Personal data that may be collected directly from the interested party shall be processed confidentially and used in the pertinent processing activity owned by GEROA PETNSIOAK E.P.S.V. DE EMPLEO (hereinafter, GEROA), with corporate headquarters at Paseo Lugaritz 27, bajo, 20018 San Sebastián-Donostia, Gipuzkoa (Spain).
Users may contact GEROA staff to answer questions related to processing their personal data, addressing the Data Protection Officer at the post address provided above or the email address email@example.com.
- Our current members, for whom we administer and manager contributions with the sole objective of complementing retirement, disability, or death pensions.
- Beneficiaries appointed by members.
- Users who browse our website www.geroa.eus who may or may not be members.
Purpose of processing your personal data - What do we do with your data?
GEROA only uses your personal data for the following purposes related to our activity:
For Worker members:
- To manage and administer their contributions, and then complement retirement, disability, or death pensions, in fulfilment of the contract entered into between GEROA and the companies for which they work.
- To establish a communication channel and keep them individually informed of the evolution of their equity based on GEROA's management, as well as their data on configuration of their complement, and to inform them of calculations on their future complement.
- To control the quality of the services provided in managing the communication between you and GEROA, which is done through your opinions and suggestions from web forms found in the private user area or by telephone call.
In the event of beneficiaries appointed by worker members:
- To manage payment of the complement for the death.
Regarding website users:
Types of data collected- Which personal data do we process?
The data we will process at GEROA are:
For worker members:
- Identifying information.
- Hired contingency.
- Contribution group.
- Benefit type.
- Financial data.
For member beneficiaries.
- Identifying information.
For website users
Origin of data - from whence do we obtain your personal data?
For worker members:
Our members' data are obtained from companies or organisations to which they belong, after entering into a membership contract with GEROA, as well as from the interested members themselves.
It is important to mention that the services that GEROA offers are not ordered or recorded through the website; only members, pursuant to the paragraph above, may access the site's forms.
Once a contract has been signed with GEROA to manage and administer worker contributions, the worker member and the company representative shall obtain a username and password to access private areas on the website "Worker Area" and "Company and Administrator Area," respectively, which house the data recording and updating forms.
For worker member beneficiaries
Data are obtained from the worker members themselves that appointed the individual as beneficiary, pursuant to the contract entered into and the hired contingency. When a minor is designated as beneficiary by the individuals who hold parental authority or legal representation, then they shall authorise GEROA to collect, use and process said data for the aforementioned purpose.
For website users
Personal data shall be automatically collected through the cookies that load when browsing our website.
Legitimacy of data processing- Why can we use your personal data?
For worker members:
The legal basis for processing the personal data of worker partners regarding management and administration of their contributions, communications to inform them of the evolution of their equity based on GEROA's management, as well as data on configuration of their complement and calculations on the future complement, and appointment and provision of their beneficiaries' data, is the execution of a contract wherein the interested party and his/her beneficiaries are a party, pursuant to article 6.1 letter b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 with regard to the processing of personal data and the free movement of such data (GDPR).
In the event of opinions, suggestions, and recordings of voice calls to control the service's quality, the legal basis for processing is the controller's legitimate interest, pursuant to article 6.1, letter f) of the GDPR.
For worker member beneficiaries.
The legal basis for processing the data of beneficiaries is fulfilment of the contract of which the worker member and his/her beneficiaries are a party, as well as fulfilment of the obligations set forth in Law 5/2012 of 23 February, on Voluntary Social Security Entities and their Regulations, pursuant to article 6.1, letters b) and c) of the GDPR.
For website users
The legal basis for processing the data obtained through cookies is the webpage user's consent, pursuant to article 6.1, letter a) of the same regulation.
Storage periods - How long will we use your personal data?
For worker members
Pursuant to Decree 203/2015 of 27 October, approving Regulation of the Law 5/2012 of 23 February, on Voluntary Social Security Entities, historic records of all members and beneficiaries shall be permanently stored: contributions, benefits, voluntary cancellations, and distributions, and all of their dates, as well as their amounts.
These records include communications between you and GEROA related to requests to modify the services provided (especially personal data).
Other communications, including the user's opinions and suggestions, shall be stored for a maximum period of 2 years.
Finally, recorded telephone conversations shall be stored for a period of one month, unless necessary to store them due to a conflict or incident. In this case, they will be stored until a resolution is reached.
After the aforementioned periods have expired, the information is definitively deleted.
For worker member beneficiaries
Pursuant to Decree 203/2015 of 27 October, approving Regulation of the Law 5/2012 of 23 February, on Voluntary Social Security Entities, historic records of all members and beneficiaries must be permanently stored: contributions, benefits, voluntary cancellations, and distributions, and all of their dates, as well as their amounts.
Personal data provided through cookies shall be stored the time necessary to fulfil the purpose for which they collect the data, and to determine possible liabilities that may arise from said purpose, in addition to the periods established in regulations on archives and documentation.
