Privacy policy

USES AND RECOMMENDATIONS

All persons who have access to personal data, through the computer system or through any other automated means of access, are obliged to comply with the provisions of the Security Document provided by the entity, and are therefore subject to the consequences that may arise in the event of non-compliance. Failure to comply with security policies, practices and procedures will be subject to disciplinary action, which may lead to civil and/or criminal action.

This regulation must be disseminated to all employees so that all users know what security measures they are subject to in terms of Data Protection. Likewise, it is recommended to deliver it in a way that allows users to record their acknowledgment of receipt.

FUNCTIONS ASSIGNED TO THE CONTROLLER

Prepare and implement the security regulations that must be adopted by the treatments detailed in the corresponding ANNEX A of the security document as well as the consequences that could be incurred in the event of non-compliance.

Create and maintain the Registry of Treatment Activities.

Check compliance with the duty of information, prior to collecting data in accordance with the means used for this purpose.

Obtain the consent of the interested parties, whenever this is necessary for the processing of their data.

Approve the designation and authorization of users who use the application in their daily work, assigning the accesses allowed to each user.

Approve a policy that aims to adequately train personnel for the following purposes:
knowledge of the security measures that affect the functions of each user.
knowledge of the procedures to be followed by the affected party to exercise their rights.

Authorize the implementation of the exploitation of personal data through a new computer application, or the implementation of substantial improvements to the existing one.

Authorize the approval of a policy for the departure of computer media containing personal data outside the premises where the processing is located.

Approve the correction of the procedures established for assigning passwords in order to guarantee their confidentiality.

Approve data backup and recovery procedures.

Approve the corrective measures derived from the corresponding audit.

And, in general, any obligation derived from the applicable regulations.

FUNCTIONS ASSIGNED TO USERS

Maintain the necessary secrecy regarding any type of personal information known based on the work carried out, even once the employment relationship with the organization has concluded.

Store all physical media and/or documents that contain information with personal data in a safe place, when they are not used, particularly outside of working hours.

The transfer of any medium, list or document with personal data in which information owned by the organization is stored outside its premises is prohibited, without prior authorization from the Data Controller. In the event of transfer or distribution of media and documents, it will be carried out by encrypting said data, or through another mechanism that makes access or manipulation of the information by third parties impossible.

Temporary files or copies of documents are those in which personal data is stored, generated to fulfill a specific need or temporary and auxiliary work, as long as their existence does not exceed one month. These temporary files or copies of documents must be deleted once they are no longer necessary for the purposes that motivated their creation and, while they are in force, they must comply with the assigned security measures. If, after the month, the user needs to continue using the information stored in the file, they must notify the Controller to take the appropriate measures regarding it.

Only authorized persons in an access list may enter, modify or delete the data contained in the files or documents subject to protection. User access permissions are granted by the Controller. In the event that any user requires, to carry out their work, access to personal data or documents to which they are not authorized, they must notify the corresponding Responsible Party.

Communicate to the Controller, in accordance with the notification procedure, any security violations or incidents of which you are aware.

Change passwords at system request.

Close or block all sessions at the end of the working day or in the event of being temporarily absent from your workplace, in order to prevent unauthorized access.

Do not copy the information contained in the files in which personal data is stored to your personal computer, laptop or any other medium without express authorization from the corresponding Controller.

Save all files with personal data in the folder indicated by the corresponding Security Manager, in order to facilitate the application of the corresponding security measures.

Users are prohibited from sending sensitive personal information, unless expressly authorized by the Controller assigned this task. In any case, this sending can only be carried out if the necessary mechanisms are adopted to prevent the information from being intelligible or manipulated by third parties.

Users may not, unless expressly authorized by the Responsible Person assigned this task, install any type of computer programs or devices either on the central servers or on the computer used in the workplace.

It's forbidden:

Use identifiers and passwords of other users to access the system.

Attempt to modify or access the access log enabled by the competent Controller.

Circumvent the security measures established in the computer system, attempting to access data or programs whose access has not been allowed.

Send mass emails (spam) using the corporate email address.

And in general, the use of the corporate network, computer systems and any means made available to the user, violating the rights of third parties, those of the organization, or to carry out acts that could be considered illegal.

Keep the access keys to the organization, its offices and the cabinets, filing cabinets or other elements that contain non-automated personal data properly guarded, and inform the competent person in charge of any fact that may have compromised this custody.

Lock office doors at the end of the work day or when you must be temporarily absent from this location, in order to prevent unauthorized access.

Make sure that no printed documents containing personal data remain in the printer output tray.

Establish procedures for the copying or reproduction of documents, so that only people authorized by the corresponding Responsible Party can access the copies.

ROLES ASSIGNED TO NON-AUTOMATED DATA USERS

Maintain the necessary secrecy regarding any type of personal information known based on the work carried out, even once the employment relationship with the entity has concluded.

Keep the access keys to the residence, its offices and the closets, filing cabinets or other elements that contain non-automated personal data properly guarded, and inform the Controller of any fact that may have compromised this custody.

Lock office doors at the end of the work day or when you must be temporarily absent from this location, in order to prevent unauthorized access.

Communicate to the Controller, in accordance with the notification procedure, any security violations or incidents of which you are aware.

The transfer of any list or similar document with personal data in which information owned by the entity is stored outside its premises is prohibited.

Store all physical media or documents that contain information with personal data in a safe place, when they are not used, particularly outside of working hours.

Ensure that no printed documents containing protected data remain in the printer output tray.

Only persons authorized to do so in the access list may enter, modify or delete the data contained in the files subject to protection. User access permissions to the different files are granted by the Controller. In the event that any user requires, to carry out their work, access to files to which they are not authorized, they must inform the Controller.

Temporary files are those in which personal data is stored, generated to fulfill a specific need, as long as their existence does not exceed one month. Temporary files must be destroyed once they are no longer necessary for the purposes that motivated their creation and, while they are in force, the security measures contained in this document must be considered.

FUNCTIONS ASSIGNED TO COMPUTER ADMINISTRATOR USERS

The user who has privileges for the administration of computer equipment must know the obligations that correspond to him or her as computer personnel. Due to the special access that IT personnel have, they are assigned complementary responsibilities:

Keep secret all information of a personal nature, or that affects it, of which you become aware in the development of your work, even after the relationship with the organization has ended.

Although their functions give them privileged access to certain resources, they undertake to access only the data necessary to carry out those functions.

In the event that they detect security deficiencies in the information system, they must notify the corresponding person in charge.

Collaborate with the Responsible Person(s) in resolving the incidents assigned to them.

Perform their duties in strict compliance with the obligations established by the GDPR.

FUNCTIONS ASSIGNED TO PUBLIC SERVICE USERS

Maintain the necessary secrecy regarding any type of personal information known based on the work carried out, even once the employment relationship with the organization has concluded.

Keep your system access codes secret, and inform the Controller of any fact that may have compromised the secret.

The system access passwords are personal and non-transferable, with the user being solely responsible for the consequences that may arise from their misuse, disclosure or loss.

Change passwords at system request.

Close or lock all sessions at the end of the work day.

Block sessions in the event of being temporarily absent from your workplace, in order to avoid unauthorized access.

Communicate to the Controller, in accordance with the notification procedure, any security violations or incidents of which you are aware.

Do not copy the information contained in the files in which personal data is stored to the computer itself, or to any other medium without express authorization from the Controller. The transfer of any medium on which information owned by the company is stored outside of the company's premises is also prohibited.

Save all files with personal data in the folder indicated by the Controller in order to facilitate the application of the security measures that correspond to them.

Store all physical media that contain information with personal data in a safe place, when they are not used, particularly outside of working hours.

Ensure that no printed documents containing protected data remain in the printer output tray.

Only persons authorized to do so in the access list may enter, modify or cancel the data contained in the treatments subject to protection. User access permissions to the different files are granted by the competent Controller. In the event that any user requires, in order to carry out their work, access to files to which they are not authorized, they must inform the Controller.

Temporary files are those in which personal data is stored, generated to fulfill a specific need, as long as their existence does not exceed one month. Temporary files must be deleted once they are no longer necessary for the purposes that motivated their creation and, while they are valid, they must be stored in the folder designated by the Controller. If, after the month, the user needs to continue using the information stored in the file, they must notify the Controller to take the appropriate measures.

Email is considered by the entity as a fundamental element for communications between the organization and the rest of the agents, public or private, that intervene in the relationships inherent to the activity carried out. For this reason, email, regardless of the assigned address, is configured as a non-exclusive, collective and freely accessible work tool, assigned to areas or jobs and not to people. Its use for purposes not related to the assigned work functions is prohibited. The use of the name or surname of the workers or officials together with the domain of the organization in the email addresses does not mean the assignment by the organization of a personal email; this is done solely for internal organizational reasons for assigning areas and jobs.

Users are prohibited from sending sensitive personal information, unless expressly authorized by the Controller. In any case, this sending can only be carried out if the necessary mechanisms are adopted to prevent the information from being intelligible or manipulated by third parties.

Users may not, unless expressly authorized by the Controller, install any type of computer programs or devices either on the central servers or on the personal computer used to carry out their work.

Know the existence of rights of the interested parties (access, rectification, cancellation, opposition, portability, deletion and limitation), as well as their response procedure when exercising one of them.

It's forbidden:

Use identifiers and passwords of other users to access the system.

Attempt to modify or access the access log enabled by the Controller.

Circumvent the security measures established in the computer system, attempting to access data or programs whose access has not been allowed.

Use the Internet for tasks that are not directly related to the functions assigned to the user. The organization will regulate the modalities of access and its restrictions or limitations. The downloading of software or files of any type from the Internet is prohibited without the express consent of the organization, even if it results from consented access for work reasons.

Introduce content into the corporate network and/or personal computer that is not related to the activity and objectives of the entity.

Send mass emails (spam) using the corporate email address.

And in general, the use of the corporate network, computer systems and any means made available to the user, violating the rights of third parties, those of the organization, or to carry out acts that could be considered illegal.