Privacy Policy

By means of this Privacy Policy, Sigma Economistes (hereinafter, “we” or “SIGMA”) hereby informs you of the personal data that we collect through the services that we offer, as displayed on this Website, as well as how we process them, and the rights you may exercise regarding your personal data and our processing thereof under current data protection legislation.

Applicable legislation

1.Andorran Law 29/2021 of 28 October, known as the Qualified Personal Data Protection Law (hereinafter, the “LQPD”), and its implementing provisions, and

2.Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, commonly known as the General Data Protection Regulation (hereinafter, the “GDPR”).

In the following table you can find links to the different sections of interest of this policy. We do, however, recommend reading it in its entirety.

1.Who does this Privacy Policy apply to?

2.Who is the controller of your data?

3.How do we collect your personal data?

4.What do we use your data for and what is the lawful basis?

  • To begin and maintain the relationship with our suppliers
  • To begin and maintain the relationship with our clients
  • To ensure security via video surveillance
  • To select and hire our employees
  • To send updates and news about our sector (newsletters)
  • To answer your requests, queries and claims
  • To manage any potential claims
  • To guarantee the correct operation of our Website (functional cookies)
  • To extract aggregated statistics on how our Website is used (analytics cookies)
  • To show you more relevant advertisements (advertising cookies)
  • To enable the use of Google services
  • For other purposes that are not incompatible with the above-mentioned


5.Who can we share your personal data with?

6.How long do we store your personal data for?

7.What rights do you have?

  • Your rights
  • Where and how to exercise your rights
  • Forms for exercising your rights


8.What responsibilities do you have?

9.How do we protect your personal data?

10.Modifications to this Privacy Policy

 

1. Who does this Privacy Policy apply to?

This policy applies to visitors to this website (“our Website”), users of the services offered by SIGMA for the purposes described in section 4 of this policy (“the Services”), and to all people whose personal data may appear on our Website or in the context of the Services (such as their images, for example).

2.Who is the controller of your data?

The sole person responsible for using your personal data, as indicated in section 4, is the owner of this Website:

SIGMA Saboya Assessors S.A. (SIGMA), with TRN A-708636-B and headquarters at carrer Prat de la Creu, 8, office 403, AD500, Andorra la Vella (Principality of Andorra).

You may contact our Data Protection Officer by sending an email to dpdextern@win2win.ad.

In addition, if you are located in the European Union, you will be interested to know that our data protection representative is the company COMPLIANCE GAP MITIGATION, with headquarters at calle Ferraz 28, 2n Esq. 28008 Madrid (Spain), who you can contact by calling (+34) 917589441 or (+34) 915482701, or (preferably) by sending an email to alfaquest@compliancegapmitigation.com

SIGMA is not responsible for the actions taken or activity found on other websites, even if they can be accessed via links found on our Website. Therefore, we strongly recommend that you carefully read the information that these other data controllers provide before giving them your personal data (especially the privacy and cookies policies of each of the websites you visit), and that you contact the corresponding data controller if you have any doubts or questions.

3.How do we collect your personal data?

Generally speaking, you provide us with your personal data directly and freely, such as by entering data in the forms found on our Website. The only exceptions to this rule are:

  • Your image, which may be recorded by our video surveillance cameras or our presence detectors;
  • The data provided to us by third parties who request our services on your behalf (as a beneficiary);
  • The contact data provided to us by our service and product suppliers when you represent them;
  • The last four digits of your credit card number which, together with the total purchase cost and the operation number, is sent to us by our payment service provider in the event we need to consult or cancel the operation;
  • Photographs of the events that we organize or in which we participate, and in which you may appear;
  • Images contained in news stories, where we deem that the public interest and the right to information prevail over the possible interests of the people whose image or other personal data are published on our Website;
  • Your personal data which may appear in the emails we receive; and
  • This Website’s cookies, about which you can find more information in our cookies policy.


4.What do we use your data for and what is the lawful basis?

To begin and maintain the relationship with our suppliers

If you represent a product or service provider, we collect your contact details and your signature in order to:

a) Manage all kinds of relationships with the provider that you represent.

b) Manage thecorresponding record in our list of authorized providers.

c) Manage quotations and invoices from the provider that your represent.

