LEGAL TEXT

ORDER OF PERSONAL DATA PROCESSING

TOGETHER

ONE PARTY: LUISA RIPOLL SIQUIER (hereinafter THE RESPONSIBLE FOR THE TREATMENT), with CIF 43088120N and address at Carrer Perez Galdos 10, 5º, B. 07006 Palma, operator in his own name and representation, with DNI 43088120N

AND ON THE OTHER PART (hereinafter THE DATA PROCESSOR)

Both parties agree with sufficient legal capacity to sign this contract that regulates the transfer and/or access to personal data between the contracting parties, in accordance with article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (RGPD), as well as in Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter Law 3/2018 Protection of Personal Data or LOPDGDD), the following clauses being applicable:

MANIFEST

FIRST. The purpose of this contract is the regulation of the transfer and processing of personal data, between the DATA PROCESSOR and the client RESPONSIBLE FOR THE TREATMENT, in accordance with the provisions of article 28 of the RGPD. The DATA CONTROLLER is the owner of several mixed files that contain personal data. The RESPONSIBLE FOR THE PROCESSING has been using, since the date of signing the contract, the services offered by the PROCESSING MANAGER, who will be considered in charge of processing the personal data contained in the files of the RESPONSIBLE, to which he has access and that are processed to provide the contracted services.
Purpose of the processing order: enable the DATA PROCESSING MANAGER to process, on behalf of the DATA CONTROLLER, the personal data necessary to provide their services.

The specific operations to be carried out on the personal data (check the corresponding box/s):

Pickup
Record
Structuring
Modification
Conservation
Extraction
Query
Transmission communication
Diffusion
Interconnection
Comparison
Limitation
Suppression
Destruction
Communication

SECOND. For the execution of the benefits derived from the fulfillment of the Purpose of this assignment, the client, as the Treatment Manager, makes the information described below available to the Treatment Manager.

THIRD. This agreement has a duration that is set in the contract for the provision of services between the parties. Once the contract for the provision of services between the parties ends, the Person in Charge of the Treatment must delete/return to the Responsible and/or, where appropriate, return the personal data to another person in charge designated by the Responsible and delete any copy that is in his possession.

FOURTH. OBLIGATIONS OF THE DATA PROCESSOR

The Data Processor and all his staff are obliged to:

A) Use the personal data subject to processing, or those collected for inclusion, only for the purpose of this assignment. In no case may you use the data for your own purposes. In no case will the Treatment Manager access or apply the data contained in the files for purposes other than those established in this contract, nor will it communicate them, either directly or indirectly, to unauthorized third parties. The Person in Charge of the Treatment has a Security Document and/or a record of all the categories of treatment activities carried out on behalf of the person in charge. In addition, the Treatment Manager has implemented security measures of the level corresponding to the processing of personal data that are the subject of this contract.

B) Treat the data in accordance with the instructions of the Data Controller. If the Data Processor considers that any of the instructions violates the RGPD or any other data protection provision of the Union or of the Member States, the data processor shall immediately inform the controller. The Person in Charge of the Treatment undertakes to comply with the provisions of this contract and with the provisions of the applicable regulations on data protection. In the event of failing to comply with any of its obligations, the Person in Charge of the Treatment will be considered the Person in Charge of the Treatment, with all the obligations that it implies, responding to the infractions in which it would have incurred personally.

C) Keep, in writing, a record of all the categories of treatment activities carried out on behalf of the person in charge.

D) Do not communicate the data to third parties, unless you have the express authorization of the Data Controller, in the legally admissible cases. The person in charge can communicate them to other persons in charge of the treatment of the same person in charge, in accordance with the instructions of the person in charge. In this case, the Responsible will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied to proceed with the communication. If the person in charge must transfer personal data to a third country or an international organization, by virtue of the Law of the Union or of the Member States that are applicable to it, it will inform the Person in Charge of that legal requirement in advance, unless such Law prohibits it for important reasons of public interest.

E) Maintain the duty of secrecy regarding the personal data to which you have had access by virtue of this assignment, even after its purpose has ended.

F) Guarantee that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.

