DATA PROTECTION POLICY
Jordi Rosas Rafart with CIF 77745612T and registered office at Disseminado mas buidasachs, s/n, Viver i Serrateix, CP 08673, Barcelona province, is responsible for the processing of personal data.
Jordi Rosas Rafart applies the principle of active responsibility in the processing of your personal data, constantly updating and promoting continuous improvement of the data protection system. He keeps all documentation and records available to the supervisory authority and data processors, providing evidence that demonstrates his firm commitment to the protection of personal data.
Jordi Rosas Rafart guarantees:
- Respect for the fundamental freedoms and rights of natural persons
- That the data is processed in a lawful, fair and transparent manner
- That the data processed are accurate, adequate, relevant and limited in relation to the purposes for which they are collected
- That the purposes for which they are collected are explicit and legitimate and that they are not processed in a manner incompatible with those purposes.
- That the data will not be kept beyond the time necessary for the purposes for which they were collected
- The appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
In those data processing operations that entail a high risk to the rights and freedoms of individuals, Jordi Rosas Rafart will conduct an impact assessment as outlined in this manual.
Likewise, whether a data protection officer needs to be appointed to provide advice, supervision, and cooperation between the organization and the supervisory authority will be determined in accordance with Article 37 of Regulation (EU) 2016/679 and as set out in this manual.
SCOPE AND FIELD OF APPLICATION
Jordi Rosas Rafart is based in Spain and, in the course of its activities, processes the personal data of citizens residing in the European Union. It is the data controller. Jordi Rosas Rafart acts as its legal representative.
The activities carried out can be summarized as follows: LIVESTOCK, AGRICULTURE AND AGROTOURISM.
For the development of its activities, the organization has the following centers: DISSEMINADO MAS BUIDASACHS, S/N in VIVER I SERRATEIX (08673 – Barcelona).
The joint controllers, where they exist, determine in a transparent manner and by mutual agreement their respective responsibilities for fulfilling the obligations imposed by Regulation (EU) 2016/679. The content of the agreement can be found in the Annex “Joint Responsibility for Data Processing” Agreement.
The processing activities carried out by the organization are recorded in the Processing Activities Register of this manual. The territorial scope of each activity is included in this register.
To comply with the obligations as data processor, when processing data on behalf of third parties and pursuant to Article 28 of Regulation (EU) 2016/679, the provisions of the contractual clauses added to the service provision contract, which are set out in the Annex CONTRACTUAL CLAUSES FOR THE PROVISION OF SERVICES AS DATA PROCESSOR, shall apply.
Regarding the data processing and/or storage system, the organization performs:
- Automated processing of personal data (digital/computer). Data processed automatically or mechanized, that is, in electronic or digital format using computer systems.
- Non-automated processing of personal data (Manual/Paper). Data processed manually, without any automated system, i.e., data processed exclusively in paper format.
LEGAL BASES FOR DATA PROCESSING
Identification of the legal basis on which the processing is carried out
Regulation (EU) 2016/679 preserves the principle established in Directive 95/46 according to which all processing of personal data must be supported by a legal basis that legitimizes it.
It establishes, as a general rule, that personal data must be processed with the data subject’s consent, but allows for any other legitimate basis under the law: contractual relationships, vital interests of the data subject or third parties, legal obligations on the part of the controller, public interest, etc.
Taking into account the general principle of “proactive accountability,” it is a requirement to support data processing on a legitimate basis. The legitimate interest underlying each processing activity is documented and established in the Register of Processing Activities.
Furthermore, taking into account the principles of transparency and information, the organization provides the legal basis for processing to all data subjects, as indicated in the corresponding section of this manual.
Legality based on the service provision contract
The processing of personal data necessary for the proper provision of the contractually agreed services establishes the legal basis for such processing.
Data subject consent is only obtained if the purposes are different from those contractually agreed upon.
Lawfulness based on consent
The data subject’s consent may be given in writing, electronically, or by voice (depending on the organization’s priority and usual mode of communication), with records being kept available to the supervisory authority. The necessary information is available to collect data subject consent.
