Privacy Policy

RECORD OF TREATMENT ACTIVITIES

Treatment: Customers

a) Data controller

Identity: SENTIDOS TRUFEROS SL – NIF: ESB67992511

Postal address: AVDA. PIRINEOS 3 ALTILLO PUERTA A 22300 BARBASTRO (Huesca)

Email: informacion@sentidostruferos.com

Telephone: 640050798

b) Purpose of the treatment: Customer relationship management

c) Categories of interested parties: Customers (people with whom a business relationship is maintained as customers)

d) Data categories: Those necessary for maintaining the business relationship. Invoicing, sending advertising by mail or email, after-sales service and customer loyalty programs.

  • Identification details: name and surname, NIF (Spanish tax identification number), postal address, telephone numbers, email
  • Bank details: for direct debit payments

e) Categories of recipients:

  • State Tax Administration Agency
  • National Institute of Social Security
  • Banks and financial institutions
  • Security Forces and Corps

f) International transfers: International transfers are not planned

g) Deletion period: Those provided for by tax legislation regarding the statute of limitations for liabilities

h) Security measures: Those reflected in the SECURITY MEASURES ANNEX


Treatment: Potential Clients

a) Data controller

Identity: SENTIDOS TRUFEROS SL – NIF: ESB67992511

Postal address: AVDA. PIRINEOS 3 ALTILLO PUERTA A 22300 BARBASTRO (Huesca)

Email: informacion@sentidostruferos.com

Telephone: 640050798

b) Purpose of the treatment: Managing relationships with potential customers

c) Categories of interested parties: Potential customers (people with whom we seek to maintain a business relationship as clients)

d) Data categories: Those necessary for the commercial promotion of the company

  • Identification details: name and surname, postal address, telephone numbers, email

e) Categories of recipients: Marketing agency

f) International transfers: International transfers are not planned

g) Deletion period: One year since first contact

h) Security measures: Those reflected in the SECURITY MEASURES ANNEX


Treatment: Suppliers

a) Data controller

Identity: SENTIDOS TRUFEROS SL – NIF: ESB67992511

Postal address: AVDA. PIRINEOS 3 ALTILLO PUERTA A 22300 BARBASTRO (Huesca)

Email: informacion@sentidostruferos.com

Telephone: 640050798

b) Purpose of the treatment: Supplier relationship management

c) Categories of interested parties: Suppliers (people with whom a business relationship is maintained as suppliers of products and/or services)

d) Data categories: Those necessary for maintaining the employment relationship

  • Identification details: name, NIF (Spanish tax identification number), postal address, telephone numbers, email
  • Bank details: for direct debit payments

e) Categories of recipients:

  • State Tax Administration Agency
  • Banks and financial institutions
  • [Other possible recipients]

f) International transfers: International transfers are not planned

g) Deletion period: Those provided for by tax legislation regarding the statute of limitations for liabilities

h) Security measures: Those reflected in the SECURITY MEASURES ANNEX


EXHIBIT

INFORMATION OF GENERAL INTEREST

This document has been designed for low-risk personal data processing, which means it cannot be used for personal data processing that includes personal data relating to ethnic or racial origin, political, religious or philosophical ideology, trade union membership, genetic and biometric data, health data, and data concerning a person's sexual orientation, as well as any other data processing that entails a high risk to the rights and freedoms of individuals.

Article 5.1.f of the General Data Protection Regulation (hereinafter, GDPR) establishes the need to implement appropriate security measures against unauthorized or unlawful processing, loss of personal data, accidental destruction, or damage. This entails the implementation of technical and organizational measures to ensure the integrity and confidentiality of personal data and the ability to demonstrate, as established in Article 5.2, that these measures have been put into practice (proactive responsibility).

In addition, the data controller must establish visible, accessible and simple mechanisms for the exercise of rights and have defined internal procedures to guarantee the effective handling of requests received.

ATTENTION TO THE EXERCISE OF RIGHTS

The data controller will inform all employees about the procedure for addressing the rights of data subjects, clearly defining the mechanisms by which these rights can be exercised (electronic means, reference to the Data Protection Officer if there is one, postal address, etc.) and taking into account the following:

  • Upon presentation of their national identity document or passport, data subjects may exercise their rights of access, rectification, erasure, objection, portability, and restriction of processing. Exercising these rights is free of charge.
  • The data controller must respond to interested parties without undue delay and in a concise, transparent, intelligible manner, using clear and simple language, and retain proof of compliance with the duty to respond to requests to exercise rights.
  • If the application is submitted electronically, the information will be provided by these means where possible, unless the applicant requests otherwise.
  • Applications must be answered within 1 month of receipt, which may be extended by a further two months taking into account the complexity or number of applications, but in that case the interested party must be informed of the extension within one month of receipt of the application, indicating the reasons for the delay.

