Data Processing
Data Processing of Clients, Potential Clients and Suppliers
Information Clause
Data controller:
Raquel Yazmina Pérez Pérez
43276644M
C/ Petrel 4
35138 Playa del Cura, Las Palmas (Canary Islands)
“On behalf of the company, we process the information you provide us with in order to provide you with the requested service and/or bill for it. The data provided will be kept for as long as the commercial relationship is maintained, or for the years necessary to comply with legal obligations. The data will not be transferred to third parties except where there is a legal obligation. You have the right to obtain confirmation as to whether Canary Rooms is processing your personal data; you therefore have the right to access your personal data, to rectify inaccurate data, or to request its deletion when the data is no longer necessary. We also request your authorization to offer you products and services related to those requested and to retain you as a customer.”
Contract Service Companies:
1. Purpose of the processing order:
Through these clauses, Dinahosting (as the hosting company for this website), Redsys (as the company managing the online payments for the products and services offered on this website) and Dinahosting (as the company registering the domain) are designated as data processors, to process, on behalf of Canary Rooms as data controller, the personal data necessary to provide the service specified below. The processing will consist of e-mail services, contact forms and web hosting.
2. Identification of the affected information:
For the execution of the services derived from the fulfillment of the object of this assignment, Canary Rooms, as data controller, makes available to Dinahosting (as the hosting company for this website), Redsys (as the company managing the online payments for the products and services offered on this website) and Dinahosting (as the domain registration company) the information held on the computer equipment that supports the data processing carried out by the controller.
3. Duration:
This agreement has an indefinite duration. Once this contract ends, the data processor must return the personal data to the data controller and delete any copy kept in its possession. However, it may keep the data blocked in order to address possible administrative or jurisdictional responsibilities.
4. Obligations of the data processor:
The data processor and all of its staff are obliged to:
– Use the personal data to which they have access only for the purpose of this assignment. Under no circumstances may the data be used for their own purposes.
– Process the data in accordance with the instructions of the data controller. If the processor considers that any of the instructions violate the GDPR or any other data protection provision, the processor will immediately inform the controller.
– Not communicate the data to third parties, unless they have the express authorization of the data controller, in legally admissible cases.
– Maintain the duty of secrecy regarding the personal data to which they have had access by virtue of this assignment, even after the contract ends.
– Guarantee that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be appropriately informed.
– Keep at the disposal of the data controller the documentation proving compliance with the obligation established in the previous section.
– Guarantee the necessary training in personal data protection for the people authorized to process personal data.
Notification of data security breaches:
The data processor will notify the data controller, without undue delay and through the e-mail address indicated by the controller, of any personal data security breaches affecting the data in its charge of which it becomes aware, together with all the information relevant for documenting and communicating the incident.
At a minimum, the following information will be provided:
– Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
– Contact person details for further information.
– Description of the possible consequences of the personal data security breach.
– Description of the measures adopted or proposed to remedy the personal data security breach, including, where applicable, the measures adopted to mitigate its possible negative effects.
– If and to the extent that it is not possible to provide the information at the same time, the information will be provided gradually without undue delay.
– Make available to the data controller all the information necessary to demonstrate compliance with its obligations, as well as to carry out audits or inspections conducted by the data controller or another auditor authorized by the controller.
– Assist the data controller in implementing the necessary security measures to:
a) Guarantee the ongoing confidentiality, integrity, availability and resilience of the processing systems and services.
b) Restore the availability of and access to personal data quickly in the event of a physical or technical incident.
c) Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the security of the processing.
Data destination:
The data processor will not keep personal data relating to the controller's processing unless it is strictly necessary for the provision of the service, and only for the time strictly necessary for that provision.
5. Obligations of the data controller
It is up to the data controller to:
– Provide the processor with access to the equipment in order to provide the contracted service.
– Ensure, prior to and throughout the processing, compliance with the GDPR by the processor.
– Supervise the processing.
