DETAILED INFORMATION WEBSITE PRIVACY POLICY

http://marmadot.com

Version of October 10, 2023

INDEX

Purpose of the Privacy Policy
Definitions
Identity of the Data Controller
Applicable laws and regulations
Principles applicable to the processing of personal data
Data processing activities carried out
Necessary and updated information
Personal data of minors
Technical and organizational security measures
Rights of interested parties
Claims before the Control Authority
Acceptance and changes to the Privacy Policy

1.- OBJECTIVE OF THE PRIVACY POLICY

TThe following “Privacy Policy and Data Protection” aims to inform users about the conditions governing the collection and processing of personal data by Marmadot Web Development Studio (Kalantarov Georgy Y0666271K). We make every effort to safeguard the fundamental rights, honor, and freedoms of the individuals whose personal data we process, in compliance with the regulations and laws that regulate the protection of personal data according to the European Union and the Spanish Member State, as outlined in the “Data Processing Activities” section of this Privacy Policy.

Therefore, in this Privacy and Data Protection Policy, users of the website http://marmadot.com are informed about all relevant details regarding how these processes are carried out, their purposes, which other entities may have access to their data, and what rights the users have.

2.- DEFINITIONS

«Personal data»: Any information about an identified or identifiable natural person (“the Website user”); an identifiable natural person is considered to be a person whose identity can be determined, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

«Processing»: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, or combination, restriction, erasure, or destruction.

«Restriction of processing»: The marking of personal data with the aim of limiting their processing in the future.

«Profiling»: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

«Pseudonymization»: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

«File»: Any structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized, or distributed on a functional or geographical basis.

«Controller» or «responsible»: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

«Processor» or «Processor»: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

«Recipient»: A natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients; the processing of that data by those public authorities complies with the applicable data protection rules according to the purposes of the processing.

«Third party»: a natural or legal person, public authority, agency, or body other than the data subject, the data controller, the data processor, and the persons who, under the direct authority of the data controller or data processor, are authorized to process personal data.

«Data subject’s consent»: means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

«Breach of personal data security»: refers to any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data that is transmitted, stored, or otherwise processed.

«Genetic data»: personal data relating to the inherited or acquired genetic characteristics of a natural person that provide unique information about the physiology or health of that person, obtained in particular from the analysis of a biological sample of that person.

«Biometric data»: personal data obtained from specific technical processing, relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of said person, such as facial images or fingerprint data.

«Health data»: personal data relating to the physical or mental health of a natural person, including the provision of health care services, that reveal information about their state of health.

«Main establishment»: a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of processing are taken at another establishment of the controller in the Union. Union and the latter establishment has the power to enforce such decisions, in which case the establishment that has adopted such decisions will be considered the main establishment; b) in the case of a processor with establishments in more than one Member State, the place of its central administration in the Union or, if this is not the case, the establishment of the processor in the Union in which the processing is carried out. main processing activities in the context of the activities of an establishment of the processor to the extent that the processor is subject to specific obligations under this Regulation.

«Representative»: natural or legal person established in the Union who, having been designated in writing by the controller or processor pursuant to Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under this Regulation .

«Company»: a natural or legal person engaged in an economic activity, regardless of its legal form, including companies or associations that regularly carry out an economic activity.

«Supervisory authority»: The independent public authority established by a Member State in accordance with Article 51 of the GDPR. In the case of Spain, it is the Spanish Data Protection Agency.

«Cross-border processing»: a) the processing of personal data carried out in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State, or b) the processing of personal data carried out in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

«Information society service»: means any information society service, that is, any service normally provided for remuneration, remotely, electronically and at the individual request of a service recipient.

3.- DATA CONTROLLER IDENTITY

The Data Controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the European Union law or the Spanish Member State law.

In the context of the aspects outlined in this Data Protection Policy, the identity and contact details of the Data Controller are as follows:

Marmadot Web Development Studio (Kalantarov Georgy Y0666271K)

Av.Central 22 ap.37, 12594, Oropesa del Mar (Castellón), España

Email: privacy@marmadot.com
Phone: 642264291

4.-APPLICABLE LAWS AND REGULATIONS

This Privacy and Data Protection Policy is developed based on the following data protection laws and regulations:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known as GDPR.
Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of digital rights, known as LOPD/GDD.
Law 34/2002, of July 11, on Information Society Services and Electronic Commerce, known as LSSICE.

