Privacy Policy

Data Protection
1. Privacy policy
Yaiza Navarro Vega, with ID 78502004Z and tax domicile at Avda Marítima del Norte, 10, Zip code: 35003 Las Palmas de Gran Canaria (Spain), hereinafter “SHINE MAMBO”, informs users of the website about its policy regarding the treatment and protection of the personal data of users and customers that may be collected by browsing or contracting services through its website. In this sense, SHINE MAMBO guarantees compliance with current regulations on personal data protection, reflected in Organic Law 15/1999 of December 13 on the Protection of Personal Data and Royal Decree 1720/2007, of December 21, which approves the Development Regulation of the LOPD. The use of this website implies acceptance of this privacy policy.
2. Collection, purpose and data processing
“SHINE MAMBO” has the duty to inform users of its website about the collection of personal data that can be carried out, either by sending electronic mail or by filling in the forms included on the website. In this sense, “SHINE MAMBO” will be considered responsible for the data collected through the media described above. In turn, “SHINE MAMBO” informs users that the purpose of the treatment of the data collected includes: the attention of requests made by the users, the inclusion in the list of contacts, the provision of services, the management of the commercial relationship and other purposes (INDICATE). The operations, procedures and technical procedures that are carried out automatically or automated and that make possible the collection, storage, modification, transfer and other actions on personal data are considered as personal data treatment. All personal data, which are collected through the website of “SHINE MAMBO”, and therefore have the consideration of data processing of character will be incorporated into the files declared before the Spanish Agency for Data Protection by “SHINE MAMBO”.
3. Communication of information to third parties
“SHINE MAMBO” informs users that their personal data will not be transferred to third organizations, with the exception that such transfer of data is covered by a legal obligation or when the provision of a service implies the need for a contractual relationship with a treatment manager. In the latter case, only the transfer of alternating data will be carried out when Company A has the express consent of the user.
4. Rights of users
Organic Law 15/1999, of December 13, on the Protection of Personal Data gives interested parties the possibility of exercising a series of rights related to the treatment of their personal data. As long as the user’s data is the object of treatment by “SHINE MAMBO”, users may exercise the rights of access, rectification, cancellation and opposition in accordance with the provisions of current legislation on personal data protection. To exercise these rights, the user must contact them by written communication, providing documentation proving their identity (ID or passport), at the following address: Yaiza Navarro Vega with ID 78502004Z with tax address at Avda Marítima del Norte, 10 ZIP: 35003 Las Palmas de Gran Canaria (Spain) or by email to the address shinemambomadrid@gmail.com or the address that is substituted in the General Registry of Protec Data Collection. This communication must reflect the following information: name and surname of the user, the request, the address and the supporting data. The exercise of rights must be carried out by the user. However, they may be executed by an authorized person as legal representative of the authorized party. In this case, it will be necessary to provide the documentation that proves this representation of the interested party.
Documentation
Informative label of the video-surveyed area
Informative clauses
Contracts with those in charge of processing
Registration of treatment activities
Information annex
CUSTOMER DATA TRAINING
Informative clause:
Data of the controller:
Identity: Yaiza Navarro Vega – NIF: 78502004Z
Mailing address: Avenida Marítima del Norte, 10 Las Palmas de Gran Canaria (Las Palmas) Spain
Telephone: 657776157 – Email: shinemambomadrid@gmail.com
“In Yaiza Navarro Vega we treat the information you provide us in order to provide the requested service and make your billing. The data provided will be kept as long as the commercial relationship is maintained or during the time necessary to comply with the legal obligations and meet the possible liabilities that may derive from the fulfillment of the purpose for which the data was collected. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain information about whether we are treating your personal data at Yaiza Navarro Vega, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to your treatment before Yaiza Navarro Vega, Avenida Marítima del Norte, 10 Las Palmas de Gran Canaria (Las Palmas) Spain or at the email address info@shinemambo.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may present a claim before the national control authority, addressing to this effect the Spanish Agency for Data Protection, C / Jorge Juan, 6 – 28001 Madrid.
Likewise, we request your authorization to offer you products and services related to those hired and to retain you as a customer.”
Likewise, you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to your treatment before Yaiza Navarro Vega, Avenida Marítima del Norte, 10 Las Palmas de Gran Canaria (Las Palmas) Spain or at the email address info@shinemambo.com.
DATA PROCESSING OF POTENTIAL CUSTOMERS
Informative clause:
Data of the controller:
Identity: Yaiza Navarro Vega – NIF: 78502004Z
Mailing address: Avenida Marítima del Norte, 10 Las Palmas de Gran Canaria (Las Palmas) Spain
Telephone: 657776157 – Email: shinemambomadrid@gmail.com
“In Yaiza Navarro Vega we treat the information you provide us in order to provide the requested service or send the required information. The data provided will be kept until you request us to cease the activity. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain information about whether we are treating your personal data at Yaiza Navarro Vega, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to your treatment before Yaiza Navarro Vega, Avenida Marítima del Norte, 10 Las Palmas de Gran Canaria (Las Palmas) Spain or at the email address info@shinemambo.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may present a claim before the national control authority, addressing to this effect the Spanish Agency for Data Protection, C / Jorge Juan, 6 – 28001 Madrid.
We also request your authorization to send you advertising related to our products and services by any means (postal, email or telephone) and invite you to events organized by the company.”
