Privacy Policy
1.- INTRODUCTION
1.1 – Purpose
The purpose of this policy is to define the commitment undertaken by RUNESCO DISTRIBUCIÓN, S.L. (hereinafter, “HÄMTA KRAFT”), with Tax Identification Number (C.I.F.) B84364694 and registered office at C/Los Carpinteros 5, Nave 2, 28200 San Lorenzo de El Escorial, Madrid, in relation to the processing of personal data in the performance of its duties, and to establish the framework in which said commitment is developed.
1.2 – Scope of application
This policy applies to all professionals within the organisational structure of HÄMTA KRAFT who hold positions or are personnel of HÄMTA KRAFT with access to information for which HÄMTA KRAFT is the data controller. It may also be extended, in accordance with data processing agreements signed for such purposes, to any other entity affiliated with HÄMTA KRAFT, whether regular or occasional collaborators, whose actions could, in any way, affect the responsibility or reputation of HÄMTA KRAFT.
1.3 – Applicable regulations
This document is based on compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), as well as the applicable national data protection laws.
The regulatory framework applicable to the matter, which persons subject to this Policy must be aware of in addition to the aforementioned GDPR, is determined by:
- Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD).
- Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE).
- Royal Decree 311/2022, of 3 May, which regulates the National Security Framework in the area of Electronic Administration.
1.4 – Data processing and information security principles
HÄMTA KRAFT, its organisational structure, and personnel shall process information and personal data under its responsibility in accordance with the following data protection and information security principles:
- Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Legal basis for processing: Personal data shall only be processed where such processing is supported by one of the legal bases established in Articles 6 and 9 of the GDPR.
- Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes.
- Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Anyone involved in the processing of data shall be subject to a duty of confidentiality, even after the processing has ended.
- Accountability: HÄMTA KRAFT and its structure shall be responsible for compliance with the above principles and shall adopt the necessary technical and organisational measures to be able to demonstrate such compliance.
- Rights of data subjects: Organisational measures shall be implemented to ensure that data subjects can effectively exercise their rights of access, rectification, erasure, restriction of processing, objection, and data portability, where applicable.
- Strategic integration: Data protection and information security shall receive the full commitment and support of all organisational and management levels, ensuring alignment and integration with HÄMTA KRAFT’s broader strategic initiatives.
- Differentiated responsibility: In information systems under the responsibility of HÄMTA KRAFT, the principle of differentiated responsibility shall be observed, clearly defining the various responsibilities and roles.
- Comprehensive security: Security shall aim to preserve the confidentiality, integrity and availability of information, and may also cover other properties such as authenticity, accountability, reliability and non-repudiation. Security shall be understood as a comprehensive process encompassing all technical, human, material and organisational components related to the system, avoiding, except in cases of urgency or necessity, isolated or reactive actions.
- Risk management: Risk management refers to the coordinated activities carried out by HÄMTA KRAFT to direct and control risk, understood as the effect of uncertainty on the achievement of objectives, which, under the GDPR, means protecting the rights and freedoms of data subjects. Risk analysis and management are essential parts of HÄMTA KRAFT’s data protection and information security processes and enable the organisation to maintain a controlled environment, reducing risks to acceptable levels. This reduction shall be achieved through the implementation of security measures that strike a balance between the nature of the data and processing activities, the impact and likelihood of risks, and the effectiveness and cost of the measures. In evaluating risks, HÄMTA KRAFT shall take into account those risks that may affect individuals’ rights in relation to their personal data.
- Proportionality: HÄMTA KRAFT shall implement protection, detection and recovery measures proportional to the potential risks and the criticality and value of the information, the data processing activities, and the affected services.
- Verification process: HÄMTA KRAFT shall establish a process for regular verification, evaluation, and assessment of the effectiveness of the technical and organisational measures implemented to ensure the security of data processing.
2.- OBLIGATION TO KNOW AND COMPLY
All professionals at HÄMTA KRAFT must be familiar with this Policy and act in accordance with the principles and behaviours defined herein, reporting to their immediate supervisor or the Compliance Department within the General Secretariat any doubt regarding compliance or any indication of conduct contrary to it.
This Policy, as well as any subsequent procedures that may derive from it, shall be permanently updated and available on the Intranet for consultation whenever needed.
All managers shall be responsible for ensuring compliance with this Policy within their respective areas, promoting its implementation, addressing queries or concerns raised by professionals, and establishing mechanisms to ensure its enforcement, with the support and guidance of the Compliance Department.
Any questions related to information security or data protection may be addressed to the Information Security Officer, who may in turn consult the Data Protection Officer.