Consent in the case of minors under 14 years of age
Article 8 of Regulation (EU) 2016/679 establishes new guidelines on the consent of minors for the processing of their personal data in order to increase information privacy.
The processing of the personal data of a minor may only be based on their consent if they are over 14 years of age. The processing of data of minors under 14 years of age, based on consent, will only be lawful if it is provided by the holder of parental authority or guardianship, to the extent determined by the holders of parental authority or guardianship.
Legality based on a legal obligation
The processing of personal data necessary for compliance with legal obligations is based on established regulations.
The organization processes its employees’ personal data as an inevitable and necessary consequence of the employment relationship, and it would be misleading to attempt to legitimize this processing through consent. Therefore, the organization does not base the processing of its employees’ personal data on consent, but rather uses the employment contract as the legal basis.
For data processing purposes other than fulfilling a legal obligation (such as an employment contract or communication with the tax authorities or social security), the provisions of the previous section (consent) will apply.
Legality for the processing of data that have not been collected directly from the interested parties
In the event that personal data is processed that has not been collected directly from the data subjects, it is guaranteed that the rights and freedoms of the data subjects prevail over the legitimate interests pursued by the organization, for example, for the purpose of sending advertising.
It is also guaranteed that the source of the data is publicly accessible and that the interested parties are not registered on the Robinson List.
PROCESSING OF SPECIAL CATEGORIES OF DATA
Regulation (EU) 2016/679 establishes special categories of data in Article 9. These categories are sensitive data that require special protection, either by reason of their nature or their connection with individuals’ fundamental rights and freedoms. Specific provisions apply to them when their processing may entail significant data protection risks.
Regulation (EU) 2016/679 prohibits the processing of these categories of data by default, with specific exceptions for those cases where the data subject has given explicit consent or in the context of legitimate activities by certain associations or foundations aimed at enabling the exercise of fundamental freedoms. It also determines that sensitive data may be processed when there is a public interest based on the legislation in force in each EU country, for example in the areas of employment, social protection, pensions, healthcare, or other serious threats to health.
As an exception to the default prohibition set out in the previous section, the organization only processes special categories of data when:
- The data subject has given explicit consent for specific purposes (except where prohibited by applicable law).
- It is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
- The processing is lawfully carried out by a non-profit organization for political, philosophical, religious or trade union purposes in relation to its purposes.
- The interested party has clearly made his or her data public.
Or when the processing is based on current legislation:
- Under the responsibility of persons subject to the obligation of professional secrecy.
- For the purposes of health or social care, preventive or occupational medicine, or medical diagnosis, including the assessment of the worker’s work capacity.
- For judicial proceedings.
- It is necessary to comply with labor legislation, social security or protection legislation, or collective agreements.
- It is necessary for reasons of public interest in the field of public health or health care.
- It is necessary for archiving purposes in the public interest for scientific, historical or statistical research.
The organization will process data based on profiling, which includes the creation of individual decisions based on automated processing intended to evaluate personal aspects or analyze or predict health data, when the data subject has given consent for specific purposes permitted by current legislation or the processing is carried out for purposes of public interest or under the supervision of public authorities, based on current legislation.
When the organization intends to perform processing operations that may affect the fundamental rights of the affected individuals, a risk analysis will determine whether or not there are risks inherent to the intended processing. If the risks cannot be reduced to tolerable limits, an impact assessment will be required, as determined in the corresponding section.
Certain processing operations require the appointment of a data protection officer. The organization will retain a data protection officer, where appropriate, and will inform all data subjects about the officer’s identity and contact information.
TRANSPARENCY AND INFORMATION FOR DATA SUBJECTS
Regulation (EU) 2016/679 establishes that information provided to data subjects, both regarding the conditions of the processing that affects them and in responses to the exercise of their rights, must be provided in a concise, transparent, intelligible, and easily accessible manner, using clear and simple language.