Likewise, you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to your treatment before Yaiza Navarro Vega, Avenida Marítima del Norte, 10 Las Palmas de Gran Canaria (Las Palmas) Spain or at the email address info@shinemambo.com.
TREATMENT OF EMPLOYEE DATA
Informative clause:
Data of the controller:
Identity: Yaiza Navarro Vega – NIF: 78502004Z
Mailing address: Avenida Marítima del Norte, 10 Las Palmas de Gran Canaria (Las Palmas) Spain
Telephone: 657776157 – Email: shinemambomadrid@gmail.com
“At Yaiza Navarro Vega we treat the information you provide us with in order to maintain the employment relationship. The data provided will be kept as long as the employment relationship is maintained or for the time necessary to comply with the legal obligations and meet the possible liabilities that may arise from the fulfillment of the purpose for which the data was collected. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain information about whether we are treating your personal data at Yaiza Navarro Vega, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to your treatment before Yaiza Navarro Vega, Avenida Marítima del Norte, 10 Las Palmas de Gran Canaria (Las Palmas) Spain or at the email address info@shinemambo.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may present a claim before the national control authority, addressing to this effect the Spanish Agency for Data Protection, C / Jorge Juan, 6 – 28001 Madrid.”
Contract with the Agency in charge of the management of employees:
1. Purpose of the treatment request
By means of the present clauses, González Abogados & Asesores is authorized, with address at Calle Manuel García Olival, Councilor, 10, 35200 Telde (Las Palmas) and NIF 78502004Z, in charge of the treatment to be handled by Yaiza Navarro Vega, as the person in charge of the treatment, the personal data necessary to provide the service specified below.
The treatment will consist of Contracts, payroll, accounting, legal advice, highs and lows S: S and taxes.
2. Identification of the affected information
For the execution of the benefits derived from the fulfillment of the object of this assignment, the entity Yaiza Navarro Vega as responsible for the treatment, makes available to the González Abogados & Asesores entity, the identification and banking data of its employees.
3. Duration
This agreement has a duration of 1 year, being renewed automatically unless decided against by any of the parties.
Once this contract ends, the person in charge of processing must return to the person responsible, or transmit to another manager designated by the person responsible, the personal data processed and delete any copy that is in his possession. However, he may keep the data blocked for the minimum time necessary to address possible responsibilities that may arise from his relationship with Yaiza Navarro Vega, destroying them safely and permanently at the end of that period.
4. Obligations of the treatment manager
The person in charge of the treatment and all its personnel is obliged to:
Use the personal data object of treatment, or those collected for inclusion, only for the purpose of this assignment. In no case may you use the data for your own purposes.
Treat the data in accordance with the documented instructions of the controller. If the data controller considers that any of the instructions provided violates the General Data Protection Regulation or any other provision regarding data protection, the person in charge will immediately inform the person responsible.
Keep, in writing, a record of all the categories of treatment activities carried out on behalf of the person in charge, which contains:
The name and contact information of the person in charge or those in charge and of each person responsible for which the person in charge acts and, where appropriate, the representative of the person in charge or the person in charge and the data protection officer.
The treatment categories carried out by each responsible person.
A general description of the appropriate technical and organizational safety measures that you are applying.
Not communicate or disseminate the data to third parties, unless you have the express authorization of the controller or in the legally admissible cases. If the manager wants to subcontract, totally or partially, the services that are the object of this contract, he must inform the person in charge and request his prior authorization.
Maintain the duty of secrecy regarding personal data to which you have had access under this order, even after the end of the contract.
Guarantee that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which the person in charge must inform them accordingly.
Maintain at the disposal of the person in charge the documentation proving compliance with the obligation established in the previous section.
Guarantee the necessary training in terms of protection of personal data of the persons authorized to process personal data.
When the affected persons exercise the rights of access, rectification, deletion and portability of data and opposition and limitation of the treatment before the person in charge of the treatment, this must be communicated by e-mail to the address indicated by the person responsible as soon as possible. The communication must be made immediately and in no case beyond the working day following the reception of the request, together with any other information that may be relevant to resolve it. Assist the responsible, whenever possible, so that it can meet and respond to requests for exercise of rights.
Notification of data security violations:
The person in charge of the treatment will notify the person responsible for the treatment, without undue delay and through the e-mail address indicated by the person in charge, of the security breaches of the personal data in his charge that he / she has knowledge of, together with all the information relevant for the documentation and communication of the incident. Likewise, it will notify any failure that it has suffered in its systems of treatment and management of the information and that could endanger the security of the treated personal data, its integrity or availability, as well as any possible breach of the confidentiality as a result of the putting in the knowledge of third parties of the data and information accessed during the execution of the contract.
At least the following information will be provided:
Description of the nature of the violation of the security of personal data, including, when possible, the categories and the approximate number of interested parties affected, and the categories and the approximate number of personal data records affected.
Contact person data to obtain more information.
Description of the possible consequences of the violation of the security of personal data.
Description of the measures adopted or proposed to remedy the violation of the security of personal data, including, if applicable, the measures adopted to mitigate the possible negative effects.
If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.
González Abogados & Asesores, at the request of the person in charge, will communicate in the shortest possible time those data security breaches to the interested parties, when it is probable that the violation will pose a high risk to the rights and freedoms of natural persons.
