FROM ONE SIDE, the party who signs the proposal (hereafter, the DATA PROCESSING RESPONSIBLE or DPR).
FROM THE OTHER SIDE, Mr. Javier Martínez Galiana, of legal age, with ID card number 52997423H, acting on behalf of and in representation of LEIALTA, S.L.P. (hereafter, IN CHARGE OF DATA PROCESSING TREATMENT or ICDPT), with tax ID number B87291928 and, as address for notification purposes, Calle Zurbano, 45, 1º, CP 28010, Madrid (Madrid).
Both parties, mutually and reciprocally recognizing that they have sufficient legal capacity for this act, STATE herein:
I.- That the ICDPT is dedicated, among other activities of its corporate purpose, to the provision of the following services:
- CONSULTING AND BUSINESS ADVISORY
II.- Based on the above, the DPR maintains with the ICDPT a professional service relationship for: CONSULTING AND BUSINESS ADVISORY
III.- That, within the service relationship that binds both parties, the ICDPT needs to process certain personal data on behalf of the DPR.
IV.- That, based on the provisions of Article 28.3 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation): "The treatment by the person in charge shall be governed by a contract or other legal act in accordance with Union law or of the Member States, which links the person in charge with the person responsible and establishes the purpose, duration, nature and purpose of the treatment, the type of personal data and categories of the interested parties, and the obligations and rights of the person in charge."
In accordance with the foregoing, the parties agree to this contract, which will be governed by the following
PROVISIONS
The purpose of this contract is to regulate the processing by the ICDPT of certain personal data on behalf of the DPR, on the occasion of the service relationship that binds both parties, in compliance with the obligations established in Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), and in the Spanish regulations on the protection of personal data.
For the purposes of this contract, the following terms shall be understood as follows:
a. Personal data: any information relating to an identified or identifiable natural person. An identifiable natural person is one whose identity can be determined, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier, or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of that person (Article 4(1) GDPR).
b. Processing: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction (Article 4(2) GDPR).
c. Data Processing Responsible: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7) GDPR).
d. In charge of data processing treatment: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) GDPR).
THIRD.- INSTRUCTIONS OF THE DPR.
The ICDPT shall process the personal data necessary for the provision of services on behalf of the DPR, derived from the relationship that binds both parties, in accordance with the instructions documented in the ANNEX to this contract.
FOURTH.- IDENTIFICATION OF THE INFORMATION CONCERNED.
The ICDPT will process on behalf of the DPR the information about identified or identifiable individuals documented in the ANNEX to this contract.
This contract will come into effect from the date of its signature and will be in force until the date of termination of the service provision relationship between the DPR and the ICDPT.
SIXTH.- OBLIGATIONS OF THE ICDPT
The ICDPT undertakes to comply with the following obligations:
a. Use the personal data subject to processing, or those collected for inclusion, only for the purpose of this engagement. In no case may the ICDPT use the data for its own purposes.
b. Process the data according to the instructions of the DPR.
If the ICDPT considers any of the instructions to be in breach of Regulation (EU) 2016/679 or any other data protection provision of the Union or of the Member States, the ICDPT shall immediately inform the DPR.
c. Keep, in writing, a record of all categories of processing activities carried out on behalf of the DPR, containing:
- The name and contact details of the ICDPT or ICDPTs and of each DPR on whose behalf the ICDPT acts and, where applicable, of the representative of the DPR or of the ICDPT, and of the data protection officer.
- The categories of processing carried out on behalf of each DPR.
- Where applicable, transfers of personal data to a third country or international organization, including the identification of that third country or international organization and, in the case of the transfers referred to in Article 49(1), second subparagraph, of Regulation (EU) 2016/679, the documentation of suitable safeguards.
- A general description of the technical and organizational security measures relating to:
a) Pseudonymization and encryption of personal data.
b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services.
c) The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
d) The process for regularly verifying, evaluating and assessing the effectiveness of the technical and organizational measures for ensuring the security of processing.
d. Not disclose the data to third parties, unless it has the express authorization of the DPR, in the legally admissible cases.
