Privacy Policy



Last updated: March 24, 2023


In compliance with Regulation 2016/679 of the European Parliament, as well as Organic Law 15/1999 on the Protection of Personal Data, we inform you of the following:

Your personal data is stored in an automated file, under the responsibility of Manuel Martín Fernández, residing at C/Magnolia, 23 - CP08410 Vilanova del Vallès, for the purpose of informing you about our products and services, processing orders, and managing the invoicing of contracted products and services. You may exercise your rights of access, rectification, erasure, and objection by contacting the data controller at info@mmcarpintero.com.


CUSTOMER DATA PROCESSING

Data of the data controller:

Identity: Manuel Martín Fernández

Postal address: Carrer Magnolia 23, 08410 Vilanova del Vallès

Telephone: 644515857 - Email: info@mmcarpintero.com


From now on, the brand name will be MMCarpintero


At MMCarpintero, we process the information you provide in order to provide you with the requested service and to issue your invoice. The data provided will be kept for as long as the business relationship is maintained or for the time necessary to comply with legal obligations and address any potential liabilities that may arise from fulfilling the purpose for which the data was collected. The data will not be transferred to third parties except where there is a legal obligation to do so. You have the right to obtain information about whether Manuel Martín Fernández is processing your personal data. Therefore, you can exercise your rights of access, rectification, erasure, and data portability, as well as your rights to object to and restrict processing, by contacting Manuel Martín Fernández at Carrer Magnolia 23, 08410 Vilanova del Vallès, or by email at info@mmcarpintero.com, attaching a copy of your national identity document or equivalent. Furthermore, and especially if you believe that you have not obtained full satisfaction in the exercise of your rights, you may file a complaint with the national supervisory authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid.

We also request your authorization to offer you products and services related to those you have contracted and to build customer loyalty.

 

Contract with the agency responsible for handling billing procedures with clients:

1. Purpose of the processing order

Through these clauses, VILANOVA ASSESSORS 2005, SL, with address at PASSEIG DEL CENTENARI No. 45, Vilanova del Vallès, Postal Code 08410, Province of Barcelona and NIF B66255605, is authorized as the data processor to process, on behalf of Manuel Martín Fernández, as the data controller, the personal data necessary to provide the service specified below.

The processing will consist of administrative procedures.

2. Identification of the affected information

For the execution of the services derived from the fulfillment of the purpose of this commission, the entity Manuel Martín Fernández as responsible for the processing, makes available to the entity VILANOVA ASSESSORS 2005, SL, the identification and banking data of its clients.

3. Duration

This agreement has a duration of 1 year, being automatically renewed unless either party decides otherwise.

Upon termination of this contract, the data processor must return the processed personal data to the controller, or transfer it to another processor designated by the controller, and delete any copies in its possession. However, it may keep the data blocked for the minimum time necessary to address any potential liabilities that may arise from its relationship with Manuel Martín Fernández, securely and permanently destroying it at the end of that period.

4. Obligations of the data processor

The data controller and all its staff are obliged to:

  • Use the personal data being processed, or that collected for inclusion, only for the purpose of this engagement. Under no circumstances may the data be used for personal purposes.
  • Process data in accordance with the documented instructions of the data controller. If the data processor believes that any of the instructions provided infringe the General Data Protection Regulation or any other data protection provision, the processor shall immediately inform the controller.

  • Keep a written record of all categories of processing activities carried out on behalf of the controller, which contains:

    1. The name and contact details of the processor(s) and of each controller on whose behalf the processor acts and, where applicable, of the representative of the controller or the processor and of the data protection officer.

    2. The categories of processing carried out on behalf of each controller.

    3. An overview of the appropriate technical and organizational security measures you are implementing.

  • Do not communicate or disseminate the data to third parties, unless you have the express authorization of the data controller or in legally permissible cases. If the processor wishes to subcontract, in whole or in part, the services covered by this contract, they must inform the data controller and request their prior authorization.
  • Maintain the duty of secrecy regarding the personal data to which he/she has had access under this assignment, even after the contract ends.

  • Ensure that persons authorized to process personal data expressly and in writing commit to respecting confidentiality and complying with the corresponding security measures, which the person in charge must duly inform them of.

  • Keep available to the responsible party the documentation proving compliance with the obligation established in the previous section.