According to Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights, the basic information provided to data subjects includes:
a) The identity of the data controller and their representative, where applicable.
b) The purpose of the processing.
c) The possibility of exercising the rights established in Articles 15 to 22 of Regulation (EU) 2016/679.
If profiling or automated decision-making is involved, this information is also provided.
When the personal data has not been obtained from the data subject, data subjects are provided with the basic information above, along with a link that allows them to access all information on the organization’s processing activities, including the categories of data being processed and the sources from which the data originate.
Personal data may be transferred with the prior authorization of the interested party after analyzing the transfer (transfers may be based on legal or contractual requirements or a requirement necessary to enter into a contract).
The existence of automated decision-making and profiling, or the decision to adopt them, will be subject to a corresponding risk analysis and impact assessment if the risks cannot be reduced to acceptable limits.
Before processing personal data for a purpose other than that for which it was collected, a risk analysis is conducted. If the risk is acceptable, the data will be processed for the new purpose, always under a legal basis, and this will be included in the information provided to data subjects.
The information provided to interested parties is collected in the INFORMATION AND CONSENT documents.
If the personal data are used to establish communication with the data subject, the data subject is provided with the information to which he or she is entitled at the time of the first communication, and if the data is to be communicated to another recipient, the information is provided to the data subject no later than the time the personal data are communicated for the first time.
Data subjects do not need to be informed when they already have the information, when communication of such information is impossible or involves a disproportionate effort, when the information makes it impossible or hinders the achievement of the processing objectives, when obtaining or communicating it is expressly required by applicable law, or when the personal data are confidential based on an obligation of professional secrecy.
Particularly cumbersome formulas have been avoided, and vocabulary has been used that facilitates understanding by any interested party.
Informative clauses explain the content they immediately refer to in a clear and accessible manner for interested parties, regardless of their knowledge of the subject matter.
Information is provided to interested parties in writing, including electronic means, and may also be provided verbally, subject to verification of the interested party’s identity.
RIGHTS OF INTERESTED PARTIES
Procedure for exercising rights and obligations of the controller
Generally speaking, Regulation (EU) 2016/679 requires controllers to facilitate data subjects’ exercise of their rights. This mandate requires that the procedures and forms for this exercise must be visible, accessible, and simple. Regulation (EU) 2016/679 does not establish a specific method for exercising rights, but it does require controllers to facilitate the submission of requests by electronic means, especially when processing is carried out by such means.
Jordi Rosas Rafart guarantees that the exercise of these rights is free of charge for the interested party, provided that the requests are not manifestly unfounded or excessive, especially if they are repetitive. It is the responsibility of the controller to demonstrate the unfounded or excessive nature of the requests. In these cases, the controller may charge a fee to compensate for the administrative costs of responding to the request, or refuse to act.
The interested party will be informed of the actions resulting from their request within one month, which may be extended by two months in the case of particularly complex requests.
This extension of the deadline must be notified within the first month. If the controller decides not to comply with the request, it must inform the interested party of this, giving reasons for the refusal, within one month of its submission.
All reasonable measures are taken to verify the identity of those exercising the rights recognized in Regulation (EU) 2016/679, by requesting a national identity card or equivalent document proving the data subject’s identity. A RECORD OF EXERCISES OF RIGHTS (see appendix) is also maintained, which records and monitors all exercises of rights requested by data subjects.
To exercise rights through applications, the organization provides interested parties who wish to exercise their rights with the corresponding forms included in the annexes and specified in the following points:
Right of access
The right of access is regulated in Article 15 of Regulation (EU) 2016/679. Recitals 63 and 64 set out the right of the data subject to obtain confirmation from the data controller as to whether or not personal data concerning him or her are being processed.
To address the access rights of any interested party, Jordi Rosas Rafart provides a suitable request form, which is included in the DATA ACCESS REQUEST Appendix.
