Privacy Policy
1. Purpose, scope and users
NexTReT, SL, henceforth the “Enterprise”, is committed to complying with the laws and regulations on data protection in the jurisdictions where the Enterprise operates.
The objective of data protection is to establish the information security policy based on the requirements of the GDPR (General Data Protection Regulation) and the LOPD (Organic Law on Data Protection). This policy establishes the basic principles by which the Enterprise processes the personal data of customers, suppliers, partners, employees and other people, and sets out the responsibilities of its commercial department and employees when processing personal data.
This policy applies to the Enterprise and to its direct or indirect subsidiaries that operate their business within the European Economic Area (EEA) or process data within the EEA.
Users of this policy are all employees, permanent or temporary, and all contractors who work on behalf of the company.
The policy is based on implementing, operating and maintaining the Enterprise's own ISMS (Information Security Management System).
Basic principles of the Enterprise's security policy:
- Guarantee the confidentiality, integrity and availability of information.
- Comply with all legal requirements.
- Establish the security management functions in charge of the ISMS.
- Guarantee appropriate management of the use of personal information.
- Train, raise awareness among and inform employees of their functions and duties related to information security.
- Manage incidents properly.
- Maintain a continuity plan that allows recovery from a disaster in the least time possible.
- Continuously improve the ISMS and, consequently, the security of the organization's data.
2. References
• The RGPD, Regulation (EU) 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
• ISO 27001
3. Definitions
The following definitions of terms used in this policy are derived from Article 4 of the General Data Protection Regulation of the European Union:
3.1 Personal data
Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
3.2 Sensitive personal Data
Personal data that are particularly sensitive in relation to fundamental rights and freedoms, because their exposure may cause physical harm, loss, reputational damage, identity theft, fraud or discrimination. Sensitive personal data usually include data on ethnic origin, political opinions, religion and trade union membership, as well as genetic and biometric data used to identify a person.
3.3 Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3.4 Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
3.5 Anonymization
Irreversibly removing the identifying elements of personal data so that the data can no longer be linked, directly or indirectly, to a natural person.
3.6 Supervisory authority
Means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.
4. General principles for the processing of personal data
4.1. Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
4.2. Purpose limitation
The personal data of data subjects must be collected for specified, explicit and legitimate purposes, and must not be further processed in a manner incompatible with those purposes.
4.3. Data minimization
The personal data of data subjects must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The security officer must apply anonymization to personal data in order to reduce the risk to data subjects.
4.4. Accuracy
The personal data of data subjects must be accurate and, where necessary, all reasonable measures shall be taken to erase or rectify without delay personal data that are inaccurate with respect to the purposes for which they are processed.
4.5. Storage limitation
Personal data must not be retained for longer than is necessary for the purposes for which they are processed, in accordance with the RGPD.
4.6. Integrity and confidentiality
Taking into account the state of the art and other available security measures, the cost of implementation and the likelihood and severity of the risks, appropriate technical or organisational measures must be applied when processing personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
4.7. Proactive responsibility (accountability)
Those responsible for processing are responsible for compliance with the principles described above and must be able to demonstrate it.
5. Security policy
5.1. Purpose
The company's security policy is intended to set the high-level guidelines so that all personal data processing is performed securely and only by authorized personnel, as well as to protect the Organization's information against possible loss of confidentiality, integrity and/or availability.
5.2. Scope
The scope of this policy covers all departments of the company.
5.3. Organization
The actions necessary to comply with the declaration of the security policy involve the implementation, operation and maintenance of an ISMS (Information Security Management System), which is at all times aligned with this policy.
In the planning phase, a study of the company's security is included as a fundamental point, through a risk and impact analysis and the establishment of the corresponding treatment plan for the risks not accepted by the organization.
The implementation of the ISMS is the main responsibility of the person responsible for processing (or the ISMS manager), supported at all times by technical personnel and with the full support of management.