  • Ensure the necessary training in personal data protection for persons authorized to process personal data.

    When data subjects exercise their rights of access, rectification, erasure, and data portability, as well as their rights to object to and restrict processing, before the data processor, the processor must promptly notify the data controller by email to the address provided. This notification must be made immediately and in no case later than the next business day following receipt of the request, along with any other information that may be relevant to resolving it. The processor will assist the data controller, whenever possible, in fulfilling and responding to requests for the exercise of these rights.

  • Notification of data security breaches:

    The data processor shall notify the data controller, without undue delay and via the email address provided by the controller, of any personal data breaches under its responsibility of which it becomes aware, along with all relevant information for documenting and reporting the incident. It shall also notify the controller of any failures in its information processing and management systems that could jeopardize the security, integrity, or availability of the personal data processed, as well as any potential breaches of confidentiality resulting from the disclosure to third parties of data and information accessed during the performance of the contract.

    At a minimum, the following information will be provided:

    a) Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.

    b) Contact person details for further information.

    c) Description of the possible consequences of the breach of personal data security.

    d) Description of the measures taken or proposed to remedy the personal data breach, including, where appropriate, measures taken to mitigate possible adverse effects.

    If it is not possible to provide the information simultaneously, and to the extent that it is not, the information shall be provided gradually without undue delay.

    VILANOVA ASSESSORS 2005, SL, at the request of the controller, will communicate these data security breaches to the interested parties as soon as possible, when the breach is likely to pose a high risk to the rights and freedoms of natural persons.

    Communication must be in clear and simple language and must include, at a minimum, the elements specified by the person in charge in each case:

    a) The nature of the data breach.

    b) Contact details of the person in charge or responsible where further information can be obtained.

    c) Describe the possible consequences of a personal data security breach.

    d) Describe the measures taken or proposed by the controller to remedy the personal data breach, including, where appropriate, measures taken to mitigate its possible adverse effects.

  • Make available to the responsible party all the information necessary to demonstrate compliance with their obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the responsible party or another auditor authorized by them.

  • Implement the necessary technical and organizational security measures to guarantee the permanent confidentiality, integrity, availability and resilience of the systems and services for processing personal data.

  • Data destination:

    Delete, return to the responsible party or deliver, where appropriate, to a new processor as determined by Manuel Martín Fernández, all personal data once the provision of the processing service entrusted has ended.

    Data destruction is not permitted when there is a legal provision that requires its preservation, in which case it must be returned to the responsible party who will guarantee its preservation, duly blocked, while such obligation persists.

    The return must involve the complete erasure of all data stored on the computer equipment used by the processor. However, the processor may retain a copy of the data, duly blocked, for as long as liabilities may arise from the performance of the services provided to the data controller.

    5. Obligations of the data controller

    The responsibility of the data controller lies with:

    a) Provide the person in charge with the necessary information so that they can provide the service.

    b) To ensure, both before and throughout the processing, compliance with the current data protection provisions by the data processor.

    c) Monitor the treatment, including the possibility of requesting information to verify compliance with the obligations established in this contract.

     

    PROCESSING OF DATA OF POTENTIAL CLIENTS

    Information clause:

    At MMCarpintero, we process the information you provide in order to provide you with the requested service or send you the required information. The data provided will be kept until you request that we cease processing it. The data will not be transferred to third parties except where there is a legal obligation to do so. You have the right to obtain information about whether Manuel Martín Fernández is processing your personal data. Therefore, you can exercise your rights of access, rectification, erasure, and data portability, as well as your rights to object to and restrict processing, by contacting Manuel Martín Fernández at Carrer Magnolia 23, 08410 Vilanova del Vallès, or by email at info@mmcarpintero.com, attaching a copy of your national identity document or equivalent. Furthermore, and especially if you believe that you have not received full satisfaction in the exercise of your rights, you may file a complaint with the national supervisory authority, the Spanish Data Protection Agency (Agencia Española de Protección de Datos), located at C/ Jorge Juan, 6 – 28001 Madrid.

    We also request your authorization to send you advertising related to our products and services by any means (mail, email or telephone) and to invite you to events organized by the company.