The communication must be done in a clear and simple language and must include the elements indicated in each case by the person responsible, at least:
The nature of the data breach.
Data from the point of contact of the person in charge or the manager where more information can be obtained.
Describe the possible consequences of the violation of the security of personal data.
Describe the measures adopted or proposed by the controller to remedy the violation of the security of personal data, including, if applicable, the measures adopted to mitigate the possible negative effects.
Provide the responsible party with all the necessary information to demonstrate compliance with their obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the person in charge or by another auditor authorized by him.
Implement the necessary technical and organizational security measures to guarantee the confidentiality, integrity, availability and permanent resilience of the systems and services for the processing of personal data.
Destination of the data:
Delete, return to the responsible party or deliver, if necessary, to a new manager as determined by Yaiza Navarro Vega, all personal data once the provision of the commissioned treatment service is complete.
The destruction of data is not applicable when there is a legal provision that requires its conservation, in which case it must be returned to the responsible party who will guarantee its conservation, duly blocked, as long as such obligation persists.
The return must involve the total erasure of the existing data in the computer equipment used by the person in charge. However, the person in charge may keep a copy of the data, duly blocked, as long as responsibilities for the execution of the services provided to the controller can be derived.
5. Obligations of the controller. Responsible for the processor:
A) Deliver to the manager the necessary data so that he can provide the service.
B) Ensure, prior to and throughout the treatment, compliance with the provisions in force on data protection by the person in charge of the treatment.
C) Supervise the treatment, including the possibility of requesting information to verify compliance with the obligations established in this contract.
SERVICE COMPANIES
Contracts:
A) Clauses for service providers with access to information systems.
1. Purpose of the treatment request
By means of the present clauses, Antonio García Cárdenes is authorized, as the person in charge of the processing, to treat on behalf of Yaiza Navarro Vega, as data controller, the personal data necessary to provide the service specified below.
The treatment will consist of Maintenance web pages.
2. Identification of the affected information
For the execution of the benefits derived from the fulfillment of the object of this assignment, the entity Yaiza Navarro Vega as responsible for the treatment, makes available to the entity Antonio García Cárdenes the information available in the computer equipment that supports the data processing performed by the person in charge.
3. Duration
This agreement has a duration of, being renewed automatically unless decided against by any of the parties.
Once the present contract ends, the person in charge of the treatment must return to the person responsible the personal data processed and delete any copy that he keeps in his possession. However, he may keep the data blocked for the minimum time necessary to address possible liabilities that may arise from his relationship with Yaiza Navarro Vega, destroying them safely and definitively at the end of that period.
4. Obligations of the treatment manager
The person in charge of the treatment and all its personnel is obliged to:
Use personal data to which you have access as a result of providing the service only for the purpose of this assignment. In no case may you use the data for your own purposes.
Treat the data in accordance with the documented instructions of the controller. If the data controller considers that any of the instructions provided violates the General Data Protection Regulation or any other provision regarding data protection, the person in charge will immediately inform the person responsible.
Not communicate or disseminate the data to third parties, unless you have the express authorization of the controller or in the legally admissible cases. If the manager wants to subcontract, totally or partially, the services that are the object of this contract, he must inform the person in charge and request his prior authorization.
Maintain the duty of secrecy regarding personal data to which you have had access under this order, even after the end of the contract.
Guarantee that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which the person in charge must inform them accordingly.
Maintain at the disposal of the person in charge the documentation proving compliance with the obligation established in the previous section.
Guarantee the necessary training in terms of protection of personal data of the persons authorized to process personal data.
Notification of data security violations:
The person in charge of the treatment will notify the person responsible for the treatment, without undue delay and through the e-mail address indicated by the person in charge, of the security breaches of the personal data in his charge that he / she has knowledge of, together with all the information relevant for the documentation and communication of the incident. Likewise, it will notify any failure that it has suffered in its systems of treatment and management of the information and that could endanger the security of the treated personal data, its integrity or availability, as well as any possible breach of the confidentiality as a result of the putting in the knowledge of third parties of the data and information accessed during the execution of the contract.
At least the following information will be provided:
Description of the nature of the violation of the security of personal data, including, when possible, the categories and the approximate number of interested parties affected, and the categories and the approximate number of personal data records affected.
Contact person data to obtain more information.
Description of the possible consequences of the violation of the security of personal data.
Description of the measures adopted or proposed to remedy the violation of the security of personal data, including, if applicable, the measures adopted to mitigate the possible negative effects.
If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.
Provide the responsible party with all the information necessary to demonstrate compliance with its obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the person in charge or by another auditor authorized by him.
Assist the treatment manager to implement the necessary security measures to:
a) Guarantee the confidentiality, integrity, availability and permanent resilience of the treatment systems and services.
b) Restore the availability and access to personal data quickly, in case of physical or technical incident.
c) To verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the safety of the treatment.
Destination of the data:
The person in charge of the treatment will not keep personal data related to the treatments carried out unless it is strictly necessary for the provision of the service object of the contract and only for the minimum necessary time.
Once the provision of the service object of the contract is completed, the person in charge of the treatment will delete, return to the person in charge or deliver, as the case may be, to a new manager, as determined by Yaiza Navarro Vega, all the personal data.
The destruction of data is not applicable when there is a legal provision that requires its conservation, in which case it must be returned to the responsible party who will guarantee its conservation, duly blocked, as long as such obligation persists.
