General Conditions / Data Protection

GENERAL CONDITIONS ON DATA PROTECTION APPLICABLE TO ALL TYPES OF CONTRACTS AND SERVICES PROVIDED BY CEN

SCOPE OF APPLICATION OF THESE GENERAL CONDITIONS

These general conditions apply to the contracting and provision of all types of services that CEN agrees with its associates and/or clients, as set forth in the various documents or annexes signed with the specific conditions applicable to each contract or service.

The entity’s address is established as follows for the purposes of any communication:

NAVARRE BUSINESS CONFEDERATION
Tax ID No. G31130693
Address: C/ Doctor Huarte 3, 31003 Pamplona (Navarra)
Tel.: 948 26 33 00
Email: lopd@cen.es
Website: www.cen.es
Hereinafter CEN.

1. PERSONAL DATA PROTECTION

These clauses establish the conditions that authorize CEN to process personal data arising from the execution of the contract or the provision of services contracted with the client and/or partner.

To the extent that the execution of the contract or the provision of the service makes it essential, CEN will process personal data for which the partner and/or client is responsible, with CEN being considered the data processor.

These general conditions, mentioned in the specific conditions and accepted by the partner and/or client, are established to comply with the provisions of Article 33 of Organic Law 3/2018 on the protection of personal data and the guarantee of digital rights and Article 28 of EU Regulation 2016/679, defining the obligations of the data controller and the data processor.

The processing carried out will consist of the service detailed in the contract or quote accepted by the client and/or partner.

The partner and/or client, as the data controller, authorizes CEN to process the personal data contained therein on its own behalf to the extent necessary to provide the indicated service.

With respect to the data indicated, CEN may process it, making any decisions necessary to properly provide the service.

1.1. IDENTIFICATION OF THE AFFECTED INFORMATION

For the performance of the services derived from the fulfillment of the purpose of this assignment, the associate and/or client responsible for the processing has made available to CEN, the data processor, the information described in the specific conditions or in the accepted quote, although this description is not exhaustive and does not exclude other related documents.

1.2. OBLIGATIONS OF THE ASSOCIATE AND/OR CLIENT AS CONTROLLER

The associate and/or client, as controller, in addition to those established in the data protection regulations, have at least the following obligations:

  • Provide the data controller with access to the data that is part of their processing or deliver it to them in the manner appropriate for the correct provision of the service.
  • Inform the data subjects whose data is being processed, in accordance with regulations, and have lawfully obtained their express consent or have legitimate and credible reasons for doing so.
  • Have established the legal basis that legitimizes the processing.
  • Have simple mechanisms so that data subjects can exercise their rights.
  • Have risk assessments, a record of processing, and impact assessments if necessary due to the nature of the data processed.
  • Have appropriate security measures in place to safeguard the data during transmission to the data controller.
  • Appoint a data protection officer when required and communicate their identity to the Data Controller.

1.3. CEN’S OBLIGATIONS AS DATA PROCESSOR CEN undertakes to comply with the provisions of European and Spanish data protection regulations and undertakes to:

1.3.1 INSTRUCTIONS FOR THE USE AND DISCLOSURE OF DATA

  1. CEN will use the personal data processed, or the data it collects for inclusion, only for the purpose of this assignment. Under no circumstances may it use the data for its own purposes.
  2. It will process the data in accordance with the instructions of the data controller. If CEN considers that any of the instructions violate EU Regulation 2016/679D, the LOPDGDD (Spanish Data Protection Act), or any other data protection provision of the Union or the Member States, it will immediately inform the data controller.
  3. CEN undertakes not to copy or reproduce the information provided by the data controller except when processing is necessary for the purposes set forth in the contract or for the purposes inherent to the entity.
  4. CEN will not communicate the data to third parties except with the express authorization of the data controller or in the cases provided for by law. The transfer to subcontracted third parties is regulated in another section of this document.
  5. CEN will maintain confidentiality of the personal data processed indefinitely. This obligation persists after the termination of the contract.

1.4. CEN’S OBLIGATIONS AS DATA PROCESSOR CEN undertakes to comply with the provisions of European and Spanish data protection regulations and undertakes to:

1.4.1 INSTRUCTIONS FOR USE AND COMMUNICATION OF DATA

1.4.2 SECURITY MEASURES

CEN has adopted appropriate security measures to safeguard the integrity of the data to which it has access for the provision of services, and to prevent its alteration, loss, and unauthorized access. Likewise, the measures adopted guarantee the confidentiality, integrity, and availability of the information, as well as the permanent resilience of the processing systems in the event of a physical or technical incident. The measures constantly in place are the following.
1.4.2.1. Media. There is an updated list of storage media, if necessary due to the type of service or provision contracted, and the data processor’s personnel with access to them. If media must be transferred between the facilities of the data processor and the data controller, or vice versa, sensitive labeling, encryption, or password protection systems are used. Mechanisms that prevent unauthorized access or manipulation by unauthorized persons are used during the transport of all media.

