This Privacy Policy describes, in a clear and understandable manner, how SOCIEDADE PARA O APROVEITAMENTO SOSTIBLE DE RECURSOS NATURAIS DE GALICIA RDG SA (hereinafter, Recursos de Galicia (RDG) or the Controller, in compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), guarantees transparency in the processing of data and makes this information available to the user.

1. WHO IS RESPONSIBLE FOR DATA PROCESSING?

The company SOCIEDADE PARA O APROVEITAMENTO SOSTIBLE DE RECURSOS NATURAIS DE GALICIA RDG, S.A., hereinafter Recursos de Galicia (RDG), with Tax ID number A56451016 and registered office at Rúa Letonia 2, is responsible for the processing of personal data. – Edificio Quercus IP, Local A0.1-A0.2, 15707 – Santiago de Compostela (A Coruña).

For questions related to data protection, please contact dpd@rdg.gal. You can also contact the general address administracion@rdg.gal.

WHY DO WE PROCESS YOUR PERSONAL DATA AND FOR WHAT PURPOSES?

Recursos de Galicia (RDG) processes personal data for specific and legitimate purposes, and always on an appropriate legal basis in accordance with Article 6 of the GDPR.

When a user requests a service, makes an enquiry, or proposes a project to us, we use their data to manage the request and respond effectively through the various communication channels used by the person. This data processing is based on the legitimate interest of Recursos de Galicia (RDG) and, where applicable, on the execution of contractual or pre-contractual measures.

Within the framework of our relationship with suppliers, we process the information necessary for registration as a supplier and for administrative and financial management. This processing is essential for formalising and executing contractual or pre-contractual relationships with each supplier.

When a person submits their application through ‘Work with us’, we process the data in their CV and the information provided in order to include it in our database of applications, assess their profile and manage the selection processes. This activity is based on the consent of the candidate and, during the course of the process, on the pre-contractual relationship and the legitimate interest of RDG in filling vacancies with suitable profiles.

With the aim of promoting corporate activity, we may process data obtained and used in communication activities, carried out directly or through third parties, resulting in the publication of news, interviews, videos and other digital content. This processing is carried out when we have the consent of the individuals concerned or when there is a legitimate interest, always respecting their rights.

Our presence on social media involves processing data generated by interaction with RDG’s official profiles. We manage messages, comments and queries, and analyse activity to improve communication, based on the consent given through each platform and RDG’s legitimate interest in maintaining its information channels.

Recursos de Galicia (RDG) has a responsible channel for reporting possible breaches of regulations or the code of ethics. When used, we process the data necessary to handle the communication, investigate the facts and, where appropriate, take action. This processing is based on compliance with legal obligations and the legitimate interest of the entity. You can obtain more information by accessing the Responsible Channel and consulting its data protection policy.

When browsing the website, we use technical and functional cookies that are essential for its proper functioning. We may also use analytical cookies to measure performance, analyse traffic and improve the user experience. The latter are only activated when the user gives their consent via the settings panel, except in cases where legitimate interest applies in accordance with applicable regulations and as indicated in the Cookies Policy.

To preserve the security of the website and systems, we process IP addresses and other technical data generated by the use of the service. This data is used to detect unauthorised access, prevent fraud, monitor the integrity of the infrastructure and manage incidents, based on the legitimate interest of Recursos de Galicia (RDG) and in compliance with legal security obligations.

1. WHO CAN ACCESS YOUR DATA?

Access to personal data is limited to Galicia Resources (RDG) staff who, due to their duties, need to process it in order to fulfil the purposes described. When it is necessary to use providers that offer support services—for example, web hosting and maintenance, communication tools, IT support, legal advice, or job vacancy advertising—the data may be processed by these entities under data processing agreements that guarantee confidentiality and security. In cases required by law, the information may be provided to the competent public authorities.

2. INTERNATIONAL TRANSFERS

As a general rule, RDG does not transfer data outside the European Economic Area. If, exceptionally, an international transfer is essential in order to provide a service, adequate safeguards will be put in place to protect the information, in accordance with Articles 44 et seq. of the GDPR.

3. HOW LONG DO WE KEEP YOUR DATA?

We only keep data for as long as necessary to fulfil the purpose for which it was collected and, subsequently, for the periods required by law. Once the retention periods have expired, the data is deleted or anonymised using secure measures.

Applications are kept for up to two years from receipt, unless the person withdraws their consent beforehand.

Data processed under a contractual relationship will be retained for the period necessary to fulfil that relationship, as well as for the additional time required to satisfy legal obligations and for as long as enforceable liabilities may arise.

Data processed on the basis of legitimate interest will be retained until the purpose for which it was processed has been fulfilled.

The data collected and necessary for handling communications made through the Responsible Channel are kept in accordance with the periods indicated therein, three months if the facts have not been proven and, otherwise, for as long as necessary. For more information, please consult the Responsible Channel Privacy Policy.

In the case of technical records associated with security and IP addresses, these are kept for the period strictly necessary for security purposes and, in general, for no longer than twelve months, unless there is a greater obligation to do so. Cookies are kept for the periods indicated in the Cookies Policy.

4. PERSONAL RIGHTS

• As the holder of the rights recognised in data protection regulations, you may:
• access your information to find out what data we process and under what conditions.
• rectify inaccurate or incomplete data so that it is up to date and accurate
• request the deletion of your data when it is no longer necessary, when you withdraw your consent or when there is another legal reason that allows it; if it is not possible to delete it due to legal requirements, we will block it and keep it only to meet our responsibilities.
• request the restriction of processing when you contest the accuracy of the data, when the processing is unlawful but you prefer us to restrict its use rather than delete it, when we no longer need the data but you need it for the establishment, exercise or defence of legal claims, or when you have objected to the processing and that request is pending resolution.
• object to the processing of your data when the processing is based on legitimate interest, unless there are compelling legitimate grounds or it is necessary for the defence of claims.
• if the processing is carried out by automated means and is based on your consent or on a contract, you may exercise the right to portability, which allows you to receive the data in a structured, commonly used and machine-readable format and, where technically feasible, request its direct transmission to another controller.
• withdraw your consent for any processing that depends on it;
• lodge a complaint with the Spanish Data Protection Agency (AEPD) if you believe that your rights have been violated.

To exercise these rights, you must send a request accompanied by a document proving your identity to dpd@rdg.gal or by post to the address of Recursos de Galicia (RDG) indicated in this policy. We will respond to your request as quickly as possible and within the legal deadlines.

5. MANDATORY OR OPTIONAL NATURE OF THE INFORMATION

Some fields on the website forms may be marked with an asterisk if they are necessary to process the request, except in cases where all fields are mandatory, in which case they will not be marked individually. If the mandatory data is not provided, we may not be able to provide the requested service or respond adequately. The user declares that the information provided is accurate and truthful, and undertakes to notify us of any necessary updates.

6. PROFILES AND AUTOMATED DECISIONS

Recursos de Galicia (RDG) does not make decisions based solely on automated processing that produces legal effects or significantly affects you in a similar way. If at any time it is necessary to create profiles to improve the quality of the service, we will communicate this transparently and apply measures to safeguard your rights.

7. SAFETY MEASURES

We implement technical and organisational measures designed to maintain the confidentiality, integrity and availability of information. Among other things, we use access controls, encryption where appropriate, intrusion prevention and detection systems, internal security policies, staff training and incident management procedures. We review these measures periodically to adapt them to technological developments and existing risks.

8. POLICY UPDATES

Recursos de Galicia (RDG) may modify this policy to adapt it to regulatory changes, the criteria of the supervisory authorities, or variations in the processing it carries out.