General Terms and Conditions
General terms and conditions on data protection applicable to all types of contracts
Scope of application of these general conditions
The present general conditions apply to the contracting of all types of contracts relating to products and/or services that CONSULTORES SAYMA SA, SAYMA MADRID SL, and SAYMA ALAVA SA agree with their clients, being so stated in the different documents or annexes that are subscribed with the particular conditions applicable to each contract or service.
CONSULTORES SAYMA SA A20098570
Address: Avenida de la libertad 10, 6º 20004 San Sebastián (Guipúzcoa)
SAYMA MADRID SL B86623667
Address: José Abascal 58, 28003 Madrid (Madrid)
SAYMA ALAVA SA A01123199
Address: C/ General Álava 18, 01005 Vitoria (Álava)
Hereinafter to refer to all of them: SAYMA.
Protection of personal data
These clauses establish the conditions that enable SAYMA to process personal data arising from the execution of the contract or the provision of the service contracted with the customer. SAYMA will process, to the extent that the execution of the contract or the provision of the service makes it essential, personal data for which the customer is responsible. These general conditions, mentioned in the particular conditions and accepted by the customer, are established to comply with the provisions of Article 12 of the LOPD, Articles 20 and 21 of RD 1720/2007, and Article 28 of EU Regulation 2016/679, delimiting the obligations of the controller and processor.
The processing carried out will consist of the service detailed in the contract or estimate accepted by the customer.
The customer, as data controller, authorizes SAYMA to process on its own behalf the personal data contained in its processing to the extent necessary to provide the service indicated.
SAYMA may process the data indicated by adopting those decisions that are necessary for the proper provision of the service.
Identification of affected information
For the execution of the services deriving from the fulfillment of the object of the order, the client responsible for the processing has made available to SAYMA, the entity in charge of the processing, the information described in the particular conditions, or in the accepted estimate, without this description being exhaustive or excluding other related documents.
Obligations of the customer as data controller
In addition to those established in the data protection regulations, at least the following obligations correspond to the customer, as data controller:
- A) To provide the person in charge with access to the data that form part of its files or to deliver them in the manner that is appropriate for the proper provision of the service.
- B) To inform in accordance with the regulations the interested parties whose data are subject to processing and to have lawfully obtained their express consent or to have legitimate and accreditable reasons for the same.
- C) To have established the legal basis that legitimizes the processing.
- D) To provide simple mechanisms for interested parties to exercise their rights.
- E) To have risk assessments, a register of processing operations and impact assessments if necessary due to the nature of the data processed.
- F) To have the appropriate security measures in place to safeguard the data in the transmission of the data to the data processor.
- G) Appoint a data protection delegate in those cases where it is mandatory and communicate his/her identity to the person in charge.
SAYMA’s obligations as data processor
SAYMA undertakes to comply with the provisions of European and Spanish data protection regulations and is obliged to:
INSTRUCTIONS FOR USE AND COMMUNICATION OF DATA
- SAYMA will use the personal data being processed, or those collected for inclusion, only for the purpose of this order. Under no circumstances may it use the data for its own purposes.
- It will process the data in accordance with the instructions of the controller. If SAYMA considers that any of the instructions infringes EU Regulation 2016/679, the LOPD or any other data protection provisions of the Union or Member States, it will immediately inform the controller.
- SAYMA undertakes not to copy or reproduce the information provided by the data controller except when its processing is necessary for the purposes foreseen in the contract.
- SAYMA will not communicate the data to third parties, except with the express authorization of the data controller, or in the cases provided by law. The transfer to subcontracted third parties is regulated in another section of this document.
- SAYMA will keep the personal data being processed secret for an indefinite period of time. This obligation persists after the termination of the contract.
SECURITY MEASURES
SAYMA has adopted appropriate security measures to safeguard the integrity of the data to which it has access for the provision of the service, and to prevent its alteration, loss or unauthorized access. Likewise, the measures adopted guarantee the confidentiality, integrity and availability of the information, as well as the permanent resilience of the processing systems in the event of a physical or technical incident. The measures that are in place on an ongoing basis are as follows.
- 4.2.1. Media. There is an up-to-date list of the storage media, where these are necessary for the type of provision or service contracted, and of the processor's personnel with access to them. If media have to be moved between the premises of the processor and the controller, or vice versa, sensitive labelling, ciphering, encryption or password protection systems are used, and the transport of all types of media uses mechanisms that hinder opening, access or tampering by unauthorized persons.
- 4.2.2 Incidents. Any incident affecting personal data will be immediately communicated to the data controller.
- 4.2.3. Backup copies. If the contracted service provision involves the data being stored on SAYMA's systems, there will be a standardized procedure that guarantees that backup copies are made, as well as mechanisms for periodically checking their quality.
