b) Purpose of the processing
Management of potential customer relations
c) Categories of data subjects
Potential customers: People with whom it is sought to establish commercial relationships as customers
d) Categories of data
Those necessary for the commercial marketing of the company
Identification: name and surnames, postal address, telephone numbers, e-mail
e) Categories of recipients
Not covered
f) International transfers
No international transfers are planned
g) Term of erasure
A year from first contact
h) Security measures
Those reflected in SECURITY MEASURES ANNEX
ANNEX
GENERAL INTEREST INFORMATION
This document has been designed for the processing of low-risk personal data and it may not be used for the processing of personal data including data relating to ethnic or racial origin, political or religious or philosophical ideology, trade union affiliation, genetic and biometric data, data regarding the health or sexual orientation of persons and any other form of data processing that entails high risk for the rights and freedoms of the persons in question.
Article 5.1 f of the General Data Protection Regulation (hereinafter, GDPR) determines the need to establish adequate security guarantees against unauthorized or illegal processing and against the loss, destruction or accidental damage of personal data. This involves establishing technical and organizational measures geared towards ensuring the integrity and confidentiality of the personal data and the possibility of demonstrating, as established in Article 5.2, that these measures have been implemented (proactive responsibility).
Moreover, it must establish viable, accessible and simple mechanisms for the exercise of rights and define internal procedure to guarantee effective facilitation of the requests received.
FACILITATING THE EXERCISE OF RIGHTS
The controller shall inform all employees regarding the procedure for facilitating the exercise of rights on the part of data subjects, defining clear mechanisms through which the rights can be exercised and taking into account the following:
Subject to presentation of the national identification document or passport, the owners of the personal data (the data subjects) may exercise their rights to access, rectification, erasure, opposition, portability and limitation of processing. The exercise of rights is free.
The controller must respond to data subjects without undue delay and in a concise, transparent and intelligible manner with clear and simple language and retain proof of compliance with the duty to respond to requests for the exercise of fundamental rights.
If the request is presented by electronic means, the information will be facilitated by these means where possible, except where the data subject requests otherwise.
Requests must be responded to within a term of 1 month from receipt and may be extended another two months taking into account the complexity or the number of requests but in this case one must inform the data subject of the extension within a term of one month from receipt of the request, providing reasons for such delay.
RIGHTS TO ACCESS: For the right to access, data subjects will be provided a copy of personal data available together with the purpose for which they have been collected, the identity of the recipients of the data, the terms of retention provided and the criteria used to determine these, the existence of the right to request the rectification or erasure of personal data and the limitation of, or opposition to, processing, the right to lodge a complaint with the Spanish Data Protection Agency and if the data of the data subject have not been obtained, any information available regarding their origin. The right to obtain a copy of the data cannot negatively affect the rights and freedoms of the data subjects.
RIGHT TO RECTIFICATION: In the right to rectification the data of the data subject that were incorrect or incomplete shall be changed in accordance with the purposes of the processing. The data subject may indicate in the request what data are referred to and the correction to be made, providing, where necessary, the supporting documentation of the inaccuracy or incomplete nature of the data processed. If the data have been communicated by the controller to other processors, they must notify them of the rectification unless it is impossible to do so or requires disproportionate effort, providing the data subject with information regarding such recipients upon request.
RIGHT TO ERASURE: In the case of the right to erasure, the data of the data subjects shall be erased where they oppose processing and no legal basis impedes it, where not necessary in relation to the purposes for which they were collected, they withdraw the consent provided and there is no legitimate legal basis for the processing or where it is illegal. If the erasure arises from the exercise of the right to opposition to the processing of their data for marketing purposes on the part of the data subject, the identification data of the data subject may be retained for the purpose of preventing future processing. If the data have been communicated by the controller to other processors, they must notify them of the erasure unless it is impossible to do so or requires disproportionate effort, providing the data subject with information regarding such recipients if they request same.