Any interested party requesting this right and properly identifying themselves will receive a response from the organization in the form of an informative document (the form is included in the RESPONSE TO THE EXERCISE OF THE RIGHT OF ACCESS Appendix).
If the response to the right of access is sent by mail, the person requesting the right will be sent the response document by letter with acknowledgment of receipt, certified mail, or any other means that proves it was sent and received.
If the response is positive, the information will include the data subject’s personal data that are being processed, the purposes of the processing, the categories of personal data processed, as well as the recipients or categories of recipients to whom the data are or will be communicated, in addition to any available information regarding the origin of the data, the expected retention period for the data or, if not possible, the criteria used to determine this period, as well as the right to lodge a complaint with a supervisory authority. The data subject will also be informed of the existence of the right to request from the controller rectification or erasure of personal data or restriction of the processing of personal data relating to the data subject, or to object to such processing.
Right of rectification
The right to rectification is enshrined in Article 16 of Regulation (EU) 2016/679, which provides that the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary declaration.
In the event that the data subject’s data is incomplete or inaccurate, the organization guarantees that it will be updated without undue delay.
The interested party may request the right to rectify their data by using the application form attached in the DATA RECTIFICATION REQUEST Annex.
Once the data has been rectified, the organization will inform the interested party about the rectification carried out (Annex RESPONSE TO THE EXERCISE OF RIGHTS).
Right to restriction of processing
The right to restriction of processing is regulated by Article 18 of Regulation (EU) 2016/679 and establishes the right to have data processing restricted at the data subject’s request.
Data subjects may request the right to restriction of their data by using the application form attached in the Annex, “REQUEST FOR LIMITATION OF DATA PROCESSING.”
In response, the organization may proceed to restrict the processing of the data subject’s data if any of the following circumstances apply:
- When the data subject contests its accuracy, processing is limited to the period necessary to verify the accuracy of the data.
- When the processing of data is unlawful but the data subject opposes the deletion of his or her data
- When the data is no longer necessary for the purposes of the organization but is necessary for the interested party (complaints, etc.)
- When the interested party objects to the processing while it is verified whether the legitimate interests of the organization prevail over those of the interested party
For data limitation, the organization will follow one of the following methods:
- It will temporarily transfer the selected data to another processing system.
- It will prevent users from accessing the selected personal data.
- It will temporarily remove published data from a website.
- It will clearly indicate in the system (automated file) that the processing of the data concerned is restricted.
In cases where the organization proceeds to restrict processing, the data of the affected party may only be processed:
- for storage.
- with the consent of the interested party.
- for the formulation, exercise or defense of claims.
- for the protection of the rights of the natural or legal person.
- for reasons of public interest of the EU or Member States.
Once the data has been restricted, the data subject will be informed, justifying their decision (Annex RESPONSE TO THE EXERCISE OF RIGHTS) as well as the restriction implemented. They will also be informed when the restriction on processing is lifted.
Right to erasure / right to be forgotten
Article 17 of Regulation (EU) 2016/679 provides that data subjects shall have the right to obtain from the controller the erasure of personal data concerning them without undue delay.
Data subjects may request the right to erasure/right to have their data forgotten by using the application form attached in the Annex: REQUEST FOR ERASURE/RIGHT TO BE FORGOTTEN.
The organization proceeds to erase the interested party’s data when any of the following circumstances occur:
- the personal data are no longer necessary in relation to the purposes for which they were collected.
- the interested party withdraws the consent on which the processing is based and there is no other legal basis for it.
- the interested party objects to the processing (right to object).
- personal data have been processed unlawfully.
- the personal data must be erased to comply with a legal obligation applicable to the data controller.
- The personal data have been obtained in connection with the direct offer of information society services to children.
The organization does not accept requests for deletion from the interested party when the processing is necessary in the following cases:
- to exercise the right to freedom of expression and information.
- for compliance with a legal obligation requiring data processing imposed by EU or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- for reasons of public interest in the field of public health.
- for archiving purposes in the public interest, scientific or historical research or statistical purposes.
