1. Purpose, scope and users
NexTReT, SL, hereinafter the “Company”, strives to comply with the applicable laws and regulations related to the protection of personal data in the countries where it operates.
The purpose of this policy is to establish the information security policy for, based on the requirements set forth in the GDPR (General Data Protection Regulation) and the LOPDGDD (Organic Law on Data Protection and Guarantee of Digital Rights), this policy establishes the basic principles by which the Company processes the personal data of consumers, suppliers, business partners, employees and other people, and indicates the responsibilities of its commercial departments and employees while processing personal data.
This policy applies to the Company and its directly or indirectly controlled subsidiaries that conduct business within the European Economic Area (EEA) or process the personal data of data subjects within the EEA.
Users of this policy are all employees, permanent or temporary, and all contractors working on behalf of the Company.
As a fundamental point of the policy is the implementation, operation and maintenance of its own ISMS (Information Security Management System).
Basic aspects of the Company’s security policy:
- Ensure the confidentiality, integrity and availability of the information.
- Comply with all applicable legal requirements.
- Define the functions of the security manager, in charge of the ISMS information security management system.
- Guarantee an adequate use of the personal information that the company manages.
- Train, raise awareness and inform all employees of their functions and obligations in relation to information security.
- Properly manage all incidents that have occurred.
- Have a continuity plan that allows you to recover from a disaster in the shortest possible time.
- Continuously improve the ISMS and therefore, the security of the organization’s information.
- Law 3/2018, of December 5, on Protection of Personal Data and Guarantee of Digital Rights.
- The GDPR EU 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data and repealing Directive 95/46 / EC)
- ISO 27001
- National Security (ENS)
The following definitions of terms used in this policy come from Article 4 of the General Data Protection Regulation of the European Union:
3.1. Personal Data
All information about an identified or identifiable natural person, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical identity, physiological, genetic, psychic, economic, cultural or social of a natural person. Personal data includes an individual’s email address, telephone number, biometric information (such as fingerprint), location data, IP address, health care information, religious beliefs, social security number, marital status, and so on.
3.2. Sensitive personal data
Personal data that is particularly sensitive in relation to fundamental rights and freedoms, since the disclosure of such data could cause physical damage, financial loss, damage to reputation, identity theft or fraud or discrimination, etc. Sensitive personal data normally includes, but is not limited to, the disclosure of personal data of racial or ethnic origin, political opinions, religious or philosophical convictions, union affiliations, genetic data, biometric data (fingerprint), aimed at identifying in a way unique to a natural person, data related to health or data related to the sexual life or sexual orientation of a natural person.
An operation or set of operations carried out on personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination, limitation, deletion or destruction of data.
3.4. Data controller
The natural or legal person, public authority, service or other organization that, alone or together with others, determines the purposes and means of the treatment.
3.5. Data processor
The natural or legal person, public authority, service or other organization that, alone or together with others, processes the data on behalf of the data controller.
Irreversibly eliminate the identification of personal data so that the direct or indirect link with a natural person of said data is not possible.
3.7. Control authority
The Spanish Data Protection Agency as defined by the GDPR in article 4, paragraph 21, as the independent public authority established by a Member State in accordance with the provisions of article 51.
4. General principles for the processing of personal data
4.1. Legality, impartiality and transparency
Personal data must be treated in a legal, impartial and transparent manner in relation to the interested parties.
4.2. Purpose limitation
The personal data of the interested parties must be collected for specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with said purposes.
4.3. Data minimization
The personal data of the interested parties must be adequate, pertinent and limited to what is necessary in relation to the purposes for which they are processed. The security manager must apply anonymization or pseudonymization to personal data if possible to reduce the risk concerning the interested parties.
The personal data of the interested parties must be exact and, if necessary, updated; All reasonable measures will be taken so that personal data that are inaccurate with respect to the purposes for which they are processed are deleted or rectified without delay.
4.5. Limitation of the conservation period
Personal data should not be kept longer than is necessary for the purposes for which personal data are processed, in accordance with the GDPR and the LOPDGDD.
4.6. Integrity and confidentiality
Taking into account the state of technology and other available security measures, the cost of implementation and the probability and severity of the risks, appropriate technical or organizational measures should be applied to process personal data, including protection against unauthorized processing or illegal and against its loss, destruction or accidental damage.
4.7. Proactive accountability
Those responsible for the treatment will be responsible for compliance with the principles described above and will be able to demonstrate it.
5. Security Policy
The Company’s security policy aims to set the high-level guidelines to follow so that all processing of personal data is carried out safely and only by authorized personnel, as well as to protect the information of the organization, against possible losses of confidentiality, integrity and / or availability.
