PERSONAL DATA PROTECTION POLICY
MIRIAM QUEVEDO S.L. (the "Company") is an organisation where personal data processing activities are carried out, therefore it has an important responsibility in the design and implementation of procedures so that they comply with the legal requirements in this matter.
In the exercise of these responsibilities and in order to establish the general principles that should govern the processing of personal data in the Company, it approves this Personal Data Protection Policy, which is notified to its Employees and made available to all its Stakeholders.
The Personal Data Protection Policy is a measure of proactive responsibility to ensure compliance with applicable legislation in this matter and, in connection with this, respect for the right to honour and privacy in the processing of the personal data of all individuals related to the Company.
In development of the provisions of this Personal Data Protection Policy, the Principles governing the processing of data in the organisation are established and, consequently, the procedures, and the organisational and security measures that the individuals subject to this Policy undertake to implement in their area of responsibility.
For this purpose, the Management shall assign responsibilities to the staff involved in data processing operations.
This Personal Data Protection Policy shall apply to the Company, its directors, officers and employees, as well as to all persons interacting with it, expressly including service providers with access to data ("Data Processors").
3. Principles of personal data processing
As a general principle, The Company shall scrupulously comply with the laws on the protection of personal data and must be able to evidence it (Principle of "proactive responsibility"), giving special attention to the processing that may pose a greater risk to the rights of data subjects (Principle of "risk approach").
In this regard, MIRIAM QUEVEDO S.L. undertakes to ensure compliance with the following Principles:
– Lawfulness, fairness, transparency and purpose limitation. Data processing must always be informed to the data subject, by means of clauses and other procedures; and it will only be considered legitimate when there is consent for the data processing (with special attention to the consent provided by minors), or if there is another valid legitimisation and the purpose of the processing conforms to the law.
– Data minimisation. The data processed must be adequate, relevant and limited as necessary in relation to the purposes of the processing.
– Accuracy. The data must be accurate and, if necessary, kept up to date. In this respect, the necessary measures shall be taken to ensure that personal data which are inaccurate in relation to the purposes of the processing are deleted or rectified promptly.
– Limitation of the retention period. Data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes of the processing.
– Integrity and confidentiality. Data shall be processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organisational measures.
– Transfer of data. The purchase or obtaining of personal data from illegitimate sources or in those cases in which such data have been collected or transferred in violation of the law or where their legitimate origin is not sufficiently guaranteed is expressly prohibited.
– Engagement of suppliers with access to data. Only suppliers that offer sufficient guarantees to apply appropriate technical and security measures in the processing of data shall be chosen for engagement. The appropriate agreement shall be documented with these third parties.
– International data transfers. Any processing of personal data subject to European Union regulations that involves a transfer of data outside the European Economic Area must be carried out in strict compliance with the requirements established in the applicable law.
– Rights of data subjects. The Company shall facilitate the exercise of the rights of access, rectification, erasure, limitation of processing, objection and portability for data subjects, establishing for this purpose the internal procedures, and in particular the models for their exercise that are necessary and appropriate, which must comply, at least, with the legal requirements applicable in each case.
The Company shall ensure that the principles set out in this Personal Data Protection Policy are taken into account (i) in the design and implementation of all work procedures, (ii) in the products and services offered (iii) in all contracts and obligations entered into or assumed and (iv) in the implementation of all systems and platforms that allow access by employees or third parties and/or the collection or processing of personal data.
4. Commitment of employees
Employees are informed of this Policy and acknowledge that personal information is an asset of the Company, and in this respect they agree to adhere to it, committing themselves to the following:
– To undergo the Data Protection awareness training that the Company makes available to them.
– To implement the security measures at user level that apply to their job, notwithstanding the responsibilities in their design and implementation that may be attributed to them depending on their role within MIRIAM QUEVEDO S.L.
– To use the formats established for the exercise of rights by data subjects and to inform the Company immediately so that the response can be effective.
– To inform the Company, immediately upon becoming aware of any deviations from the provisions of this Policy, especially "Violations of personal data security", using the format established for this purpose.
5. Monitoring and assessment
A verification, evaluation and assessment of the effectiveness of the technical and organisational measures to ensure the security of the processing shall be carried out annually, or whenever there are significant changes in data processing.
MIRIAM QUEVEDO S.L.