Data Protection


  1. Purpose
  2. Scope
  3. References
  4. Development
  5. Annexes


The purpose of this document is to provide the necessary information to comply with the regulations in force regarding data protection, in relation to the processing of personal data at CONGELADOS DE NAVARRA, S.A.

This document describes the obligations and procedures to be followed by the organisation’s personnel—both in-house and external—who process or have access to personal data in the course of their activities, in order to ensure that these data are processed for lawful purposes, in a transparent and consensual manner, and that there are no violations of the fundamental rights and freedoms of data subjects.


This document is applicable to and obligatory for all users who, permanently or occasionally, provide their services to Congelados de Navarra, S.A., including the personnel of external suppliers who process or may access personal data under the responsibility of Congelados de Navarra, S.A.

Within the scope of this document, a user is understood to be any employee belonging or not belonging to Congelados de Navarra, S.A., as well as personnel of external organisations, collaborating entities or any other with any type of relationship with Congelados de Navarra, S.A. and who processes, uses or has access to personal data or to the Information Systems for which Congelados de Navarra, S.A. is responsible.


  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
  • Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD).



To provide a better understanding of data protection, we define the main basic concepts:

Processing structure:

  • Personal data: Information relating to a natural person by which their identity can be established.
  • Processing: Any operation carried out on personal data: collection, access, intervention, transmission, storage and deletion.
  • Data subject: Natural person subject to the processing of their personal data.
  • File: Structured set of personal data that can be processed for a specific purpose.
  • Data Controller: Organisation that determines the purposes and means of the processing (CONGELADOS DE NAVARRA, S.A.).
  • Authorised personnel: Person authorised by the Data Controller to carry out data processing by means of a confidentiality agreement.

Data categories:

  • Basic: Data that do not fall into Criminal or Special categories, for example: name, address, email, telephone, age, sex, signature, image, hobbies, assets, bank details, and academic, professional, social, commercial or financial information, etc.
  • Criminal: Data relating to administrative or criminal offences, or data which may provide a definition of personality characteristics, etc.
  • Special: Data concerning ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data allowing the unique identification of a person, data concerning health or sexual life and orientation.


The fundamental principles of data processing are:

  • Lawfulness: Fairness and transparency towards the DATA SUBJECT.
  • Limitation of purposes: Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
  • Data minimisation: Only data that are relevant and limited to what is necessary for the purposes for which they are processed should be collected.
  • Accuracy: Data should be updated without delay with respect to the purposes for which they are intended.
  • Limitation of the storage period: Data should be kept in such a way as to allow identification of the DATA SUBJECTS for no longer than is necessary for the purposes for which they are processed.
  • Integrity and confidentiality: Implementing appropriate technical and organisational measures to protect data against unauthorised or unlawful processing and against accidental loss, destruction or damage, at all stages of processing.
  • Proactive responsibility: It must be possible to demonstrate compliance with all data protection principles.

Lawfulness of treatment

Processing is only lawful where it entails:

  • Explicit CONSENT for specific purposes.
  • Contract or pre-contract with the DATA SUBJECT.
  • Protection of the vital interests of the DATA SUBJECT or other natural person.
  • Legitimate interest of the Data Controller or third parties, provided that the interests or the rights and freedoms of the DATA SUBJECT, especially if the Data Subject is a MINOR, do not prevail.
  • Legitimate sourcing of publicly accessible files:
    • Obtained from a public source.
    • The DATA SUBJECT has manifestly made the data public.

Or when it is based on the legislation in force by:

  • Legal obligation to which the Data Controller is subject.
  • Fulfilment of a task of PUBLIC interest.
  • Historical, statistical or scientific research purposes.
  • Legitimate interest of the Public Authorities in the exercise of their duties.

Information on processing for the data subject

We shall provide the following information to the data subject:

  • Identity and contact details of the Data Controller.
  • Purposes of the processing.
  • Legal basis for the processing.
  • Data retention period or the criteria that determine it.
  • Rights of the data subject.
  • And, when applicable:
    • Recipients or categories of recipients of the data.
    • Transmission of data to countries or organisations established outside the EU.

For further information, please read the document “Protocol of information and communication of processing to the data subject”, a copy of which can be requested from the Systems Department or from the Security Officer by emailing


The processing of data may be carried out by external organisations provided that there is express authorisation from the Data Controller and a contract has been signed to carry out such processing in accordance with the legislation in force. To find out which companies or third parties are authorised to transfer data, contact the Security Officer.

External organisations can be:

  • Data processors: Organisation that processes personal data on behalf of the Data Controller.
  • Data recipients: Organisation other than the Processor, which receives personal data from the Controller.