The return must involve the total erasure of the existing data in the computer equipment used by the person in charge. However, the person in charge may keep a copy of the data, duly blocked, as long as responsibilities for the execution of the services provided to the controller can be derived.
5. Obligations of the controller
It corresponds to the person responsible for the treatment:
Provide the manager with access to the equipment so that he can provide the contracted service.
Ensure, prior to and throughout the treatment, compliance with the provisions in force in data protection matters by the processor.
Supervise the treatment, including the possibility of requesting information to verify compliance with the obligations established in this contract.
B) Confidentiality clauses for service providers with accidental access to data.
1. Duty of confidentiality
The service provision object of this contract does not include the processing of personal data.
However, in the event that the staff of Antonio García Cárdenes, accidentally or incidentally, becomes aware of information of personal data relating to the treatment activities of Yaiza Navarro Vega, they will be obliged to strictly observe the duty of secrecy and confidentiality, both during the course of the contractual relationship and once terminated,
following at all times the instructions of Yaiza Navarro Vega staff,
not being able to use the information to which they could have access for any purpose other than that derived from the provision of service, and
not being able to disclose or use for their own benefit or that of third parties the information they may have known during the provision of the service object of this contract.
A) Clauses for service providers with access to information systems.
1. Purpose of the treatment request
By means of the present clauses, Webempresa Europa S.L. is empowered, as the person in charge of the processing, to treat on behalf of Yaiza Navarro Vega, as data controller, the personal data necessary to provide the service specified below.
The treatment will consist of Hosting, web hosting.
2. Identification of the affected information
For the execution of the benefits derived from the fulfillment of the object of this assignment, the entity Yaiza Navarro Vega as responsible for the treatment, makes available to the entity Webempresa Europa S.L. the information available in the computer equipment that supports the data processing performed by the person in charge.
3. Duration
This agreement has a duration of, being renewed automatically unless decided against by any of the parties.
Once the present contract ends, the person in charge of the treatment must return to the person responsible the personal data processed and delete any copy that he keeps in his possession. However, he may keep the data blocked for the minimum time necessary to address possible liabilities that may arise from his relationship with Yaiza Navarro Vega, destroying them safely and definitively at the end of that period.
4. Obligations of the treatment manager
The person in charge of the treatment and all its personnel is obliged to:
Use personal data to which you have access as a result of providing the service only for the purpose of this assignment. In no case may you use the data for your own purposes.
Treat the data in accordance with the documented instructions of the controller. If the data controller considers that any of the instructions provided violates the General Data Protection Regulation or any other provision regarding data protection, the person in charge will immediately inform the person responsible.
Not communicate or disseminate the data to third parties, unless you have the express authorization of the controller or in the legally admissible cases. If the manager wants to subcontract, totally or partially, the services that are the object of this contract, he must inform the person in charge and request his prior authorization.
Maintain the duty of secrecy regarding personal data to which you have had access under this order, even after the end of the contract.
Guarantee that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which the person in charge must inform them accordingly.
Maintain at the disposal of the person in charge the documentation proving compliance with the obligation established in the previous section.
Guarantee the necessary training in terms of protection of personal data of the persons authorized to process personal data.
Notification of data security violations:
The person in charge of the treatment will notify the person responsible for the treatment, without undue delay and through the e-mail address indicated by the person in charge, of the security breaches of the personal data in his charge that he / she has knowledge of, together with all the information relevant for the documentation and communication of the incident. Likewise, it will notify any failure that it has suffered in its systems of treatment and management of the information and that could endanger the security of the treated personal data, its integrity or availability, as well as any possible breach of the confidentiality as a result of the putting in the knowledge of third parties of the data and information accessed during the execution of the contract.
At least the following information will be provided:
Description of the nature of the violation of the security of personal data, including, when possible, the categories and the approximate number of interested parties affected, and the categories and the approximate number of personal data records affected.
Contact person data to obtain more information.
Description of the possible consequences of the violation of the security of personal data.
Description of the measures adopted or proposed to remedy the violation of the security of personal data, including, if applicable, the measures adopted to mitigate the possible negative effects.
If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.
Provide the responsible party with all the information necessary to demonstrate compliance with its obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the person in charge or by another auditor authorized by him.
Assist the treatment manager to implement the necessary security measures to:
a) Guarantee the confidentiality, integrity, availability and permanent resilience of the treatment systems and services.
b) Restore the availability and access to personal data quickly, in case of physical or technical incident.
c) To verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the safety of the treatment.
Destination of the data:
The person in charge of the treatment will not keep personal data related to the treatments carried out unless it is strictly necessary for the provision of the service object of the contract and only for the minimum necessary time.
Once the provision of the service object of the contract is completed, the person in charge of the treatment will delete, return to the person in charge or deliver, as the case may be, to a new manager, as determined by Yaiza Navarro Vega, all the personal data.
The destruction of data is not applicable when there is a legal provision that requires its conservation, in which case it must be returned to the responsible party who will guarantee its conservation, duly blocked, as long as such obligation persists.
The return must involve the total erasure of the existing data in the computer equipment used by the person in charge. However, the person in charge may keep a copy of the data, duly blocked, as long as responsibilities for the execution of the services provided to the controller can be derived.
5. Obligations of the controller
It corresponds to the person responsible for the treatment:
Provide the manager with access to the equipment so that he can provide the contracted service.
