REGISTRATION OF PROCESSING ACTIVITIES

Treatment: Clients

a) Responsible for the treatment

Identity: Maria Borgoñó García - NIF: 73206665B

Postal address:  C. Salamero, 1, 22430 Graus, Huesca

Email: contacto@floristeriaborgono.es

Phone: 974540075

b) Purpose of processing

Customer relationship management

c) Categories of stakeholders

Customers: People with whom a business relationship is maintained as customers

d) Categories of data

Those necessary for the maintenance of the commercial relationship. Invoicing, sending postal or email advertising, after-sales service and loyalty

Identification: name and surname, NIF, postal address, telephones, e-mail

Bank details: for direct debit payments

e) Categories of recipients

Marketing

f) International transfers

No international transfers are planned

g) Period of deletion

Those provided for by tax legislation regarding the prescription of responsibilities

h) Security measures

Those reflected in the ANNEX SECURITY MEASURES

Treatment: Potential Clients

a) Responsible for the treatment

Identity: Maria Borgoñó García - NIF: 73206665B

Postal address:  C. Salamero, 1, 22430 Graus, Huesca

Email: contacto@floristeriaborgono.es

Phone: 974540075

b) Purpose of processing

Management of the relationship with potential customers

c) Categories of stakeholders

Potential customers: People with whom a business relationship as customers is sought

d) Categories of data

Those necessary for the commercial promotion of the company

Identification: name and surname and postal address, telephone numbers, e-mail

e) Categories of recipients

Marketing Agency

f) International transfers

No international transfers are planned

g) Period of deletion

One year from first contact

h) Security measures

Those reflected in the ANNEX SECURITY MEASURES

ANNEX 

INFORMATION OF GENERAL INTEREST

This document has been designed for low-risk personal data processing, from which it follows that it may not be used for the processing of personal data that includes personal data relating to ethnic or racial origin, political, religious or philosophical ideology, trade union membership, genetic and biometric data, health data, and sexual orientation data of individuals, or for any other data processing that involves high risk for the rights and freedoms of individuals.

Article 5.1.f of the General Data Protection Regulation (hereinafter GDPR) determines the need to establish adequate security guarantees against unauthorized or unlawful processing, against loss of personal data, destruction or accidental damage. This implies the establishment of technical and organizational measures aimed at ensuring the integrity and confidentiality of personal data and the possibility of demonstrating, as established in article 5.2, that these measures have been implemented (proactive responsibility).

In addition, it must establish visible, accessible and simple mechanisms for the exercise of rights and have defined internal procedures to guarantee the effective attention of the requests received.

ATTENTION TO THE EXERCISE OF RIGHTS

The data controller will inform all workers about the procedure for addressing the rights of the interested parties, clearly defining the mechanisms by which the rights can be exercised (electronic means, reference to the Data Protection Delegate if any, postal address, etc.) and taking into account the following:

Upon presentation of their national identity document or passport, the holders of the personal data (interested parties) may exercise their rights of access, rectification, deletion, opposition, portability and limitation of treatment. The exercise of rights is free of charge.

The controller shall respond to data subjects without undue delay and in a concise, transparent, intelligible manner, in clear and plain language and shall retain proof of compliance with the duty to respond to requests for the exercise of rights made. 

If the request is submitted by electronic means, the information shall be provided by these means where possible, unless the data subject requests otherwise.

Requests must be answered within 1 month of receipt. This period may be extended by another two months taking into account the complexity or number of requests, but in that case the interested party must be informed of the extension within one month of receipt of the request, indicating the reasons for the delay.

RIGHT OF ACCESS: In the right of access, the interested parties will be provided with a copy of the personal data available together with the purpose for which they were collected, the identity of the recipients of the data, the expected conservation periods or the criterion used to determine it, the existence of the right to request the rectification or deletion of personal data as well as the limitation or opposition to their treatment, the right to file a claim with the Spanish Agency for Data Protection and if the data has not been obtained from the interested party, any available information on its origin. The right to obtain a copy of the data may not adversely affect the rights and freedoms of other data subjects.

Form for the exercise of the right of access.

RIGHT OF RECTIFICATION: In the right of rectification, the data of the interested parties that were inaccurate or incomplete will be modified according to the purposes of the treatment. The interested party must indicate in the request to which data it refers and the correction to be made, providing, when necessary, the documentation justifying the inaccuracy or incompleteness of the data being processed. If the data have been communicated by the person in charge to other controllers, he must notify them of the rectification of these unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.

