This document and its annexes have been drafted in compliance with the provisions of Regulation (EU) 2016/679 on the protection of personal data and includes the policy of protection of company data as well as the technical and organizational measures necessary to guarantee the protection of individuals with regard to the processing of data of a personal nature.
This data protection document responds to the need of the company as responsible for the treatment of complying with the obligations derived from Regulation (EU) 2016/679 on the protection of personal data, taking into account the infrastructure and particular circumstances of the organization.
The Person in charge of the Treatment, according to the Regulation (EU) 2016/679 of data protection, is the physical and / or legal person, private or public, that decides on the treatment of the data. This responsibility must be developed throughout the “life” of the data, that is, since it becomes part of the information system until it is eliminated.
Its status as Responsible makes that it is subject to the requirements established in the regulations and that, consequently, it must observe as many obligations as the Regulation may provide.
DATA PROTECTION POLICY
SARA LOPEZ BLANCO with ID number 08037922C registered address at CMO. CASERIO 5, 1º To location TORRECABALLEROS CP 40160, Segovia, Spain, is responsible for the processing of personal data that carries out.
SARA LOPEZ BLANCO applies the principle of active responsibility in the processing of your personal data, keeping a constant update and a promotion of the continuous improvement of the data protection system. Maintains all documentation and records available to the control authority and those in charge of the treatment, providing the evidences that demonstrate its firm commitment to the protection of personal data.
SARA LOPEZ BLANCO guarantees:
– Respect for the freedoms and fundamental rights of natural persons
– Data is treated in a lawful, fair and transparent way
– The data processed is accurate, adequate, relevant and limited in relation to the purposes for which they are collected
– The purposes for which they are collected are explicit and legitimate and that they are not treated in a manner incompatible with said purposes
– Data will not be kept beyond the time necessary for the purposes for which they have been collected
– The appropriate technical and organizational measures to guarantee a level of security appropriate to the risk.
In those data treatments that entail a high risk for the rights and freedoms of people, SARA LOPEZ BLANCO will carry out an impact evaluation managed internally inside the company.
Also, if you have to designate a data protection representative for advice, supervision and cooperation between the company and the control authority, it will be determined in accordance with art. 37 of Regulation (EU) 2016/679 and as established in this document.
APPLICATION AND SCOPE
SARA LOPEZ BLANCO is established in Spain and performs, for the exercise of its activities, the processing of personal data of citizens residing in the European Union. It is responsible for the processing of personal data. In legal representation SARA LOPEZ BLANCO acts.
The activities developed can be summarized in the following:
For the development of its activities, the company has the following work centers:
The co-responsible for the treatment, when they exist, determine in a transparent and mutually agreed manner the respective responsibilities in fulfilling the obligations imposed by the Regulation (EU) 2016/679. The content of the agreement can be found in the Annex “CORRESPONSIBILITY” AGREEMENT OF DATA PROCESSING managed internally inside the company.
The treatment activities carried out by the company are included in the Register of Treatment Activities of this document. In the aforementioned record, the territorial scope of each of the activities is collected.
For the fulfillment of the obligations as in charge of the treatment, when data are processed for the account of third parties and pursuant to art. 28 of Regulation (EU) 2016/679 will be subject to the provisions of the contractual clauses that are added to the contract for the provision of services and that are included in the Annex CONTRACTUAL CLAUSES FOR THE PROVISION OF SERVICES AS MANAGER OF THE TREATMENT managed internally inside the company.
Regarding the data processing and / or storage system, the company performs:
– Automated processing of personal data (Digital / Computing). Data that is treated in an automated or mechanized way, that is, in electronic or digital format using computer systems
– Non-automated processing of personal data (Manual / Paper). Data that are treated manually, without any automated system, that is, the data that are treated exclusively in paper format.
BASIS OF LEGITIMATION FOR THE PROCESSING OF DATA
Identification of the legal basis on which the treatment is developed
Regulation (EU) 2016/679 preserves the principle established in Directive 95/46 by virtue of which all processing of personal data must be supported by a legal basis that legitimizes it.
It establishes, as a general rule, that personal data must be treated with the consent of the interested party, but admits any other legitimate basis according to Law: contractual relationship, vital interests of the interested party or third parties, legal obligation for the responsible party, public interest, etc.
Taking into account the general principle of “proactive responsibility”, it is a requirement to support the processing of data on a basis that legitimizes it. The legitimate interest on which each treatment activity is based is documented, as well as the Registry of Treatment Activities.
Also taking into account the principle of transparency and information, the company provides the legal basis of treatment to all interested parties as indicated in the corresponding section of this document.
