GENERAL PRIVACY POLICY

At Common Lands Network, we are committed to protecting your privacy. We want to be transparent about the data that we compile, how we use it and the rights that you have to control your data. Our registered users share their identity, interact with their network of contacts, exchange information, experiences and knowledge, post and view content, acquire and develop skills and find opportunities for collaboration. The content and data of a large part of this website are available to individuals who are not registered users.
Through our platform, you can provide information about your activities and contact data to the general public and to people interested in the commons in particular. We want this information to be used freely to promote and promulgate your activity, creating opportunities for collaboration. All users, whether registered or not, can share whatever they choose to post on our platform, including personal data or information about communities, associations and other types of entities that voluntarily decide to include their data on our platform to give visibility to and disseminate their activity and establish collaboration networks.

1. User information, natural persons.

Common Lands Network, as the data Controller processing the personal data of the users (natural persons) informs you that your data will be processed in accordance with the provisions in Regulation (EU) 2016/679 of 27 April 2016 (RGPD) on the protection of natural persons and Organic Law 3/2018 of 5 December (LOPD-GDD) on the processing of personal data and the free circulation of such information.

For what purposes do we process personal data?

At Common Lands Network, we process the data of the persons concerned to manage and develop communications (user contact, resolution of queries, etc.), to facilitate contact between users, as well as to handle requested services and develop the aims of the website.
Managing and registering user requests: we give the user access to their account so that they can manage their data and use the website. When an account is created, data are requested from you, like your identification data, email and postal mail addresses, mobile phone number, social networks, webpages, address, the sector in which you work, your logo or photograph, and you will be asked to describe your activity. Some of these data are optional and do not have to be provided in order to register.
Regarding the publication of data of a personal nature that our website can share on social networks, under no circumstances will data beyond that used to respond to your queries or suggestions be processed, and the privacy policy is that of the entities responsible for these sites. We are not responsible for the personal information that each user may post. However, we review the posts to verify that the content reflects our idea of a participatory platform.
Once your account is created, you will have access to your profile where you can upload photographs, presentations, events, audio or post news related to your activity, all of which will be visible to both web users and visitors. When you publicly share an article or post (for example, an image, a video or an article), everyone can see it and share it again anywhere. Registered users, visitors and other people will be able to find and see the content that you have publicly shared, including your name (and your photograph if you have provided one).
Through the website, you will be able to search the other profiles of registered users in order to contact and collaborate with them.

What type of data do we process?

In addition to the different means of collection cited, as well as the different stated processing purposes, you are informed that the types of data that we can process in our information system are:

  • Identification data
  • Electronic mail addresses
  • Postal mail addresses, if you decide to include them
  • Images, if you decide to include them
  • Telephone numbers, if you decide to include them
  • Recordings

Content posting and uploading

We compile your personal data when you upload the information on our website, when you complete a form, upload a photograph or post an event or audio. You do not need to post or upload all your personal data, only that required to register, although if you do not do so, it may limit your ability to interact through the website.

How long do you keep my data?

Personal data will be kept as long as their erasure is not requested, or while there is some measure or legal requirement for their conservation.
When the data cease to be necessary for the purposes for which they were collected, they will be erased, ensuring their confidentiality.

What are the legal grounds for the processing of your data?

The processing of your personal information is based on the following legal grounds: The legal basis for processing your personal data is the informed consent that, when applicable, you provided to be processed by the website, and any other processing necessarily implied by the collection of your personal data, for which a clear affirmative action on the part of the interested party is an essential requirement.
You are informed that the personal data requested at the time of registering on this webpage are those strictly necessary to formalize and manage your participation on the website such that, in the event that they are not provided, you will not be able to share or post any type of information with other registered users or visitors. In any case, this primary purpose is not subject to consent for the processing of data that are not necessary for the main activity.

Who are the data recipients?

The data entered will be freely accessible to all registered users and visitors. Data is transferred internationally to all EU and non-EU countries, and the registered user gives their explicit consent to this international data transfer when they register on the website.

What are your rights when you provide us with and/or we process your data?

As an interested party, you can at any time request the exercise of any of the following rights related to the protection of data:

  • Access your data: You have the right to access your data to know what personal data we are processing that concern you.
  • Request the rectification or erasure of data: In certain circumstances, you have the right to rectify those personal data that you consider inaccurate and that concern you and that are processed by entities, as well as the right to request that your data be erased when, among other reasons, the data cease to be necessary for the purposes for which they were collected.
  • Request the right to limit the processing of your data: In certain circumstances, you will have the right to request that we limit the processing of your data, in which case you are informed that we will only keep the data covered by your request to limit processing necessary for the exercise or defence of claims.
  • Regarding the portability of your data: In certain circumstances, you will have the right to receive the personal data that concern you and that you provided us in a structured format for common use that can be processed by a computer, as well as be transmitted to another data processing controller by our organization.
  • Oppose the processing of your data: In certain circumstances and for reasons related to your particular situation, you will have the right to oppose the processing of your data, in which case we will cease to process them, except when we must continue on compelling legitimate grounds or for the exercise or defence of possible claims.
  • The right to lodge an appeal to the supervisory authority if you are not satisfied with the exercise of your rights, in this case, the Spanish Data Protection Agency: http://www.aepd.es

You are informed that you can exercise your rights over your personal data in either of the following ways:

  • Using the postal mail address: R/ O Pazo 15, 36164 Pontevedra
  • Using the email address: hola@icomunales.org

