1. Purpose, scope and users

NexTReT Ciberseguridad, SL, hereinafter the “Company”, strives to comply with the applicable laws and regulations related to the protection of personal data in the countries where it operates.

The purpose of this policy is to establish the information security policy for, based on the requirements set forth in the GDPR (General Data Protection Regulation) and the LOPDGDD (Organic Law on Data Protection and Guarantee of Digital Rights), this policy establishes the basic principles by which the Company processes the personal data of consumers, suppliers, business partners, employees and other people, and indicates the responsibilities of its commercial departments and employees while processing personal data.

This policy applies to the Company and its directly or indirectly controlled subsidiaries that conduct business within the European Economic Area (EEA) or process the personal data of data subjects within the EEA.

Users of this policy are all employees, permanent or temporary, and all contractors working on behalf of the Company, as well as web users who access the domains and web pages of NexTReT Ciberseguridad, S.L. and its subsidiaries.

As a fundamental point of the policy is the implementation, operation and maintenance of its own ISMS (Information Security Management System).

Basic aspects of the Company’s security policy:

  • Ensure the confidentiality, integrity and availability of the information.
  • Comply with all applicable legal requirements.
  • Define the functions of the security manager, in charge of the ISMS information security management system.
  • Guarantee an adequate use of the personal information that the company manages.
  • Train, raise awareness and inform all employees of their functions and obligations in relation to information security.
  • Properly manage all incidents that have occurred.
  • Have a continuity plan that allows you to recover from a disaster in the shortest possible time.
  • Continuously improve the ISMS and therefore, the security of the organization’s information.

2. References

  • Law 3/2018, of December 5, on Protection of Personal Data and Guarantee of Digital Rights.
  • The GDPR EU 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data and repealing Directive 95/46 / EC)
  • ISO 27001
  • National Security (ENS)

3. Definitions

The following definitions of terms used in this policy come from Article 4 of the General Data Protection Regulation of the European Union:

3.1. Personal Data

All information about an identified or identifiable natural person, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical identity, physiological, genetic, psychic, economic, cultural or social of a natural person. Personal data includes an individual’s email address, telephone number, biometric information (such as fingerprint), location data, IP address, health care information, religious beliefs, social security number, marital status, and so on.

3.2. Sensitive personal data

Personal data that is particularly sensitive in relation to fundamental rights and freedoms, since the disclosure of such data could cause physical damage, financial loss, damage to reputation, identity theft or fraud or discrimination, etc. Sensitive personal data normally includes, but is not limited to, the disclosure of personal data of racial or ethnic origin, political opinions, religious or philosophical convictions, union affiliations, genetic data, biometric data (fingerprint), aimed at identifying in a way unique to a natural person, data related to health or data related to the sexual life or sexual orientation of a natural person.

3.3. Treatment

An operation or set of operations carried out on personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination, limitation, deletion or destruction of data.

3.4. Data controller

The natural or legal person, public authority, service or other organization that, alone or together with others, determines the purposes and means of the treatment.

3.5. Data processor

The natural or legal person, public authority, service or other organization that, alone or together with others, processes the data on behalf of the data controller.

3.6. Anonymization

Irreversibly eliminate the identification of personal data so that the direct or indirect link with a natural person of said data is not possible.

3.7. Control authority

The Spanish Data Protection Agency as defined by the GDPR in article 4, paragraph 21, as the independent public authority established by a Member State in accordance with the provisions of article 51.

4. General principles for the processing of personal data

4.1. Legality, impartiality and transparency

Personal data must be treated in a legal, impartial and transparent manner in relation to the interested parties.

4.2. Purpose limitation and basis of legitimation

The personal data of the interested parties must be collected for specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with said purposes.

Purposes and legal bases of treatment


Purposes Legal bases of treatment
Maintain contact and communication, manage the possible contractual/pre-contractual relationship Contractual relationship
Send current customers, through electronic communications, information about our activities, products and/or services similar to those requested.
Installation of technical cookies
Conducting opinion/satisfaction surveys
Legitimate interest
Send potential customers, through electronic communications, information about our activities, products and/or services similar to those requested.
Installation of non-technical cookies
Participate in events, activities, promotions, organized by the companies of the NexTReT Group
Management of selection processes and CVs received for this purpose.
Assignments derived from tax regulations/consumers and users, labor and social security Compliance with a legal obligation
Transmissions of data between companies of the NextTReT Group for internal administrative purposes, including the transfer of personal data of clients or employees, according to Considerant 48 GDPR. Legitimate interest
When the legitimacy is based on consent, you may withdraw that consent at any time by sending us an e-mail in this regard to rgpd@nextret.net. Said withdrawal will not condition the processing of your data for the rest of the purposes described.
When the processing of personal data is based on our legitimate interest, we will consider that this is proportionate and has a minimal impact on the privacy sphere of the interested party, but the interests, rights or freedoms of the interested party will always prevail over our legitimate interest. Therefore, if you do not want us to process your data for these purposes, please send us an e-mail to that effect at rgpd@nextret.net and we will do so.