Lawfulness based on the contract for the provision of services
The treatment of the personal data necessary for the correct provision of the contractually agreed services establishes the legal basis necessary to carry out such treatment.
Only the consent of the interested parties is collected if the purposes are different from those agreed contractually.
Lawfulness based on consent
The consent is regulated in art. 6 of the Regulation (EU) 2016/679 as one of the assumptions that legitimize the treatment of data, additionally in art. 7 identify the conditions under which consent must be given and, finally, in art. 9 consent is regulated with sensitive data. It is also regulated in recitals 32, 40, 42, 43 and 171.
The consent must consist of an affirmative declaration or a clear affirmative action for the provision of the same, not admitting therefore the tacit consent.
For those interested whose data are treated for purposes other than those referred to in the contract for the provision of services, a voluntary, clear, specific, informed and unequivocal acceptance by the interested party is required.
The consent of the interested party may be written, by electronic means or by voice, keeping the records at the disposal of the control authority. Kept in Annex EXPRESS CONSENT FOR THE PROCESSING OF PERSONAL DATA OBTAINED DIRECTLY FROM THE INTERESTED PARTIES managed internally inside the company.
In case of dealing with special categories of data, the consent will always be in writing, keeping the evidence that shows that it has been provided.
Consent in the case of children under 13 years of age
Article 8 of Regulation (EU) 2016/679 establishes new guidelines on the consent of minors in the processing of their personal data in order to increase the privacy of information.
The use of personal data in the field of information society services in minors -such as, for example, social networks- will be legal as long as they are more than 13 years old.
Under the age of 13, the consent of the “holder of parental authority” will be needed (if both legal guardians are consenting, both must sign).
Lawfulness based on a legal obligation
The treatment of the personal data necessary for compliance with legal obligations establishes its legal basis in the established norms.
The company treats the personal data of its employees as an inevitable and necessary consequence of the employment relationship, and would act in a deceptive manner if it tried to legitimize this treatment through consent. Therefore the company does not base the processing of the personal data of its employees on the consent, but uses the employment contract as a legal basis.
For the processing of data with a purpose other than compliance with a legal obligation (such as the employment contract or communication with the tax administration or with security social) will be subject to the provisions of the previous section (consent).
Lawfulness for the treatment of data that has not been collected directly from the interested parties
In the case that personal data are processed that have not been collected directly from the interested parties, it is guaranteed that the rights and freedoms of the interested parties prevail over the legitimate interests pursued by the company, for example for sending advertising.
It is also guaranteed that the source of the data is a source of public access and that the interested parties are not enrolled in the Robinson List.
TREATMENT OF SPECIAL CATEGORIES OF DATA
Regulation (EU) 2016/679 establishes in art. 9 special data categories referring to sensitive data that require special protection, either because of their nature or because of the relationship they may have with the rights and fundamental freedoms of individuals and applies specific provisions when their treatment may entail high levels of risks in data protection.
Regulation (EU) 2016/679 establishes by default the prohibition of the treatment of these categories of data with specific exceptions for when the interested party has given his explicit consent or in the framework of legitimate activities by certain associations or foundations whose objective is to allow the exercise of fundamental freedoms.
It also determines that sensitive data may be processed when there is a public interest based on the current legislation of each EU country, for example in the workplace, social protection, pensions, health or other serious threats to health.
As an exception to the default prohibition set out in the previous section, the company only deals with special categories of data when:
– The interested party has given his explicit consent for specific purposes (except if prohibited by current legislation).
– It is necessary to protect the vital interests of the interested party, when he is unable to give his consent.
– The treatment is carried out legitimately by a non-profit organization with a political, philosophical, religious or union purpose in relation to its aims.
– The interested party has clearly made his data public.
Or when the treatment is based on current legislation:
– Under the responsibility of persons subject to the obligation of professional secrecy.
– For purposes of health or social care, preventive or occupational medicine or medical diagnosis including the assessment of the worker’s work capacity.
– For legal proceedings.
– It is necessary to comply with labor legislation, or security or social protection or collective agreements.
– It is necessary for reasons of public interest in the field of public health or healthcare.
– It is necessary for archival purposes in public interest in scientific, historical or statistical investigations.
The company will perform data processing based on a profile elaboration that contemplates the making of individual decisions based on an automated treatment aimed at evaluating personal aspects or analyze or predict health data, when the interested party has given his or her consent for specific purposes permitted by current legislation or the treatment is carried out for public interest purposes or under the supervision of public authorities, based on current legislation.
When the company performs special data category treatments, it keeps a record of these activities, as described in the TREATMENT ACTIVITIES REGISTRATION section.
When the company carries out large-scale treatments of special categories of data, it carries out an impact assessment related to data protection, as described in the IMPACT EVALUATION section.