The ICDPT may communicate the data to other ICDPTs of the same DPR, according to the instructions of the DPR. In that case, the DPR will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied when making the communication.
If the ICDPT must transfer personal data to a third country or to an international organization by virtue of applicable Union or Member State law, it will inform the DPR of that legal requirement in advance, unless such law prohibits it for important reasons of public interest.
e. The ICDPT may not subcontract any of the services forming part of the object of this contract that involve the processing of personal data, except for the auxiliary services necessary for the normal functioning of the ICDPT's services.
If it is necessary to subcontract any processing, this must be communicated to the DPR in writing ten working days in advance, indicating the processing that is intended to be subcontracted and clearly and unambiguously identifying the subcontractor company and its contact details. The subcontracting may be carried out if the DPR does not object within the established term.
The subcontractor, which will also have the status of ICDPT, is likewise obliged to comply with the obligations established in this document before the DPR and with the instructions given by the DPR.
The subcontracted ICDPT will be subject to the same conditions (instructions, obligations, security measures, etc.) and the same formal requirements as the ICDPT initially engaged, regarding the proper processing of personal data and the guarantee of the rights of the persons affected. In the case of non-compliance by the subcontractor, the initial ICDPT will remain fully liable to the DPR under this contract for the fulfilment of this engagement.
f. Maintain the duty of secrecy regarding the personal data to which it has had access under this engagement, even after its purpose has ended.
g. Guarantee that the persons authorized to process personal data commit themselves, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.
h. Keep at the DPR's disposal the documentation evidencing compliance with the obligation established in the previous section.
i. Guarantee the necessary training in personal data protection of the persons authorized to process personal data.
j. Assist the DPR in responding to the exercise of the rights of:
- Access, rectification, erasure and objection.
- Restriction of processing.
- Data portability.
- Not to be subject to automated individual decisions (including profiling).
When the affected persons exercise the rights of access, rectification, erasure and objection, restriction of processing, data portability and not being subject to automated individual decisions before the ICDPT, the ICDPT must communicate this by email to the address indicated by the DPR. The communication must be made immediately and in no case later than the working day following receipt of the request, together with, where appropriate, any other information that may be relevant to resolve the request.
If the communication cannot be made by email because the DPR has not provided an address for the above purposes, the ICDPT must make such communication through any means of notification admitted by law.
k. The ICDPT, at the time of collecting the data, must provide information regarding the processing that will be performed. The wording and the format in which the information will be provided must be agreed with the DPR before the start of the data collection.
l. The ICDPT shall notify the DPR, without undue delay and in any case within a maximum period of 24 hours, by email to the address indicated by the DPR, of any breaches of the security of the personal data under its responsibility of which it becomes aware, together with all the information relevant to the documentation and communication of the incident.
If the notification cannot be made by email because the DPR has not provided an address for the above purposes, the ICDPT must comply with the aforementioned obligation through any means of notification admitted by law.
Notification will not be necessary when the breach of security is unlikely to result in a risk to the rights and freedoms of natural persons.
If available, at least the following information will be provided:
a) Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
b) The name and contact details of the data protection officer or other contact point where more information can be obtained.
c) Description of the likely consequences of the personal data breach.
d) Description of the measures adopted or proposed to address the personal data breach, including, where appropriate, the measures adopted to mitigate its possible adverse effects.
If it is not possible to provide the information at the same time, and to the extent that it is not, the information will be provided in phases without undue delay.
m. Support the DPR in carrying out data protection impact assessments, where appropriate.
n. Support the DPR in carrying out prior consultations with the supervisory authority, where appropriate.
o. Make available to the DPR all the information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the DPR or by another auditor authorized by it.
p. Implement the security measures included in the ANNEX to this contract. In any case, the ICDPT should implement mechanisms to:
a) Guarantee the ongoing confidentiality, integrity, availability and resilience of the processing systems and services.
b) Restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
c) Regularly verify, evaluate and assess the effectiveness of the technical and organizational measures implemented to guarantee the security of processing.
d) Pseudonymize and encrypt personal data, if applicable.
q. Designate a data protection officer and communicate their identity and contact details to the DPR, provided this is mandatory under Regulation (EU) 2016/679 and the Spanish regulations on data protection.
r. Once the service relationship that binds both parties has ended, the ICDPT shall deal with the personal data in accordance with the instructions contained in the ANNEX to this contract.