Failure to comply with the rules contained in this Policy shall be subject to the disciplinary and sanctioning authority of HÄMTA KRAFT, pursuant to the principles and rules set forth in the applicable legislation. Accordingly, any significant doubts shall be referred to the Information Security Officer, and any breaches must be reported to HÄMTA KRAFT’s Compliance Officer. All handling of queries and breaches shall be conducted strictly in accordance with the principles of independence and confidentiality.
3.- WRITTEN CONFIDENTIALITY COMMITMENT
Within the framework of the employment relationship, HÄMTA KRAFT employees shall expressly undertake, in a document they will sign, to:
- Not disclose to any person outside HÄMTA KRAFT, without its consent, any information accessed during the performance of their duties, except where necessary to comply with their own or the organisation’s legal or regulatory obligations, or when required by a competent authority in accordance with the law.
- Use the information referred to in the previous point solely as required for the performance of their duties at HÄMTA KRAFT, and not for any other purpose or in any other manner. Copying or sending any information obtained or generated as a result of their work for purposes other than those of HÄMTA KRAFT is strictly prohibited.
- Not use in any way any other information acquired by virtue of their status as an employee of HÄMTA KRAFT if it is not required for the performance of their job duties.
- Comply, in the performance of their duties at HÄMTA KRAFT, with current national and EU regulations regarding the protection of personal data, particularly Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD), together with any supplementary or replacement regulations in force.
- Abide by HÄMTA KRAFT’s Information Security Policies and systems, including email and other communication systems, and follow any procedures established and communicated by the company’s management.
- Refrain from using HÄMTA KRAFT’s information systems and equipment for personal purposes in a way that interferes with their own work, the work of other employees, or the functioning of the company.
- When browsing the internet, take appropriate precautions when downloading files, ensuring beforehand the reliability or trustworthiness of the source website.
- Comply with the above commitments even after the termination, for any reason, of their relationship with HÄMTA KRAFT.
4.- USE OF HÄMTA KRAFT’S DIGITAL RESOURCES BY EMPLOYEES
Employees must comply with all information security and acceptable use policies or guidelines relating to HÄMTA KRAFT’s systems, email, and other communication tools, as established and communicated by the company’s management. They must not use HÄMTA KRAFT’s systems and digital resources for personal purposes in a way that interferes with their work, that of others, or the company’s operations.
Employees are informed that access to non-work-related websites is prohibited, including but not limited to chat sites, non-professional social networks, games, gambling, travel, online shopping, trading platforms, illegal content, or pornography. It is also expressly forbidden to distribute or download illegal material, infringe intellectual or industrial property rights, or use, copy, or transmit software or materials protected by copyright unlawfully.
When browsing the internet, employees must exercise appropriate caution before downloading files and must verify the trustworthiness of the website.
HÄMTA KRAFT may access digital resources provided to employees in order to monitor compliance with employment obligations and to ensure the integrity of those systems.
Accordingly, no employee of HÄMTA KRAFT should expect that their communications through or usage of HÄMTA KRAFT’s IT systems will be confidential or private, as they are subject to monitoring by the employer.
Employees will be informed that HÄMTA KRAFT’s IT equipment and systems may include tools that analyse inbound and outbound internet traffic and allow or block it according to rules defined by system administrators.
5.- EMPLOYEE HANDBOOK
The fundamental principles and obligations of employees will be included in a document called the Data Protection Employee Handbook, which shall be distributed to employees periodically and updated as needed.
6.- INFORMATION SECURITY POLICY
Information security is governed by HÄMTA KRAFT’s Information Security Policy, aligned with the security measures set forth in the National Security Framework (National Security Scheme) and a series of supporting documents, procedures, and implementation measures (Security Standards; Security Procedures; Authorisation Processes; Operational and Protection Framework Security Measures), all of which must be understood by those responsible for their application.
System security shall be managed, reviewed, and audited by qualified personnel with appropriate training for all stages of the systems’ lifecycle: installation, maintenance, incident management, and decommissioning.
HÄMTA KRAFT personnel shall receive specific training to ensure the security of IT systems applicable to HÄMTA KRAFT’s platforms and services.
7.- DATA PROTECTION DOCUMENTATION SYSTEM
HÄMTA KRAFT’s Data Protection Documentation System comprises an organised collection of documents related to the protection of personal data created by the company, both as data controller and data processor, in compliance with the GDPR, national legislation, and any future regulatory developments.
