Kantauri Ondare Museoa
Visits by appointment only

Legal information

Privacy policy

Information on data processing, legal bases and user rights.



Privacy Policy - MUSEO KANTAURI

OBJECTIVE AND SUBJECTIVE SCOPE
This Privacy Policy is intended to inform users of the conditions governing the collection and processing of personal data through the channels of MUSEO KANTAURI, including the website www.kantauriondaremuseoa.com, its sections, social media profiles, applications, tools and any other means through which personal information may be collected.
Declaration
Our organization respects and complies with the fundamental right to privacy. We proactively protect personal data.
Personal data belongs to each individual. When you provide it to our organization, you lend it to us, and our commitment is to process it lawfully, fairly and transparently, and above all, confidentially.
We process your data on an equal basis, without discrimination or distinction of any kind based on race, color, sex, language, religion, political opinion, national or social origin, economic position, birth or any other condition; and without distinction as to the legal or international status of the country or territory under whose jurisdiction you fall.
In our organization we provide you with access to and control over your personal data at all times. We want to be your trusted organization in privacy matters.
Data Controller
Javier Txapartegi Barinaga is the owner of the website, and our tax identification number is 15935492. The address is C/ Kantauri 5, 20750 Zumaia, Gipuzkoa, Spain.
Contact addresses
PRIVACY OFFICER
Name and surname: Javier Txapartegi Barinaga. Address: C/ Kantauri 5, 20750 Zumaia, Gipuzkoa, Spain. Telephone: +34 688 632 657. Email: info@kantauriondaremuseoa.com
Our records of processing activities
1. Data obtained on our website
The personal data collected on our website may be processed by MUSEO KANTAURI in accordance with the following provisions:
What personal data we process
MUSEO KANTAURI will process the following categories of data:
Identification data: name, surname, national identity document or foreigner identity number and image.
Contact details: address, landline telephone, mobile telephone and email address.
Personal characteristics data: nationality.
Bank details: account number, account holder and SEPA mandate.
Other data: data provided by the data subjects themselves in the open fields of the forms made available on the Website.
Browsing data.
Where we obtain your data
We may obtain your data by using technical procedures to capture technical and security data and data relating to your own activity when you carry out actions on our website or on a website owned by a business partner. In addition, where cookies and/or tracking scripts have been generated with your consent, they may monitor your activity on the internet.
Why we process your data
We may process your personal data because the processing of Website data is necessary to fulfil the purposes arising between the user and MUSEO KANTAURI. In this case, we will always have a legitimate interest in doing so.
However, the processing of your data for marketing purposes relating to MUSEO KANTAURI’s own goods and services and similar services for its customers will be based on consent. In the absence of consent, it may be carried out based on legitimate interest or where there is a prior contractual relationship or pre-contractual request.
The processing of data for statistical purposes will be based on legitimate interest, provided that the data is not disclosed to third parties in a non-anonymized form. If the data is disclosed to third parties or technologies of data processors are used that may use the data for themselves or for other third parties, the processing will necessarily be based on consent.
The sending of commercial communications from third-party entities with which MUSEO KANTAURI collaborates is based on the user’s consent.
We have tried to minimize the processing of personal data by applying the principle of data minimization.
The withdrawal of consent for any processing activity will not affect the lawfulness of the processing carried out previously.
To revoke consent or exercise rights, the User may contact MUSEO KANTAURI by sending a letter addressed to the Privacy Officer of MUSEO KANTAURI at the address indicated in our Legal Notice, or by sending an email to info@kantauriondaremuseoa.com.
