Privacy Policy & Data protection

Document last reviewed: 24.05.2018

In this document we refer to the new General Data Protection Regulation (GDPR) established by the European Parliament and the Council of the European Union, which came into force on May 25, 2016, for the application and support to the Organic Law 15/ 1999 of December 13, known as LOPD (Personal Data Protection).

Any interested person can contact our privacy policy manager, at any time, with any questions or suggestions regarding data protection.

1. Basic information on data processing and its legal basis
1.1. This data protection declaration informs you about the type, scope and purpose of the processing of personal data within our websites, functions and contents (hereinafter collectively referred to as “website”). This privacy policy applies regardless of the domains, systems, platforms and devices (for example, desktop or mobile) on which the online offer runs.
1.2. For the terms used, such as “personal data” or its “treatment”, we refer to the definitions in article 4 of the RGPD.
1.3. The personal data of the users processed within the framework of the online offer includes usage data (type and version of the browser, operating system used, URL of the previously visited page, IP address of the accessing computer and time of the request) and information about the content (for example, entries in the application form).
1.4. The term “user” encompases all individuals utilizing our systems. These include our business partners, customers, interested parties and other visitors to our online services and offers. The terms used, such as “user”, should be understood as gender neutral.
1.5. We process users’ personal data only in accordance with the relevant data protection regulations. User data will only be processed if there is legal permission, if data processing is required by law or if the user has given their consent. We process personal data on the basis of our legitimate interests (ie interest in analyst, optimization and economic operation and security of our online offer within the meaning of Article 6, paragraph 1, letter f of the GDPR), in particular for the measurement of the scope, the creation of profiles for advertising and marketing purposes and the collection of access data and the use of third-party services.
1.6. We point out that the legal basis is founded on consent to processing for the compliance of our services and the execution of contractual measures, for processing for the compliance for our legal obligations or for processing for the protection of our legitimate interests (Art. 6, Paragraph 1, letter a and Art.7) of the RGPD.
1.7. What sources and data do we use? We process personal data of customers, suppliers, interested parties, applicants and employees. We process this data in the context of business relationships, application procedures or employment relationships. We also use data from publicly accessible sources that can be processed. The legal basis is the compliance of the (pre)contractual obligations, the legitimate interest, the legal regulation or the available consent of the interested person.

2. Security measures
2.1. We take organizational, contractual and technical security measures in accordance with the most advanced technology to ensure compliance with the provisions of data protection laws and thus protect the data we process against accidental or intentional manipulation, loss, destruction or access by unauthorized persons.
2.2. Security measures include in particular the encrypted transmission of data between your browser and our server.

3. Transmission of data to third parties and third party providers
3.1. The data will only be passed on to third parties within the framework of legal requirements. We only pass on user data to third parties if necessary, for example on the basis of Article 6, Paragraph 1, letter b of the RGPD for contractual purposes or based on legitimate interest in accordance with Article 6, Paragraph 1, letter f of the GDPR for the efficient and lucrative functionality of the business operations.
3.2. If we use subcontractors for the provision of our services, we will take the appropriate legal precautions, as well as the appropriate technical and organizational measures to ensure the protection of personal data in accordance with the relevant legal provisions.
3.3. If, in the context of this privacy policy, content, tools or other means of other providers (hereinafter jointly referred to as “third-party providers”) are used, these will only be transferred to countries with an adequate level of data protection and to countries within the scope of the GDPR.

4. Online application
If we proactively receive applicants’ data by post or email, technical and organizational measures ensure that their personal data will be treated confidentially within legal requirements. After completing the application process, the data will be deleted unless you agree that it will be stored for a longer period of time. Deletion takes place after four months (due to meeting deadlines for possible claims under the AGG).