1.4.2.2 Incidents. Any incident affecting personal data will be immediately reported to the data controller.

1.4.2.3. Backup Copies. If the contracted service provision involves storing data in CEN systems, there will be a standardized procedure to ensure backup copies are made, as well as mechanisms for periodically verifying their quality.

1.4.2.4. CEN has a system that continuously verifies, evaluates, and reviews security measures.

1.4.3 PERSONNEL

The number of people reporting to CEN who process the controller’s personal data is limited and known. There is an updated list of employees with access, which are always essential to fulfilling the contract’s purpose.

All CEN staff receive periodic training on confidentiality and data protection, are aware of applicable regulations, their obligations, and the consequences of non-compliance.

1.4.4. RECORD OF PROCESSING ACTIVITIES

CEN keeps a written record of all categories of processing activities carried out on behalf of the controller, which contains:

  1. The name and contact details of the processor and of each controller on behalf of which the processor acts and, where applicable, of the controller’s or processor’s representative and the data protection officer.
  2. The categories of processing carried out on behalf of each controller.
  3. Where applicable, transfers of personal data to a third country or international organization, including their identification and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, documentation of appropriate safeguards.

1.5.- COMMUNICATION TO OTHER PROCESSORS

CEN may communicate the data to other processors of the same controller, in accordance with its instructions. In this case, the controller will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated, and the security measures to be applied to proceed with the communication.

If CEN must transfer personal data to a third country or an international organization, pursuant to Union or Member State law applicable to it, it will inform the controller of this legal requirement in advance, unless such law prohibits it for important reasons of public interest.

1.6.- SUBCONTRACTING

Certain services are provided by specialized companies or entities that are not part of CEN, and that are selected by it based on criteria of professional experience and data processing assurance.

Subcontracting of some of the services included in this contract that involve the processing of personal data is permitted.

At the request of the data controller, the specific services that may be subcontracted will be indicated, clearly and unequivocally identifying the subcontracting company and its contact information.

The subcontractor, who will also have the status of data processor, is also obliged to comply with the obligations established in this document for CEN as the data processor and the instructions issued by the data controller. CEN, as the initial data processor, is responsible for regulating the new relationship so that the new data processor is subject to the same conditions (instructions, obligations, security measures, etc.) and the same formal requirements as the subcontractor, regarding the proper processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the subprocessor, CEN, as the initial data processor, will remain fully liable to the data controller.

1.7.- RIGHTS OF DATA SUBJECTS

CEN undertakes to assist the data controller in responding to the exercise of the rights of:

  • Access, rectification, erasure, and objection.
  • Restriction of processing.
  • Data portability.
  • Not to be subject to automated individualized decisions (including profiling).
  • When data subjects exercise their rights to access, rectification, erasure, objection, restriction of processing, data portability, and not to be subject to automated individualized decisions, CEN must notify the data controller by email to the controller’s usual address. Communication will be made immediately and in no case later than the business day following receipt of the request, together, where applicable, with other information that may be relevant to resolving the request.

1.8.- NOTIFICATION OF DATA SECURITY BREACHES

CEN, as the data processor, will notify the data controller, without undue delay and in any case within a maximum period of 72 hours, and via EMAIL, of any personal data security breaches under its control of which it becomes aware, together with all relevant information for documenting and reporting the incident.

Notification will not be necessary when such a breach is unlikely to constitute a risk to the rights and freedoms of natural persons.

If available, the following information shall be provided, as a minimum:

  1. Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
  2. The name and contact details of the Data Protection Officer or other point of contact where further information can be obtained.
  3. Description of the possible consequences of the personal data breach.
  4. Description of the measures taken or proposed to remedy the personal data breach, including, where appropriate, measures taken to mitigate any potential negative effects.

If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided gradually without undue delay.

The controller shall be responsible for making communications to the Data Protection Authority or to the data subjects.

1.9.- COLLABORATION WITH THE CONTROLLER

CEN undertakes to:

  1. Provide support to the data controller
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.