When the company performs large-scale treatments of special data categories, it designates a Data Protection Delegate, as described in the DELEGATE DATA PROTECTION section.
TRANSPARENCY AND INFORMATION TO INTERESTED PARTIES
Regulation (EU) 2016/679 states that the information to the interested parties, both regarding the conditions of the treatments that affect them, and in the answers to the exercises of the rights, must be provided in a concise, transparent, intelligible and easy access, with a clear and simple language.
As established in art. 13 Regulation (EU) 2016/679, when the data is obtained directly from the interested parties, the company provides the following information:
– The identity and contact details of the person responsible.
– Data of the data protection delegate, if applicable.
– The purposes of the treatment to which the personal data, the legal basis and the legitimate interest are intended.
– Recipients or categories of recipients.
– The term of conservation of personal data or the criteria used to determine it.
– The existence of the right to request access, rectification or deletion, the limitation of treatment, to oppose and the right to portability.
– The right to file a claim with the supervisory authority.
The personal data may be transferred, prior authorization of the interested party after analysis of the assignment (the assignments may be based on legal or contractual requirements or a requirement necessary to subscribe a contract)
The existence of automated decisions and profiling will be subject to the impact evaluation, duly informing the interested parties in this regard.
Before processing personal data for a purpose other than that which was collected, the interested party is informed and the information covers that other purpose and any other pertinent information.
The information provided to the interested parties is included in the PERSECTIVE DATA PROTECTION INFORMATION ANNEX WHEN THE PERSONAL DATA IS OBTAINED DIRECTLY FROM THE INTERESTED PARTY managed internally inside the company.
As established in art. 14 Regulation (EU) 2016/679, when the data is not obtained directly from the interested parties, the company provides the information mentioned in the previous paragraph, plus information about the source from which the personal data come from.
If the personal data is used to establish communication with the interested party, he is informed of the information to which he is entitled at the time of the first communication and if it is foreseen to communicate the data to another addressee, the information is communicated to him at the latest in the moment in which personal data are communicated for the first time.
The information provided to those interested in this case is included in the PERSECTIVE DATA PROTECTION INFORMATION ANNEX WHEN THE PERSONAL DATA IS NOT OBTAINED FROM THE INTERESTED PARTY managed internally inside the company.
It is not necessary to inform the interested parties when they already have the information, when the communication of such information is impossible or involves a disproportionate effort, when the information makes it impossible or hinders the achievement of the objectives of the treatment, when the obtaining or communication is expressly established by applicable rules of law, or when personal data have a confidential nature based on an obligation of professional secrecy.
Especially cumbersome formulas have been avoided and a vocabulary is used that facilitates understanding by any interested party.
The informative clauses explain the content to which they immediately refer in a clear and accessible way for the interested parties, regardless of their knowledge in the subject.
The information to the interested parties is provided in writing, including electronic means, even if it is provided verbally, after proof of the identity of the interested party.
RIGHTS OF INTERESTED PARTIES
Procedure for the exercise and obligations for the person in charge.
In general, Regulation (EU) 2016/679 requires those responsible to facilitate the exercise of their rights by those concerned. This mandate assumes that the procedures and forms for this must be visible, accessible and simple. Regulation (EU) 2016/679 does not establish a specific way for the exercise of rights, but it does require those responsible to enable the submission of applications by electronic means, especially when the treatment is carried out by these means.
SARA LOPEZ BLANCO guarantees that the exercise of these rights is free for the interested party, provided that the requests are not manifestly unfounded or excessive, especially for repetitive ones, corresponding to the person in charge of the company demonstrating the character
unfounded or excessive requests, in these cases may be responsible charge a fee to offset the administrative costs of meeting the request or refuse to act.
The interested party will be informed about the actions derived from his request within the period of one month, which may be extended two more months in the case of particularly complex requests.
That extension of the term is notified within the first month. If the person in charge decides not to comply with the request, he must inform of this, motivating his refusal, within a period of one month from its presentation.
All reasonable measures are taken to verify the identity of those exercising the rights recognized in Regulation (EU) 2016/679, through the requirement of a national identity document or equivalent document proving the identity of the interested party. Likewise, it maintains a REGISTRY OF EXERCISES OF RIGHTS (also managed internally inside the company) where all the exercises of the rights requested by the interested parties are collected and maintained.
For the exercise of rights through applications, the company provides the interested parties wishing to exercise their rights the corresponding models included in the annexes and specified in the following points:
Right of ACCESS
The right of access is regulated in art. 15 of Regulation (EU) 2016/679. In recitals 63 and 64, it is included as a right of the interested party to obtain, from the data controller, confirmation of whether or not personal data concerning him are being processed.