5. Cookies
The websites www.bpa-spain.com and luxvillas-spain.com and the Internet-based services (www.bpa-spain.com and subdomains and luxvillas-spain.com and subdomains) of B GROTH Asset Management S.L use cookies. Cookies are text files that are stored on a computer system through an Internet browser.
Many websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters through which internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This allows visited internet pages and servers to distinguish the individual browser of the person concerned from other Internet browsers that contain other cookies. A particular internet browser can be recognized and identified by its unique cookie ID.
The use of cookies allows us to offer users of this website more user-friendly services that would not be possible without cookies.
By means of a cookie, the information and offers on our website can be optimized for the user. Cookies allow us, as already mentioned, to recognize the users of our website. The purpose of this acknowledgment is to make it easier for users to use our website. For example, the user of a website that uses cookies does not have to re-enter their access data each time they visit the website, since this is assumed by the website and the cookie stored in the user’s computer system. Another example is the cookie of a shopping basket in the online store. The online store remembers the items that a customer has placed in the virtual shopping cart through a cookie.
The interested party can prevent the installation of cookies on our website at any time by means of the appropriate configuration of the internet browser used and, therefore, permanently oppose the installation of cookies. Furthermore, already established cookies can be deleted at any time through an internet browser or other software programs. This is possible in all common internet browsers. If the interested party deactivates the installation of cookies in the Internet browser used, it is possible that not all the functions of our Internet site can be used in their entirety.

6. Third party services
6.1. Google Workforce and Google Cloud

To make our communication infrastructure, we use the services of Google Inc. (“Google”), especially Google Workforce, described at https://workspace.google.com/intl/de/terms/dpa_terms.html, and Google Cloud, described at https://cloud.google.com/terms/services. Due to the EU General Data Protection Regulation (GDPR), which will come into force on May 25, 2018, Google has updated version 2.0 of the appendix for data processing (6th third-party service provider) in October 2017 .
Google not only uses the EU-US Privacy Shield, an agreement between the US government and the EU on data protection, but also standard contractual clauses to ensure that the requirements of the Directive of data protection of the EU in terms of adequacy and security are met.

6.2. Google Analytics

6.2.1. This website uses the Google Analytics service which is provided by Google Inc. (“Google”) to analyze website usage by users, i.e: the interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6. Paragraph. 1, Letter F of the GDPR.Google uses cookies. The information generated by the cookie is usually sent to a Google server in the USA and stored there.
6.2.2. Google uses the collected information to create an evaluation of website use and website activity and provides services associated with the internet use.
6.2.3. IP anonymization is used on this website. The IP address of the user is shortened within the member states of the EU and the European Economic Area to eliminate the personal reference of the user’s IP address. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
6.2.4. The IP address transmitted by the user’s browser is not merged with other Google data. Users can prevent the storage of cookies by configuring their browser software accordingly; they can also prevent Google from collecting the data generated by the cookie and relating to their use of the website and the processing of this data by Google by downloading and installing the browser plug-in available at this link: https://tools.google.com/dlpage/gaoptout?hl=en
6.2.5. For more information about Google’s use of tata and the options for setting an objection, please visit the Google website: Google’s use of data when you use our partners websites or applications, use of data for advertising purposes, management of the information Google uses to show you advertising.

6.3 Google Maps

Our website uses integrated maps to create directions from the Google Maps service provided by Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. By using this website, you consent to the collection, processing and use of automatically collected data and data provided by you by Google, one of its agents or third parties.

7. Social media
B GROTH Asset Management S.L offers the possibility to follow the company’s update related to social media presence, usually through a “Follow us” button.

7.1 LinkedIn

Our online offering uses functions of the LinkedIn network. LinkedIn is an Internet-based social network that enables users to connect with existing business contacts and make new business contacts.
LinkedIn is operated by LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA. Privacy issues outside the U.S. are the responsibility of LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
Whenever a LinkedIn Plug-In component (LinkedIn Plug-In) is installed on our website, this component causes the browser used by the person in question to download a corresponding representation of the LinkedIn component, if clicked consciously and proactively.