Ensure, prior to and throughout the treatment, compliance with the provisions in force in data protection matters by the processor.
Supervise the treatment, including the possibility of requesting information to verify compliance with the obligations established in this contract.
B) Confidentiality clauses for service providers with accidental access to data.
1. Duty of confidentiality
The service provision object of this contract does not include the processing of personal data.
However, in the event that the staff of Webempresa Europa SL, accidentally or incidentally, becomes aware of personal data relating to the treatment activities of Yaiza Navarro Vega, they will be obliged to strictly observe the duty of secrecy and confidentiality, both during the course of the contractual relationship and once terminated,
following at all times the instructions of Yaiza Navarro Vega staff
not being able to use the information to which they could have access for any purpose other than that derived from the provision of service and
not being able to disclose or use for their own benefit or that of third parties the information they may have known during the provision of the service object of this contract.
A) Clauses for service providers with access to information systems.
1. Purpose of the treatment request
By means of the present clauses, GOOGLE SPAIN SL, as the person in charge of the processing, is authorized to treat on behalf of Yaiza Navarro Vega, as the data controller, the personal data necessary to provide the service specified below.
The treatment will consist of administrative activities and auxiliary services.
2. Identification of the affected information
For the performance of the benefits derived from the fulfillment of the object of this assignment, the entity Yaiza Navarro Vega as responsible for the treatment, puts at the disposal of the entity GOOGLE SPAIN SL the information available in the computer equipment that supports the data processing performed by the person in charge.
3. Duration
This agreement has a duration of 1 year, being renewed automatically unless decided against by any of the parties.
Once the present contract ends, the person in charge of the treatment must return to the person responsible the personal data processed and delete any copy that he keeps in his possession. However, he may keep the data blocked for the minimum time necessary to address possible liabilities that may arise from his relationship with Yaiza Navarro Vega, destroying them safely and definitively at the end of that period.
4. Obligations of the treatment manager
The person in charge of the treatment and all its personnel is obliged to:
Use personal data to which you have access as a result of providing the service only for the purpose of this assignment. In no case may you use the data for your own purposes.
Treat the data in accordance with the documented instructions of the controller. If the data controller considers that any of the instructions provided violates the General Data Protection Regulation or any other provision regarding data protection, the person in charge will immediately inform the person responsible.
Not communicate or disseminate the data to third parties, unless you have the express authorization of the controller or in the legally admissible cases. If the manager wants to subcontract, totally or partially, the services that are the object of this contract, he must inform the person in charge and request his prior authorization.
Maintain the duty of secrecy regarding personal data to which you have had access under this order, even after the end of the contract.
Guarantee that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which the person in charge must inform them accordingly.
Maintain at the disposal of the person in charge the documentation proving compliance with the obligation established in the previous section.
Guarantee the necessary training in terms of protection of personal data of the persons authorized to process personal data.
Notification of data security violations:
The person in charge of the treatment will notify the person responsible for the treatment, without undue delay and through the e-mail address indicated by the person in charge, of the security breaches of the personal data in his charge that he / she has knowledge of, together with all the information relevant for the documentation and communication of the incident. Likewise, it will notify any failure that it has suffered in its systems of treatment and management of the information and that could endanger the security of the treated personal data, its integrity or availability, as well as any possible breach of the confidentiality as a result of the putting in the knowledge of third parties of the data and information accessed during the execution of the contract.
At least the following information will be provided:
Description of the nature of the violation of the security of personal data, including, when possible, the categories and the approximate number of interested parties affected, and the categories and the approximate number of personal data records affected.
Contact person data to obtain more information.
Description of the possible consequences of the violation of the security of personal data.
Description of the measures adopted or proposed to remedy the violation of the security of personal data, including, if applicable, the measures adopted to mitigate the possible negative effects.
If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.
Provide the responsible party with all the information necessary to demonstrate compliance with its obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the person in charge or by another auditor authorized by him.
Assist the treatment manager to implement the necessary security measures to:
a) Guarantee the confidentiality, integrity, availability and permanent resilience of the treatment systems and services.
b) Restore the availability and access to personal data quickly, in case of physical or technical incident.
c) To verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the safety of the treatment.
Destination of the data:
The person in charge of the treatment will not keep personal data related to the treatments carried out unless it is strictly necessary for the provision of the service object of the contract and only for the minimum necessary time.
Once the provision of the service object of the contract is completed, the person in charge of the treatment will delete, return to the responsible party or deliver, as the case may be, to a new manager, as determined by Yaiza Navarro Vega, all the personal data.
The destruction of data is not applicable when there is a legal provision that requires its conservation, in which case it must be returned to the responsible party who will guarantee its conservation, duly blocked, as long as such obligation persists.
The return must involve the total erasure of the existing data in the computer equipment used by the person in charge. However, the person in charge may keep a copy of the data, duly blocked, as long as responsibilities for the execution of the services provided to the controller can be derived.
5. Obligations of the controller
It corresponds to the person responsible for the treatment:
Provide the manager with access to the equipment so that he can provide the contracted service.
Ensure, prior to and throughout the treatment, that the processor complies with the data protection provisions in force.
Supervise the treatment, including the possibility of requesting information to verify compliance with the obligations established in this contract.
B) Confidentiality clauses for service providers with accidental access to data.
1. Duty of confidentiality
The service provision object of this contract does not include the processing of personal data.