4.3. Data minimization

The personal data of the interested parties must be adequate, pertinent and limited to what is necessary in relation to the purposes for which they are processed. The security manager must apply anonymization or pseudonymization to personal data if possible to reduce the risk concerning the interested parties.

4.4. Accuracy

The personal data of the interested parties must be exact and, if necessary, updated; All reasonable measures will be taken so that personal data that are inaccurate with respect to the purposes for which they are processed are deleted or rectified without delay.

4.5. Limitation of the conservation period

Personal data should not be kept longer than is necessary for the purposes for which personal data are processed, in accordance with the GDPR and the LOPDGDD.

The personal data provided by the interested users will be kept as long as the contractual, pre-contractual or commercial relationship is maintained and, once these are finished, as long as the interested person does not request their deletion. Even if the deletion is requested, we can keep them for the necessary time and limiting their treatment, only for:

  • Comply with the legal/contractual obligations to which we are subject,
  • And/or during the legal terms established for the prescription of any liability on our part,
  • And/or the exercise or defense of claims derived from the relationship maintained with the person concerned.

In coordination with the previous criteria, the deletion of personal data, either in computer records or on paper, may be carried out, at the discretion of the organization, based on logistical and/or storage space needs that make it advisable to delete information or documentation.

4.6. Integrity and confidentiality

Taking into account the state of technology and other available security measures, the cost of implementation and the probability and severity of the risks, appropriate technical or organizational measures should be applied to process personal data, including protection against unauthorized processing or illegal and against its loss, destruction or accidental damage.

4.7. Proactive accountability

Those responsible for the treatment will be responsible for compliance with the principles described above and will be able to demonstrate it.

5. Security Policy

5.1. Objectives

The Company’s security policy aims to set the high-level guidelines to follow so that all processing of personal data is carried out safely and only by authorized personnel, as well as to protect the information of the organization, against possible losses of confidentiality, integrity and / or availability.

5.2. Scope

The scope of this policy is limited to all departments of the Company.


The actions necessary to comply with the declaration of the security Policy go through the implementation, operation and maintenance of the ISMS (Information security management System), which is in every moment aligned with this policy.

In the planning phase, a study of the security of the company is included as a fundamental point through a risk and impact analysis and the establishment of its corresponding risk treatment plan not accepted by the organization.

The implantation of the ISMS is the main responsibility of the responsible of the treatment (or responsible of the ISMS) supported in every moment by technical personnel and with the total support of management.

Based on the results obtained in the planning phase, certain security controls are implanted, in addition to operating the procedures of the ISMS to comply with the RGPD and LOPDGDD.

5.4. Review

The information security policy and the ISMS are regularly reviewed at planned intervals or if significant changes occur to ensure its continued suitability, efficiency and effectiveness. In a generic way, they are reviewed annually together with the internal audit processes of the ISMS.

There are monitoring procedures that provide information on the correct performance of the ISMS.

Management also plays an important role in reviewing the system, conducting a thorough analysis of the system and finding possible improvements and deficiencies.

With all these input data, a global review is carried out by the safety committee.

5.5. Improvement

Possible improvements to the information security policy and the ISMS are established either during the review phases or based on contributions that are considered interesting from both Company personnel and external personnel.

Said improvements are evaluated and once their viability has been studied, they are implemented, operated and maintained. The entire ISMS is part of the Demming cycle (PDCA cycle), its implementation and operation, its review and subsequent improvement. All of this applied to information security.

6. Treatment guidelines

Personal data must be treated solely and exclusively, only when explicitly authorized by the Company.

6.1. Notice to interested parties

At the time of collection or before collecting personal data for any type of activities, the interested parties will be informed about:

  • Legitimation (what data we collect).
  • The purpose (for what purpose).
  • Retention (Time the data will be saved).
  • User rights (What are the rights and how to exercise them).
  • Where the data will be hosted.
  • Claims (Where and how to file claims).

When personal data is shared with a third party, you must ensure that the interested parties have been notified of this through a privacy notice and that the third party complies with the provisions of the GDPR and the LOPDGDD.