The ICDPT undertakes to communicate to its personnel, including employees of temporary employment agencies, the obligations set out in this contract, and to enforce them, in particular the obligation of secrecy regarding the personal data of the DPR and compliance with the corresponding security measures.
In the event that the ICDPT uses the data for another purpose, or communicates or uses them in breach of the stipulations of this contract, it shall be liable to the DPR, the data subjects and the competent supervisory authorities for that breach and for any infringements it may have personally incurred.
SEVENTH.- OBLIGATIONS OF THE DPR
The DPR is committed to compliance with the following obligations:
a. Deliver to the ICDPT the data referred to in the ANNEX to this contract.
b. Carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the ICDPT, provided this is mandatory under Regulation (EU) 2016/679 and the Spanish data protection regulations.
c. Carry out the corresponding prior consultations, provided this is mandatory under Regulation (EU) 2016/679 and the Spanish data protection regulations.
d. Ensure, prior to and throughout the processing, compliance with Regulation (EU) 2016/679 and the Spanish regulations on data protection by the ICDPT.
e. Supervise the processing, including conducting inspections and audits.
In the event that the DPR fails to comply with the stipulations of this contract, it shall be liable to the ICDPT, the data subjects and the competent supervisory authorities for that breach and for any infringements it may have personally incurred.
EIGHTH.- CONFIDENTIALITY.
Both parties undertake to maintain due confidentiality regarding the facts, information, knowledge, documents, objects and any other elements protected by secrecy to which they have access as a result of the service relationship, and may not use the information to which they have access for any purpose other than the execution of the contract that binds both parties.
In this regard, and without limiting or excluding, the aforementioned duty of confidentiality and secrecy includes the following information:
- Any information protected by the regulations on intellectual and industrial property.
- Any information on identified or identifiable individuals, protected by the regulations on protection of natural persons with regard to the processing of personal data.
- Any information protected by Organic Law 1/1982, of May 5, on civil protection of the right to honor, to personal and family privacy and to one’s own image.
- Any information subject to the duty of professional secrecy.
- Undisclosed technical knowledge and business information (trade secrets).
- Any other information that by its nature cannot be disclosed to third parties unrelated to the signatory parties and, therefore, is not public knowledge.
Failure to comply with the aforementioned obligations may result in the exercise of the legal actions that, where appropriate, may arise and the responsibilities arising from said exercise.
NINTH.- INFORMATION IN COMPLIANCE WITH THAT ESTABLISHED IN ARTICLE 13 OF REGULATION (EU) 2016/679.
The data of the persons signing this contract will be processed by each of the entities they represent in order to execute it. Such data will be kept during the statutory limitation periods of the liabilities arising from the service relationship that binds both parties. The signatories have the right to request from each of the entities responsible for processing access to their personal data, as well as their rectification or erasure, at the addresses for notification purposes indicated in the heading of this contract. Likewise, they have the right to lodge a complaint with the competent supervisory authority if they consider that their right to data protection has been violated.
TENTH.- APPLICABLE LAW AND FORUM.
This contract shall be governed and construed in accordance with Spanish law in matters not expressly regulated. If any of the stipulations or conditions of this contract are null, invalid or ineffective and could not have effect because of the legislation applicable to it, such nullity, invalidity or ineffectiveness will not affect the rest of the stipulations or conditions.
The parties submit, for disputes that may arise in relation to this contract, to the jurisdiction of the Courts and Tribunals of the city indicated in the header thereof, waiving any other forum that may correspond.
