Privacy Policy

PRIVACY POLICY


Last updated: March 24, 2023


In compliance with Regulation 2016/679 of the European Parliament, as well as Organic Law 15/1999 on the Protection of Personal Data, we inform you of the following:

Your personal data is stored in an automated file, the responsibility of Manuel Martín Fernández, with registered address at C/Magnolia, 23 - CP08410 Vilanova del Vallés, for the purpose of informing you about our products and services, placing orders and managing the billing of the products and services contracted. You may exercise your rights of access, rectification, cancellation and opposition at the address of the person responsible for the file: info@mmcarpintero.com


CUSTOMER DATA PROCESSING

Data of the person responsible for the treatment:

Identity: Manuel Martin Fernandez

Postal address: Carrer Magnolia 23, 08410 Vilanova del Valles

Phone: 644515857 - Email: info@mmcarpintero.com


From now on with the brand name MMCarpintero


At MMCarpintero we process the information you provide us with in order to provide you with the requested service and invoice you. The data provided will be kept for as long as the business relationship is maintained or for the time necessary to comply with legal obligations and address any potential liabilities that may arise from the fulfillment of the purpose for which the data was collected. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain information about whether Manuel Martín Fernández is processing your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to its processing by writing to Manuel Martín Fernández, Carrer Magnolia 23, 08410 Vilanova del Valles or by emailing info@mmcarpintero.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national supervisory authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid.

We also request your authorization to offer you products and services related to those contracted and to retain you as a customer.

 

Contract Management Company responsible for managing billing with clients:

1. Purpose of the processing order

By means of these clauses, VILANOVA ASSESSORS 2005, SL, with address at Adreça PASSEIG DEL CENTENARI No. 45, Població VILANOVA DEL VALLÈS, Postal Code 08410, Province BARCELONA and NIF B66255605 is authorized as the data processor to process on behalf of Manuel Martín Fernández, as data controller, the personal data necessary to provide the service specified below.

The treatment will consist of administrative procedures.

2. Identification of the affected information

In order to carry out the services derived from the fulfilment of the purpose of this assignment, the entity Manuel Martín Fernández, as the data controller, makes the identification and banking data of its clients available to the entity VILANOVA ASSESSORS 2005, SL.

3. Duration

This agreement has a duration of 1 year, being automatically renewed unless decided otherwise by one of the parties.

Once this contract has ended, the data processor must return to the controller, or transmit to another processor designated by the controller, the personal data processed and delete any copy in its possession. However, the data processor may keep it blocked for the minimum time necessary to meet any potential liabilities that may arise from its relationship with Manuel Martín Fernández, destroying it safely and definitively at the end of said period.

4. Obligations of the data controller

The data controller and all its staff are obliged to:

ü Use the personal data that is being processed, or that is being collected for inclusion, only for the purpose of this assignment. Under no circumstances may the data be used for personal purposes.

Process the data in accordance with the documented instructions of the data controller. If the data processor considers that any of the instructions provided infringe the General Data Protection Regulation or any other data protection provisions, the data processor shall immediately inform the controller.

ü Keep a written record of all categories of processing activities carried out on behalf of the controller, containing:

1 The name and contact details of the processor(s) and of each controller on whose behalf the processor acts and, where applicable, of the controller's or processor's representative and the data protection officer.

2 The categories of processing carried out on behalf of each controller.

3 An overview of the appropriate technical and organizational security measures you are implementing.

ü Not to communicate or disseminate the data to third parties, unless expressly authorized by the data controller or in legally admissible cases. If the processor wishes to subcontract, in whole or in part, the services covered by this contract, it must inform the controller and request prior authorization.

ü Maintain the duty of confidentiality regarding the personal data to which you have had access by virtue of this assignment, even after the contract ends.

ü Ensure that persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and comply with the corresponding security measures, of which the person in charge must inform them appropriately.

ü Keep the documentation proving compliance with the obligation established in the previous section available to the person responsible.

