CUSTOMER DATA PROCESSING


Informative clause:
Data of the person responsible for the treatment:
Identity: CVF Service Center - NIF: X3747799H
Postal address: C / Arles de Tec Nº9 Cubelles Barcelona 08880
Telephone: 650622715 - Email: info@cvfservicenter.com
CVF Service Center treats the information you provide us with in order to provide the requested service and perform your billing. The data provided will be kept as long as the business relationship is maintained or for the time necessary to comply with legal obligations and meet the possible responsibilities that may arise from the fulfillment of the purpose for which the data was collected. The data will not be transferred to third parties except in cases where there is a legal obligation.
You have the right to obtain information about whether CVF Service Center is treating your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to its treatment before CVF Service Center, C / Arles de Tec Nº9 Cubelles Barcelona 08880 or at the email address info@cvfservicecenter.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national control authority by addressing this purpose to the Spanish Data Protection Agency, C / Jorge Juan, 6 - 28001 Madrid.
Management contract in charge of managing with clients:
1. Purpose of the processing order
Through these clauses, AB&AR GARCIA CAQRDEÑOSA ASOCIADOS SCP, with address at Pasaje Joan Miro 8 Cubelles 08880 and NIF J64685852, is empowered to process, on behalf of CVF Service Center as responsible for the treatment, the personal data necessary to provide the service specified hereinafter.
The treatment will consist of Professional Services Lawyers, Management and Architecture.
2. Identification of the affected information
For the execution of the services derived from the fulfillment of the object of this order, the CVF Service Center entity, as data controller, makes available to the entity AB&AR GARCIA CAQRDEÑOSA ASOCIADOS SCP, the identification and banking data of its clients.
3. Duration
This agreement has a duration of, being automatically renewed unless otherwise decided by one of the parties.
Once this contract ends, the person in charge of the treatment must return to the person responsible for the treatment, or transmit to another person in charge of the treatment designated by the person responsible, the personal data processed and delete any copy that is in their possession. However, the person in charge of the treatment may keep the data blocked for the minimum time necessary to attend to possible responsibilities that may arise from their relationship with CVF Service Center, destroying them safely and definitively at the end of said period.
4. Obligations of the person in charge of the treatment
The person in charge of the treatment and all his staff are obliged to:
Use the personal data that is the object of treatment, or those that he collects for their inclusion, only for the purpose of this order. In no case may he use the data for his own purposes.
Treat the data in accordance with the documented instructions of the controller. If the person in charge of the treatment considers that any of the instructions provided infringes the General Data Protection Regulation or any other provision on data protection, the person in charge of the treatment will immediately inform the person responsible for the treatment.
Keep, in writing, a record of all the categories of treatment activities carried out on behalf of the person in charge, containing:
1 The name and contact details of the person in charge or managers and of each manager on behalf of whom the manager acts and, where appropriate, the representative of the manager or manager and the data protection officer.
2 The categories of processing carried out on behalf of each person in charge.
3 An overview of the appropriate technical and organizational security measures you are applying.
Do not communicate or disseminate the data to third parties, unless you have the express authorization of the person responsible for the treatment or in the legally admissible cases.
If the person in charge of the treatment wants to subcontract, totally or partially, the services that are the object of this contract, he must inform the person responsible for the treatment and request their prior authorization.
Maintain the duty of secrecy regarding the personal data to which you have had access by virtue of this order, even after the contract ends.
Guarantee that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which the person in charge must inform them appropriately.
Keep at the disposal of the person in charge the supporting documentation of compliance with the obligation established in the previous section.
Guarantee the necessary training in the protection of personal data of the persons authorized to process personal data.
When the affected persons exercise the rights of access, rectification, deletion and portability of data and opposition and limitation of the treatment before the person in charge of the treatment, the latter must communicate it by email to the address indicated by the person responsible for the treatment as soon as possible. The communication must be made immediately and in no case beyond the business day following the receipt of the request, together, where appropriate, with other information that may be relevant to resolve it. It will assist the person in charge, whenever possible, so that he or she can comply with and respond to the exercises of rights.
Notification of data security breaches:
The person in charge of the treatment will notify the person responsible for the treatment, without undue delay and through the email address indicated by the person responsible, of the violations of the security of the personal data in his charge of which he has knowledge, together with all the information relevant for the documentation and communication of the incident. Likewise, it will notify any failure that it has suffered in its information treatment and management systems and that may endanger the security of the personal data processed, its integrity or availability, as well as any possible violation of confidentiality resulting from the data and information accessed during the execution of the contract becoming known to third parties.