Processing activities linked to purposes ‎a) and ‎b) are made lawful by the employment or service agreement signed with the provider that you represent and our legitimate interest in contacting said provider. Processing activities linked to purpose ‎c) are lawful given that they are necessary for the execution of the agreements that you have entered into with us.

To begin and maintain the relationship with our clients

We collect your data that you give us directly, either orally or in writing, or via a third party that you either represent or of which you are a beneficiary, when you contract a service or product for the purpose of managing said contracting.

In addition, we inform you that, as a result of this contractual relationship, we can communicate to you, either orally or in writing, commercial information related to the products or services that you have contracted with us.

The processing of these data is made lawful given that it is necessary for the execution of the service or product agreement in which you act as a party, and by our legitimate interest in keeping you up to date with regards to the products or services that you have acquired.

To ensure security via video surveillance

We collect your image via our video surveillance systems for the purpose of ensuring the security of the people and goods at our facilities, and that of the facilities themselves.

The lawful basis for this processing is the public interest in public safety, our legitimate interest in the safety of our establishment, and the legitimate interest of third parties who request recordings for the legal action relating to a crime that may have been committed and recorded by our systems.

To select and hire our employees

We process the data contained in the CVs that you voluntarily send to us in order to manage the process of your application to a job vacancy at SIGMA, with this including the searching, filtering and storing of the CVs of potential candidates; the employee selection process; and the hiring process.

The lawful basis for said processing is your consent, which you duly give by sending us your CV, undertaking pre-contractual steps and – if at that moment we receive your CV we do not have an open selection process, or you are not hired during this initial process but we believe that you may be suitable for inclusion in future selection processes – our legitimate interest in storing your CV for the purpose of including it in said future processes. You may withdraw your consent or oppose our legitimate interest in the way indicated in section 7 of this policy and, if you do, your CV will be destroyed (if you withdraw your consent) or it will only be stored for the purpose of the selection process for which it was sent to us.

To send updates and news about our sector (newsletters)

We collect your email address when you subscribe to our bulletin so that we can send you updates and news related to our services and sector.

The lawful basis for this processing is your consent, which you may withdraw at any moment by exercising your right as detailed below, or by accessing the link contained at the bottom of each email. The only consequence of withdrawing your consent is that you will no longer receive the information that we send via email.

To answer your requests, queries and claims

We collect the personal data that you provide us in your emails, over the telephone, in the form on our contact page, or in any requests to exercise your rights for the purpose of answering your requests, queries and claims regarding our services or the rights you have regarding your personal data.

The lawful basis for this processing is the consent that you provide by sending or giving us these data, our legal obligation to answer requests about your rights and our legitimate interest to answer you. Therefore, your data are provided to us voluntarily, although if you do not provide us with them, we will not be able to answer your request, query or claim. You may withdraw your consent at any moment; however, this will make it impossible for us to proceed with your request, query or claim.

To manage any potential claims

We store all data necessary to manage any claims that you, or we, may make regarding our legitimate interest in defending ourselves and to safeguard our rights.

To guarantee the correct operation of our Website (functional cookies)

We use functional cookies to collect, store, consult and process personal information (linked to you by means of a unique identifier or your IP address) from your device’s browser in order to guarantee the correct operation of our Website.

As these cookies are necessary for the correct operation of our Website, we do not require your express consent to use them, and the lawful basis for their use is our legitimate interest in offering you the services found on our Website.

For more information on these cookies, please consult our cookies policy.

To extract aggregated statistics on how our Website is used (analytics cookies)

We use analytics or statistics cookies to identify the pages that are visited the most and least, to analyze the content that is of greatest interest to our visitors, and to measure the success of our information campaigns, all with the goal of improving the services that we offer you on our Website. All of these purposes provide us with aggregate results, meaning that is impossible for us to use them to individually identify any person.

As they are analytics cookies, we will not use them without your consent, and not giving us your consent, or withdrawing it, will make it more difficult for us to improve our Website by analyzing aggregate statistics on the browsing habits of our visitors.

For more information on these cookies, please consult our cookies policy.

To show you more relevant advertisements (advertising cookies)

We install third-party advertising cookies on the browser you use. These files help us find out what your interests are based on the pages that you visit, the content that you click on, and other actions that you perform online.

As these cookies are not necessary, we will not use them without your consent, and not giving us your content, or withdrawing it, will make it impossible for us to use your browsing habits to improve the relevance of the advertisements that you see.

