Privacy Policy

TREATMENT OF EMPLOYEE DATA

Contracts:

1. Purpose of the treatment request
By means of the present clauses, VSV Advocats Associats SCP is authorized, with address at Carrer de Balmes, 18, 1º, 08007 Barcelona and NIF B66919069 as the processor in charge of processing on behalf of Iniciatic Digital Services, SLU, as the controller, the personal data necessary to provide the service specified below.
The treatment will consist of fiscal, labor and accounting management.

2. Identification of the affected information
For the execution of the benefits derived from the fulfillment of the object of this assignment, the entity Iniciatic Digital Services, S.L.U. as responsible for the treatment, makes available to the entity VSV Advocats Associats S.C.P. the identification data of your potential customers.

3. Duration
This agreement has a duration of, being renewed automatically unless decided against by any of the parties.
Once the present contract ends, the person in charge of the treatment must return the person in charge or transmit to another manager that the person responsible designates the personal data, and delete any copy that is in his power. However, you can keep the data blocked to address possible administrative or jurisdictional responsibilities.

4. Obligations of the treatment manager
The person in charge of the treatment and all his personnel is obliged to:

  • Use personal data subject to treatment, or those collected for inclusion, only for the purpose of this assignment. In no case may you use the data for your own purposes.
  • Treat the data according to the instructions of the controller.
  • Keep, in writing, a record of all categories of treatment activities carried out on behalf of the person in charge, which contains:
    1. The name and contact information of the person in charge or those in charge and of each person responsible for which the person in charge acts and, where appropriate, the representative of the person in charge or the person in charge and the delegate of data protection.
    2. The treatment categories carried out by the responsible party.
    3. A general description of the appropriate technical and organizational safety measures that you are applying.
  • Not communicate the data to third parties, unless you have the express authorization of the controller, in the legally admissible cases. If the manager wants to outsource, he has to inform the person in charge and request his prior authorization.
  • Maintain the duty of secrecy regarding the personal data to which you have had access under this order, even after the contract ends.
  • Guarantee that the persons authorized to process personal data commit themselves, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be informed accordingly.
  • Maintain at the disposition of the responsible party the documentation proving compliance with the obligation established in the previous section.
  • Guarantee the necessary training in terms of protection of personal data of the persons authorized to process personal data.
  • When the affected persons exercise the rights of access, rectification, suppression and opposition, limitation of the treatment and portability of data before the person in charge of the treatment, this one must communicate it by email to the address indicated by the person in charge. The communication must be made immediately and in no case beyond the working day following the reception of the request, together with, where appropriate, other information that may be relevant to resolve the request.
    Notification of data security violations
    The person in charge of the treatment will notify the person responsible for the treatment, without undue delay and through the e-mail address indicated by the person responsible, for any breach of the security of the personal data in his charge that he or she has knowledge of, together with all the information relevant for the documentation and communication of the incident.

At least the following information will be provided:

  1. Description of the nature of the violation of the security of personal data, including, when possible, the categories and the approximate number of interested parties affected, and the categories and approximate number of personal data records affected.
  2. Contact person data to obtain more information.
  3. Description of the possible consequences of the violation of the security of personal data. Description of the measures adopted or proposed to remedy the violation of the security of personal data, including, if applicable, the measures adopted to mitigate the possible negative effects.
    If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.

VSV Advocats Associats S.C.P., at the request of the responsible, will communicate in the shortest possible time the data security breaches to the interested parties, when it is probable that the violation supposes a high risk for the rights and the liberties of the physical persons.

