Controller

For the purposes of the GDPR, where personal data is processed only—

a)       for purposes for which it is required by an enactment to be processed, and

b)       by means by which it is required by an enactment to be processed,

the person on whom the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.

Personal Data

Any information relating to an identified or identifiable living individual

Identifiable living individual

Means a living individual who can be identified, directly or indirectly, in particular by reference to:

a)       an identifier such as a name, an identification number, location data or an online identifier, or

b)       one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

Data subject

Means the identified or identifiable living individual to whom personal data relates.

Processing

In relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as:

a)       collection, recording, organisation, structuring or storage,

b)       adaptation or alteration,

c)       retrieval, consultation or use,

d)       disclosure by transmission, dissemination or otherwise making available,

e)       alignment or combination, or

f)        restriction, erasure or destruction,

Purpose

Marketing

Company

ElephintPink

Address

C/ Victor de la Serna, nº1. 29602. Marbella, Málaga, Spain

Email

info@elephantpink.com

Purpose

Delivery

Company

Mail Boxes ETC.

Address

Email

Cookie Name

Provider

Expiry

Purpose

_ga

Google Analytics

2 years

It is used to distinguish users.

_gid

Google Analytics

24 hours

It is used to distinguish users.

_gat

Google Analytics

1 minute

Used to limit the percentage of requests.

AMP_TOKEN

Google Analytics

30 secs to 1 year

Includes a token that can be used to retrieve a client ID from the AMP Client ID service. Other possible values indicate disables, in-progress requests, or errors obtained when retrieving an ID from the AMP Client ID service.

_gac_<property-id>

Google Analytics

90 days

It includes campaign information relating to the user. If you have linked your Google Analytics and AdWords accounts, website conversion tags will read this cookie unless you disable it.

_hjSessionUser_{site_id}

Hotjar

365 days

•             Set when a user first lands on a page.

•             Persists the Hotjar User ID which is unique to that site. Hotjar does not track users across different sites.

•             Ensures data from subsequent visits to the same site are attributed to the same user ID.

•             JSON data type.

_hjid

Hotjar

365 days

•             This is an old cookie that we do not set anymore, but if a user has it unexpired in their browser, we will reuse its value and migrate to _hjSessionUser_{site_id}.

•             Set when a user first lands on a page.

•             Persists the Hotjar User ID which is unique to that site.

•             Ensures data from subsequent visits to the same site are attributed to the same user ID.

•             UUID data type.

_hjFirstSeen

Hotjar

30 minutes

•             Identifies a new user’s first session.

•             Used by Recording filters to identify new user sessions.

•             Boolean true/false data type.

_hjHasCachedUserAttributes

Hotjar

Session duration

•             Enables us to know whether the data set in _hjUserAttributes Local Storage item is up to date or not.

•             Boolean true/false data type.

_hjUserAttributesHash

Hotjar

2 minutes duration, extended every 30 seconds.

•             Enables us to know when any User Attribute has changed and needs to be updated.

•             Content hash data type.

_hjUserAttributes

Hotjar

No explicit expiration.

•             Stores User Attributes sent through the Hotjar Identify API.

•             Base64 encoded JSON data type.

hjViewportId

Hotjar

Session duration.

•             Stores user viewport details such as size and dimensions.

•             UUID data type.

hjActiveViewportIds

Hotjar

Stores an expirationTimestamp that is used to validate active viewports on script initialization

•             Stores user active viewports IDs.

•             .JSON data type.

Right to information

The data subject is entitled to receive the next information:

a)      the identity and the contact details of the controller;

b)      the legal basis on which, and the purposes for which, the controller processes personal data;

c)       the categories of personal data relating to the data subject that are being processed;

d)      the recipients or the categories of recipients of the personal data (if applicable);

e)      the right to lodge a complaint with the Commissioner and the contact details of the Commissioner;

f)        how to exercise data subject rights;

g)  any other information needed to secure that the personal data is processed fairly and transparently.

Right of access

The data subject is entitled to receive confirmation as to whether or not personal data concerning the individual is being processed, and where that is the case:

a)      communication, in intelligible form, of the personal data of which that individual is the data subject, and

b)      the purposes of and legal basis for the processing;

c)       the categories of personal data concerned;

d)      the recipients or categories of recipients to whom the personal data has been disclosed;

e)      the period for which the personal data is to be preserved;

f)        the existence of a data subject’s rights to rectification and erasure of personal data;

g)      the right to lodge a complaint with the Commissioner and the contact details of the Commissioner;

h)  any information about the origin of the personal data concerned.

Right not to be subject to automated decision-making

The controller may not take a decision significantly affecting a data subject that is based solely on automated processing of personal data relating to the data subject.

Right to intervene in automated decision-making

If the controller takes a decision significantly affecting a data subject that is based solely on automated processing of personal data relating to the data subject, the controller must as soon as reasonably practicably notify the data subject that such a decision has been made.

The data subject may, before the end of the period of 1 month beginning with receipt of the notification, request the controller:

a)      to reconsider the decision, or

b)      to take a new decision that is not based solely on automated processing.

If a request is made to the controller, it must, before the end of the period of 1 month beginning with receipt of the request:

a)      consider the request, including any information provided by the data subject that is relevant to it, and

b)      by notice in writing inform the data subject of the outcome of that consideration.

Right to information about decision-making

Where:

a)      the controller processes personal data relating to a data subject, and

b)      results produced by the processing are applied to the data subject,

the data subject is entitled to obtain from the controller, on request, knowledge of the reasoning underlying the processing.

