BACK_TO_TOP

PRIVACY POLICY – PERSONAL DATA TREATMENT

 

Date of preparation of this privacy policy: 04/25/2018

 

PADEL NUESTRO S.L (hereinafter PN) in accordance with the recommendations established by the Spanish Agency for Data Protection in relation to providing, in the best way, the right to information of users (data holders), has developed a new privacy policy establishing in its first block (Basic Information) a structure and language as clear, concise and understandable as possible, taking into account what this text must and wants to transmit (privacy policy). You will find two different information blocks:

 

  1. Basic Information, a space that we believe is sufficient for the user (owner of data) to have an approach to the processing (use) of their data by PN, in general, and knowledge of the exercise of rights that the new framework broad normative (General Data Protection Regulation), as well as how to proceed to the request (rights), where to go and to whom, in a particular way

 

  1. Corporate rules associated to an internal code established by PN regarding the processing of personal data, in general, that are incorporated into a guide or code of internal treatment (by its employees and collaborators)

 

A. BASIC INFORMATION

Below, we present this block, in order to facilitate access to information, a structure of epigraphs, where any web user can access each point, in a specific way by clicking himself, without having to read the total of all the points established for that purpose.

  1. 1. Treatment Manager

 

At this point you can find the identification of the company that treats your data from the current domain, where the website is located and where data is collected and processed through the use of cookies, forms (contact, purchase and similar).

 

Tenga en cuenta que PN puede operar desde varios dominios donde se integran páginas webs, y dichas páginas, con carácter general, se encuentran bajo un mismo marco de normas, directrices y orientaciones comunes en el tratamiento de datos de carácter personal. Por este motivo, en relación con este sitio web u otros que pueda visitar a través del mismo, le recomendamos que lea la política de privacidad.

 

 

Name

CIF

Interlocution of Rights Unit

Business Address

PADEL NUESTRO S.L

B73676413

Dirigirse al Polígono Industrial Oeste, calle Venezuela, Parcela 1, 17, 30820, Alcantarilla, Murcia.

La misma que se establece en la Unidad de Interlocución de derechos.

 

 

  1. 2. Delegate of Data Protection (coordinators or department heads)

 

In this point we bring you information about the figure called "Delegate of Data Protection" (hereinafter DPD), which appears in the new regulatory framework of application on May 25, 2018, which acts for the PN and the different domains where you carry out your activity.

 

The purpose is that you, in the case of wanting to establish any request, can have references to address specific people, both DPD and other people from other departments, to which the DPD has derived functions in order to improve procedures And channels So, we present the present information table of valid interlocutors:

 

Data Protection Delegate

Intern

 

NAME

 

Rafael

SURNAME

Parras Marín

DEPARTAMENT

Personal

CONTACT (EMAIL)

rafaparras@padelnuestro.com

Telephone

0034 664 05 47 16

¹ Atención al Cliente Final

Intern

 

NAME

Alberto

SURNAME

Brocal López

DEPARTAMENT

Atención al Cliente

CONTACT (EMAIL)

contacto@padelnuestro.com

Telephone

0034 672 10 45 39

 

[¹ The purpose of having a third party to gather and respond to requests from data subjects, under the delegation of functions established by the DPD, is to be able to provide a service as efficient as possible derived from the code of conduct and standards determined by PN (see block B)].

  1. 3. Purpose of Data Processing

In the point below, you can find a table with the description of the purposes of the data treatment that can be given on the website, associated with the registered files, responsibility of PN:

 

File

Purpose of the data usage

Comments

Treatment Legitimacy

 

Web User

 

- Browsing (cookies)

- Send information of interest in the case that the user has communicated his/her email, or similar.

 

The contact data can be treated and used according to the object of the form in question. Example: If you sign up for a newsletter, your email can be used to send the newsletter, and for that purpose you will not need express consent derived from the purpose / object of the form / functionality.

 

 

 

 

 

Customers

 

 

 

 

- Browsing (cookies)

- Send information of interest in case the user has communicated his / her email

- Facilitate the contracting of services or products, after-sales service and similar.