- for the formulation, exercise or defense of claims.
The organization will promptly inform the interested party regarding the right requested, as well as of any erasure carried out (Annex RESPONSE TO THE EXERCISE OF RIGHTS).
Right to object
The right to object is regulated in Article 21 of Regulation (EU) 2016/679. We can say that it is the right of the data subject to object, at any time, for legitimate and well-founded reasons related to their particular situation, to the processing of their personal data.
To address the right of objection of any data subject, Jordi Rosas Rafart provides a suitable application form, which is included in the Annex: APPLICATION FOR OBJECTION.
When the data subject exercises their right to object, Jordi Rosas Rafart will stop processing said personal data, conducting an analysis to determine whether the data subject’s right prevails over the organization’s legitimate interests. To this end, the situation, reasons, and documentation provided by the data subject will be thoroughly analyzed.
If there are legitimate grounds that justify the processing (for example, to formulate, exercise, or defend claims), the data will continue to be processed despite the data subject’s objection, and the request may be rejected.
Right to portability
Article 20 of Regulation (EU) 2016/679 establishes a new right for users: the right to data portability. This right complements the right of access, as it allows data subjects to obtain the data they have provided in a structured, commonly used, and machine-readable format.
The right to data portability also means that the data subject’s personal data may be transmitted directly from one entity or organization to another, without having to transfer it to the data subject, provided that this is technically feasible.
The Regulation thus opens up the possibility not only of obtaining and reusing data, but also of transmitting it to another service provider. Data subjects will therefore have the option of requesting their data or having it transmitted directly from one entity to another.
The organization guarantees the exercise of the interested party’s right to data portability through an appropriate application form, which is included in the PORTABILITY REQUEST Annex.
Once the right has been requested, the interested party will be sent all the personal data concerning them that they have provided, provided that the processing is based on consent or is necessary for the execution of a contract and is carried out by automated means.
It also makes it easier for interested parties to receive data in a structured, commonly used, machine-readable, and interoperable format, technology permitting.
The organization does not apply the right to data portability to data that the data subject has provided about third parties or to data provided to the organization through third parties.
CONTROLLER-PROCESSOR RELATIONSHIPS
Choice of data processor
Article 28 of Regulation (EU) 2016/679 states that “the controller shall only choose a processor who provides sufficient guarantees to implement appropriate technical and organizational measures to ensure that the processing complies with the requirements of this Regulation and ensures the protection of the rights of the data subject.”
Recital 81 adds that, in particular, the controller shall take into account the expertise, reliability, and resources of the processor in implementing the technical and organizational measures that meet the requirements of the Regulation.
Jordi Rosas Rafart guarantees due diligence in selecting a data processor who offers sufficient guarantees to ensure that data processing is carried out in accordance with Regulation (EU) 2016/679 and protects the rights of the data subjects.
Jordi Rosas Rafart remains responsible for the data processing carried out by the data processor and does not lose this status under any circumstances.
Jordi Rosas Rafart signs a binding confidentiality agreement with each and every one of the data processors selected, regulating the relationship between the two parties and establishing appropriate signature controls.
The confidentiality agreement between the data controller and the data processor may be part of the service provision contract. In this case, a specific data protection clause will be added to the contract, reflecting the content of the appendix cited in the previous paragraph.
The contract guarantees, among other aspects:
- that the data processor does not use another data processor without the prior written authorization of the organization responsible for data processing.
- that the persons authorized to process the data have undertaken to respect the confidentiality of the data and that they have the necessary training in the matter.
- that the data processor will make available to the controller all necessary documentation to demonstrate compliance with the obligations and will contribute to the performance of audits by the controller.
The DATA PROCESSORS REGISTER (see Annex) lists all data processors hired by the organization.
Verification of compliance with obligations
Pursuant to Article 28(3)(h) of Regulation (EU) 2016/679, Jordi Rosas Rafart requires each data processor to demonstrate, at least annually, that they maintain compliance with their contractual obligations and the security measures that guarantee data protection.
