SUCESORES DE CUMBRES MAYORES, S.L. (the “Company”) is an Organization in which personal data processing activities are carried out, which attributes to it an important responsibility in the design and organization of procedures so that they are aligned with legal compliance in this matter.
In the exercise of these responsibilities and in order to establish the general principles that must govern the processing of personal data in the Company, it approves this Personal Data Protection Policy, which it notifies its Employees and makes available to all its stakeholders.
1. Purpose
The Personal Data Protection Policy is a proactive Responsibility measure that aims to ensure compliance with the applicable legislation in this area and related to it, respect for the right to honour and privacy in the processing of the personal data of all persons who interact with The Company.
In accordance with the provisions of this Personal Data Protection Policy, the Principles governing the processing of data in the organisation are established and, consequently, the procedures, and the organisational and security measures that the persons affected by this Policy undertake to implement in their area of responsibility. To this end, the Directorate shall assign responsibilities to the staff involved in the data processing operations.
2. Scope
This Personal Data Protection Policy shall apply to the Company, its directors, officers and employees, as well as to all persons related to it, including expressly service providers with access to data (“Data Processors”)
3. Principles of the processing of personal data
As a general principle, the Company will scrupulously comply with the legislation on the protection of personal data and must be able to demonstrate this (Principle of “Proactive Responsibility”), paying particular attention to those processes that may pose a greater risk to the rights of those affected (Principle of “risk approach”). In relation to the above, SUCESORES DE CUMBRES MAYORES, S.L. will ensure compliance with the following Principles:
– Lawfulness, loyalty, transparency and limitation of purpose. The data processing must always be informed to the affected party, through clauses and other procedures; and it will only be considered legitimate if there is consent for the processing of data (with special attention to that provided by minors), or if it has another valid legitimacy and the purpose of the same is in accordance with the Regulations.
– Data minimization. The data processed must be adequate, relevant and limited to what is necessary in relation to the purposes of the processing.
–Accuracy. The data must be accurate and, if necessary, up-to-date. In this regard, the necessary measures will be taken to ensure that personal data that are inaccurate with respect to the purposes of the processing are erased or rectified without delay.
– Limitation of the retention period. The data will be kept in such a way as to allow the identification of the data subjects for no longer than is necessary for the purposes of the processing.
– Integrity and Confidentiality. The data will be processed in such a way as to ensure adequate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organisational measures.
– Data transfers. It is forbidden to purchase or obtain personal data from illegitimate sources or in those cases in which such data have been collected or transferred in contravention of the law or their legitimate origin is not sufficiently guaranteed.
– Contracting suppliers with access to data. Only suppliers that offer sufficient guarantees to apply appropriate technical and security measures in the processing of data will be chosen for their contract. With these third parties, the appropriate Agreement in this regard will be documented.
– International Data Transfers. Any processing of personal data subject to European Union regulations that involves a transfer of data outside the European Economic Area must be carried out in strict compliance with the requirements established in the applicable law.
– Rights of data subjects. The Company will facilitate the exercise of the rights of access, rectification, deletion, limitation of processing, opposition and portability to those affected, establishing for this purpose the internal procedures, and in particular the models for their exercise that are necessary and appropriate, which must satisfy, at least, the legal requirements applicable in each case.
The Company will ensure that the principles set out in this Personal Data Protection Policy are taken into account (i) in the design and implementation of all work procedures, (ii) in the products and services offered (iii) in all contracts and obligations entered into or assumed by them, and (iv) in the implementation of any systems and platforms that allow access by employees or third parties and/or the collection or processing of personal data.
4. Employee commitment Employees are informed of this Policy and declare themselves aware that personal information is an asset of the Company, and in this regard they adhere to it, committing to the following:
– Carry out the awareness training in Data Protection that the Company makes available to you.
– Apply the security measures at the user level that apply to their workplace, without prejudice to the responsibilities in their design and implementation that may be attributed to them depending on their role within SUCESORES DE CUMBRES MAYORES, S.L.
– Use the established formats for the exercise of Rights by those affected and inform the Company immediately so that the response can be effective.
– Inform the Company, as soon as it becomes aware, of deviations from the provisions of this Policy, in particular of “Personal Data Security Breaches”, using the format established for this purpose.
5. Monitoring and evaluation
An annual verification, evaluation and assessment will be carried out, or whenever there are significant changes in data processing, of the effectiveness of the technical and organisational measures to ensure the security of the processing. SUCESORES DE CUMBRES MAYORES, S.L.