- Payment Management

- Administrative Management

 

 

- The contact data may be processed and used by PN, and other companies that may be owned in the future or where PN can be integrated or form a Group.

 

- The legitimacy of the treatment is established by the contractual relationship, and by the history of the relationships and communications established prior to the application of the RGPD (May 25, 2018).

 

- For those treatments, after the application of the RGPD (May 25, 2018), protocols will be established to obtain consent, unequivocal and / or express "according to the purpose of use. For example, before a purchase process, the object of the form to make the purchase has a purpose of own use and associated with the purchase of a product,

 

In the case that you want to establish the use of your email for commercial shipments outside the scope of product service requested or purchased, in this case to establish a functionality to obtain their express consent.

 

 

 

Candidatures

 

-Management of the personnel selection of PN or third partie (collaborating companies or clients)

- Contact data can be processed and used by PN.

- La legitimidad del tratamiento viene establecida por la relación por la acción del candidato, por iniciativa de este.

 

[i  We ask the users / holders of data that before accepting the privacy policy (click on the acceptance box) perform an approach to the basic information with a general character, and in a specific way to this table where the purpose of the use of the data that you provide us and the file or files where they can be integrated.]

 

  1. 4. Time limits or criteria for data storage

The new regulatory framework establishes the need to bring the data owner closer, in this case through the channel that is used by PN, the web user, the information concerning the storage period of data processing that may occur. That is, how long will the data be responsible for the data (PN)?

 

We would like to inform you about this issue, and for this purpose we present the following table:

 

File/Data

Conservation Term

 

 

Conservation Term

Data Exceptions

 

Web Users

 

- The contact data will be kept indefinitely while there is no application for opposition or cancellation by its owner.

 

 

- It has not been established at this time.

 

 

Customers

- The customer identification data is kept as long as the commercial / contractual relationship is maintained.

 

- The data associated with billing and purchasing processes for 5 years, which may be extended based on the evolution of other laws (tax, tax, corporate or similar).

 

- Data on commercial operations may be maintained for a period of more than 5 years. The treatment of the data will be treated in a dissociated or anonymized way for statistical purposes.

 

- Contact data is maintained indefinitely. As long as there is no application for opposition cancellation by the owner of the data.

 

 

- Maintenance of service data for statistical purposes indefinitely.

 

 

 

 

 

Potential Customers

- Contact data indefinitely as long as there is no request for opposition or cancellation by the owner of the data.

 

- The communications associated with the request of the potential client will not be considered of an advertising nature derived from the legitimacy associated with the pre-commercial or pre-contractual relationship.

 

- For communications of an advertising and promotional nature, a functionality will be established to obtain unequivocal consent, as of the entry into force of the RGPD (General Data Protection Regulation).

 

 

 

 

Candidatures (Selection)

 

- For 1 year as long as the application is not integrated into any selection process, in which case the application will be held for a period of at least 2 years, which could be extended depending on the result of the process.

 

 

The data of holders of data that has passed a selection process and are incorporated into a job board or the provision of service (hiring) by PN or Collaborators, will not be considered as Candidatures.

 

[i The maintenance of the term of the data is established on the basis (1) of a PN criterion, associated with the purpose of using said data and the company's interest, (2) criteria established by a legal basis that obliges its maintenance to PN (another law that requires its maintenance) and (3) other associated statistical or historical reports that may be of interest to the company (group) at a strategic level. PN, once they have fulfilled the purpose of their own use, may, according to those expressed in points 1,2 and 3, be canceled (be out of production environment) or be deleted].

 

  1. 5. Recipients” (of assignments or transfers)

FILES

GENERAL

SPECIFIC

All those described in this privacy policy

 

 

 

Competent public bodies that request data or registers of data holders without needing the consent of the owner of the data, derived from exceptionalities arranged in the Spanish regulatory framework

 

 

 

It has not been considered at this time. But we would like to inform you that in the event that PN participates or is integrated into a company or group of companies, the data will be accessible and processed by said third parties, since they will be considered as Data / Treatment Managers.

 

 

 

* Note: access to data by third parties necessary for the provision of service or request is not considered data transfer. Establish that said third parties, especially collaborators, use the data only to provide said benefit, and the use of data for any other purpose must be done in accordance with their right to information and authorization of express consent (on their part).