What we process your data for
We may process the data for the following purposes:
a) To manage your contact requests with MUSEO KANTAURI through the channels made available for this purpose on the MUSEO KANTAURI websites.
b) To manage purchases made within the Website, including payment management and delivery of the order.
c) To contact the User to complete the order if they have saved their shopping cart or have saved products in their shopping cart without completing the payment process.
d) To manage the newsletter subscription made through the channel provided on the MUSEO KANTAURI websites.
e) To carry out analyses on the use of the Website and verify users’ preferences and behavior.
f) To manage the sending of commercial communications about MUSEO KANTAURI products and services, unless the user indicates otherwise by ticking the corresponding box or objects to such processing.
g) To send commercial communications, such as offers and promotions, to the user by electronic and/or conventional means regarding products and services of third-party companies with which MUSEO KANTAURI collaborates, provided that the user gives consent by ticking the corresponding box.
h) To manage the sending of satisfaction surveys based on the purchase of the MUSEO KANTAURI product or service, to improve our customers’ experience day by day.
i) The data will be kept for the time necessary to fulfil the purposes for which it was collected and during the limitation period for any legal actions that may arise from such processing. Notwithstanding the foregoing, the user may request to unsubscribe from MUSEO KANTAURI, object to the processing, revoke consent or request the deletion of their data.
With which recipients the user’s data will be shared
Your personal data will not be shared with third parties, except for:
Public Administrations and competent national and/or European authorities, in the cases provided for by law.
Our data processors, such as our accounting, financial and administrative advisers. Also, the banking institutions with which we collaborate, as well as those responsible for the maintenance of our equipment and computer systems and for information security.
International transfers
No international transfers are planned.
Our data processors have their data located in the European Union, and their data processing will always be carried out in compliance with legal obligations and in accordance with the purposes and legal bases indicated above. These providers will not process your data for their own purposes that have not been previously reported by MUSEO KANTAURI.
How we protect your data
In our processing activities we apply the following technical and organizational security measures:
Access control and access credentials. Encryption. Pseudonymization. SSL connection. Data minimization principle. Inclusion of confidentiality clauses. Proportionality principle. Restoration or backup systems. Contracts with processors and/or joint controllers.
How long we keep your personal data
We will keep your personal data for the minimum time necessary to fulfil the purpose of the processing. However, on some occasions we may store the data for the maximum period legally permitted so that we can provide evidence and traceability of the proper use and operation of our website.
What rights do you have?
Your personal data is YOURS. You lend it to us, and we store and process it because you want us to do so or, alternatively, because we have a contractual obligation, a legal obligation, a public interest to satisfy or a legitimate interest which in no case will prevail over your right to privacy. Consequently,
2. External services of the website
What personal data we process
We may use external services on our website. We do not record the activity arising from these services. These services provide us with information society services such as the font used on the website, cloud storage, consent registration, sliders, website creation templates, ecommerce services, APIs and other applications to convert currency, incorporate comments, and similar services.
The ticket purchase service is particularly important, as it uses third-party computer applications and connections with payment systems that capture personal data for security, fraud prevention, proof of purchase and consumer guarantees. These external services normally collect personal data such as IP address, browser connection data, device type, screen type, connection speed and, in some cases, data entered in forms. They may collect personal data from documents, files and images, and may store and process names, surnames, address, telephone number, card or identification number, emails and communications, and data collected in cache memory.
Where we obtain your data
We may obtain your data by using technical procedures to capture technical and security data and data relating to your own activity when you carry out actions on our website or on a website owned by a business partner. In addition, where cookies and/or tracking scripts have been generated with your consent, they may monitor your activity on the internet.
Why we process your data
Because our business partners provide services and have a legal interest in providing those services under technical security conditions, recording their use, improving their provision and statistically analyzing their use. The data collected may not be combined with other databases without a legitimizing basis of consent or a legal or contractual obligation. At present, we have no evidence that they carry out unlawful processing, and therefore their use is lawful.
What we process your data for
Our external services may process your data to establish technical security measures, record the use of services, improve their provision and statistically analyze their use. The data collected by these business partners is governed by the privacy policy of the linked service provider. We recommend that you read those policies and exercise your data protection rights with those providers where appropriate.
With whom we share your data
Your personal data is not shared with other third parties.
International transfers
No international transfers are planned.
How we protect your data
Access control and access credentials. Encryption. SSL connection. Data minimization principle. Inclusion of confidentiality clauses. Proportionality principle. Restoration or backup systems. Contracts with processors and/or joint controllers.
How long we keep your personal data
We will keep your personal data for the minimum time necessary to fulfil the purpose of the processing. However, on some occasions we may store the data for the maximum period legally permitted so that we can provide evidence and traceability of the proper use and operation of our website.