     

    PROCESSING OF CANDIDATE DATA

    Information clause:

    At MMCarpintero, we process the information you provide to keep you informed of any job vacancies that arise within our organization. The data provided will be kept until a job is filled or until you exercise your right to erasure. The data will not be shared with third parties. You have the right to obtain information about whether Manuel Martín Fernández is processing your personal data. Therefore, you can exercise your rights of access, rectification, erasure, data portability, and objection and restriction of processing by contacting Manuel Martín Fernández at Carrer Magnolia 23, 08410 Vilanova del Vallès, or by email at info@mmcarpintero.com, attaching a copy of your national identity document or equivalent. Furthermore, and especially if you believe you have not received full satisfaction in the exercise of your rights, you may file a complaint with the national supervisory authority, the Spanish Data Protection Agency (Agencia Española de Protección de Datos), located at C/ Jorge Juan, 6 – 28001 Madrid.

     

    PROCESSING OF SUPPLIER DATA

    Information clause:

    At MMCarpintero, we process the information you provide to us in order to process orders and manage the invoicing of contracted products and services. The data provided will be kept for as long as the business relationship is maintained or for the time necessary to comply with legal obligations and address any potential liabilities that may arise from fulfilling the purpose for which the data was collected. The data will not be transferred to third parties except where there is a legal obligation to do so. You have the right to obtain information about whether Manuel Martín Fernández is processing your personal data. Therefore, you can exercise your rights of access, rectification, erasure, and data portability, as well as your rights to object to and restrict processing, by contacting Manuel Martín Fernández at Carrer Magnolia 23, 08410 Vilanova del Vallès, or by email at info@mmcarpintero.com, attaching a copy of your national identity document or equivalent. Furthermore, and especially if you believe that you have not obtained full satisfaction in the exercise of your rights, you may file a complaint with the national supervisory authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid.

     

    SERVICE COMPANIES

    Contracts:

     

    A) Clauses for service providers with access to information systems.

    1. Purpose of the processing order

    These clauses authorize IONOS Cloud SLU, as the data processor, to process on behalf of Manuel Martín Fernández, as the data controller, the personal data necessary to provide the service specified below.

    The processing will consist of hosting, web domains and email.

    2. Identification of the affected information

    For the execution of the services derived from the fulfillment of the purpose of this commission, the entity Manuel Martín Fernández as the data controller, makes available to the entity IONOS Cloud SLU the information available on the computer equipment that supports the data processing carried out by the controller.

    3. Duration

    This agreement has a duration of 1 year, being automatically renewed unless either party decides otherwise.

    Once this contract ends, the data processor must return the processed personal data to the data controller and delete any copies held. However, the data processor may keep the data blocked for the minimum time necessary to address any potential liabilities that may arise from its relationship with Manuel Martín Fernández, after which the data will be securely and permanently destroyed.

    4. Obligations of the data processor

    The data controller and all its staff are obliged to:

  • Use the personal data to which you have access as a result of providing the service only for the purpose of this engagement. Under no circumstances may you use the data for your own purposes.
  • Process data in accordance with the documented instructions of the data controller. If the data processor considers that any of the instructions provided infringe the General Data Protection Regulation or any other data protection provision, the processor shall immediately inform the controller.
  • Do not communicate or disseminate the data to third parties, unless you have the express authorization of the data controller or in legally permissible cases. If the processor wishes to subcontract, in whole or in part, the services covered by this contract, they must inform the data controller and request their prior authorization.
  • Maintain the duty of secrecy regarding the personal data to which he/she has had access under this assignment, even after the contract ends.

  • Ensure that persons authorized to process personal data expressly and in writing commit to respecting confidentiality and complying with the corresponding security measures, which the person in charge must duly inform them of.

  • Keep available to the responsible party the documentation proving compliance with the obligation established in the previous section.

  • Ensure the necessary training in personal data protection for persons authorized to process personal data.

  • Notification of data security breaches:

    The data processor shall notify the data controller, without undue delay and via the email address provided by the controller, of any personal data breaches under its responsibility of which it becomes aware, along with all relevant information for documenting and reporting the incident. It shall also notify the controller of any failures in its information processing and management systems that could jeopardize the security, integrity, or availability of the personal data processed, as well as any potential breaches of confidentiality resulting from the disclosure to third parties of data and information accessed during the performance of the contract.