 

  1. 6. International Data Transfers

 

At this momento, in PN they do not do data transfers to third parties set in a different country out of the European Union.

  1. 7. Rights of data holders (or interested people)

In order to meet some of the fundamental aspects of this regulatory framework (applicable in May 2018), such as the rights attributed to natural persons (data holders), we present the different rights and attach a downloadable "ad hoc" model for this purpose.

 

  1. Access
1Download Model

 

[i Note: The right of access is the one that has a data owner, as it may be the case, consisting in being able to know the information that the company has about you.]

 

  1. Rectification
1Download Model

 

[i Note: The right of rectification is the one that has a data owner, as it may be the case, consistent rectify that information / data that the company has of a data owner, such as you, and it is not updated or adequate to the reality of the data owner or is erroneous.]

 

  1. Deletion
1Download Model

 

[i Note: The right of suppression is the one that has a data holder, as it may be the case, consisting of suppressing that information / data that the company, and that you do not want to continue using it (information / data).]

 

  1. Data Portability
1Download Model

 

[i Note: This right will apply on May 25, 2018. It is designed so that PN can provide in a standard format, for example Excel, the migration / sending of data to another third party authorized by you. In order to comply with this right, you must: (a) prove that you own the data (b) identify the third party that is the recipient of the data (c) authentically authorize portability (sending data)]

 

 

  1. Treatment Opposition
1Download Model

 

[i Note: The right of opposition is that which has a data holder, as it may be the case, consisting of opposing the use of that information / data that the company has of you, and you do not want to continue using it. the same (information / data) for specific purposes, for example, not receiving commercial information.]

 

 

  1. Right to withdraw consent or consents granted

 

[i Note: The right is that which has a data owner, as it may be the case, consisting of opposing the use of those purposes for which he gave his consent or that were treated as having a basis of legitimacy. If you, as data owner, do not want to continue using it (information / data) for specific purposes, for example, not receiving commercial information.]

 

1Download Model

 

[i Note: This right will be applied as of May 25, 2018]

 

  1. Right of Provenance

 

[i Note: The right to know where and how your data were obtained.]

 

1 Download Model

 

[i Note: This right will be applied as of May 25, 2018]

  1. 8. Source of data (origin)

 

In general, the data, through this website, are obtained from the interested party. For this reason, in the case that you communicate data from third parties, you must have the authorization, consent and / or legal capacity for this purpose (communication).

  1. 9. Data collection forms

We wanted to develop this epigraph, thinking of the web user, with a double objective:

  1. Given that the different forms may have a specific purpose associated with it, and for which (purpose) we consider that we are legitimized in the treatment since the use and transmission of data is done by the user, you, freely.

 

  1. To be an epigraph that is updated in time according to the modification and / or incorporation of new forms or functionalities.

 

In general, on the website we can find the following forms for data collection, according to what is established in this table:

Type

Purpose

Assignees and / or Accesses of Third Parties

Comments

 

Newsletter and similar

 

Advertising, commercial and informative shipments.

 

- There are not considered.

 

- Only contact information will be requested (usually email).

- The unequivocal (express) consent derived from the object of the form itself is not requested, which legitimizes the treatment.

 

 

Hiring a product or service

 

- Contract management or verification of the purchase process.

 

- Commercial and informative shipments associated with the product or service contracted.

 

- Advertising, different to the contracted product or service, will be requested unequivocal (express) consent as of May 25, 2018

 

 

-  In the case that, due to the interest of PN, an investee company was created or integrated.

 

- Third parties necessary to give scope to the product or service contracted or requested (it will be considered as data processing managers).

 

 

- For commercial or promotional shipments outside the service or product contracted express authorization will be required through a functionality provided for that purpose (footer of form) for treatment after the application of RGPD

 

 

Candidatures

 

 

- Management of the profile and / or CV of the candidacy to promote it in society

 

.- Public Organisms (derived from the profile, type or characteristics of the candidate).

 

 

 

 

Registration or registers to use functions or private areas created for specific purposes

 

 

- Management of the community of collaborators / distributors of PN according to the conditions of use, with general character and other particular that could be established.