For more information on these cookies, please consult our cookies policy.

To enable the use of Google services

In addition, under obligation to Google LLC, of which Google Ireland Ltd is a subsidiary, all entities that use the Google Analytics and Google Ads tools, such as us, are compelled to inform you that these two services are operated by Google Inc., with headquarters at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and that Google Inc. is a beneficiary of these services.

The information generated by cookies on your use of this Website and your advertising preferences are in general sent to a Google server in the USA, where it is stored. For more information, consult the page which details how Google uses the information from our Website and/or Google’s privacy policy regarding the aforementioned services.

We inform you that we have activated the IP anonymization option in the Google service in order to provide additional safeguards in our contractual clauses to protect international data transfers to the USA. As such, Google will mask your IP address before sending it to the USA (data obfuscation). Only in exceptional cases will your full IP address be sent to a Google server in the USA for it to be shortened there. Google ensures that the IP address sent by your browser to Google Analytics will not be processed alongside any other piece of data that Google may have.

You can consult the different categories of personal data that are processed by these services by visiting https://business.safety.google/adsservices/.

For other purposes that are not incompatible with the above-mentioned

We may use your personal data for other purposes that are not incompatible with the above-mentioned (such as storing them for reasons of public interest, scientific or historic research, or for statistical purposes) provided that we are permitted to do so under current personal data protection legislation and, of course, acting at all times in accordance with this and all other applicable legislation.

5.Who can we share your personal data with?

We will not transfer your personal data to any third parties, except when:

  • You request that we do so.
  • We are legally obliged to do so.
  • You contract our products or services through an intermediary (such as your advisor or representative) to whom we must deliver products or services acquired in your name, whether because you have provided your consent or because you have explicitly contracted us.
  • We continue to have a joint responsibility for the data collection because, always with your consent, other entities are processing the data. This is the case with: o Google Ireland Ltd, with headquarters at Gordon House 4, Barrow – Dublin, Ireland, to whom we have subcontracted the processing of data gathered by cookies that are necessary to use the reCAPTCHA, Analytics and Ads services. Google Ireland Ltd is solely responsible for all processing activities it performs on your behalf, in accordance with its privacy policy. We transfer data to Google Ireland Ltd under the data protection agreement that this EU-based company includes in the addendum to the standard contract for countries covered by the GDPR, as is the case with Andorra, in which we provide additional safeguards by anonymizing the IP addresses of the data collected by these cookies. Consult our cookies policy to see which analytics and advertising cookies we use and how to configure them.
  • We need to protect your rights, our own, those of our employees or those of third parties (which may require that the data be transfered to the police for reasons of security, or to the health authorities to prevent the spreading of diseases by tracing contacts, for example). For example: o If our video surveillance cameras record a theft at our installations, or o If a third party requests our video surveillance images on the basis of their legitimate interest in starting legal action for a crime or seeking compensation for damages and losses resulting from the images in question, and with the third party undertaking to only use these images to report the crime or demand compensation for the damages and losses suffered. In these cases, the images given shall only be those that are strictly necessary for the given purpose.
  • We need our service providers to process them on our behalf and under the terms and conditions of the corresponding data processing agreement.


Any international transfer that is required must comply with the applicable legislation that is in force at any time.

6.How long do we store your personal data for?

SIGMA shall only store your personal data for as long as required for the processing activity and, after which, for as long as necessary to meet all legal requirements applicable at all times that derive from the processing (including the obligation to prove that we have complied with your request to destroy the personal data that we have on you).

For example, we store our video surveillance recordings for a maximum of 30 days when there are no incidents and, in the exceptional case that there has been a security incident or any indication of a crime during this time (such as a theft), we make a copy of the part of the recording in which there is an incident and store it until it is sent to the police or to the person involved who requires the recording for their legal dispute.

We destroy your CV after five years due it being outdated and no longer relevant for the purpose for which it was collected.

When we do not have a lawful purpose for processing any of your personal data, we either delete or anonymize them or, if this is not possible (such as when backup copies have been made), we store them securely and block access them to prevent them from being used in any subsequent processing activity until they are erased.

7.What rights do you have?

You have the right to receive confirmation of whether or not we have a certain piece of data on you.