YOU CAN
Request access to your personal data whenever you want to know the data stored, its categories, its legal basis and the purpose of the processing, the processing activities carried out, whether we have sold, assigned, transferred, rented or shared it, who the recipients are, and what our data sources are. The information included in the Records of Processing Activities provides you with much of this data, including the recipients of your data during the last twelve months. You may also request from the Data Controller explanations of the Privacy Policy or privacy notice, and any essential information about our storage and processing of your personal data.
Tell us that the data we hold is incorrectly recorded or contains errors and therefore request its modification and rectification.
Request that we no longer carry out processing by objecting or withdrawing your consent and even request that we delete the data. You may ask us for a copy of the data we hold and take it with you or transfer it to another organization.
Restrict our storage and processing so that we do not process any of your data, or data of a sensitive or special category; and so that we do not carry out profiling, database combination, massive processing or processing used for automated decision-making, and so that we limit your monitoring, including geolocation.
Expressly prohibit us from advertising to you and from transferring, sharing, renting or selling your data.
Always remember that, if you exercise your privacy rights as a user, consumer, employee or job applicant, you may never be discriminated against, retaliated against or prevented by the owner of a website and/or its Data Controller from accessing or remaining on it or from being supplied with products and services.
How do you exercise these rights?
Some of these rights may be exercised directly, such as the rights of access, modification, objection, portability and erasure. If you wish to withdraw your consent, we will execute this immediately. You may also write to us and tell us which data is inaccurate and must be rectified.
You may request the personal data in our records of processing activities by email or by post addressed to the Privacy Officer, indicating which right you are exercising and what you are requesting. We undertake to respond to you and comply with your rights within the period established by law. If we do not deal with your rights, you may lodge a complaint with the supervisory authority that corresponds to you, either at your habitual residence, your place of work or the place of the alleged infringement. We provide below the address of the authority corresponding to our residence. If there is no authority in your place of residence, we provide the authority of the web editor’s registered address:
SUPERVISORY AUTHORITY
Country: Spain. Supervisory Authority: Spanish Data Protection Agency (AEPD). Address: C/ Jorge Juan, 6, 28001 Madrid. Telephone: (+34) 91 266 35 17. Email: internacional@aepd.es. Website: https://www.aepd.es/
If, in the implementation of our privacy and data protection policy, we cause you damage, you may bring an individual claim, and perhaps a collective claim, before the ordinary courts of your jurisdiction.
International transfers
We do not carry out international data transfers. However, when we respond to your emails or send you files to the cloud or to a server or service that you have contracted, you may unknowingly be sharing your personal data and authorizing Google (Gmail), Microsoft (Skype, Hotmail, Outlook), Facebook (WhatsApp), Telegram and other providers and their business partners to read and store such data. We recommend that you review their privacy policies.
Protection of children and young people
Our website is aimed at all audiences.
If you are a parent or guardian, or an educator, and you know that we have collected and stored data relating to minors, please contact us so that we may delete it.
Incidents and security breaches
We are not infallible. As part of our proactive responsibility, we adopt all reasonably necessary technical and organizational security measures to secure your information. However, the internet and the world of electronic communications are cyber-risk environments, and a human or computer coding error, or simply an attack, unauthorized access, theft or unauthorized disclosure, whether or not sought or caused by hackers, may cause incidents and security breaches.
In such cases, you should know that we are obliged to keep an incident record in which we record the place, date and time the incident was detected, the type of attack, its origin, what the security breach consists of and which systems, data and equipment have been affected. We are obliged to resolve incidents and security breaches and to record the solutions implemented in the register.
If the incidents constitute a security breach that puts your rights and freedoms at risk, affects your sensitive or special-category personal data, may facilitate identity theft, or entail a risk of fraud, reputational damage or loss of confidentiality of your specially protected data, we are obliged to notify the Supervisory Authorities. If this occurs, we will notify them within the legal period of the nature of the security breach, the affected data subjects, the data and categories of data affected, the security measures implemented to resolve the incident and the measures adopted to reduce risks for those affected. However, if the data affected by the security breach were encrypted or if we reasonably conclude that there is no risk, we will not have this notification obligation. Nor will we have it if we make a public communication warning those affected so that they may adopt their own preventive measures.