G) Keep at the disposal of the Responsible the supporting documentation of compliance with the obligation established in the previous section.

H) Guarantee the necessary training in personal data protection for those authorized to process personal data.

I) Assist the Data Controller in responding to the exercise of the rights of:
1. Access, rectification, deletion and opposition.
2. Limitation of treatment.
3. Data portability.
4. Not to be subject to automated individualized decisions (including profiling).

J) Provide support to the Data Controller in carrying out impact assessments related to data protection, when appropriate.

K) Provide support to the Data Controller in carrying out prior consultations with the control authority, when appropriate.

L) Make available to the Data Controller all the information necessary to demonstrate compliance with its obligations, as well as to carry out the audits or inspections carried out by the Data Controller or another auditor authorized by him.

M) Appoint a data protection delegate and communicate their identity and contact details to the Data Controller.

FIFTH. The Treatment Manager undertakes to implement the security measures established in the Security Document or in the registration document for all categories of treatment activities. In any case, the Person in Charge of the Treatment must apply the mandatory security measures to the personal data contained in the Files, by virtue of the nature of the information processed. The person in charge of the treatment and, where appropriate, the person in charge of the treatment, must write down the measures of a technical and organizational nature of the personal data to avoid its alteration, loss, treatment or unauthorized access, taking into account the state of the technology, the nature of the stored data and the risks to which they are exposed, whether they come from human action or from the physical or natural environment. The Person in Charge of the Treatment may be subject to audits by the Person in Charge of the treatment, to guarantee compliance with the applicable security measures. In any case, it must implement and accredit mechanisms to guarantee the permanent confidentiality, integrity, availability and resilience of the treatment systems and services.

SIXTH. Return the personal data and, if applicable, the media where they appear, to the person in charge designated in writing by the Data Controller, once the service has been completed.

The return must entail the total deletion of the existing data in the computer equipment used by the person in charge. However, the person in charge may keep a copy, with the data duly blocked, while responsibilities may arise from the execution of the service.

SEVENTH. The Person in Charge of the Treatment and all its staff undertakes to: not subcontract any of the services that are part of the object of this contract that involve the processing of personal data, except for the auxiliary services necessary for the normal operation of the services of the person in charge. If it is necessary to subcontract any treatment, this fact must be previously communicated in writing to the person in charge, 30 days in advance, indicating the treatments that are intended to be subcontracted and clearly and unequivocally identifying the subcontractor company and its contact details. Subcontracting may be carried out if the Responsible Party does not express its opposition within the established period. The subcontractor, who will also have the status of Treatment Manager, is also obliged to comply with the obligations established in this document for the Treatment Manager and the instructions issued by the person in charge. It is up to the initial manager to regulate the new relationship in such a way that the new manager is subject to the same conditions (instructions, obligations, security measures…) and with the same formal requirements as him, regarding the proper processing of data and to the guarantee of the rights of the people affected. In the event of default by the sub-processor, the initial processor will remain fully responsible to the Controller for the performance of the obligations.

EIGHTH. When the affected persons exercise the rights of access, rectification, deletion and opposition, limitation of treatment, data portability and not to be subject to automated individualized decisions, before the Person in Charge of the Treatment, he must communicate it by email to the address indicated by the responsible. The communication must be made immediately and in no case beyond the business day following receipt of the request, together, where appropriate, with other information that may be relevant to resolve the request.

NINTH. Notification of data security breaches. The Person in Charge of the Treatment will notify the Person in Charge of the treatment, without undue delay, and in any case before the maximum period of 24 hours, to the email of the Person in Charge, the violations of the security of the personal data in his charge of which he is aware, together with all the relevant information for the documentation and communication of the incident. Notification will not be necessary when it is unlikely that said security breach constitutes a risk to the rights and freedoms of natural persons. If available, at least the following information will be provided:

a) Description of the nature of the breach of personal data security, including, where possible, the categories and approximate number of interested parties affected, and the categories and the approximate number of personal data records affected.

b) The name and contact details of the data protection delegate or other point of contact where more information can be obtained.

c) Description of the possible consequences of the personal data security violation.

d) Description of the measures adopted or proposed to remedy the breach of personal data security, including, if applicable, the measures adopted to mitigate possible negative effects.