The communication must be done in a clear and simple language and must include the elements indicated in each case by the person responsible, at least:

  1. The nature of the data breach.
  2. Data from the point of contact of the person in charge or the manager where more information can be obtained.
  3. Describe the possible consequences of the violation of the security of personal data. Describe the measures adopted or proposed by the data controller to remedy the violation of the security of personal data, including, if applicable, the measures adopted to mitigate the possible negative effects.
  • Provide the responsible party with all the information necessary to demonstrate compliance with their obligations, as well as for the performance of audits or inspections carried out by the person in charge or by another auditor authorized by him.
  • Implement the necessary technical and organizational security measures to guarantee the confidentiality, integrity, availability and permanent resilience of the treatment systems and services.
  • Destination of the data
    Return to the person responsible for the processing the personal data and, if applicable, the supports where they are recorded, once the service has been completed.
    The return must involve the total erasure of the existing data in the computer equipment used by the person in charge.
    However, the person in charge may keep a copy, with the data duly blocked, as long as responsibilities for the execution of the provision can be derived.

5. Obligations of the controller

Responsible for the treatment:

  • Deliver to the manager the necessary data so that he can provide the service.
  • Ensure, prior to and throughout the treatment, compliance with the RGPD by the person in charge.
  • Supervise the treatment.

TREATMENT OF CANDIDATE DATA

Informative clause:

Responsible: Identity: Iniciatic Digital Services, S.L.U. – NIF: B66469768 Postal address: Pg Pi i Margall, 66 10-3 08750 Molins de Rei Telephone: +34 93 390 6197

“On behalf of the company, we treat the information you provide us with in order to keep you informed of the different vacancies to a job that occur in our organization. The data provided will be kept until the award of a job or until you exercise your right of cancellation, therefore you have the right to access your personal data, correct inaccurate data or request its deletion when the data is no longer necessary. The data will not be transferred to third parties. “

If candidates submit their CV on plain paper, without a form, they will be asked to sign a dated form that includes the aforementioned information.

 

TREATMENT OF PROVIDER DATA

Informative clause:

Responsible: Identity: Iniciatic Digital Services, S.L.U. – NIF: B66469768 Postal address: Pg Pi i Margall, 66 10-3 08750 Molins de Rei Telephone: +34 93 390 6197

“On behalf of the company, we treat the information you provide us with in order to place an order and bill for the services. The data provided will be kept as long as the commercial relationship is maintained or during the years necessary to comply with the legal obligations. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain confirmation on whether at Iniciatic Digital Services, S.L.U. We are treating your personal data so you have the right to access your personal data, rectify inaccurate data or request its deletion when the data is no longer necessary. “

If the providers provide their data through another system, they will be asked to sign a dated form that includes the aforementioned information.

SERVICE COMPANIES

Contracts:

1. Purpose of the treatment request
By means of these clauses, Database Mart LLC is authorized, as the processor, to process, on behalf of Iniciatic Digital Services, S.L.U., as the data controller, the personal data necessary to provide the service specified below.
The treatment will consist of an email and hosting provider.

2. Identification of the affected information
For the execution of the benefits derived from the fulfillment of the object of this assignment, the entity Iniciatic Digital Services, S.L.U. As responsible for the treatment, it makes available to the entity Database Mart LLC the information available in the computer equipment that supports the data processing carried out by the person in charge.

3. Duration
This agreement has a duration of, renewable.
Once the present contract ends, the person in charge of the treatment must return the person responsible for the personal data, and delete any copy that he keeps in his possession. However, you can keep the data blocked to address possible administrative or jurisdictional responsibilities.

4. Obligations of the treatment manager
The person in charge of the treatment and all his personnel is obliged to:

  1. Use the personal data to which you have access only for the purpose of this assignment. In no case may you use the data for your own purposes.
  2. Treat the data according to the instructions of the controller.
    If the controller considers that any of the instructions violates the RGPD or any other provision in terms of data protection, the person in charge will immediately inform the person responsible.
  3. Not communicate the data to third parties, unless you have the express authorization of the controller, in the legally admissible cases.
  4. Maintain the duty of secrecy regarding the personal data to which you have had access under this order, even after the contract ends.
  5. Guarantee that the persons authorized to process personal data commit themselves, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be informed accordingly.
  6. Maintain at the disposition of the responsible party the documentation proving compliance with the obligation established in the previous section.
  7. Guarantee the necessary training in terms of protection of personal data of the persons authorized to process personal data.
  8. Notification of data security violations.

