Data protection notice
ASENTIA PROJECT, S.A.
Madrid, February, 2019
1. Our objective
At ASENTIA PROJECT, S.A. we consider the protection and security of Personal Data to be of the highest importance. We aim not only to offer an excellent service as a real estate company but also to be a model of privacy protection. It is therefore in our nature to fulfil all legal requirements when collecting and processing Personal Data. These requirements include, in particular, the regulations set by the EU GDPR (General Data Protection Regulation), the Spanish Organic Law 3/2018 of December 5 on Data Protection and Guarantee of Digital Rights (LOPDGDD) and all other data protection laws that may apply.
Our data protection notice describes the principles and measures used by ASENTIA PROJECT, S.A. to protect the rights of all persons regarding the processing of their personal data.
2. Our principles for using personal information
When processing Personal Data, we follow these principles:
- Lawfulness: Personal Data processing must always be carried out on a legal basis.
- Transparency: Every data subject has to be able to understand how his/her personal data are used.
- Purpose limitation: All purposes for processing Personal Data must be clearly identified in advance and be well defined when collected.
- Data minimisation: The processing of Personal Data and the options for accessing it will be limited to what is appropriate, factual, relevant and required for impartial processing.
- Exact and updated data: Personal Data must be stored correctly and completely, processed accordingly and updated consistently. Appropriate measures must be used to erase, correct, complement or update data that are imprecise, incomplete or out of date.
- Storage limitation: Personal Data will only be stored for as long as needed for their use or as allowed by legal regulations.
- Integrity and confidentiality: Appropriate technical and organisational measures must be used to correctly protect Personal Data, in particular against illegal or unauthorized use, accidental loss and accidental destruction or damage.
As part of our commitment to responsibility, we supply documentary evidence of the use of Personal Data to prove compliance with the principles mentioned above.
3. Lawfulness of Personal Data use
Any use of Personal Data is illegal if there is no legal basis for it. ASENTIA PROJECT, S.A. processes Personal Data based, in particular, on the following legal grounds:
· Execution of a contract or application of pre-contract measures, for instance, processing of consumers’ data on the basis of a contracted service or use of employees’ data on the basis of a labour contract.
· Compliance with a legal obligation, for example, the storage of data after the end of the relationship in order to comply with fiscal legislation.
· Legitimate interests, for instance, in order to send advertising for our own products similar to those contracted (unless the client has asked to be exempted from advertising).
· Data subject consent, for example, to outline the data subject’s features or to process health data.
Some special categories of Personal Data, for example racial or ethnic origin, religious beliefs or physical or mental health, are considered “sensitive personal data” and can be used exclusively with explicit consent or in the event of one of the cases specified in Article 9 of the GDPR.
4. Your rights
The protection of the rights and freedoms of all people regarding the use of their Personal Data is a key priority for ASENTIA PROJECT, S.A. In order to ensure this protection, the data subject has, among others, the following rights:
· The right to be informed: The data subject will be quickly and transparently informed of the use of his/her data, regardless of whether the data are collected directly from the interested party or come from other organizations (third party collection).
· The right to access: The data subject can at any time submit a request about his/her stored or processed data, and request a copy of his/her stored or processed personal data.
· The right to rectification: The data subject can at any time request the correction of any inaccurate data or ask for incomplete data to be completed; for example, if a name or address is incorrect.
· The right to erasure: The data subject shall have the right to obtain from the controller the erasure of personal data, unless there is a conflict with existing obligations or rights; for example, obligation to store data according to legislation in force.
· The right to limit the use of data: The data subject can request the restriction of use of his/her personal data; for instance, if the data are imprecise.
· The right to object: The data subject can object to the use of his/her personal data for advertising purposes at any time. For other types of processing, the use is right under certain conditions depending on the particular personal circumstances of the data subject.
· Automated individual decision on a case-by-case basis: In the context of efficient commercial transactions, the data subject will be subject to an automated individual decision on a case-by-case basis as long as the decision is legal; for example, in the case of the performance of a contract. The data subject shall be informed about the corresponding automated procedures.
The data subject will receive all the information related to the use of his/her Personal Data in clear and simple language.
In the case of a breach related to Personal Data, the data subject will be informed of the incident insofar as the legal requirements corresponding to the risk for his/her rights are met.
The data subject has the right to lodge a complaint with ASENTIA PROJECT, S.A. or with the data protection supervisory authority, or to exercise his/her rights regarding the use of Personal Data. This policy does not affect the data subject’s legal rights and claims.
5. Use by third parties and transfer of data
If personal data are used by external service suppliers or external collaborators on behalf of ASENTIA PROJECT, S.A., we will take appropriate actions to protect the data (depending on the field of action), for example in the following cases:
· Use by third parties of Personal Data: If a service supplier is asked to process Personal Data, a data processor agreement will be signed with this supplier. Such agreements will only be signed with suppliers who adopt the appropriate technical and organizational measures to protect Personal Data. This also applies to access to data for service and maintenance operations.
· Transfer of duties: If a third party is in charge of other duties in addition to the use of Personal Data, for which the third party needs its own discretion regarding the use of personal information, a data processor agreement will be signed to protect the Personal Data (similar to those signed in the case of use of personal data by third parties). It will establish the appropriate technical and organizational measures, similar to those needed for the use of personal information by third parties.
· Confidentiality agreement: If in some particular cases it is impossible to rule out a limited disclosure of Personal Data, there must be a confidentiality agreement with the supplier for security reasons.
Personal Data will be available to be processed or seen outside the EU only if there are guarantees or suitable evidence that ensure the secure use of the data; for instance, drawing up standard clauses to protect data.
6. Data security, impact assessment and technological design
We apply all the appropriate technical and organizational measures to protect the use of Personal Data. These measures include, in particular, the ones that ensure the confidentiality, integrity and availability of Personal Data, including the capacity to recover systems and services.
In all the operations we carry out, we take into account the potential risk to data subjects’ rights and therefore carefully select which technical and organizational measures to use. If the potential risk is high, the procedures will be subject to an additional control of risks and measures.
When processing Personal Data, we conform to the principle of “data protection through the design of suitable technology and adjustment to protect the data” (data privacy by design/by default); for example, through the pseudonymisation or minimisation of Personal Data.
Technical and organizational measures are reviewed on a regular basis for effectiveness and are adjusted as needed, taking into account the latest technological advances. The same is done for the technical and organizational measures of external service suppliers or external partners.
7. Responsibility and organization of data protection
ASENTIA PROJECT, S.A. is responsible for the implementation of the regulations in relation to data protection. The corporate management is in charge of the prerequisites needed to implement the data protection requirements for the employees of the different departments, whether they work within the premises or outside.