However, in the event that the staff of GOOGLE SPAIN SL, accidentally or incidentally, becomes aware of personal data relating to the treatment activities of Yaiza Navarro Vega, they will be obliged to strictly observe the duty of secrecy and confidentiality, both during the course of the contractual relationship and once terminated,
following at all times the instructions of Yaiza Navarro Vega staff
not being able to use the information to which they could have access for any purpose other than that derived from the provision of service and
not being able to disclose or use for their own benefit or that of third parties the information they may have known during the provision of the service object of this contract.
REGISTRATION OF TREATMENT ACTIVITIES
Treatment: Clients
a) Responsible for the treatment
Identity: Yaiza Navarro Vega – NIF: 78502004Z
Mailing address: Avenida Marítima del Norte, 10 Las Palmas de Gran Canaria (Las Palmas) Spain
Email: shinemambomadrid@gmail.com
Phone: 657776157
b) Purpose of the treatment
Management of the relationship with customers
c) Stakeholder categories
Clients: People with whom a commercial relationship is maintained as clients
d) Categories of data
Those necessary for the maintenance of the commercial relationship.
Identification: name and surname, NIF, postal address, telephone, e-mail
Bank details: for direct debit payments
e) Recipient categories
Antonio García Cárdenes
f) International transfers
No international transfers are planned
g) Deadlines for suppression
Those foreseen by the tax legislation regarding the prescription of responsibilities
h) Security measures
Those reflected in the ANNEX SECURITY MEASURES
Treatment: Potential Customers
a) Responsible for the treatment
Identity: Yaiza Navarro Vega – NIF: 78502004Z
Mailing address: Avenida Marítima del Norte, 10 Las Palmas de Gran Canaria (Las Palmas) Spain
Email: shinemambomadrid@gmail.com
Phone: 657776157
b) Purpose of the treatment
Management of the relationship with potential clients
c) Stakeholder categories
Potential customers: People with whom you want to maintain a commercial relationship as clients
d) Categories of data
Those necessary for the commercial promotion of the company
Identification: name and postal address, telephone numbers, e-mail
e) Recipient categories
It is not contemplated
f) International transfers
No international transfers are planned
g) Deadlines for suppression
One year from the first contact
h) Security measures
Those reflected in the ANNEX SECURITY MEASURES
Treatment: Employees
a) Responsible for the treatment
Identity: Yaiza Navarro Vega – NIF: 78502004Z
Mailing address: Avenida Marítima del Norte, 10 Las Palmas de Gran Canaria (Las Palmas) Spain
Email: shinemambomadrid@gmail.com
Phone: 657776157
b) Purpose of the treatment
Management of the employment relationship with employees
c) Stakeholder categories
Employees: People who work for the person responsible for the treatment
d) Categories of data
Those necessary for the maintenance of the commercial relationship. Manage the payroll
Identification: name, surname, Social Security number, postal address, telephone, e-mail
e) Recipient categories
State Tax Administration Agency
National Institute of Social Security
Banks and financial entities
[Other possible recipients]
f) International transfers
No international transfers are planned
g) Deadlines for suppression
Those foreseen by the fiscal and labor legislation regarding the prescription of responsibilities
h) Security measures
Those reflected in the ANNEX SECURITY MEASURES
ANNEX
INFORMATION OF GENERAL INTEREST
This document has been designed for the treatment of low-risk personal data, from which it follows that it cannot be used for the processing of personal data related to ethnic or racial origin, political, religious or philosophical ideology, union affiliation, genetic and biometric data, health data, and data on the sexual orientation of people, nor for any other data treatment that entails a high risk for the rights and freedoms of individuals.
Article 5.1.f of the General Data Protection Regulation (hereinafter, RGPD) determines the need to establish adequate security guarantees against unauthorized or illegal treatment, against the loss of personal data, destruction or accidental damage. This implies the establishment of technical and organizational measures aimed at ensuring the integrity and confidentiality of personal data and the possibility of demonstrating, as established in Article 5.2, that these measures have been implemented (proactive responsibility).
In addition, it must establish visible, accessible and simple mechanisms for the exercise of rights and have defined internal procedures to guarantee effective attention to the requests received.
ATTENTION OF THE RIGHTS EXERCISE
The controller will inform all workers about the procedure to address the rights of the interested parties, clearly defining the mechanisms by which the rights can be exercised (electronic means, reference to the Delegate for Data Protection if there is one, postal address, etc.) and taking into account the following:
Upon presentation of your national identity document or passport, the holders of personal data (interested) may exercise their rights of access, rectification, deletion, opposition, portability and limitation of treatment. The exercise of rights is free.
The controller must respond to the interested parties without undue delay and in a concise, transparent, intelligible manner, with a clear and simple language and keep proof of compliance with the duty to respond to requests for the exercise of rights made.
If the request is submitted by electronic means, the information will be provided by these means whenever possible, unless the interested party requests that it be otherwise.
Applications must be answered within 1 month of receipt. This period can be extended by another two months taking into account the complexity or number of requests, but in that case the interested party must be informed of the extension within one month of the receipt of the request, indicating the reasons for the delay.
