Version: 1.1

Effective date: 01/01/2021

 

The Privacy and Personal Data Protection Conditions (the Conditions) contained in this document apply to the services contracted as a result of the acceptance of an offer or proposal for consulting or audit services.

The applicable conditions will be those effective at the time the offer or proposal is sent. However, INGECAL reserves the right to make changes to these conditions, which will be communicated sufficiently in advance to the interested parties. The changes will become effective automatically as of the dates of entry into force indicated. In the event that you do not wish to accept them, you may give notice before the effective date to cancel the contracted services.

PRIVACY POLICY

Acceptance of the offer or proposal of services implies that both parties mutually authorize each other to incorporate their personal contracting data, together with any data obtained during the term of the contract, to be processed under their respective responsibility.

In the event that either party has provided personal data of third parties, the signatory of the respective party guarantees that it has lawfully collected them and has provided the data subjects with the necessary information on the processing of their data. Furthermore, the signatories agree that each party is responsible for seeking the consent of the data subjects for the transfer and processing of their personal data on behalf of the other party.

The purpose of the treatment is to carry out the management of this contractual relationship and the provision of the services deriving from it.

The processing is legitimized by the fact that it is necessary for the performance of a contract to which the data subjects are party.

The data may be communicated to necessary collaborators to whom we delegate part of the provision of the contracted services and other companies that provide us with services related to the ordinary and administrative activity of the company as data processors, whether national or international, such as, among others, email services providers, web hosting services, server hosting, SaaS management application services, file archiving in the cloud and others.

The provision of these services may involve the processing of personal data by companies located in countries outside the European Economic Area (international data transfers). However, this will only be done with countries that offer an adequate level of protection or that have made Standard Contractual Clauses (SCC) available to us in accordance with the European Commission’s decision for data transfers from controllers in the EU to processors established outside the EU.

Also, the data provided may be communicated to third parties and competent official bodies under the terms required by the legislation and regulations in force in order to enable the provision of the contracted services.

The data collected will be kept for the time necessary to fulfil the purpose for which they were collected, to maintain the INGECAL customers register and to determine the possible liabilities that may arise from this purpose and from the processing of the data.

The data subject may at any time exercise their rights of access, rectification, deletion and portability of their personal data, as well as those of opposition and limitation of their processing.

These rights may be exercised free of charge by the interested party, and where appropriate by anyone representing him, by means of a written and signed request, accompanied by a copy of their ID card or equivalent document accrediting their identity, addressed to:

  • By email: ingecal@ingecal.cat
  • By post: Av. Cerdanyola 98, stairs B, 4º, office 18 – Edif. Collserola, 08173 Sant Cugat del Vallès (Barcelona)

In the case of representation, it must be proven by means of a written document and by attaching a copy of the ID card or equivalent document proving the representation.

In addition to the aforementioned rights, the data subject shall have the right to withdraw the consent granted at any time by means of the procedure described above, without this withdrawal of consent affecting the lawfulness of the processing prior to the withdrawal of consent. INGECAL may continue to process the data subject’s personal data of the extent that any other legitimacy justifying such processing persists.

INGECAL reminds the data subject that they have the right to lodge a complaint with the relevant supervisory authority (Spanish Data Protection Agency).

CONFIDENTIALITY OF INFORMATION

Confidential information is any information (commercial, technical, clinical or other) of the client company about its business affairs, technology, processes, products, plans, facilities and premises, which before being received by either parties was not known to them or were in their possession without obligation of confidentiality. Information that is publicly accessible on the websites of customers, suppliers or employees is not considered confidential.

The confidential nature of the information that could come to your knowledge through access to the company’s computer systems is expressly stated.

INGECAL undertakes to treat all information to which it has access or which it receives from its clients as confidential and to use it only to fulfil its obligations in accordance with the contracted service.

In particular, INGECAL undertakes to maintain secrecy and guarantee confidentiality and security with respect to the data to which it may have access for reasons of providing the contracted service. It may not make use of the confidential information to which it has access for purposes other than those determined by the services proposal, and the communication or transfer of confidential information is expressly prohibited.