To meet the access rights of any interested party, SARA LOPEZ BLANCO provides you with an appropriate application form, a model included in the Appendix DATA ACCESS REQUEST accessible under mail request.
The interested party that requests this right and that is properly identified will obtain from the company the due response through an informative document (Annex RESPONSE TO THE EXERCISE OF THE RIGHT OF ACCESS).
If the answer to the right of access is sent by mail, the requestor of the right will be sent the reply document by letter with acknowledgment of receipt, bureaufax or any other means that proves the sending and receiving.
If the answer is an estimate, the information will include the personal data of the interested party that is being treated, the purposes of the treatment, the categories of personal data treated as well as the recipients or categories of recipients to whom the data are communicated or communicated, in addition to any available information on the origin of the data, the deadline planned to conserve them or, if this is not possible, the criteria used to determine this term, as well as the right to submit a claim to a supervisory authority. Likewise, the interested party shall be informed of the existence of the right to request from the person responsible the rectification or deletion of personal data or the limitation of the processing of personal data relating to the interested party, or to oppose such treatment.
Right of RECTIFICATION
The right of rectification is set out in Article 16 of Regulation (EU) 2016/679, by which the interested party will have the right to obtain, without undue delay, the rectifier of the inaccurate personal data concerning him.
Taking into account the purposes of the treatment, the interested party shall have the right to complete incomplete personal data, including by means of an additional declaration.
In the event that the data of the interested party are incomplete or inaccurate, the company guarantees the update thereof without undue delay.
The interested party can request the right to rectify their data by means of the application form that is included in the Annex DATA RECTIFICATION APPLICATION accessible under mail request.
Once the data has been rectified, the company will inform the interested party about the rectification carried out (Annex RESPONSE TO THE EXERCISE OF RIGHTS).
Right to LIMITATION of treatment
The right to limitation of treatment is regulated in art. 18 of Regulation (EU) 2016/679 and establishes the right to limited data at the request of the interested party.
The interested party can request the right to limit their data by means of the application form that is included in the Annex REQUEST FOR LIMITATION OF DATA PROCESSING accessible under mail request.
The company in response may proceed to limit the processing of data of the interested party if any of the following circumstances:
– When the interested party challenges its accuracy, the treatment is limited for the necessary period to verify the accuracy of the data.
– When the processing of the data is illegal but the interested party is opposed to the deletion of their data
– When the data is no longer necessary for the purposes of the company but is necessary for the interested party (claims, etc …)
– When the interested party opposes the treatment while verifying if the legitimate interests of the company prevail over those of the interested party.
For the limitation of the data, the company will follow any of the following methods:
– Temporarily move the selected data to another treatment system.
– It will prevent user access to the selected personal data.
– Temporarily remove the published data from an internet site.
– It will clearly indicate in the system (automated file) that the data that is intended to be treated is limited in its treatment.
In the cases in which the company proceeds to the limitation of the treatment, the data of the affected one can only be object of treatment:
– For its conservation.
– With the consent of the interested party.
– For the formulation, exercise or defense of claims.
– For the protection of the rights of the natural or legal person
– For reasons of public interest of the EU or Member States.
Once the data is limited, the interested party will be informed justifying his decision (Annex RESPONSE TO THE EXERCISE OF RIGHTS) as well as the limitation carried out. It will also be reported when the limitation to treatment is lifted.
Right to SUPPRESSION / right to be forgotten
The art. 17 of Regulation (EU) 2016/679 indicates that the interested party will have the right to obtain without undue delay from the data controller the deletion of personal data concerning him.
The interested party can request the right to rectify their data by means of the application form that is included in the APPLICATION FOR SUPPRESSION / RIGHT TO BE FORGOTTEN accessible under mail request.
The company proceeds to suppress the processing of data of the interested party when any of the following circumstances occur:
– Personal data are no longer necessary in relation to the purposes for which they were collected.
– The interested party withdraws the consent on which the treatment is based and is not based on another legal basis.
– The interested party opposes the treatment (right of opposition).
– Personal data have been treated illicitly.
– Personal data are deleted for compliance with a legal obligation that applies to the controller.
– Personal data have been obtained in relation to the direct offer to children of information society services.
The company does not proceed to accept the requests of suppression of the interested party when the treatment is necessary in the following cases:
– To exercise the right to freedom of expression and information.
– For the fulfillment of a legal obligation that requires the treatment of data imposed by EU law or the Member States that applies to the controller or for the fulfillment of a mission carried out in the public interest or in the exercise of powers public conferred to the person in charge.
– For reasons of public interest in the field of public health.
