PRIVACY AND COOKIES POLICY

Through this Privacy and Cookie Policy, MUSY  aims to demonstrate its compliance commitment  and to meet the data protection requirements  imposed  by the European Union Regulation 2016/679, relative to the protection of natural persons with regard to the processing of personal data and the free movement of such data (the "General Data Protection Regulation"), as well as the Organic Law 3/2018 on the Protection of Personal Data and guarantee of digital rights (the "LOPD") and the Law 34/2002 on information society services and electronic commerce (the "LSSICE").

MUSY undertakes to keep this Privacy and Cookie Policy up to date, depending on the changes that occur in both the legal system and the business reality of the Responsible.

This Privacy and Cookie Policy is an integral and inseparable part of the Legal Notice, available on the Portal.

1. ​Responsible for the treatment

The controller of your personal data, that is, the subject who will determine the purposes and means for the processing of your personal data, is MUSY SOCIEDAD COOPERATIVA ANDALUZA  (MUSY S. COOP. AND.), with address at Calle Mosquera 11, 3B, 29008 Málaga and N.I.F. F01781947. From now on, "MUSY" or the "Responsible".

To contact the Responsible regarding the protection of your personal data, you can do so through the email address of contact@musy-art.com

2. Purpose of treatment

The personal data of the data subject will be processed exclusively for the following purposes: (1) the management of the commercial relationship that exists or that may exist with MUSY or with a third party through MUSY; (2) sending information or advertising about MUSY products or services, including possible promotions, event invitations, collaborations, training or alike; and (3) compliance with legal obligations of any kind concerning the Responsible.

In the event that the Data Responsible should  process the personal data of the data subject for a purpose not indicated in this Privacy and Cookies Policy, the Responsible will provide the data subject with any information required by the data protection regulations prior to that processing.

MUSY will retain the personal data of the data subject for as long as the relationship between MUSY and the interested parties is in force, as well as for an additional period of five years from the end of the relationship between MUSY and the interested parties. This five-year period corresponds to the period referred to in Article 1.964 of the Civil Code, applicable in matters of contractual liability. Personal data may be kept for different periods of time if required by a regulatory provision. The data subject retains the right of deletion, which he/she may exercise in accordance with the provisions of the GDPR, the LOPD and this Privacy and Cookie Policy.

Please note that certain personal data will require a minimum retention period depending on different time limits set by various rules of legal matter. For clarity, follows an illustrative table:

Finality     |     Legal deadline

Commercial accounting (Articles 25 et seq. of the Commercial Code) : 6 years

Statute of limitations in tax matters (Ley General Tributaria) : 4 years

Statute of limitations in matters of contractual liability (Civil Code) : 5 years

3. Legitimation

First, for the use of the data collection forms included in the Portal, it will be necessary to complete all the fields that are indicated as mandatory. If all the requested information is not indicated, the Responsible may be unable to properly manage the sent message.

The processing of personal data carried out by the Responsible can find its legitimacy in different bases, namely:

Purpose     |     Foundation of legitimation

Management of the business relationship with MUSY or with a third party through MUSY : Consent (by checking the mandatory acceptance box to make use of the contact form)

Need to process for the execution of a contract or for the application of pre-contractual measures : Sending advertising communications about MUSY products or services

Consent (by checking the mandatory acceptance box to make use of the corresponding contact form) : Only in cases where the regulation does not require consent, the processing need grounds from a legitimate interest of the Responsible

Compliance with legal obligations : Need for treatment to comply with a legal obligation

 

Here are some additional and/or clarifying notes on the foundations of legitimation:

(a) Consent

The following data processing is based on the consent of the data subject: the management of the commercial relationship with MUSY or with a third party through MUSY, and the sending of advertising communications about MUSY products or services.

The data subject will consent to the processing of his/her personal data by checking the acceptance box next to the data collection forms. Consent means a free, specific, informed and unequivocal will by which the data subject accepts the processing of his/her personal data, by means of a statement or a clear affirmative action.

Please note that, in the event of a different basis of legitimacy from the express consent of the holder of the personal data, the aforementioned different basis of legitimacy would be enough to justify the processing, without requiring consent, with the exception of the categories of special personal data in Article 9.1 of the General Data Protection Regulation.