5.- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

The personal data collected and processed through this website will be treated in accordance with the following principles:

Principle of legality, fairness, and transparency: Any processing of personal data carried out through this Website will be lawful and fair, making it entirely clear to the user when their personal data is being collected, used, accessed, or processed. Information regarding the processes performed will be conveyed beforehand, in an easily accessible and understandable manner, using simple and clear language.
Purpose limitation principle: All data will be collected for specific, explicit and legitimate purposes, and will not be subsequently processed in a manner incompatible with the purposes for which they were collected.
Principle of data minimization: The collected data will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Principle of accuracy: The data will be accurate and, if necessary, updated, taking all reasonable measures to promptly delete or rectify personal data that is inaccurate with respect to the purposes for which they are processed.
Principle of limitation of storage period: The data will be kept in a form that allows the identification of data subjects for no longer than is necessary for the purposes of the processing of personal data.
Principle of integrity and confidentiality: The data will be processed in a way that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, and against accidental loss or damage, through the application of appropriate technical and organizational measures.
Principle of proactive responsibility: The entity that owns the Website will be responsible for complying with the principles set out in this section and will be able to demonstrate it.

6.- DATA PROCESSING ACTIVITIES

Below are the data processing activities carried out through the website, specifying each of the following sections:

Activity: Name of the data processing activity
Purposes: Each of the uses and treatments carried out with the collected data
Legal basis: The legal basis legitimizing the data processing
Data processed: Type of data processed
Source: Where the data is obtained
Retention: Period during which the data is kept
Recipients: Individuals or third-party entities to whom the data is provided
International transfers: Cross-border transfers of data outside the European Union

6.1 MAIN TREATMENT ACTIVITIES

These are those data processing activities whose purposes are necessary and essential for the provision of services.

6.2 OPTIONAL TREATMENT ACTIVITIES (if the user has marked their acceptance)

These are those personal data processing activities whose purposes are not essential for the provision of the service and which are only carried out if the user has marked YES in the consent to carry out these activities.

Website Inquiries
Legal bases	Explicit consent of the interested party
Purposes	Response to queries received through the electronic form on the website
Data categories and groups	Web contacts (Identifying data)
Data provenance	The interested party himself or his legal representative
Recipient category	They are not planned
International transfer	They are not planned
Conservation period	For a period of 1 year from the last confirmation of interest

7.- NECESSARY AND UPDATED INFORMATION

All fields that appear marked with an asterisk (*) in the Website forms must be completed, so that the omission of any of them could make it impossible for you to be provided with the requested services or information.

You must provide true information, so that the information provided is always up to date and does not contain errors, you must communicate to the Data Controller as soon as possible, the modifications and rectifications of your personal data that occur via email. to the address: privacy@marmadot.com

Likewise, by “clicking” on the “I accept” button (or equivalent) incorporated in the aforementioned forms, you declare that the information and data that you have provided in them are accurate and truthful, as well as that you understand and accept this Privacy Policy. Privacy.

8.- DATA OF MINORS

In compliance with the provisions of article 8 of the RGPD and article 7 of the LOPD/GDD, only those over 14 years of age may grant their consent for the processing of their personal data legally by Marmadot Web Development Studio (Kalantarov Georgy Y0666271K)

Therefore, minors under 14 years of age may not use the services available through the Website without the prior authorization of their parents, guardians or legal representatives, who will be solely responsible for all acts carried out through the Website by the minors. minors in their care, including the completion of the electronic forms with the personal data of said minors and the marking, where appropriate, of the boxes that accompany them.

9.- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

The Data Controller adopts the necessary organizational and technical measures to guarantee the security and privacy of your data, and prevent its alteration, loss, unauthorized treatment, or access, depending on the state of the technology, the nature of the data stored, and the risks. to which they are exposed.

Among others, the following measures stand out:

Ensure the ongoing confidentiality, integrity, availability, and resilience of treatment systems and services.
Restore availability and access to personal data quickly, in the event of a physical or technical incident.
Verify, evaluate, and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the security of the treatment.
Pseudonymize and encrypt personal data, if it is sensitive data.

