Privacy Policy

RESPONSIBLE FOR THE TREATMENT
The Data Controller is Nuum UK LTD

Privacy Principles
From Nuum UK LTD we are committed to working continuously to ensure privacy in the processing of your personal data and to offer you at all times
the most complete and clear information we can. Please read this section carefully before providing us with your personal data.
If you are under the age of fourteen, we ask that you do not provide us with your data without the consent of your parents.
In this section we inform you about how we process the data of people who are connected to our organization. Starting from our principles:
– We do not request personal information, unless it is necessary to provide you with the requested services.
– We never share personal information with anyone, except to comply with the law, or have your express permission.
– We will never use your personal data for purposes other than those expressed in this privacy policy.
– Your data will always be treated with a level of protection appropriate to data protection legislation and we will not subject it to automated decisions.
We have drafted this privacy policy taking into account the requirements of current data protection legislation:
– Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals (RGPD).
– Organic Law 3/2018, of 5 December, on the protection of personal data and the guarantee of digital rights (LOPD).
– Royal Decree 1720/2007, of 21 December (RLOPD).
This privacy statement was drawn up on December 6, 2018.
Due to the modification of the processing criteria, in order to facilitate understanding or to adapt it to current legislation, it is possible that we modify this privacy policy.
We will update the date so you can check its validity.

Treatments we perform
TREATMENT OF EMPLOYEES
Legal basis: RGPD: 6.1.b) Treatment necessary for the execution of a contract of which the interested party is a party or for the application of pre-contractual measures at his request.
GDPR: 6.1.c) Processing necessary to fulfill a legal obligation applicable to the controller.
Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Law on the Workers’ Statute.
Purpose of the processing: – Management of contract personnel.
– Personal file. Time control. Training. Pension plans. Prevention of occupational risks.
– Issue of staff payslips.
– Management of trade union activities.
Collective: employees
Data categories: – Name and surname, DNI / CIF / identification document, personnel registration number, social security / mutuality number, address, signature and telephone number.
– Particular categories of data: health data (absence due to illness, accidents at work and degree of disability, excluding diagnosis), trade union membership, for the sole purpose of
payment of union dues (if applicable), union representative (if applicable), proof of participation by yourself and third parties.
– Data on personal characteristics: sex, marital status, nationality, age, date and place of birth and family data. Family situation data: registration and withdrawal dates, licenses, permits and authorizations.
– Academic and professional data: qualifications, training and professional experience.
– Details of employment and administrative career. Incompatibility.
– Attendance check data: date / time of entry and exit, reason for absence.
– Economic-financial data: economic data of payslips, credits, loans, guarantees, tax deductions, wage decreases corresponding to the previous job position (if applicable),
judicial withholdings (if applicable), other withholdings (if applicable). Banking data.
Categories of Recipients: – Body responsible for the management of professional risks.
– General Treasury of Social Security.
– Unions.
– Financial entities.
– State Agency for Tax Administration.
– Major contractors to whom we provide services as subcontractors.
International transfers: There are no international data transfers.
Cancellation period: they will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from
said purposes and data processing.
The economic data of this processing activity will be stored in accordance with Law 58/2003, of December 17, General Taxes.
Security measures: adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

PROCESSING OF CONTACTS
Legal basis: consent of the interested party
Purpose of the processing: to respond to your request, send you information and follow up on your request.
Collective: contacts, customers, suppliers
Data categories: name and surname, telephone, email address
Categories of Recipients: There are no data transfers to third parties.
International transfers: There are no international data transfers.
Cancellation period: the contact data will be kept for an indefinite period, or until the interested party requests their cancellation.
Security measures: adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

TREATMENT OF PERSONAL RIGHTS OF ATTENTION (ARCO)
Legal basis: GDPR: 6.1.c) Processing necessary to fulfill a legal obligation applicable to the controller.
General data protection regulation.
Purpose of Processing: To respond to requests relating to the exercise of the rights provided for by the General Data Protection Regulation.
Collective: subjects who request it (employees, customers, suppliers, contacts)
Data categories: name and surname, address, signature and telephone number.
Categories of recipients: can be communicated to the Supervisory Authority (Spanish Data Protection Agency) in the framework of an investigation for the protection of rights initiated by the
interested.
International transfers: There are no international data transfers.
Cancellation period: they will be kept for a period of five years from the time of the request.
Security measures: adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