ü Ensure the necessary training in personal data protection for persons authorized to process personal data.

ü When affected persons exercise their rights of access, rectification, deletion and portability of data and opposition and limitation of processing before the data processor, the latter must communicate this by email to the address indicated by the controller as soon as possible. The communication must be made immediately and in no case later than the business day following receipt of the request, together, where appropriate, with other information that may be relevant to resolve it. The controller shall assist the controller, whenever possible, so that he can comply with and respond to the exercise of rights.

ü Notification of data security breaches:

The data processor shall notify the data controller, without undue delay and via the email address provided by the controller, of any breaches of security of the personal data under its control of which it is aware, together with all relevant information for the documentation and communication of the incident. It shall also notify any failure it has suffered in its information processing and management systems that may jeopardize the security of the personal data processed, its integrity or availability, as well as any possible breach of confidentiality as a result of the data and information accessed during the execution of the contract being made known to third parties.

The following information shall be provided as a minimum:

a) Description of the nature of the personal data breach, including where possible the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.

b) Contact person details for further information.

c) Description of the possible consequences of the violation of the security of personal data.

d) Description of the measures taken or proposed to remedy the breach of personal data security, including, where applicable, the measures taken to mitigate any potential negative effects.

If and to the extent that it is not possible to provide the information simultaneously, the information will be provided gradually without undue delay.

VILANOVA ASSESSORS 2005, SL, at the request of the controller, will communicate any data security breaches to the data subjects as soon as possible, when the breach is likely to pose a high risk to the rights and freedoms of natural persons.

Communication must be made in clear and simple language and must include the elements that the person responsible indicates in each case, as a minimum:

a) The nature of the data breach.

b) Contact details of the controller or processor where further information may be obtained.

c) Describe the possible consequences of a breach of personal data security.

d) Describe the measures adopted or proposed by the data controller to remedy the personal data breach, including, where applicable, the measures taken to mitigate any negative effects.

ü Make available to the controller all the information necessary to demonstrate compliance with its obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the controller or another auditor authorized by him.

ü Implement the necessary technical and organizational security measures to guarantee the permanent confidentiality, integrity, availability and resilience of the systems and services for processing personal data.

ü Destination of data:

Delete, return to the controller or deliver, where appropriate, to a new controller as determined by Manuel Martín Fernández, all personal data once the provision of the commissioned processing service has been completed.

Data destruction is not appropriate when there is a legal provision requiring its conservation, in which case it must be returned to the person responsible who will guarantee its conservation, duly blocked, while such obligation persists.

The return must involve the complete deletion of the data existing on the computer equipment used by the data processor. However, the data processor may retain a copy of the data, duly blocked, as long as liabilities may arise from the execution of the services provided to the data controller.

5. Obligations of the data controller

The data controller is responsible for:

a) Provide the person in charge with the data necessary to provide the service.

b) Ensure, prior to and throughout the processing, compliance with the provisions in force regarding data protection by the data processor.

c) Monitor the processing, including the possibility of requesting information to verify compliance with the obligations established in this contract.

 

PROCESSING OF DATA OF POTENTIAL CLIENTS

Information clause:

At MMCarpintero we process the information you provide us with in order to provide you with the requested service or send you the required information. The data provided will be kept as long as you do not ask us to stop the activity. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain information about whether Manuel Martín Fernández is processing your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to its processing by writing to Manuel Martín Fernández, Carrer Magnolia 23, 08410 Vilanova del Valles or by emailing info@mmcarpintero.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national control authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid.

We also request your permission to send you advertising related to our products and services by any means (post, email or telephone) and to invite you to events organized by the company.”

 

CANDIDATE DATA PROCESSING

Information clause:

At MMCarpintero we process the information you provide us with in order to keep you informed of the different job vacancies that occur in our organization. The data provided will be kept until a job is awarded or until you exercise your right to deletion. The data will not be transferred to third parties. You have the right to obtain information on whether Manuel Martín Fernández is processing your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to its processing by writing to Manuel Martín Fernández, Carrer Magnolia 23, 08410 Vilanova del Valles or by emailing info@mmcarpintero.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national control authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid.”