RIGHT OF ACCESS: The right of access entitles data subjects to a copy of their personal data held, along with the purpose for which it was collected, the identity of the recipients, the envisaged retention periods or the criteria used to determine them, the existence of the right to request rectification or erasure of personal data, as well as the restriction or objection to its processing, the right to lodge a complaint with the Spanish Data Protection Agency, and, if the data was not obtained from the data subject, any available information as to its source. The right to obtain a copy of the data cannot negatively affect the rights and freedoms of other interested parties.

RIGHT OF RECTIFICATION: The right to rectification allows for the modification of inaccurate or incomplete personal data of data subjects, taking into account the purposes of the processing. The data subject must specify in the request which data is being rectified and the correction to be made, providing, where necessary, supporting documentation demonstrating the inaccuracy or incompleteness of the data being processed. If the data has been communicated by the controller to other controllers, the controller must notify them of the rectification unless this is impossible or involves a disproportionate effort, providing the data subject with information about these recipients upon request.

RIGHT OF ELIMINATION: The right to erasure allows for the deletion of data subjects' personal data when they object to its processing and there is no legal basis preventing it, the data is no longer necessary for the purposes for which it was collected, they withdraw their consent, and there is no other legal basis legitimizing the processing or the processing is unlawful. If the erasure stems from the data subject's exercise of their right to object to the processing of their data for marketing purposes, the data subject's identifying information may be retained to prevent future processing. If the data has been communicated by the controller to other controllers, the controller must notify them of the erasure unless this proves impossible or involves a disproportionate effort, and must provide the data subject with information about these recipients upon request.

RIGHT OF OBJECTION: In the case of the right to object, when data subjects express their refusal to the processing of their personal data to the controller, the controller will cease processing it unless there is a legal obligation preventing it. When the processing is based on a task carried out in the public interest or on the legitimate interests of the controller, upon a request to exercise the right to object, the controller will cease processing the data unless compelling legitimate grounds are demonstrated which override the interests, rights and freedoms of the data subject or the processing is necessary for the establishment, exercise or defense of legal claims. If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

RIGHT TO PORTABILITY: Under the right to data portability, if the processing is carried out by automated means and is based on consent or within the framework of a contract, data subjects may request to receive a copy of their personal data in a structured, commonly used, and machine-readable format. They also have the right to request that their data be transmitted directly to a new controller, whose identity must be disclosed, where technically feasible.

RIGHT TO LIMIT PROCESSING: Under the right to restriction of processing, data subjects may request the suspension of the processing of their data to contest its accuracy while the controller carries out the necessary verifications, or if the processing is based on the controller's legitimate interests or in the performance of a task carried out in the public interest, while it is verified whether these grounds override the data subject's interests, rights, and freedoms. Data subjects may also request the retention of their data if they consider the processing unlawful and, instead of erasure, request restriction of processing, or if, even though the controller no longer needs the data for the purposes for which it was collected, the data subject requires it for the establishment, exercise, or defense of legal claims. The fact that the processing of the data subject's data is restricted must be clearly stated in the controller's systems. If the data has been communicated by the controller to other controllers, the controller must notify them of the limitation of the processing of these data unless it is impossible or requires a disproportionate effort, providing the data subject with information about these recipients, if requested.

If the data subject's request is not processed, the controller shall inform him, without delay and no later than one month after receipt of the request, of the reasons for not acting and of the possibility of filing a complaint with the Spanish Data Protection Agency and of exercising legal action.

SECURITY MEASURES

Based on the type of treatment you have indicated when completing this form, the minimum security measures you should take into account are the following:

ORGANIZATIONAL MEASURES

INFORMATION THAT MUST BE KNOWN BY ALL STAFF WITH ACCESS TO PERSONAL DATA

All personnel with access to personal data must be aware of their obligations regarding the processing of personal data and will be informed of these obligations. The minimum information that all personnel will be aware of is as follows:

  • DUTY OF CONFIDENTIALITY AND SECRECY
  • Unauthorized access to personal data must be prevented. To this end, personal data must not be left exposed to third parties (unattended electronic screens, paper documents in public areas, storage media containing personal data, etc.). This includes screens used for viewing images from the video surveillance system. When leaving the workstation, the screen must be locked or the session closed.
  • Paper documents and electronic media will be stored in a secure location (cabinets or restricted access rooms) 24 hours a day.
  • Documents or electronic media (CDs, pen drives, hard drives, etc.) containing personal data will not be disposed of without ensuring their effective destruction.
  • No personal data or any other personal information will be communicated to third parties, paying special attention to not disclosing protected personal data during telephone consultations, emails, etc.
  • The duty of secrecy and confidentiality persists even when the employee's employment relationship with the company ends.

