SANTA MARCELITA BIKES PRIVACY POLICY - Santa Marcelita

1. INTRODUCTION

On December 13, 1999, the Organic Law on the Protection of Personal Data was published, the purpose of which is to guarantee and protect everything related to the processing of personal data, public freedoms and the fundamental rights of natural persons and especially, your honor and personal and family privacy.

This Security Document has been prepared by the company BIKESANDRENTAL SL, in compliance with Royal Decree 1720/2007, of December 21, which approves the Development Regulation of Organic Law 15/1999 on the Protection of Personal Data.

This document is the development of the security policy regarding the processing of personal data, that is, any information that identifies or makes an individual identifiable, and includes the technical, legal and organizational measures necessary to guarantee the protection, the confidentiality, integrity and availability of the resources affected by current regulations on data protection.

Once this document is approved by the Information Security and Data Protection Committee, it will be communicated and disclosed to all staff through the internal means of communication, because they know its scope and apply it according to the responsibility that corresponds to them in Compliance with current legislation.

The objective of this document is to describe the measures, standards, procedures, rules and security standards that the company assumes in the processing of personal data to guarantee the security of these data avoiding their alteration, loss, treatment or access by unauthorized persons.

Its purpose is to help improve the quality of our services, offering greater security and confidence in the processing and guaranteeing the right to privacy of the people who are related to the company.

The company has declared the files of a personal nature to the AEPD and has drawn up this Security Document to establish the security measures that correspond to each of the files based on their level of security.

The security document, as well as the application of all the procedures it contains, must be kept up to date at all times and any relevant changes in the processing of personal data or current applicable regulations must always be reviewed.

2. THE SECURITY DOCUMENT

2.1. Object and purpose.

The Regulation for the development of the Organic Law on the Protection of Personal Data, approved by Royal Decree 1720/2007, in its article 88 establishes that the File Manager will prepare a Security Document that will include the technical and organizational measures in accordance with with the current security regulations that will be mandatory for personnel with access to personal data.

This Security Document compiles the rules and procedures necessary to apply these mandatory security measures for personnel with access to personal data and the systems and facilities that support them, and which must serve to guarantee protection, confidentiality , integrity and availability of the affected resources in accordance with that established by the LOPD.

This document must be kept permanently updated. Any relevant modification in the automated or non-automated information systems, in their organization, or in the current provisions regarding the security of personal data will entail the revision of the included regulations and, if necessary, the total modification. or partial.

The following aspects are defined in the Security Document:

The scope of the document and all those resources and people that are affected.
The rules, the policies, standards and procedures to follow to guarantee compliance with the security level specified in Royal Decree 1720/2007 that develops the LOPD.
Personnel Duties and Duties.
Inventory of files with personal data that is the responsibility of the company.
Security structure.
Functions of the Security Organization.
Procedure for the exercise of the rights of the affected party.
Rights of the affected party.
Safety rules and procedures:
Notification, registration and management of incidents.
Data backup and restore.
Support management.
User and authorization management.
Control of physical access to data processing areas.

2.3. Other measures and procedures to comply with the LOPD:

Creation, modification and deletion of files.
Duty of information in data collection.
Formalization of contracts with third parties.
Update of the security document.
Audit procedure.

3. SCOPE OF APPLICATION AND PROTECTED RESOURCES

3.1. Scope of application.

This Security Document is applicable to automated and non-automated files (paper documents) that contain personal data of and that are under the responsibility of the person in charge of the file, including the information systems, supports and equipment used for the treatment of personal data that must be protected in accordance with the provisions of current regulations, the people involved in the treatment and the premises in which they are located. The mention of the term “files” includes the two types provided for in this paragraph, when a specific reference is intended in one type or another, it must be duly stated.

Data processing (art 5.t of RD 1720/2007) is understood as any operation or technical procedure, whether or not automated, that allows the collection, recording, conservation, elaboration, modification, consultation, use, cancellation, blocking or deletion , as well as the transfers of data resulting from communications, consultations, interconnections and transfers.

3.2. Legal scope.

This document is applicable to all the files and information systems of the aforementioned organizations that contain personal data.

The files and their structure are defined in the Annex: Inventory of company files.
3.3. Personal scope.

This Security Document is mandatory for all personnel of the organizations described as well as those external collaborators who in one way or another intervene in the processing of personal data and the company’s information systems.

The internal regulations contained in this document have been informed to all personnel through the disclosure of the company’s Security Document, and Functions and obligations of the personnel, thus complying with the provisions of article 89 of Royal Decree 1720/2007.

All company personnel and collaborating personnel who work with, use, and process personal data and information systems must be aware of the content of this document and adopt the instructions established to guarantee adequate protection of the data of those affected. The ultimate goal is to spread the “safety culture” as much as possible.

3.4. Material scope.

The security standards contained in this document are applicable to any type of resource that forms the set of assets that contain personal data, of which the Company is the owner, including: electronic and paper documents, hardware, software, base software, communications, electronics and all other components that, directly or indirectly, are related to the processing of personal data.

Personal data files are classified at different levels depending on the information they contain and the treatment that is made of it. Thus, articles 80 and 81 of Royal Decree 1720/2007 establish 3 levels of security. Compliance with the security measures is cumulative so that any file has to comply with the measures of the lower levels:

BASIC level: any file with personal data.

MEDIUM level: files with data on administrative or criminal offenses and those that offer a definition of the characteristics or personality of citizens and that allow certain aspects of personality or behavior to be evaluated.< /li>

ALT levelOr: files containing data on ideology, union affiliation, religion, beliefs, racial origin, health or sexual life and data derived from acts of gender violence.

3.5. Protected resources.

The protection of data against unauthorized access will have to be carried out by controlling all the ways by which this information can be accessed.

The resources that will have to be controlled by this regulation to control direct or indirect access to data are:

The treatment centers and premises where the files are located or where the supports containing them are stored.
The computers, either local or remote, from which the files can be accessed.
The servers, if any, and the operating and communications system environment in which the files are located.
The applications set to access the data.

3.6. Staff.

The security measures contained in this Security Document are applicable to all personnel involved in the processing of personal data.

The staff of the organization who, in the performance of their functions, treat or access personal data, will have to observe the provisions of this Security Document.

The list of authorized personnel is included in the Annex “FILE USERS” of this document.

4. MEASURES, NORMS, PROCEDURES, RULES AND SECURITY STANDARDS FOR DATA PROCESSING.

4.1. Treatment centers and premises.

The premises where the computer equipment containing the files being processed are located must have the minimum security measures in place in order to guarantee the confidentiality of the personal data and their availability.

They will have to have the minimum security means that avoid the risks of unavailability of files or documents that may exist as a result of accidental or intentional incidents.
4.2. Work regimen outside the premises of the File Manager or data processor.

When personal data is stored on portable devices or processed outside the premises of the File or Processing Manager, or the person in charge of processing, prior authorization will be required from the File or Processing Manager, and in any case, to guarantee the level of security corresponding to the type of file processed.

The authorization referred to in the previous paragraph must be included in the Security Document and may be established for a user or for a user profile and a validity period must be determined.
4.3. Jobs or teams.

They are all those devices from which you can access the data of the files, such as terminals and personal computers.

Workstations are also considered to be those system administration terminals, such as, for example, operation consoles, where in some cases the protected data of the files may also appear.

The security procedures applicable to them are implicit in the obligations of users and administrators that will be detailed in the next section of this Security document.

4.4. Computer system and file access applications.

They are all those computer systems, programs or applications with which you can access the data of the files, and that are usually used by users to access.

These systems can be computer applications expressly designed to access the file or general-use programmed systems such as applications or packages available on the computer market.

The computer systems for access to the files must have their access restricted by means of a user code and a password.

All users authorized to access the files, related to Annex C, will have to have a user code that will be unique, and that will be associated with the corresponding password, which will only be known by the user himself.

If the computer applications that allow access to the files do not have access control, it will have to be the operating system, where this application is executed, that prevents unauthorized access, by controlling the aforementioned user codes and passwords.

Additionally, for files with a high security level, fraudulent access attempts to the files must be controlled, limiting the maximum number of failed attempts and, in addition, the date, time, code and password must be saved in an auxiliary file. the wrong key that have been entered, as well as other daRelevant data that will help uncover the authorship of these fraudulent access attempts.

The Security Manager will be responsible for reviewing the registered control information at least once a month and will prepare a report on the reviews carried out and the problems detected.

For all the files, if real data is used during the tests prior to the implementation or modification of the access application, the same security treatment applied to this file will have to be applied to these test files.
4.5. Safeguarding and protection of personal passwords.

Personal passwords are one of the basic components of data security and must be specially protected.

As access keys to the system, the passwords must be strictly confidential and personal, and any incident that compromises their confidentiality must be immediately reported to the administrator and amended in the shortest time possible.

Passwords are assigned and will be changed by means of the mechanism and frequency determined by the file administrator and which will be included in this Security Document as an Annex.

The file where the passwords are stored must be protected and under the responsibility of the system administrator.

5. SECURITY MEASURES MANAGEMENT PROCEDURES

5.1. Incident management.

5.1.1. Definition of incidence.

“Security incidents”, among others, will be considered any breach of the regulations developed in this Security Document, as well as any anomaly that affects or may affect the security of personal data.

Any user who becomes aware of an incident is responsible for reporting it. The knowledge and non-notification of an incident by the staff will be considered as an offense against the security of the file.

The incident must be reported to the system administrator or security officer, verbally or in writing.
5.1.2. Incident management.

The person who has become aware of the incident will have communicated it to the designated subjects as quickly as possible, without prejudice to the fact that, depending on the circumstances, incidence and time, he or she may initiate or suggest control actions in order to avoid greater harm.

The Security Manager will take the necessary steps to resolve the consequences of the incident.

The Security Manager will collect the necessary information to cover the different fields of the incident record.

The Security Manager will enable a record of incidents that allows documenting and bringing a control of them.

5.1.3. Record of incidents.

The Security Manager will record the incidents in the Annex to the Security Document and will contain:

Type of incident.
Date and time it occurred.
Person making the notification.
Person to whom you communicate.
Effects it can produce.
Performed data recovery procedures.
Person running the recovery process.
Data restored.
Data that has been required to be manually restored in the recovery process.

5.2. Media Management.

5.2.1. Definition of computer media.

They are all those data recording and recovery media that are used to make copies or intermediate steps in the processes of the application that manages the files.

Since most of the supports that are used today, such as DVDs, portable devices, etc. they are easily transportable, reproducible and/or copyable, the importance of controlling these media for data security is evident.
5.2.2. Identification of the supports.

Media containing file data, either as a result of intermediate operations of the application that processes them, or as a result of periodic support processes or any other sporadic operation, must be clearly identified with an external label indicating what file it is, what type of data it contains, the process that originated it and the date of creation.

The supports and documents that contain personal data must allow the type of information they contain to be identified, be inventoried, and must only be accessible by authorized personnel indicated in the security document.

These obligations are excepted when the physical characteristics of the support make it impossible to comply, leaving a reasoned record in the security document.

In the case of files containing data that are consideredespecially sensitive, the labeling of the media must be carried out using an understandable and meaningful system that allows users with authorized access to identify its content and that makes identification difficult for other people.
5.2.3. Destruction of the supports.

In the event that any document or support containing personal data has to be rejected, it will have to be destroyed or deleted, adopting the necessary measures to prevent improper access to the information or its subsequent recovery.

Those means that are reusable, and that have contained copies of data from the files, will have to be physically erased before reuse, so that the data they contained are not recoverable.

The supports that contain data from the files will have to be stored in places to which unauthorized persons do not have access.

5.2.4. Output of supports.

The departure of computer media, portable devices or documents that contain personal data, including those included and / or attached to emails, outside the premises where the files are located, either by transfer or to process data outside the premises of the person in charge of the files, it will have to be expressly authorized by the aforementioned person in charge of the files.

In the transport of media or documents, measures must be taken to prevent the theft, loss, manipulation or improper access to the information.

Additionally, for files with a medium and high security level, the person responsible for the files will keep an entry and exit log book where the entry and exit forms of supports or documents duly completed and authorized will be kept. These books will allow, directly or indirectly, to know the type of document or support, the date and time, the issuer, the number of documents or supports included in the shipment, the type of information they contain, the form of shipment and the person responsible for the reception that must be duly authorized.

Only in the case of files with a high security level, the output of media containing personal data must be done by encrypting the data or, if not, using another mechanism that guarantees that the information is not accessible or manipulated during the time they are away from the premises of the person responsible for the files.
5.3. Copy and recovery procedures.

The security of the personal data in the files not only implies confidentiality but also implies the integrity and availability of these data.

In order to guarantee these two fundamental aspects of security, there must be copying and recovery processes that, in the event of a computer system failure, allow the data in the files to be recovered and, if necessary, reconstructed.

There will be a person, either the administrator or another expressly designated user, who will be responsible for periodically obtaining a backup copy of the files, for security purposes and possible recovery in case of loss.

These copies will have to be made on a daily basis, except in the event that there has been no update of the data.

The File Manager will be responsible for verifying every six months the correct definition, operation and application of the procedures for making backup copies and recovering the data.

In the event of a system failure with total or partial loss of file data, there must be a procedure, computerized or manual, that, starting from the last backup and the record of the operations carried out from the moment of the copy, reconstructs the data from the files to the state in which they were at the time of the decision.

Only in the event that the incident affects partially automated files or processing, and provided that the existence of documentation allows the objective referred to in the previous paragraph to be achieved, will the data have to be recorded manually. This procedure is described in annex I.

The written authorization of the person responsible for the files is required for the execution of the data recovery procedures, and a record must be made in the incident log of the manipulations that have had to be carried out for these recoveries, including the person who performed the process, the restored data and the data that had to be recorded manually in the recovery process.

For files of any type of security level, a backup copy and the data recovery procedures must be kept, in a different place from the one where the computer equipment that processes them is located.in any case, the security measures required in the Regulation.

5.4. Input and output of data through the network.

5.4.1. Exclusive section for medium and high security level files.

Network data transmission, either by email or file transfer systems, is becoming one of the most widely used means of sending data, to the point that it is replacing physical media. For this reason, they deserve special treatment since, due to their characteristics, they may be more vulnerable than traditional physical media.

It is recommended that all the data entries and exits of the files that are made by email be made from a single account or email address controlled by a user specially authorized by the person responsible for the files.

Likewise, if data is input or output via network file transfer systems, only a user or administrator is authorized to perform these operations.

Copies of all emails that involve data entries or exits from the files will be kept in protected directories and under the control of the aforementioned person in charge.

Copies of these emails will be kept for at least two years.

A copy of the files received or transmitted by network file transfer systems will also be kept for a minimum of two years, in protected directories, together with a record of the date and time the operation was performed and the destination of the files. the files sent.

When data from files with a high security level have to be sent by email or by file transfer systems, through public or unprotected networks, they must be sent encrypted so that they can only be read and interpreted by the recipient.
5.5. Access log.

5.5.1. Physical access.

Accesses to the premises where the files are located by those who are not explicitly authorized (visits, maintenance, etc.) must be recorded.

In addition, the access of authorized personnel outside of their working hours must be recorded.
5.5.2. Exclusive section for files with a high security level.

The access attempts of each user to the file must be recorded, saving, at a minimum, the user’s identification, date and time, the type of access, the file accessed and whether or not it has been authorized. In the event that access has been authorized, the information that allows the accessed record to be identified must be saved.

In the case of failed access attempts, for each user the maximum number of failed attempts is limited to five.

The mechanisms that allow access registration will be under the direct control of the competent Security Manager without having to allow their deactivation or manipulation.

The minimum period of conservation of the registered data is three years.
The Security Manager will be responsible for reviewing the registered control information at least once a month and will prepare a report on the reviews carried out and the problems detected.

When the person responsible for the file is a natural person and guarantees that only he has access to and processes the personal data, it will not be necessary to have this access log.

5.6. Non-automated files.

5.6.1. Security measures.

Those responsible for processing or non-automated files and/or those in charge of processing must implement the appropriate security measures based on the level of security required for the document or non-automated file. The security levels are listed at the beginning of this security document, specifically in the Scope of application section.

The measures applicable depending on each level in the case of non-automated files (normally called documents) have been commented on in this security document.

In order to provide non-automated files or documents with the greatest possible security, it is necessary to develop certain specific criteria for this type of file.
5.6.2. Archive criteria.

The File Manager must guarantee that the file of the media or documents is carried out in such a way as to guarantee the correct conservation and management of all the documents. You must have the option of being able to easily locate and consult all the stored information at all times.

The establishment of a documentation organization in a clear way will allow to comply with the legal obligation to facilitate, to interested persons who request it, the exercise of the rights of opposition, access, rectification or cancellationation of the processing of personal data.

The person in charge of the File will have to review or have it reviewed periodically, at least once a year, the situation of the archived documents to verify their correct status, as well as determine the need to carry out some action to maintain, among others , the integrity of the documents or the logical order of the documentation.
5.6.3. Storage devices.

Document storage devices, generally filing cabinets, cabinets, boxes or similar structures, that contain personal data, must be equipped with a lock or some similar system that makes it difficult to open them.

If the physical characteristics of the storage devices do not allow it to be equipped with a lock or controlled opening system, the person responsible for the file or treatment or the person authorized by it must prevent access by unauthorized persons to the cabinet, filing cabinet or device in general.

5.6.4. Custody of the media.

As long as the documentation with personal data is not filed in the storage devices or filing cabinets, to be in the process of review or processing, either before or after filing, the person in charge must guard and prevent at all time, that any unauthorized person can access this documentation.

The File Manager must know the status of this documentation at all times, and in the event of any incident, they must notify you as quickly as possible so that the corrections or measures to be adopted in each case can be decided.

5.7. Review procedures.

The Security Document must be kept up to date at all times and must be reviewed whenever relevant changes occur in the information system or in its organization.

Likewise, you will have to adapt, at all times, to the current provisions regarding the security of personal data.

On an annual basis, the Security Manager will proceed to review all the sections of the Document and specifically, to list the following aspects:

File structure.
Change passwords.
Users who have access.
Formalization of the record of incidents.
Computer system structure, which may involve changes in the way backup and recovery are performed, for example.

5.8. Audit.

The information systems and data processing and storage facilities will be submitted, at most every two years, to an internal or external audit, which verifies compliance with the R.L.O.P.D.

On an extraordinary basis, this audit will have to be carried out whenever substantial modifications are made to the information system that may have repercussions on compliance with the security measures implemented in order to verify adaptation, adequacy and effectiveness. This audit begins the calculation of two years indicated in the previous paragraph.

6. FUNCTIONS AND OBLIGATIONS OF THE PERSONNEL.

In order to comply with the provisions of article 88.3.c and 89 of Royal Decree 1720/2007, all BIKESANDRENTAL SL staff who work with media and/or information systems where personal data is processed , you will have to comply with the following regulations.

6.1. Regulations to apply:

Organic Law 15/1999, of December 13, on the Protection of Personal Data.

Royal Decree 1720/2007, of December 21, which approves the Regulation that develops the LOPD, in its article 89 indicates that the functions and obligations of each of the people with access to personal data and to information systems will be clearly defined and documented within the Security Document. In addition, the necessary measures will be adopted so that the personnel knows the security measures that affect the performance of their functions.
6.2. Basic principles.

The security of the company’s information systems and personal data files is based on the following premises:

– Security, we do it together. Everyone participates from their workplace with their attitude, habits and behaviors to create a state of global and corporate security.

– All users have to achieve a sufficient level of awareness, education and training, to be able to participate adequately in creating a fairly high security climate.

– The Security Document must be accessible, known and understood by all users, to the extent that it corresponds to them and based on their responsibility.

– The DOCSecurity increase will be disseminated to all users whenever there are changes to functions and obligations.

– Everyone is responsible, in their share, for the joint security of the company’s “information systems and files”.
6.3. The duty of secrecy.

Organic Law 15/1999, in its article 10, establishes the duty of professional secrecy to any person who intervenes in any phase of the processing of personal data and the duty to keep it, an obligation that extends beyond the duration of the relationship of the person with the entity, or the person responsible for the file.

Users have the duty to keep total reserve regarding confidential data, documents, methodologies, passwords, documentation generated in the development of their functions during their stay or provision of service of the company and personal data that they know as a consequence to participate in the processing of company data.

Users will not provide or communicate personal data to third parties, not even for its conservation, unless they have the express authorization of the File or Treatment Manager, in the legally admissible cases. Supply will be understood as any disclosure of information, even due to negligence, that allows third parties to know, totally or partially, the aforementioned information.

This duty of secrecy will subsist beyond the termination of the user’s relationship with the File Manager and with the company.

No user may use material or information provided by the company for uses not related to the function entrusted to them. The authorization of access to this information is always considered strictly temporary and in no case will it imply the right of possession, ownership, or right to copy the mentioned information.

The user has the duty to return all non-public material and information available to him, immediately after the end of the tasks that gave rise to its temporary use, and in any case prior to the end of his relationship with the company.

Failure to comply with the duty of secrecy may constitute a crime of revealing secrets as provided in article 195, and from 197 to 201 of the Penal Code.
6.4. Jobs.

The workstations will be under the responsibility of an authorized user contained in annex C, who will guarantee that the information they show cannot be visible to unauthorized persons.

This implies that both the screens and the printers or other types of device connected to the workstation have to be physically located in places that guarantee this confidentiality.

When the person in charge of a job leaves it, either temporarily or at the end of his work shift, he will have to leave it in a state that prevents the viewing of protected data. This can be done with a screen saver that prevents the data from being displayed. The resumption of work will imply the deactivation of the protective screen with the introduction of the corresponding password.

In non-automated files or documents, when the person in charge of the job has to be absent, it must be ensured that the documents used are kept in a safe place away from the reach of unauthorized persons.

In the case of printers, it must be ensured that there are no printed documents left in the output tray that contain protected data. If the printers are shared with other users who are not authorized to access the data in the files, those responsible for each workstation will have to remove the documents as they are being printed.

The workstations from which the files are accessed will have a configuration in their applications and operating systems that can only be changed with the authorization of the Security Manager or by authorized administrators from Annex C.

6.5. Use of data.

Users will be responsible for the use of confidential and personal information to which they have access and for maintaining their quality.

Confidential information shall be understood as all information that contains personal data, as well as all information of a relevant nature for the company.

Data quality has to be understood as:

The adequacy of the data to the purpose for which it was collected, only the data strictly necessary and legitimate for the provision of the service will be requested.
The legitimate and lawful use of the data in accordance with the purpose for which they were collected.
The accuracy, reliability and veracity of the data.

When the user considers that the personal data could be usedtwo with purposes incompatible with the original purpose for which they were collected, you will have to notify the person responsible for the file prior to their use, who, if applicable, will have to regularize the situation before authorizing the treatment, asking, if there is no other course that legitimizes the treatment, the consent of those affected.

Personal data files can be created as long as the File Manager is notified to keep the inventory updated and follow the procedure required by the regulations.

When the user considers that there may be a transfer of personal data that has not been declared or authorized, he will have to previously communicate the fact to the File Manager for his authorization. If there is no assumption that legitimizes the transfer, such as treatment for historical purposes, the collection or generation of data for another administration or the exercise of identical powers on a common matter, the File Manager will have to request the consent of the interested parties with character prior to the assignment.

It is strictly forbidden to remove or send outside the company’s facilities or systems any confidential or personal information, through any support or medium (DVD, USB devices, printed copies on paper, etc.), without prior and explicit authorization. of the person responsible for the file.

If the File Manager authorizes it, mechanisms must be used to guarantee that this information will be intelligible and cannot be manipulated during its transport.
6.6. Identification codes and access codes.

The identification codes and passwords assigned to each individual user are personal and non-transferable, never being able to share them with other people, and the user is ultimately responsible for the consequences that may arise from the misuse, disclosure, or loss of are.

Each user will be responsible for the confidentiality of their password, in the event that it is accidentally or fraudulently known by unauthorized persons, they must inform the Security Manager because he records it as an incident and will have to proceed to change it.

To guarantee the confidentiality of the credentials, each individual will be responsible for using passwords that are not easily ascertainable, changing the initial password temporarily assigned during the first connection to the system, changing it periodically every three months and in the event of any suspected incident of identity theft. Username.

It is expressly prohibited:

Attempt to find out or decipher the passwords of another user and impersonate her. </ li>
Attempting to increase the level of privileges of a user, to access system resources without express authorization from the functional manager or the application administrator.

6.7. Use of system resources.

The information systems, networks, workstations and other computer resources used within the Department are for the exclusive use of the Department. The users will be responsible for the correct use of the information systems and in general of all the computer resources to which they have access to carry out the tasks and functions entrusted to them, without incurring in activities that may be considered illicit, illegal , contrary to the established regulations or that violate the rights of those affected.

Users are obliged to use only the resources of the information systems that the company makes available to them, always and in accordance with the guidelines established in the Security Document and current legal regulations.

In relation to the structure, location and organization of the data, they must follow the following guidelines:

Always work on network drives.
Define common work areas on the servers, for groups that need to share files with personal data.
Ensure the security of the data in temporary files.
Delete any extraction or temporary file, the generation of which has been necessary in the development of the user’s attributions, once the reason for which it will be created is finished.

It is expressly prohibited:

Destroy, alter, disable or damage data, documents, software, hardware or any information system owned by the company or third parties, which are within the company’s facilities or in its custody.
Deliberately hindering other users’ access to the network through the massive consumption of computing or telematic resources.
Installing software to the company workstation without help desk support.
Delete any of thes legally installed programs or tools owned by the company.
Disable antivirus software.
Use standard computer programs for commercial use, without having the corresponding license, as well as the unauthorized reproduction, assignment, transformation or communication of any product owned by the company.
Deliberately introducing devices, programs, viruses or sequences of characters that cause, or are likely to cause, any type of alteration in the company’s information systems and that have not been previously authorized.

Likewise, the use of the company’s computer resources for activities that are not directly related to the user’s job will be avoided.

6.8. Incident management.

Any user who is aware of an incident is responsible for its communication or, if necessary, for its registration in the file incident registration system.

The knowledge and non-notification of an incident by a user are considered as an offense against the security of the files by this user.

6.8.1. Incident notification.

Users have the duty to immediately report any incident, anomaly or suspicion that affects or may affect:

The protection, quality or availability of data from information systems or paper files.
The responsible use of computing resources.
The treatment or transfer of data in accordance with current regulations.
The exercise of the rights of those affected.

This communication will be made to the functional manager of the application, the user service or the service manager of the affected unit according to the type of incident detected.
6.8.2. Computer incidents.

If the incident is related to access to information systems, their availability, the company’s workstation or mobile devices, the case will be reported immediately to the user service, through the channels established for this purpose.

Incidents related to access and authorizations to the information systems will always be reported to the functional managers of the applications.

Are examples:

Impersonation or suspected impersonation of the user’s identity.
The sharing of identifiers and passwords between users.
Unauthorized access to data and systems. Their extraction and disclosure.
Attempt to read, delete, copy, or modify other users’ email messages or files.
Unauthorized physical access to technical rooms.
Theft or loss of portable or mobile devices (tablets, pdas, laptops, etc.)
The lack of availability of the systems.
The reception of insulting or malicious emails: SPAM, Phishing, defamatory emails, abuse of the right to privacy, etc.

Alteration of protection measures or software to the user’s workstation.
The deactivation of system protection measures (passwords, etc.)
Viruses and other malicious code.

Regarding the technical staff:

Attacks or attempted attacks on systems.
The absence or failure of backup copies of systems or databases.
The unauthorized or certified destruction of the company’s backup media.
Theft or loss of media with company backups.
Activation of the contingency plan in the event of a disaster.
The execution of tests with real data without having security measures equivalent to the production environment.

6.9. Breach of basic principles L.O.P.D. and incidents arising from the use of information media.

Incidents related to non-compliance with the basic principles of the L.O.P.D. and those related to the treatment of paper files and information supports that are not owned by the company will be notified to the User’s Head of Service.

Are examples:

The collection of personal data without the consent of the affected party when it is required or without providing information on the purposes.
Failure to exercise the rights of the affected party within the terms established by law.
The unauthorized transfer of data or without the consent, when applicable, of the affected party.
Breach of the duty of secrecy.
The destruction or loss, whether accidental or deliberate, of paper files or other media (DVD, USB,…)
Detache from a medium without having previously deleted the information.
Sending or disclosing personal information abroad without authorization, through any material support, including attachments in an email.

6.10. Use of email.

Use email in a dignified and responsible manner. The use of corporate email represents us personally but also as members of the company and wherever we go we are leaving a business card.

Email will be considered both internal, between the terminals of the corporate network, and external, which is addressed to or comes from other public or private networks and, especially, from the Internet.

The computer system, the internal network, the software and the terminals used by the workers are the property of the company. That is why no email sent or received from the company’s computer systems can be considered personal. Workers will not be able to encrypt messages and if they do, it will have to be with approved tools or in a way that the company can open them if necessary.

The email service must be used solely for the communication of aspects related to the development of daily work and/or the fulfillment of work obligations.

Email may be used incidentally for personal purposes provided that:

Do not mean a significant waste of time.
Cannot damage equipment.
Not for personal gain.
It is not about mass mailings.
Not chain letters or pyramid schemes.
Do not send content expressly prohibited in this document.

Through email, there will be no massive and generic dissemination of communications, news or information of a particular nature. The use of electronic mail is limited to interpersonal communications and between small groups, the communications of which will have to be directly related to the object of the message. The general information will be disseminated through the corporate Intranet and the specific channels established by the company for this purpose.

Users are responsible for all activities carried out with the access accounts and their respective mailbox provided by the administration.

Users will not have to allow the use of the account and/or the corresponding mailbox to unauthorized persons.

Users must be aware of the risks involved in the improper use of email addresses provided by the administration.

The use, in the computer equipment provided by the administration, of e-mail mailboxes of other Internet providers is prohibited.

The connection to external networks or systems of the workstations from which the files are accessed is expressly prohibited. The revocation of this prohibition will be authorized by the person responsible for the files, leaving a record of this modification in the incident book.

In accordance with the provisions of Law 34/2002, on Services of the Information Society and Electronic Commerce, modified by Law 32/2003 General Telecommunications, SPAM is strictly prohibited, sending information that has not been previously requested or duly authorized.

6.11. Intellectual and industrial property.

The use of computer programs without the corresponding license is strictly prohibited, as well as the use, reproduction, assignment, transformation or public communication of any type of computer program protected by intellectual or industrial property rights.

6.12. Responsibility.

Failure to comply with the obligations and security measures established in this document by the affected personnel may entail consequences of a different nature (labour, civil, criminal, etc.), in accordance with current legal regulations.

7. RESPONSIBLE FOR THE FILES

7.1. The File Manager.

7.1.1. Function.

The person responsible for the files is the natural or legal person who is responsible for defining the security measures established in this document.

In addition, it will implement the security measures established in it and will adopt the necessary measures so that the personnel affected by this document knows the regulations that affect the performance of their functions.
7.1.2. Designation of the File Manager.

BIKESANDRENTAL SL, S.L.U. with NIF/CIF Nº: B98640816and address at: C/ MAESTRO PALAU 10, PTA.2Zip Code: 46008Population : VALENCIAProvince: VALENCIA
7.1.3. Obligations.

The person responsible for the files will implement the security measures established in this document and will guarantee its dissemination among all personnel who have to use it.

You will have to keep it updated whenever relevant changes occur in the information system, in the treatment system used, in your organization, in the content of the information included in the files or treatments or, if necessary, as a result of the controls newspapers carried out, likewise, to adapt the content at all times to the current provisions on data security.
7.1.4. Operating and communications system environment.

It will approve or designate the administrator who will be responsible for the operating and communications system that will have to be listed in Annex C.
7.1.5. Computer system or file access applications.

The person responsible for the files will ensure that the computer systems used to access them have their access restricted by means of a user code and a password.

He will also take care that all users authorized to access the files, related to Annex C, have a user code that will be unique, and that will be associated with the corresponding password, which will only be known by the user himself.

In the event that there is a contract for the provision of services by which a Data Processing Manager is established, their identification will be available in Annex D.

The duration of the contract for the provision of services will be specified in the contract, but if for any reason this is not the case, it will be understood to be of indefinite duration, as long as neither of the parties decides otherwise.

If the Treatment Manager provides its services at the premises of the person responsible for the files, the latter must ensure that the Treatment Manager’s staff complies with all the security measures provided for in this security document. In the event that the data processing is carried out in the premises of the person in charge of the treatment, this point must be reflected in this security document.

If there are remote connections to the data, all the personnel of the Data Processor must also comply with the security measures established in this document.

In the case of paper documents or non-automated files, the File Manager must ensure that only authorized personnel in Annex C have access to them.

Additionally, the File Manager will adopt the appropriate measures to limit staff access to personal data for the performance of work that does not involve the processing of personal data.
7.1.6. Safeguard and protection of personal passwords.

Only the people related to Annex C may have access to the data in the files.
7.1.7. Media management.

The output of computer media containing data from the files outside the premises where these files are located must be expressly authorized by the person responsible for the files. In the same way, it is necessary to proceed for documents that contain personal data that have to leave the premises in which they are processed.

7.1.8. Security and recovery procedures.

The File Manager will be responsible for verifying every six months the correct definition, operation and application of the procedures for making backup copies and recovering the data.

7.2. The Treatment Manager.

7.2.1. Definition.

The current regulations on data protection define the person in charge of the treatment: “the natural or legal person, public or private, or the administrative body that, alone or jointly with others, processes personal data on behalf of the person in charge of the treatment or the person in charge of the file, as a consequence of the existence of a legal relationship that binds it and delimits the scope of its action for the provision of a service. Entities without legal personality that act in the traffic as differentiated subjects can also be in charge of the treatment.

We have to keep in mind that the people who are professionally linked to the File Manager will not be considered data processors.
7.2.2. Contractual relationship.

In order to apply the regulation established between the File Manager and the person in charge of the treatment, it is necessary that the requirements of article 12 of the L.O.P.D. and of 20 of the R.L.O.P.D.:

Access to personal data must be necessary for the provision of a service to the data controller.
The service provided by the EThe person in charge of the Treatment may or may not be paid and may be temporary or indefinite.
The carrying out of treatments on behalf of third parties must be regulated in a contract that must be in writing or some other form that allows accrediting the agreement and the content. This contract must expressly state:
That the Data Processor will only process the data in accordance with the instructions of the data controller.
That they cannot be applied or used for a purpose other than that stated in the contract.
That you cannot communicate them to other people, not even to keep them. This last requirement will be nuanced with the possibility of subcontracting that will be seen in the next point.
The security measures that must be implemented and that are required according to the type of personal data that must be processed. To articles 82 and 83 of the R.L.O.P.D. Some specifications are established regarding the Person in Charge of the Treatment that will be seen in the section on security measures.
Yes, once the contractual provision has been fulfilled, the personal data must be destroyed or returned to the data controller, as well as any support or document containing any personal data subject to processing. This, without prejudice to what we will see later in relation to the possibility of conservation of the data by the person in charge of the treatment.
The mechanism by which the data controller will ensure that the Data Processor complies with the guarantees for compliance provided by the data protection regulations.

7.2.3. Rights of access, rectification, cancellation and opposition.

The contract can also provide that the affected person exercises their rights of access, rectification, cancellation and opposition before the person in charge of the treatment.

Both parties will have defined yes:

The person in charge has to transfer the request to the person in charge, so that he can resolve it.
The person in charge has to attend, on behalf of the person in charge, the requests for the exercise of his rights by the affected people. </ li>

7.3. Head of Security.

7.3.1. Function.

When there are files that require the adoption of medium or high level security measures, one or more security managers must be designated in charge of coordinating and controlling the measures defined in this document, serving at the same time as a liaison with the person responsible for the files. , without this implying in any case a delegation of the responsibility that corresponds to the latter, in accordance with the R.D.L.O.P.D. 1720/2007 of December 21.

7.3.2. Obligations.

The Security Manager will coordinate the implementation of the security measures, will collaborate with the person in charge of the files in the dissemination of the Security Document and will cooperate with the person in charge of the files controlling compliance with them.

The Security Manager will personally assign each user of the information system with access to medium or high level automated files and, if necessary, each user with access to documents containing personal data corresponding to these security levels. , the functions and responsibilities in relation to the confidentiality and protection of the data that, due to their job, they have to process, manipulate or safeguard, leaving a written record of their “aware” or “I have received” in this document.

7.3.3. Incident management.

The Security Manager will enable an incident book available to all users and file administrators in order to record any incident that may pose a danger to their security.

He will analyze the recorded incidents, taking the appropriate measures in collaboration with the person responsible for the files.

7.4. Systems Administrator.

7.4.1. Function.

They will be responsible for the maximum privileges and, therefore, the maximum risk that an erroneous action may affect the system.

This figure can be internal if it belongs to the company responsible for the treatment or external if a person in charge of the treatment is hired.

They will have access to the software (program and data) of the system, to the tools necessary for their work and to the files or databases necessary to solve the problems that arise.

7.4.2. Obligations.

7.4.2.1. Operating and communications system environment.

No tool or utility program that allows access to files has to be accessible to any user or administratornot authorized in Annex C.

The previous rule includes any means of raw access, that is, not elaborated or edited, to the data of the files, such as the so-called universal editors, file analyzers, etc., which will have to be under the control of the authorized administrators related in annex G.

The administrator will have to be responsible for keeping the backup copies and file supports in a safe place, so that no unauthorized person has access to them.

If the application or file access systems usually use temporary files or any other medium in which copies of the protected data could be recorded, the administrator must ensure that these data are not subsequently accessible to unauthorized personnel.

These temporary files must be deleted when they are no longer necessary for the until that motivated their creation.

In the case of working copies of documents, these will only be available to authorized personnel and will have to be destroyed when they are no longer necessary for the purpose for which they were created.

If the computers where the files are located are integrated into a communications network in such a way that access to the files is possible from other computers connected to it, the administrator responsible for the system must ensure that this access is not allowed to unauthorized persons.

7.4.2.2. Computer system or file access applications.

If the computer applications with access to the files do not have access control, it will have to be the operating system where this application is executed that prevents unauthorized access, by controlling the aforementioned user codes and passwords.
7.4.2.3. Safeguard and protection of personal passwords.

The passwords will be managed by means of the mechanism that is determined in Annex I. This mechanism for assigning and distributing the passwords must guarantee their confidentiality. In no case will the maximum time for changing passwords exceed one year.

As long as they are valid, the passwords will be saved in an unintelligible way. The file where the passwords are stored must be protected and under the responsibility of the system administrator.

8. EXERCISE AND PROTECTION OF THE RIGHTS OF THOSE AFFECTED

The company, part of the premise that the person who gives us their data (or their legal representative), is the true owner, and therefore can exercise the right of access, rectification, cancellation and opposition of the data, when so decide it.

Any citizen who requests it and identifies himself before the company (Data Controller), will have the right to obtain, within a maximum period of one month, his personal data subject to treatment, as well as the communications or transfers that have been made to other agencies or entities.

At the same time, he may obtain information through a legal representative when he is in a situation of disability or minority that makes it impossible for him to exercise his personal rights. In this case, it will be necessary for the legal representative to certify this condition.

The company has the obligation to make effective the right of rectification, cancellation and opposition of the interested party within 10 days. In the event that your data has been previously communicated to other entities, the rectification or cancellation will have to be notified to whoever has been communicated.

If a citizen initiates a file requesting the cancellation of their personal data, they will have to proceed in accordance with that established in instruction 1/1998 of January 19, of the Personal Data Protection Agency.

The interested party will have to use any means that allows him to prove the sending and receiving of his request. The File Manager will have to respond to the request regardless of whether personal data of the interested party appears in his files, having to use any means that allows proof of sending and receiving.

The cancellation will not come from third parties or when there is an obligation to keep the data. In this case, the interested party will have to be notified motivating the decision not to attend to the request (instruction 1/1998 of the A.E.P.D. Regulation 3a article 5 onwards).

In the event that the request is admitted, two different ways will be followed; If the information record can be removed because there are no links with other information (in the case of directories, agendas, basic information records, etc.), the systems will be removed without further ado and, if appropriate, proceed to destruction. of the file or any associated documentation existing on paper, whether it is in the management file or the central file.

If personal information is requiredIf you want to attend to potential claims for benefits, services, subsidies and financial aid, we will proceed during the prescription period of the responsibilities derived from the treatment to:

Lock the file of the affected party.
Place the file number in the identification fields (name, address, telephone, etc.), so that we can continue to maintain the information that interests us online, yes, without personal data.
At the end of the limitation period of the aforementioned responsibilities, we will delete these files from the systems and require their destruction of the file.

8.1. Guarantees and procedures for the exercise of the rights of access, rectification, and cancellation (A.R.C.O. rights).
8.2. Rights and Guarantees of those affected.

The main rights of those affected in terms of personal data protection, regardless of those that constitute the duties and obligations of the file manager, are the rights of access, rectification and cancellation (A.R.C.O rights).
8.3. General requirements of these rights.

Next, we will proceed to define the main characteristics of these rights and the essential requirements for their exercise, as well as the obligations and procedures to be taken into account by the File Manager in the event of a possible request to exercise them.

Characteristics of these rights:

*Very personal: These rights are very personal and will be exercised by the affected party against the person responsible for the file, for which it will be necessary for the affected party to prove the identity of the person in charge.

The legal representative may act when the affected party is in a situation of disability or minority, which makes it impossible for him to exercise his rights.

In these cases, the legal representative will have to prove her condition through the relevant documentation for this purpose.

*Independence: the rights of access, rectification and cancellation are independent, not constituting the exercise of head of them prerequisite for the exercise of the other.

*Request: the rights are exercised by means of a request addressed to the person in charge of the file that will contain:

Name and surname of the interested party.
Photocopy of the D.N.I., as well as, in the permitted cases, documents proving the status of legal representative. (The D.N.I. may be replaced by other documents, provided that the identity of the person is proven, by any of the other means admitted by law).
Request in which the request is specified.
Address for notification purposes.
Date and signature of the applicant.
Documents accrediting or complementary to the petition that is formulated.

The interested party will have to use any means that allows to prove the sending and receipt of the request.

Due response: The person responsible for the file will have to answer the request addressed to him, regardless of whether or not personal data of the affected party appears in his files. Therefore, he will always have to answer.

If the request does not meet the requirements set out in the previous section, the File Manager will have to request their amendment.

In any case, the person in charge of the file will use some means that allows proving the sending of these communications and the receipt of the response.
8.4. Information and help with exercise.

The File Manager facilitates through these policies described in the previous sections, the information and training necessary to guarantee the company’s users the full exercise of their rights of access, rectification and cancellation.

For this purpose, a copy of this Security Document will be distributed to the personnel with access to the data, because they have the necessary training to attend to those affected and provide them with the information to exercise the rights recognized by the Organic Law on Protection of Personal Data. , all this in compliance with the provisions of the first section fifth rule of Instruction 1/1998.

The staff will keep the models for the exercise of these rights available to the public, taking care of their replacement and making them available to the public when requested, as well as providing all the information necessary for their correct presentation.

8.5. Right of Access.

The interested party has the right to request and obtain free information on their personal data included in the files of this company, the origin of these data, as well as the communications made or expected to be made.
8.6. Means of access.

In the exercise of this right, the affected party may choose oneof the following file query systems, provided that the physical configuration of the file allows it:

Screen display.
Written, copy or photocopy sent by mail or by *Burofax
Any other procedure that is appropriate to the material implementation configuration of the file.

8.7. Resolution.

The File Manager will decide on the access request within a maximum period of one month from receipt of the request.

Once this period has elapsed without a response to the request, it may be deemed rejected for the purposes of filing the claim provided for in article 18 of the Organic Law on the Protection of Personal Data.

In the event that personal data of those affected is not available, it must also be communicated within the same period.

If the resolution is upheld, access will be effective within 10 days of notification of the resolution.

8.8. Denial.

The File Manager may deny access to personal data when the right has been exercised in an interval of less than twelve months and no legitimate interest is proven for this purpose, as well as when the request is made by a person other than the affected person.

8.9. Information.

The information, whatever the support, will be provided in a legible or intelligible form, after transcription, if necessary, and will include all the basic data of the affected party, those resulting from any computer process, as well as the origin of the data, the assignees of the same and the specification of the uses and purposes for which they were stored.

In the event that they come from different sources, they must be specified, identifying the information that comes from each of them.

8.10. Rights of rectification and cancellation.

If the data is inaccurate, incomplete, inadequate and/or excessive, the person responsible for the files may be requested to rectify or, if applicable, cancel them.

Effectiveness: The rights of rectification and cancellation will be made effective by the person responsible for the files within 10 days following receipt of the request. If the rectified or canceled data had been transferred previously, the File Manager will have to notify the rectification or cancellation made to the assignee, within the same period, because the latter, in turn, carries it out in his file.

Request for rectification: The request for rectification must indicate the data that is erroneous and the correction that must be made and must be accompanied by supporting documentation for the rectification requested, unless it depends exclusively on the consent of the interested party.

Cancellation request: the cancellation request, the interested party will have to indicate if he revokes the consent granted, in the cases in which the revocation proceeds, or if, on the contrary, it is an erroneous or inaccurate data, in this case he will have to accompany supporting documentation.

Inadmissibility of the cancellation: The cancellation will not proceed when it could cause harm to the legitimate interests of the affected party or third parties or when there is an obligation to preserve the data.

Answer: If the rectification or cancellation is requested, the File Manager considers that it is not appropriate to attend to the request of the affected party, it will be communicated with reasons within the period of ten days following receipt of the same, so that by this the corresponding claim can be used.

Once the five-day period has elapsed without an express response to the request for rectification or cancellation, it may be deemed rejected for the purposes of filing the corresponding claim.

Effects of cancellation: The cancellation of entry requires the physical deletion of the data, without a logical mark being sufficient for these purposes, or the maintenance of another alternative file in which the cancellations produced are recorded.

In the cases that, being the cancellation of the data, its physical extinction is not possible, both for technical reasons and because of the support used, the File Manager will proceed to block the data in order to prevent its subsequent processing or utilization.

However, the case in which it is shown that the data has been collected or registered by fraudulent, unfair or illegal means is excepted, in this case the cancellation of the same will always entail the destruction of the support in which they appeared.

The cancellation will lead to the blocking of the data, keeping it only available to public administrations, judges and courts.

When the prescription period of the possible responsibilities arising from the treatment ends.Then, you will have to proceed to the physical deletion of the data.

Any interested party may oppose the processing of their data when there is no legitimate interest for the company to process them; when they are used to send advertising without his consent or are processed automatically without human intervention.

8.12. Effectiveness.

The right to object will be made effective by the File Manager within 10 days of receipt of the request. If the data had been transferred previously, the File Manager will have to notify the opposition made to the assignee, within the same period, because the latter, in turn, carries it out in his file.

8.13. Opposition request.

The request for rectification must indicate the well-founded and legitimate reasons and must be accompanied by the supporting documentation that proves it.

8.14. Denial of the right to object to data processing.

The company may deny opposition to data processing when it claims to have a legitimate interest or when there is an obligation to retain the data.

8.15. Answer:

If the person in charge of the file considers that it is not appropriate to attend to the request of the affected party, it will be communicated with reasons within the period of ten days following receipt of the request, so that the corresponding claim can be made use of. .

9. PRINCIPLES OF THE DATA PROTECTION POLICY.

The implementation of the Personal Data Protection policy must involve all the organization’s personnel with access to the File or Treatment. The person in charge of the File or its Treatment will take the appropriate measures to make all personnel with access aware of the basic principles that must be governed by the data protection policy.
9.1. Data Processing.

