1. Purpose, scope and users
NexTReT Ciberseguridad SL, henceforth the “Enterprise”, is focused on obey the relevant laws and regulations related to the personal data protection in the countries where operates.
The present policy aims to stablish the security information policy based on the requirements arranged in the GDPR (General Data Protection Regulation) and the LOPDGDD (Organic Law of Protection of Personal Data and guarantee of digital rights). This policy stablishes the basic principles whereby the Enterprise treats the consumers, customers, providers, commercial partners, employees and other people personal data, and shows its commercial departments and employers’ responsibilities while treats personal data.
This policy its applied to the Enterprise and its third parts controlled in a direct or indirect way that do business inside the European Economical Area (AEE) or process the personal data of those interested inside the AEE.
Users of this policy are all unlimited or temporary employees, and all the contractors that work in the Enterprise name.
As a very important point of the policy, there is the implementation, operation and maintenance of our own SGSI (Information Security Management System).
Basic points of the Enterprise security policy:
- Ensure the confidentiality, integrity and availability of the information.
- Obey all applicable legal requirements.
- Define the security responsible functions; who is the person in charge of the information security management system (SGSI).
- Guarantee the appropriate use of the personal data that the company manages.
- Instruct, raise awareness and inform to all employees about its functions and responsibilities related to the information security.
- Mange correctly all incidences.
- Have a continuity plan that allows the disaster recovery as soon as possible.
- Improve continuously the SGSI and therefore the information security of the organization.
- The law 3/2018 of the December 5th, about de Personal Data Protection and the Guarantee of Digital Rights (LOPDGDD).
- The RGPD EU 2016/679 (Regulation (EU) 2016/679 of the European Parliament and the Council of the April 27th of 2016 related to protection of natural persons in respect of the processing of personal data and the free movement of these data and repealing Directive 95/46 / EC).
- ISO 27001
The following definitions of used terms in this policy, come from the Article 4 of the General Data Protection Regulation of the European Union:
3.1. Personal data
All the information about a natural persona identified or identifiable, directly or indirectly, in particular by an identifier, for example a name, an identification number, location data, an on-line identifier or one or some own elements of the natural identity, physiological, genetic, psychic, economic, cultural or social identity of a natural person. Personal data includes the email of a natural person, phone number, biometric information (like the fingerprint), location data, IP direction, medical attention information, religions beliefs, social security number, marital status, etcetera.
3.2. Sensitive personal data
Personal data which is particularly sensitive comparing it to the rights and freedoms fundamentals, since the disclosure of such data could cause physical damage, financial loses, reputational damages, identity theft, fraud or discrimination, etcetera. The sensitive personal data include, but aren’t limited to that categories, information of racial origin, of ethnic, of political opinion, of religion or philosophical believes, of union affiliation, of general data, or of biometric data (fingerprint) and are used to identify unequivocally a natural person, including data related to his health, sex life and sexual orientation.
An operation or a group of operations done about personal data, either done by automated process or not, like the collection, register, organization, structuration, conservation, adaptation or modification, removal, consultation, utilization, communication by transmission, diffusion, limitation, deletion or destruction of data.
3.4. Data controller
Natural or legal person, public authority, service or other organization that only or next to others, defines the objectives and the treatment media.
3.5. Data processor
Natural or legal person, public authority, service or other organization that only or next to others, processes the data on behalf of the data controller.
Delete in an irreversible way the identification of personal data in order that it will not be possible the indirect or direct connection with a physical personal in that data.
3.7. Control authority
The Spanish Data Protection Agency, and how GDPR defines in the 4th article, 21st part, as an independent public authority stablished by a member State in accordance with the provisions of article 51.
4. General principles for the personal data treatment
4.1. Legality, impartiality and transparency
Personal data must be treated in a legal way, impartially and transparently related to those interested.
4.2. Objective limitation
Interested people personal data must be collected in order to accomplish defined and legal objectives, and won’t be treated subsequently in a incompatible way with that objectives.
4.3. Data minimization
Interested people personal data must be suitable, relevant and limited to the necessary in the relationship for the purposes for which they are treated. The security responsible should apply the personal data anonymization or pseudonymisation if it’s possible to reduce the risk concerning those interested.
The personal data of those interested should be specific, and if it is necessary, all reasonable measures shall be taken to remove or rectify personal data which are inaccurate with respect to the purposes for which they are treated without delay.
4.5. Limitation of shelf-life
The personal data must not be retained more than necessary for the purposes for which the personal data are treated, in accordance with the RGPD and LOPDGDD.
4.6. Integrity and confidentiality
Taking into account the state of technology and other available security measures, the cost of implementation and the probability and severity of risks, appropriate technical or organisational measures should be applied to treat personal data, including Protection against unauthorized or illicit treatment and against their loss, destruction or accidental damage.
