Privacy policy

16 September 2024

Privacy Notice

Qurv Technologies SL

Our goal

For Qurv Technologies SL the protection and security of personal data are essential. Therefore,
it is part of our nature to comply with all legal provisions when collecting and processing
personal data. These requirements include, specifically, the EU General Data Protection
Regulation and all applicable data protection legislation.
This privacy notice describes the principles and measures that Qurv Technologies SL applies to
protect the rights and freedoms of individuals regarding the processing of personal data.

Our data processing principles

When processing personal data, we apply the following principles:

  • Lawfulness: The processing of personal data always requires a legal basis.
  • Transparency: All data subjects must be able to understand the processing of their per-
    sonal data.
  • Purpose limitation: The purposes for which the personal data are processed must be
    clearly identified in advance and defined when collecting data.
  • Data minimization: The processing of personal data shall be limited to the appropriate
    factual, relevant and necessary measures for the purpose of the processing.
  • Accurate and kept up to date: Personal data must be properly and completely stored and
    kept up to date. Appropriate measures must be taken to delete, rectify, complement or
    update data that are inaccurate, incomplete or out of date.
  • Storage limitation: Personal data should only be stored as long as is necessary for the
    purpose of the processing or as long as other legal regulations may allow.
  • Integrity and confidentiality: When processing personal data, adequate technical and
    organizational measures must be taken to appropriately protect the data, in particular
    against unauthorized or unlawful processing, accidental loss and accidental destruction
    or damage.
    As part of our corporate responsibility, we document the processing of personal data in order to
    prove compliance with the aforementioned principles.

Lawful basis for processing

Any processing of personal data when there is no legal basis for it is prohibited. Qurv
Technologies SL processes personal data for the following legal reasons:

  • Performance of a contract or to take steps prior to entering into a contract, for example,
    processing of customers’ data on the basis of a contracted service or processing of
    employees’ data on the basis of an employment contract.
  • Compliance with a legal obligation, e.g., retention of data after the end of a contractual
    relationship in compliance with tax law.
  • Legitimate interests, e.g. advertising of one’ s own products similar to those previously
    ordered (provided that no advertising exemption has been requested).
  • Consent of the data subject, e.g. for profiling or processing of health-related data.

Certain special categories of personal data, for example, on ethnic origin or religious beliefs, or in
relation to health, may only be processed with explicit consent or legal authorization.

Rights of data subjects

The protection of the rights and freedoms of natural persons regarding the processing of their
personal data is a key priority for Qurv Technologies SL. In order to guarantee such protection,
the data subjects have the following rights, among others:

  • Information: Data subjects will be informed promptly and in a transparent manner about
    how their data will be processed. It applies whether personal data are obtained directly
    from the data subject or collected by other entities.
  • Access: Data subjects may at any time request information about their stored and/or
    processed personal data, as well as a copy of their stored and/or processed personal data.
  • Rectification: Data subjects may at any time request the rectification of inaccurate
    personal data and have incomplete personal data to be completed, e.g. if a name or
    address is incorrect.
  • Erasure: Data subjects may request the erasure of their personal data. This right shall not
    apply when conflicting with other existing obligations or rights, e.g. storage obligation
    under the applicable law.
  • Restriction of processing: Data subjects shall have the right to obtain from the controller
    the restriction of processing. e.g. if their personal data are inaccurate.
  • Right to object: The data subject shall have the right to object at any time to the
    processing of personal data for marketing purposes. For other purposes, the right to
    object is possible under certain conditions, depending on the case.
  • Automated individual decision-making on a case-by-case basis: In the context of
    efficient business transactions, data subjects are only subject to an automated decision on
    a case-by-case basis if it is legal, e.g. regarding the performance of a contract. Data
    subjects will be informed about the relevant automated processing.

The data subject will receive all information related to the processing of his/her personal data in
a clear and plain language.

In the event of a personal data breach, the data subjects will be informed of such incident if the
legal requirements, concerning the risks to their rights and freedoms, are met.

The interested party is entitled to file a claim before Qurv Technologies SL, file a complaint with
a supervisory authority or a Court in order to exercise their rights and freedoms regarding the
processing of personal data. This notice does not affect the legal rights and/or claims of interested
parties.

Processing by third parties and disclosure of data.

If personal data are processed by service providers or external partners on behalf of Qurv
Technologies SL, appropriate measures must be taken regarding the processing of personal data
(depending on the area of activity), for example:

  • Processing of personal data by third parties: If a service provider is requested to process
    personal data, an agreement shall be concluded with that service provider only if such
    service provider provides appropriate technical and organizational measures to protect
    personal data. This also includes access to data regarding service and maintenance
    operations.
  • Outsourcing: When there is an outsourcing of tasks, other than the processing of
    personal data, for the exercise of which the third party decides on the purposes and
    means of personal data processing, data protection agreements (similar to data processor
    agreements) shall be concluded with such party, establishing appropriate technical and
    organizational measures comparable to those provided in data processor agreements.
  • Non-disclosure Agreement: If there are cases where personal data may have to be
    disclosed on a limited basis, a non-disclosure agreement must be concluded with the
    provider for security reasons.
    Personal data may only be processed or accessed from outside of the EU if appropriate safeguards
    are put in place to ensure the security of the processing, for example by using standard
    contractual clauses.

Data security, impact assessment and technological design

We apply all appropriate technical and organizational measures to protect personal data. These
include, in particular, measures to ensure the confidentiality, integrity and availability of per-
sonal data, including the resilience of systems and services.

In all processing operations, the risks to the rights and freedoms of data subjects are taken into
account when selecting technical and organizational measures. In case of high risks, processing
will be subject to additional controls of both risks and measures.

When processing personal data, the principle of data protection by design and by default is al-
ways taken into account, e.g. by pseudonymization or minimization of personal data.

Technical and organizational measures are periodically reviewed in terms of effectiveness and
they are adjusted as necessary, taking into account the state of the art. The same applies to tech-
nical and organizational measures involving service providers or external partners.

Data protection responsibility and organization

Qurv Technologies SL is responsible for implementing data protection regulations. Management
is responsible for establishing the necessary pre-requisites regarding the implementation of data
protection regulations by the employees of each respective department, whether they work on
site or off site.