The person in charge of the treatment will notify the person responsible for the treatment, without undue delay and through the e-mail address indicated by the person responsible, for any breach of the security of the personal data in his charge that he or she has knowledge of, together with all the information relevant for the documentation and communication of the incident.

At least the following information will be provided:

  1. Description of the nature of the violation of the security of personal data, including, when possible, the categories and the approximate number of interested parties affected, and the categories and approximate number of personal data records affected.
  2. Contact person data to obtain more information.
  3. Description of the possible consequences of the violation of the security of personal data. Description of the measures adopted or proposed to remedy the violation of the security of personal data, including, if applicable, the measures adopted to mitigate the possible negative effects.
    If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.

Provide the responsible party with all the information necessary to demonstrate compliance with their obligations, as well as for the performance of audits or inspections carried out by the person in charge or by another auditor authorized by him.
Assist the treatment manager to implement the necessary security measures to:

a) Guarantee the confidentiality, integrity, availability and permanent resilience of the treatment systems and services.
b) Restore availability and access to personal data quickly, in case of physical or technical incident.
c) Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the safety of the treatment. availability and access to personal data quickly, in case of physical or technical incident.

Destination of the data

The data controller will not keep personal data related to the manager’s treatment unless it is strictly necessary for the provision of the service, and only for the time strictly necessary for its provision.

5. Obligations of the controller

Responsible for the treatment:
Provide the manager with access to the equipment in order to provide the contracted service.
Ensure, prior to and throughout the treatment, compliance with the RGPD by the person in charge.
Supervise the treatment.

Contract with the company that provides the service

1. Purpose of the treatment request

By means of these clauses, Ricardo Castellanos Gázquez is authorized as the processor in charge of processing on behalf of Iniciatic Digital Services, S.L.U., as data controller, the personal data necessary to provide the service specified below.
The treatment will consist of maintenance of the website.

2. Identification of the affected information
For the execution of the benefits derived from the fulfillment of the object of this assignment, the entity Iniciatic Digital Services, S.L.U. As responsible for the treatment, it makes available to the entity Ricardo Castellanos Gázquez the information available in the computer equipment that supports the data processing carried out by the person in charge.

3. Duration
This agreement has a duration of, renewable.
Once the present contract ends, the person in charge of the treatment must return the person responsible for the personal data, and delete any copy that he keeps in his possession. However, you can keep the data blocked to address possible administrative or jurisdictional responsibilities.

4. Obligations of the treatment manager
The person in charge of the treatment and all his personnel is obliged to:

  • Use the personal data to which you have access only for the purpose of this assignment. In no case may you use the data for your own purposes.
  • Treat the data according to the instructions of the controller.
    If the controller considers that any of the instructions violates the RGPD or any other provision in terms of data protection, the person in charge will immediately inform the person responsible.
  • Not communicate the data to third parties, unless you have the express authorization of the controller, in the legally admissible cases.
    Maintain the duty of secrecy regarding the personal data to which you have had access under this order, even after the contract ends.
  • Guarantee that the persons authorized to process personal data commit themselves, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be informed accordingly.
  • Maintain at the disposition of the responsible party the documentation proving compliance with the obligation established in the previous section.
  • Guarantee the necessary training in terms of protection of personal data of the persons authorized to process personal data.
  • Notification of data security violations
    The person in charge of the treatment will notify the person responsible for the treatment, without undue delay and through the e-mail address indicated by the person responsible, for any breach of the security of the personal data in his charge that he or she has knowledge of, together with all the information relevant for the documentation and communication of the incident.

At least the following information will be provided:

a) Description of the nature of the breach of the security of personal data, including, when possible, the categories and the approximate number of affected stakeholders, and the categories and approximate number of personal data records affected.
b) Details of the contact person to obtain more information.
c) Description of the possible consequences of the violation of the security of personal data. Description of the measures adopted or proposed to remedy the violation of the security of personal data, including, if applicable, the measures adopted to mitigate the possible negative effects.
If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.