 

PROCESSING OF SUPPLIER DATA

Information clause:

At MMCarpintero we process the information you provide us with in order to place orders and manage the billing of the products and services contracted. The data provided will be kept as long as the commercial relationship is maintained or for the time necessary to comply with legal obligations and meet any potential liabilities that may arise from compliance with the purpose for which the data was collected. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain information about whether Manuel Martín Fernández is processing your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to its processing by writing to Manuel Martín Fernández, Carrer Magnolia 23, 08410 Vilanova del Valles or by email to info@mmcarpintero.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national supervisory authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid.”

 

SERVICE COMPANIES

Contracts:

 

A) Clauses for service providers with access to information systems.

1. Purpose of the processing order

By means of these clauses, IONOS Cloud SLU, as the data processor, is authorized to process on behalf of Manuel Martín Fernández, as the data controller, the personal data necessary to provide the service specified below.

The treatment will consist of Hosting, web domains and email.

2. Identification of the affected information

In order to carry out the services derived from the fulfilment of the purpose of this assignment, the entity Manuel Martín Fernández as the data controller, makes available to the entity IONOS Cloud SLU the information available on the computer equipment that supports the data processing carried out by the controller.

3. Duration

This agreement has a duration of 1 year, being automatically renewed unless decided otherwise by one of the parties.

Once this contract has ended, the data processor must return the personal data processed to the controller and delete any copies in its possession. However, the data may be kept blocked for the minimum time necessary to meet any potential liabilities that may arise from its relationship with Manuel Martín Fernández, and it will be destroyed safely and definitively at the end of said period.

4. Obligations of the data controller

The data controller and all its staff are obliged to:

ü Use the personal data to which you have access as a result of the provision of the service only for the purpose of this assignment. Under no circumstances may you use the data for your own purposes.

ü Process the data in accordance with the documented instructions of the data controller. If the data processor considers that any of the instructions provided infringe the General Data Protection Regulation or any other data protection provision, the data processor shall immediately inform the controller.

ü Not to communicate or disseminate the data to third parties, unless expressly authorized by the data controller or in legally admissible cases. If the processor wishes to subcontract, in whole or in part, the services covered by this contract, it must inform the controller and request prior authorization.

ü Maintain the duty of confidentiality regarding the personal data to which you have had access by virtue of this assignment, even after the contract ends.

ü Ensure that persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and comply with the corresponding security measures, of which the person in charge must inform them appropriately.

ü Keep the documentation proving compliance with the obligation established in the previous section available to the person responsible.

ü Ensure the necessary training in personal data protection for persons authorized to process personal data.

ü Notification of data security breaches:

The data processor shall notify the data controller, without undue delay and via the email address provided by the controller, of any breaches of security of the personal data under its control of which it is aware, together with all relevant information for the documentation and communication of the incident. It shall also notify any failure it has suffered in its information processing and management systems that may jeopardize the security of the personal data processed, its integrity or availability, as well as any possible breach of confidentiality as a result of the data and information accessed during the execution of the contract being made known to third parties.

The following information shall be provided as a minimum:

a) Description of the nature of the personal data breach, including where possible the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.

b) Contact person details for further information.

c) Description of the possible consequences of the violation of the security of personal data.

d) Description of the measures taken or proposed to remedy the breach of personal data security, including, where applicable, the measures taken to mitigate any potential negative effects.

If and to the extent that it is not possible to provide the information simultaneously, the information will be provided gradually without undue delay.

ü Provide the person responsible with all the information necessary to demonstrate compliance with his/her obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the person responsible or another auditor authorized by him/her.

ü Assist the data controller in implementing the necessary security measures to:

a) Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

b) Restore the availability and access to personal data quickly, in the event of a physical or technical incident.

c) Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.

