The Spanish Constitution, in its Article 18, guarantees the right to honour, to personal and family privacy and to one's own image. In particular, in section 4, it establishes the need to protect those fundamental rights in the field of information technologies. Thus, Article 18.4 of the Spanish Constitution stipulates:
“The law shall restrict the use of data processing in order to guarantee the honour and personal and family privacy of citizens and the full exercise of their rights.”
To comply with this order and expand its content, the Organic Law on Regulation of the Automated Processing of Personal Data (5/1992, 29 October), known as the LORTAD, was enacted.
Subsequently, the European Union enacted the Directive 95/46/EC on the protection of natural persons with regard to the processing of personal data and on the free circulation of data.
In compliance with that Directive, Spain enacted the Organic Law on the Protection of Personal Data (L.O. 15/1999, 13 December), colloquially known as LOPD, which transposed Directive 95/46/EC into the Spanish legal framework, and the Royal Decree 1702/2007, 21 December, which approves the implementing regulation of the LOPD, also known as RDLOPD.
However, in order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation was necessary to provide legal certainty and transparency for economic operators and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States.
That is why the EU approved on 25 May 2016 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free circulation of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Currently, the General Data Protection Regulation of the European Union in force (hereinafter, GDPR) has repealed Directive 95/46/EC and it is fully and directly applicable throughout the territory of the European Union.
Article 24 of the aforementioned GDPR establishes the accountability obligation of VERANDA MEDIA, S.L. (hereinafter, VERANDA) to implement appropriate data protection policies to ensure, and to be able to demonstrate, that processing is performed in accordance with that regulation.
Along the same lines, article 28 of the Organic Law 3/2018, 5 December, on the Protection of Personal Data and guarantee of digital rights (also known as LOPDGDD), indicates that both controllers and processors, taking into account the elements listed in articles 24 and 25 of the GDPR, will determine the appropriate technical and organizational measures that must be applied in order to guarantee and prove that the processing is in accordance with the aforementioned regulation, with the mentioned organic law, its detailed rules and the legislation applicable to the sector.
One of the basic obligations of VERANDA is the training of staff involved in processing operations and awareness-raising of the staff in the importance and necessity to obey the regulation.
Based on these assessments, and aware of how important it is for the staff to know the current regulation in relation to data protection, this internal regulation for data protection has been approved as mandatory for every employee.
Purpose of the policy
The present policy has been approved by VERANDA and its purpose is to establish the obligations of the employees of VERANDA, at corporate level, to comply with the current personal data protection regulation in the fulfilment of their duties.
Data Protection Officer
VERANDA has a Data Protection Officer with the contact email address email@example.com who, among other functions, cooperates with the data protection supervisory authorities and attends to data subjects during their claims regarding data protection, in particular those made prior to the filing of a claim with the supervisory authority.
General principles of data protection
The general principles that must govern any processing of personal data that is carried out by VERANDA are the following:
Principle of fairness, which implies the compliance with the general or sector legislation applicable to processing, as well as the policies and guidelines of VERANDA.
Principle of proportionality, which implies that the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.
Principle of lawfulness, which implies that any processing shall be lawful if at least one of the following applies:
- The subject has given consent to the processing of their personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary to satisfy the legitimate interests pursued by VERANDA or by a third party directly related to VERANDA, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Principle of transparency, which implies that the subject shall be informed of the extent of the processing in a fair, unequivocal, specific and express manner.
Principle of purpose and limitation of purpose, which implies that processing shall always be carried out with explicit, lawful and specific purposes.
Principle of compatibility, which forbids the processing of personal data for purposes incompatible with those for which the personal data were initially collected. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes will not be considered incompatible.
Principle of data minimisation, which implies that the data processed will be adequate, relevant and limited to the minimum amount of data necessary in relation to the purposes for which they are processed.