At least the following information will be provided:
a) Description of the nature of the violation of personal data security, including, when possible, the categories and approximate number of affected interested parties, and the categories and approximate number of affected personal data records.
b) Contact person details for more information.
c) Description of the possible consequences of the violation of the security of personal data.
d) Description of the measures adopted or proposed to remedy the violation of the security of personal data, including, if applicable, the measures adopted to mitigate the possible negative effects.
If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.
AB&AR GARCIA CAQRDEÑOSA ASOCIADOS SCP, at the request of the person in charge, will communicate these data security violations to the interested parties as soon as possible, when the violation is likely to pose a high risk to the rights and freedoms of natural persons.
The communication must be carried out in a clear and simple language and must include the elements indicated by the person in charge in each case, at least:
a) The nature of the data breach.
b) Data of the contact point of the person responsible for the treatment or the person in charge of the treatment where more information can be obtained.
c) Describe the possible consequences of the violation of the security of personal data.
d) Describe the measures adopted or proposed by the person responsible for the treatment to remedy the violation of the security of personal data, including, if applicable, the measures adopted to mitigate the possible negative effects.
Make available to the person in charge all the information necessary to demonstrate compliance with their obligations, as well as to allow and contribute to the performance of the audits or inspections carried out by the person in charge or another auditor authorized by him.
Implement the technical and organizational security measures necessary to guarantee the confidentiality, integrity, availability and permanent resilience of the systems and services for the treatment of personal data:
Delete, return to the person in charge or deliver, where appropriate, to a new manager as determined by CVF Service Center, all personal data once the provision of the treatment service in charge has been completed.
The destruction of the data does not proceed when there is a legal provision that requires its conservation, in which case it must be returned to the person in charge who will guarantee its conservation, duly blocked, as long as such obligation persists.
The return must entail the total erasure of the existing data in the computer equipment used by the person in charge. However, the person in charge may keep a copy of the data, duly blocked, while responsibilities may arise from the execution of the services provided to the person responsible for the treatment.
5. Obligations of the data controller
Corresponds to the person responsible for the treatment:
a) Give the person in charge the necessary data so that he can provide the service.
b) Ensure, previously and throughout the treatment, compliance with the current provisions on data protection by the person in charge of the treatment.
c) Supervise the treatment, including the possibility of requesting information to verify compliance with the obligations established in this contract.
Treatment: Clients
a) data controller
Identity: CVF Service Center - NIF: X3747799H
Postal address: C / Arles de Tec Nº9 Cubelles Barcelona 08880
Email: info@cvfservicescenter.com
Phone: 650622715
b) Purpose of the treatment
Customer relationship management
c) Categories of interested parties
Clients: People with whom a commercial relationship is maintained as clients
d) Data categories
Those necessary for the maintenance of the commercial relationship. Billing, sending postal or email advertising, after-sales service and loyalty
Identification: name and surname, NIF, postal address, telephone numbers, e-mail
Bank details: for direct debit of payments
e) Categories of recipients
State Tax Administration Agency
f) International transfers
International transfers are not planned
g) Period of deletion
Those provided for by tax legislation regarding the prescription of responsibilities
h) Security measures
Those reflected in the ANNEX SECURITY MEASURES
Treatment: Potential Clients
a) Responsible for the treatment
Identity: CVF Service Center - NIF: X3747799H
Postal address: C / Arles de Tec Nº9 Cubelles Barcelona 08880
Email: info@servicecenter.com
Phone: 650622715
b) Purpose of the treatment
Management of the relationship with potential clients
c) Categories of interested parties
Potential customers: People with whom you want to maintain a business relationship as customers
d) Data categories
Those necessary for the commercial promotion of the company
Identification: name and surname and postal address, telephone numbers, e-mail
e) Categories of recipients
It is not contemplated
f) Period of deletion
One year from the first contact
g) Security measures
Those reflected in the ANNEX SECURITY MEASURES
ANNEX
INFORMATION OF GENERAL INTEREST
This document has been designed for low-risk personal data processing, from which it is deduced that it cannot be used for personal data processing that includes personal data related to ethnic or racial origin, political, religious or philosophical ideology, union affiliation, genetic and biometric data, health data, and data on people's sexual orientation, as well as any other data processing that involves high risk for people's rights and freedoms.
Article 5.1.f of the General Data Protection Regulation (hereinafter, RGPD) determines the need to establish adequate security guarantees against unauthorized or illegal treatment, against the loss of personal data, destruction or accidental damage. This implies the establishment of technical and organizational measures aimed at ensuring the integrity and confidentiality of personal data and the possibility of demonstrating, as established in article 5.2, that these measures have been carried out (proactive responsibility).
