Legal notice

energHius protects and guarantees the fundamental right to data protection and is particularly committed to safeguarding individual privacy. Data processing is carried out in accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights. Therefore, this processing adheres to the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.

In any case, energHius will maintain a dynamic understanding of this issue to adapt to any new developments, whether in regulations, case law, decisions of supervisory authorities, or practices in this field. This may necessitate modifications to this privacy and data protection policy, which will be announced in advance.

Data Controller

The general responsibility for data processing lies with energHius, whose registered address for these purposes is (add address). The telephone number is XXX XXX XXX. Informal online contact can be established through our contact page.

Specific requests should be made through this same contact page.

Legal Basis for Processing

The primary legal basis for the processing carried out by energHius is the necessity for the performance of contracts, compliance with specific legal requirements, or the performance of a task carried out in the public interest or in the exercise of official authority. All these conditions are in accordance with Article 6.1 of the European Regulation.

Origin, Use, and Retention of Data

Personal data originates from the data subjects themselves, obtained through various means, such as applications, forms, and digital or analog questionnaires. For these purposes, the expression of consent will be freely given, specific, informed, and unambiguous.

The processing of special categories of data will be carried out taking into account the specific data protection measures set forth in Article 9 of the European Regulation.

Personal data may be exceptionally transferred under university exchange and academic collaboration programs, and also to public administrations with educational responsibilities. In all cases, transfers will comply with the provisions of Articles 44 et seq. of the European Regulation. Data is also transferred to data processors and in cases of legal obligations, in accordance with the regulations.

Data may also be used for statistical purposes or for incident management and, preferably pseudonymized, for research purposes.

The personal data provided will be kept for the period necessary to fulfill the purpose for which it was collected, or for the time required to comply with legal obligations. Once the purpose has been fulfilled, the data will be blocked until the applicable limitation periods have expired.

Rights

Data subjects have the rights to transparency in information, access to their personal data, rectification of inaccurate data, erasure of data where possible, restriction of processing, data portability, objection, the right not to be subject to a decision based solely on automated processing that significantly affects them, the right to withdraw consent at any time, and the right to lodge a complaint with the Spanish Data Protection Agency. These rights may be exercised with the data controller, after the applicant has identified themselves through our contact page.

In addition, data subjects also have the rights that provide access to the administrative and judicial remedies provided for in the legal system for this purpose.

Security

energHius, from a proactive standpoint, adopts all the necessary technical and organizational measures to guarantee data processing and the privacy of individuals. It thus assumes a full commitment to guaranteeing fundamental rights, which includes data protection by design and by default.

Thus, these security measures, in accordance with Article 32 of the European Regulation, will include the pseudonymization and encryption of personal data; the ability to guarantee the confidentiality, integrity, availability, and ongoing resilience of processing systems and services; the ability to restore the availability of and access to personal data quickly in the event of an incident; and a process for regularly verifying, assessing, and evaluating the effectiveness of technical and organizational measures.

These measures comply with legally established obligations and are based on the state of the art, the costs of implementation, and the nature, context, and purposes of the processing. Likewise, the specific risks of severity and likelihood that each type of processing poses to the rights and freedoms of individuals must be taken into account.

Security and personal data breaches will be reported to the supervisory authority and, where applicable, to the data subjects, pursuant to Article 34 of the European Regulation.