– For purposes of archiving in the public interest, scientific or historical research or statistical purposes.
– For the formulation, exercise or defense of claims.
The company informs without delay of the character of the request or rejection of the right requested by the interested party, as well as the suppression carried out. Annex RESPONSE TO THE EXERCISE OF RIGHTS.
Right of OPPOSITION
The right of opposition is regulated in art. 21 of Regulation (EU) 2016/679. We can say that it is the right of the interested party to oppose, at any time, for legitimate and well-founded reasons related to his / her particular situation, to the fact that the personal data that concerns him / her is the object of a treatment.
To meet the right of opposition of any interested SARA LOPEZ BLANCO provides an appropriate application model, model included in the OPPOSITION APPLICATION APPLICATION accesible under mail request.
When the interested party exercises the right of opposition, SARA LOPEZ BLANCO will stop treating said personal data, performing an analysis in order to consider whether or not the right of the interested party prevails over the legitimate interests of the company. For this purpose, the situation, the reasons and the documentation provided by the interested party will be analyzed in detail.
If there are legitimate reasons to justify the treatment (for example for the formulation, the exercise or the defense of claims) the data will still be treated, even if the request of the interested party, being able to be rejected.
The art. 20 of Regulation (EU) 2016/679, reflects that users have a new right, the right to portability. This right complements the right of access, since it allows interested parties to obtain the data that has been provided in a structured, commonly used and machine-readable format.
The right to portability also implies that the personal data of the interested party may be transmitted directly from one entity or company to another, without the need to be delivered to the interested party, provided that this is technically possible.
The Regulation thus opens the possibility not only of obtaining the data and reusing them, but also of transmitting them to another service provider. Therefore, the interested party will have the option to request their data or the transmission thereof directly from one entity to another.
The company guarantees the exercise of the right to portability of the interested party through an appropriate application model, APPLICATION OF PORTABILITY accessible under mail request.
Once the right has been requested, the interested party is informed of all the personal data that are incumbent on him and that he has provided, provided that the treatment is based on the consent or is necessary for the execution of a contract and it is carried out by automated means.
It also facilitates that the interested parties receive the data in a structured format of common use and of mechanical and interoperable reading, whenever the technology allows it.
The company does not apply the right to portability to the data that the interested party has provided on third parties or on the data that has been provided through third parties.
RELATIONS BETWEEN DATA RESPONSIBLE AND DATA PROTECTION OFFICER
Choice of the treatment manager
The art. 28 of Regulation (EU) 2016/679 states that “the controller will choose only one manager who offers sufficient guarantees to apply appropriate technical and organizational measures, so that the treatment complies with the requirements of this Regulation and guarantees the protection of the rights of the interested party “.
In turn, in recital 81 it is added that, in particular, the person in charge will attend to the specialized knowledge, reliability and resources of the person in charge of processing, in view of the application of the technical and organizational measures that comply with the requirements of the Regulation.
SARA LOPEZ BLANCO guarantees a due diligence in the choice of the person in charge of the treatment that offers sufficient guarantees so that the treatment of the data is carried out in accordance with Regulation (EU) 2016/679, and protects the rights of the people affected.
SARA LOPEZ BLANCO is responsible for the data processing performed by the person in charge and does not lose this consideration in any case.
With each and every one of the chosen treatment managers SARA LOPEZ BLANCO signs a binding confidentiality contract (CONFIDENTIALITY CONTRACTS OF TREATMENT MANAGERS, managed internally inside the company) regulating the relationship between both.
It is possible that the confidentiality agreement between the person in charge and the person in charge is part of the contract for the rendering of services. In this case, a specific data protection clause will be added to the contract that includes the contents of the annex mentioned in the previous paragraph.
The contract guarantees, among other aspects:
– That the person in charge of the treatment does not resort to another person in charge of the treatment without the prior written authorization of the company responsible for the data processing.
– That the persons authorized to process the data have committed themselves to respect the confidentiality of the data and that they have the necessary training in the matter
– That the person in charge of the treatment will make available to the person in charge all the necessary documentation to demonstrate the fulfillment of the obligations and that will contribute to the realization of audits by the person in charge.
In the REGISTER OF TREATMENT MANAGERS (internal document) all the treatment managers hired by the company are collected.
Verification of compliance with obligations
According to art. 28 apdo 3.h) of Regulation (EU) 2016/679, SARA LOPEZ BLANCO requires each person in charge of the treatment so that at least with an annual periodicity it demonstrates that it maintains the fulfillment of the contractual obligations as well as the security measures that guarantee the protection of the data.
For this purpose, audits of revision on the people in charge of the treatment may be carried out or in its place, it may be urged that the person in charge provide the necessary documentary evidence (Annex INFORMATIVE LETTER FOR TREATMENT MANAGERS).