6.2. Obtaining consent

At the time of collection or before collecting personal data for any type of activities, the explicit consent of the interested party must be requested for each of the purposes of the treatment.

This will be done whenever possible, using a form in which each of the purposes of the treatment will be reflected together with some check boxes, where the interested party must indicate “yes” or “no”, upon request for consent. In the event that the user does not take an affirmative action, clearly indicating the option “yes”, it will be understood that he does not consent to the collection and treatment.

7. Organization and responsibilities

The responsibility of guaranteeing the adequate treatment of personal data rests with all the Company’s employees, as well as third parties who intervene in said treatment.

The security committee and the management of the Company will make decisions and approve the general strategies of the Company in matters of personal data protection and may delegate specific functions to third parties in order to guarantee adequate treatment

8. Cross-border processing of personal data

We will ensure that personal data is always processed and located in the European Economic Area (EEA). However, in certain circumstances, we may make international data transfers, for example, in the event that it is necessary for the conclusion or execution of a contract, in the interest of the interested party, between the company of the NexTReT Group with which the client has contracted and another physical or legal person; or in the event that it is necessary for the execution of a contract between the interested party and the company of the NexTReT Group with which the client has contracted, for example when using service providers located outside the European Union, who may have access to personal data, for the provision of services (by way of example and without limitation: hosting, housing, XaaS, remote backup copies, computer support or maintenance services, email managers, sending emails and email marketing , file transfer, etc.) or for the execution of pre-contractual measures adopted at the request of the interested party.

These entities may be different and vary over time, but we will try to choose entities, either belonging to countries that have a level of protection equivalent to the European one in terms of data protection, or that have the adequate guarantees to reach that level, or they will be carried out on the basis of any of the exceptions provided for this purpose in the GDPR.

9. Supplier Management

The department that hires a new supplier will have to take into account the possible security risks derived from the service provided, for which it will be required to comply with the GDPR and the LOPDGDD.

In the event that this provider must perform personal data processing tasks, they must sign a personal data processing contract “CONTRACT FOR THE PROVISION OF SERVICES AND PERSONAL DATA PROCESSING ORDER”.

10. Management of incidents

Any incident in matters of security must be reported, following the established procedure. Said notification will be made immediately to his hierarchical superior or to the person in charge of information security or whoever delegates on his behalf. Once received, it will be in charge of monitoring it, completing the notifications established in the corresponding procedure, and establishing the actions for its correction.

11. Business continuity

Business interruptions will be counteracted and critical business processes will be protected from the effects of major or catastrophic failures of information systems.

The main guarantee of business continuity is based on the backups, the process and the policies of the BACKUP procedure.

All employees will collaborate in the timely resumption of all critical services for the Company in the event of a serious contingency, thus helping to restore most of the services in the shortest possible time.

12. Legal compliance

Any type of breach of the laws or legal, regulatory or contractual obligations and of the security requirements that affect the information systems and personal data of the Company will be avoided.

13. Exercise of Rights

As an interested party, you can, when appropriate, exercise your rights of access, rectification, deletion, limitation and opposition to your treatment, as well as other rights, at the postal address: Rambla Catalunya, 33, 08007-Barcelona, or by email to: rgpd@nextret.net; in both cases by written and signed request attaching a copy of the ID or passport or other valid document that identifies you. In case of modification of your data, you must notify it at the same address, this entity declining all responsibility in case of not doing so.

  • Right of access: You can ask us what personal data we are dealing with, even request a copy of it.
  • Right of rectification: You can ask us to rectify inaccurate personal data or to complete incomplete ones, including through an additional statement.
  • Right of deletion (right to be forgotten): You can request the deletion of your personal data when: they are not necessary for the purposes for which they were collected, you withdraw your consent, there has been an illegal treatment of them or due to compliance with an obligation legal.
  • Right to limitation of treatment: You can ask us to limit the treatment of your data, in which case we will only keep them for the exercise or defense of claims.
  • Right of opposition: You can oppose the treatment that is made of your data if said treatment is based on the legitimate interest of the person in charge of treatment or is for advertising purposes.
  • Right to portability: You can receive your personal data, in a structured, commonly used and machine-readable format, to transmit it to another controller as long as the processing is carried out by automated means and when the processing is based on consent or a contract.

Once any of the above requests have been received, we will respond to you within the legally established deadlines.

If you consider that your personal data has not been adequately processed in accordance with current legislation, you can contact the Spanish Agency for Data Protection and file a claim with the Control Authority: www.aepd.es.

14. Apply

This policy is valid as of 14/02/2023.