 

- Third parties necessary for the provision of service or request.

 

- With specific character these forms are referenced for registration procedures or registration to a purchase intranet associated with a certain user profile (collaborator)




B. ADDITIONAL INFORMATION: GUIDELINES FOR PADEL NUESTRO DATA PROTECTION AND TREATMENT

This block is intended to communicate, to the web user, values, rules and guidelines established by PN, internally, in the processing of personal data, in accordance with the regulatory change, in order to create a culture of protection and data treatment.

 

Below, we present the structure of this block (additional information), where you can access each point, in a specific way, by clicking on it, without having to read the total text of the set of points established for that purpose.

  

  1. Objective to establish standards and guidelines on data protection and processing to create an internal code

 

As an expression of responsibility for data protection and in accordance with the new regulatory change (General Data Protection Regulation), PN undertakes to comply with the Spanish legislation for the protection of personal data. These sections are integrated into a guide and / or internal code valid for PN, and are based on principles recognized by the Spanish State and the Spanish Agency for Data Protection,

 

Data protection is one of the foundations of a business or trust relationship and the image of PN. Through this block, we want to bring closer the framework of the necessary conditions for the collection and subsequent processing of data. This block wants to inform the user of the criteria, values and efforts made by PN to establish an adequate level of protection of data processing of a personal nature required by the European directive on data protection and by different national regulations for the correct treatment of same.

 

  1. Scope of application and modification of the internal data protection code

 

These epigraphs associated with an internal code are limited to the company PN, that is, for PN and as well as for all companies (in charge of treatment) and their employees.

 

A dependent company according to this guide is considered to be any company to which PN may demand general or specific compliance with this data protection and processing guide for collaborating with it or for carrying out any action involving data processing (as well as formalizing the relationship between the person in charge of treatment through an "ad hoc" contract for the activity or service that will be provided or performed by PN).

 

  1. Application of National Law

The data protection and processing code contains the principles of security, confidentiality and consent (information) derived from the European Directive and the European Commission for Data Protection and regulatory development of the Spanish State according to the resources, means and capacities of PN.

 

PN is responsible for complying with the data protection and treatment code and the legal obligations included in the legal framework of the Spanish State. If you, as a user / data subject, have reason to assume that there are legal obligations that contradict what is stated in the privacy policy and epigraphs, you may inform the Data Protection Delegate of the Group (see contact information in the "Basic Information" section) ").

 

 

  1. Basic principles for the treatment of personal data (associated with the website)

  1. 1. Honesty and legitimacy

During the collection and processing of personal data, through the websites owned by PN, PN will supervise that the personal rights of data holders are covered.

 

Personal data must be collected, according to the principles of consent (express and unequivocal when there is no basis for legitimacy) and information, and treated honestly and legitimately.

  1. 2. Use for specific purposes

 

Personal data can only be processed in relation to the purpose for which they were originally collected. For this reason, informative clauses have been established in forms or similar (unmixed / express acceptance boxes). Subsequent modification of the specific purpose / s will be possible only under certain conditions and requires an objective justification or sufficient accreditation.

  1. 3. Transparency

The data owner must be informed about the use of their data. As a general rule, personal data, through this website, are always collected directly from the interested parties. Whenever data of a personal nature is collected, the data owner must be in a position to personally recognize the following aspects, or be informed about them:

 

» The identity of the person responsible for collecting the data

» The purpose of data processing

» Possible third parties or categories of third parties to which the data are transferred where appropriate

 

For this reason, it is recommended to read the privacy policy. Especially the block "Basic Information" where the previous points are contained, and accept the same through a functionality so arranged in some of the forms.

 

[i Note: This information is included in section (1) of the General Information block. We advise users / holders of data that, before accepting the privacy policy, perform an approach to said information, and specifically to the point associated with the purpose of using the data.]

  1. 4. Avoid and reduce the collection and processing of data

PN, according to this block and new regulatory framework, before proceeding to the collection and subsequent processing of personal data will study the set of data necessary, and to what extent are relevant to meet the intended purpose.