Provide the responsible party with all the information necessary to demonstrate compliance with their obligations, as well as for the performance of audits or inspections carried out by the person in charge or by another auditor authorized by him.

  • Assist the treatment manager to implement the necessary security measures to:
    a) Guarantee the permanent confidentiality, integrity, availability and resilience of the treatment systems and services.
    b) Restore the availability and access to personal data quickly, in case of physical or technical incident.
    c) To verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the safety of the treatment.
  • Destination of the data
    The data controller will not keep personal data related to the manager’s treatment unless it is strictly necessary for the provision of the service, and only for the time strictly necessary for its provision.

5. Obligations of the controller
Responsible for the treatment:
a) Provide the manager with access to the equipment in order to provide the contracted service.
b) Ensure, prior to and throughout the treatment, compliance with the RGPD by the person in charge.
c) Supervise the treatment.

RECORD OF TREATMENT ACTIVITIES

Treatment: Clients
Purpose of the treatment
Management of the relationship with customers
Description of customer categories and personal data categories:
Customers:
People with whom a business relationship is maintained as clients
Categories of personal data:
Those necessary for the maintenance of the commercial relationship.
Identification: name and surnames, NIF, postal address, telephone numbers, e-mail
Bank details: for direct debit payments
The categories of recipients to whom the personal data was communicated or communicated:
Spanish data protection agency
When possible, the deadlines set for the deletion of the different categories of data:
Those foreseen by the tax legislation regarding the prescription of responsibilities

Treatment: Employees
Purpose of the treatment
Management of the employment relationship with employees
Description of employee categories and personal data categories:
Employees:
People who work for the person responsible for the treatment
Categories of personal data:
Those necessary for the maintenance of the commercial relationship. Manage payroll, training
Identification: name, surnames, Social Security number, postal address, telephone numbers, e-mail
Personal characteristics: marital status, date and place of birth, age, sex, nationality and percentage of disability
Academic data
Professional data
Bank details, for direct payment of payroll
The categories of recipients to whom the personal data was communicated or communicated:
Labor management
When possible, the deadlines set for the deletion of the different categories of data:
Those foreseen by the fiscal and labor legislation regarding the prescription of responsibilities

Treatment: Candidates
Purpose of the treatment
Management of the relationship with candidates for a job in the company
Description of the categories of candidates and categories of personal data:
Candidates:
People who want to work for the person responsible for the treatment
Categories of personal data:
The necessary to manage the curriculum of possible future employees
Identification: name, surnames, postal address, telephone numbers, e-mail
Personal characteristics: marital status, date and place of birth, age, sex, nationality and others excluding data on race, health or union affiliation
Academic data
Professional data
The categories of recipients to whom the personal data was communicated or communicated:
It is not contemplated
When possible, the deadlines set for the deletion of the different categories of data:
One year since the presentation of the candidacy

Treatment: Providers
Purpose of the treatment
Management of the relationship with suppliers
Description of the categories of providers and categories of personal data:
Suppliers:
People with whom a commercial relationship is maintained as suppliers of products and / or services
Categories of personal data:
Those necessary for the maintenance of the employment relationship
Identification: name, NIF, postal address, telephones, e-mail
Bank details: for direct debit payments
When possible, the deadlines set for the deletion of the different categories of data:
Those foreseen by the tax legislation regarding the prescription of responsibilities

 

ANNEX SECURITY MEASURES

INFORMATION OF GENERAL INTEREST
This document has been designed for the treatment of low risk personal data from which it can be inferred that it can not be used for the processing of personal data that includes personal data related to ethnic or racial origin, religious or philosophical political ideology, union affiliation, data genetic and biometric, health data, and data on sexual orientation of people as well as any other data treatment that entails high risk for the rights and freedoms of individuals.
Article 5.1.f of the General Data Protection Regulation (RGPD) determines the need to establish adequate security guarantees against unauthorized or illegal treatment, against the loss of personal data, destruction or accidental damage. This implies the establishment of technical and organizational measures aimed at ensuring the integrity and confidentiality of personal data and the possibility (Article 5.2) to demonstrate that these measures have been implemented (proactive responsibility).
According to the type of treatment that you have shown when you have completed this form, the minimum minimum security measures that you should take into account are the following:

ORGANIZATIONAL MEASURES
INFORMATION THAT SHALL BE KNOWN BY ALL STAFF WITH ACCESS TO PERSONAL DATA
All personnel with access to personal data must be aware of their obligations in relation to the processing of personal data and will be informed about these obligations. The minimum information that will be known by all the staff will be the following:

DUTY OF CONFIDENTIALITY AND SECRET

  1. The access of unauthorized persons to personal data should be avoided, for this purpose it will be avoided: leaving personal data exposed to third parties (unattended electronic screens, paper documents in areas of public access, supports with personal data, etc.), this consideration includes the screens that are used for the visualization of images of the video-surveillance system. When you are absent from the workplace, the screen will be blocked or the session closed.
  2. Paper documents and electronic media are stored in a secure place (cupboards or restricted access rooms) 24 hours a day.
  3. Documents or electronic media (cd, pen drives, hard drives, etc.) will not be discarded with personal data without guaranteeing their destruction.
  4. Personal data or any personal information will not be communicated to third parties, special attention will be given in not divulging protected personal data during telephone consultations, emails, etc.
  5. The duty of secrecy and confidentiality persists even when the worker’s employment relationship with the company ends.

RIGHTS OF THE DATA HOLDERS
All workers will be informed about the procedure to address the rights of the interested parties, clearly defining the mechanisms by which the rights can be exercised (electronic means, reference to the Delegate of Data Protection if there is one, postal address, etc.). ) taking into account the following:
Upon presentation of their national identity document or passport, the holders of personal data (interested) may exercise their rights of access, rectification, deletion, opposition and portability. The person responsible for the treatment must respond to the interested parties without undue delay.
For the right of access, the interested parties will be provided with a list of the personal data they have available, along with the purpose for which they were collected, the identity of the recipients of the data, the conservation periods, and the identity of the person responsible. which can request the rectification suppression and opposition to the processing of the data.
For the rectification right will proceed to modify the data of the interested parties that were inaccurate or incomplete attending to the purposes of the treatment.
For the right of suppression the data of the interested parties will be suppressed when the interested ones express their refusal or opposition to the consent for the treatment of their data and there is no legal duty that prevents it.
For the portability right, the interested parties must communicate their decision and inform the person responsible, as the case may be, about the identity of the new responsible person to whom they provide their personal data.
The person responsible for the treatment must inform all persons with access to personal data about the terms of compliance to meet the rights of the interested parties, the manner and procedure in which said rights will be met.

SECURITY VIOLATIONS OF PERSONAL DATA

When security breaches occur PERSONAL DATA, such as theft or improper access to personal data will be notified to the Spanish Agency for Data Protection within 72 hours about these security violations, including all the information necessary for the clarification of the facts that would have given rise to improper access to personal data. The notification will be made by electronic means through the electronic headquarters of the Spanish Agency for Data Protection at the address: https://sedeagpd.gob.es

CAPTURING IMAGES WITH CAMERAS AND SECURITY PURPOSE (VIDEO SURVEILLANCE)

  1. LOCATION OF THE CAMERAS: The capture of images in zones destined to the rest of the workers will be avoided.
  2. LOCATION OF MONITORS: The monitors where the images of the cameras are displayed will be located in a space of restricted access so that they are not accessible to third parties.
  3. CONSERVATION OF IMAGES: Images will be stored for a maximum period of one month, with the exception of images that are submitted to the courts and security forces.
  4. DUTY OF INFORMATION: The existence of the cameras and recording of images will be informed by means of an informative badge where by means of a pictogram and a text the person responsible before whom the interested parties will be able to exercise their right of access will be informed. The informative text may be included in the pictogram itself. On the website of the Agency have models, both the pictogram and the text.
  5. LABOR CONTROL: When the cameras are going to be used for the purpose of labor control as provided in Article 20.3 of the Workers’ Statute, the worker or his representatives will be informed about the control measures established by the employer with an express indication of the purpose of labor control of the images captured by the cameras.
  6. RIGHT OF ACCESS TO THE IMAGES: To comply with the right of access of the interested parties, a recent photograph and the National Identity Document of the interested party will be requested, as well as the detail of the date and time to which the right of access refers.
    The interested party will not be given direct access to the images of the cameras in which images of third parties are shown. In case it is not possible to visualize the images by the interested party without displaying images of third parties, a document will be provided to the interested party in which the existence of images of the interested party is confirmed or denied.