RIGHT TO OPPOSITION: In the case of the right to opposition, where the data subjects refuse to provide consent for the processing of their personal data before the controller, the controller shall cease processing them provided that no legal obligation prevents them from doing so. Where the processing is based on a mission of public interest or legitimate interest of the controller, before a request to exercise the right to opposition, the controller must cease processing the data except where overriding reasons prevail above the interests, rights and freedoms of the data subject or are necessary for their formulation, exercise or defence of the claims. If the data subject opposes the processing for the purposes of direct marketing, the personal data shall no longer be processed for these purposes.
RIGHT TO PORTABILITY: In the case of right to portability, if the processing is carried out by automated means and is based on consent or is carried out within the framework of a contract, the data subject may request a copy of their personal data in a structured, commonly used and electronically readable format. Thus, they have the right to request that they are transmitted directly to a new controller whose identity must be communicated where technically possible.
RIGHT TO LIMITATION OF PROCESSING: In the case of the right to limitation of processing, the data subjects may request the suspension of processing of their data to impugn the inaccuracy while the controller carries out the necessary verifications or, in the event that the processing is carried out based on the legitimate interest of the controller or in compliance with a mission of public interest, while it is verified if these reasons prevail over the interests, rights and freedoms of the data subject. The data subject may also request the retention of the data if it is considered that the processing is illegal and, rather than suspension, request the limitation of processing or if the controller no longer needs the data for the purposes for which they were collected, the data subject needs them for the formulation, exercise or defence of complaints or claims. In the event that the processing of the data subject’s data is limited this must be clearly stated in the controller's systems. If the data have been communicated by the controller to other processors, they must notify them of the rectification unless it is impossible to do so or requires disproportionate effort, providing the data subject with information regarding such recipients on request.
If the data subject’s request is not granted, the controller shall inform them without delay and no later than one month after receipt of same, of the reasons for not granting the request and the possibility of presenting a claim before the Spanish Data Protection Agency and of taking legal action.
SECURITY MEASURES
Given the type of processing demonstrated when this form was completed, the minimum security measures to be taken are the following:
ORGANIZATIONAL MEASURES
INFORMATION THAT MUST BE KNOWN BY ALL PERSONNEL WITH ACCESS TO PERSONAL DATA
All personnel with access to personal data must have knowledge of the obligations in relation to the processing of personal data and shall be informed in relation to said obligations. The minimum information which personnel must know shall be the following:
DUTY OF CONFIDENTIALITY AND SECRECY
Any access to the personal data by unauthorized persons must be avoided. In order to achieve this, the disclosure of personal data to third parties (unattended screens, paper documents left in public access areas, supports with personal data, etc.) must be avoided. This consideration includes the screens that are used for viewing images of the video surveillance system. When you leave your work station, ensure that you lock your screen or log out.
Paper documents and electronic media must be stored in a secure place (in a press or in restricted access rooms) 24 hours a day.
Documents and electronic media with personal data (CD, USB storage devices, hard drives, etc.) may not be discarded without ensuring their effective destruction.
Personal data or any other information of a personal nature will not be revealed to third parties, taking special care not to disclose protected personal data for the duration of the telephone consultation, email, etc.
The duty of confidentiality and secrecy remains in effect even after the employment relationship between the employee and the company has come to an end.
PERSONAL DATA SECURITY VIOLATIONS
Where a violation of the security of personal data occurs, for example, the theft or unauthorized access to the personal data, the Spanish Data Protection Agency must be notified within 72 hours of said security violations, including all the information necessary for clarifying the facts that have given rise to the unauthorized access to personal data. This notification will be made electronically through the website of the Spanish Data Protection Agency, to the address https://sedeagpd.gob.es/sede-electronica-web/.
TECHNICAL MEASURES
IDENTIFICATION
When the same computer or device is used for processing personal data and for personal use it is advised that different profiles are created for each of these uses. Professional and personal uses of the computer should be kept separate.