 

To achieve this end, risk analysis and impact evaluation reports (IEI) will be carried out, whenever possible to achieve the intended purpose, and the costs are reasonable in relation to the purpose. Personal data will not be collected and processed for preventive purposes for possible future uses, unless required or permitted by current legislation at the time.

  1. 5. Deletion

PN will erase the personal data, associated with the data collected and processed in this website, which are not necessary after the expiration of the prescribed storage periods or as permitted by law, according to the data and the registered file. If, in an individual case, there are indications of a need for protection or historical interest in these data, the storage period of these data will be extended until the legal need for protection has been clarified, or until PN has assessed the relevance historical data for inclusion in the file.

  1. 6. Accuracy and current data

PN will keep the personal data as you have communicated and according to your resources and the subsequent communications that you can make in this regard, and will be updated whenever necessary or known.

 

[i Note: For this purpose, forms associated to this situation have been established, data update / modification, and a Data Protection Delegate has been designated, as well as a responsible / alternative contact.]

  1. 7. Confidentiality and data security

The personal data of PN are subject to an obligation of confidentiality. That is, they will be treated confidentially by their human resources (employees) and will be protected by appropriate organizational and technical measures against access by unauthorized persons, illegal treatment or illegal transfer to third parties, as well as against casual loss, modification or destruction.

 

[i Note: To comply with the principle of confidentiality, commitments have been established in this regard for employees and contracts of treatment / confidentiality managers for third parties (service providers.]

  1. Legal basis in the collection and processing of data

 

It is legal to collect, process and use personal data only if one of the requirements of legality described in what will be established below is met. One of the legality requirements must also be met if you wish to change the purpose of the collection, processing and use of personal data in relation to the original objective.

 

  1. 1. Data processing for a contractual relationship

 

The personal data of the interested party, the cuestomer and / or the website user can be treated for the preparation, realization or cancellation of a contract or request. This also includes the attention of the contractual user / customer, as long as it is related to the object of the contract.

 

Before the formalization of a contract - that is, in the pre-eminently informative phase of the contract - the processing of personal data to prepare offers, to prepare requests for products or services or to fulfill other wishes of the client is permitted. interested in order to reach the conclusion of the business relationship. It is allowed to contact potential clients or users, according to circumstances, during the pre-information phase, using the data that they have communicated or be able to offer similar products or services or that may be of interest due to the profile of potential client / user. . If applicable, the restrictions mentioned by the interested party (data holder) should be taken into account.

  1. 2. Data processing for advertising purposes

If the interested party goes to a PN company requesting information (for example, request to send informative material about a product, act or service), the processing of their data is allowed to fulfill this desire.

 

The advertising and loyalty measures of customers / users require compliance with other legal requirements. The processing of personal data for advertising or market research and opinion purposes is permitted if this treatment is compatible with the purpose for which it was collected or express consent has been obtained.

 

The affected / data subjects (users) will be informed about the use of their data (see block of "Basic Information", purpose of use). If data is collected exclusively for advertising measures, the communication thereof, by the affected party, will always be voluntary.

 

If the interested party rejects the use of their data for advertising purposes, their data should not be used for this purpose and will be blocked accordingly (use of "robinson list").

  1. 3. Consent with data processing

It is possible to carry out the data processing if the interested parties have given their consent. Before requesting their consent, the interested party will be informed in accordance with section 4.3 of this block on the protection and data processing guidelines. For reasons of plausibility, the declaration of consent must always be collected in writing or electronically (acceptance of conditions in the form). Under certain conditions, such as telephone counseling, verbal consent may be granted. The consent granted will be documented.

  1. 4. Data processing due to legal permission

The processing of personal data is also legal if there are legal provisions that require, presuppose or authorize this treatment. The type and extent of data processing must be necessary for the treatment authorized by legislation, and must be carried out in accordance with these provisions.

  1. 5. Data processing due to a legitimate interest

Personal data may also be processed if necessary to safeguard a legitimate PN interest. In general, legitimate interests can be of a legal nature (for example, to execute outstanding debts) or economic (for example, to avoid contract disturbances).

