basis for processing your data?

– The legal basis for processing your data is the fulfillment of the request you made us. The requested data are necessary for its correct provision.

– For the execution of a contract, request, offer, order and/or business contract, the data provided shall be communicated to the Brand responsible person so as to accurately address, where appropriate, the products and services guarantees and responsibilities provided by it.

– Complying with a legal obligation: administrative, commercial, tax, fiscal, accounting, civil and financial regulations, current legislation on labor, occupational risk prevention (business activities coordination) and social security and consumer and user protection legislation, along with the inherent regulations to the contracted operation and those related with the sector.

– Satisfying the Controller legitimate interest: Data processing as parties of a business relationship and/or contract, needed for its maintenance or fulfillment, data transmission within business groups for internal administrative purposes, direct marketing, fraud prevention, legitimate interest cases in which the controller might be an injured party, and it made necessary the processing and communication of the data of the defaulting party to third parties in order to manage regulatory compliance and the data controller interests defense, video surveillance purposes as a legitimate interest of our company for the protection of its assets, the legitimate interest of direct marketing enabled by the LSSICE (sending business communications about products or services similar to those contracted by the customer with whom there was a previous contractual relationship), and also legitimate interest cases of specific processing contemplated in the LOPDGDD: Article 19. Contact processing and individual entrepreneur data; Article 20. Credit information systems; Article 21. Processing related to the performance of certain commercial transactions (corporate restructuring or business transfers); Article 22. Processing for video-surveillance purposes; Article 23 Advertising exclusion systems; Article 24 Internal complaint information systems).

– Security and legitimate interest cases in which the data controller could be an injured party, and the non-compliant party data processing and communication to third parties is necessary in order to manage regulatory compliance and the data controller interest defense.

– Art. 20.3 and 4 Royal Legislative Decree 1/1995, of March 24, in which the Workers’ Statute Law (ET) revised text is approved: The employer may adopt the measures they deem most appropriate for monitoring, and control to verify compliance by the worker of their obligations and job duties, keeping in the employer’s adoption and implementation the due consideration for the worker’s human dignity and taking into account the actual capacity of disabled workers, if any.

– For the data of those candidates who provide their curriculum, the basis of legitimacy of the treatment shall be the fulfillment of their request to be incorporated into the interested party employment pool through the candidate’s self-candidacy by submitting their CV through the company and/or related companies contact channels for the selection of candidates for vacancies or jobs, as well as to satisfy the Responsible party legitimate interest: video surveillance purposes as a legitimate interest of the company in the protection of its assets, fraud prevention and assumptions of legitimate interest in which the controller could be an injured party and the processing and communication of the data in the event of non-compliance to third parties in order to manage regulatory compliance and the controller’s interests defense.

– The data subject consent that has been provided to us unequivocally through formal means and/or by checking the boxes provided for this purpose in the data protection clauses provided in the basic document that has regulated the commercial relationship based on the contact channel.

To which consignees can your data be communicated?

– Companies or people directly contracted by the Data Controller for the service provision related to processing purposes: Entities subcontracted to execute the works/services object of the contract with the client, Distributors, collaborators, Commercial collaborators, Companies related to our products transport management, Advertising/Marketing Agencies, Legal Consultancy, Tax Consultancy, Accounting Consultancy, Collection Management and Credit Insurance Entities, Management, Accounting and/or Regulatory Compliance Auditors, IT Maintenance.

– Governing Bodies: Board and Shareholders.

– Brand Responsible for the purposes derived from the contractual relationship (provided products and services guarantees and responsibilities) and in case you have consented, for the purposes described in the additional consents.

– Insurance Agents and Insurance Companies: Insurance underwritten by the company in case of incidents.

– Credit evaluation entities so as to evaluate the interested party creditworthiness in case of payment methods or financing conditions that require it.

– AFCO (Corrugated Cardboard Manufacturers’ Association): Delinquency Register.

– Public Administration Agencies or Bodies with competence in the matters covered by processing purposes: AEAT (Spanish Tax Agency).

– Financial Institutions: Bill direct debiting and/or bill collection management and other ways of payment.

– Security Forces and Corps: To the extent that it was required, a right of access justified in the investigation of a regulatory breach.