In addition, it must establish visible, accessible and simple mechanisms for the exercise of rights and have defined internal procedures to guarantee the effective attention of the requests received.
ATTENTION OF THE EXERCISE OF RIGHTS
The person responsible for the treatment will inform all workers about the procedure to address the rights of the interested parties, clearly defining the mechanisms by which the rights can be exercised (electronic means, reference to the Data Protection Delegate, if any, postal address, etc.) and taking into account the following:
o Upon presentation of their national identity document or passport, the holders of personal data (interested parties) may exercise their rights of access, rectification, deletion, opposition, portability and limitation of treatment. The exercise of rights is free.
o The person in charge of the treatment must respond to the interested parties without undue delay and in a concise, transparent, intelligible way, with a clear and simple language and keep the proof of compliance with the duty to respond to the requests for the exercise of rights made.
o If the request is submitted by electronic means, the information will be provided by these means whenever possible, unless the interested party requests otherwise.
o Requests must be answered within 1 month of receipt, and may be extended by another two months taking into account the complexity or number of requests, but in that case the interested party must be informed of the extension within a month from the receipt of the request, indicating the reasons for the delay.
RIGHT OF ACCESS: In the right of access, the interested parties will be provided with a copy of the personal data that is available together with the purpose for which they have been collected, the identity of the recipients of the data, the anticipated retention periods or the criteria used to determine it, the existence of the right to request the rectification or deletion of personal data as well as the limitation or opposition to its treatment, the right to file a claim with the Spanish Agency for Data Protection and if the data has not been obtained from the interested party, any available information about its origin. The right to obtain a copy of the data cannot adversely affect the rights and freedoms of other interested parties.
RIGHT OF RECTIFICATION: In the right of rectification, the data of the interested parties that were inaccurate or incomplete will be modified according to the purposes of the treatment. The interested party must indicate in the request what data they refer to and the correction to be made, providing, when necessary, supporting documentation for the inaccuracy or incompleteness of the data being processed. If the data has been communicated by the person in charge to other managers, they must notify them of the rectification of these unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.
           
RIGHT OF DELETION: In the right of deletion, the data of the interested parties will be deleted when they express their refusal to treatment and there is no legal basis that prevents it, they are not necessary in relation to the purposes for which they were collected, they withdraw consent provided and there is no other legal basis that legitimizes the treatment or it is illegal. If the deletion derives from the exercise of the interested party's right of opposition to the processing of their data for marketing purposes, the identification data of the interested party may be kept in order to prevent future processing. If the data has been communicated by the person in charge to other managers, they must notify them of the deletion of these unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.
RIGHT OF OPPOSITION: In the right of opposition, when the interested parties express their refusal to process their personal data before the person in charge, this will stop processing them as long as there is no legal obligation to prevent it. When the treatment is based on a mission of public interest or the legitimate interest of the person in charge, upon a request to exercise the right of opposition, the person in charge will stop processing the data unless compelling reasons are proven that prevail over the interests, rights and freedoms of the interested party or are necessary for the formulation, exercise or defense of claims. If the interested party opposes the treatment for direct marketing purposes, the personal data will no longer be processed for these purposes.
PORTABILITY RIGHT: In the portability right, if the treatment is carried out by automated means and is based on consent or is carried out within the framework of a contract, the interested parties may request to receive a copy of their personal data in a structured, commonly used and machine-readable format. Likewise, they have the right to request that they be transmitted directly to a new person in charge, whose identity must be communicated, when technically possible.
RIGHT TO LIMIT THE TREATMENT: In the right to limit the treatment, the interested parties may request the suspension of the treatment of their data to challenge its accuracy while the person in charge carries out the necessary verifications, or in the event that the treatment is carried out based on the legitimate interest of the person in charge or in compliance with a mission of public interest, while verifying if these reasons prevail over the interests, rights and freedoms of the interested party. The interested party can also request the conservation of the data if he considers that the treatment is illegal and, instead of the deletion, requests the limitation of the treatment, or if the person in charge no longer needs the data for the purposes for which they were collected but the interested party needs them for the formulation, exercise or defense of claims. The circumstance that the processing of the data of the interested party is limited must be clearly stated in the systems of the person in charge. If the data has been communicated by the person in charge to other controllers, they must notify them of the limitation of their treatment unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.
If the interested party's request is not followed up, the data controller will inform them, without delay and no later than one month after receiving the request, of the reasons for their non-action and the possibility of filing a claim with the Spanish Data Protection Agency and to exercise legal actions.