This obligation of confidentiality does not apply (a) where the disclosing party has given its prior written consent; (b) to disclosures that we make to our subcontractors, external consultants to whom we delegate part of the performance of services, or to our auditors and professional advisors; (c) to disclosures that must be made in order to comply with legal or regulatory obligations; (d) to information that has been independently generated by the receiving party; or (e) where the disclosing party has given its prior written consent; (c) to disclosures that must be made in order to comply with legal or regulatory obligations; (d) to information that has been independently generated by the receiving party; or (e) where the disclosing party obtains the information without any breach of this confidentiality obligation.

Should it be necessary to communicate confidential information to a third party for justified reasons in the provision of the service, INGECAL guarantees that the recipient will assume an obligation of confidentiality at least as strict as that provided for in the provisions of this clause.

The obligation to maintain confidentiality shall remain in force after the termination or expiry of the service contract.

PERSONAL DATA PROCESSOR

The provision of the contracted service may entail the need to access circumstantially to personal data for which the client is responsible.

In this event, INGECAL states that:

  • The customer is the PERSON RESPONSIBLE FOR THE PROCESSING of personal data that it makes available to INGECAL as a PROCESSOR by virtue of the service contract that binds them. This access is not considered as a communication of data.
  • By means of these clauses, the data controller provides and delegates the necessary functions so that INGECAL can process the personal data necessary to provide the contracted services.
  • That, for the execution of the services derived from the fulfilment of the object of this order, the data controller allows INGECAL access to the personal data of its company necessary to carry out the contracted service.
  • In this case, access by INGECAL’s staff and collaborators, as data processor, will only be carried out using the means and equipment provided by the client itself, as data controller, and in accordance with its instructions. Neither INGECAL, nor its staff or collaborators shall carry out any processing of personal data on behalf of the client on their own equipment.
  • Only in exceptional, specific, fully justified and formally authorised cases may INGECAL staff and collaborators process personal data on behalf of the client on their own equipment.
  • Consequently, it is determined that it is only required to provide processing guarantees in relation to confidentiality risks. In no case is INGECAL obliged to the custody of data and, therefore, it is not required to provide guarantees in relation to the risks of integrity and availability of personal data to which it may have access on behalf of the data controller.
  • That the processing, due to the nature of the data processed, is subject to the provisions contained in the current legislation on Personal Data Protection.

INGECAL undertakes to process the personal data to which it has access in accordance with the instructions received by virtue of the contractual relationship for the provision of services that links both parties, in all those aspects in which its intervention is required and in accordance with the activities specified in the previous point.

This agreement shall remain in force as long as the present agreement or contractual relationship between the parties exists, unless either party decides otherwise.

Upon termination of this contract, INGECAL must cancel, return to the data controller the personal data in its charge, and delete any copies in its possession. However, it may keep the data blocked in order to attend to possible administrative or jurisdictional responsibilities.

INGECAL, as the party responsible for the processing of such personal data in order to carry out the services entrusted to it, undertakes to treat such data with due diligence and in accordance with its best professional judgement and dedication.

The customer, as the controller, is responsible for complying with all technical and organisational measures necessary to guarantee the security of the processing, in terms of processing centres, premises, equipment, systems, programmes and persons involved in the processing of the personal data in question.

The data controller undertakes to:

  • Guarantee that such treatments are duly legitimised and legalised, stating that they have complied with all the legal requirements for the collection and treatment of personal data.
  • To provide access and adequate means so that INGECAL can provide the contracted service
  • Respond to the guarantees of those affected, such as the rights of access, rectification, cancellation and opposition.
  • Facilitate the right to information at the time of data collection.
  • Carry out a personal data protection impact assessment of the processing operations to be carried out by the processor.
  • Conduct prior consultation as appropriate.
  • Communicate to the data processor any variation that may occur in the personal data provided so that the latter may proceed to update them.
  • To ensure, before and during the term of the contract, that the person in charge complies with the legislation in force.
  • It must be verified that the processor provides sufficient guarantees regarding the implementation and maintenance of appropriate technical and organisational measures.
  • Overseeing treatments, including carrying out inspections and audits.