Right to object to processing

A data subject is entitled at any time, by notice given to the controller, to require the controller:

c)       not to process personal data relating to the data subject, or

d)      not to process such data for a specified purpose or in a specified manner,

on the ground that, for specified reasons relating to the situation of the data subject, the processing in question is an unwarranted interference with the interests or rights of the data subject.

Rights to rectification and erasure

If a court is satisfied on the application of a data subject that personal data relating to the data subject is inaccurate, the court may order the controller to rectify that data without undue delay.

Right to access

The organisation must inform about:

The purposes of the treatment, categories of personal data that are processed and the possible data communications and their recipients.

If possible, the period of conservation of your data. If not, the criteria to determine this term.

The right to request the rectification or suppression of the data, the limitation to the treatment, or to oppose it.

The right to file a claim with the Control Authority.

If an international data transfer occurs, receive information on the appropriate guarantees.

The existence of automated decisions (including profiles), the applied logic and consequences of this treatment.

Rectification

Interested parties can request:

The rectification of inaccurate data and complete incomplete personal data, even with an additional declaration.

Suppression / Deletion

Interested parties can request:

The suppression of personal data without due delay when any of the cases contemplated concur. For example, illicit treatment of data, or when the purpose that motivated the treatment or collection.

However, a series of exceptions are regulated in which this right will not apply. For example, when the right to freedom of expression and information should prevail.

Limitation of the treatment

Interested parties can request the person in charge to suspend the processing of data when:

The accuracy of the data is contested, while the accuracy is verified by the person responsible.

The interested party has exercised his right of opposition to the processing of data, while verifying if the legitimate reasons of the responsible party prevail over the interested party.

Ask the person responsible to keep your personal data when:

The data processing is illegal, and the interested party opposes the deletion of their data and requests instead the limitation of its use.

The person in charge no longer needs the data for the purposes of the treatment, but the interested party does need them for the formulation, exercise or defence of claims.

Data Portability

Interested parties can:

Receive the personal data provided in a structured format, of common use and mechanical reading, and be able to transmit them to another responsible, whenever technically possible.

Opposition

Interested parties can oppose to the personal data treatment:

When for reasons related to your personal situation, the processing of your data must cease unless a legitimate interest is proven or is necessary for the exercise or defence of claims.

When the treatment is focused on direct marketing.

Not to be object of individualised decision

Interested parties have the right not to be the subject of a decision based solely on automated processing, including profiling, which produces legal effects or affects them.

Exceptions:

When it is necessary for the conclusion or execution of a contract.

When it is allowed by the Law of the EU or the Member States, with adequate measures to safeguard the rights and freedoms of the owner of the data.

When there is explicit consent of the owner of the data.

Right of access

Any person may ask the controller whether personal data concerning him/her are being processed.

The data subject shall be provided with the information necessary to enable him/her to assert his/her rights under this law and to ensure the transparency of the processing. In all cases, the data subject shall be provided with the following information

a)      the identity and contact details of the controller;

b)      the personal data processed as such

c)       the purpose of the processing

d)      the duration of the storage of the personal data or, if this is not possible, the criteria for determining the duration;

e)      the information available on the origin of the personal data, insofar as these data have not been collected from the data subject;

f)        where applicable, the existence of an automated individual decision and the rationale on which the decision is based; and

g)      where applicable, the recipients or categories of recipients to whom the personal data are disclosed.

Right of rectification

Any person processing personal data must ensure their accuracy. He shall take all appropriate steps to rectify, erase or destroy data which are inaccurate or incomplete in relation to the purposes for which they are collected or processed.

Right to erasure, “the right to be forgotten”.

Personal Data is destroyed or rendered anonymous as soon as it is no longer necessary for the purposes of processing.

This is the right to have inaccurate, inadequate, irrelevant or excessive personal data erased at the request of the data subject.

This right is not absolute and is limited in four cases: an overriding interest (public or private) in keeping the information, in case of freedom of information (public figures), in case of scientific research and if there is a legal obligation to keep the data (archives).

Right to data portability

The data subject may request the controller to provide him or her with personal data concerning him or her which it has communicated to him or her in a commonly used electronic format if the following conditions are met:

a)      the controller processes the personal data by automated means;

b)      the personal data are processed with the data subject’s consent or in direct connection with the conclusion or performance of a contract between the data subject and the controller.

The data subject may also request the controller to transfer his or her personal data to another controller, provided that the conditions of paragraph 1 are met and that this does not adversely affect the data subject.

Limitation of the treatment

Any person concerned by the collection and processing of personal data has the right to obtain from the controller, at any time and as soon as possible, the restriction of processing where one of the following circumstances exists

a)      the data subject contests the accuracy of the data (in this case, the processing shall be restricted for the time necessary for the controller to verify the accuracy of the data)

b)      the processing is unlawful and the data subject prefers the restriction of the use of the data rather than their erasure

c)       the controller no longer needs the data for processing purposes, but the data may still be needed by the data subject in the context of legal proceedings

d)      the data subject has exercised his or her right to object to the data being processed

Opposition

The data subject may request the “prohibition of a specific processing of personal data” and the “prohibition of a specific communication of personal data to third parties”. It is limited by any overriding interest (public or private) of the controller.

Right not to be subject to automated individual decisions

There are three rules concerning automated decisions: a duty of information in case of an automated individual decision (on the existence of an exclusively automated individual decision and the logic on which this decision is based) and the possibility for the decision to be reviewed by a human being upon request (Art. 21 nLPD), as well as a specific right of access (Art. 25, para. 2 f nLPD).