 

The processing of personal data by reason of a legitimate interest is not permitted if there are in some particular cases indications that the protection of the legitimate interests of the interested party predominates over the interest of the responsible body in the processing of the data. The legitimacy of these interests will be examined before each data processing.

 

In this regard, you should understand that PN has made an effort to establish a criterion and a basis that allows it to have legitimacy about the purpose of using the data, based on the profile of the owner. This criterion is based on the fact that the company can develop its activity in order to remain in time, maintain or expand its workforce and obtain a legitimate benefit.

  1. 6. Processing of data subject to special protection

 

Personal data subject to special protection (health, sexual orientation, political ideas and the like) can only be treated if it is mandatory by law, or if the interested party has given their express consent. In general, PN does not collect or treat this type of data.

 

For the rest, the processing of these data may also be allowed if this is necessary so that the responsible body can exercise their rights, claim them or defend them against the interested party. If there is an intention to process data subject to special protection, the PN Data Protection Delegate will be informed in advance.

  1. 7. User and Internet data

 

Whenever personal data are collected, processed or used on the website or on integrated platforms, the interested parties will be informed about this aspect in notices about data protection and, where appropriate, about cookies. The notices about the protection and processing of data about cookies must be integrated so that they are available continuously, and that the interested party can easily recognize them and access them immediately.

 

 

If the possibility of accessing personal data in a restricted area (subject to registration) of web pages or Apps is offered, the identification and authentication of the interested party will be configured in such a way that an adequate level of protection of this access is achieved.

  1. Transfer of personal data

In case of data transfer to a recipient or to a third party located in a third state, the recipient must guarantee a level of data protection appropriate to the terms of this guide and regulatory framework for data protection of the Spanish State.

 

 

  1. Data processing on request

 

There is a case of data processing on request if a contractor is assigned the processing of personal data, without transferring responsibility for the corresponding process / commercial relationship. In these cases, a data processing agreement must be taken on request, both with the external contractor and between PN. The company (PN) that grants the order retains full responsibility for the correct implementation of the data processing. The contractor is authorized to process personal data only within the framework of the contractor's instructions.

 

When granting the order, the following prescriptions must be observed; the department that grants the order must ensure compliance:

 

  1. Select the contractor (in charge of treatment) according to their suitability to guarantee the necessary technical and administrative protection measures.

 

  1. The order must be formally granted. The instructions for the data processing and the responsibility of the contractor and the contractor must be documented in the order.

 

  1. The standard contracts made available by Delegate of Data Protection for the different departments with capacity for this purpose will be taken into account.

 

  1. Before the beginning of the data processing, the contractor must verify the fulfillment of the obligations by the contractor. The contractor must document compliance with data security requirements, especially by submitting an appropriate certificate. Depending on the risk of data processing, it may be necessary to repeat the control periodically during the term of the contract.

 

  1. If the processing of the data is entrusted to a company located abroad, the applicable national requirements for the transfer of personal data to companies abroad must be complied with. In particular, only the processing of personal data of the European Union Space to a third state can be entrusted if the contractor can document a level of data protection comparable to the Spanish State regulations on data protection.

 

They are established as suitable instruments to give scope to what has been previously referenced:

 

  1. An agreement of the clauses of the standard contract established by the Spanish Data Protection Agency for the processing of data by order in third states with the contractor and, where appropriate, with the subcontractors.
  2. The participation of the contractor in a certification system recognized by the Spanish Agency for Data Protection to create a reasonable level of data protection.
  3. The recognition by state control bodies responsible for binding rules of the contractor's company to create an adequate level of data protection.

 

 

  1. Rights of the interested party (data owner)

 

All interested parties, data holders, you as user, can enforce the rights specified below. The responsible body must immediately process the claim of rights, and the interested parties should not be discriminated against in any way for asserting their rights.

 

  1. The interested party may demand information about the personal data stored about him, about his origin and about the intended use.

 

  1. If personal data are transferred to third parties, the identity of the recipient or the categories of recipients will also be reported.

 

  1. If the personal data are incorrect, or incomplete, the interested party may demand its correction or addition.

 

  1. The interested party may object to the processing of their personal data for the purpose of publicity, or within the framework of market and opinion studies. In this case, the data will be blocked to prevent its being used for this purpose.