    At a minimum, the following information will be provided:

    a) Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.

    b) Contact person details for further information.

    c) Description of the possible consequences of the breach of personal data security.

    d) Description of the measures taken or proposed to remedy the personal data breach, including, where appropriate, measures taken to mitigate possible adverse effects.

    If it is not possible to provide the information simultaneously, and to the extent that it is not, the information shall be provided gradually without undue delay.

  • Make available to the responsible party all the information necessary to demonstrate compliance with their obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the responsible party or another auditor authorized by them.

  • Assist the data controller in implementing the necessary security measures to:

    a) Guarantee the ongoing confidentiality, integrity, availability and resilience of treatment systems and services.

    b) Restore the availability and access to personal data quickly, in the event of a physical or technical incident.

    c) Regularly verify, evaluate and assess the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.

  • Data destination:

    The data processor will not retain personal data relating to the processing carried out unless strictly necessary for the provision of the service covered by the contract and only for the minimum time required.

    Once the provision of the contracted service has ended, the data processor will delete, return to the controller or deliver, as appropriate, to a new processor, as determined by Manuel Martín Fernández, all personal data.

    Data destruction is not permitted when there is a legal provision that requires its preservation, in which case it must be returned to the responsible party who will guarantee its preservation, duly blocked, while such obligation persists.

    The return must involve the complete erasure of all data stored on the computer equipment used by the processor. However, the processor may retain a copy of the data, duly blocked, for as long as liabilities may arise from the performance of the services provided to the data controller.

    5. Obligations of the data controller

    The responsibility of the data controller lies with:

    a) To facilitate the person in charge's access to the equipment so that they can provide the contracted service.

    b) To ensure, both before and throughout the processing, compliance with the current data protection regulations by the data processor.

    c) Monitor the treatment, including the possibility of requesting information to verify compliance with the obligations established in this contract.

     

    B) Confidentiality clauses for service providers with accidental access to data.

    1. Duty of confidentiality

    The provision of services covered by this contract does not include the processing of personal data.

    However, if IONOS Cloud SLU personnel accidentally or incidentally become aware of personal data relating to MMCarpintero's processing activities, they will be obliged to strictly observe the duty of secrecy and confidentiality, both during the course of the contractual relationship and once it has ended.

    a) following at all times the instructions of Manuel Martín Fernández's staff

    b) not being able to use the information to which they may have had access for any purpose other than that derived from the provision of the service and

    c) not being able to disclose, make known or use for their own benefit or that of third parties the information that they may have learned during the provision of the service that is the subject of this contract.

     

    A) Clauses for service providers with access to information systems.

    1. Purpose of the processing order

    These clauses authorize Contasimple SLU, as the data processor, to process on behalf of Manuel Martín Fernández, as the data controller, the personal data necessary to provide the service specified below.

    The processing will consist of a billing application.

    2. Identification of the affected information

    For the execution of the services derived from the fulfillment of the purpose of this commission, the entity Manuel Martín Fernández as the data controller, makes available to the entity Contasimple SLU the information available on the computer equipment that supports the data processing carried out by the controller.

    3. Duration

    This agreement has a duration of 1 year, being automatically renewed unless either party decides otherwise.

    Once this contract ends, the data processor must return the processed personal data to the data controller and delete any copies held. However, the data processor may keep the data blocked for the minimum time necessary to address any potential liabilities that may arise from its relationship with Manuel Martín Fernández, after which the data will be securely and permanently destroyed.

    4. Obligations of the data processor

    The data controller and all its staff are obliged to:

  • Use the personal data to which you have access as a result of providing the service only for the purpose of this engagement. Under no circumstances may you use the data for your own purposes.
  • Process data in accordance with the documented instructions of the data controller. If the data processor considers that any of the instructions provided infringe the General Data Protection Regulation or any other data protection provision, the processor shall immediately inform the controller.
  • Do not communicate or disseminate the data to third parties, unless you have the express authorization of the data controller or in legally permissible cases. If the processor wishes to subcontract, in whole or in part, the services covered by this contract, they must inform the data controller and request their prior authorization.
  • Maintain the duty of secrecy regarding the personal data to which he/she has had access under this assignment, even after the contract ends.