As a data controller and data processor, HÄMTA KRAFT is responsible for complying with the principles and obligations of the GDPR and the LOPDGDD, and must be able to demonstrate such compliance in accordance with the principle of accountability (proactive responsibility).
The purpose of the Data Protection Documentation System is to provide evidence of compliance with the GDPR and LOPDGDD. The system is managed by the Management Control Department and the Information Security Officer.
8.- PROCESSING OF PERSONAL DATA
8.1 – Definition
“Personal data” means any information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number (e.g., national ID, social security number), location data (e.g., home address), an online identifier (e.g., email address), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person (e.g., biometric data).
Hereinafter referred to as “Personal Data.”
Examples of Personal Data include full name, national ID or passport number, professional or personal address, nationality, profession, financial data, health information, genetic or biometric data of an identified or identifiable natural person.
8.2 – Scope
The rules apply exclusively to natural persons, as the relevant legislation does not apply to data related to legal entities.
8.3 – Data Format
The format in which personal data is presented is irrelevant for classification as personal data. It may be digital/electronic (Excel, Word, Access, PowerPoint, application, audio or video files, etc.) or physical (paper documents, photographs, etc.).
The applicable security measures shall vary depending on the format in which the personal data are stored.
8.4 – Record of Processing Activities – Use of Data
HÄMTA KRAFT shall maintain an up-to-date Record of Processing Activities (RPA) involving personal data for which it is the data controller, including all the information required under Article 30 of the GDPR.
The purposes that legitimise the processing of personal data are those set out in each of the processing activities listed in the RPA.
This record will be continuously updated and may be consulted via HÄMTA KRAFT’s website, in accordance with the provisions of the LOPDGDD.
Any doubts regarding the purposes of processing shall be referred to the Information Security Officer or the Data Protection Officer, where applicable.
Personal data must be adequate, relevant, and not excessive in relation to the purposes for which they are collected.
No more data than necessary shall be collected, nor shall the data be used for purposes other than or incompatible with those for which they were originally collected.
8.5 – Legal Basis for Data Processing. Data Collection. Obtaining Consent
Processing is considered to be any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Personal Data are considered to be under processing from the moment they are accessed or made available for viewing—even if only potentially accessible. Thus, the mere possibility of access constitutes processing.
The legal basis for data processing shall be grounded in one of the legitimate bases set out in Articles 6 and 9 of the GDPR.
Each specific legal basis for HÄMTA KRAFT’s processing activities is detailed in the Record of Processing Activities.
HÄMTA KRAFT shall not collect personal data without the data subject’s knowledge. Data submission through forms shall be voluntary and duly announced, with appropriate layered privacy notices (first and second layer). These layers will follow the format and content established in the Guidelines on the Duty to Inform (2018) published by the Spanish Data Protection Authority (AEPD).
Whenever data are collected, the first-layer notice shall be provided in writing or, in the case of telephone collection, by voice. It shall include a table format with the headings: “Controller,” “Purpose,” “Legal Basis,” “Disclosures/Recipients,” and “Rights,” with contact via the email address: protecciondedatos@noxdata.es. The heading “Source” will be added when the data are not provided directly by the data subject. The version date of the clause shall also be included, along with a link or reference to extended information (+info), and the corresponding entry in the Record of Processing Activities.
Any personal data collected directly from the data subject through informed consent shall be incorporated into the relevant processing activity for which HÄMTA KRAFT is responsible.
Where processing is based on consent, HÄMTA KRAFT shall use the methods established in its internal Procedures for Obtaining and Retaining Consent, which are part of its Personal Data Protection Documentation System. The systems used in each case shall be identified by processing activity, and appropriate records shall be kept of the consent obtained, the data provided, and the information clauses shown.
8.6 – Form of Access
Personal Data are considered to be under processing regardless of the form in which access occurs (digital/electronic or physical format). In all cases, the appropriate procedure must be followed.
Similarly, processing is deemed to occur when such data are entered into HÄMTA KRAFT’s IT systems or physical facilities.
8.7 – Security Level
HÄMTA KRAFT employees must be aware of and apply the security measures specified in the National Security Framework and as documented in the Record of Processing Activities and the Information Security Management System.
To learn more about security levels for personal data protection, employees should contact the Information Security Officer.
8.8 – Web and Internet Personal Data Processing and Privacy Policy
The Web and Internet Data Protection and Privacy Policy is part of HÄMTA KRAFT’s Personal Data Protection Documentation System and governs the processing of personal data via its website and online platforms, including cookie management.
This policy must be known by HÄMTA KRAFT staff and will be published on the company’s website for public awareness.