The creation of a profile with administration rights is recommended for the installation and configuration of the system and users without administration rights or privileges for accessing personal data. In the event of cyber attack, this prevents attackers from obtaining the rights or privileges to access or modify the operating system.
Passwords will be used for access to personal data stored in electronic files. The password must have 8 characters and a combination of numbers and letters.
When different people access personal data, a specific username and password (unequivocal identification) must be kept.
The confidentiality of passwords must be maintained, avoiding any disclosure to third parties. For managing passwords, you can consult The Guide to Privacy and Security (Spanish) produced by the Spanish Data Protection Agency (AEPD) and the National Cybersecurity Institute (INCIBE). Under no circumstances shall users share passwords or leave notes with them in common areas accessed by persons other than the user.
DUTY TO SAFEGUARD
Below are the minimum technical measures required to guarantee the safeguarding of personal data:
UPDATING COMPUTERS AND DEVICES: The devices and computers used for the storage and processing of the personal data must be maintained up to date insofar as possible.
MALWARE: The computers and devices on which automated data processing is performed must have an antivirus system that will ensure, insofar as possible, the prevention of possible theft and destruction of the information and personal data. The antivirus system must be updated regularly.
FIREWALLS: To prevent unauthorized remote access to personal data, firewalls will be activated and correctly configured on those computers and devices where personal data are stored and/or processed.
ENCRYPTED DATA: Where personal data are required off the premises where they are processed, whether by physical or electronic means, the possibility of using a method of encryption to guarantee confidentiality of the personal data in the event of unauthorized access to the information must be assessed.
BACKUP COPY: Periodically, backup copies will be made on a second device, different from that used for day-to-day work. The copy will be stored in a secure place, different from that where the computer and original files are stored, in order to allow for data recovery in the event of the loss of information.
PRIVACY POLICY
This Privacy Policy has been drafted according to the provisions set forth in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), Organic Act 3/2018 of 6 December on Personal Data Protection and its implementing regulation.
Identification of the website's owner
The owner of this website is:
Who is the data controller of the personal data we collect from this website?
The data controller of this website is:
What data are we going to obtain from you? And what is the purpose of such data processing?
The only personal data that we obtain from you are those necessary to process the payment of our products as well as to send you the order.
We also have a newsletter that you can subscribe to; if you decide to subscribe, we will use your email address to send you our news.
Finally, we have a contact form. If you decide to write to us, we will use your name and email address to answer your questions.
What are the legal grounds of this data processing?
The legal grounds consist of:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes. (Art. 6.1.a GDPR).
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (Art 6.1.b GDPR).
How long will your data be kept?
We will keep your personal data for so long as we maintain a contractual or pre-contractual relationship with you.
You can write to us at any time to seek the erasure of your data. In such case, your personal data will be blocked and will only be made available to Judges and Courts, the State Prosecution Service, the Spanish Data Protection Agency and other competent authorities and public administrations to resolve any issue or liability related to the processing of your data or with the exercising of subsequent legal actions, complaints or queries during the statute of limitations thereof.
The data's recipient or categories of recipients
Your personal data will not be provided or ceded to any entity not connected to this website. If you purchase any product from us and we need to ship it to you by a courier service, your contact and postal data will be provided to the relevant courier company.
What rights is the data subject entitled to?
The GDPR grants you the rights set out below, which you may exercise by sending an e-mail. You will have to send the e-mail from the same e-mail address you initially used to buy from us.
Below we proceed to explain what each of the rights recognized in the GDPR means.
Rights to access: for the right to access, data subjects will be provided a copy of personal data available together with the purpose for which they have been collected, the identity of the recipients of the data, the terms of retention provided and the criteria used to determine these, the existence of the right to request the rectification or erasure of personal data and the limitation of, or opposition to, processing, the right to lodge a complaint with the Spanish Data Protection Agency and if the data of the data subject have not been obtained, any information available regarding their origin. The right to obtain a copy of the data cannot negatively affect the rights and freedoms of the data subjects.
