
Privacy policy

  • Purpose of the Privacy Policy
  • Definitions
  • Identity of the Data Controller
  • Applicable Laws and Regulations
  • Principles Applicable to the Processing of Personal Data
  • Data Processing Activities Carried Out
  • Necessary and Updated Information
  • Personal Data of Minors
  • Technical and Organizational Security Measures
  • Rights of Data Subjects
  • Complaints before the Supervisory Authority
  • Acceptance and Changes to the Privacy Policy

1.- PURPOSE OF THE PRIVACY POLICY

This “Privacy and Data Protection Policy” aims to inform users about the conditions governing the collection and processing of personal data by Tram Castellón, making every effort to safeguard the fundamental rights, honor, and freedoms of individuals whose personal data is processed, in compliance with the current regulations and laws governing Personal Data Protection within the European Union and the Spanish Member State, and specifically those set out in the “Processing Activities” section of this Privacy Policy.

Therefore, this Privacy and Data Protection Policy informs users of the Website https://tramcastellon.com about all relevant details regarding how these processes are carried out, the purposes for which they are conducted, which other entities may have access to their data, and what rights users have.


2.- DEFINITIONS

“Personal data”: Any information relating to an identified or identifiable natural person (“the Website user”); an identifiable natural person is one whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

“Processing”: Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Restriction of processing”: The marking of stored personal data with the aim of limiting their processing in the future.

“Profiling”: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

“Pseudonymization”: The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such information is kept separately and subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Filing system”: Any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.

“Controller”: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

“Processor”: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

“Recipient”: A natural or legal person, public authority, agency, or another body to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

“Third party”: A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons authorized to process personal data under the direct authority of the controller or processor.

“Consent of the data subject”: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them.

“Personal data breach”: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

“Genetic data”: Personal data relating to inherited or acquired genetic characteristics of a natural person which provide unique information about the physiology or health of that person.

“Biometric data”: Personal data resulting from specific technical processing relating to physical, physiological, or behavioral characteristics of a natural person allowing or confirming unique identification.

“Data concerning health”: Personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about their health status.

“Main establishment”:
a) Regarding a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions regarding processing purposes and means are taken in another establishment in the Union;
b) Regarding a processor with establishments in more than one Member State, the place of its central administration in the Union.

“Representative”: A natural or legal person established in the Union designated in writing by the controller or processor pursuant to Article 27 GDPR.

“Enterprise”: A natural or legal person engaged in an economic activity, regardless of its legal form.

“Supervisory authority”: An independent public authority established by a Member State pursuant to Article 51 GDPR. In Spain, this is the Spanish Data Protection Agency.

“Cross-border processing”:
a) Processing carried out in the context of activities of establishments in more than one Member State; or
b) Processing affecting or likely to substantially affect data subjects in more than one Member State.

“Information society service”: Any service normally provided for remuneration, at a distance, by electronic means, and at the individual request of a recipient.


3.- IDENTITY OF THE DATA CONTROLLER

The Data Controller is the natural or legal person, public or private entity, or administrative body that determines the purposes and means of processing personal data.

Regarding the matters described in this Data Protection Policy, the identity and contact details of the Data Controller are:

La Hispano del Cid, S.A. – Tax ID (NIF/DNI): A12007555

Camino Caminás, 133-Cruce Camino viejo del mar.
12003, Castellón (Castellón), Spain

Email: hicid@hicid.com
Phone: +34 964 200 122

The Website user may exercise any of the rights mentioned by contacting the Data Controller and identifying themselves using the following contact information:

Controller: La Hispano del Cid, S.A.
Address: Camino Caminás, 133-Cruce Cami Vell de la Mar
Email: hicid@hicid.com
Website: https://hicid.com


4.- APPLICABLE LAWS AND REGULATIONS

This Privacy and Data Protection Policy has been developed in accordance with the following data protection laws and regulations:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
  • Organic Law 3/2018 of 5 December on Personal Data Protection and Guarantee of Digital Rights (LOPD/GDD).
  • Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSICE).

5.- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

The personal data collected and processed through this Website shall be processed according to the following principles:

  • Lawfulness, fairness, and transparency: All personal data processing carried out through this Website shall be lawful and transparent.
  • Purpose limitation: Data shall be collected for specified, explicit, and legitimate purposes.
  • Data minimization: Data collected shall be adequate, relevant, and limited to what is necessary.
  • Accuracy: Data shall be accurate and kept up to date where necessary.
  • Storage limitation: Data shall be kept no longer than necessary.
  • Integrity and confidentiality: Data shall be processed securely through appropriate technical and organizational measures.
  • Accountability: The Website owner shall be responsible for compliance with these principles and able to demonstrate it.

6.- DATA PROCESSING ACTIVITIES

Below are the data processing activities carried out through the Website, specifying:

  • Activity
  • Purposes
  • Legal basis
  • Data processed
  • Source of the data
  • Retention period
  • Recipients
  • International transfers

6.1 MAIN DATA PROCESSING ACTIVITIES

These are processing activities whose purposes are necessary and essential for providing services.

Customers

Legal basis:
(Art. 6.1.b GDPR) Existence of a contractual or pre-contractual relationship.

Purposes:
Customer contact and commercial activities.