(b) Need for processing for the execution of a contract or for the application of pre-contractual measures to which the data subject is a party

The processing of the personal data of the data subject will be necessary for the execution of a contractual relationship to which the data subject is a party. The nature and subject matter of the contract will depend on each particular case. In general, MUSY will intermediate between buyers and creators of works of art, generating between them a contractual relationship of sale or a contractual relationship of order and sale.

Treatment may also be necessary for the adoption of pre-contractual measures. For illustrative purposes: budgeting or managing prior consultations and negotiations.

(c) Need for treatment to comply with a legal obligation

It will be necessary to carry out certain processing of personal data in order for the Responsible to comply with the obligations of any kind imposed by the legal order. By way of example but not limited to, taxation or accounting obligations.

The Responsible, to the extent possible and within reason, has prepared the following table indicating which rules with the scope of law impose the legal obligations for which the processing of personal data is necessary:

Nature of obligations     |     Standard

Accounting : Trade Code

Taxation : General Tax Law; Corporation Tax Act; Value Added Tax Act

MUSY will update the above table in due course in the event that it has to take on new legal obligations, as well as in cases where it becomes apparent that it needs to comply with legal obligations that it had not foreseen. 

(d) Need for treatment to protect the vital interests of the data subject or another natural person

On the basis of legitimacy, data protection regulations are covered. In practice, however, it will be reserved for very specific, unforeseen or urgent treatments.

(e) Need for processing to satisfy the legitimate interests of the Responsible

Under no circumstances will processing be based on your need for the satisfaction of legitimate interests of the Responsible or a third party if the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail over such interests.

The processing of personal data may be necessary for direct marketing purposes, in particular the sending of commercial information or communications. The interest of the Responsible lies in keeping its customers or potential customers informed about the business activity of the Responsible and the offer of its products and / or services.

4. Recipients

MUSY acts as an intermediary between buyers and art creators. MUSY may communicate the personal data of buyers to creators and vice versa, within the territorial scope of the European Economic Area and with full respect for data protection regulations and this Privacy and Cookie Policy.

Where the author does not radiate in the European Economic Area but does in a country or territory declared of adequate level of protection by the European Commission, MUSY shall also transfer personal data. Countries or territories that have been declared adequately protected are:  Switzerland, Canada, Argentina, Guernsey, Isle of Man, Jersey, Faroe Islands, Andorra, Israel, Uruguay, New Zealand and Japan.

Where the author does not radiate in the European Economic Area or in a country or territory declared of adequate level of protection by the European Commission, MUSY shall proceed in accordance with Article 46.2(c) of the General Data Protection Regulation. In this scenario,  MUSY will only communicate a buyer's  personal data to an author where that author has been legally linked to MUSY through the "standard contractual clauses"  adopted by the Commission, and specifically, set out in the Commission Decision of 27 December 2004 amending Decision 2001/497/EC on the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries.

MUSY uses cloud storage services for data storage whose servers are located in the United States. In any case, the contractual relationship between MUSY and those responsible for such cloud storage services includes the "standard contractual clauses" adopted by the Commission to ensure that personal data are processed in accordance with the General Data Protection Regulation.

In connection with the provision of adequate guarantees through the "standard contractual clauses", the interested party may contact MUSY to, to the extent possible of MUSY and reasonably, obtain a copy or confirmation of the provision of such guarantees.

Considering that MUSY's catalogue of authors is extensive and subject to constant changes, it is not reasonably possible to determine in advance the identity of the recipients of transfers of personal data. Thus, the Responsible merely points out that the authors have only been considered as a category of recipients.

5. Rights

Natural persons holding personal data enjoy all the rights recognized in the data protection regulations, namely:

  1. Access: it is the right to receive confirmation as to whether your personal data is being processed, to be informed about the processing and to receive a copy of the data being processed.

  2. Rectification: it is the right to rectify those inaccurate data and to complete those incomplete data.

  3. Deletion: is the right to have the personal data held by the Responsible deleted, provided that certain circumstances are present.

  4. Opposition: it is the right to object to certain data processing, including direct marketing.

  5. Limitation of processing: is the right to limit the processing of personal data in certain circumstances: (a) the accuracy of personal data is challenged; (b) the processing is unlawful; (c) need for data for the approach or defence of claims; or (d) exercise of the right of opposition, while checking whether the Responsible has legitimate grounds prevailing over those of the data subject.