Social media
We use social media:
Facebook, a social network of Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. The main page is https://www.facebook.com/ and its privacy policy can be read at https://www.facebook.com/privacy/explanation. Contact telephone: +1 (650) 543-4800. Meta Platforms Ireland Limited has its registered office at 4 Grand Canal Square, Grand Canal Harbour, Dublin, Ireland.
Instagram, a social network of Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. The main page is https://www.facebook.com/ and its privacy policy can be read at https://www.facebook.com/privacy/explanation. Contact telephone: +1 (650) 543-4800. Meta Platforms Ireland Limited has its registered office at 4 Grand Canal Square, Grand Canal Harbour, Dublin, Ireland.
WhatsApp, a social network of Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. The main page is https://www.facebook.com/ and its privacy policy can be read at https://www.facebook.com/privacy/explanation. Contact telephone: +1 (650) 543-4800. Meta Platforms Ireland Limited has its registered office at 4 Grand Canal Square, Grand Canal Harbour, Dublin, Ireland.
YouTube, a social network/video platform of the Google/Alphabet group. Service provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. In the EEA and Switzerland, legal contact is also channelled through Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Legal support email: legal@support.youtube.com. Contact form: https://support.google.com/youtube/answer/6154232?hl=en. Google/YouTube Privacy Policy: https://policies.google.com/privacy?hl=en
TikTok, a short-video social network of the ByteDance group. In Europe/EEA, the service is provided through the applicable entities indicated in its terms and privacy policy; representative/contact entity in Europe according to the country and contracted service. Privacy form: https://www.tiktok.com/legal/report/privacy. Privacy Policy: https://www.tiktok.com/legal/page/row/privacy-policy/en. EEA Terms: https://www.tiktok.com/legal/page/eea/terms-of-service/en
The legal basis is contractual relationships and express consent with the Social Network. You share your data voluntarily and publicly, or through your guardian or legal representative, on our social network account or in public and visible media, audiovisual networks and channels, and through data voluntarily shared by means of forms, surveys and competitions organized by our organization, employees, commercial representatives or marketing agencies.
The data you share will be recorded and stored by the social network and will identify you, your browser, computer and related devices. All the information you share may be captured by third parties, and SOCIAL NETWORKS will process it for advertising profiling and segmentation, combining it with their own or third-party databases to create new databases of potential customers profiled for the sale or offer of segmented products and services. Your personal data may be transferred internationally. SOCIAL NETWORKS may also monitor your activity while you remain on their network.
Processing by SOCIAL NETWORKS is especially invasive. They carry out: 1) TRACKING, the tracking and monitoring of natural persons, their IPs, geolocation, actions, etc.; 2) PROFILING, segmentation or profiling for personalized and behavioral advertising; 3) BEHAVIOURAL ALGORITHMS, data processing with behavioral, segmentation and profiling algorithms; 4) USE OF ARTIFICIAL INTELLIGENCE, for reading, storing and extracting data for subsequent profiling, segmentation and behavioral analysis; 5) MASS PROCESSING, mass data processing; 6) BIG DATA, analysis, extraction and application of behavioral and statistical algorithms to large databases; and 7) INTERNATIONAL TRANSFERS.
This is a HIGH-RISK DATA environment, with DIFFICULTY OF DESTRUCTION.
In our sections, we will process your data to answer and handle queries, requests, suggestions and comments; manage company social media; create a community of people; promote our products and services; carry out affiliation and membership programmes; provide offers and discounts; extract information from social media for user segmentation and profiling for marketing; discover trends; carry out actions and measurements of our branding and reputation level; and provide users with value from our brand, services or products.
The security level of the social network is high, as they have established access control and passwords, cloud storage in a secure environment, restoration or backup systems, information security systems and firewalls, and activated intrusion detection.
The data subject may exercise the rights of access, rectification, erasure, objection, restriction and portability, without limitation or exception. In addition, the data subject may withdraw the consent given at any time and directly delete the information provided to the social network. You may also object to the automated processing of your data.
Contact us if you have any questions
We have made every effort to keep our explanations brief and easy to understand. However, if the user wants additional information or has any question or concern about our information security and data protection practices, please contact us.