ü Destination of data:

The data controller will not retain personal data relating to the processing carried out unless it is strictly necessary for the provision of the service covered by the contract and only for the minimum time necessary.

Once the provision of the contracted service has been completed, the data processor will delete, return to the controller or deliver, where appropriate, to a new controller, as determined by Manuel Martín Fernández, all personal data.

Data destruction is not appropriate when there is a legal provision requiring its conservation, in which case it must be returned to the person responsible who will guarantee its conservation, duly blocked, while such obligation persists.

The return must involve the complete deletion of the data existing on the computer equipment used by the data processor. However, the data processor may retain a copy of the data, duly blocked, as long as liabilities may arise from the execution of the services provided to the data controller.

5. Obligations of the data controller

The data controller is responsible for:

a) Provide the person in charge with access to the equipment so that he or she can provide the contracted service.

b) Ensure, prior to and throughout the processing, compliance with the provisions in force regarding data protection by the data processor.

c) Monitor the processing, including the possibility of requesting information to verify compliance with the obligations established in this contract.

 

B) Confidentiality clauses for service providers with accidental access to data.

1. Duty of confidentiality

The provision of services covered by this contract does not include the processing of personal data.

However, in the event that IONOS Cloud SLU staff, accidentally or incidentally, becomes aware of personal data information relating to the processing activities of MMCarpintero, they will be obliged to strictly observe the duty of secrecy and confidentiality, both during the course of the contractual relationship and once it has ended.

a) following at all times the instructions of Manuel Martín Fernández's staff

b) not being able to use the information to which they may have had access for any purpose other than that derived from the provision of service and

c) not being able to disclose, make known or use for their own benefit or that of third parties any information that they may have learned during the provision of the service covered by this contract.

 

A) Clauses for service providers with access to information systems.

1. Purpose of the processing order

By means of these clauses, Contasimple SLU, as the data processor, is authorized to process on behalf of Manuel Martín Fernández, as the data controller, the personal data necessary to provide the service specified below.

The treatment will consist of Billing Application.

2. Identification of the affected information

In order to carry out the services derived from the fulfilment of the purpose of this assignment, the entity Manuel Martín Fernández as the data controller, makes available to the entity Contasimple SLU the information available on the computer equipment that supports the data processing carried out by the controller.

3. Duration

This agreement has a duration of 1 year, being automatically renewed unless decided otherwise by one of the parties.

Once this contract has ended, the data processor must return the personal data processed to the controller and delete any copies in its possession. However, the data may be kept blocked for the minimum time necessary to meet any potential liabilities that may arise from its relationship with Manuel Martín Fernández, and it will be destroyed safely and definitively at the end of said period.

4. Obligations of the data controller

The data controller and all its staff are obliged to:

ü Use the personal data to which you have access as a result of the provision of the service only for the purpose of this assignment. Under no circumstances may you use the data for your own purposes.

ü Process the data in accordance with the documented instructions of the data controller. If the data processor considers that any of the instructions provided infringe the General Data Protection Regulation or any other data protection provision, the data processor shall immediately inform the controller.

ü Not to communicate or disseminate the data to third parties, unless expressly authorized by the data controller or in legally admissible cases. If the processor wishes to subcontract, in whole or in part, the services covered by this contract, it must inform the controller and request prior authorization.

ü Maintain the duty of confidentiality regarding the personal data to which you have had access by virtue of this assignment, even after the contract ends.

ü Ensure that persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and comply with the corresponding security measures, of which the person in charge must inform them appropriately.

ü Keep the documentation proving compliance with the obligation established in the previous section available to the person responsible.

ü Ensure the necessary training in personal data protection for persons authorized to process personal data.

ü Notification of data security breaches:

The data processor shall notify the data controller, without undue delay and via the email address provided by the controller, of any breaches of security of the personal data under its control of which it is aware, together with all relevant information for the documentation and communication of the incident. It shall also notify any failure it has suffered in its information processing and management systems that may jeopardize the security of the personal data processed, its integrity or availability, as well as any possible breach of confidentiality as a result of the data and information accessed during the execution of the contract being made known to third parties.