 

  1. The interested parties have the right to demand that their data to be deleted if the legal basis for the processing of the data has lapsed or has expired. The same applies in the case that the reason for the data processing has been prescribed, either for the time elapsed or for other reasons. The periods of mandatory conservation of certain documents and the legitimate rights that oppose the deletion or allow cancellation will be taken into account.

 

  1. The interested parties have a basic right of opposition against the processing of their personal data, which will be taken into account whenever it is found that their interest in the protection of their personal data predominates because of their personal situation on the interest in the treatment of the data. This right does not apply if there is a legal regulation that prescribes the treatment of the data.

 

 

  1. Confidentiality in data processing

 

Personal data are subject to the principle of confidentiality. It is established for the employees that the collection, processing and use of data cannot occur:

 

(a) Without knowledge (this is directly related to the right to information)

 

(b) Without authorization (this concept has a direct interest in obtaining express and / or unambiguous consent).

 

It is considered illegal any data processing performed by an employee or third party without constituting its role in accordance with their work and without being authorized to do so. PN establishes supervisory procedures so that employees only have access to personal data when necessary and within the framework of the need for their tasks or functions. Derived from the above, PN performs an allocation and precise division of roles and privileges, as well as the implementation and updating within the framework of authorization concepts.

 

Employees or third parties (in charge of processing) can not use personal data for particular or economic uses, deliver them to unauthorized third parties or allow third parties access in another way. Department managers will inform their employees and will present a specific commitment, at the beginning of an employment relationship, about the obligation to observe the confidentiality of the data. This obligation will persist after the employment relationship ends

 

  1. Control of data protection

 

Compliance with the data protection guidelines of this guide and current data protection laws is controlled through periodic audits and other controls. The realization will be promoted by the Delegate in Data Protection (DPD), Coordinators and Responsible (by department) of the company with control rights and / or external auditors in charge.

 

The results of the controls (situation controls, impact evaluation studies, audits and the like) of the data protection will be monitored by DPD. The same will transfer and inform the PN Surveillance Committee about relevant results in the framework of the corresponding information obligations.

 

The results of the data protection controls will be made available to the competent authorities on data protection if they request it. The competent authorities on data protection can also carry out their own controls to comply with this rule in accordance with the authorizations contemplated in the legislation.

 

  1. Incidents or non-compliance in the guidance of the protection and data processing guide

 

All PN employees have the capacity and channels to communicate their superiors, their coordinator or the Data Protection Delegate (DPD) about incidents or breaches of the recommendations, guidelines or guidelines of this guide for the protection and treatment of data. The coordinator (responsible for a department) must inform the DPD, in general, and specifically, if the following cases occur:

 

  • Receipt or illegal delivery of personal data to, or by, third parties
  • Unauthorized access of third parties to personal data
  • Loss of personal data. In this scenario, the communication will be carried out with the greatest speed to Responsible or DPD (management of incidents against information security), in order to be able to comply with the legal obligations of information of this type of incidents.

 

  1. The PN Data Protection Delegate

The Delegate for Data Protection (DPD) is an internal figure, who enjoys autonomy, who watches over the observance of national data protection requirements. It is responsible for the guidelines related to the data protection and treatment, and monitors compliance.

 

The Delegate for Data Protection is appointed by the PN Surveillance Committee (Administrator). The departments (their coordinators) and Centers (responsible) of PN are obliged to what the DPD establishes at all times. The specific exceptions to this rule should be agreed with the DPD. The coordinator and responsible persons must inform the DPD diligently about the risks of protection and data processing in specific areas of their activity (department or center) as a valid interlocutor.

 

Any interested party may contact the DPD at any time, to communicate suggestions, process inquiries, request information or submit complaints regarding the protection of personal data and the security of this data.

 

Those responsible for the Departments or Work Centers must take into consideration the decisions of the DPD in relation to incidents or breaches of the data protection regulations. Consultations of authorities will always be communicated to the DPD. The DPD and its collaborators are available according to the information provided in point 1.2 of BASIC INFORMATION (see 1.2 Delegate on Data Protection.