Recipients to whom we may send your data- With whom do we share your personal data?
As far as sharing your data is concerned, you are hereby expressly informed that data shall not be transferred to third parties unless there is a legal obligation to do so.
To carry out GEROA's activities, access may be given to data-processing suppliers who, under all circumstances, shall not process your personal data for their own purposes.
As follows, more details are provided on processing:
For worker members and their beneficiaries
The data provided to us may be transferred to pertinent Public Administrations and Bodies, such as the Provincial Tax Treasury, the Provincial Council of Guipúzcoa and the Government of the Basque Country, by legal obligation.
Regarding processing orders, GEROA has established contractual relationships with suppliers located in the European Union, for services including messenger service, documentation management and IT resource management.
It has also subcontracted the services of a marketing automation platform (Mailchimp) to data processors (The Rocket Science Group LLC d/b/a MailChimp), located outside the European Union (in USA).
Regarding the guarantees included in said international data transfer, the supplier uses the Privacy Shield and maintains active certification.
Some of the data collected by the cookies will be transferred to Google Analytics, which acts as Data Controller, insofar as it uses the information for its own purposes, such as developing new services, measuring the effectiveness of advertising, protecting users from fraud and abuse and personalising content and ads that appear on Google or on websites and applications of its partners. Your IP address will be anonymised, so it shall not be collected by Google.
Finally, Google Analytics uses the Privacy Shields established in the USA and Switzerland, with both maintaining active certifications.
In general, GEROA has subcontracted hosting, support and maintenance services for the systems supporting personal data processing to processors located in the European Union
For supplier companies located outside the EU that have some sort of access to personal data to provide some ancillary service, we shall select them by ensuring that they have established sufficient guarantees to maintain European data protection requirements.
GEROA shall take the technical and organisational measures necessary to ensure the security of personal data and prevent their alteration, loss or unauthorised processing or access, bearing in mind the state of technology, the type of the data stored and the risks to which they are exposed, either from human action or the physical or natural environment.
Rights of the Interested Party
This section is applicable to worker members, their beneficiaries and website users.
They are hereby informed that they may exercise the rights granted to them by applicable personal data protection regulations, which are:
- Right of access: users shall have the right to obtain confirmation from GEROA whether it is processing their personal data and, if so, the right to access the personal data and the following information: the purposes of the processing; the categories of personal data in question; recipients with whom their personal data is or will be shared, including international transfers; the storage period of their personal data; the existence of their rights; the right to file a complaint with a control authority; when the personal data were not obtained from the interested party, all information available on the source; and, whether automated decisions are made, including drawing up profiles.
Right of rectification: users may request that GEROA rectify their personal data if inaccurate or incomplete.
A worker member may modify their personal data, as well as their beneficiaries' personal data, with the web form in the private area.
- Right to object: the user may object to the processing of his/her data based on a mission of public interest or in the controller's legitimate interest.
Right to restrict processing: they may request restriction of processing when:
- a) his or her data is inaccurate, during a period that allows GEROA to verify their accuracy;
- b) The user believes the processing is illicit and objects to the erasure of personal data and requests restriction of use instead;
- c) GEROA no longer needs the personal data for the purposes of processing, but the user needs them to prepare, exercise or defend against claims;
- d) You have objected to processing, while verifying if GEROA's legitimate grounds prevail over your own.
Right to erasure: you may request that GEROA erase your personal data, and we shall be obliged to erase them without delay when:
- a) the personal data are no longer necessary for the purposes for which they were collected or processed otherwise;
- b) you withdraw your consent (when the legal basis is said consent, and the processing is not based on another legal ground).
- c) you object to processing (see right to object);
- d) the personal data have been illicitly processed;
- e) the personal data must be erased to comply with a legal obligation applicable to GEROA
- a) To exercise the right to freedom of expression and information;
- b) To comply with a legal obligation that requires processing data imposed by European Union or Member State law applicable to the data controller, or to fulfil a mission conducted in the public interest or in exercising public powers granted to the controller;
- c) For reasons of public interest in public health;
- d) For archiving purposes in the public interest, scientific or historic research purposes, or statistical purposes;
- e) To prepare, exercise or defend against claims.
- Right to portability: you may receive the personal data you provided, or third parties provided in your name in a digital, structured format, and transfer them to another entity, provided that processing is automated.
If you wish to exercise any of the aforementioned rights, you must send a written and signed request, along with a photocopy of your National ID card or any other document proving your identity, to the Data Protection Officer at the post address indicated above, or to this email address: firstname.lastname@example.org
Additionally, the interested party is hereby informed that he or she may address the competent Control Authority (the Spanish Data Protection Agency) to file any claim he or she deems appropriate. If you would like more information on the rights you may exercise, and to request forms to exercise your rights, you may visit the Spanish Data Protection Agency's website: www.aepd.es.