The following information shall be provided as a minimum:

a) Description of the nature of the personal data breach, including where possible the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.

b) Contact person details for further information.

c) Description of the possible consequences of the violation of the security of personal data.

d) Description of the measures taken or proposed to remedy the breach of personal data security, including, where applicable, the measures taken to mitigate any potential negative effects.

If and to the extent that it is not possible to provide the information simultaneously, the information will be provided gradually without undue delay.

ü Provide the person responsible with all the information necessary to demonstrate compliance with his/her obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the person responsible or another auditor authorized by him/her.

ü Assist the data controller in implementing the necessary security measures to:

a) Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

b) Restore the availability and access to personal data quickly, in the event of a physical or technical incident.

c) Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.

ü Destination of data:

The data controller will not retain personal data relating to the processing carried out unless it is strictly necessary for the provision of the service covered by the contract and only for the minimum time necessary.

Once the provision of the contracted service has been completed, the data processor will delete, return to the controller or deliver, where appropriate, to a new controller, as determined by Manuel Martín Fernández, all personal data.

Data destruction is not appropriate when there is a legal provision requiring its conservation, in which case it must be returned to the person responsible who will guarantee its conservation, duly blocked, while such obligation persists.

The return must involve the complete deletion of the data existing on the computer equipment used by the data processor. However, the data processor may retain a copy of the data, duly blocked, as long as liabilities may arise from the execution of the services provided to the data controller.

5. Obligations of the data controller

The data controller is responsible for:

a) Provide the person in charge with access to the equipment so that he or she can provide the contracted service.

b) Ensure, prior to and throughout the processing, compliance with the provisions in force regarding data protection by the data processor.

c) Monitor the processing, including the possibility of requesting information to verify compliance with the obligations established in this contract.

 

B) Confidentiality clauses for service providers with accidental access to data.

1. Duty of confidentiality

The provision of services covered by this contract does not include the processing of personal data.

However, in the event that Contasimple SLU staff, accidentally or incidentally, becomes aware of personal data information relating to the processing activities of Manuel Martín Fernández, they will be obliged to strictly observe the duty of secrecy and confidentiality, both during the course of the contractual relationship and once it has ended,

a) following at all times the instructions of Manuel Martín Fernández's staff

b) not being able to use the information to which they may have had access for any purpose other than that derived from the provision of service and

c) not being able to disclose, make known or use for their own benefit or that of third parties any information that they may have learned during the provision of the service covered by this contract.

 

RECORD OF TREATMENT ACTIVITIES

Treatment: Clients

a) Data controller

Identity: Manuel Martín Fernández - NIF: 47704401D As MMCarpenter

Postal address: Carrer Magnolia 23, 08410 Vilanova del Valles

Email: info@mmcarpintero.com

Phone: 644515857

b) Purpose of the treatment

Customer relationship management

c) Categories of interested parties

Clients: People with whom a business relationship is maintained as clients.

d) Categories of data

Those necessary for the maintenance of the business relationship. Invoicing

Identification: name and surname, NIF, postal address, telephone numbers, e-mail

Bank details: for direct debit payments

e) Categories of recipients

State Tax Administration Agency

f) International transfers

No international transfers are planned.

g) Deletion period

Those provided for by tax legislation regarding the prescription of liabilities

h) Security measures

Those reflected in the SECURITY MEASURES ANNEX

 

Treatment: Potential Clients

a) Data controller

Identity: Manuel Martin Fernandez - Tax ID: 47704401D

Postal address: Carrer Magnolia 23, 08410 Vilanova del Valles

Email: info@mmcarpintero.com

Phone: 644515857

b) Purpose of the treatment

Managing relationships with potential customers

c) Categories of interested parties

Potential clients: People with whom you seek to maintain a business relationship as clients.

d) Categories of data

Those necessary for the commercial promotion of the company

Identification: name and surname and postal address, telephone numbers, e-mail

e) Categories of recipients

Not contemplated

f) International transfers

No international transfers are planned.