– Compliance Complaints Channel (Complaints about regulation violations and conduct code are forwarded to the Compliance Unit): Access to the data contained in these systems shall be limited exclusively to those who, whether or not they are part of the entity, perform the functions of internal control and compliance, or to the persons in charge of the processing that could be appointed for this end. However, accessing to it by other persons, or even communicating it to third parties, shall be lawful if it is needed to adopt disciplinary measures or to process the legal proceedings that, as the case may be, could result appropriate. Workers’ Representatives/Safety and Health Coordination, External Auditors: In compliance with R.D. 171/2004 – Accreditation delivery of risks by Coordination of Business Activities.

– Insurance Companies: In case of claim, incident or accident, insurance companies shall be allowed to investigate the event in order to delimit the scope and coverage of the insurance premium contracted by the data controller.

– For those candidates who had submitted their CV, the possible recipients could also be companies associated with the trade name CARTONAJES VIR*, companies or people directly hired by the Data Controller to provide services related to treatment purposes: TEA’s and third parties to whom the candidate recruitment processes for vacancies or jobs in companies associated with the trade name of CARTONAJES VIR* are contracted.

Under what guarantees are your data communicated?

– Data communication to third parties is only provided to entities that can prove the provision of a Personal Data Protection System in accordance with current legislation.

What are your rights?

– You are entitled to know, by requesting confirmation, if we are processing your personal data or not.
– Interested parties have the right to access their personal data, also to request the rectification of inaccurate data or, if appropriate, to request their deletion when, among other reasons, the data are no longer needed for the purposes for which they were collected. It is not possible to exercise the right of rectification in the case of video-surveillance processing since, due to the data nature -images taken from reality that reflect an objective fact-, it would be exercising a right of impossible content.

– In given circumstances, the interested parties may request a limitation of their data processing, in which case we will only keep them for claiming exercise or defense.

– In given circumstances and for reasons related to their particular situation, data subjects may object to their data processing, in which case the Data Controller will stop processing their data, except for compelling legitimate reasons, or for possible claim exercise or defense.

– Under the right to portability, data subjects have the right to obtain their personal data in a structured, commonly-used and machine-readable format, and to transmit them to another data controller.

– If you have given consent for a specific purpose, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on your consent prior to its withdrawal.

Where should you go to exercise your rights?

– If you wish to exercise your rights, please refer to the channel established for the exercise of rights by the data controller: rgpd@cartonajesvir.com so we can respond to your request in a managed way.

What is the required information to exercise your rights?

In order to exercise your rights, we need to verify your identity and the specific request you are making, so we must request you the following information:

– Documented information (writing/email) of the request in which the petition is specified.

– Proof of identity as the owner of the data being exercised. Interested party first and last name, a copy of their ID card, and/or the person representing them, along with the document proving such representation (legal representative, if applicable).

In the event of exercise of rights related to data of deceased persons, copy of:

– Family Book or Civil Registry in which the relationship of kinship or de facto relationship with the deceased is recorded and/or,

– Will in which the applicant is declared as heir and/or,

– Express designation of the applicant person or institution, by the deceased, and/or

– Documentation accrediting the legal representation of the deceased.

– In the event of exercising rectification and/or deletion rights: applicant’s responsible statement in which they prove to have the consent of the other people related to the deceased by family or by factual reasons, and also their heirs to perform such request.

– When the data controller has reasonable doubts regarding the identity of the natural person making the request, they may request the provision of additional information as needed to confirm the data subject identity.

– Address for notification purposes, date and applicant’s signature (if in writing), or first and last name (in case of e-mail), or application validation with personal password to authenticate your identity in the communication channel private area.

– When exercising their rectification right as recognized in article 16 of the RGPD, the data subject must indicate in their request to which data they refer and the corrections that must be made. The request must be accompanied, as needed, with documentary evidence of the inaccuracy or incompleteness of the data that are being processed.

– Likewise, as we process a large amount of data related to the data subject and they exercise their right of access without specifying whether it refers to all their data or just part of them, the data controller may require, before providing the requested information, that the data subject specify the data or processing activities referred to.

What is the general procedure for exercising your rights?

Once we have received the required information, we will proceed to answer your request according to CARTONAJES VIR general procedures for exercising your rights:

– The controller will provide the data subject with information related to their actions based on a request pursuant to Articles 15 to 22 (Data Subject Rights) and, in any case, within one month of receiving their request.

– This period could be extended two more months if needed, considering the amount and complexity of the requests.

– The person in charge shall inform the interested party of any of those extensions within one month of receiving their request, clearly stating the reasons for the delay.

– If the data subject submits their request by electronic means, their information shall be provided by electronic means, if possible, unless the data subject requests it to be provided in a different way.