The scope of this policy is limited to all departments of the Company.
The actions necessary to comply with the declaration of the security Policy go through the implementation, operation and maintenance of the ISMS (Information security management System), which is in every moment aligned with this policy.
In the planning phase, a study of the security of the company is included as a fundamental point through a risk and impact analysis and the establishment of its corresponding risk treatment plan not accepted by the organization.
The implantation of the ISMS is the main responsibility of the responsible of the treatment (or responsible of the ISMS) supported in every moment by technical personnel and with the total support of management.
Based on the results obtained in the planning phase, certain security controls are implanted, in addition to operating the procedures of the ISMS to comply with the RGPD and LOPDGDD.
The information security policy and the ISMS are regularly reviewed at planned intervals or if significant changes occur to ensure its continued suitability, efficiency and effectiveness. In a generic way, they are reviewed annually together with the internal audit processes of the ISMS.
There are monitoring procedures that provide information on the correct performance of the ISMS.
Management also plays an important role in reviewing the system, conducting a thorough analysis of the system and finding possible improvements and deficiencies.
With all these input data, a global review is carried out by the safety committee.
Possible improvements to the information security policy and the ISMS are established either during the review phases or based on contributions that are considered interesting from both Company personnel and external personnel.
Said improvements are evaluated and once their viability has been studied, they are implemented, operated and maintained. The entire ISMS is part of the Demming cycle (PDCA cycle), its implementation and operation, its review and subsequent improvement. All of this applied to information security.
6. Treatment guidelines
Personal data must be treated solely and exclusively, only when explicitly authorized by the Company.
6.1. Notice to interested parties
At the time of collection or before collecting personal data for any type of activities, the interested parties will be informed about:
- Legitimation (what data we collect).
- The purpose (for what purpose).
- Retention (Time the data will be saved).
- User rights (What are the rights and how to exercise them).
- Where the data will be hosted.
- Claims (Where and how to file claims).
When personal data is shared with a third party, you must ensure that the interested parties have been notified of this through a privacy notice and that the third party complies with the provisions of the GDPR and the LOPDGDD.
6.2. Obtaining consent
At the time of collection or before collecting personal data for any type of activities, the explicit consent of the interested party must be requested for each of the purposes of the treatment.
This will be done whenever possible, using a form in which each of the purposes of the treatment will be reflected together with some check boxes, where the interested party must indicate “yes” or “no”, upon request for consent. In the event that the user does not take an affirmative action, clearly indicating the option “yes”, it will be understood that he does not consent to the collection and treatment.
7. Organization and responsibilities
The responsibility of guaranteeing the adequate treatment of personal data rests with all the Company’s employees, as well as third parties who intervene in said treatment.
The security committee and the management of the Company will make decisions and approve the general strategies of the Company in matters of personal data protection and may delegate specific functions to third parties in order to guarantee adequate treatment
8. Cross-border processing of personal data
There is no cross-border processing of personal data.
9. Supplier Management
The department that hires a new supplier will have to take into account the possible security risks derived from the service provided, for which it will be required to comply with the GDPR and the LOPDGDD.
In the event that this provider must perform personal data processing tasks, they must sign a personal data processing contract “CONTRACT FOR THE PROVISION OF SERVICES AND PERSONAL DATA PROCESSING ORDER”.
10. Management of incidents
Any incident in matters of security must be reported, following the established procedure. Said notification will be made immediately to his hierarchical superior or to the person in charge of information security or whoever delegates on his behalf. Once received, it will be in charge of monitoring it, completing the notifications established in the corresponding procedure, and establishing the actions for its correction.
11. Business continuity
Business interruptions will be counteracted and critical business processes will be protected from the effects of major or catastrophic failures of information systems.
The main guarantee of business continuity is based on the backups, the process and the policies of the BACKUP procedure.
All employees will collaborate in the timely resumption of all critical services for the Company in the event of a serious contingency, thus helping to restore most of the services in the shortest possible time.
12. Legal compliance
Any type of breach of the laws or legal, regulatory or contractual obligations and of the security requirements that affect the information systems and personal data of the Company will be avoided.
13. Exercise of Rights
In the event that you would like to make a complaint about how we have processed your personal data, please contact the person responsible for the security of personal data, at firstname.lastname@example.org or write to Rambla Catalunya, 33, 08007-Barcelona. Our personal data security officer will review your complaint and work with you to resolve the issue.
If you still consider that your personal data has not been properly treated in accordance with the law, you can contact the Spanish Agency for Data Protection and file a claim with them www.aepd.es.
This policy is valid as of 09/06/2019