More information about LinkedIn plug-ins.
In the course of this technical procedure, LinkedIn is informed which specific subpage of our website is visited by the person concerned.
In the event that the user is simultaneously logged into LinkedIn, each time the user visits our website and for the entire duration of their stay on our website, LinkedIn will recognize which specific sub-page of our website the user visits. This information is collected by the LinkedIn component and assigned by LinkedIn to the respective LinkedIn account of the person concerned. If the person in question clicks on a LinkedIn button integrated into our website, LinkedIn assigns this information to the personal LinkedIn user account of the person in question and stores this personal data.
LinkedIn receives information via the LinkedIn component that the person in question has visited our website each time the person in question is logged into LinkedIn at the same time as accessing our website; this happens regardless of whether the person in question clicks on the LinkedIn component or not. If such transmission of this information to LinkedIn is not desired by the user, that can be prevented by logging out of his or her LinkedIn account before accessing our website.
LinkedIn offers the possibility to unsubscribe from e-mail messages, SMS messages and targeted advertisements, as well as to manage the settings of the e-mails, SMS messages and targeted advertisements.

7.2 YouTube

The website and other internet pages provided by B GROTH Asset Management S.L use embedded videos from the YouTube platform. YouTube is an Internet video portal that allows video publishers to publish video clips and other users to view, rate and comment on them free of charge. YouTube allows the publication of all types of videos, so that full-length movies and TV shows as well as music videos, trailers or videos made by users themselves can be accessed through the Internet portal.
YouTube is operated by YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

Each time a user accesses a page which contains an integrated data controller with a YouTube component (YouTube video), the respective YouTube component automatically prompts the browser used by the user to download a representation of the corresponding YouTube component. In the course of this procedure, both YouTube and Google are informed of the specific subpage of the website that was visited.

If the user is also logged in on Youtube website at the same time, YouTube recognizes which specific subpage of our website the person visited or used. This information is collected by YouTube and Google and assigned to the respective YouTube account of that particular user.

YouTube and Google receive information via the YouTube component that the user visited our website each time the person visited the website regardless of whether that user clicks on a YouTube video or not as long as the user is simultaneously logged in their YouTube account. If such transmission of this information to YouTube and Google is not desired, this can be prevented by logging out of the user’s Youtube account before accessing our website.

The data protection regulations provide information on the collection, processing and use of personal data by YouTube and Google.

8. Users rights
8.1. Right of confirmation

Under the European legislator, all users have the right to request and confirm whether personal data concerning them is being processed. If you wish to exercise this right please get in contact with us at any time.

8.2. Right of information

Any person affected by the processing of personal data shall have the right, recognized by the European legislator, to obtain, at any time, information about the personal data concerning them and a copy of such information. In addition, the European legislator has granted the user the request of the following information:

• The purposes of the processing;
• The categories of personal data processed;
• The recipients or categories of recipients to whom the personal data has been or continue to be disclosed;
• The expected duration of the storage of the personal data or, if not possible, the criteria for determining such duration;
• The existence of a right to rectification or erasure of personal data concerning the user;
• The existence of a right to appeal to a supervisory authority;
• If the personal data is not collected from the user, all available information of the origin of the data;

The existence of an automated decision-making process, including profiling in accordance with Article 22(1) and (4) of the GDPR and of meaningful information providing the scope and expected effects of user’s data processing;
In addition, the user has the right to access information on whether the personal data has been transferred to a third party or to an international organization. In this case, the user has the right to obtain information on the data processed.
If you wish to exercise any of the above rights, please get in contact with us.

8.3. Rights of correction

Any user who has their data processed, shall have the right granted by European legislator to request the immediate correction of inaccurate personal data concerning them. In addition, the user has the right to request that any incomplete personal data to be supplemented, including by means of a supplementary declaration. If you wish to exercise your right of correction, please get in contact with us.

8.4. Right to erasure (right to be forgotten)

Any user who has their data processed shall have the right, recognized by the European legislator to request the administrator of this website the immediate erasure of personal data related to them, provided that one of the following grounds applies and to the extent that the processing is not necessary:
The personal data has been collected or otherwise processed for purposes for which they are no longer necessary;
The user withdraws the consent on which the processing was based on Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR and there is no longer legal basis for the processing.
The user objects to the processing of Article 21(1) of the GDPR and there are no compelling legitimate grounds for the processing of the user’s objections to the processing of Article 21(2) of the GDPR.
The personal data has been unlawfully processed.