g) Deletion period

One year since first contact

h) Security measures

Those reflected in the SECURITY MEASURES ANNEX

 

Treatment: Candidates

a) Data controller

Identity: Manuel Martín Fernández - NIF: 47704401D As MMCarpenter

Postal address: Carrer Magnolia 23, 08410 Vilanova del Valles

Email: info@mmcarpintero.com

Phone: 644515857

b) Purpose of the treatment

Managing relationships with candidates for employment in the company

c) Categories of interested parties

Candidates: People who wish to work for the data controller

d) Categories of data

Those necessary to manage the resumes of potential future employees

Identification: name, surname, postal address, telephone numbers, e-mail

Personal characteristics: marital status, date and place of birth, age, sex, nationality and others excluding data on race, health or union membership

Academic data

Professional data

e) Categories of recipients

The sending of personal data to any recipient is not contemplated.

f) International transfers

No international transfers are planned.

g) Deletion period

One year since the presentation of the candidacy

h) Security measures

Those reflected in the SECURITY MEASURES ANNEX

 

Treatment: Suppliers

a) Data controller

Identity: Manuel Martín Fernández - NIF: 47704401D As MMCarpenter

Postal address: Carrer Magnolia 23, 08410 Vilanova del Valles

Email: info@mmcarpintero.com

Phone: 644515857

b) Purpose of the treatment

Supplier relationship management

c) Categories of interested parties

Suppliers: People with whom a commercial relationship is maintained as suppliers of products and/or services.

d) Categories of data

Those necessary for the maintenance of the employment relationship

Identification: name, NIF, postal address, telephone numbers, e-mail

Bank details: for direct debit payments

e) Categories of recipients

State Tax Administration Agency

Banks and financial institutions

f) International transfers

No international transfers are planned.

g) Deletion period

Those provided for by tax legislation regarding the prescription of liabilities

h) Security measures

Those reflected in the SECURITY MEASURES ANNEX

 

ANNEX

 

INFORMATION OF GENERAL INTEREST

This document has been designed for low-risk personal data processing, from which it follows that it cannot be used for personal data processing that includes personal data relating to ethnic or racial origin, political, religious or philosophical ideology, trade union membership, genetic and biometric data, health data, and data on the sexual orientation of individuals, as well as any other data processing that entails a high risk for the rights and freedoms of individuals.

Article 5.1.f of the General Data Protection Regulation (hereinafter, GDPR) determines the need to establish appropriate security guarantees against unauthorized or unlawful processing, against loss of personal data, accidental destruction or damage. This implies the establishment of technical and organizational measures aimed at ensuring the integrity and confidentiality of personal data and the possibility of demonstrating, as established in Article 5.2, that these measures have been put into practice (proactive accountability).

In addition, it must establish visible, accessible and simple mechanisms for exercising rights and have defined internal procedures to guarantee effective attention to the requests received.

 

ATTENTION OF THE EXERCISE OF RIGHTS

The data controller shall inform all employees about the procedure for exercising the rights of interested parties, clearly defining the mechanisms by which the rights may be exercised (electronic means, reference to the Data Protection Officer if applicable, postal address, etc.) and taking into account the following:

o Upon presentation of their national identity document or passport, the holders of personal data (interested parties) may exercise their rights of access, rectification, deletion, opposition, portability and limitation of processing. The exercise of rights is free of charge.

o The data controller must respond to interested parties without undue delay and in a concise, transparent, intelligible manner, using clear and simple language and retain proof of compliance with the duty to respond to requests for the exercise of rights made.

o If the application is submitted by electronic means, the information will be provided by these means whenever possible, unless the interested party requests otherwise.

o Requests must be answered within 1 month of receipt, and may be extended by another two months taking into account the complexity or number of requests, but in this case the interested party must be informed of the extension within one month of receipt of the request, indicating the reasons for the delay.