If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.

The Data Controller is responsible for communicating data security violations to the Data Protection Authority. The Data Controller is responsible for communicating data security violations to the interested parties as soon as possible, when it is likely that the violation poses a high risk to the rights and freedoms of natural persons.

TENTH. The Responsible Party is responsible for:

A) Facilitating the right to information at the time of data collection.

B) Provide the person in charge with the necessary data and provide access to the necessary resources of its information systems so that it can provide the service that is the object of the contract.

C) Ensure, prior to and throughout the treatment, compliance with the applicable regulations regarding the protection of personal data by the Person in Charge of the Treatment.

D) Supervise the treatment.

ELEVENTH. This contract will have a specific duration depending on the services that the Treatment Manager performs on behalf of the Treatment Manager. In such a way that once the services are finished, this Contract will be understood to be terminated, unless the Parties by mutual agreement and in writing decide to extend its validity.

TWELFTH. This Agreement will be governed and interpreted in accordance with the laws of Spain and will be subject to the jurisdiction of the competent Courts and Tribunals.

THIRTEENTH. All notifications, requirements, petitions and other communications that must be made between the Parties in relation to this Contract must be made in writing and it will be understood that they have been duly made when they have been delivered by hand or sent by certified mail to the address of the other Party that appears in the heading of this Contract.

FOURTEENTH. Information about the processing of personal data contained in this contract. The representatives of both parties acknowledge being informed and consent to their personal data being incorporated into the systems and processed by the other party, for the purpose of the correct development of the services covered by this contract, being necessary for the performance of the same. In order to keep the data updated at all times, each party must notify the other of any change in said personal data.
Any interested party has the right to file a claim with a control authority and may exercise their rights of access, rectification, deletion, limitation of treatment and opposition, as well as portability, requesting it from the party that corresponds to the address indicated at the beginning of this document, specifying the right you exercise and providing a valid official document that identifies you.

———-

In accordance with the provisions of Regulation (EU) 2016/679 General Data Protection (RGPD), you are informed of the following:

1.- RESPONSIBLE FOR THE TREATMENT: LUISA RIPOLL SIQUIER
Address: Carrer Perez Galdos 10, 5º, B. 07006 Palma
Contact: luisaripolls@gmail.com
Web: www.inmoetica.com

2.- PURPOSE: manage the requested services, as well as send you information about our activity and products by electronic means.
SENDING OF COMMERCIAL COMMUNICATIONS: YES □ NO □
You can revoke this consent at any time, by notifying the Responsible in writing.

3.- LEGITIMATION: execution of the contract for the correct provision of the service, including all administrative, tax and accounting procedures. Legal authorization based on Royal Legislative Decree 1/2007, of November 16, which approves the consolidated text of the General Law for the Defense of Consumers and Users. User consent.

4.- CONSERVATION PERIODS: Your personal data will be kept while this contract is in force. At the end of it, they will be kept during the established legal terms.

5.- RECIPIENTS: the Responsible. Your data will not be transferred to third parties, except legal obligation. By working on a shared folder system in the Google Drive application, an international transfer to the United States will be made under the enablement of the US-European Union Privacy Shield agreement. More information: https://www.privacyshield.gov/welcome
OTHER RECIPIENTS: YES □ NO □
Website of the Data Controller www.inmoetica.com

6.- RIGHTS: you can exercise the rights of access, rectification, deletion, opposition, limitation and portability. If you wish to exercise any of the aforementioned rights, the Responsible Party will provide you with an appropriate form, which must be submitted to the address Carrer Perez Galdos 10, 5º, B. 07006 Palma, attaching your ID or passport, or to the following email address: luisaripolls@gmail.com. You have the right to file a claim with the Spanish Agency for Data Protection in the event that you consider that the exercise of your rights has not been properly addressed (www.aepd.es). The maximum term to resolve is one month from receipt of your request.
In the event that there was any change in your data, we appreciate you duly communicating it in writing in order to keep your data updated.