DATA PROTECTION POLICY
1. Definitions
1.1 Consent – any freely given, informed, specific and unambiguous indication of the data subject’s wishes by which she or he, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
1.2 Data Controller – the legal or natural person, agency, public authority or other body which, jointly with others or alone, decides the means and purposes of the processing of personal data; where the means and purposes of this processing are decided by Union or Member State law, the specific criteria for its nomination or the controller may be provided for by Union or Member State law.
1.3 Data Subject – any living individual who is the subject of personal data held by an organisation.
1.4 Personal Data Breach – any breach of security leading to the accidental, or unlawful, loss, destruction, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority and where the breach is likely to adversely affect the personal data or privacy of the data subject.
1.5 Personal Data – any data relating to an identifiable or identified natural person; an identifiable natural person is one who can be identified, indirectly or directly, by reference to an identifier such as an identification number, a name, location data, an online identifier or to one or more factors specific to the physiological, genetic, physical, mental, cultural, economic, or social identity of that natural person.
1.6 Processing – any operation which is carried out on personal data, whether or not by automated means, such as recording, collection, structuring, organisation, storage, alteration or adaptation, consultation, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure, restriction or destruction.
1.7 Processor – a legal or natural person, agency, public authority or other body which processes personal data on behalf of the controller.
1.8 Profiling – any type of automated processing of personal data intended to evaluate some personal aspects relating to a natural person, or to predict or analyse that person’s performance at work, location, economic situation, health, reliability, personal preferences or behaviour. This category is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.
1.9 Special Categories of Personal Data – personal data revealing ethnic or racial origin, religious or philosophical beliefs, political opinions, or trade-union membership, and the processing of biometric data, genetic data for the purpose of uniquely identifying a natural person, data concerning a natural person’s sex life or sexual orientation or data concerning health.
1.10 Third Party – a legal or natural person, agency or body other than the data subject, public authority, processor, controller and people who, under the direct authority of the controller or processor, are authorised to process personal data.
2. Purpose
2.1 TRADUPLA, S.L.U. is committed to conducting its business in compliance with all applicable Data Protection laws and regulations and in line with the standards of ethical conduct. TRADUPLA, S.L.U. is the Data Controller under the Data Protection laws, which means that it decides the purposes for which the personal information it holds will be used.
2.2 This policy sets forth the expected behaviours of all TRADUPLA, S.L.U. employees and Third Parties in relation to the use, collection, retention, disclosure, transfer and destruction of any Personal Data belonging to a Data Subject.
2.3 Personal Data is any data (including intentions and opinions) which relates to an Identifiable or Identified Natural Person. Personal Data is subject to certain legal regulations and other safeguards, which impose restrictions on how entities may process Personal Data. An entity that processes Personal Data and makes decisions about its utilisation is known as a Data Controller. TRADUPLA, S.L.U., as a Data Controller, is responsible for ensuring compliance with the Data Protection requirements described in this policy.
2.4 TRADUPLA, S.L.U.’s leadership is committed to ensuring effective and continued implementation of this policy and expects all employees and Third Parties to share in this commitment. Any breach of this policy will be taken seriously and may result in company sanction or disciplinary action.
3. Scope and field of application
3.1 This policy applies to TRADUPLA, S.L.U. as a company that processes Personal Data.
3.2 This policy applies to all Processing of Personal Data in digital form or where it is held in manual documents which contain data and information about individuals.
4. Foundations
4.1 TRADUPLA, S.L.U. has established the following principles to manage its use, collection, transfer, retention, destruction and disclosure of Personal Data:
- Accountability: TRADUPLA, S.L.U. shall be responsible for demonstrating compliance with the above-mentioned principles. This policy provides the basis for adherence to this responsibility.
- Accuracy: Any Personal Data collected shall be accurate and kept up to date where necessary.
- Data minimisation: Any Personal Data collected shall be relevant, adequate and limited to what is essential in relation to the purposes for which they are processed.
- Confidentiality and Integrity: Personal Data shall be processed in a way that ensures appropriate security of the personal data, including protection against unlawful and unauthorised processing and against destruction or damage, accidental loss, using organisational measures and appropriate technical methods.
- Transparency, fairness, lawfulness: Personal Data is processed fairly, lawfully and in a transparent way regarding the data subject.
- Purpose limitation: Any Personal Data collected shall have an explicit, specified and legitimate purpose.
- Storage limitation: Personal Data shall not be stored longer than what is required for the objectives for which the Personal Data are processed.
5. Lawfulness of data processing
5.1 TRADUPLA, S.L.U. will Process Personal Data in compliance with all applicable contractual obligations and all applicable laws.
5.2 In particular, TRADUPLA, S.L.U. will not Process Personal Data unless one of the available foundations for processing is applicable. For example:
- Processing is required for compliance with a legal obligation to which the Data Controller is subject.
- Processing is required for the performance of a contract to which the Data Subject is party.
- The Data Subject has given valid Consent.