Data processing on request
When a responsible person (a client usually) requests the processing of data by order, SARA LOPEZ BLANCO will act as the person in charge of the treatment, observing all the obligations established by art. 28 of Regulation (EU) 2016/679.
In the internal document CLAUSE OF CONFIDENTIALITY FOR THE PROCESSING OF DATA BY ORDER, the binding contractual content that must be subscribed by both parties is gathered or, failing that, the contractual agreement that the controller establishes.
ACTIVE LIABILITY MEASURES
Risk analysis. Registration of treatment activities.
Regulation (EU) 2016/679 does not offer a repertoire of predefined security measures. What it proposes is that the security measures are established based on the detected risk and that they can be adapted according to the new risks or the changing circumstances of the company.
Basically it is a proactive approach with regard to security that requires not only the existence of these measures on paper but also their effective application.
SARA LOPEZ BLANCO complies with the aforementioned proactive approach in the security of data processing, establishing adequate security guarantees that prevent, fundamentally:
– The unauthorized or illicit treatment of personal data.
– The loss of personal data, destruction or accidental damage.
To determine the technical and organizational measures, the state of the art, the costs of the application, and the nature, scope, context and purposes of the treatment are taken into account, as well as the risks that they can generate about the rights and freedoms of natural persons.
The analysis of the risks is the result of a reflection on the implications that the treatment of personal data have on those interested.
For this purpose, the nature and types of treatment that SARA LOPEZ BLANCO performs, its characteristics, purposes, treatment methods, potential recipients and control of personnel with access to data have been defined.
From this analysis, it is determined if each treatment activity has LITTLE RISK (LOW level according to the LOPD of 1999) or on the contrary it has a HIGH RISK (MEDIUM and HIGH levels according to the LOPD) for the rights and fundamental freedoms of people.
This procedure for analyzing the treatment activities and the risks they entail is repeated and reviewed periodically in order to guarantee the principle of proactive responsibility.
The results of the risk assessment are recorded in the register of treatment activities.
If the result of the evaluation in all the treatment activities determines that the risk is SCARCE (low), it will not be necessary to carry out an impact evaluation.
If the result of the evaluation in any of the treatment activities determines that the risk is HIGH (medium / high), an impact evaluation is carried out, which will be documented as indicated in the corresponding section of this document.
The analysis of the risks will determine the existence of the data protection delegate as defined in the corresponding section of this document.
The technical and organizational measures applied by the company are described in the section corresponding to security measures.
Protection of data from design by default
Under the art. 25 of the Regulation (EU) 2016/679 and taking into account the nature, the scope of application, the context and the purpose of the treatments indicated in the previous section, the company has implemented the security measures, both technical and organizational, that they guarantee that the treatments are carried out safely.
The company also guarantees that the treatment of the data is analyzed before and during the treatment activity, determining the scope of the treatment, the minimum data necessary to meet the intended purpose, the duration of the treatment, the conservation of the data and the control of access to them.
For each treatment activity and prior to it, complying with the protection from the design and by default, the company analyzes all aspects involved in the safety of treatment: the risks to freedoms and the rights of people based on the nature of the data that will be requested, the purpose for which they are requested, the origin, the type of treatment, the recipients, the possibility of making international transfers of data, the possibility of carrying out profile studies and the amount of data that are expected to be treated.
Based on the above, the most appropriate means of treatment are determined, being in any case, technical and organizational means to ensure compliance with Regulation (EU) 2016/679.
During the treatment activities, the company adopts the control, technical and organizational measures, which are described in this document both on the means of treatment and on the people with access to the treated data.
The company guarantees that, by default, the data are not accessible to an undetermined number of natural persons, which are only accessible to authorized persons (both in charge of the treatment and workers of the company), and through means controlled and supervised in a manner periodical.
The following section includes the measures adopted, both of a technical and organizational nature, for the protection of data; supports and storage modes, access control, backup copies, confidentiality commitments, etc.
Technical and organizational security measures
Regulation (EU) 2016/679 indicates that safety measures must be proportional and appropriate to the risk detected in each treatment activity.
To guarantee permanent protection, a process of verification, evaluation and periodic assessment of the effectiveness of technical and organizational measures is carried out to guarantee the safety of the treatment.
For technical measures, the person responsible or, failing that, the designated person has a procedure to control the media containing personal data (SUPPORTS AND SECURITY MEASURES managed internally inside the company). The results of the analyzes are described in the same document as well as the technical safety measures adopted.
The control procedure analyzes all supports, both electronic (computers, smart electronic devices, servers, etc.) and manuals (file cabinets, folders, etc.) and determines the risks according to the treatment activities they contain.
