    General privacy policy

    1. Purpose and scope

    This policy:

    • Establishes RETINSET, S.L.'s commitment to keep all personal information confidential and its responsibilities regarding the disclosure of such information;
    • Aims to ensure that all the personnel, whether directly employed or contracted, are aware of their responsibilities in relation to the confidentiality of personal information; and
    • Applies to all RETINSET, S.L.'s personnel including temporary and agency personnel, contractors and volunteers, and to personal information kept in any format, including paper, electronic and any other media.

    2. Responsibilities

    All employees, contractors and associates share responsibility for ensuring that information assets are managed in compliance with this policy.

    3. Definitions

    Data: Information as defined in the Data Protection Law, meaning:

    • Electronically processed data, i.e. information systems, databases, microfiles, audio and video (CCTV) systems and call recording systems.
    • Data recorded with the intention that it be processed by computer.
    • Data recorded as part of a relevant file system, i.e. data that has been structured either by reference to natural persons or to criteria relating to natural persons that is readily accessible.

    Data controller: The person, company or organisation that determines the purpose and manner in which personal data may be processed.

    Data processor: Any person who processes personal data on behalf of the data controller.

    Data subject: Any person who is the subject of the data being processed.

    Disclosure: Disclosing or providing access to the data.

    Confidential personal data: Personal information about identified or identifiable individuals, which shall be kept private or secret. Personal information includes the definition of personal data in the General Data Protection Regulation (GDPR), but is tailored to include both dead and living persons. 'Confidential' includes both information 'delivered in confidence' and 'what entails certain confidence obligation', and is tailored to include 'sensitive' information as defined in data protection law.

    Personal information: Data relating to a living individual who can be identified from information in the data controller's possession, or from information that may come into its possession.

    Processing: Using the information in any of the following ways:

    • Collection
    • Recording
    • Recovery
    • Alteration
    • Disclosure of information
    • Destruction
    • Use
    • Transmission
    • Erasure

    Special category data (formerly known as sensitive personal data): Any information about an individual relating to their:

    • Racial origin
    • Ethnic origin
    • Political opinions
    • Religious beliefs
    • Trade-union membership
    • Genetic data
    • Biometric data (when processed solely to identify a human being)
    • Health-related data
    • Sex life
    • Sexual orientation

    Third parties: Any person other than:

    • The data subject;
    • The data controller; and
    • Any data processor or other person authorised to process the data on behalf of the data controller.

    4. Data protection

    Data protection principles

    The data protection law sets out the following principles to promote best practices and fairness in the processing of personal information. These principles provide that:

    • Personal data shall be handled lawfully, fairly and transparently;
    • Personal data may only be collected for specific, explicit and legitimate purposes;
    • Personal data shall be suitable, relevant and limited to what is necessary for the processing thereof;
    • Personal data shall be accurate and kept up to date, with all reasonable efforts made to delete or rectify inaccurate data without delay;
    • Personal data shall be kept in such a way that the data subject may only be identified for the time necessary for processing;
    • Personal data shall be processed in a manner that ensures adequate security; and
    • The data controller shall be able to demonstrate compliance with any other data protection principles (accountability).

    Information security

    Ensuring the confidentiality of personal information requires the use of systems and procedures to control access to such information. Such controls are essential to ensure that only authorised persons have access to the information as follows:

    • Physical access to hardware and computers;
    • Access to computer system utilities that can override the system and access controls, e.g., administrator rights; and
    • Access to electronic or paper records which include confidential information about individuals.

    RETINSET, S.L.'s responsibilities of confidentiality and adequate processing of personal data are still applicable even if the processing is carried out by a third party.

    Access to personal information

    Persons acting on your behalf with your consent have a right to access the data in their power. This includes access to audit registers that indicate who has accessed your personal or confidential data.

    5. Confidentiality

    Duty of confidentiality

    All personnel and contractors shall agree that confidentiality is an obligation. Any breach of trust, inappropriate use of registers or abuse of computer systems may result in disciplinary and legal procedures.

    Temporary and volunteer agency personnel are also subject to such obligations and shall sign a confidentiality agreement when working for or on behalf of RETINSET, S.L.

    Personnel shall be certain that there is a legal basis before sharing information. Any questions about the legitimacy of sharing information shall be directed to the Chief Information Security Officer.

    Any actual illegal exchange of personal or confidential data shall be reported as an incident and investigated in compliance with the Security Incident Management Procedure.

    Objections to the processing of confidential data

    Any doubts or objections regarding the processing of personal data shall be immediately referred to the Chief Information Security Officer. When RETINSET, S.L. acts as a contracted data processor, the query shall be referred to the data controller.

    6. Privacy Impact Assessment (PIA)

    New initiatives involving high-risk processing of personal data shall be subject to a PIA to ensure that the personal data is kept private and secure at all times.

    7. Information flow mapping

    Personal information flows in and out of RETINSET, S.L. shall be mapped in PIA reports.

    8. International transfers

    Personally identifiable information shall not be transferred outside the EEA, unless an appropriate risk assessment has been carried out and mitigating controls are in place. RETINSET, S.L. shall review flows of personally identifiable information to check for information flows to external organisations outside the UK and the EEA.

    Decisions about the transfer of personally identifiable information shall only be made by a senior manager who has been authorised to make such decisions.

    Organisations shall be required to obtain an assurance statement from the third parties processing the personal data of their users or personnel overseas. This statement may be within the agreement between the two organisations or other processing terms.

    9. Implementation

    The Chief Information Security Officer is responsible for ensuring that relevant personnel within FARMAMIX VISION, S.L. have read and understood this document.

    Document holder and approval

    The Chief Information Security Officer is the holder of this document and is responsible for ensuring that this procedure is reviewed in compliance with the review requirements set out in this policy.

    Signature:

    Victor Climent's signature