2. User information for the community, association, company or other type of entity

Communities, entities, companies or other organizations that upload data to the Common Lands Network platform assume full responsibility with regard to third parties in relation to the legality and rights of intellectual property, propriety rights, authorship or any other rights to the content incorporated into the platform, with Common Lands being a mere service provider for the user to store the information for which the user is solely responsible, acting in this case as the data processor, regulated according to the provisions in Article 28 of the GDPR. The data entered on the platform by system users are the property of the registered user who is using our platform, and thus also the data processor. At Common Lands Network, as data processors, we undertake to:

  • - Only use the personal data being processed or collected for inclusion for the mandated purpose. In no case can they be used for our own purposes.
  • - Process the data according to the instructions of the data controller. If the data processor believes that any of the instructions infringe upon the GDPR or any other provision related to the protection of data of a personal nature, the data processor will immediately inform the data controller.
  • - To provide a general description of the technical and organizational security measures related to:
  • - The pseudonymization and encryption of personal data;
  • - Guaranteeing the permanent resilience, availability, integrity and confidentiality of the processing services and systems;
  • - Restoring the availability and access to personal data quickly in the case of physical or technical incidents; and
  • - Regularly assessing, evaluating and verifying the efficiency of the technical and organizational measures to guarantee processing security.
  • - Not to transmit data to third parties, except with the express authorization of the data controller, in legally admissible cases. It must be specified that, upon registering, you expressly consent to the international transfer of data and the public dissemination of all data, with the exception of the password, voluntarily entered on the platform for the exclusive purpose of disseminating the content incorporated into it. The data processor can transmit the data to other data processors under the same data controller, in accordance with the instructions of the controller. In this case, the controller will identify, with prior written notification, the entity to which the data are to be transmitted, which data will be transmitted and the security measures to be applied for the transmission. If the processor must transfer personal data to a third country or international organization, by virtue of European Union or applicable member state law, they will inform the controller of this legal requirement beforehand, except when such law prohibits this for important reasons of public interest.
  • Maintain the duty of secrecy with respect to all personal data among those who have had access to them by virtue of their commission, even after the purpose has been fulfilled.
  • Guarantee that the individuals authorized to process personal data undertake, expressly and in writing, to respect confidentiality and comply with the corresponding security measures, of which they have been properly informed.
  • Provide the data controller with the supporting documentation showing compliance with the obligation established in the previous section.
  • Guarantee the necessary training of the individuals authorized to process personal data in relation to the processing of data of a personal nature.
  • Assist the data processing controller in responding to the exercise of the rights of access, rectification, erasure, opposition, limitation of processing, portability of data and not being subject to automated individualized decisions (including the creation of profiles). When the individuals concerned exercise the rights of access, rectification, erasure, opposition, limitation of processing, portability of data and not being subject to automated individualized decisions with the data processor, the latter must communicate this to the data controller. The communication must be immediate and in no case extend beyond one working day after the reception of the request and be accompanied by, where applicable, any other information that may be relevant to resolve the query.
  • Ensure the right to information: the data processor at the time of data collection must provide the information related to any data processing that is going to be done. The language and format in which the information will be provided must be agreed upon with the data controller before data begins to be collected.
  • Provide notification of any security violations related to the data:
    the data processor will notify the data controller, without undue delay and in any case within a maximum period of 48 hours, of any security violations related to the personal data under their responsibility of which they have knowledge, accompanied by all relevant information to document and communicate the incident. Notification will not be necessary when it is unlikely that said security violation constitutes a risk to the rights and freedoms of natural persons.
  • Provide the data controller with assistance in evaluating the impact related to data protection, where applicable.
  • Provide the data controller with assistance in making prior consultations with the supervisory authority, where applicable.
  • Provide the data controller with all the necessary information to demonstrate compliance with their obligations, as well as to carry out the audits or inspections made by the controller or another auditor authorized by the controller.
  • Implement the following security measures (whenever feasible and technically possible):
    Guarantee the permanent resilience, availability, integrity and confidentiality of the processing services and systems.
    Restore the availability and access to personal data quickly in the case of a physical or technical incident.
    Regularly assess, evaluate and verify the efficiency of the technical and organizational measures to guarantee processing security.
    Pseudonymize and encrypt personal data, or where applicable, the measures indicated below.
    • - Storage for passwords on secure supports
    • - A tool to detect and block Spam
    • - A tool to prevent viruses and webpage attacks
    • - Submissions of passwords via email to clients using encrypted emails
  • Data destination:
    Return data of a personal nature to the data controller and, if applicable, any supports, once the service is no longer provided. This return must involve the complete erasure of the existing data on the computer equipment used by the data processor. However, the processor may preserve one copy, with the data duly blocked, while service provision responsibilities may still arise.

3. THE COMPULSORY OR OPTIONAL NATURE OF THE INFORMATION PROVIDED BY THE USER

By checking the corresponding boxes and entering the data in the fields of the contact form or in the download forms, users expressly, freely and unequivocally accept that their data are necessary to process their request by the provider, with the inclusion of data in the remaining fields being voluntary.
The user guarantees that the data provided are truthful, accurate, complete and up to date, and is responsible for any damages, direct or indirect, that may arise as a result of a breach of that obligation.
In the event that the user provides data that belong to a third party, the user guarantees that he or she has informed said third party of all the contents of this privacy policy and obtained their consent to supply us with their data for the processing purposes concerned prior to providing the third-party data.
In the event that all the data are not provided, there can be no guarantee that the information and services supplied will completely suit your needs.