The erasure of personal data is necessary in order to comply with a legal obligation under the European Union law or the law of the Member States to which administration of this website is subject to.
Personal data has been collected in connection with information society services offered in accordance with Art. 8 Paragraph 1 of GDPR. If one of the aforementioned reasons applies, and a user wishes to have the personal data stored by the B GROTH Assets Management S.L erased, they may contact, at any time the administrators of the website. They will arrange the request for erasure.

If the personal data has been made public by B GROTH Asset Management S.L, the company is obliged to erase the personal data of the user in accordance with Article 17, Paragraph 1 of GDPR and must take appropriate measures to remove any personal data of the individual user.

8.5. Right of data portability

Any user shall have the right recognized by the European legislator to receive personal data concerning him or her provided by the data subject to a controller in a structured, current, and machine-readable form. He or she shall also have the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, provided that the processing is based on the consent provided for in Article 6(1)(a) of the GDPR or Article 9(2), (a) of the GDPR, or on a contract pursuant to Article 6(1)(b) of the GDPR, and that the processing is carried out by automated procedures, unless it is necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the controller.
In addition, in exercising his or her right to data portability under Article 20(1) of the GDPR, the data subject has the right to obtain that personal data be transferred directly by a controller to another controller, provided that this is technically feasible and does not affect the rights and freedoms of other individuals.
The data subject may contact an employee of the B GROTH Asset Management S.L at any time to assert the right to data portability.

8.6. Right to object

1. Any data subject affected by the processing of personal data shall have the right to object at any time to the processing of personal data concerning him or her in accordance with Article 6(1)(e) or (f) of the GDPR, on grounds relating to their particular situation. This also applies to profiling based on these provisions.
The B GROTH Asset Management S.L shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or if the processing is intended to assert, exercise or defend legal claims.

If the B GROTH Asset Management S.L processes personal data for direct marketing purposes, the data subject has the right to object at any time to processing of personal data for such advertising purposes. This also applies to profiling insofar as it is connected to such direct marketing. If the data subject objects to the B GROTH Asset Management S.L to the processing for direct marketing purposes, the B GROTH Asset Management S.L will no longer process the personal data for these purposes.

In addition, the data subject has the right to object to processing of personal data concerning him or her for scientific or historical research purposes, or for statistical purposes at the B GROTH Asset Management S.L pursuant to Article 89(1) of the GDPR, on grounds relating to his or her particular situation, unless the processing is necessary for the performance of a task carried out for reasons which are connected with his or her particular situation, unless the processing is necessary for the performance of a task carried out in the public interest.

In order to exercise the right to object, the data subject may directly contact a B GROTH Asset Management S.L employee. The data subject may also freely exercise his or her right to object to the use of information society services by means of automated procedures using technical specifications, notwithstanding the provisions of Directive 2002/58/EC.

8.7. Automated decisions in individual cases, including profiling

1. Any person to whom personal data relate shall have the right, recognized by the European legislator of directives and regulations, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects against him or her or significantly and similarly affects him or her, provided that the decision is not: (1) necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) admissible under Union or Member State law to which the controller is subject and such law contains appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, or (3) with the data subject’s express consent.

2. Where the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller or (2) is taken with the data subject’s explicit consent, the B GROTH Asset Management S.L shall take appropriate measures to safeguard the data subject’s rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a controller, to state his or her own position and to contest the decision.
If the data subject wishes to assert rights concerning automated decisions, he or she may, at any time, contact an employee of the controller.

8.8. Right to withdraw the consent pursuant to the Data Protection Act
Any data subject affected by the processing of personal data has the right granted by the European legislator of directives and regulations to withdraw the consent to the processing of personal data at any time.
If the data subject wishes to exercise the right to withdraw the consent, he or she may, at any time, contact an employee of the controller.

9. Changes to the Data Protection Statement
We reserve the right to change the data protection declaration in order to adapt it to changing legal situations, or to changes in the service and data processing. However, this only applies to statements on data processing. If user consent is required or if individual components of the data protection declaration contain provisions of a contractual relationship with users, changes will only be made with the consent of the users.