Record of Processing Activities:
Processing: Clients
Purpose of processing: Customer relationship management
Description of the categories of clients and categories of personal data:
Clients: People with whom a commercial relationship is maintained as clients.
Categories of personal data: Those necessary to maintain the commercial relationship; identification and billing data: name and surname, NIF, postal address, telephone numbers, e-mail.
Bank details: for direct debit payments.
Categories of recipients to whom the personal data have been or will be communicated: Tax administration, Social Security, banks and financial entities.
Where possible, the deadlines provided for the deletion of the different categories of data: Those provided for by tax legislation regarding the limitation period for liabilities.
Processing: Potential Clients
Purpose of processing: Management of the relationship with potential clients
Description of the categories of potential clients and categories of personal data:
Potential clients: People with whom we seek to maintain a commercial relationship as clients.
Categories of personal data: Those necessary for the commercial promotion of the company; identification data: name and surname, postal address, telephone numbers, e-mail.
Categories of recipients to whom the personal data have been or will be communicated: Not contemplated.
Where possible, the deadlines provided for the deletion of the different categories of data: One year from the first contact.
Processing: Suppliers
Purpose of processing: Management of the relationship with suppliers
Description of the categories of suppliers and categories of personal data:
Suppliers: People with whom a commercial relationship is maintained as suppliers of products and/or services.
Categories of personal data: Those necessary to maintain the relationship with the supplier; identification data: name, NIF, postal address, telephone numbers, e-mail.
Bank details: for direct debit payments.
Where possible, the deadlines provided for the deletion of the different categories of data: Those provided for by tax legislation regarding the limitation period for liabilities.
ANNEX: SECURITY MEASURES
INFORMATION OF GENERAL INTEREST
This document has been designed for low-risk personal data processing. It follows that it cannot be used for processing that includes personal data revealing ethnic or racial origin, political ideology, religious or philosophical beliefs or trade union membership, genetic or biometric data, health data, or data on people's sexual orientation, nor for any other processing that entails a high risk for the rights and freedoms of natural persons.
Article 5.1.f of the General Data Protection Regulation (GDPR) establishes the need for adequate security guarantees against unauthorized or unlawful processing and against loss, destruction or accidental damage of personal data. This implies establishing technical and organizational measures aimed at ensuring the integrity and confidentiality of personal data, together with the possibility (article 5.2) of demonstrating that these measures have been put into practice (accountability). Depending on the type of processing you disclosed when you completed this form, the minimum security measures that you should take into account are the following:
ORGANIZATIONAL MEASURES
INFORMATION THAT SHOULD BE KNOWN BY ALL STAFF WITH ACCESS TO PERSONAL DATA
All personnel with access to personal data must be aware of their obligations in relation to the processing of personal data and will be informed about these obligations. The minimum information that all staff must know is the following:
DUTY OF CONFIDENTIALITY AND SECRECY
Access by unauthorized persons to personal data must be avoided. To this end, the following will be avoided: leaving personal data exposed to third parties (unattended electronic screens, paper documents in public access areas, media containing personal data, etc.); this includes the screens used to display images from the video surveillance system. When you are absent from the workplace, the screen will be locked or the session will be closed. Paper documents and electronic media will be stored in a secure place (cabinets or rooms with restricted access) 24 hours a day. Documents or electronic media (CDs, pen drives, hard drives, etc.) containing personal data will not be discarded without guaranteeing their destruction. No personal data or any personal information will be communicated to third parties; special care will be taken not to disclose protected personal data during telephone consultations, e-mails, etc. The duty of secrecy and confidentiality persists even after the worker's employment relationship with the company ends.
RIGHTS OF THE DATA SUBJECTS
All workers will be informed about the procedure for addressing the rights of the data subjects, clearly defining the mechanisms by which those rights can be exercised (electronic means, reference to the Data Protection Officer if any, postal address, etc.), taking into account the following: Upon presentation of their national identity document or passport, the owners of the personal data (data subjects) may exercise their rights of access, rectification, erasure, objection and portability.