5.3 To the extent that TRADUPLA, S.L.U. processes Special Categories of Data, such processes shall receive special attention in the management of personal data. More specifically, such processing shall only be performed if the requirements for Processing of Special Categories of Data are fulfilled. For example:
- The Data Subject has given valid Consent.
- The Processing is required for the exercise, establishment or defence of legal claims.
- The Processing is specifically required or authorised by law.
- The Processing is based on Personal Data which has already been made public by the Data Subject.
6. Information to data subjects
6.1 TRADUPLA, S.L.U. will provide the information about the purpose of collecting Personal Data in a document or contract signed by the parties.
6.2 All adequate disclosures will be made when any Personal Data is collected in a way that draws attention to them, unless one of the following applies:
- A legal exemption applies to the requirements for disclosure or Consent.
- The Data Subject already has the data or information.
6.3 TRADUPLA, S.L.U. has implemented, for example, the following standard measures for providing information to Data Subjects:
- All Personal Data processed on TRADUPLA, S.L.U.’s website is explained in the Privacy Policy on TRADUPLA, S.L.U.’s website, which all users can access.
- All Personal Data processed about TRADUPLA, S.L.U.’s own employees is explained in the Employee agreement of each employee.
7. Continued compliance with basic principles
- In particular, it is very important that there are no changes in the purpose of Processing of Personal Data.
7.3 All stored Personal Data must be up to date and accurate. TRADUPLA, S.L.U. has implemented the following measures:
- Reviewing and modifying Personal Data known to be inaccurate, incorrect, incomplete, misleading, ambiguous or outdated.
- Only storing Personal Data for the time necessary to achieve the permitted uses.
- Restriction or deletion of Personal Data, insofar as: a law bans erasure, erasure would impair legitimate interests of the Data Subject, the Data Subject disputes that their Personal Data is correct, and it cannot be clearly determined whether their information is incorrect or correct.
8. Use of data processors
- The contract must require the Data Processor to protect the Personal Data from further disclosure and to only Process Personal Data in accordance with TRADUPLA, S.L.U.’s conventions. Furthermore, the contract will require the Data Processor to implement organisational and technical procedures to protect the Personal Data as well as measures for providing notification of Personal Data Breaches.
- TRADUPLA, S.L.U. will sign a contract with the Data Processors.
- TRADUPLA, S.L.U. outsources services to a Third Party (for example, Cloud Computing services). It will identify whether the Third Party will Process Personal Data on its behalf and whether the outsourcing will entail any Third Country transfers of Personal Data. It will make sure to add adequate provisions in the outsourcing contract for such Processing and Third Country transfers.
9. Transfers to Third parties
- TRADUPLA, S.L.U. will only transfer Personal Data to Third Parties when it is assured that the data will be protected and processed legitimately by the recipient.
10. Transfer of personal data outside EU
- TRADUPLA, S.L.U. will only transfer Personal Data to an internal or Third Party recipient outside the European Union where the conditions for this transfer are fulfilled.
11. Security
- The minimum set of security procedures to be carried out by TRADUPLA, S.L.U. is included in the Data Security Policy. Examples of the measures provided by TRADUPLA, S.L.U. include:
- Guarantee that access logs are in place to establish whether, and by whom, the Personal Data was entered into, modified in or removed from a data processing system.
- Ensure that in the case where Processing is carried out by a Data Processor, the data can be Processed only in compliance with the instructions of the Data Controller.
- Guarantee that Personal information collected for several purposes is Processed separately.
- Ensure that Personal Data cannot be removed, modified, copied or read without authorisation during electronic transmission or transport.
- Guarantee that Personal Data is not kept for longer than necessary.
- Ensure that Personal Data is protected against undesired loss, destruction or removal.
TRADUPLA, S.L.U. will adopt technical, organisational and physical measures to guarantee the security of Personal Data.
12. Breach Reporting
- Any person who suspects that a Personal Data Breach has taken place due to the exposure or theft of Personal Data must immediately contact the Data Protection Officer, Pilar Pla, giving a description of what happened. Notification of the incident can be made via e-mail to comercial@tradupla.com or by calling the phone number +34 677899554.
- The Data Protection Officer will study all reported incidents to confirm whether a Personal Data Breach has taken place. If a Personal Data Breach is confirmed, the Data Protection Officer will follow the procedures based on the quantity and criticality of the Personal Data involved.
13. Limitation of retention period
- Personal Data will not be retained by TRADUPLA, S.L.U. for longer than necessary for the purposes for which it was collected or further Processed.
- The length of time for which TRADUPLA, S.L.U. needs to retain Personal Data is established in the Personal Data Retention Schedule. This considers the contractual and legal requirements, both maximum and minimum, that influence the retention periods set forth in the schedule. All Personal Data should be destroyed or deleted as soon as possible where it has been confirmed that there is no longer a need to retain it.
14. Notification of Data Protection Officer
- All inquiries received for rectification, access or elimination of Personal Data must be addressed to the Data Protection Officer: Pilar comercial@tradupla.com
15. Data Subject enquiry handling process
The Data Protection Officer has established a system to facilitate and enable the exercise of Data Subject rights, covering the following aspects:
- Data elimination.