8.9 – Data Retention Period. Data Blocking
In accordance with data protection regulations, personal data shall be retained only for as long as necessary for the purposes for which they are processed. Retention periods or criteria for each processing activity are recorded in the Record of Processing Activities.
After this period, the data shall be duly blocked. Data blocking involves identifying and isolating the data, using technical and organisational measures to prevent their processing, including viewing, except when required for legal purposes by courts, public prosecutors, or competent public authorities (particularly data protection authorities) for the purpose of establishing possible legal liability.
Once the relevant limitation period has passed, the data shall be permanently deleted.
Blocked data may not be processed for any purpose other than those specified above.
For the deletion of personal data (other than auxiliary copies), HÄMTA KRAFT staff shall consult the Information Security Officer regarding the appropriate procedure.
8.10 – Data Recipients
Personal data may be disclosed or communicated to other recipients under the legal bases permitted by the GDPR.
All specific disclosures or communications for each activity are recorded in the Record of Processing Activities and must be reflected in the relevant information clauses and consent forms when consent is the legal basis for the processing.
8.11 – Data Subject Rights
The rights recognised under Articles 15 to 22 of the GDPR may be exercised directly by data subjects or through a legal or voluntary representative.
Parents or legal guardians may exercise these rights on behalf of children under fourteen years of age.
Any person has the right to obtain confirmation as to whether or not HÄMTA KRAFT is processing personal data concerning them.
Data subjects have the right to access their personal data, obtain a copy of them, update them, request rectification of inaccurate data, or request their erasure when the data are no longer necessary for the purposes for which they were collected.
In the situations covered by Article 18 GDPR, data subjects may request restriction of processing, in which case the data will only be retained by HÄMTA KRAFT for the exercise or defence of legal claims.
In the context of the right to erasure or objection to online processing, data subjects have the “right to be forgotten” as interpreted by the case law of the Court of Justice of the European Union.
Data subjects may object to the processing of their data for direct marketing purposes, including profiling. In particular, they may request that their data not be used for advertising or commercial prospecting.
Under the right to data portability, data subjects may obtain their personal data in a structured, commonly used, machine-readable format and transmit them to another controller.
All data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or significantly affects them, except under the exceptions set out in Article 22.1 of the GDPR. HÄMTA KRAFT does not engage in automated decision-making without human involvement.
Data subjects may request erasure of their personal data due to the disappearance of the purpose for processing, withdrawal of consent (when this is the legal basis), or for the other reasons set out in Article 17 of the GDPR. Final deletion will always be preceded by data blocking.
8.12 – Handling of Data Subject Rights
HÄMTA KRAFT has established a straightforward and personalised procedure for exercising data subject rights, accessible via the email address: protecciondedatos@noxdata.es, as defined in the internal Procedure for Handling the Exercise of Rights, which all HÄMTA KRAFT employees must know and follow.
Any request received by HÄMTA KRAFT through any channel shall be forwarded by staff to this email address. This rule shall be included in the Employee Data Protection Handbook.
Responses to data subject requests will be sent via email with read confirmation (if received by email) or by registered postal mail with acknowledgment of receipt (if received by other means), without undue delay and within one month at the latest.
HÄMTA KRAFT bears the burden of proof regarding compliance with this obligation and will retain copies of all responses and proof of delivery and receipt.
8.13 – Security Breach Management
The Security Breach Management Procedure, part of HÄMTA KRAFT’s Data Protection Documentation System, is established to ensure proper identification, recording, and resolution—with damage minimisation—of personal data breaches.
This procedure is governed by HÄMTA KRAFT’s Information Security Policy and its associated implementation documents, which address prevention, detection, and corrective measures to ensure that information security threats are avoided or mitigated.
The existence of this procedure shall be stated in the Employee Data Protection Policy and explained to all members of the organisation, who shall be trained on how to act in the event of a data breach and on their respective responsibilities.
9.- APPROVAL OF THE MODEL
9.1 – Ownership
The approval of this document is the responsibility of the company’s Management. The drafting and updating of the document falls under the responsibility of the Compliance Department.
9.2 – Interpretation
The interpretation of this document corresponds to the company’s Data Protection Officer.
9.3 – Validity and Review
This model shall enter into force on the date of its approval and publication. Its content shall be subject to periodic review, with any changes or modifications deemed appropriate being implemented.
10.- DOCUMENT VERSION CONTROL
| Version | File Name | Date |
|---|---|---|
| 1.0 | Privacy Policy | 30/05/2025 |
| 1.1 | Web Report | 30/05/2025 |