Likewise, measures have been included to ensure the confidentiality, integrity, availability and permanent resilience of each of the supports or treatment systems, as well as measures to ensure the ability to restore availability and access to personal data quickly if necessary. of physical or technical incident.
The commitment to train all workers who have access to and / or treat personal data is met. Adequate and reviewable data protection training (a specific section for the training of each worker is included in the control register).
Special mention to the organizational measures adopted to guarantee that the persons authorized to process personal data follow certain instructions and good practices that they manifest to know, understand and respect (COMMITMENT OF CONFIDENTIALITY, managed internally inside the company)
Violations of security of personal data. Security breaches
SARA LOPEZ BLANCO has taken into account the risks that the treatment presents as a result of its destruction, loss or accidental or illicit alteration that are transmitted, conserved or treated, or the unauthorized communication or access to said data to evaluate the
level of security applied.
When security breaches occur, such as the theft or improper access to personal data and in compliance with articles 33 and 34 of Regulation (EU) 2016/679 of personal data, the registration procedure of the security violation detected.
To manage the breach or breach of data security, the security officer (or the data protection delegate where appropriate) will act by carrying out a procedure to analyze and record the situation.
For the analysis will be taken into account if the violation of the affected data poses a risk to the rights and freedoms of people that could cause physical, material or immaterial or that may suppose:
– Discrimination problems
– Identity theft or fraud
– Financial losses
– Damage to reputation
– Loss of confidentiality of data subject to professional secrecy
– Unauthorized reversion of pseudonymisation or any other significant economic or social damage
It also analyzes whether the violation of the data may deprive the interested parties of their rights and freedoms or prevent them from exercising control over personal data that reveals:
– Ethnic or racial origin
– Political opinions
– The religion or philosophical beliefs
– The militancy in unions
– The treatment of genetic data
– Data related to health or data on sexual life
– Concerning sentences and criminal offenses or related security measures
The cases in which personal aspects are evaluated are analyzed:
– In particular the analysis or prediction of aspects related to job performance
– Economic situation
– Health data
– Preferences or personal interests
– Reliability or behavior, situation or movements, in order to create or use personal profiles
Likewise, the cases in which personal data of vulnerable persons are treated, in particular children, are analyzed.
If in the previous analysis it is concluded that the breach affects or may pose a risk to natural persons, the violation will be notified in the Spanish Agency for Data Protection Registry and the affected party will be notified.
Notification of data security breaches
In case it is necessary to notify the security breach, the notification will be made before the 72 hours after the person in charge has proof of it.
It will be done by electronic means through the electronic headquarters of the Spanish Agency for Data Protection at the address: https://sedeagpd.gob.es providing all the necessary information to clarify the facts that would have led to the incident . The notification includes:
– The nature of the violation, data categories and affected stakeholders. https://sedeagpd.gob.es providing all the necessary information to clarify the facts that would have led to the incident.
The notification includes:
– The nature of the violation, data categories and affected stakeholders.
– The measures imposed by the person responsible to resolve this bankruptcy.
– If applicable, the measures adopted to reduce possible negative effects on the interested parties.
Notification to those affected will be made in the same period and form as described.
Impact evaluation on data protection
The impact evaluation is, mainly, an exercise in the analysis of the risks that a certain information, product or service system can suppose for the data protection right of those affected whose data are treated and, as a result of that analysis, the management of said risks through the adoption of the necessary measures to eliminate or mitigate as much as possible those that have been identified.
The company collects the advice of the data protection delegate, where appropriate, when carrying out the impact evaluation.
The company carries out an impact evaluation in large-scale treatments of special categories of data or relating to convictions and criminal offenses; in treatments that involve a large-scale systematic observation of a public access area; as well as in treatment operations included in a list published by the authority.
The impact evaluation carried out by the company includes a systematic description of the planned treatment operations and the purposes of the treatment, and when the legitimate interest comes pursued; it also includes an assessment of the necessity and proportionality of the treatment operations with respect to their purpose and an assessment of the risks to rights and freedoms; as well as the measures envisaged to demonstrate compliance with Regulation (EU) 2016/679, taking into account the legitimate rights and interests of the interested parties and other affected persons, and finally includes the measures envisaged to address the risks, guarantees and mechanisms to guarantee data protection.
The company reexamines the EIPD (impact evaluation on data protection) whenever it is necessary and when there is a change in the risks that represent the treatment activities, and also consults with the control authority before proceeding to the treatment when a EIPD shows that it will entail a high risk if they do not take measures to mitigate it. When the company consults the supervisory authority, it complies with the obligation to inform of the respective responsibilities of those involved in the treatment in the consultation with the supervisory authority, as well as the purposes and means of the treatment envisaged in the consultation, and of the measures and guarantees established to protect rights and freedoms; where appropriate, the contact details of the data protection delegate are provided, as well as the impact evaluation and provide any other information requested by the supervisory authority.