RIGHT OF ACCESS: In the right of access, the interested parties will be provided with a copy of the personal data that is available together with the purpose for which they were collected, the identity of the recipients of the data, the expected conservation periods or the criteria used to determine it, the existence of the right to request the rectification or deletion of personal data as well as the limitation or opposition to its processing, the right to file a claim with the Spanish Data Protection Agency and if the data has not been obtained from the interested party, any information available about its origin. The right to obtain a copy of the data can not negatively affect the rights and freedoms of other interested parties.
Form for the exercise of the right of access.
RIGHT OF RECTIFICATION: In the right of rectification will proceed to modify the data of the interested parties that were inaccurate or incomplete attending to the purposes of the treatment. The interested party must indicate in the application to which data it refers and the correction that must be made, providing, when necessary, the documentation justifying the inaccuracy or incompleteness of the data subject to treatment. If the data have been communicated by the responsible party to other responsible parties, they must notify them of the rectification of the data unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if so requested.
Form for the exercise of the right of rectification
RIGHT OF SUPPRESSION: In the right of suppression, the data of the interested parties will be eliminated when they manifest their refusal to the treatment and there is no legal basis that prevents it, when the data are no longer necessary in relation to the purposes for which they were collected, when they withdraw the consent given and there is no other legal basis that legitimizes the treatment, or when the treatment is unlawful. If the suppression derives from the exercise of the interested party’s right of opposition to the processing of their data for marketing purposes, the identification data of the interested party may be retained in order to prevent future treatments. If the data has been communicated by the responsible party to other responsible persons, it should notify them of the suppression of these unless it is impossible or requires a disproportionate effort, providing the interested party with information about said addressees, if so requested.
Form for the exercise of the right of withdrawal
RIGHT OF OPPOSITION: In the right of opposition, when the interested parties express their refusal to treat their personal data before the person responsible, the latter will stop processing them whenever there is no legal obligation to prevent it. When the treatment is based on a mission of public interest or the legitimate interest of the responsible, before a request to exercise the right of opposition, the responsible person will stop processing the data unless compelling reasons that prevail over the interests, rights and freedoms of the interested party or are necessary for the formulation, exercise or defense of claims. If the interested party objects to the treatment for direct marketing purposes, the personal data will no longer be processed for these purposes.
Form for the exercise of the right of opposition.
RIGHT OF PORTABILITY: In the portability right, if the processing is carried out by automated means and is based on consent or is made within the framework of a contract, the interested parties may request to receive a copy of their personal data in a structured, commonly used and machine-readable format. Likewise, they have the right to request that the data be transmitted directly to a new manager, whose identity must be communicated, when technically possible.
Form for the exercise of data portability.
RIGHT OF LIMITATION TO THE TREATMENT: In the right of limitation of the treatment, the interested parties can request the suspension of the treatment of their data to challenge its accuracy while the person responsible makes the necessary verifications, or in case the treatment is made based on the interest of the responsible party or in compliance with a mission of public interest, while verifying whether these reasons prevail over the interests, rights and freedoms of the interested party. The interested party may also request the preservation of the data if it considers that the treatment is illegal and, instead of the deletion, requests the limitation of the treatment, or if the data are no longer needed by the person responsible for the purposes for which they were collected but the interested party needs them for the formulation, exercise or defense of claims. The fact that the data processing of the interested party is limited must be clearly stated in the systems of the person responsible. If the data have been communicated by the responsible party to other responsible persons, they should notify them of the limitation of the treatment of these, unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if so requested.
Form for the exercise of limitation of treatment.
If the request of the interested party is not followed, the person responsible for the processing will inform him, without delay and no later than one month after receipt of the request, of the reasons for not acting and of the possibility of submitting a claim to the Spanish Data Protection Agency and of taking legal action.
SECURITY MEASURES
According to the type of treatment that you have shown when you have completed this form, the minimum security measures that you should take into account are the following:
ORGANIZATIONAL MEASURES
INFORMATION THAT SHALL BE KNOWN BY ALL STAFF WITH ACCESS TO PERSONAL DATA
All personnel with access to personal data must be aware of their obligations in relation to the processing of personal data and will be informed about these obligations. The minimum information that will be known by all the staff will be the following:
DUTY OF CONFIDENTIALITY AND SECRECY
The access of unauthorized persons to personal data should be avoided. To this end, it will be avoided to leave the personal data exposed to third parties (unattended electronic screens, paper documents in areas of public access, supports with personal data, etc.). This consideration includes the screens that are used to display images of the video surveillance system. When you are absent from the workplace, the screen will be blocked or the session closed.
Paper documents and electronic media will be stored in a secure place (lockers or restricted access rooms) 24 hours a day.
Documents or electronic media (CDs, pen drives, hard drives, etc.) containing personal data will not be discarded without guaranteeing their effective destruction.
Personal data or any other personal information will not be communicated to third parties, paying special attention not to disclose protected personal data during telephone consultations, emails, etc.
The duty of secrecy and confidentiality persists even when the worker’s employment relationship with the company ends.
SECURITY VIOLATIONS OF PERSONAL DATA
When security breaches of personal data occur, such as theft or improper access to personal data, the Spanish Data Protection Agency will be notified within 72 hours of said security breaches, including all the information necessary for the clarification of the facts that would have given rise to improper access to personal data. The notification will be made by electronic means through the electronic headquarters of the Spanish Agency for Data Protection at https://sedeagpd.gob.es/sede-electronica-web/.