  • PERSONAL DATA SECURITY VIOLATIONS
  • When personal data security breaches occur, such as theft or unauthorized access to personal data, the Spanish Data Protection Agency must be notified within 72 hours of such breaches, including all the information necessary to clarify the facts that led to the unauthorized access to the personal data. Notification must be made electronically through the Spanish Data Protection Agency's website at the following address: https://sedeagpd.gob.es/sede-electronica-web/

TECHNICAL MEASURES

ID

  • When the same computer or device is used for processing personal data and for personal use, it is recommended to have separate user profiles for each purpose. Professional and personal use of the computer should be kept separate.
  • It is recommended to have user profiles with administrative rights for system installation and configuration, and users without administrative privileges for accessing personal data. This measure will prevent unauthorized access or modification of the operating system in the event of a cybersecurity attack.
  • The existence of passwords for accessing personal data stored in electronic systems will be guaranteed. The password must be at least 8 characters long and consist of a mix of numbers and letters.
  • When personal data is accessed by different people, each person with access to the personal data will have a specific username and password (unambiguous identification).
  • Password confidentiality must be guaranteed, preventing them from being exposed to third parties. For password management, please refer to the guide to internet privacy and security from the Spanish Data Protection Agency and the National Cybersecurity Institute. Under no circumstances will passwords be shared or left written down in a common place, and access by persons other than the user will not be allowed.

DUTY TO SAFEGUARD

The following are the minimum technical measures to guarantee the safeguarding of personal data:

  • UPDATING COMPUTERS AND DEVICES: The devices and computers used for the storage and processing of personal data must be kept up-to-date as much as possible.
  • MALWARE: Computers and devices where automated processing of personal data takes place must have an antivirus system in place to prevent, as far as possible, the destruction of personal information and data. The antivirus system must be updated regularly.
  • FIREWALL: To prevent unauthorized remote access to personal data, we will ensure that a firewall is activated and correctly configured on the computers and devices where personal data is stored and/or processed.
  • DATA ENCRYPTION: When it is necessary to extract personal data from the premises where it is processed, whether by physical or electronic means, the possibility of using an encryption method should be considered to guarantee the confidentiality of personal data in case of unauthorized access to the information.
  • BACKUP: A backup copy will be periodically made on a separate storage medium from the one used for daily work. This copy will be stored in a secure location, separate from the computer containing the original files, to allow for the recovery of personal data in case of data loss.

Security measures will be reviewed periodically, either automatically (using software or computer programs) or manually. Keep in mind that any cybersecurity incident that has happened to someone you know could happen to you, so take precautions.

If you would like more information or technical guidance to ensure the security of personal data and information processed by your company, please visit the website of the National Cybersecurity Institute (INCIBE). www.incibe.es offers business-focused tools in its "Protect your company" section, which includes, among other services:

Furthermore, INCIBE, through the Internet User Security Office, also makes available free software tools and additional information that can be useful for your business or professional activity.

IMAGE CAPTURE WITH CAMERAS FOR SECURITY PURPOSES

(VIDEO SURVEILLANCE)

A person's image, insofar as it identifies or can identify them, constitutes personal data that may be processed for various purposes. While the most common use is to ensure the safety of people, property, and facilities, cameras can also be used for other purposes, such as monitoring employee performance. The following are basic guidelines to ensure that the processing of images obtained from video surveillance cameras complies with data protection regulations. However, it is recommended to consult the relevant legislation and the Guide on the use of video cameras for security and other purposes for a more thorough understanding of the obligations involved in this type of treatment.

 

  • CAMERA PLACEMENT: Images must not be captured in areas designated for worker rest, nor in public areas if outdoor cameras are used. Only the minimum area necessary to preserve the safety of people, property and facilities may be captured.
  • MONITOR LOCATION: The monitors displaying the camera images will be located in a restricted access area so that they are not accessible to third parties. Only authorized personnel will have access to the recorded images.
  • IMAGE RETENTION: Images will be stored for a maximum of one month, except for images that prove the commission of acts that threaten the integrity of persons, property, and facilities. In that case, the images must be made available to the competent authority within 72 hours of becoming aware of the recording.
  • DUTY TO INFORM: Information regarding the existence of cameras and image recording will be provided by means of an information sign placed in a sufficiently visible location, identifying at least the data controller and the possibility for data subjects to exercise their data protection rights. The sign itself may also include a connection code or internet address where this information is displayed. Templates for both the sign and the text are available on the Agency's website.
  • WORK MONITORING: When cameras are to be used for the purpose of work monitoring as provided for in article 20.3 of the Workers' Statute, the worker and his union representatives will be informed by any means that guarantees the receipt of the information about the control measures established by the employer with express indication of the purpose of work monitoring of the images captured by the cameras.
  • RIGHT OF ACCESS TO IMAGES: To comply with the right of access of interested parties to the recordings of the video surveillance system, a recent photograph and the National Identity Document of the interested party will be requested to verify their identity, as well as details of the date and time to which the right of access refers. The interested party will not be granted direct access to images from cameras that show images of third parties. If it is not possible for the interested party to view the images without showing images of third parties, they will be provided with a document confirming or denying the existence of images of the interested party.

For more information, you can consult the guides and fact sheets on video surveillance and the legal reports published by the Spanish Data Protection Agency in the section on Video surveillance.