  • Ensure that persons authorized to process personal data expressly and in writing commit to respecting confidentiality and complying with the corresponding security measures, which the person in charge must duly inform them of.

  • Keep available to the responsible party the documentation proving compliance with the obligation established in the previous section.

  • Ensure the necessary training in personal data protection for persons authorized to process personal data.

  • Notification of data security breaches:

    The data processor shall notify the data controller, without undue delay and via the email address provided by the controller, of any personal data breaches under its responsibility of which it becomes aware, along with all relevant information for documenting and reporting the incident. It shall also notify the controller of any failures in its information processing and management systems that could jeopardize the security, integrity, or availability of the personal data processed, as well as any potential breaches of confidentiality resulting from the disclosure to third parties of data and information accessed during the performance of the contract.

    At a minimum, the following information will be provided:

    a) Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.

    b) Contact person details for further information.

    c) Description of the possible consequences of the breach of personal data security.

    d) Description of the measures taken or proposed to remedy the personal data breach, including, where appropriate, measures taken to mitigate possible adverse effects.

    If it is not possible to provide the information simultaneously, and to the extent that it is not, the information shall be provided gradually without undue delay.

  • Make available to the responsible party all the information necessary to demonstrate compliance with their obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the responsible party or another auditor authorized by them.

  • Assist the data controller in implementing the necessary security measures to:

    a) Guarantee the ongoing confidentiality, integrity, availability and resilience of treatment systems and services.

    b) Restore the availability and access to personal data quickly, in the event of a physical or technical incident.

    c) Regularly verify, evaluate and assess the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.

  • Data destination:

    The data processor will not retain personal data relating to the processing carried out unless strictly necessary for the provision of the service covered by the contract and only for the minimum time required.

    Once the provision of the contracted service has ended, the data processor will delete, return to the controller or deliver, as appropriate, to a new processor, as determined by Manuel Martín Fernández, all personal data.

    Data destruction is not permitted when there is a legal provision that requires its preservation, in which case it must be returned to the responsible party who will guarantee its preservation, duly blocked, while such obligation persists.

    The return must involve the complete erasure of all data stored on the computer equipment used by the processor. However, the processor may retain a copy of the data, duly blocked, for as long as liabilities may arise from the performance of the services provided to the data controller.

    5. Obligations of the data controller

    The responsibility of the data controller lies with:

    a) To facilitate the person in charge's access to the equipment so that they can provide the contracted service.

    b) To ensure, both before and throughout the processing, compliance with the current data protection regulations by the data processor.

    c) Monitor the treatment, including the possibility of requesting information to verify compliance with the obligations established in this contract.

     

    B) Confidentiality clauses for service providers with accidental access to data.

    1. Duty of confidentiality

    The provision of services covered by this contract does not include the processing of personal data.

    However, if the staff of Contasimple SLU, accidentally or incidentally, become aware of personal data relating to the processing activities of Manuel Martín Fernández, they will be obliged to strictly observe the duty of secrecy and confidentiality, both during the course of the contractual relationship and once it has ended.

    a) following at all times the instructions of Manuel Martín Fernández's staff

    b) not being able to use the information to which they may have had access for any purpose other than that derived from the provision of the service and

    c) not being able to disclose, make known or use for their own benefit or that of third parties the information that they may have learned during the provision of the service that is the subject of this contract.

     

    RECORD OF TREATMENT ACTIVITIES

    Treatment: Clients

    a) Data controller

    Identity: Manuel Martín Fernández - NIF: 47704401D As MMCarpintero

    Postal address: Carrer Magnolia 23, 08410 Vilanova del Vallès

    Email: info@mmcarpintero.com

    Telephone: 644515857

    b) Purpose of the treatment

    Customer relationship management

    c) Categories of interested parties

    Customers: People with whom a business relationship is maintained as customers

    d) Data categories

    Those necessary for maintaining the business relationship. Invoicing

    Identification details: name and surname, NIF (Spanish tax identification number), postal address, telephone numbers, email

    Bank details: for direct debit payments

    e) Categories of recipients

    State Tax Administration Agency

    f) International transfers

    International transfers are not planned

    g) Deletion period

    Those provided for by tax legislation regarding the statute of limitations for liabilities

    h) Security measures

    Those reflected in the SECURITY MEASURES ANNEX

     