– If the controller’s processing systems allow it, the right of access could be provided through a remote, direct and secure access system to personal data that guarantees, on a permanent basis, access to its entirety. For that purpose, the data controller’s communication to the data subject of the manner in which they can access such system will be sufficient to consider the request to exercise the right as granted. However, the data subject may request from the Data Controller the information referred to in Article 15.1 of the GDPR that is not included in the remote access system.

– If the data controller does not comply with the data subject’s request, it shall inform the data subject without delay, and no later than one month after receipt of the request, of the reasons for its failure to act and of the possibility of lodging a complaint with a supervisory authority and of taking legal action.

– The information we provide will be free of charge, except for a reasonable fee for administrative expenses. If the affected party instead of choosing the offered means, chooses any other implying a disproportionate cost, their request will be considered excessive, so that the affected party will assume the excessive expenses that his choice entails. In this case, only the satisfaction of the right of access without undue delay shall be enforceable against the data controller.

– The data controller may refuse to act on the request, but shall bear the burden of proving the manifestly unfounded or excessive nature of the request. For the purposes set forth in Article 12.5 of the GDPR, exercising your access right more than once during a six-month period shall be considered repetitive, unless there is legitimate cause to do so.

– While performing the exercise of rectification or deletion, your data will be blocked: The data blocking basically consists of their identification and reservation, adopting technical and organizational measures, to prevent their processing, including their visualization, except for making your data available to judges and courts, the Public Prosecutor’s Office or a competent Public Administration, particularly data protection authorities, for demanding possible responsibilities derived from their processing and only for their prescription period. Once this period has elapsed, your data will be destroyed. Blocked data may not be processed for any purpose other than that indicated above. (art. 16 RGPD and art.32 LOPDGDD).

– When the deletion derives from exercising your objection rights pursuant to article 21.2 of the RGPD, the Data Controller may keep the data subject identification data as needed to prevent future processing for direct marketing purposes. In case you do not want your data to be processed for the purpose of sending business communications, we refer you to the existing advertising opt-out systems, in accordance with the information published by the competent supervisory authority (AEPD) on its website www.aepd.es.

– When personal data processing is limited, it must be clearly stated in the information systems of the Data Controller.

– Upon the existence of an enforceable, due and payable debt, the debtor will be sent a communication, at the time of requesting payment, informing them about the possibility of including them in those systems (organization’s delinquency treatments), with indication of those in which they participate (collection management entities for the relevant claim management…). In case the debt is not resolved within a maximum period of 15 days from the notification of the insolvency, you will be informed about the possibility of exercising the rights established in articles 15 to 22 of the RGPD within thirty days from the notification of the debt to the system, your data remaining blocked during that period.

– People related to the deceased either by family or by de facto reasons, as well as their heirs, may contact the data controller or the data processor in order to request access to their personal data and, if appropriate, their rectification or erasure. As an exception, the people referred to in the preceding paragraph may not access the data of the deceased, nor request their rectification or erasure, when the deceased had expressly prohibited it or when so is established by law. That prohibition shall not affect the heirs’ right to access the data of the deceased’s estate.

– In order to comply with the current regulation on video surveillance (Inst. 1/2006 of the AEPD), we inform you that the recordings conservation period is 1 month, so we will not be able to meet any request formalized in later periods. Likewise, to avoid affecting third parties’ rights, in the case of an access request, we will issue a certificate specifying, as accurately as possible and without affecting the third parties’ rights, the data that have been processed. E.g., “Your image was recorded in our systems on the ___ day of the month of the year _ between _ hours and _ hours. In particular, the system records your access to and exit from the building”.

Which complaint procedures are available?

– If you consider that the exercise of your rights has not been fully satisfactory, you may file a complaint with the national supervisory authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid.

How did we obtain your data? Through:

– The interested party themselves or their legal representative, through the communication sent and/or through professional social networks.

– Business partners, those responsible for marketed brands, events, trade fairs and organized conferences in which the organization participates, legitimate business databases, professional social networks, search engines and internet databases, as well as third parties with which the data controller maintains a business relationship or service provision and for which they must have your personal data in order to process the requested service or to fulfill our contractual commitments and tax and accounting obligations associated with the service under contract and/or for verification of regulatory compliance under our company responsibility.

– For the data of those candidates who have provided their curriculum, the possible origin of their data could be, in addition to the interested party, temporary employment companies, entities with which some agreements have been established for recruiting commitment internships or training programs, professional social networks and/or third parties to whom the candidate selection processes for vacancies or jobs of companies related to the trade name CARTONAJES VIR* are contracted.

What data categories do we process?

– The data structure we process does not include data related to criminal convictions and offenses, or specially protected data, unless the concerned person is the beneficiary of a special condition that must be considered for the service provision and / or for the management of the grant that can be processed (e.g. situation of disability), and provide documentation to prove it, along with those cases in which the holder has special conditions and must provide documentation that incorporates such information so that it can be accredited or justified to that condition fulfillment.

– Identifying and contacting data, such as, but not limited to: first and last name, telephone or e-mail, business information data, economic, financial and/or payment terms data; other data types: some of our company staff contact data: those involved or related to the contract/request service object, along with those related and/or provided with the Consultation, Request for technical or corporate information, Resources and/or Activities, Complaints or Incidents that you formulate, as well as the personal data of third parties that you might have provided us with.

– Business data, contacting people for administrative and operational management -related to the contract/project execution-, and workers who shall perform the contracted work in terms of coordination of business activities related to occupational hazard prevention. For those workers who shall perform the contracted work in terms of coordination of business activities related to occupational hazard prevention; Licenses or approvals, in the case of workers who will perform the contracted work in terms of coordination of business activities related to occupational hazard prevention; Business information and approval data; Economic, financial data and/or collection conditions; Goods and services provided by the affected party, Financial transactions; Other data: First and last Name, and their legal representative NIF, company staff involved or related to the contract/order project object contacting details.

– For the data of those candidates who have provided their CV, the structure of the data processed would include, but not be limited to, identifying and contacting data (address, contact telephone number and contact e-mail); Academic and professional data related to training, qualifications and professional experience; Personal data associated with marital status, family data, date and place of birth, age, sex, nationality; Work permit; Employment status data; Other data (professional aspirations, leisure and hobbies). To the extent that the candidate reports a disability condition, certificates attesting to it may be required.

How are your personal data stored in a safe way?

– Regarding your personal data processing, we inform you:
The Data Controller will take all the measures needed to store your personal data in a private and safe way. Only CARTONAJES VIR authorized staff, and authorized personnel of third parties directly contracted by the Data Controller for providing services related to processing purposes, or CARTONAJES VIR authorized staff (who have a legal and contractual obligation to keep all information safe) have access to your personal data. All CARTONAJES VIR staff that have access to your personal data are previously required to agree to respect the data controller Privacy Policy and the data protection regulations, and all employees of Third Parties who have access to your personal data are previously required to sign confidentiality commitments under the terms established in the current legislation. In addition, we contractually reinforce that third party companies that have access to your personal data must keep them safe. To ensure that all your personal data are protected, CARTONAJES VIR has an IT security environment and takes the necessary measures to prevent unauthorized access.

CARTONAJES VIR has entered into an agreement to ensure that we will treat your personal data in a correct way and in accordance with applicable data protection regulations. These agreements reflect the respective roles and responsibilities in relation to you, and which entity is in the best position to meet your needs. These agreements do not affect your rights under data protection law. For more information about these agreements, please do not hesitate to contact us.

The service provision object of our contract may involve physical access by CARTONAJES VIR staff to premises or facilities to store personal data for whose treatment the client is responsible. In this sense, CARTONAJES VIR has signed -with its staff- clauses that forbid access to all types of confidential information and, in particular, to the personal data that belong to the client, unless the service contemplated in its scope the processing of personal data, in which case, CARTONAJES VIR would act as responsible for processing them, establishing in such case the relevant contract in accordance with current legislation on data protection that would include among other aspects the object, duration, nature, purpose, category of the data to be processed, security measures, obligations and rights of the processor, organizational and technical security measures to ensure confidentiality during the process, as well as the agreements adopted between client and processor in relation to the transmission of security breaches and/or right exercising. The non-formalization of the personal data processing service in a contract by the client, presupposes that CARTONAJES VIR has no associated responsibility as a data processor.

Notwithstanding the above, in the event that the client becomes aware of any confidential information for the purpose of service provision, the client undertakes to keep it secret, not to disclose or publish it, either directly or through third parties or companies, or to make it available to third parties. This confidentiality obligation is indefinite, subsisting even at the end of the contract for any reason. CARTONAJES VIR undertakes to communicate and enforce this confidentiality obligation established to the staff in its charge and hired on its behalf.

– Regarding the video surveillance systems with which the facilities under the responsibility of CARTONAJES VIR are equipped, we must inform you that CARTONAJES VIR, S.A. takes all the measures needed to keep private and safe your personal data, and will attend in any case to the provisions of Law 5/2014, of April 4, on Private Security and its implemented provisions. In this sense, we establish and inform you of the following security measures:

– INFORMATION DUTY: You are informed about the existence of cameras and image recording, in order to comply with the information duty provided for in Article 12 of the RGPD through an informative device in a sufficiently visible place identifying the existence of the treatment, the identity of the responsible person, and the possibility of exercising the rights provided for in Articles 15 to 22 of the RGPD. A connection code or internet address to this information may also be included in the informative device. In any case, CARTONAJES VIR, S.A. keeps at the disposal of those affected the information referred to in the above-mentioned regulation in the Privacy Policy referenced in the above-mentioned device. In case the flagrant commission of an illegal act has been captured, the information duty will be understood to be fulfilled when there is at least the informative video surveillance device.

– CAMERAS LOCATION: CARTONAJES VIR, S.A. will only capture images of the public road to the extent that it is essential for the purpose of preserving security. Under no circumstances shall CARTONAJES VIR, S.A. install sound recording or video surveillance systems in places intended for workers’ or public employees’ rest or recreation, such as changing rooms, toilets, canteens and the like.

– SOUND RECORDING: CARTONAJES VIR, S.A. will only perform sound recordings when the risks to the safety of our facilities, goods and people derived from the activity carried out in the work center become relevant, and always respecting the principles of proportionality, minimum intervention and guarantees.

– MONITORS LOCATION: The monitors where the camera images are displayed are located in a restricted access area so that they are not accessible to unauthorized third parties.

– PRESERVATION: The images/sounds captured by video surveillance systems shall be deleted within a maximum period of one month from their capture, except when they have to be kept to accredit the commission of acts that threaten the integrity of people, property or facilities (in which case, the images shall be made available to the competent authority within a maximum period of 72 hours from the very time the existence of the recording became known), or are related to serious or very serious criminal or administrative offenses in matters of public security, to an ongoing police investigation or to an open judicial or administrative proceeding (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art. 22 LOPDGDD) – 30 days.

– LABOR CONTROL: Treatment will be carried out in order to exercise the workers’ control functions provided for in Article 20.3 of the Workers’ Statute within its legal framework and with the limits inherent to it. To the extent that the cameras can be used for labor control purposes, as provided for in Article 20.3 of the Workers’ Statute, all workers and their representatives are informed about the present control measures established by the employer with the express indication of the labor control purposes of the camera-captured images, as indicated in the inclusion notification clause and in this privacy policy.

– IMAGES ACCESS RIGHTS: In order to comply with the interested parties’ access rights, a recent photograph and the National Identity Card of the interested party will be requested, as well as details of the date and time to which the access right refers. The interested party shall not be provided with direct access to the images of the cameras in which images of third parties are shown. To avoid affecting the rights of third parties, in the case of an access request, we will issue a certificate in which, as precisely as possible and without affecting the rights of third parties, we specify the data that have been processed. E.g., “Your image was recorded in our systems on the ___ day of the month of the year between _ hours and _ hours. Specifically, the system records your access to and exit from the facility”.

Changes in Privacy Policy

CARTONAJES VIR reserves the right to make, at any time, as many modifications, variations, deletions or cancellations in the contents and in the form of presentation thereof as it deems appropriate, and we therefore recommend that you consult our privacy policy whenever you deem it appropriate. If you do not agree with any of the changes, you can exercise your rights according to the procedure described by sending an email to rgpd@cartonajesvir.com.

– With the acceptance and/or validation of the process that serves as the basis for the formalization of your relationship with CARTONAJES VIR, as well as, if applicable, with the access to the facilities subject to video surveillance, you expressly consent to the processing of data in accordance with the provisions of the clause and additional information on data protection, as well as informing and having the consent of third parties from whom you provide us with personal data for such processing. If you have checked the corresponding consent box, the legal basis for such purposes is your consent, which you may withdraw at any time.

– In this sense, you declare to have been informed, to consent, as well as to inform and to have the consent of third parties from whom you provide us with personal data for such processing. In cases where you represent a minor under 14 years of age or a person with legal incapacity, you responsibly declare to have the parental authority or guardianship of the minor or the corresponding legal representation, whose justification may be required by the Data Controller in order to legitimize the consent accepted.

– Likewise, and to the extent that as a result of their relationship CARTONAJES VIR may have access to personal data and/or confidential information, they are obliged to maintain absolute confidentiality and discretion on the information obtained about the activities, interested parties and entities related to CARTONAJES VIR, especially with regard to Personal Data, even after the end of their relationship with the organization.