All the impact evaluations that the company must carry out will be duly documented.
Delegate of data protection
According to article 37.1 of the GDPR there are 3 specific cases in which the person in charge or the person in charge of the treatment will designate a delegate of data protection:
– When the treatment is carried out by an authority or public body, except the Courts that act in the exercise of their judicial function.
– When the principal activities of the person in charge or the manager consist of treatment operations that, due to their nature, scope or purposes, require a regular and systematic observation of large-scale stakeholders; or
– When the main activities of the person in charge or the person in charge consist in the large-scale treatment of special categories of personal data and data related to convictions and criminal offenses.
If after the analysis of the treatment activities it is determined that the company requires the appointment of a Data Protection Delegate, it will do so by legal requirement according to their professional qualities, knowledge and competences in the matter.
The appointment model of the Delegate for Data Protection is included in the DELEGATE DATA PROTECTION Annex (DPD) and once their data have been named they must be made public.
The company guarantees that the DPD participates adequately and in a timely manner in all matters relating to the protection of personal data and supports it in the performance of its duties.
It also provides the necessary resources for the performance of their duties and for the maintenance of their knowledge, access to personal data and treatment operations.
The company guarantees that the data protection officer does not receive any instructions regarding the performance of their duties, and also guarantees that he does not dismiss or sanction the data protection officer for performing his duties.
The data protection delegate reports to the company at the highest hierarchical level, attends to the interested parties and is obliged to maintain confidentiality in the performance of their duties.
If the data protection delegate performs other functions, the company guarantees that it does not give rise to a conflict of interests.
Likewise, the functions of the DPD are to inform, advise and train personnel of their obligations, and acts and cooperates as a point of contact with the supervisory authority.
In order to make international transfers of personal data, art. 44 Regulation (EU) 2016/679 imposes on the controller and processor the obligation to comply with the conditions of chapter V. The transfer can be made when:
1. there are guarantees for the protection of the data of natural persons in the third country that is the recipient of the data;
2. binding corporate rules (NCV) or;
3. in the absence of the foregoing, when it may benefit from one of the exceptions provided for.
When the company makes international transfers of data or uses internet servers for the storage of personal data, it will conduct a study of the situation of said servers, as well as of their suppliers, analyzing whether there are guarantees for the persons whose data are in said situation, specifically if:
– there is a legally binding and enforceable legal instrument between the authorities or public bodies of the different countries.
– there are binding corporate rules (approved by the control / commission authority) between the company and the companies that receive the data.
– there are standard clauses (approved by the control / commission authority) annexed to the services contract.
– there is a code of conduct (approved by the control / commission authority) together with binding commitments required by the third country.
– there is a certification mechanism.
– the explicit consent of the interested party is available and he has been informed of the possible risks.
The results will be duly documented in the register of treatment activities
PERIODIC VERIFICATION OF THE DATA PROTECTION SYSTEM
In order to maintain a constant control of the data protection systems adopted by the company, on a regular basis and every time changes are made in the treatment activities … the company … undertakes to perform periodic internal verification audits , where all the control points related to the treatment activities carried out are analyzed. The results will be documented and made available to the control authority and interested parties who so request as proof of compliance.
Updated document dated: 4th June 2018
RECORD OF ACTIVITIES OF TREATMENT OF SARA LOPEZ BLANCO
Responsible for the treatment
Company name: SARA LOPEZ BLANCO
Address: CMO CASERIO 5, 1º A
Postal Code: 40160
Stewards of the treatment
Personal data processing activities
– Diary – Email
– Web Users
Treatment activity: EMPLOYEES
Purpose of treatment: This file contains data related to the control, evolution and administration of our employees when appropriate.
Result of risk analysis: Basic
Treatment activity: CLIENTS
Purpose of treatment: This file contains data related to the control, evolution and administration of our CLIENTS.
Result of risk analysis: Basic
Treatment activity: SUPPLIERS
Purpose of treatment: This file contains data related to the control, evolution and administration of our SUPPLIERS.
Result of risk analysis: Basic
Treatment activity: DIARY -EMAIL
Purpose of treatment: Internal management of services, loyalty and business improvement.
Result of risk analysis: Basic
Treatment activity: WEB USERS
Purpose of treatment: Users, (natural persons) who use the services offered from the website of the company will be declared when collecting personal data through the Web, forms, records, etc.
Result of risk analysis: Basic