    Treatment: Potential Clients

    a) Data controller

    Identity: Manuel Martín Fernández - NIF: 47704401D

    Postal address: Carrer Magnolia 23, 08410 Vilanova del Vallès

    Email: info@mmcarpintero.com

    Telephone: 644515857

    b) Purpose of the treatment

    Managing relationships with potential customers

    c) Categories of interested parties

    Potential customers: People with whom we seek to maintain a business relationship as clients

    d) Data categories

    Those necessary for the commercial promotion of the company

    Identification details: name and surname, postal address, telephone numbers, email

    e) Categories of recipients

    It is not considered

    f) International transfers

    International transfers are not planned

    g) Deletion period

    One year since first contact

    h) Security measures

    Those reflected in the SECURITY MEASURES ANNEX

     

    Treatment: Candidates

    a) Data controller

    Identity: Manuel Martín Fernández - NIF: 47704401D As MMCarpintero

    Postal address: Carrer Magnolia 23, 08410 Vilanova del Vallès

    Email: info@mmcarpintero.com

    Telephone: 644515857

    b) Purpose of the treatment

    Managing the relationship with job applicants at the company

    c) Categories of interested parties

    Candidates: People who want to work for the data controller

    d) Data categories

    Those needed to manage the resumes of potential future employees

    Identification details: name, surname, postal address, telephone numbers, email

    Personal characteristics: marital status, date and place of birth, age, sex, nationality and others excluding data on race, health or union affiliation

    Academic data

    Professional data

    e) Categories of recipients

    The sending of personal data to any recipient is not contemplated.

    f) International transfers

    International transfers are not planned

    g) Deletion period

    One year since the candidacy was submitted

    h) Security measures

    Those reflected in the SECURITY MEASURES ANNEX

     

    Treatment: Providers

    a) Data controller

    Identity: Manuel Martín Fernández - NIF: 47704401D, as MMCarpintero

    Postal address: Carrer Magnolia 23, 08410 Vilanova del Valles

    Email: info@mmcarpintero.com

    Telephone: 644515857

    b) Purpose of the treatment

    Supplier relationship management

    c) Categories of interested parties

    Suppliers: People with whom a business relationship is maintained as suppliers of products and/or services

    d) Data categories

    Those necessary for maintaining the employment relationship

    Identification details: name, NIF (Spanish tax identification number), postal address, telephone numbers, email

    Bank details: for direct debit payments

    e) Categories of recipients

    State Tax Administration Agency

    Banks and financial institutions

    f) International transfers

    International transfers are not planned

    g) Deletion period

    Those provided for by tax legislation regarding the statute of limitations for liabilities

    h) Security measures

    Those reflected in the SECURITY MEASURES ANNEX

     

    APPENDIX

     

    INFORMATION OF GENERAL INTEREST

    This document has been designed for low-risk personal data processing, which means it cannot be used for personal data processing that includes personal data relating to ethnic or racial origin, political, religious or philosophical ideology, trade union membership, genetic and biometric data, health data, and data concerning a person's sexual orientation, as well as any other data processing that entails a high risk to the rights and freedoms of individuals.

    Article 5.1.f of the General Data Protection Regulation (hereinafter, GDPR) establishes the need to implement appropriate security measures against unauthorized or unlawful processing, loss of personal data, accidental destruction, or damage. This entails the implementation of technical and organizational measures to ensure the integrity and confidentiality of personal data and the ability to demonstrate, as established in Article 5.2, that these measures have been put in place (proactive accountability).

    In addition, it must establish visible, accessible and simple mechanisms for the exercise of rights and have defined internal procedures to guarantee the effective handling of requests received.

     

    ATTENTION TO THE EXERCISE OF RIGHTS

    The data controller will inform all employees about the procedure for addressing the rights of data subjects, clearly defining the mechanisms by which these rights can be exercised (electronic means, reference to the Data Protection Officer if there is one, postal address, etc.) and taking into account the following:

    Upon presentation of their national identity document or passport, data subjects may exercise their rights of access, rectification, erasure, objection, portability, and restriction of processing. Exercising these rights is free of charge.

    The data controller must respond to interested parties without undue delay and in a concise, transparent, intelligible manner, using clear and simple language, and retain proof of compliance with the duty to respond to requests for the exercise of rights made.