Right to rectification: in the right to rectification the data of the data subject that were incorrect or incomplete shall be changed in accordance with the purposes of the processing. The data subject may indicate in the request what data are referred to and the correction to be made, providing, where necessary, the supporting documentation of the inaccuracy or incomplete nature of the data processed. If the data have been communicated by the controller to other processors, they must notify them of the rectification unless it is impossible to do so or requires disproportionate effort, providing the data subject with information regarding such recipients upon request.
Right to erasure: we are obliged to erase without undue delay personal data where any of the following circumstances come about:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent granted for specific purposes or on which the processing is based for the processing of special data categories, such as those which reveal the data subject's political opinions, while such processing is not based on other legal grounds;
the data subject objects to the processing for reasons related to his/her specific situation and there are no overriding legitimate grounds for the processing;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
The obligation to erase personal data shall not apply to the extent that processing is necessary:
for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject;
for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right of erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;
for the establishment, exercise or defence of legal claims.
Right to opposition: in the case of the right to opposition, where the data subjects refuse to provide consent for the processing of their personal data before the controller, the controller shall cease processing them provided that no legal obligation prevents them from doing so. Where the processing is based on a mission of public interest or legitimate interest of the controller, before a request to exercise the right to opposition, the controller must cease processing the data except where overriding reasons prevail above the interests, rights and freedoms of the data subject or are necessary for their formulation, exercise or defence of the claims. If the data subject opposes the processing for the purposes of direct marketing, the personal data shall no longer be processed for these purposes.
Right to portability: in the case of right to portability, if the processing is carried out by automated means and is based on consent or is carried out within the framework of a contract, the data subject may request a copy of their personal data in a structured, commonly used and electronically readable format. Thus, they have the right to request that they are transmitted directly to a new controller whose identity must be communicated where technically possible.
Right to limitation of processing: in the case of the right to limitation of processing, the data subjects may request the suspension of processing of their data to impugn the inaccuracy while the controller carries out the necessary verifications or, in the event that the processing is carried out based on the legitimate interest of the controller or in compliance with a mission of public interest, while it is verified if these reasons prevail over the interests, rights and freedoms of the data subject. The data subject may also request the retention of the data if it is considered that the processing is illegal and, rather than suspension, request the limitation of processing or if the controller no longer needs the data for the purposes for which they were collected, the data subject needs them for the formulation, exercise or defence of complaints or claims. In the event that the processing of the data subject’s data is limited this must be clearly stated in the controller's systems. If the data have been communicated by the controller to other processors, they must notify them of the rectification unless it is impossible to do so or requires disproportionate effort, providing the data subject with information regarding such recipients on request.
Complaints before data protection authorities
You have the right to file complaints before the Spanish Data Protection Agency if you deem that your personal data are not being processed properly.
Processing of minors' data
Our services should be used by people over 18 years of age. You should therefore refrain from using them if you are younger than said age. We may require you to provide an official document to certify your age.
RECORDS OF PROCESSING ACTIVITIES
Processing: Customers
a) Controller
b) Purpose of the processing
Management of customer relations
c) Categories of data subjects
Customers: Persons with whom a commercial relationship as customers is maintained
d) Categories of data
Categories necessary for maintaining the commercial relationship. Billing, post sales service and customer loyalty
Identification: name and surnames, Tax ID number, postal address, telephones, email
Bank details: for payments by transfer
e) Categories of recipients
State Tax Administration Agency
Banks and financial entities
Law enforcement Authorities
f) International transfers
No international transfers are planned
g) Term of erasure
The terms provided for in tax legislation with respect to the expiry of responsibilities
h) Security measures
Those reflected in SECURITY MEASURES ANNEX
Processing: Potential Customers
a) Controller
Spanify