PROCESSES FOR SELECTION OF CANDIDATE TREATMENT (HR)
Legal basis: RGPD: 6.1.b) Treatment necessary for the execution of a contract of which the interested party is a party or for the application of pre-contractual measures at his request.
Purpose of the processing: selection of personnel and provision of assignments.
Collective: candidates presented to the procedures for the provision of jobs.
Data categories: – Name and surname, DNI / CIF / identification document, personnel registration number, address, signature and telephone number.
– Data on personal characteristics: sex, marital status, nationality, age, date and place of birth and family data.
– Academic and professional data: qualifications, training and professional experience.
– Details of the work.
Categories of Recipients: There are no data transfers to third parties.
International transfers: There are no international data transfers.
Cancellation period: they will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from
said purposes and data processing.
Security measures: adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation

PROCESSING BY THE SUPPLIER
Legal basis: RGPD: 6.1.b) Treatment necessary for the execution of a contract of which the interested party is a party or for the application of pre-contractual measures at his request.
GDPR: 6.1.c) Processing necessary to fulfill a legal obligation applicable to the controller.
Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Law on the Workers’ Statute.
Law 58/2003, of December 17, General Taxes.
Purpose of the processing: – Acquisition of products and / or services that we need for the development of our business.
– Control of subcontractors, if applicable.
Collective: – Suppliers.
– Workers of our suppliers.
Data categories: – Name and surname, DNI / NIF / identification document, address, signature and telephone number.
– Detailed data on employment: job position. Workplace safety training.
– Economic, financial and insurance data: bank details.
Categories of recipients: – Financial entities. (Payment of bills)
– State Agency for Tax Administration.
International transfers: There are no international data transfers.
Cancellation period: they will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from
this purpose and the processing of data, pursuant to Law 58/2003, of 17 December, General Taxes,
Security measures: adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

CUSTOMER TREATMENT.
Legal basis: RGPD: 6.1.a) The interested party has given consent to the processing of their personal data for one or more specific purposes.
GDPR: 6.1.b) Treatment necessary for the execution of a contract of which the interested party is a party or for the application of pre-contractual measures at his request.
GDPR: 6.1.c) Treatment necessary to fulfill a legal obligation applicable to the controller.
Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Law on the Workers’ Statute.
Law 58/2003, of December 17, General Taxes.
Purpose of processing: Supply of our products / services
Collective: customers
Data categories: – Name and surname, DNI / NIF / identification document, address, signature and telephone number.
– Economic, financial and insurance data: Banking data. Categories of recipients: – Financial institutions.
– State Agency for Tax Administration.
International transfers: There are no international data transfers.
Cancellation period: they will be kept for the time necessary to fulfill the purpose for which they were collected and to determine any responsibilities that may derive from this purpose and from the processing of data, pursuant to Law 58/2003, of 17 December , General fees, security measures: adapted to the requirements of Regulation (EU) 2016/679, General Data Protection Regulation.

YOUR RIGHTS
You have the right to request a copy of your personal data, to rectify inaccurate data or to complete it if it is incomplete or, if applicable, to delete it, when it is no longer necessary to
the purposes for which they were collected.
You also have the right to restrict the processing of your personal data and to obtain your personal data in a structured and readable format.
You can object to the processing of your personal data in certain circumstances (in particular, when we do not have to process it to comply with a contractual or other legal requirement,
or when the object of the processing is direct marketing).
After you have given us your consent, you can withdraw it at any time. At that point we will stop processing your data or, if applicable, we will stop doing it for that purpose in
concrete. If you decide to withdraw your consent, this will not affect the processing that took place while your consent was in effect.
These rights can be limited; For example, if we had to disclose another person’s data to fulfill your request, or if you ask us to delete certain records that we are
obliged to maintain by a legal obligation or a legitimate interest, such as the exercise of defense against claims. Or even in those cases where the right to
freedom of expression and information.
You can contact us by any of the means indicated in the Data Processor section of this privacy policy by providing a copy of a document demonstrating your
identity (usually the DNI).
Another of your rights is not to be the subject of a decision based solely on automated processing, including profiling that produces legal effects or that concerns you.

In the face of any violation of your rights, such as, for example, that we have not responded to your request, you have the right to lodge a complaint with the Supervisory Authority in this regard.
Data protection. It can be the one in your country (if you live outside Spain) or the Spanish Data Protection Agency (if you live in Spain).
Additional information
Data processing outside the European Economic Area.
For the indicated treatments we can use the services of the following providers outside the European Economic Area, but by virtue of the Privacy Shield agreement, approved by
data protection authority of the European Union.
Facebook / Instagram (FB Messenger): More information:
https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC
Google (Drive / Mail …): Further information:
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI
Links to Third Party Websites.
Our website may, on occasion, contain links to other websites. It is your responsibility to ensure that you read the data protection policy and legal conditions that are
apply to every site.
Third party data.
If you provide us with third-party data, you assume the responsibility to inform them in advance as set out in Article 14 of the GDPR.