    If the application is submitted electronically, the information will be provided by these means where possible, unless the applicant requests otherwise.

    Applications must be answered within 1 month of receipt, which may be extended by a further two months taking into account the complexity or number of applications, but in that case the interested party must be informed of the extension within one month of receipt of the application, indicating the reasons for the delay.

     


    RIGHT OF ACCESS: The right of access entitles data subjects to a copy of their personal data held, along with the purpose for which it was collected, the identity of the recipients, the envisaged retention periods or the criteria used to determine them, the existence of the right to request rectification or erasure of personal data, as well as the restriction or objection to its processing, the right to lodge a complaint with the Spanish Data Protection Agency, and, if the data was not obtained from the data subject, any available information as to its source. The right to obtain a copy of the data may not adversely affect the rights and freedoms of other data subjects.

    - Form for exercising the right of access.

     

    RIGHT OF RECTIFICATION: The right of rectification allows for the modification of inaccurate or incomplete data concerning data subjects, taking into account the purposes of the processing. The data subject must specify in the request which data is being referred to and the correction to be made, providing, where necessary, supporting documentation justifying the inaccuracy or incompleteness of the data being processed. If the data has been communicated by the controller to other controllers, the controller must notify them of the rectification unless this is impossible or involves a disproportionate effort, providing the data subject with information about these recipients upon request.

    - Form for exercising the right of rectification

     

    RIGHT TO ERASURE: Under the right to erasure, data subjects' personal data will be deleted when they object to its processing and there is no legal basis preventing it, the data is no longer necessary for the purposes for which it was collected, they withdraw their consent, and there is no other legal basis legitimizing the processing or the processing is unlawful. If the erasure stems from the data subject's exercise of their right to object to the processing of their data for marketing purposes, the data subject's identifying information may be retained to prevent future processing. If the data has been communicated by the controller to other controllers, the controller must notify them of the erasure unless this proves impossible or involves a disproportionate effort, providing the data subject with information about these recipients upon request.

    - Form for exercising the right to erasure.

     


    RIGHT TO OBJECT: Under the right to object, when data subjects express their refusal to the processing of their personal data to the controller, the controller will cease processing it unless there is a legal obligation preventing it. When the processing is based on a task carried out in the public interest or on the legitimate interests of the controller, upon a request to exercise the right to object, the controller will cease processing the data unless compelling legitimate grounds are demonstrated which override the interests, rights and freedoms of the data subject or the processing is necessary for the establishment, exercise or defense of legal claims. If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

    - Form for exercising the right to object.

     


    RIGHT TO DATA PORTABILITY: Under the right to data portability, if the processing is carried out by automated means and is based on consent or within the framework of a contract, data subjects may request to receive a copy of their personal data in a structured, commonly used, and machine-readable format. They also have the right to request that their data be transmitted directly to a new controller, whose identity must be disclosed, where technically feasible.

    - Form for exercising the right to data portability.

     

    RIGHT TO RESTRICTION OF PROCESSING: Under the right to restriction of processing, data subjects may request the suspension of the processing of their data to contest its accuracy while the controller carries out the necessary verifications, or if the processing is based on the legitimate interests of the controller or is carried out in the public interest, while it is verified whether these grounds override the interests, rights, and freedoms of the data subject. The data subject may also request the retention of the data if they consider the processing to be unlawful and, instead of erasure, request restriction of processing, or if, even though the controller no longer needs the data for the purposes for which it was collected, the data subject requires it for the establishment, exercise, or defense of legal claims. The fact that the processing of the data subject's data is restricted must be clearly indicated in the controller's systems. If the data has been communicated by the controller to other controllers, the controller must notify them of the restriction of processing unless this proves impossible or involves disproportionate effort, providing the data subject with information about those recipients upon request.

    - Form for exercising the right to restriction of processing.

     

    If the data subject's request is not acted upon, the controller shall inform them, without delay and no later than one month after receipt of the request, of the reasons for not acting and of the possibility of filing a complaint with the Spanish Data Protection Agency and of taking legal action.