Form for exercising the right of rectification

RIGHT OF DELETION: In the right of deletion, the data of the interested parties will be eliminated when they express their refusal to the treatment and there is no legal basis that prevents it, they are not necessary in relation to the purposes for which they were collected, they withdraw the consent given and there is no other legal basis that legitimizes the treatment or it is illegal. If the deletion derives from the exercise of the right of opposition of the interested party to the processing of their data for marketing purposes, the identification data of the interested party may be kept in order to prevent future processing. If the data have been communicated by the controller to other controllers, he must notify them of the deletion of these unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.

Form for the exercise of the right of deletion.

RIGHT OF OPPOSITION: In the right of opposition, when the interested parties express their refusal to the processing of their personal data before the person in charge, the latter will stop processing them provided that there is no legal obligation that prevents it. When the processing is based on a task of public interest or on the legitimate interest of the controller, in response to a request to exercise the right to object, the controller shall cease to process the data unless compelling reasons are demonstrated that prevail over the interests, rights and freedoms of the interested party or are necessary for the formulation, exercise or defense of claims. If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

Form for the exercise of the right of opposition.

RIGHT OF PORTABILITY: In the right of portability, if the treatment is carried out by automated means and is based on consent or is carried out within the framework of a contract, the interested parties may request to receive a copy of their personal data in a structured, commonly used and machine-readable format. Likewise, they have the right to request that they be transmitted directly to a new person in charge, whose identity must be communicated, when technically possible.

Form for the exercise of data portability.

RIGHT OF LIMITATION TO TREATMENT: In the right of limitation of treatment, the interested parties can request the suspension of the processing of their data to contest its accuracy while the person responsible carries out the necessary verifications or in the event that the treatment is carried out based on the legitimate interest of the person responsible or in compliance with a mission of public interest, while verifying whether these grounds prevail over the interests, rights and freedoms of the data subject. The interested party may also request the conservation of the data if he considers that the treatment is unlawful and, instead of the deletion, requests the limitation of the treatment, or if, even though the person responsible no longer needs them for the purposes for which they were collected, the interested party needs them for the formulation, exercise or defense of claims. The fact that the processing of the data subject's data is restricted shall be clearly stated in the controller's systems. If the data have been communicated by the controller to other controllers, he must notify them of the limitation of the processing of these unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.

Form for the exercise of the limitation of the treatment.

If the request of the interested party is not processed, the data controller will inform him, without delay and no later than one month after receipt of this, of the reasons for his non-action and of the possibility of filing a claim with the Spanish Agency for Data Protection and of exercising legal actions.

SECURITY MEASURES

Based on the type of processing you indicated when completing this form, the minimum security measures that you should take into account are the following:

ORGANIZATIONAL MEASURES

INFORMATION THAT MUST BE KNOWN BY ALL PERSONNEL WITH ACCESS TO PERSONAL DATA

All personnel with access to personal data shall be aware of their obligations in relation to the processing of personal data and shall be informed of such obligations. The minimum information that will be known to all staff will be the following:

DUTY OF CONFIDENTIALITY AND SECRECY

Access to personal data by unauthorized persons must be prevented. To this end, personal data must not be left exposed to third parties (unattended electronic screens, paper documents in public access areas, media containing personal data, etc.). This consideration includes screens that are used for the display of images of the video surveillance system. When you are absent from the workstation, the screen will be locked or the session will be closed.

Paper documents and electronic media will be stored in a secure place (cabinets or rooms with restricted access) 24 hours a day. 

Documents or electronic media (CDs, pen drives, hard drives, etc.) containing personal data will not be discarded without ensuring their effective destruction.

Personal data or any other personal information will not be communicated to third parties, paying special attention not to disclose protected personal data during telephone consultations, emails, etc.

The duty of secrecy and confidentiality persists even when the worker's employment relationship with the company ends.

PERSONAL DATA SECURITY BREACHES

When personal data security breaches occur, such as theft or improper access to personal data, the Spanish Agency for Data Protection will be notified within 72 hours about such security breaches, including all the information necessary for the clarification of the facts that would have given rise to improper access to personal data. The notification will be made by electronic means through the electronic headquarters of the Spanish Agency for Data Protection at the address https://sedeagpd.gob.es/sede-electronica-web/.

TECHNICAL MEASURES

IDENTIFICATION

When the same computer or device is used for the processing of personal data and purposes of personal use, it is recommended to have several different profiles or users for each of the purposes. The professional and personal uses of the computer should be kept separate.

It is recommended to have profiles with administrative rights for system installation and configuration and users without privileges or administrative rights for access to personal data. This measure will prevent access privileges or modification of the operating system from being obtained in the event of a cybersecurity attack.

The existence of passwords for access to personal data stored in electronic systems shall be guaranteed. The password will have at least 8 characters, with a mixture of numbers and letters.

When personal data is accessed by different persons, for each person with access to personal data, a specific username and password will be available (unambiguous identification).

