Rivas Marie Curie One, S.L.U. and Rivas Mercury Two S.L.U. (the “Company”) is an Organization which deals with personal data processing, which confers upon it an important responsibility to design and organize processes in such a way as to render them legally compliant in this respect. In exercising these responsibilities and with the aim of establishing general principles governing the processing of personal data within the Company, the Company endorses this personal data protection policy which it notifies to its Employees and makes available to all groups concerned.
The personal data protection policy is a measure of proactive responsibility, the aim of which is to ensure compliance with the legislation applicable in this area and relating to it, to respect the right to honour privacy in the processing of personal data of all persons who deal with the Company. In the creation of the provisions of this personal data protection policy, particular principles have been defined which are to govern the processing of data within the organization, and as a result, the procedures and organizational security measures which the people who are affected by this policy undertake to implement within their remit. It is to this end that Rivas Marie Curie One, S.L.U. and Rivas Mercury Two S.L.U. shall assign responsibilities to staff involved in data processing operations.
This personal data protection policy shall apply to the Company, its directors, managers and employees, as well as to all persons associated with it, especially service providers with access to data (“Processors”).
3. Principles pertaining to the processing of personal data
As a general principle, the Company shall scrupulously comply with personal data protection legislation and shall be capable of demonstrating it (principle of “proactive responsibility”), paying particular attention to those processing activities that may entail a greater risk for the rights of the data subjects (“risk focus” principle).
In relation to the aforementioned, Rivas Marie Curie One, S.L.U. and Rivas Mercury Two S.L.U. shall ensure compliance with the following principles:
➔ Legality, loyalty, transparency and restriction of purpose. Data subjects shall at all times be informed of the processing activity by means of clauses and other procedures; the processing activity shall only be considered legitimate in the event of consent for the data processing (with particular attention to consent given by minors), or supported by another valid means of legitimation, the purpose of which is in accordance with the Directive.
➔ Minimization of data. The data processed shall be appropriate, relevant and restricted to what is required for the purposes of processing.
➔ Accuracy. Data shall be accurate and updated as the need arises. To this end, the necessary measures shall be taken to erase or rectify without delay any personal data which are inaccurate for the purposes of processing.
➔ Limitation of the storage period. Data shall be kept in such a manner as to allow for the identification of the data subjects for no longer than is necessary for the processing purposes.
➔ Security and Confidentiality. Data shall be processed in such a way as to guarantee appropriate security of personal data, including protection against unauthorised or illegal processing as well as against loss, destruction or accidental damage, through the application of the appropriate technical or organizational measures.
➔ Transfers of data. The purchase or procurement of personal data from illegitimate sources or in cases where such data have been collected or transferred in contravention of the law, or where their lawful provenance has not been adequately guaranteed, shall be strictly prohibited.
➔ The hiring of providers with access to data. Only providers who are able to furnish suitable guarantees for the appropriate application of technical and security measures in the processing of data shall be hired. A proper agreement to this end shall be entered into with such third parties.
➔ International data transfers. All processing of personal data subject to the European Union Directive which entails transfer of data outside the European Economic Area shall be carried out in strict compliance with the requirements established in the applicable law.
➔ Rights of the data subjects. The Company shall facilitate, for data subjects, exercise of their rights of access, correction, erasure, restriction on processing, objection and portability, establishing to this end internal procedures, and in particular working models which may become necessary and timely and which shall, at the very least, meet the legal requirements applicable in each case.
The Company shall ensure that the principles contained in this personal data protection policy are taken into account (i) when designing and implementing all operational procedures, (ii) when offering products and services, (iii) when entering into all contracts and obligations and (iv) when deploying as many systems and platforms as allow for the access of employees or third parties and/or the gathering or processing of personal data.
4. Employee Commitment
The employees have been informed of this policy and declare that they are aware that personal information is a company asset, acting accordingly in this respect. They undertake the following:
* To complete the data protection awareness-raising training which the company makes available.
* To apply user-level security measures which apply to their job, without prejudice to the responsibilities with regard to their design and deployment which may be attributed to them in accordance with their role in Rivas Marie Curie One, S.L.U. and Rivas Mercury Two S.L.U.
* To utilize established formats for the exercise of rights by data subjects and to inform the company immediately in such a way that an effective response may be given.
* To inform the Company, as soon as they are aware, of any derogations from the provisions set out in this Policy, in particular, “data breaches”, using the format established to this end.
5. Checking and evaluation
A verification, evaluation and rating of technical and organizational measures shall be carried out annually or every time that significant changes in data processing occur, to safeguard processing security.
Rivas Marie Curie One, S.L.U. and Rivas Mercury Two S.L.U.