To this end, review audits may be carried out on data processors or, alternatively, the data processor may be required to provide the necessary documentary evidence (Annex INFORMATION LETTER FOR DATA PROCESSORS).
Commissioned data processing
When a data controller (usually a client) requests data processing on a commissioned basis, Jordi Rosas Rafart will act as the data processor, complying with all the obligations established by Article 28 of Regulation (EU) 2016/679.
The Annex CONFIDENTIALITY CLAUSE FOR THE PROCESSING OF DATA ON REQUEST contains the binding contractual content that must be signed by both parties or, failing that, the contractual agreement established by the data controller.
ACTIVE RESPONSIBILITY MEASURES
Risk analysis. Record of processing activities.
Regulation (EU) 2016/679 does not offer a set of predefined security measures. It proposes that security measures be established based on the identified risk and that they can be adapted to new risks or the changing circumstances of the organization.
Essentially, it is a proactive approach to security that requires not only the existence of these measures on paper but also their effective implementation.
Jordi Rosas Rafart adheres to the aforementioned proactive approach to data security by establishing appropriate security safeguards that primarily prevent:
- Unauthorized or unlawful processing of personal data.
- The loss of personal data, its accidental destruction or damage.
To determine the technical and organizational measures, the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks that these may pose to the rights and freedoms of natural persons, are taken into account.
Risk analysis is the result of a reflection on the implications that the processing of personal data has on data subjects.
To this end, the nature and types of processing carried out by Jordi Rosas Rafart have been defined, along with their characteristics, purposes, processing methods, potential recipients, and control over personnel with access to the data. The risk analysis carried out determines whether each processing activity carried out by the organization, as well as any changes or new activities to be undertaken, presents risks to the fundamental rights and freedoms of individuals.
The results of the risk analysis are recorded in the corresponding RISK ANALYSIS REPORT, a document that demonstrates both the aspects analyzed and the results obtained.
If the risk analysis results determine that the risk is low, no further action is necessary. If the risk analysis determines that there are high risks, the necessary corrective and preventive measures are adopted to reduce the risk levels found. An impact assessment will be conducted when the measures adopted fail to reduce the risks.
All processing activities carried out by the organization are recorded in the PROCESSING ACTIVITY REGISTER Appendix of this manual. Not only is the scope of each activity defined: definition of data categories, data types, operations, purposes, legality, data origins, recipients, scope of action for each activity, as well as the existence or absence of profiling, but also the access, permissions, workers involved, commissioned processing, and the media associated with each activity are analyzed.
Any change in the activities or their organization is updated in the PROCESSING ACTIVITY REGISTER, which demonstrates the organization’s firm commitment to the protection and control of personal data.
Data protection by design and by default
Pursuant to Article 25 of Regulation (EU) 2016/679, and taking into account the nature, scope, context, and purpose of the processing indicated in the previous section, the organization has implemented both technical and organizational security measures to ensure that processing is carried out securely.
The organization also guarantees that data processing is analyzed before and during the processing activity, determining the scope of the processing, the minimum data necessary to fulfill the intended purpose, the duration of the processing, data retention, and access control.
For each processing activity and prior to its implementation, in compliance with protection by design and by default, the organization analyzes all aspects involved in the security of the processing: the risks to the freedoms and rights of individuals based on the nature of the data to be requested, the purpose for which they are requested, the origin, the type of processing, the recipients, the possibility of international data transfers, the possibility of profiling studies, and the amount of data expected to be processed.
Based on the above, the most appropriate processing methods are determined, which in all cases will be technical and organizational means that guarantee compliance with Regulation (EU) 2016/679.
During processing activities, the organization adopts the technical and organizational control measures described in this manual, both regarding the processing methods and the persons with access to the processed data.
The organization guarantees that, by default, the data are not accessible to an indeterminate number of natural persons, and that they are only accessible to authorized persons (both data processors and organization employees) and through controlled and periodically supervised means.