The data must be treated in a loyal manner, in accordance with the prescriptions issued by the File Manager and strictly complying with the conditions and limitations imposed by this Security and Lawful Document, complying with the provisions of the regulations on Protection of Personal Data. Current staff.

9.2. Data Quality and Conservation.

The data collected from the interested parties must be adequate and pertinent and not excessive with respect to the specific purpose for which they were obtained. They may not be used for purposes other than those for which they were collected. The data must be stored in a way that allows the exercise of the right of access. Under no circumstances may fraudulent, unfair or illicit mediums be used for collection.

The data must be accurate and must be up to date. If this is not the case, they must be canceled or replaced ex officio. Personal data must always respond truthfully to the current situation of the affected party. Nor can personal data be kept in the file when they are no longer necessary or relevant for the purpose for which they were collected or recorded.

The data must be kept in a form that allows the identification of the interested parties for a period not exceeding that necessary for the purposes for which they were collected or for which they are subsequently processed.
9.3. Rights of those affected.

The staff of the organization with functions of access to the File must ensure the protection and normal exercise of the rights of those affected, informing the Person Responsible for the File or the person to whom he has designated, about any incident that may affect the normal exercise and protection of the rights of those affected.

The protection of the rights of those affected extends, logically, not only to the normal exercise of their rights against the File Manager, but also in the fulfillment of all those obligations that the regulations impose on the File Manager and that constitute the guarantee of the preservation of the rights of those affected, such as, for example, the right of prior information to those affected in the collection of their personal data.

9.4. Data security and the Duty of Secrecy.

The security of personal data must be guaranteed and its alteration, loss, treatment or unauthorized access must be prevented. All the staff of the organization withfunctions of access to the File or Treatment, you will have to inform the File Manager of any incident that alters or may alter the principle of data security, by the laws and the procedure established in this Document.

The File Manager and whoever intervenes in any phase of the processing of personal data are bound by professional secrecy regarding the data and have the duty to keep it. These obligations will still subsist after the end of their relations with the owner of the file or, if applicable, with their manager.

10. VIDEO SURVEILLANCE

10.1. General Principles:

10.1.1. Exclusions:

Personal data recorded for domestic use or purposes are excluded from this procedure in accordance with the provisions of article 2a) of Organic Law 15/1999, on the Protection of Personal Data, that is, for what it does to the treatment of personal data and the free circulation of these data only contemplates “activities that fall within the framework of the private or family life of individuals” and not other different ones.

Nor will it apply to the treatment of images when they are used for the exercise of their functions by the Security Forces and Bodies, which is covered by specific regulations, everything and that these treatments must also comply with the guarantees established by Organic Law 15 /1999.

10.1.2. Target scope.

The procedure applies to the processing of personal data from images of identified or identifiable natural persons, for surveillance purposes through camera systems and video cameras.

The treatment of images includes the capture, registration, transmission, conservation, and storage of the images captured by the video surveillance systems, including their reproduction or broadcast in real time, as well as the treatment that results from the personal data related to them.

A person will be considered identifiable when his identity can be determined by means of the treatments that are incorporated in this procedure.

10.1.3. Procedure:

I.- Registration of a VIDEO SURVEILLANCE file in the A.E.P.D.

II.– Have the technical report that must contain at least information on the video surveillance system used:

a) Plan for the location of the security cameras in the company and its approach.

b) Number of registration cameras connected to the Security System fundamental characteristics (serial number and optics)

c) Technical description of the characteristics of the computer server that processes the captured images

d) Type of transmissions used to connect the cameras to the receiving server.

III.-Establish a system of copies and storage of the images captured by the video surveillance cameras.

IV.- The person in charge of processing the data in the “VIDEOSURVEILLANCE” File, will be the person appointed as the person in charge of security of the company’s information systems.

V.-Make available to interested parties the form for cancellation of data by the organization.

11. DEFINITIONS.

For the correct implementation of the technical and organizational measures contained in the Security Document, it is necessary to include the definitions given by the regulations on the terms used.

Personal data: Any numerical, alphabetical, graphic, photographic, acoustic or any other type of information that concerns identified or identifiable natural persons.

File: any organized set of personal data that allows access to the data in accordance with certain criteria, whatever the form or modality of the creation, storage, organization and access of the file. .

Non-automated file: Any set of personal data organized in a non-automated manner and structured according to specific criteria relating to natural persons that allow access to their personal data without disproportionate efforts, whether it is centralized , decentralized or distributed functionally or geographically.

Data processing: Any operation or technical procedure, whether automated or not, that allows the collection, recording, conservation, processing, modification, consultation, use, modification, cancellation, blocking or deletion of data, as well as data transfers resulting from communications, queries, interconnections and transfers.

Responsible for the File or Treatment: Natural or legal person, naturalpublic or private entity, or administrative body, which usually or jointly with others decides on the purpose, content and use of the treatment, even if it does not do so materially.

Affected or interested party: Natural person who owns the data that is the object of the treatment.

Data Processor: The natural or legal person, public or private, or administrative body that, alone or jointly with others, processes personal data on behalf of the data controller or the file controller, as a result of the existence of a legal relationship that binds it and defines the scope of its action for the provision of a service.

Consent of the interested party: Any expression of will, free, unequivocal, specific and informed, through which the interested party allows the processing of personal data that concerns him.

Cession or communication of data: Data processing that involves disclosing them to a person other than the interested party.

Authorized accesses: Authorizations granted to a user to use the various resources. If necessary, they must include the authorizations or functions attributed to a user by delegation of the person in charge of the file or treatment or the person in charge of security.

Authentication: Procedure for verifying the identity of a user.

Password: Confidential information, often consisting of a string of characters, that can be used to authenticate a user or to access a resource.

Access control: Mechanism that, depending on the already authenticated identification, allows access to data or resources.

Backup copy: Copy of the data from an automated file on a support that makes it possible to recover them.

Document: Any writing, graphic, sound, image or any other kind of information that can be treated in an information system as a differentiated unit.

Temporary files: Work files created by users or processes that are necessary for occasional processing or as an intermediate step during processing.

Identification: Procedure for recognizing the identity of a user.

Incident: Any anomaly that affects or may affect data security.

User profile: Authorized access to a group of users.

Resource: Any component part of an information system.

Security Manager: Person or persons to whom the File Manager has formally assigned the function of coordinating and controlling the applicable security measures.

Information system: Set of files, treatments, programs, supports and, if necessary, equipment used for the processing of personal data.

Processing system: How an information system is organized or used. Depending on the treatment system, the information systems can be automated, non-automated or partially automated.

Support: Physical object that stores or contains data or documents, or object that can be processed in an information system and on which data can be recorded and retrieved.

Transmission of documents: Any transfer, communication, shipment, delivery or disclosure of the information it contains.

User: Subject or process authorized to access data or resources. Processes that allow access to data or resources without identification of a physical user are considered users.