 


RIGHT OF ACCESS: Under the right of access, interested parties will be provided with a copy of the personal data available, together with the purpose for which they have been collected, the identity of the recipients of the data, the expected retention periods or the criteria used to determine it, the existence of the right to request the rectification or deletion of personal data as well as the limitation or opposition to their processing, the right to file a claim with the Spanish Data Protection Agency and, if the data have not been obtained from the interested party, any available information about their origin. The right to obtain a copy of the data cannot negatively affect the rights and freedoms of other interested parties.

- Form for exercising the right of access.

 

RIGHT TO RECTIFICATION: The right to rectification will be used to modify the data of interested parties that are inaccurate or incomplete in accordance with the purposes of the processing. The interested party must indicate in the request which data it refers to and the correction that must be made, providing, when necessary, the supporting documentation for the inaccuracy or incompleteness of the data being processed. If the data has been communicated by the controller to other controllers, they must be notified of the rectification of these unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.

- Form for exercising the right of rectification

 

RIGHT TO DELETION: The right to deletion shall mean that the data of interested parties shall be deleted when they express their refusal to the processing and there is no legal basis that prevents it, the data is not necessary in relation to the purposes for which it was collected, they withdraw the consent given and there is no other legal basis that legitimises the processing or it is unlawful. If the deletion is derived from the exercise of the interested party's right to object to the processing of their data for marketing purposes, the data subject's identification data may be retained in order to prevent future processing. If the data has been communicated by the controller to other controllers, they must be notified of the deletion of the data unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.

- Form for exercising the right to erasure.

 


RIGHT TO OBJECT: In the right to object, when interested parties express their refusal to the processing of their personal data to the controller, the latter will stop processing them provided there is no legal obligation that prevents it. When the processing is based on a mission of public interest or on the legitimate interest of the controller, in response to a request to exercise the right to object, the controller will stop processing the data unless compelling reasons are proven that prevail over the interests, rights and freedoms of the interested party or are necessary for the formulation, exercise or defense of claims. If the interested party objects to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

- Form for exercising the right to object.

 


RIGHT TO PORTABILITY: In the right to portability, if the processing is carried out by automated means and is based on consent or is carried out within the framework of a contract, interested parties may request to receive a copy of their personal data in a structured, commonly used and machine-readable format. They also have the right to request that they be transmitted directly to a new controller, whose identity must be communicated, when technically possible.

- Form for exercising data portability.

 

RIGHT TO LIMIT PROCESSING: In the right to limit processing, interested parties may request the suspension of the processing of their data to challenge its accuracy while the controller carries out the necessary verifications or in the event that the processing is carried out based on the legitimate interest of the controller or in compliance with a mission of public interest, while verifying whether these reasons prevail over the interests, rights and freedoms of the interested party. The interested party may also request the conservation of the data if they consider that the processing is illegal and, instead of deletion, requests the limitation of processing, or if the controller no longer needs them for the purposes for which they were collected, but the interested party needs them for the formulation, exercise or defense of claims. The fact that the processing of the interested party's data is limited must be clearly stated in the controller's systems. If the data has been communicated by the controller to other controllers, they must notify them of the limitation of the processing of these unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.

· Form for exercising limitation of processing.

 

If the interested party's request is not acted upon, the data controller will inform the interested party, without delay and no later than one month after receipt of the request, of the reasons for its failure to act and of the possibility of filing a claim with the Spanish Data Protection Agency and of taking legal action.

 

SECURITY MEASURES

Depending on the type of processing you have indicated when completing this form, the minimum security measures you should take into account are the following:

 

ORGANIZATIONAL MEASURES

INFORMATION THAT SHOULD BE KNOWN BY ALL PERSONNEL WITH ACCESS TO PERSONAL DATA

All staff with access to personal data must be aware of their obligations in relation to the processing of personal data and will be informed about these obligations. The minimum information that will be known to all staff will be the following:

- DUTY OF CONFIDENTIALITY AND SECRECY

o Access to personal data by unauthorised persons must be prevented. To this end, personal data must not be left exposed to third parties (unattended electronic screens, paper documents in public areas, media containing personal data, etc.). This consideration includes screens used to display images from the video surveillance system. When you leave your workstation, the screen must be blocked or your session closed.

o Paper documents and electronic media will be stored in a secure location (cupboards or rooms with restricted access) 24 hours a day.

o Documents or electronic media (CDs, pen drives, hard drives, etc.) containing personal data will not be discarded without ensuring their effective destruction.

o No personal data or any other personal information will be communicated to third parties, paying particular attention to not disclosing protected personal data during telephone consultations, emails, etc.

o The duty of secrecy and confidentiality persists even when the employee's employment relationship with the company ends.


 

- PERSONAL DATA SECURITY VIOLATIONS

o When personal data security breaches occur, such as theft or improper access to personal data, the Spanish Data Protection Agency will be notified within 72 hours of said security breaches, including all the information necessary to clarify the events that led to improper access to personal data. Notification will be made by electronic means through the electronic headquarters of the Spanish Data Protection Agency at the address https://sedeagpd.gob.es/sede-electronica-web/.


 

TECHNICAL MEASURES

ID

o When the same computer or device is used for processing personal data and for personal use, it is recommended to have several different profiles or users for each of the purposes. Professional and personal uses of the computer must be kept separate.

o It is recommended to have profiles with administrative rights for the installation and configuration of the system and users without privileges or administrative rights for access to personal data. This measure will prevent access privileges from being obtained or the operating system from being modified in the event of a cybersecurity attack.

o Passwords must be provided for access to personal data stored in electronic systems. The password must be at least 8 characters long, and be a mixture of numbers and letters.

o When personal data is accessed by different people, a specific username and password will be available for each person with access to the personal data (unique identification).

o Passwords must be kept confidential and must not be exposed to third parties. For password management, you can consult the Internet privacy and security guide of the Spanish Data Protection Agency and the National Cybersecurity Institute. Under no circumstances will passwords be shared or written down in a common place and accessible to persons other than the user.


DUTY OF SAFEGUARDING

The minimum technical measures to ensure the protection of personal data are set out below:

o UPDATE OF COMPUTERS AND DEVICES: The devices and computers used for the storage and processing of personal data must be kept up to date to the extent possible.

o MALWARE: Computers and devices where personal data is processed automatically will have an antivirus system that guarantees, to the extent possible, the theft and destruction of personal information and data. The antivirus system must be updated periodically.

o FIREWALL: To prevent unauthorized remote access to personal data, care will be taken to ensure that a firewall is activated and correctly configured on those computers and devices where personal data is stored and/or processed.

o DATA ENCRYPTION: When it is necessary to extract personal data from outside the premises where it is processed, whether by physical or electronic means, the possibility of using an encryption method should be assessed to guarantee the confidentiality of personal data in the event of improper access to the information.

o BACKUP: A backup copy will be made periodically on a second medium different from the one used for daily work. The copy will be stored in a safe place, different from the one where the computer with the original files is located, in order to allow the recovery of personal data in case of loss of information.


 

Security measures will be reviewed periodically, and the review may be carried out by automatic mechanisms (software or computer programs) or manually. Please consider that any computer security incident that has happened to someone you know may happen to you, and take precautions against it.

If you require more information or technical guidance to ensure the security of personal data and the information processed by your company, the National Cybersecurity Institute (INCIBE) on its website www.incibe.es, provides you with business-focused tools in its “Protect your company” section where, among other services, you have:

- a training section with a video game, challenges for incident response and interactive sector training videos,

- an Employee Awareness Kit,

- various tools to help companies improve their cybersecurity, including policies for employers, technical staff and employees, a catalogue of security companies and solutions, and a risk analysis tool.

- thematic dossiers complemented by videos and infographics and other resources,

- guides for the entrepreneur,

 

In addition, INCIBE, through the Internet Security Office, also provides you with free computer tools and additional information that may be useful for your company or professional activity.

Share by: