This document aims to establish principles, uniform practices and responsibilities regarding the processing of personal data in which Zoluxiones is involved.
This document is applicable to all personal data banks or personal data intended to be contained in Zoluxiones databases and to the treatment of these carried out by Zoluxiones directly and / or through third parties. The Policy will be fully known and complied with by all Zoluxiones employees. For the purposes of interpreting this Policy, the definitions contained in the Law and especially those included below apply.
All employees of Zoluxiones must comply permanently in the exercise of their functions with the principles established in the Law that we detail below:
- Legality. The processing of personal data carried out by Zoluxiones will be done in accordance with the provisions of the Law. The collection of personal data by fraudulent, unfair or illicit means is prohibited.
- Consent. Zoluxiones may not process personal data that does not have the prior, express, unequivocal and free consent of its owner as necessary, except for the exceptions provided by law.
- Purpose. Zoluxiones will collect personal data clearly indicating the purpose for which it carries out such collection, which must be determined, explicit and lawful. The personal data subject to processing may not be used for purposes other than or incompatible with those that motivated its obtaining, unless the consent of its owner. In this regard, Zoluxiones will comply with implementing measures that guarantee that the collection, storage and conservation of personal data comply with the principles of proportionality and purpose. The adequate protection of personal data complying with appropriate technical and legal security measures. It should be noted that Zoluxiones may not disclose personal data unless it is ordered by reasoned order of the judge or with the authorization of its owner, with the guarantees provided for in the Law. Likewise, Zoluxiones may not refuse to deliver to a public entity information containing personal data provided that such request is made for the strict fulfillment of the competences of said entities assigned by current legislation.
- Proportionality. Any processing of personal data carried out by Zoluxiones must be adequate, relevant and not excessive to the purpose for which they were collected.
- Quality. The personal data to be processed by Zoluxiones must be truthful, accurate and, as far as possible, up-to-date, necessary, relevant and adequate with respect to the purpose for which they were collected. They must be kept in such a way as to guarantee their security and only for the time necessary to comply with the purpose of the treatment respecting the legal deadlines for the conservation of applicable documents and information.
- Security. Zoluxiones and the third parties to whom it encodes the processing of personal data must adopt the necessary and appropriate technical, organizational and legal measures to ensure the security of personal data against different risks, such as accidental loss or destruction by accident, unauthorized access, covert use or infection of malware or computer viruses. These measures will be established, communicated and, if necessary, updated by Zoluxiones.
- Adequate level ofprotection. In case Zoluxiones makes international transfers of personal data, it must guarantee a sufficient level of protection for the personal data to be processed or, at least, comparable to what is provided for by law.
- Rights of the holders of personaldata. Zoluxiones will have a simple and free procedure to meet the rights of holders of personal data contemplated in the Law: (i) information, (ii) access, (iii) updating, (iv) inclusion, (v) rectification, (vi) deletion, (vii) prevent the supply, (viii) opposition and (ix) objective treatment. This procedure will be called “ARCO Rights Attention Procedure” (Access, Rectification, Cancellation and Opposition) and will be communicated and disseminated by Zoluxiones
Term Description Personal data Any information that identifies a natural person or can identify them through means reasonably used. For example, the DNI, physical address, full name. Sensitive data Personal data constituted by biometric data that by themselves can identify the owner; data relating to racial and ethnic origin; economic income, political, religious, philosophical or moral opinions or convictions; trade union membership; and information related to health or sex life. Processing of personal data Any operation or technical procedure, automated or not, that allows the collection, recording, organization, storage, conservation, processing, modification, extraction, consultation, use, blocking, deletion, communication by transfer or dissemination or any other form of processing that facilitates access, correlation or interconnection of personal data. In short, the processing of personal data regulates all possible forms of use and processing of personal data within the organization from its entry to its eventual deletion or conservation. Consent Prior, free, unequivocal and express authorization that the individual must grant to authorize the processing of their personal data.• Prior: It must be obtained before the collection.• Free: It must not be forced or conditioned.• Unequivocal and express: There must be no doubt of its manifestation and must be recorded in some tangible medium. Personal data bank Organized set of personal data, automated or not, regardless of the medium, whether physical, magnetic, digital, optical or other that are created, whatever the form or modality of its creation, formation, storage, organization and access (1) . Owner of the personal data bank Natural person, legal person under private law or public entity that determines the purpose and content of the personal data bank, the treatment of these and the security measures. Person in charge of the personal data bank Any natural person, legal person under private law or public entity that alone or acting jointly with another carries out the processing of personal data on behalf of the owner of the personal data bank Anonymization procedure Processing of personal data that prevents identification or that does not make the owner of the personal data identifiable. The procedure is irreversible Dissociation procedure Processing of personal data that prevents identification or that does not make the owner of the personal data identifiable. The procedure is reversible.
The notion “database” includes that of “databases” which is usually associated with computer definitions.
- Compliance Responsibilities
ZOLUXIONES will assign and communicate the corresponding responsibilities to the different Zoluxiones Managements for the fulfillment of this Policy.The area responsible for annually reviewing this Policy and making the respective adjustments within ZOLUXIONES will be the General Management. Likewise, said Management will be responsible for absolving any query related to the application and scope of this Policy. Without prejudice to this, all employees of ZOLUXIONES as well as all third parties with whom ZOLUXIONES is linked in the regular exercise of its business and have access to or process personal data are subject to compliance with the Policy.Finally, no employee of ZOLUXIONES must perform on behalf of ZOLUXIONES actions or incur in omissions that imply a breach with the Law..
This Policy will be for the internal and exclusive use of ZOLUXIONES and, therefore, is confidential. Any use other than that indicated is prohibited and must be expressly authorized in writing by the General Management.The personal data to which both the workers of ZOLUXIONES and related third parties have access or participate in its treatment may not be treated or used in any way without the prior consent of the owner of the personal data even after the termination of their relationship with ZOLUXIONES, except for the exceptions regulated in Law.In the case of workers who, due to the nature of their functions, have access to confidential and sensitive personal information, ZOLUXIONES will seek to develop specific training and awareness actions. Persons involved in the processing of personal data are obliged to maintain professional secrecy and to maintain confidentiality with respect to them. This obligation will be maintained even after the end of your relationship with ZOLUXIONES.
- Transfers of personal data
The personal data processed by ZOLUXIONES may only be transferred or transferred to third parties for the fulfillment of the purposes related to the legitimate interest of the assignor and the assignee and with the prior, express, free, unequivocal and informed consent of the owner of the personal data. Such consent will not be required in the cases permitted by law.
- Collection of sensitive data
ZOLUXIONES will only collect personal data and/or sensitive data when strictly necessary and in compliance with the principles of purpose and proportionality. When the collection and processing of such data derives from compliance with a legal obligation, ZOLUXIONES will inform the owner of the data prior to its collection of such situation.
- Disclosure of personal data
ZOLUXIONES will not disclose personal data to third parties except when:
a) It is necessary for the purpose for which the personal data was collected;
b) The holder of the personal data is informed before the disclosure or at the time of the collection of the personal data;
c) The owner of the personal data gives his prior and express consent.
d) Consent is not required by law;
e) Personal data are required by public entities within the scope of their legal competences and attributions;
f) The personal data are necessary to satisfy legitimate requirements of any company interested in acquiring any of the operations of ZOLUXIONES, with the prior consent of its owner; or,
g) Access to personal data by auditors and lawyers and other professionals obliged to maintain professional secrecy
- Contractual relations with third parties
In its relations with third parties ZOLUXIONES must contemplate clauses not only of confidentiality but also of protection of personal data that regulate the life cycle of personal data within the organization. In case ZOLUXIONES commissions the processing of personal data to third parties, it will ensure that as far as possible the respective contracts contemplate:
a) Provisions that provide that the processing of personal data will be carried out in accordance with the guidelines and guidelines expressly defined by ZOLUXIONES;
b) Security measures;
c) Confidentiality indefinitely, or for the longest possible periods in accordance with current legislation;
d) Purpose of data processing personal;
e) Prohibition of transfers or additional transfers to third parties unless you have the consent of the owner and it is strictly necessary;
f) Elimination of personal data once the treatment is finished, unless you have authorization to keep them by the owner.
g) Knowledge of the Policy
- Deletion of personal data
Once the processing of personal data has been completed and the principle of purpose has been complied with, and provided that there is no legal mandate or reason that justifies the conservation of personal data, ZOLUXIONES will proceed to delete them from its records. Alternatively, ZOLUXIONES may apply dissociation, anonymization or equivalent processes when for some commercial, statistical or market analysis reason they justify the convenience of keeping such data. ZOLUXIONES will define in a timely manner the respective procedures that are necessary for the deletion of personal data.
- Internal audit
ZOLUXIONES will comply with the internal audit requirements established in the Law and its Regulations.
- Sanctions regime
It will be considered a serious fault and susceptible to sanction the employee who commits any infraction to the provisions established in this Policy. ZOLUXIONES will take the disciplinary measures it deems appropriate in cases of non-compliance with the obligations stipulated herein by employees.
- Dissemination and compliance with the policy
ZOLUXIONES will seek:
- that the provisions of this Policy are complied with;
- make known, observe and respect this Policy for each employee;
- publish this Policy in easily accessible places; and
- subscribe confidentiality obligations with employees, users, contractors and third parties who access the personal data included in the databases