Categories of data:
Identification data; Economic, financial, and insurance data; Goods and services transactions.

Source:
The data subject or their legal representative.

Recipients:
Tax Administration; Banks and savings institutions.

International transfers:
Not planned.

Retention period:
6 years from the last confirmation of interest. Article 30 of the Commercial Code.


Complaint Forms

Legal basis:
(Art. 6.1.b GDPR) Contractual relationship.
(Art. 6.1.c GDPR) Compliance with legal obligations.

Purposes:
Management of complaint forms.

Categories of data:
Identification data.

Source:
The data subject or legal representative.

Recipients:
Public administration competent in the matter.

International transfers:
Not planned.

Retention period:
1 year from the last confirmation of interest.


Employment

Legal basis:
(Art. 6.1.b GDPR) Contractual or pre-contractual relationship.

Purposes:
Attendance control; Training; Payroll and employment contract management; Occupational risk prevention; Employment supervision.

Categories of data:
Identification data; Academic and professional data; Personal characteristics; Economic and insurance data; Employment details.

Source:
The data subject or legal representative.

Recipients:
Social Security authorities; Tax Administration; Banks; Public administration.

International transfers:
Not planned.

Retention period:
5 years from the last confirmation of interest.


Suppliers

Legal basis:
(Art. 6.1.b GDPR) Contractual or pre-contractual relationship.

Purposes:
Supplier/customer management, accounting, tax, and administrative management.

Categories of data:
Identification data; Economic, financial, and insurance data; Goods and services transactions.

Source:
The data subject or legal representative.

Recipients:
Tax Administration; Banks and savings institutions.

International transfers:
Not planned.

Retention period:
6 years from the last confirmation of interest.


Tram Users

Legal basis:
(Art. 6.1.b GDPR) Contractual or pre-contractual relationship.

Purposes:
Fraud prevention; documentation is requested from users to prevent fraud in discounted travel passes.

Categories of data:
Identification data.

Source:
The data subject or legal representative.

Recipients:
None planned.

International transfers:
Not planned.

Retention period:
1 year from the last confirmation of interest.


6.2 OPTIONAL DATA PROCESSING ACTIVITIES

(if the user has given consent)

These processing activities are not essential for providing the service and are only carried out if the user has consented.

Job Bank

Legal basis:
(Art. 6.1.a GDPR) Consent of the data subject.

Purposes:
Personnel recruitment.

Categories of data:
Identification data; Academic and professional data; Employment details; Social circumstances.

Source:
The data subject or legal representative.

Recipients:
None planned.

International transfers:
Not planned.

Retention period:
2 years from the last confirmation of interest.


7.- NECESSARY AND UPDATED INFORMATION

All fields marked with an asterisk (*) in the Website forms are mandatory. Failure to complete them may make it impossible to provide the requested services or information.

You must provide truthful information and notify the Data Controller as soon as possible of any changes or corrections to your personal data by email to: admistracion@tramcastellon.com.

By clicking the “Accept” button (or equivalent), you declare that the information provided is accurate and truthful and that you understand and accept this Privacy Policy.


8.- DATA OF MINORS

In accordance with Article 8 GDPR and Article 7 LOPD/GDD, only individuals over 14 years old may lawfully consent to the processing of their personal data by Tram Castellón.

Therefore, minors under 14 years old may not use the services available through the Website without prior authorization from their parents, guardians, or legal representatives.


9.- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

The Data Controller adopts the necessary technical and organizational measures to ensure the security and confidentiality of personal data and prevent unauthorized access, alteration, loss, or processing.

Measures include:

  • Ensuring confidentiality, integrity, availability, and resilience of processing systems.
  • Restoring availability and access to personal data quickly in the event of an incident.
  • Regularly testing and evaluating security measures.
  • Pseudonymization and encryption of sensitive data where applicable.

The Data Controller also manages information systems according to principles including:

  • Regulatory compliance
  • Risk management
  • Awareness and training
  • Proportionality
  • Responsibility
  • Continuous improvement

10.- RIGHTS OF DATA SUBJECTS

Current data protection legislation grants users several rights regarding their personal data:

  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right not to be subject to automated decisions and profiling
  • Right to withdraw consent

Users may exercise these rights by contacting:

Controller: Via Reservada, S.A.
Address: C/ Carcagente, 1. 12005, Castellón (Castellón), Spain
Email: admistracion@tramcastellon.com
Website: https://tramcastellon.com


11.- RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY

Users are informed of their right to lodge a complaint with the Spanish Data Protection Agency if they believe that data protection legislation has been violated.

Spanish Data Protection Agency (AEPD)
Email: info@aepd.es
Phone: 900293183
Website: https://www.aepd.es
Address: C/. Jorge Juan, 6. 28001, Madrid (Madrid), Spain


12.- ACCEPTANCE AND CHANGES TO THE PRIVACY POLICY

The Website user must have read and agreed to the data protection conditions contained in this Privacy Policy and accepted the processing of their personal data.

The Data Controller reserves the right to modify this Privacy Policy according to its own criteria or due to legislative, jurisprudential, or doctrinal changes issued by the Spanish Data Protection Agency.

Changes or updates affecting purposes, retention periods, transfers, international data transfers, or any rights of the Website user shall be explicitly communicated to users.