The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties. For the management of passwords you can consult the guide to privacy and security on the internet of the Spanish Agency for Data Protection and the National Institute of Cybersecurity. In no case will passwords be shared or left in a common place accessible to people other than the user.

DUTY TO SAFEGUARD 

The following are the minimum technical measures to ensure the safeguarding of personal data: 

UPDATING OF COMPUTERS AND DEVICES: The devices and computers used for the storage and processing of personal data must be kept up to date as much as possible.  

MALWARE: In the computers and devices where the automated processing of personal data is carried out, an antivirus system will be available that guards, as far as possible, against the theft and destruction of personal information and data. The antivirus system should be updated periodically.

FIREWALL: To prevent improper remote access to personal data, care will be taken to guarantee the existence of an activated and correctly configured firewall on those computers and devices on which the storage and / or processing of personal data is carried out.

DATA ENCRYPTION: When it is necessary to extract personal data outside the premises where it is processed, either by physical or electronic means, the possibility of using an encryption method to guarantee the confidentiality of personal data in case of improper access to the information must be assessed.

BACKUP: Periodically a backup will be made on a second medium different from the one used for daily work. The copy will be stored in a safe place, other than that where the computer with the original files is located, in order to allow the recovery of personal data in case of loss of information. 

The security measures will be reviewed periodically; the review may be carried out by automatic mechanisms (software or computer programs) or manually. Consider that any computer security incident that has happened to anyone you know can happen to you, and protect yourself against it.

If you want more information or technical guidance to guarantee the security of personal data and the information processed by your company, the National Institute of Cybersecurity (INCIBE) makes tools with a business focus available on its website www.incibe.es, in the section "Protect your company", where, among other services, it has:

a training section with a video game, challenges for incident response and interactive sectoral training videos,

an Employee Awareness Kit,

various tools to help the company improve its cybersecurity, including policies for the employer, technical staff and employee, a catalog of companies and security solutions and a risk analysis tool,

thematic dossiers supplemented with videos and infographics and other resources,

guides for the entrepreneur.

In addition, INCIBE, through the Internet Security Office, also offers you free computer tools and additional information that may be useful for your company or your professional activity.

CAPTURE OF IMAGES WITH CAMERAS AND SECURITY PURPOSE

(VIDEO SURVEILLANCE)

The image of a person, to the extent that it identifies him or can identify him, constitutes personal data that can be processed for various purposes. Although the most common is to use cameras to ensure the safety of people, goods and facilities, they can also be used for other purposes such as monitoring the labor provision of workers. Below are the basic guidelines to be respected so that the treatment of images obtained from video surveillance cameras is in accordance with data protection regulations. However, it is recommended to consult the Guide on the use of video cameras for security and other purposes for a more exhaustive knowledge of the obligations involved in this type of treatment.

LOCATION OF THE CAMERAS: The capture of images in areas intended for workers' rest will be avoided, as well as the capture of public roads if outdoor cameras are used; only the capture of the minimum extension essential to preserve the safety of people, goods and facilities is allowed.

LOCATION OF MONITORS: The monitors where the images of the cameras are displayed will be located in a restricted access space so that they are not accessible to third parties. The recorded images will only be accessed by authorized personnel.

CONSERVATION OF IMAGES: The images will be stored for a maximum period of one month, with the exception of images that prove the commission of acts that threaten the integrity of people, property and facilities. In that case, the images must be made available to the competent authority within 72 hours of becoming aware of the existence of the recording.

DUTY OF INFORMATION: Information about the existence of cameras and the recording of images will be given by means of an informative badge placed in a sufficiently visible place, identifying at least the identity of the person responsible and the possibility of the interested parties to exercise their rights in terms of data protection. In the pictogram itself, a connection code or internet address in which this information is displayed may also be included. Models of both the pictogram and the text are available on the Agency's website.

Model of warning poster of video-monitored area.

LABOR CONTROL: When the cameras are to be used for the purpose of labor control as provided in article 20.3 of the Workers' Statute, the worker and his union representatives will be informed by any means that guarantees the receipt of information about the control measures established by the employer with express indication of the purpose of labor control of the images captured by the cameras.

RIGHT OF ACCESS TO IMAGES: To comply with the right of access of the interested parties to the recordings of the video surveillance system, a recent photograph and the National Identity Document of the interested party will be requested to verify their identity, as well as the detail of the date and time to which the right of access refers. The data subject shall not be given direct access to images from cameras showing images of third parties. If it is not possible for the interested party to view the images without showing images of third parties, they will be provided with a document confirming or denying the existence of images of the interested party.

For more information you can consult the guide and video surveillance sheets and legal reports published by the Spanish Agency for Data Protection in the Video Surveillance section. 
