We apply the following principles when processing personal data:

• Principle of legality: the processing of personal data always requires a legal basis.

• Principle of transparency: any interested party must be able to understand the processing of his or her personal data.

• Principle of purpose limitation: The purposes for which personal data are processed must be clearly identified in advance and defined at the time of collection. Consequently, personal data will be collected for specific, explicit, and legitimate purposes, and will not be further processed in a manner incompatible with those purposes.

• Data minimization principle: the personal data processed will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

• Principle of accuracy: personal data must be kept accurate, complete and up to date. Reasonable steps must be taken to delete, correct, supplement or update data that is inaccurate, incomplete or out of date.

• Principle of limited retention: personal data should be kept only for as long as is strictly necessary for the purpose of the processing or as permitted by other legal requirements.

• Integrity and confidentiality principle: when processing personal data, appropriate technical and organizational measures must be taken to protect the data adequately, in particular against unauthorized or unlawful processing, accidental loss or accidental destruction or damage.

Fortuny Legal processes personal data for the following purposes 

• Performance of a contract or for the application of pre-contractual measures, such as the processing of customer data on the basis of a contracted service or the processing of employee data on the basis of the employment contract.
• Compliance with a legal obligation, for example, the retention of data after termination of the relationship in compliance with tax legislation.
• Legitimate interests, such as sending advertising for our own services, such as the contracted services (unless an opt-out has been requested).
• Consent of the data subject, for example, to process images of customers or some special categories of personal data, e.g. concerning ethnic origin, religious beliefs or health, can only be processed with the explicit consent or legal authorisation of the data subject.

The protection of the rights and freedoms of individuals with regard to the processing of their personal data is a priority for Fortuny Legal. In order to guarantee this protection, the interested party has the following rights, among others:

• Information: the interested party will be informed, in an agile and transparent manner, of how their data will be processed. This applies regardless of whether the personal data is obtained directly from the data subject or collected by other entities (third party collection).
• Access: interested parties may request information or a copy of their stored and/or processed personal data at any time.
• Rectification: Data subjects may at any time request that inaccurate or incomplete personal data be corrected or supplemented, for example, if a name or address is incorrect.
• Deletion: Data subjects may request that their personal data be deleted. This right applies where it does not conflict with existing obligations or rights, such as retention obligations under applicable law.
• Restriction of processing:Data subjects may request that their personal data be restricted, for example if it is inaccurate.
• Objection: Data subjects may object at any time to the processing of their personal data for advertising purposes. For other purposes, such objection is possible under certain conditions, depending on the personal circumstances of the data subject. 

The interested party will receive all information relating to the processing of his personal data in clear and simple language. 

In the event of a personal data breach, the data subject will be informed of such incident, if the legal requirements corresponding to the risks to his or her rights and freedoms are met. 

The interested party is free to lodge a complaint with Fortuny Legal, with the data protection authority or with a court in order to exercise his/her rights and freedoms in relation to the processing of personal data.

Depending on the purposes for which the personal data is collected, the following people, without distinction, may have access to said information: (a) Fortuny Legal’s authorised personnel or its representatives acting on behalf of Fortuny Legal, in accordance with the applicable data protection laws; (b) regulatory authorities or other third parties, in accordance with the applicable laws; (c) third parties/processors (service providers who process information as data processors, under the instructions of Fortuny Legal). All this only after we have taken the necessary measures to ensure that we can share the said information and after we have concluded the corresponding processing contract, in accordance with data protection regulations.

Whenever personal data is processed by service providers or external collaborators on behalf of any of Fortuny Legal, appropriate measures will be taken to guarantee the protection of personal data during the processing.

 Fortuny Legal will not disclose your data to third parties without your express consent. However, due to the relationship with the interested party, we may communicate your data to (1) other companies and/or professionals with whom we may collaborate, provided that you have given us your consent to do so; (2) competent bodies and/or authorities in cases where there is a requirement and/or legal obligation to do so.

 In cases where it is necessary to transfer personal data to recipients located in countries that are not part of the EU or that do not guarantee a level of protection comparable to that derived from the RGPD, we will do so only in compliance with the legally established requirements and guarantees.

We take all appropriate technical and organizational measures to protect the processing of personal data. This includes measures to ensure the confidentiality, integrity and availability of personal data, including the recoverability of systems and services.

 For all processing operations, the risks to the rights and freedoms of data subjects are taken into account when selecting technical and organizational measures. Where the risks are high, the processing operations are subject to additional risk controls and measures.

 When processing personal data, the principle of data protection is observed by design and by default, for example through pseudonymization or minimization of personal data.

 Technical and organizational measures are regularly reviewed for effectiveness and adapted where necessary, taking into account the latest technological developments.

Fortuny Legal‘s Data Protection Officer will review and update this policy annually.

If you do not understand one or more aspects of this policy, or if you have any questions regarding this policy, please send an email to the Data Protection Officer at rgpd@fortunylegal.com.