Based on the results obtained in the planning phase, certain security controls are implemented, in addition to operating the ISMS procedures, in order to comply with the RGPD and the LOPD.
5.4. Review
The information security policy and the ISMS are reviewed regularly at scheduled intervals, or whenever significant changes occur, to ensure their continued suitability, adequacy and effectiveness. In general, they are reviewed annually, together with the internal audit processes of the ISMS.
There are monitoring procedures that provide information on the correct performance of the ISMS.
Management also plays an important role in reviewing the system, conducting a thorough analysis of the system and identifying possible improvements and deficiencies.
With all this input, a global review is performed by the security committee.
5.5. Improvement
Possible improvements to the information security policy and the ISMS are identified during the review phases or on the basis of contributions considered worthwhile, whether from company personnel or from external personnel.
These improvements are assessed and, once they have been studied, they are implemented, operated and maintained. The whole ISMS is framed within the Deming cycle (PDCA cycle): its implementation and operation, its review and its subsequent improvement, all applied to information security.
6. Processing guidelines
Personal data must be processed only and exclusively when this is explicitly authorized by the company.
6.1. Notice to interested parties
At the time of collection, or before collecting personal data for any type of activity, you must inform the data subjects about:
• Legitimation (which data we collect).
• The purpose (for what purpose).
• Retention (time to save data).
• Rights of the user (what are the rights and how to exercise them).
• Where the data will be hosted.
• Claims (where and how to file claims).
When personal data are shared with a third party, you must ensure that the data subjects have been notified of this through a privacy notice and that the third party complies with the provisions of the RGPD.
6.2. Obtaining consent
At the time of collection, or before collecting personal data for any type of activity, you must request the explicit consent of the data subject for each of the purposes of the processing.
This will be done, whenever possible, by means of a form in which each of the purposes of the processing is listed together with check boxes, where the data subject must indicate "yes" or "no" to the consent request. If the user does not take an affirmative action by clearly indicating the option "yes", it is understood that he/she does not consent to the collection and processing.
7. Organization and responsibilities
The responsibility for guaranteeing the proper processing of personal data rests with all employees of the company, as well as with the third parties involved in such processing.
The Security Committee and the management of the company make decisions and approve the company's general strategies on personal data protection, and may delegate specific functions to third parties with the objective of guaranteeing adequate processing.
8. Cross-border processing of personal data
No cross-border processing of personal data is carried out.
9. Supplier management
The department that contracts a new supplier must take into account the possible security risks arising from the service provided; to this end, the supplier will be required to comply with the RGPD.
If this supplier is to perform personal data processing tasks, a personal data processing contract ("service delivery contract and personal data processing order") must be signed.
10. Incident management
Any security incident must be reported following the established procedure. This notification must be made immediately to your hierarchical superior or to the information security officer, or to whoever they delegate. Once the report is received, the recipient is responsible for tracking it, completing the notifications established in the corresponding procedure, and establishing the corrective actions.
11. Business continuity
Disruptions to business activities will be countered and critical business processes protected from the effects of major or catastrophic information system failures.
The main guarantee of business continuity is based on backups; the process and policies are described in the document (PR-INFR-01) BACKUP procedure.
All employees will collaborate in the timely resumption of all critical services of the company in the event of a serious contingency, helping to restore most services in the minimum possible time.
12. Legal compliance
Any breach of laws or of statutory or contractual obligations, and of the security requirements affecting the company's information systems and personal data, shall be avoided.
13. Exercise of rights
If you would like to make a complaint about how we have processed your personal data, please contact the person in charge of personal data security at nextret@nextret.net or write to Rambla Catalunya, 33, 08007 Barcelona. Our Personal Data Security Manager will analyse your claim and work with you to resolve the problem.
If you still consider that your personal data have not been properly processed in accordance with the law, you can contact the Spanish Data Protection Agency and file a complaint with them.
14. Application
This policy applies from 24/05/2018.