Personal data protection policy
AQUALAND MIJAS S.A. (hereinafter AQUAMIJAS or the “Company”) is an organisation in which personal data processing activities take place, which gives it an important responsibility in the design and organisation of procedures so that they are in line with legal compliance in this matter.
In the exercise of these responsibilities and in order to establish the general principles that must govern the processing of personal data in the Company, this Personal Data Protection Policy is approved, its Employees are notified hereof and it is made available to others concerned.
The Personal Data Protection Policy is a measure of proactive responsibility that aims to ensure compliance with the applicable legislation in this area and, as such, respects the right of privacy in the processing of personal data of all individuals related to the Company.
In development of the provisions of this Personal Data Protection Policy, the Principles governing data processing in the organisation are established and, consequently, the procedures, organisational and security measures, shall be implemented by those who are affected by this Policy, in their area of responsibility. To this end, management shall assign responsibilities to staff involved in data processing operations.
This Personal Data Protection Policy shall apply to the Company, its directors, officers and employees, as well as to all persons who deal with the Company, expressly including service providers with access to data (“Data Processors”).
As a general principle, The Company shall scrupulously comply with the personal data protection legislation and must be able to demonstrate this (Principle of “proactive responsibility”), paying special attention to those data processing operations that may pose a greater risk to the rights of those affected (Principle of “risk approach”).
In relation to the above, AQUAMIJAS shall ensure compliance with the following Principles:
➔ Lawfulness, fairness, transparency and purpose limitation. The subject of data processing shall always be informed, by means of clauses and other procedures; and shall only be considered legitimate if consent for the processing of data has been given (with special attention to that provided by minors), or has another valid legitimation and the purpose of the same is in accordance with the Regulations.
➔ Data minimisation. The data processed shall be adequate, relevant and limited to what is necessary in relation to the purposes of the processing.
➔ Accuracy. The data must be accurate and, where necessary, kept up to date. In this respect, the necessary steps shall be taken to ensure that personal data which are inaccurate in relation to the purposes of the processing are erased or rectified without delay.
➔ Limitation of the retention period. Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing.
➔ Integrity and Confidentiality. Data shall be processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organisational measures.
➔ Transfer of data. It is forbidden to purchase or obtain personal data from illegitimate sources or in those cases in which such data have been collected or transferred in contravention of the law or where their legitimate origin is not sufficiently guaranteed.
➔ Hiring of suppliers with access to data. Only suppliers that offer sufficient guarantees for the application of appropriate technical and security measures in the processing of data shall be selected for contracting. An appropriate agreement shall be documented with these third parties in this respect.
➔ International data transfers. Any processing of personal data subject to European Union regulations involving the transfer of data outside the European Economic Area shall be carried out in strict compliance with the requirements of the applicable law.
➔ Rights of data subjects. The Company will facilitate the right of access, rectification, erasure, limitation of processing, objection and portability for data subjects, establishing for this purpose the necessary and appropriate internal procedures, and in particular the models for the exercise thereof, which must at least meet the legal requirements applicable in each case.
The Company shall ensure that the principles set out in this Personal Data Protection Policy are taken into account (i) in the design and implementation of all work procedures, (ii) in the products and services offered, (iii) in all contracts and obligations formalised or assumed, and (iv) in the implementation of all systems and platforms that allow access by employees or third parties and/or the collection or processing of personal data.
Employees are informed of this Policy and declare that they are aware that personal information is an asset of the Company, and in this respect, adhere to it, committing themselves to the following:
The effectiveness of the technical and organisational measures to ensure the security of the processing shall be verified, evaluated and assessed annually, or whenever there are significant changes in the data processing.