For more information you can consult the video surveillance guides of the Spanish Agency for Data Protection that are available to you in the publications section of the web www.aepd.es.

TECHNICAL MEASURES

ID

  1. When the same computer or device is used for the processing of personal data and personal purposes, it is recommended to have several profiles or different users for each of the purposes. The professional and personal uses of the computer must be kept separate.
  2. It is recommended to have profiles with administration rights for the installation and configuration of the system and users without privileges or administrative rights for access to personal data. This measure will prevent access privileges or modify the operating system in case of cybersecurity attack.
  3. The existence of passwords for access to personal data stored in electronic systems will be guaranteed. The password will have at least 8 characters, a mixture of numbers and letters.
  4. When personal data are accessed by different people, for each person with access to personal data, a specific username and password will be available (unambiguous identification).
  5. The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties. For the management of passwords you can consult the privacy and security guide on the internet of the Spanish Agency for Data Protection and the National Institute of Cybersecurity. In no case will the passwords be shared nor annotated in common place and accessed by people other than the user.

DUTY OF SAFEGUARD

The following are the minimum technical measures to guarantee the safeguarding of personal data:

  1. UPDATING OF COMPUTERS AND DEVICES: The devices and computers used for the storage and processing of personal data must be kept up-to-date as possible.
  2. MALWARE: On computers and devices where the automated processing of personal data is carried out, an antivirus system will be available to guarantee the theft and destruction of personal information and data as much as possible. The antivirus system should be updated periodically.
  3. FIREWALL OR FIREWALL: To avoid undue remote access to personal data will be ensured to ensure the existence of an activated firewall on those computers and devices in which the storage and / or processing of personal data is made.
  4. ENCRYPTION OF DATA: When it is necessary to perform the extraction of personal data outside the site where it is processed, either by physical means or by electronic means, the possibility of using an encryption method to guarantee the confidentiality of the data should be assessed. personal in case of undue access to information.
  5. COPY OF SECURITY: Periodically a backup copy will be made in a second support different from that used for daily work. The copy will be stored in a secure place, different from that in which the computer is located with the original files, in order to allow the recovery of personal data in case of loss of information.

 

The security measures will be reviewed periodically, the review may be done by automatic mechanisms (software or computer programs) or manually. Consider that any computer security incident that has happened to any acquaintance can occur to you, and be warned against it.

If you would like more information or technical guidance to guarantee the security of personal data and the information your company is dealing with, the National Institute of Cybersecurity (INCIBE) on its website www.incibe.es, puts at your disposal tools with a business focus on its “Protect your company” section where, among other services, it has:

 

  1. a training section with a videogame, challenges to respond to incidents and interactive videos of sectorial training,
  2. an Awareness Kit for employees,
    various tools to help the company improve its cybersecurity, including policies for the employer, the technical staff and the employee, a catalog of companies and security solutions and a risk analysis tool.
  3. thematic dossiers complemented with videos and infographics and other resources,
  4. guides for the entrepreneur,

In addition, INCIBE, through the Internet Security Office, also offers free computer tools and additional information may be useful for your company or your professional activity.

We inform you that this website uses its own and third-party cookies for performance, functionality and advertising purposes. By browsing it, you consent to the use of them. You can obtain more information or reject cookies in our Cookies Policy. I agree and agree to edit and control cookies more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close