  6. Portability: is the right to receive your own personal data in a structured format of common use and mechanical reading, and to transmit it to another Responsible, provided that certain circumstances are present.

 

For the exercise of the aforementioned rights, the data subject must contact the Responsible through the email address contact@musy-art.com, having to provide a photocopy of his/her national identity document and specifying what right or rights   he/she  wishes to exercise and on what terms.

The data subject may revoke the consent given for the processing of his/her personal data at any time, for which he/she must contact the email address contact@musy-art.com, providing a photocopy of his/her national identity document and specifying in what terms he wishes to revoke the consent given.

In any case, and whenever the data subject deems it appropriate, the data subject may submit to the Spanish Data Protection Agency any complaints he deems relevant. For more information, the website of the Spanish Data Protection Agency is as follows:  https://www.aepd.es/es

Despite the possibility of contacting the Spanish Data Protection Agency, MUSY maintains a strong commitment to the protection of personal data, which is why it encourages the data subject to address prior to the email address contact@musy-art.com so that MUSY can offer a quick and friendly solution to any complaints and complaints that the interested party may have.

6. Origin

The personal data subject to processing will in any case be the case of the data subject, or, where appropriate, third parties to whom the data subject has communicated his/her personal data in order to be communicated to MUSY. The personal data communicated by third parties will be of an identifying nature.

7. Cookies

Cookies are data storage and retrieval devices on users' terminal equipment. Its use can respond to different purposes, depending on its typology:

  • Technical cookies: allow and facilitate the user's navigation.

  • Preference or personalization cookies: allow some customization of the website based on previous user experiences or stored information, for example, determining the language of the website or the appearance or content of the service according to the user's browser or region.

  • Analysis or measurement cookies: allow the Responsible to monitor and analyse user behaviour, including quantifying the impacts of advertisements.

  • Behavioural advertising cookies: they store data about the habits of users, by continuously observing browsing habits, thus allowing the advertising shown to the user to be more personalized.

 

What cookies does MUSY use?

In particular, MUSY uses its own and third-party cookies. These cookies are technical, to allow and optimize the user's navigation; analytics, to learn how users behave on the website.

MUSY has prepared a table of the cookies you use, including the approximate expiration period. MUSY will endeavours the updating and accuracy of the cookie table to the extent reasonable.

Name                     |     Domain           |     Purpose     |     Approximate expiry period

  • _wixCIDX                           |     .wix.com                           |     System monitoring and debugging     |     3 months

  • bSession                           |     es.musy-art.com          |     Measure system efficiency     |     30 minutes

  • XSRF-TOKEN                     |     www.musy-art.com     |     Contributes to the security of the website, preventing cross-site counterfeiting attacks     |     At the end of the browsing session

  • hs                                        |     www.musy-art.com     |     Security     |     At the end of the browsing session

  • ssr-caching                    |     www.musy-art.com     |     Used to indicate the system from which the site was played     |     1 minute

  • svSession                         |     www.musy-art.com     |     Used in connection with the user's login     |     2 years

  • consent-policy              |     wix.com                            |     Cookie banner parameters     |     12 months

  • TS011a6bb9                      |     es.musy-art.com          |     Application of security elements with database management on the accommodation servers     |     At the end of the browsing session

  • TS01e85bed                     |     es.musy-art.com          |     Application of security elements with database management on the accommodation servers      |     At the end of the browsing session

  • _wix_browser_sess     |     wix.com                            |     System monitoring and debugging     |     At the end of the browsing session

The information obtained through cookies is not expected to be transferred or transferred to countries not members of the European Union or to international organisations.

In any case, users enjoy the possibility to refuse cookies when they enter the Portal through the cookie banner. It is also possible to disable, block or delete cookies through the browser they use. The way to proceed is different depending on the browser, each of them offering the relevant instructions:

Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=es

Mozilla Firefox: https://support.mozilla.org/es/kb/habilitar-y-deshabilitar-cookies-sitios-web-rastrear-preferencias

Internet Explorer: https://support.microsoft.com/es-es/help/17442/windows-internet-explorer-delete-manage-cookies

Microsoft Edge: https://support.microsoft.com/es-es/help/4468242/microsoft-edge-browsing-data-and-privacy

Safari: https://support.apple.com/es-es/guide/safari/sfri11471/mac

In all that is not provided for in this section relating to cookies, the rest of the Privacy and Cookies Policy will apply.