This policy sets out how Grupo GNO companies process the personal data they gather in the course of their financial and business transactions, mainly with customers and suppliers. These companies are the parent company GNO CORPORATE S.L.U. and its subsidiaries MOME INVESTMENTS S.L.U., IMP REAL STATE S.L.U. and GCR PLASTIC SOLUTIONS GROUP S.L.U. and its related undertakings (GESTORA CATALANA DE RESIDUOS, S.L.U., AM COMPUESTOS EUROPA S.L.U., TPC POLYMERS EUROPA S.L.U., VC CHEMICALS LOGISTICS S.L.U., ENVICO RESEARCH S.L.U., GCR GROUP INTERNATIONAL S.L.U., GCR SUSTAINABLE LOGISTICS S.L.U., EUROPEAN GREEN POLYMERS S.L.U., GREEN PLASTICS EUROPE S.L.U. and REAL SUSTAINABILITY S.L.U.).
I. Who is the controller?
The controller for the personal data is the GNO group company that enters into a business or financial relationship with potential customers, customers and suppliers, as stated in the business proposal or in the service or supply contract.
Data subjects may email the controller at [email protected] if they have any enquiries or requests concerning personal data protection.
Grupo GNO undertakes to ensure that all processing by group companies of their customers’ and suppliers’ personal data complies with data protection regulations.
II. What type of data do we process?
The personal data that GNO group companies process concerning their customers and suppliers are:
- Identifying information (e.g. name and surname, sex, date and place of birth, nationality, passport or ID card number).
- Contact information (e.g. postal address, email address and landline and mobile phone numbers).
- Professional information (e.g. position and company name).
- Financial information (e.g. bank details).
- Image and data related to access to our facilities.
Under no circumstances do we process specially protected data.
All of the abovementioned data may be provided directly by you by submitting a business proposal, contract offer, etc. or by your company by giving us the documentation and other information required to perform the purpose of the contractual relationship between the parties. You or your company are required to report any changes in your data.
III. What do we process your personal data for?
We process your data for the purpose of managing a number of activities resulting from specific procedures performed in sales, after-sales service, supplier management, quality of services, etc. Hence we may use your data to undertake one or more of the following actions as part of our business relationship:
- Administrative, sales, tax and accounting/invoicing management.
- Receivables management.
- Managing requests for information.
- Handling complaints/suggestions.
- Providing, extending and enhancing the quality of the services rendered or asked for by the counterparty in the course of the contractual relationship.
- Designing new services related to the previous ones.
We will also process your data to:
- Conduct satisfaction surveys, market research, etc. so that we can provide you with the most appropriate offers and the best possible service quality.
- Send product and service offers to potential customers and our customers which may be of interest to them.
- Undertake any other loyalty actions.
IV. Lawful basis for our processing
The lawful basis for our personal data processing is firstly the duty of the Grupo GNO contracting company to comply with its statutory obligations pursuant to Article 6(1)(c) GDPR, and secondly the performance of the contract to which the customer or supplier whose personal data are processed is a party pursuant to Article 6(1)(b) GDPR. Furthermore, the lawful basis for processing may sometimes be fulfilling legitimate interests pursued by Grupo GNO companies pursuant to Article 6(1)(f) GDPR or the express consent of the data subjects pursuant to Article 6(1)(a) GDPR.
V. Who do we share your data with?
Authorised personnel of the Grupo GNO contracting company may access the personal data of potential customers, customers and suppliers. Authorised personnel of GNO CORPORATE S.L.U., as parent company of Grupo GNO, may also have access to them from time to time.
In the case of GCR PLASTIC SOLUTIONS S.L.U. (hereinafter referred to as “GPS”) and its related undertakings, authorised personnel from GPS’s sales, development, finance and IT departments handle the processing of the personal data of customers, potential customers and suppliers of GPS and its related undertakings. These data are stored in a database to which both GPS and its related undertakings have access.
Personal data may also be disclosed to third parties such as IT service providers, database providers, cloud service providers, logistics companies, administrative management agencies, external consultants and lawyers. In such a case, we will ensure that the third party with access to your personal data complies with data protection regulations when performing the processing. Your personal data may also be disclosed to government authorities and courts when required by law or for the purpose of legal proceedings.
VI. How long do we keep the data?
The personal data of individuals related to potential customers, customers and suppliers which Grupo GNO companies compile through contact and/or information gathering forms will be retained until the data subject requests their erasure. The data provided by our customers and suppliers will be retained for as long as the business relationship between the parties is maintained, in all cases in compliance with the minimum statutory retention periods based on the subject matter.
Grupo GNO companies will in any event keep your personal data for such period of time as is reasonably necessary in view of our needs to address any issues that may arise or resolve problems, implement improvements and comply with applicable statutory requirements.
VII. Security measures
Grupo GNO companies are committed to protecting personal data and privacy and therefore process your data in the strictest confidence at all times and comply with the binding obligation of secrecy with respect to them. To this end, they have in place the technical and organisational measures required to protect the security of your data and prevent their alteration, loss, or unauthorised processing or access. The controller will inform anyone who has access to the data of their security obligations (non-disclosure, confidentiality and privacy) and their duty to maintain secrecy.
VIII. Your rights
Data protection regulations recognise the data subject’s right to access their data and obtain a copy of them, the right of rectification, the right of erasure, the right to restrict processing, the right to object to the processing of their data and the right to the portability of the data they supply (Article 15 et seq. GDPR).
To exercise your rights, you can email us at [email protected]. We will provide you with information on action taken on your request without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We will inform you of any such extension within one month of receipt of your request together with the reasons for the delay.
Finally, you have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es/es).