We remind you that, when we share personal data with other data controllers, you must exercise your rights with these controllers by following the instructions they provide in their own privacy policies. In particular, regarding the data that our cookies share with Google, we inform you that you may install an add-on to your browser – whether Chrome, Internet Explorer, Safari, Firefox or Opera – that prevents your Google Analytics or Google Ads data from being sent to Google Inc.

Below we explain what rights you have and how you can exercise them.

Your rights

You may send us a request to exercise the following rights:

  • Access to your personal data.
  • Rectification of your personal data, specifying the motive.
  • Erasure of some or all of your personal data.
  • Restriction of the processing of your data, specifying the motive for the restriction.
  • Opposition to the processing of your data.
  • Portability of your data when the lawful basis of the collection is consent or an agreement.
  • Not to be subject to automated decision-making.


Where and how to exercise your rights

You may exercise your rights:

  1. By sending a written request to SIGMA at the postal address indicated in section ‎2 of this policy, specifying a contact method for us to respond to your request or to ask you for more information, if necessary. Please state “Exercise of Personal Data Protection Rights” on the envelope.
  2. By sending the form corresponding to the right that you wish to exercise to dpdextern@win2win.ad, making sure to write “Exercise of Personal Data Protection Rights” in the subject line. These forms are included below in this section of the Privacy Policy.


In either case, if we are unable to prove that you are who you say you are, we may request that you send us proof of your identity, as such guaranteeing that we are only interacting with the data subject or their legal representative.

Likewise, and particularly if you are not satisfied with how we attended to your request to exercise your rights, we inform you that you may file a complaint with your country’s national data protection authority, or even contact the Data Protection Agency of Andorra (APDA).

Forms for exercising your rights

In order to facilitate the exercise of your rights, we recommend using the corresponding request form below:

  • Form for exercising the right to access
  • Form for exercising the right to rectification
  • Form for exercising the right to object (form A and form B)
  • Form for exercising the right to erasure
  • Form for exercising the right to restrict processing
  • Form for exercising the right to data portability
  • Form for exercising the right not to be subject to automated decision-making


8.What responsibilities do you have?

By providing us with your data, you guarantee that they are accurate and complete. Likewise, you confirm that the data you have sent us are truthful and that you will update them so that they reflect the true situation at all times. In addition, you accept liability for any false or inexact data that you may provide us, as well as any damages or losses, whether direct or indirect, that may arise as a result of this inaccuracy.

You may not provide us with the personal data of any other persons, except if required for the services you request from us. In any case, if you provide us with personal data belonging to a third party, it shall be your responsibility to inform that person of this prior to providing us with their personal data. You must make the third party whose data you are providing us with aware of all of the provisions of our Privacy Policy, and you shall be solely responsible for the lawfulness of their personal data and for informing them of the rights that may exercise in relation to their personal data.

In the event that you are required to provide us with the personal data of a person under the age of 16 or a person with limited rights, by doing so you declare that you have been authorized to do so by the data owners or that you have legal custody over them. Without this authorization, it is strictly forbidden to provide us with these people’s personal data.

9.How do we protect your personal data?

We are fully committed to protecting your privacy and your personal data. We keep a record of all personal data processing activities that we undertake, we have analyzed the risk that each of these activities poses, and we have implemented sufficient legal, technical and organizational safeguards to prevent, to the greatest extent possible, alterations being made to your personal data, their incorrect use, loss, theft, unauthorized access and unauthorized processing. We duly keep our policies updated so as to ensure that we provide you with all the information that we have on the processing of your personal data, and to guarantee that our employees receive the proper guidelines for how to process your personal data. We have signed data protection clauses and processing agreements with all of our service providers, and we are at their full disposition for any questions regarding the processing of personal data.

We restrict access to personal data to those employees who need to do so in order to perform one of the processing activities detailed in this policy, and we have trained them in and made them aware of the importance of confidentiality and maintaining the integrity and availability of the information, as well as the disciplinary measures that would apply in the case of any breach in this regard.

10.Modifications to this Privacy Policy

We update this policy whenever necessary to reflect any changes that may be made to legislation or our processing activities. If these changes are considerable, we will inform you before they enter into force by sending you a notification or publishing an easy-to-see notice on our Website, and you will have the option of exercising your rights as described in the previous section. In any case, we recommend that you periodically check this Privacy Policy to see how we are protecting your personal data.

If you have any questions about this policy, you can send us an email to dpdextern@win2win.ad.

Last update: 30 November 2022