Principle of accuracy, which implies that personal data will be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Principle of storage due date, which implies that the data will be kept in a form which allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Principle of integrity, confidentiality and security, which implies that the data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Principle of data protection by design and by default, which implies keeping the processing of personal data to a minimum in relation to (i) the amount of personal data collected, (ii) the extent of their processing, (iii) the period of their storage and (iv) their accessibility.
Principle of accountability, which implies that the controller shall be responsible and be able to demonstrate compliance with the principles mentioned.
Data protection rights
The data subjects will be informed of the following rights, which will also be dealt with and managed by VERANDA insofar as they are exercised:
Right of access: the data subject shall have the right to obtain from VERANDA confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
Right to rectification which will grant the data subject the right to obtain from VERANDA without undue delay the rectification of inaccurate personal data concerning them and the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (‘right to be forgotten’) which grants the data subject the right to obtain from VERANDA the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing for reasons related to their particular situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing with a marketing purpose;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services when the data subject was a minor.
Right to restriction of processing which will grant the data subject the right to obtain from VERANDA restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing based on reasons related to their particular situation, pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability which will grant the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent or on a contract; and
- the processing is carried out by automated means.
Right to object which will grant the data subject the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on a task carried out in the public interest or the purposes of the legitimate interests pursued by the controller, including profiling based on those provisions. VERANDA shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Moreover, where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) of the GDPR, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The data subject shall have the right not to be subject to an individual automated decision, including profiling based solely on automated processing, which produces legal effects concerning them or similarly significantly affects them.
The aforementioned rights shall be guaranteed and managed to the extent to which they are exercised by the data subjects, always taking into account their scope, particularities and limitations.
The attention and management of these rights will be carried out by the VERANDA Data Protection Officer, whom the data subject can contact at firstname.lastname@example.org.
Provision of services by third parties
Where processing is to be carried out on behalf of VERANDA, only a processor providing sufficient guarantees to implement appropriate technical and organisational measures shall be used, in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
The relationship with the third parties acting as processors will always be regulated in writing, by means of a processing contract, binding the processor with regard to the controller and setting out the purpose, duration and nature of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
Records of Activities
VERANDA shall maintain a record containing all of the following information:
- The name and contact details of VERANDA as the controller entity and, where applicable, the joint controller and the controller’s representative;
- The name and the contact details of the data protection officer;
- The purposes of the processing;
- A description of the categories of data subjects;
- A description of the categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- The recipients in third countries or international organisations, meaning transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, where appropriate, the documentation of suitable safeguards;
- Where possible, the envisaged time limits for erasure of the different categories of data;
- Where possible, a general description of the technical and organisational security measures.
In order to comply with the security requirements established in the GDPR, VERANDA has established security measures for the processing of personal data in the course of its activities, taking into account the state of the art, application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for the rights and freedoms of the natural persons the data refer to.
These measures are diverse in nature (technical, organisational, documentary, management, control, audit and disciplinary measures), all of them aimed at achieving a level of security appropriate to the risk of the processing and, in particular, to guarantee:
The measures have been implemented evaluating in particular the risks that data processing may present as a consequence of the destruction, loss or accidental or unlawful alteration of personal data transmitted, preserved or otherwise processed, or unauthorized communication or access to said data.
Security measures include the security policies established for employees as well as their commitment to confidentiality and the obligation of secrecy of information.
Obligation of secrecy
The obligation to keep professional secrecy in relation to personal data, and to safeguard it, is a basic and personal principle for every person taking part in the processing of such data. This obligation remains in force even after the end of the relationship with VERANDA or, where applicable, with the processor.
Therefore, personal information will not be revealed under any circumstances to any third party other than the data subject, not even to relatives of the data subject (nor verbally), unless required by law or with the express authorisation of the data subject.
International transfer of personal data
Any Department intending to transfer personal data outside of the European Economic Area will previously consult with email@example.com.
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if the conditions laid down in the GDPR are complied with by VERANDA and the other controllers and processors involved in the transfer, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.
Any inquiry or suggestion regarding this policy may be addressed to VERANDA through firstname.lastname@example.org.