The organisation has implemented technical and organisational measures to ensure a level of security appropriate for the risks that processing may have as a result of accidental or unlawful destruction, loss, alteration or unauthorised disclosure of data, and access to data when transmitted, stored or otherwise processed.

Personnel shall ensure the security of the data processed by the organisation and shall inform the Data Controller of any processing operation that may involve a risk to data protection or to the interests and freedoms of data subjects.

Prior to its implementation, any design of a new processing operation or update of an existing operation shall ensure the protection of personal data and the exercise of the rights of data subjects at all stages of processing: collection, access, intervention, transmission, storage and deletion.


Personnel must at all times act in accordance with the instructions detailed in the confidentiality agreement with the organisation and those outlined in this Security Policy. For this purpose, the following data protection measures are established, which the personnel are expressly obliged to comply with:

Rights of data subjects

The current legislation on data protection recognises a series of rights for citizens, such as the right of access, rectification, cancellation and opposition of their personal data.

As a general rule, when a data subject wishes to exercise any of their rights, they will be sent to the CONTROLLER as soon as possible, via the e-mail address, so that they can take charge of the management of the data.

For further information, please read the documents “Instructions for requests to exercise the data subject’s rights” and “Action protocol for exercising the data subject’s rights”, a copy of which can be obtained from the Systems Department or requested from the Security Officer by emailing

Organisation of information

The data must be classified in such a way that the data subjects’ rights can be exercised: access, rectification, deletion and portability of the data and limitation or opposition to the processing.

Storage of data

Documentary and computer media must be arranged in such a way that they are not accessible to unauthorised persons.

The data must be kept in the premises and department intended for this purpose. For automated processing, the files will be stored in the media, folders or network directory indicated by the Security Officer.

Data must not be kept on the physical or digital desktop. They may only be processed temporarily on the desktop for the operations that require it, and must be returned to the appropriate place at the end of the working day.

Access to information

Mechanisms of restricted access to the information implemented by the organisation should be applied, safeguarding the access codes from any disclosure or communication to other people.

Each person is only authorised to access those resources that are necessary for carrying out and fulfilling their duties.

Access to computer equipment shall be restricted by procedures that can identify and authenticate the person accessing the equipment. Usernames and passwords shall be considered non-transferable personal data.

Data processing

If a person leaves their workstation temporarily, they should hide the documents and lock the computer so that the information they were working on cannot be seen.

When using printers and photocopiers, documents containing personal information should be collected immediately after printing, or printing should be performed securely, making sure that no printed documents are left in the output tray.

Transport of media

Transport of media containing personal data shall only be carried out by authorised personnel or external companies contracted for this purpose by the Data Controller.

Disposal of documents

Any physical document or digital media to be disposed of that includes personal data must be destroyed with the shredder or removed by an approved document destruction company.

Data backup and recovery

Personnel must store all processed information in the corresponding network directory indicated by the Security Officer, so that the existing security measures are applied to this information and it is covered by the backup procedures applied by the organisation.

Data Protection

Data protection measures established by the organisation concerning the security of the processing, such as pseudonymisation or encryption of data or intrusion warnings such as anti-virus, anti-spam, etc., shall be implemented.

Incident management

An incident is considered to be any breach of security that results in the accidental or unlawful destruction, loss, alteration, or unauthorised access or communication of personal data, which affects or could affect the security of personal data or the breach of the obligations outlined in this document.

The USER is obliged to notify the CONTROLLER as soon as possible of any incidents that may arise in the organisation, by email to, in order to establish corrective measures to remedy and mitigate the effects that may have been caused.

This notification must contain a clear identification of the incident and a detailed description of it, indicating at least: the time—day and time—at which it occurred, the person who became aware of it, the persons to whom it was communicated, the effects caused, and the corrective measures taken.

A failure to report an incident known by personnel shall be considered a breach of data security and may lead to the initiation of legal action, as well as the claim for compensation, sanctions and damages that the Controller may be obliged to pay as a result of such breach.

For further information, please read the document "Protocol for security breaches", a copy of which can be obtained from the Systems Department or from the Security Officer by emailing


To enforce this Policy, the organisation has designated a Security Officer who will be available to all personnel, via email at The Security Officer will be responsible for coordinating, controlling, developing and verifying compliance with these regulations.

As already explained, the USER shall communicate to the CONTROLLER, as soon as possible, all those incidents that occur in the organisation (by emailing, in order to establish corrective measures to remedy and mitigate the effects that may have been caused.