INGECAL, as data processor, and all its staff and collaborators are obliged to:

  • Use the personal data undergoing processing, or those collected for their inclusion, only for the purpose of this order. Under no circumstances may it use the data for its own purposes.
  • To process the data in accordance with the instructions of the data controller.
  • Keep, in writing, a record of all categories of processing activities carried out on behalf of the controller.
  • Not to communicate the data to third parties, except with the express authorisation of the data controller, or in the legally admissible cases.

The processor may communicate the data to other processors of the controller in accordance with the instructions of the controller.

  • In the event that personal data have to be transferred to a third country outside the EU, assure the controller that they are transferred to a country that is recognised by the European Commission as providing an adequate level of protection or that there are safeguards for protection.
  • Only subcontract those services that form part of the object of this contract and that involve the processing of personal data to necessary collaborators to whom part of the provision of the contracted services is delegated and other companies that provide services related to the ordinary and administrative activity of the company.

In any event, the sub-processor shall be subject to the same conditions and in the same manner as the processor as regards the proper processing of personal data and the guarantee of the rights of the data subjects.

In the event of non-compliance by the sub-processor, the processor shall remain fully responsible to you for compliance with the sub-processor’s obligations:

  • Maintain the duty of secrecy with regard to personal data to which it has access by virtue of this assignment, even after the end of the contract
  • Ensure that persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they have been duly informed.
  • Keep at the disposal of the data controller the documentation accrediting compliance with the obligation established in the previous section.
  • Ensure the necessary training in the protection of personal data for persons authorised to process personal data.

If the data subjects exercise their rights of access, rectification, erasure and objection, restriction of processing and data portability before the data processor, the latter must communicate this by e-mail to the address indicated by the data controller. The communication must be made immediately and in no case later than the working day following receipt of the request, together, where appropriate, with other information that may be relevant for resolving the request.

INGECAL shall notify the data controller, without undue delay and by the means indicated by the latter, of any breaches of the security of the personal data under its responsibility of which it becomes aware, together with all relevant information for the documentation and communication of the incident.

If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided gradually without undue delay.

INGECAL makes available to the controller all the information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the controller or any other auditor authorised by the controller.

In the event of non-compliance by INGECAL with any of its obligations as data processor, it shall be considered responsible for the processing, and shall be liable for any infringements it may have personally incurred.

INFORMATION SECURITY GUARANTEES

In order to safeguard the security of information in general and personal data in particular, INGECAL has adopted all the technical and organisational measures necessary to ensure the security of the data to which it has access in terms of guaranteeing the permanent confidentiality, integrity, availability and resilience of the processing systems and services.

Specifically, security measures are in place consisting of:

  • Physical access control and protection of equipment, persons and facilities where data processing is carried out.
  • Access to its computer systems is by means of individual users and passwords, limiting access to data to those employees who strictly require it for the performance of their jobs.
  • That it makes backup copies of personal data for which it has an obligation to maintain the integrity and availability.
  • Where media or documents containing personal data are managed, they are duly kept under lock and key or equivalent locking devices.
  • Network perimeter protection systems to prevent intrusions and anti-virus protection of your computer systems.
  • A security incident log is in place and security breach notification mechanisms and procedures are in place.
  • That a Continuity Plan is in place that provides for the ability to restore availability and access to personal data quickly in the event of a physical or technical incident within the timeframe required to meet the business commitments to which we are obliged under our service contract.

INGECAL has also implemented internal controls in order to verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organisational measures implemented to guarantee the security of the processing.

Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt
0

Start typing and press Enter to search

"data-cookieyes"=“cookieyes-other”"data-cookieyes"=“cookieyes-analytics”"data-cookieyes"=“cookieyes-advertisement”"data-cookieyes"=“cookieyes-functional”