     

    SECURITY MEASURES

    Based on the type of processing you have indicated when completing this form, the minimum security measures you should take into account are the following:

     

    ORGANIZATIONAL MEASURES

    INFORMATION THAT MUST BE KNOWN BY ALL STAFF WITH ACCESS TO PERSONAL DATA

    All personnel with access to personal data must be aware of their obligations regarding the processing of personal data and will be informed of these obligations. The minimum information that all personnel will be aware of is as follows:

    - DUTY OF CONFIDENTIALITY AND SECRECY

    Unauthorized access to personal data must be prevented. To this end, personal data must not be left exposed to third parties (unattended electronic screens, paper documents in public areas, storage media containing personal data, etc.). This includes screens used for viewing images from the video surveillance system. When leaving the workstation, the screen must be locked or the session closed.

    Paper documents and electronic media will be stored in a secure place (cabinets or restricted access rooms) 24 hours a day.

    Documents or electronic media (CDs, pen drives, hard drives, etc.) containing personal data will not be disposed of without guaranteeing their effective destruction.

    No personal data or any other personal information will be communicated to third parties, paying special attention to not disclosing protected personal data during telephone consultations, emails, etc.

    The duty of secrecy and confidentiality persists even when the employee's employment relationship with the company ends.


     

    - PERSONAL DATA SECURITY BREACHES

    When personal data security breaches occur, such as theft or unauthorized access to personal data, the Spanish Data Protection Agency (AEPD) must be notified within 72 hours of such breaches, including all the information necessary to clarify the facts that led to the unauthorized access to the personal data. Notification must be made electronically through the AEPD's electronic headquarters at https://sedeagpd.gob.es/sede-electronica-web/.


     

    TECHNICAL MEASURES

    IDENTIFICATION

    When the same computer or device is used for processing personal data and for personal use, it is recommended to have several different profiles or users for each purpose. Professional and personal use of the computer should be kept separate.

    It is recommended to have user profiles with administrative rights for system installation and configuration, and users without administrative privileges for accessing personal data. This measure will prevent unauthorized access or modification of the operating system in the event of a cybersecurity attack.

    Access to personal data stored in electronic systems will be protected by passwords. Passwords will have at least 8 characters and combine numbers and letters.

    When personal data is accessed by different people, each person with access to the personal data will have a specific username and password (unambiguous identification).

    The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties. For password management, you can consult the privacy and security guide on the internet from the Spanish Data Protection Agency and the National Cybersecurity Institute. Under no circumstances should passwords be shared, written down in a common place, or made accessible to anyone other than the user.


    DUTY TO SAFEGUARD

    The following are the minimum technical measures to guarantee the safeguarding of personal data:

    UPDATING COMPUTERS AND DEVICES: The devices and computers used for the storage and processing of personal data must be kept up-to-date as much as possible.

    MALWARE: Computers and devices where automated processing of personal data takes place must have an antivirus system in place to prevent, as far as possible, the destruction of personal information and data. The antivirus system must be updated periodically.

    FIREWALL: To prevent unauthorized remote access to personal data, a firewall must be activated and correctly configured on the computers and devices where personal data is stored and/or processed.

    DATA ENCRYPTION: When it is necessary to extract personal data from the premises where it is processed, whether by physical or electronic means, the possibility of using an encryption method should be considered to guarantee the confidentiality of personal data in case of unauthorized access to the information.

    BACKUP COPY: A backup copy will be periodically made on a separate storage medium from the one used for daily work. The copy will be stored in a secure location, separate from the computer containing the original files, to allow for the recovery of personal data in case of data loss.


     

    Security measures will be reviewed periodically, either automatically (using software or computer programs) or manually. Keep in mind that any cybersecurity incident that has happened to someone you know could happen to you, so take precautions.

    If you would like more information or technical guidance to ensure the security of personal data and information processed by your company, the National Cybersecurity Institute (INCIBE) offers business-focused tools on its website www.incibe.es in the "Protect your company" section, which includes, among other services:

    - a training section with a video game, incident response challenges and interactive industry training videos,

    - an employee awareness kit,

    - various tools to help the company improve its cybersecurity, including policies for the business owner, technical staff and employees, a catalog of security companies and solutions and a risk analysis tool,

    - thematic dossiers supplemented with videos, infographics and other resources,

    - guides for entrepreneurs.

     

    In addition, INCIBE, through the Internet User Security Office, also provides free computer tools and additional information that may be useful for your company or professional activity.