The data controller must respond to the data subjects without undue delay.
For the right of access, data subjects will be provided with a list of the personal data held about them, together with the purpose for which they were collected, the identity of the recipients of the data, the retention periods, and the identity of the controller before whom they can request rectification, erasure and objection to the processing of the data.
For the right of rectification, data of the data subjects that are inaccurate or incomplete will be modified, taking into account the purposes of the processing.
For the right of erasure, the data of the data subjects will be deleted when they withdraw their consent or object to the processing of their data and there is no legal duty that prevents deletion.
For the right of portability, data subjects must communicate their decision and inform the controller, where applicable, of the identity of the new controller to whom their personal data is to be provided.
The data controller must inform all persons with access to personal data of the time limits for addressing the rights of the data subjects, and of the manner and procedure in which those rights will be addressed.
PERSONAL DATA SECURITY VIOLATIONS
When personal data security breaches occur, such as theft of or improper access to personal data, the Spanish Data Protection Agency will be notified within 72 hours of the breach, including all the information necessary to clarify the facts that gave rise to the improper access to personal data.
The notification will be made by electronic means through the electronic headquarters of the Spanish Data Protection Agency at the address: https://sedeagpd.gob.es
TECHNICAL MEASURES
IDENTIFICATION
When the same computer or device is used both for the processing of personal data and for personal use, it is recommended to have separate profiles or user accounts for each purpose. Professional and personal uses of the computer should be kept separate.
It is recommended to have profiles with administration rights for system installation and configuration, and users without privileges or administration rights for access to personal data. This measure prevents access privileges from being obtained, or the operating system from being modified, in the event of a cybersecurity attack.
The existence of passwords will be guaranteed for access to personal data stored in electronic systems. The password will have at least 8 characters and mix numbers and letters.
When personal data is accessed by different people, each person with access will have a specific username and password (unambiguous identification).
The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties.
For password management, you can consult the internet privacy and security guide of the Spanish Data Protection Agency and the National Cybersecurity Institute. In no case will passwords be shared or left written down in a common place accessible to people other than the user.
SAFEGUARD DUTY
The minimum technical measures to guarantee the safeguarding of personal data are set out below:
COMPUTER AND DEVICES UPDATE:
The devices and computers used for the storage and processing of personal data must be kept up to date as much as possible.
MALWARE: The computers and devices on which the automated processing of personal data is carried out will have an antivirus system that guards, to the extent possible, against the theft and destruction of personal information and data. The antivirus system must be updated periodically.
FIREWALL: To avoid improper remote access to personal data, care will be taken to guarantee that a firewall is activated on those computers and devices on which personal data is stored and/or processed.
DATA ENCRYPTION: When it is necessary to take personal data outside the premises where it is processed, whether by physical or electronic means, the use of an encryption method must be considered in order to guarantee the confidentiality of the personal data in the event of improper access to the information.
BACKUP: A backup copy will be made periodically on a second medium different from the one used for daily work. The copy will be stored in a safe place, different from where the computer with the original files is located, in order to allow the recovery of personal data in the event of loss of information.
The security measures will be reviewed periodically; the review may be carried out by automatic mechanisms (software or computer programs) or manually.
Consider that any computer security incident that has happened to anyone you know could happen to you, and prepare against it.
If you want more information or technical guidance on guaranteeing the security of personal data and the information your company processes, the National Cybersecurity Institute (INCIBE), on its website www.incibe.es, provides business-focused tools in its “Protect your company” section, where, among other services, it offers: a training section with a video game, incident response challenges and interactive sector training videos; an awareness kit for employees; various tools to help the company improve its cybersecurity, including policies for the employer, technical staff and employees; a catalog of security companies and solutions; a risk analysis tool; thematic dossiers complemented with videos and infographics and other resources; and guides for the entrepreneur. In addition, INCIBE, through the Internet User Security Office, also makes available free computer tools and additional information that may be useful for your company or your professional activity.