The following section describes the measures adopted, both technical and organizational, for data protection: storage media and methods, access control, backups, confidentiality commitments, etc.
Technical and organizational security measures
Regulation (EU) 2016/679 states that security measures must be proportionate and appropriate to the risk identified in each processing activity.
The technical and organizational measures developed take into account:
- Workers who have access to data: access controls are established, the processing activities carried out by each worker are determined and recorded, a data protection training mechanism is set up to raise awareness and ensure that workers know their responsibilities, a confidentiality commitment is signed by every worker with access to data, and the workers who assume specific data protection functions are identified through a system of accepted appointments.
- The media used for data storage and processing: each medium is inventoried and controlled together with the processing activities associated with it, security measures for access, copying, deletion, encryption, etc. are defined, and an input and output control system is maintained.
- The existence of remote access points and external servers, whether public or private: the security features they offer are analyzed and effective protection is ensured.
- Any other measures to restrict and control access to data that are determined on the basis of the results of the risk analyses carried out.
To ensure ongoing data protection, the effectiveness of the measures adopted is periodically verified and evaluated. The periodic evaluation consists of a systematic review of the processing activities carried out or about to be initiated, the personnel with access to them, monitoring of confidentiality commitments, monitoring of recipients and, in particular, data processors, as well as any other measures indicated in the risk analysis report.
The control procedure analyzes all media, both electronic (computers, smart electronic devices, servers, etc.) and manual (file cabinets, folders, etc.) and determines the risks based on the processing activities they contain.
Measures have also been included to ensure the ongoing confidentiality, integrity, availability, and resilience of each data processing medium or system, as well as measures to ensure the ability to quickly restore the availability and access to personal data in the event of a physical or technical incident.
The commitment to train all employees who have access to and/or process personal data is met. Appropriate and reviewable data protection training is provided (a specific section for training each employee is included in the control log).
Personal data security breaches
Jordi Rosas Rafart has taken into account the risks posed by processing as a result of accidental or unlawful destruction, loss, or alteration of personal data transmitted, stored, or processed, or unauthorized communication or access to such data, to assess the level of security applied.
When a security breach occurs, such as theft of or unauthorized access to personal data, the procedure for recording the detected security breach is followed, in compliance with Articles 33 and 34 of Regulation (EU) 2016/679.
To manage the data breach or security violation, the security officer (or the data protection officer, as applicable) will carry out a procedure to analyze and record the situation.
The analysis will consider whether the breach affecting the data poses a risk to the rights and freedoms of individuals that may cause physical, material, or non-material damage or that may entail:
- discrimination problems
- identity theft or fraud
- financial losses
- damage to reputation
- loss of confidentiality of data subject to professional secrecy
- unauthorized reversal of pseudonymization or any other significant economic or social harm
It also examines whether a data breach could deprive data subjects of their rights and freedoms or prevent them from exercising control over personal data that reveals:
- ethnic or racial origin
- political opinions
- religion or philosophical beliefs
- union membership
- genetic data
- data relating to health or data about sexual life
- data relating to criminal convictions and offences or related security measures
Cases in which personal aspects are evaluated are also analyzed, in particular the analysis or prediction of aspects relating to:
- work performance
- economic situation
- health
- personal preferences or interests
- reliability or behaviour, location or movements, in order to create or use personal profiles
Cases involving the personal data of vulnerable individuals, particularly children, are also analyzed.
If the above analysis concludes that the breach affects or is likely to result in a risk to the rights and freedoms of individuals, the breach will be notified to the Spanish Data Protection Agency (AEPD); where the breach is likely to result in a high risk to those rights and freedoms, the affected data subjects will also be informed.
Data Security Breach Notification
Where notification of a security breach is required, it must be made without undue delay and, where feasible, within 72 hours of the data controller becoming aware of it.
This notification will be made electronically through the Spanish Data Protection Agency’s website at https://sedeagpd.gob.es, providing all the necessary information to clarify the events that led to the incident. The notification includes:
- The nature of the breach, categories of data and affected data subjects.