4.7. Proactive responsibility
Those responsible for the treatment will be responsible for the fulfilment of the principles described above and will be able to prove it.
5. Security Policy
The company’s security policy is intended to mark the high-level guidelines for all personal data treatments to be performed safely and only by authorized personnel, as well as to protect information from the Organization, in the face of possible loss of confidentiality, integrity and/or availability.
The scope of this policy is confined to all departments of the company.
The actions necessary to comply with the declaration of the security Policy go through the implementation, operation and maintenance of the ISMS (Information security management System), which is in every moment aligned with this policy.
In the planning phase, a study of the security of the company is included as a fundamental point through a risk and impact analysis and the establishment of its corresponding risk treatment plan not accepted by the organization.
The implantation of the ISMS is the main responsibility of the responsible of the treatment (or responsible of the ISMS) supported in every moment by technical personnel and with the total support of management.
Based on the results obtained in the planning phase, certain security controls are implanted, in addition to operating the procedures of the ISMS to comply with the RGPD and LOPDGDD.
The information security policy and the ISMS are regularly reviewed at scheduled intervals or if significant changes occur to ensure the continued suitability, effectiveness and effectiveness of it. In a generic way they are reviewed annually together with the internal audit processes of the ISMS.
There are monitoring procedures that provide information on the correct performance of the ISMS.
Management also plays an important role in reviewing the system, conducting a thorough analysis of the system and finding possible improvements and deficiencies.
With all this input data, a global review is performed by the security committee.
The possible improvements in the information security policy and the ISMS are well established during the review phases or on the basis of contributions that are considered interesting both by company personnel and external personnel.
These improvements are assessed and once they have been studied, they are implemented, operated and maintained. All the ISMS is framed within the cycle of Deming (cycle PDCA), its implantation and operation, its revision and its subsequent improvement. All this applied to the security of the information.
6. Treatment guidelines
The personal data must be treated only and exclusively, only when it is explicitly authorized by the Company.
6.1. Notice to interested parties
At the time of collection or before collecting personal data for any type of activities, you must inform the interested parties about:
- Legitimation (which data we collect).
- The purpose (for what purpose).
- Retention (time to save data).
- Rights of the user (what are the rights and how to exercise them).
- Where the data will be hosted.
- Claims (where and how to file claims).
When personal data is shared with a third party, you must ensure that the stakeholders have been notified of this by a privacy notice and that the third party complies with the provisions of the RGPD and LOPDGDD.
6.2. Obtaining consent
At the time of collection or before collecting personal data for any type of activities, you must proceed to request the explicit consent of the interested party for each of the purposes of the treatment.
This will be done whenever possible, by means of a form in which each of the purposes of the treatment is reflected together with a check boxes, where the interested party must indicate “yes ” or “no ” to the consent request. In the event that the user does not make an affirmative action, clearly indicating the option “yes “, it is understood that he/she does not consent to the collection and treatment.
7. Organization and responsibilities
The responsibility to guarantee the proper treatment of the personal data rests with all the employees of the company, as well as third parties that intervene in such treatment.
The Security Committee and the management of the Company will make decisions and approve the general strategies of the Company in matters of personal data protection and may delegate specific functions in third parties with the objective of guaranteeing an adequate treatment.
8. Cross-border processing of personal data
No cross-border treatment of personal data is carried out.
9. Dealers management
The department that contracted a new supplier will have to take into account the possible safety risks arising from the service provided, for this you will be required to comply with the RGPD and the LOPDGDD.
In the case that this provider should perform personal data processing tasks, you must sign a personal data processing contract “service delivery contract and personal data processing order”.
10. Incidents management
Any incidence of safety should be communicated, following the established procedure. This notification will be made immediately to your hierarchical superior or to the information security officer or who delegates on your behalf. Once received you will be responsible for tracking, completing the notifications established in the corresponding procedure, establish the actions for its correction.
11. Business continuity
Disruptions to business activities will be countered and critical business processes protected from the effects of important or catastrophic information systems failures.
The main business continuity guarantee is based on backups, process and policies are described in the document “BACKUP procedure”.
All employees will collaborate in the timely resumption of all critical services for the Company in the event of a serious contingency, helping to be able to restore most of the services in the minimum possible time.
12. Legal compliance
Any breach of the laws or obligations, statutory or contractual and of the security requirements affecting the information systems and the personal data of the Company will be avoided.
13. Exercise of Rights
In the case that you would like to make a complaint about how we have treated your personal data, please contact the person in charge of personal data security at firstname.lastname@example.org or write to Rambla Catalunya, 33, 08007-Barcelona. Our personal Data Security Manager will analyse your claim and work with you to solve the problem.
If you still consider that your personal data has not been properly treated in accordance with the law, you can contact the Spanish Data Protection Agency and file a complaint with them (www.aepd.es).
This policy applies from 28/11/2019.