ALJAOLIVA S.L. (the “company”) is an organization that deals with activities which involve Personal Data. Therefore, the company has the power to design and organize the procedures so that they comply with the legal regulations regarding this matter. In exercising these powers, and in order to lay down the general principles that are to govern the processing of personal data in the company – based on the European Parliament Directive 2016/679 EU of April 27th, 2016 at European level and the Spanish Law 3/2018 of December 5th regarding this matter and which guarantees digital rights as well as any transaction with involves dealing with personal data within national territory – this policy has been approved and is available to employees, customers and third parties.
The personal data protection policy is a proactive responsibility measure that establishes the common principles and guidelines for conduct that are to govern the company as regards personal data protection, ensuring compliance with the applicable law under all circumstances. In particular, this Policy is intended to guarantee the right to protection of personal data for all subjects who establish relations with the company, ensuring respect of the rights to reputation and to privacy in the processing of the various categories of personal data from different sources and for various purposes based on their business activities all in compliance with the Company´s Policy. For this purpose, the management personnel will assign the responsibilities to the staff who participate in activities which involve processing personal data.
This Personal Data Protection Policy shall apply to the Company, administrators, directors and employees as well as to all the subjects who establish relations with it including those providers who have access to data (“in charge of processing data”). The processing of personal data by the Company complies with the European Union regulations at all times including data which may be processed outside a geographical setting. In any case, if personal data is processed in any country outside the EU, we shall look into the possibility to adapt its processing to the norms of the applicable always in compliance with European regulations. Personal data will never be sent to countries or regions where their protection cannot be guaranteed at the level of EU regulations.
- Principles for the Processing of Personal Data
As a general principle the company shall thoroughly comply with personal data protection law in their jurisdiction and shall be able to prove it (Principle of “proactive responsibility”), and pay special attention to the processing of data which may involve a higher risk for the rights of people involved (Principle of “risk scope”). On the basis of the above-mentioned, ALJAOLIVA S.L. will comply with the following Principles:
–Principle of legitimate, lawful and fair processing of personal data. The processing of data shall always be available to the subject through clauses and other procedures. It will only be considered lawful if the consent of the subject is obtained before the data are collected (primarily minors) or another valid authentication is provided and its scope complies with the law.
–Principle of minimization. Only personal data that are strictly necessary of the purposes for which it is collected or processed and adequate for such purposes shall be processed.
– Principle of accuracy. Personal data must be accurate and up-to-date if necessary. Proper measures will be adopted in order to erase or rectify personal data which are inaccurate for specific processing purposes.
–Principle of storage duration limitation. Personal data shall not be stored for longer than is necessary for the purposes for which they are processed.
–Principles of integrity and confidentiality. Personal data must be processed in a manner that uses technical or organizational measures to ensure appropriate security that protects the data against un authorized or unlawful processing and against accidental loss, destruction or damage.
– Acquisition or procurement of personal data. It is forbidden to purchase or obtain personal data from unlawful sources, from sources that do not sufficiently ensure the lawful origin of such data or from sources whose date have been collected or transferred in violation of the law.
–Engagement of data processors. The company will only contract service providers that can guarantee that the personal data processing techniques are appropriate. A written agreement regarding this matter will be documented.
–International data transfers. Any processing of personal data that is subject to European Union regulations and entails a transfer of data outside the European Economic Area must be carried out strictly in compliance with the requirements established by applicable law in the jurisdiction of origin.
-Rights of data subjects. The company must allow data subjects to exercise access rights, rectification, erasure, restriction of processing, portability and objection that are applicable in each jurisdiction, establishing for such purpose such internal procedures as may be necessary to at least satisfy the legal requirements applicable in each case.
The company shall ensure that the principles in this personal data protection policy are taken into consideration (i) when designing and implementing all work procedures, (ii) in all products and services offered, (iii) in all contracts and obligations the company signs, and (iv) when implementing systems and platforms which allow employees or third parties to access personal data.
- Company-worker agreement
The staff shall be informed of this policy and shall be aware of the fact that personal data processing is the company´s responsibility, and when signing a contract with the company they shall comply with the following:
– They must do the appropriate training provided by the company regarding personal data processing.
– They must implement the users´ safety measures pertinent to their job, notwithstanding their responsibilities within their job in ALJAOLIVA, S.L. regarding the design and implementation of such.
– They must use the formats established for the exercise of the rights of the data subjects and inform the Company immediately to ensure an effective response.
– They must inform the company as soon as they have been aware of about possible deviations in this policy, more particularly of “violations of the safety of personal data” by using the pertinent format for such purpose.
- Control and evaluation
Regular audits shall be performed annually or whenever there are significant changes made to data processing and the efficacy of technical and organizational measures in order to verify compliance with this policy.