- The measures taken by the controller to address the breach.
- Where applicable, the measures taken to mitigate its possible adverse effects on data subjects.
Where the breach is likely to result in a high risk to their rights and freedoms, the affected data subjects will be informed without undue delay, in clear and plain language, describing the nature of the breach and including at least the information listed above.
Data protection impact assessment
The impact assessment is an exercise that follows the risk analysis and is carried out for those processing operations that require it in order to guarantee the data subjects' right to data protection.
It consists of a detailed evaluation of the processing operations that, as a result of the analysis, require the adoption of other necessary additional measures to eliminate or mitigate as far as possible those risks that have been classified as intolerable.
The organization seeks the advice of the data protection officer, where appropriate, when conducting the impact assessment.
An impact assessment is conducted for large-scale processing of special categories of data, for processing of data relating to criminal convictions and offences, for large-scale systematic monitoring of a publicly accessible area, and for any processing operation whose risk the risk analysis classifies as intolerable. The assessment includes a systematic description of the planned processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller. It also includes an assessment of the risks to the rights and freedoms of data subjects and the measures envisaged to address those risks, including safeguards and mechanisms to ensure the protection of personal data.
All impact assessments that the organization must carry out will be duly documented.
Data Protection Officer
The organization declares its commitment to Article 34 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights, appointing a data protection officer if required to do so.
Likewise, if, after analyzing the processing activities, it is determined that the organization requires the appointment of a Data Protection Officer, it will do so as required by law, taking into account their professional qualifications, knowledge, and skills in the field.
Where appropriate, the organization will maintain a data protection officer, whose contact details are published to data subjects and communicated to the competent data protection authority, ensuring that the data protection officer:
- is involved, properly and in a timely manner, in all matters relating to the protection of personal data.
- is supported by the organization in the performance of his or her tasks.
- has the resources necessary to perform those tasks and to maintain his or her expert knowledge, including access to personal data and processing operations.
- receives no instructions regarding the performance of his or her tasks.
- is not dismissed or penalized for performing his or her tasks.
- reports directly to the highest management level of the organization.
- assists data subjects and is bound by secrecy and confidentiality in the performance of his or her tasks.
If the data protection officer performs other functions within the organization, it is guaranteed that the situation does not give rise to a conflict of interest.
INTERNATIONAL TRANSFERS
In order to carry out international transfers of personal data, Article 44 of Regulation (EU) 2016/679 requires the controller and the processor to comply with the conditions of Chapter V. A transfer may be carried out when:
1. an adequate level of protection for the personal data of natural persons is guaranteed in the third country to which the data are transferred;
2. appropriate safeguards are in place, such as binding corporate rules (BCRs) that have been drawn up and approved; or
3. failing the above, one of the derogations provided for specific situations applies.
When the organization carries out international data transfers or uses internet-hosted servers to store personal data, it assesses the location of those servers and their providers, analyzing whether guarantees exist for the people whose data are in that situation, specifically whether:
- There is a legally binding and enforceable instrument between the authorities or public bodies of the countries concerned.
- There are binding corporate rules (approved by the supervisory authority or the Commission) between the organization and the organizations receiving the data.
- There are standard clauses (approved by the supervisory authority/commission) attached to the service contract.
- There is a code of conduct (approved by the supervisory authority or the Commission) together with binding and enforceable commitments of the recipient in the third country.
- there is a certification mechanism.
- the explicit consent of the interested party is available and he or she has been informed of the possible risks.
The results will be duly documented in the PROCESSING ACTIVITY REGISTER.
PERIODIC VERIFICATION OF THE DATA PROTECTION SYSTEM
In order to maintain constant control of the data protection system adopted by the organization, the organization undertakes to conduct internal verification audits periodically and whenever changes are made to the processing activities, analyzing all control points related to the processing activities carried out. The results will be documented and made available to the supervisory authority and to data subjects upon request as proof of compliance.