On the other hand, the Data Controller has made the decision to manage the information systems according to the following principles:

Principle of regulatory compliance: All information systems will comply with the regulations of legal regulatory and sectoral applications that affect the security of information, especially those related to the protection of personal data, system security, data, communications, and electronic services.
Risk management principle: Risks will be minimized to acceptable levels and a balance between security controls and the nature of the information will be sought. Security objectives must be established, reviewed and consistent with information security aspects.
Principle of awareness and training: Training, awareness programs and awareness campaigns will be articulated for all users with access to information, regarding information security.
Principle of proportionality: The implementation of controls that mitigate asset security risks will be carried out seeking a balance between security measures, nature and information and risk.
Principle of responsibility: All members of the Data Controller will be responsible for their conduct regarding the security of the information, complying with the established standards and controls.
Principle of continuous improvement: The degree of effectiveness of the security controls implemented in the organization will be reviewed on a recurring basis to increase the ability to adapt to the constant evolution of risk and the technological environment.

10.- RIGHTS OF INTERESTED PARTIES

Current data protection regulations protect the user with a series of rights in relation to the use given to their data. Each and every one of such rights are individual and non-transferable, that is, they can only be exercised by the owner of the data, after verification of his or her identity.

Below are the rights of users of the Website:

Right of access: It is the right of the Website user to obtain confirmation from the Data Controller whether or not their personal data is being processed, and if so, to obtain information about their specific personal data and the processing carried out by the Data Controller, as well as, among other things, information available about the origin of such data and the recipients of the communications made or planned regarding it.
Right to rectification: It is the right of the Website user to have their personal data modified if it turns out to be inaccurate or, taking into account the purposes of the processing, incomplete.
Right to erasure: Commonly known as the “right to be forgotten,” this is the right of the Website user, as long as current legislation does not establish otherwise, to obtain the erasure of their personal data when it is no longer necessary for the purposes for which it was collected or processed; the user has withdrawn their consent to the processing and there is no other legal basis; the user objects to the processing and there are no legitimate grounds for continuing; the personal data has been processed unlawfully; the personal data has been obtained as a result of a direct offer of information society services to a child under 14 years of age. In addition to deleting the data, the Data Controller, taking into account the available technology and the cost of implementation, will take reasonable measures to inform other possible Data Controllers that are processing the personal data of the data subject of the request for erasure of any links to that personal data.
Right to limit data: It is the right of the Website user to limit the processing of their personal data. The Website user has the right to obtain the limitation of processing when they challenge the accuracy of their personal data; the processing is unlawful; the Data Controller no longer needs the personal data, but the user needs it to make claims; and when the Website user has objected to the processing.
Right to data portability: In cases where processing is carried out by automated means, the Website user shall have the right to receive their personal data from the Data Controller in a structured, commonly used, machine-readable format and to transmit it to another Data Controller. Where technically feasible, the Data Controller will transmit the data directly to another Data Controller.
Right of objection: It is the right of the user not to have their personal data processed or to have the processing of such data stopped by the Data Controller.
Right not to be subject to automated decisions and/or profiling: It is the right of the Website user not to be subject to an individualized decision based solely on automated processing of their personal data, including profiling, unless current legislation provides otherwise.
Right to withdraw consent: It is the right of the Website user to withdraw, at any time, the consent given for the processing of their data.

The user of the Website can exercise any of the aforementioned rights by contacting the Data Controller and prior identification of the User using the following contact information:

Responsible: Marmadot Web Development Studio (Kalantarov Georgy Y0666271K)
Address: Av.Central 22 ap.37, 12594, Oropesa del Mar (Castellón), Spain
Telephone: 642264291
Email: privacy@marmadot.com
Website: http://marmadot.com

11.- RIGHT TO COMPLAIN BEFORE THE CONTROL AUTHORITY

The user is informed of their right to file a claim with the Spanish Data Protection Agency if they consider that a violation of data protection legislation has been committed with respect to the processing of their personal data.

Contact information for the supervisory authority:

Spanish Data Protection Agency

Email: info@aepd.es

Telephone: 912663517

Website: https://www.aepd.es

Address: C/. Jorge Juan, 6. 28001, Madrid (Madrid), Spain

12.- ACCEPTANCE AND CHANGES IN THE PRIVACY POLICY

It is necessary that the user of the Website has read and agrees with the data protection conditions contained in this Privacy Policy, as well as accepts the processing of their personal data so that the Data Controller can proceed with it in the manner, indicated deadlines and purposes.

The Data Controller reserves the right to modify this Privacy Policy, according to its own criteria, or motivated by a legislative, jurisprudential or doctrinal change of the Spanish Data Protection Agency. The changes or updates made to this Privacy Policy that affect the purposes, conservation periods, transfers of data to third parties, international data transfers, as well as any rights of the Website User, will be explicitly communicated to the user.

Version October 10, 2023