- Data transfer.
- Data modification.
- Data access.
- Objection to automated decision-making and Profiling.
- Objection to Processing.
- Restriction of Processing.
- If a person sends a request about any of the rights listed above, TRADUPLA, S.L.U. will study each request in compliance with all applicable Data Protection regulations and laws. If the request is deemed to be excessive or unnecessary due to repetitive requests, an administration fee will be charged.
16. Information access
- Data Subjects are entitled to obtain, by writing to the Office of Data Protection and after a successful verification of their identity, the following data about their own Personal Data:
- The categories of Personal Data stored for the Data Subject.
- The envisaged period of storage for the Personal Data or the rationale for determining the storage period.
- The purposes of the processing, collection, storage and use of their Personal Data.
- The categories or recipients to whom the Personal Data may be transmitted and their location.
- The source(s) of the Personal Data, if it was not collected from the Data Subject.
- The use of any automated decision-making, for example: Profiling.
17. Reaction time
- A response to each enquiry will be given within 40 days of the receipt of the written enquiry from the Data Subject. We will verify that the requestor is the Data Subject or their authorised legal representative. Data Subjects shall have the right to require TRADUPLA, S.L.U. to supplement or correct misleading, erroneous, incomplete or outdated Personal Data. If TRADUPLA, S.L.U. cannot respond fully to the enquiry within 40 days, the Office of Data Protection shall nevertheless give the following information to the Data Subject within the specified time:
- An acknowledgement of receipt of the enquiry.
- An estimate of any fees to be paid by the Data Subject where the request is excessive or unnecessary.
- A date by which any remaining answers will be given.
- Any data located to date.
- Description of any requested data or rectifications which will not be given to the Data Subject, the reason(s) for the refusal, and any procedures available for appealing the decision.
- The name and contact information of the TRADUPLA, S.L.U. person whom the Data Subject should contact for follow-up.
18. Data Protection Officer
- To demonstrate our commitment to Data Protection, TRADUPLA, S.L.U. has appointed an employee to be the primary supervisor of TRADUPLA, S.L.U.’s compliance with the Data Protection rules.
- The DPO is the CEO of TRADUPLA, S.L.U.: Pilar Pla.
- The DPO’s duties are:
- Acting as a point of contact for;
- Guaranteeing the alignment of this policy with Data Protection rules, Union based Data Protection provisions or national law;
- Advising and informing TRADUPLA, S.L.U., which performs Processing pursuant to Data Protection regulations, Union based Data Protection provisions or national law;
- Informing officers, directors and senior managers of TRADUPLA, S.L.U. of any potential corporate, criminal and civil penalties which may be levied against TRADUPLA, S.L.U. and/or its Employees for violation of applicable Data Protection laws.
- Making and keeping current notifications to one or more DPAs because of TRADUPLA, S.L.U.’s current or intended Personal Data processing methods;
- The operation of a system giving prompt answers to Data Subject requests;
- Guaranteeing the establishment of processes and standard contractual provisions for achieving compliance with this Policy by any Third Party who:
- gives Personal Data to TRADUPLA, S.L.U.
- receives Personal Data from TRADUPLA, S.L.U.
- has access to Personal Data processed or collected by TRADUPLA, S.L.U.
19. Awareness
- The management team of TRADUPLA, S.L.U. will ensure that all TRADUPLA, S.L.U. Employees are aware of and comply with the contents of this policy.
- All TRADUPLA, S.L.U. Employees that have access to Personal Data will have their responsibilities under this policy.
20. Governance of Third Parties and Data processors
- Furthermore, TRADUPLA, S.L.U. will make sure all Third Parties engaged to Process Personal Data on TRADUPLA, S.L.U.’s behalf are aware of and comply with the contents of this policy.
- Assurance of such compliance must be provided by all Third Parties, whether individuals or companies, prior to granting them access to Personal Data managed by TRADUPLA, S.L.U.
21. Data Protection Impact Assessments
- The Data Protection Officer will guarantee that a Data Protection Impact Assessment is conducted, in collaboration with the Office of Data Protection, for all new or revised processes or systems for which it has responsibility. The Information Technology department will cooperate with the Data Protection Supervisor to assess the impact of any new technology uses on the security of Personal Data.
22. Compliance Monitoring
- To confirm that TRADUPLA, S.L.U. is achieving an appropriate level of compliance with this policy, the Data Protection Officer will carry out an annual Data Protection compliance audit for all important parts of the organisation. Each audit will assess:
- Compliance with Policy related to the protection of Personal Data, for example the assignment of responsibilities and raising awareness.
- The accuracy of Data Processor methods.
- The accuracy of Personal Data being stored.
- The adequacy of methods for redressing poor compliance and Personal Data Breaches.
- The effectiveness of Data Protection related operational practices.
- The level of understanding of Privacy Notices and Data Protection policies.
- The DPO will devise a plan with a schedule for correcting any deficiencies within a defined time frame.