TECHNICAL MEASURES
ID
When the same computer or device is used for the processing of personal data and personal purposes, it is recommended to have several profiles or different users for each of the purposes. The professional and personal uses of the computer must be kept separate.
It is recommended to have profiles with administrative rights for the installation and configuration of the system and users without privileges or administrative rights for access to personal data. This measure will prevent access privileges from being obtained or the operating system from being modified in the event of a cybersecurity attack.
The existence of passwords for access to personal data stored in electronic systems will be guaranteed. The password will have at least 8 characters, a mixture of numbers and letters.
When personal data are accessed by different people, for each person with access to personal data, a specific username and password will be available (unambiguous identification).
The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties. For the management of passwords you can consult the privacy and security guide on the internet of the Spanish Agency for Data Protection and the National Institute of Cybersecurity. In no case will the passwords be shared nor will they be recorded in a common place and accessed by people other than the user.
DUTY OF SAFEGUARD
The following are the minimum technical measures to guarantee the safeguarding of personal data:
UPDATING OF COMPUTERS AND DEVICES: The devices and computers used for the storage and processing of personal data must be kept as up to date as possible.
MALWARE: On computers and devices where the automated processing of personal data is carried out, an antivirus system will be available to prevent, as far as possible, the theft and destruction of personal information and data. The antivirus system must be updated periodically.
FIREWALL: To avoid improper remote access to personal data, the existence of an activated and properly configured firewall will be ensured on those computers and devices on which the storage and/or processing of personal data is carried out.
DATA ENCRYPTION: When it is necessary to extract personal data outside the area where it is processed, either by physical means or by electronic means, the possibility of using an encryption method to guarantee the confidentiality of the personal data in case of improper access to the information must be assessed.
BACKUP COPY: Periodically a backup copy will be made on a second support different from the one used for daily work. The copy will be stored in a secure place, different from that in which the computer is located with the original files, in order to allow the recovery of personal data in case of loss of information.
The security measures will be reviewed periodically. The review may be done by automatic mechanisms (software or computer programs) or manually. Consider that any computer security incident that has happened to any acquaintance can happen to you, and be prepared for it.
If you would like more information or technical guidance to guarantee the security of personal data and the information your company deals with, the National Institute of Cybersecurity (INCIBE) on its website www.incibe.es, puts at your disposal tools with a business focus on its “Protect your company” section where, among other services, it has:
a section of training with a videogame, challenges to respond to incidents and interactive videos of sectorial training,
an Awareness Kit for employees,
various tools to help the company improve its cybersecurity, including policies for the employer, the technical staff and the employee, a catalog of companies and security solutions and a risk analysis tool,
thematic dossiers complemented with videos and infographics and other resources,
guides for the entrepreneur.
In addition, INCIBE, through the Internet Security Office, also puts at your disposal free computer tools and additional information that can be useful for your company or your professional activity.
CAPTURING IMAGES WITH CAMERAS AND SECURITY PURPOSES
(VIDEO SURVEILLANCE)
The image of a person, insofar as it identifies or can identify that person, constitutes personal data that can be the object of treatment for different purposes. Although the most common use of cameras is to ensure the safety of people, goods and facilities, they can also be used for other purposes such as the control of workers’ work. Below, the basic guidelines to be followed are included so that the treatment of the images obtained from video surveillance cameras complies with the data protection regulations. However, it is recommended to consult the Guide on the use of video cameras for security and other purposes for a more exhaustive knowledge of the obligations that this type of treatment entails.
LOCATION OF THE CAMERAS: The capture of images in areas destined for the workers’ rest, as well as the capture of the public road if external cameras are used, will be avoided, being only allowed the capture of the minimum necessary extension to preserve the security of the people, goods and facilities.
LOCATION OF MONITORS: The monitors where the images of the cameras are displayed will be located in a space of restricted access so that they are not accessible to third parties. Recorded images will only be accessed by authorized personnel.
CONSERVATION OF IMAGES: The images will be stored for a maximum period of one month, with the exception of images that accredit the commission of acts that attempt against the integrity of persons, goods and facilities. In this case, the images must be made available to the competent authority within 72 hours after the existence of the recording was known.
DUTY OF INFORMATION: The existence of the cameras and recording of images will be informed by means of an informative badge placed in a sufficiently visible place where, at least, the identity of the person in charge and the possibility of the interested parties to exercise their rights in matters of data protection are identified. In the pictogram itself you can also include a connection code or internet address where this information is displayed. Models of both the pictogram and the text are available on the website of the Agency.
Model of warning poster of video-monitored zone.
LABOR CONTROL: When the cameras are going to be used for the purpose of labor control as provided in Article 20.3 of the Workers’ Statute, the worker and their union representatives will be informed by any means that guarantees the receipt of information about the control measures established by the employer with express indication of the purpose of labor control of the images captured by the cameras.
RIGHT OF ACCESS TO THE IMAGES: To comply with the right of access of the interested parties to the recordings of the video surveillance system, a recent photograph and the National Identity Document of the interested party will be requested to verify their identity, as well as the details of the date and time to which the right of access refers. The interested party will not be given direct access to the images of the cameras in which images of third parties are shown. If it is not possible to visualize the images by the interested party without showing images of third parties, a document confirming or denying the existence of images of the interested party will be provided.
For more information you can consult the guide and the video surveillance files and the legal reports published by the Spanish Agency for Data Protection in the Video Surveillance section.