And in witness whereof, both the party proposing the consulting service, the ICDPT, and the party signing the service proposal, the DPR, agree to and ratify this contract for the processing of data on behalf of third parties at the moment the service proposal is signed by both parties.
ANNEX TO THE DATA PROCESSING CONTRACT
I) INSTRUCTIONS OF THE DPR REGARDING THE DATA PROCESSING TO BE CARRIED OUT BY THE ICDPT
a) Description of the form of service provision:
The service will be provided at the premises of the DPR, which will provide the ICDPT with access to its systems.
The service will be provided through remote access, the ICDPT being expressly forbidden from incorporating the data subject to processing into systems or media other than those of the DPR.
The service will be provided by the ICDPT at its own premises and with its own systems, other than those of the DPR.
b) Specific operations to be carried out on personal data
II) IDENTIFICATION OF THE AFFECTED INFORMATION
a) Types of personal data processed:
- NIF / DNI
- Postal address
- Email address
- Phone
- Name and surname
- Economic, financial and insurance
- Infractions and administrative sanctions
- Solvency of assets and credit
- Transactions of goods and services
- Academic and professional
- Signature / Fingerprint
- Electronic signature
- Commercial information
- Social Security / Mutuality number
b) Groups or categories of interested parties:
- Beneficiaries
- Employees
- Contact persons
- Owners or tenants
- Suppliers
- Employees of contractors and subcontractors
- Public administration
- Associates or members
- Clients and users
- Potential customers
III) SECURITY MEASURES TO BE IMPLEMENTED BY THE ICDPT
The security measures that will be implemented by the ICDPT will be the following:
a) General measures:
- Personal data protection policy document
- Functions and obligations of users and rules of use of ICT resources
- Training and education of users in data protection
- Inventory of information assets (list of all the resources, whether physical, software, documents, services, people, facilities, etc., that have value for the organization and need to be protected from potential risks)
b) Regarding pseudonymization and encryption of personal data:
- Technical and organizational pseudonymization measures
- User identification and authentication system
- Access privilege management system
- Access control system for the information system
- Electronic signature system (authentication)
- Private electronic communications network
- Vulnerability and threat analysis and management system / Protection against malicious and downloadable code (e.g. antivirus)
- Adoption of measures to ensure the physical durability of documents (e.g. preventive measures against the various causes of deterioration, destruction or disappearance of documents: humidity control, fire, theft, etc.)
- Application of criteria and methods of document organization (classification and filing)
- Control of access to documentation (e.g. lock and key, biometric identification, smart card, access code, etc.)
- Security of information assets outside the premises of the data controller (e.g. authorization process for removal, password, encryption, etc.)
- Control of physical access to the Data Processing Center (CPD) / server room
- Secure and confidential destruction of information assets
- Authorization process for new types and/or means of data processing
- Secure and confidential destruction of documentation:
  - Document shredding machines
  - Service contract with an external certified document destruction company
- Registration of access to documentation
- Own server
- Own mail server
- Own web server
- Clean desk policy
- Rules for the use of document printers
- Transfer and secure shipment of documentation
c) In relation to the ability to guarantee the confidentiality, integrity, availability and permanent resilience of the treatment systems and services:
d) In relation to the ability to restore the availability and access to personal data quickly in the event of a physical or technical incident:
- Uninterruptible power supply (UPS) / generator set
- Redundant computer system (e.g. redundant server)
- Incident identification, recording and management system
- Backup management and personal data recovery system
- Personal data security breach management and notification system
e) In relation to the process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the safety of treatment:
- Internal compliance controls every 3 months.
- Regular review of the data protection policy at planned intervals.
IV) DESTINATION OF INFORMATION
Return to the manager designated in writing by the DPR the personal data and, where applicable, the media on which they are held, once the service has been completed.
The return must involve the complete erasure of the existing data from the computer equipment used by the ICDPT.
However, the ICDPT may keep a copy, with the data duly blocked, for as long as liabilities may arise from the performance of the service.