Personal Data Protection Policy


 

PURPOSE

 

The Management Body of GLOBAL COAST INVESTMENTS S.L. (the “Company”) is responsible for formulating the strategy and approving the Company’s Corporate Policies, and is committed to the ongoing management of the potential risks associated with the processing of data from its design to its end, whether by the deletion or the anonymization of personal data. The aim is that all treatment of personal data meets the applicable requirements, minimizing the risks it implies for the individual whose personal data are treated.
In the exercise of these responsibilities, and in order to establish the general principles that should govern the processing of personal data, under the directives established by the regulations and the General Data Protection Regulation, the Board of Directors approves this Personal Data Protection Policy.
The Personal Data Protection Policy establishes the operational principles and guidelines that should govern in the area of personal data protection, assuring, in any case, compliance with the applicable legislation. In particular, the Personal Data Protection Policy is intended to guarantee the right to the personal data protection of every person who is related to the Company, ensuring respect for the rights to honor and privacy in the processing of the distinct types of personal data, from different sources and with distinct purposes depending on its business activity.

 

SCOPE OF APPLICATION

 

The Personal Data Protection Policy will be applied to the Company, its directors, officers and employees, as well as to all persons who are related to the companies belonging to the Company and who, under the authority of the Company, process personal data on behalf of the Company for the fulfillment of its activities.
In those companies or subsidiaries, directly or indirectly, invested by the Company, its representatives shall endeavor to observe the provisions of this Personal Data Protection Policy and they shall promote, as far as possible, the application of its principles.
In addition, said companies or subsidiary entities will ensure that they comply, where applicable, with their respective data protection duties when acting as responsible parties and / or in charge of data processing.

 

PRINCIPLES OF PERSONAL DATA PROCESSING

 

General principles

 

The Company will scrupulously comply with the legislation of its jurisdiction in terms of data protection, which is applicable depending on the processing of personal data that is carried out and that which is determined in accordance with norms or binding agreements adopted within this Company or, as the case may be, with other data controllers if personal data are processed on behalf of them.

The Company will promote that the principles contained in this Personal Data Protection Policy are taken into account in the design and implementation of all procedures that involve personal data processing, in the products and services offered by the Company, in all contracts and obligations that it formalizes with natural persons and in the implementation of any systems and platforms that allow access by employees or third parties to personal data and / or the collection or processing of said data.

Principles relating to the processing of personal data

 

Principles of legitimacy, legality and loyalty in the processing of personal data

The processing of personal data will be fair, legitimate and lawful according to the applicable legislation. In this regard, personal data must be collected for one or more specific and legitimate purposes in accordance with the applicable legislation.

In cases where it is mandatory under the applicable legislation, the consent of the interested parties must be obtained before collecting their data.

Also, when required by law, the purposes of processing personal data will be explicit and determined at the time of collection.


Principle of minimization

Only those personal data that are strictly necessary for the purpose for which they are collected or processed and suitable for that purpose will be subject to processing.

Principle of accuracy

Personal data must be accurate and up-to-date. Otherwise, they must be deleted or rectified.

Principle of limitation of the term of conservation

Personal data will not be kept beyond the period necessary to achieve the purpose for which they are treated, except in the cases provided by law. Personal data will be deleted or anonymized when they are no longer necessary for the purpose or purposes of the treatment, unless they should be blocked, by virtue of the obligation required of the data controller, or retained as a consequence of exercising the right of limitation.

Principle of integrity and confidentiality

In the processing of personal data, adequate security must be guaranteed, through technical or organizational measures, that protects the data from unauthorized or illegal treatment and that prevents their loss, destruction or accidental damage.
The personal data collected and processed by the Group companies must be kept with the utmost confidentiality and secrecy, cannot be used for purposes other than those that justified and allowed their collection, and cannot be communicated or assigned to third parties outside of the cases allowed by applicable legislation.

 

Principle of proactive responsibility (accountability)

The Company will be responsible for complying with the principles stipulated in this Personal Data Protection Policy and those required in the applicable legislation and must be able to prove it, when required by applicable legislation.
The Company must make an assessment of the risk of the treatments carried out, in order to determine the measures to be applied to guarantee that the personal data are treated in accordance with legal requirements. In the cases in which the regulations require it, the risks that new products, services or information systems may involve for the protection of personal data will be evaluated in advance and the necessary measures will be adopted to eliminate or mitigate them. The Company must keep a record of activities describing the processing of personal data that it carries out in the framework of its activities.
In the event that there is a violation of the security of data that causes the destruction, loss or accidental or unlawful alteration of personal data, or communication or unauthorized access to such data, the internal protocols established for this purpose and those established by applicable legislation must be followed. These violations must be documented and measures taken to resolve and alleviate the possible negative effects for the interested parties.


Principles of transparency and information

The processing of personal data will be transparent in relation to the interested party, providing them with information about the treatment of their data in a comprehensible and accessible way, when required by the applicable regulations.
In order to guarantee a fair and transparent treatment, the Company responsible for the treatment must inform the interested parties whose data it is intended to collect of the circumstances relating to the treatment according to the applicable legislation. Likewise, if the personal data has not been obtained from the interested parties, the Company will comply with the information principle in the terms provided in the applicable regulations, unless there is an exception to this or other measures can be taken in relation to this principle.

Acquisition of personal data

It is forbidden to acquire or obtain personal data from illegitimate sources, from sources that do not sufficiently guarantee their legitimate origin or from sources whose data have been collected or transferred in contravention of the regulations. Any treatment of personal data that does not comply with the requirements of the applicable regulations is also forbidden, as is the obtaining of personal data in breach of the principles of legality and loyalty, for example through deception or forms not permitted by law on the protection of personal data.

Hiring of data processors

Prior to hiring any service provider that accesses personal data that are the responsibility of the Company, as well as during the term of the contractual relationship, the Company must adopt the necessary measures to guarantee and, when legally required, demonstrate that data processing by the person in charge is carried out in accordance with the applicable regulations. Any service provider acting as the processor must have signed or subscribed with the Company a contract or other legal act that complies with the requirements of the applicable regulations on data protection and must be able, at all times, even at the moment of termination of the service that involves the processing of personal data, to assist the Company to comply and demonstrate compliance in this matter.

 

International data transfers

Any processing of personal data that involves a transfer of data outside the European Economic Area must be carried out in strict compliance with the requirements established in the applicable regulations on data protection. Any company or person that receives personal data as a result of an international transfer of data will adopt the necessary measures to comply with the applicable data protection regulations and those to which it has been bound by the Company.


Rights of the interested parties

The Company will enable the interested parties to exercise the rights of access, rectification, deletion, limitation of the treatment, portability and opposition, including, where appropriate, the elaboration of profiles, which are applicable, establishing for this purpose the appropriate internal measures and procedures that are necessary to satisfy, at least, the legal requirements applicable in each case.

 

Implementation

 

In accordance with the provisions of this Personal Data Protection Policy, the internal data protection management regulations will be developed and updated, and will be mandatory for all directors and employees of the Company.
THE DATA CONTROLLER will be responsible for reporting to GLOBAL COAST INVESTMENTS S.L. on the developments and regulatory developments that occur in this area.
THE DATA CONTROLLER, or the management that assumes its functions, will be in charge of implementing in the information systems of the Company the controls and computer developments that are adequate to guarantee compliance with the internal regulations for data protection management and will ensure that these developments are updated at all times.

 

Control and Evaluation

 

Control

It is up to THE DATA CONTROLLER, or the management that assumes its functions, to supervise compliance with the provisions of this Personal Data Protection Policy by the Company. The foregoing shall be understood, in any case, without prejudice to the responsibilities that correspond to other bodies and directorates of the Company. To verify compliance with this Personal Data Protection Policy, periodic audits will be carried out with internal or external auditors.

Evaluation

THE DATA CONTROLLER will evaluate, at least once a year, the compliance and effectiveness of this Personal Data Protection Policy and will report the result to GLOBAL COAST INVESTMENTS S.L., or to the management that assumes these functions at each moment.
THE DATA CONTROLLER or the management that assumes its functions, in case the former has not been appointed, will evaluate, at least once a year or whenever necessary in response to the risk involved in the processing of personal data, the compliance and effectiveness of this Personal Data Protection Policy and will inform GLOBAL COAST INVESTMENTS S.L. of the result of said evaluation.
This Personal Data Protection Policy was initially approved by the Board of Directors on 19/06/2018.

 

COMMITMENT AND APPROVAL OF THE PERSONAL DATA PROTECTION POLICY


Implementation of the Personal Data Protection Policy

THE MANAGEMENT BODY of GLOBAL COAST INVESTMENTS S.L., as the party responsible for the treatment, on June 19, 2018, approved this Personal Data Protection Policy by virtue of its obligation to apply technical and organizational measures to comply with and demonstrate compliance with applicable regulations on protection of personal data and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of personal data that repeals Directive 95/46/EC (General Data Protection Regulation or GDPR).

Scope and purpose of the Personal Data Protection Policy


In particular, the objective of this Personal Data Protection Policy is to apply technical and organizational measures to all processing of personal data that is carried out in GLOBAL COAST INVESTMENTS S.L. in order to ensure compliance with the obligations required under the applicable regulations on the protection of personal data to protect the fundamental right to protection of personal data of natural persons whose personal data are subject to treatment.
It is a corporate policy that applies to the processing of personal data that is carried out by GLOBAL COAST INVESTMENTS S.L. regardless of whether they do it themselves or through the data processors they turn to.
At all times the risk involved in the processing of personal data for the rights and freedoms of the interested parties will be addressed.
Thus, all processing of personal data will have to comply with the applicable principles regarding the protection of personal data, so as to ensure that the treatment is lawful, complying with the requirements of legality, loyalty and transparency; limitation of purpose; minimization of treated personal data; accuracy of the personal data processed; limitation of the term of conservation, as well as integrity and confidentiality, through the adoption of the applicable security measures.
The security measures to be adopted will be determined and applied taking into account the state of the art, the costs of application, and the nature, scope, context and purposes of the treatment, as well as risks of varying probability and severity for the rights and freedoms of natural persons. The technical and organizational measures will be those that are appropriate to guarantee a level of security appropriate to the risk.
In turn, the technical and organizational measures, such as the impact assessment relating to the protection of personal data, the prior consultation with the data protection authority, the notification of security breaches to the data protection authority and, where applicable, the interested parties, or others that are applicable, will be adopted by GLOBAL COAST INVESTMENTS S.L. in view of the risk identified in the indicated terms.

Review and update of the data protection policy

This Personal Data Protection Policy will be reviewed and, where appropriate, updated as necessary, taking into account the risk involved in the processing of personal data for those interested.