- 2.4. SAYMA has a system that continuously verifies, evaluates and reviews the security measures.
STAFF
The number of people under SAYMA's authority who process the controller's personal data is limited and known. There is an updated list of workers with access, who are always those essential to comply with the purpose of the contract. All SAYMA personnel receive regular training in confidentiality and data protection, and know the applicable regulations, their obligations in this area and the consequences of non-compliance with the law.
TREATMENT ACTIVITY LOG
SAYMA keeps a written record of all categories of processing activities carried out on behalf of the controller, and this record contains:
- The name and contact details of the processor and of each controller on whose behalf the processor is acting and, where appropriate, of the representative of the controller or of the processor and of the data protection officer.
- The categories of processing carried out on behalf of each person in charge.
- Where applicable, transfers of personal data to a third country or international organization, including the identification of the same and, in the case of transfers referred to in Article 49(1), second paragraph of the GDPR, documentation of appropriate safeguards.
Communication to other processors
SAYMA may communicate the data to other data processors of the same controller, according to its instructions. In this case, the controller shall identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied to proceed with the communication. If SAYMA must transfer personal data to a third country or to an international organization, under the law of the Union or of the Member States that is applicable to it, it shall inform the data controller of this legal requirement in advance, unless such law prohibits it for important reasons of public interest.
Subcontracting
The subcontracting of the services that are part of the object of this contract involving the processing of personal data is not allowed, except for the auxiliary services necessary for the normal operation of the services of the person in charge. If it is necessary to subcontract any processing, this fact must be communicated in writing to the data controller at least TWO MONTHS in advance, indicating the processing to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. The subcontracting may be carried out if the data controller does not express its opposition within the established term. The subcontractor, who will also have the status of data processor, is also obliged to comply with the obligations established in this document for SAYMA as data processor and the instructions issued by the controller. It is up to SAYMA, as the initial processor, to regulate the new relationship so that the new processor is subject to the same conditions (instructions, obligations, security measures…) and the same formal requirements as SAYMA itself, regarding the proper processing of personal data and the guarantee of the rights of the persons concerned. In the event of non-compliance by the sub-processor, SAYMA as the initial processor shall remain fully liable to the controller.
Rights of interested parties
SAYMA undertakes to assist the data controller in responding to the exercise of the rights of:
- Access, rectification, deletion and opposition
- Treatment limitation
- Data portability
- Not be subject to automated individualized decisions (including profiling).
When the affected persons exercise their rights of access, rectification, deletion and opposition, limitation of processing, data portability and not to be subject to automated individualized decisions before SAYMA, SAYMA must communicate it by email to the usual address of the controller. The communication will be made immediately and in no case later than the working day following receipt of the request, together, where appropriate, with other information that may be relevant to resolve the request.
Notification of data security breaches
SAYMA as data processor shall notify the data controller, without undue delay, and in any case within 72 hours, and via EMAIL, of any breach of security of the personal data under its responsibility of which it becomes aware, together with all relevant information for the documentation and communication of the incident. Notification shall not be required when such security breach is unlikely to constitute a risk to the rights and freedoms of natural persons. If available, at least the following information shall be provided:
- a) Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
- b) The name and contact details of the data protection officer or other point of contact where further information can be obtained.
- c) Description of the possible consequences of the personal data security breach.
- d) Description of the measures taken or proposed to be taken to remedy the breach of security of personal data, including, where appropriate, measures taken to mitigate the possible negative effects.
If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided gradually without undue delay. The data controller shall be the one to make the communications to the Data Protection Agency or to the data subjects.
Collaboration with the person in charge
SAYMA undertakes to:
- a) Support the controller in carrying out data protection impact assessments, where appropriate.
- b) Support the controller in carrying out prior consultations with the supervisory authority, where appropriate.
- c) Make available to the controller all information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the controller or another auditor authorized by the controller.
- d) Designate a data protection officer and communicate his/her identity and contact details to the data controller. This obligation shall only exist in the cases established in the regulations.
Termination of the relationship
Once the performance has been fulfilled, as established in the contract, SAYMA, at the choice of the data controller, will proceed to:
- Return to the data controller the personal data and, where appropriate, the media on which they are stored. The return will entail the total deletion of the data existing on the computer equipment used by the data processor.
- Hand over to another processor designated in writing by the data controller, the personal data and, where appropriate, the media on which they are stored. The return must involve the complete erasure of the data on the computer equipment used by the processor.
- Destroy the data, once the service has been rendered. Once destroyed, the processor must certify its destruction in writing and must deliver the certificate to the data controller.
However, SAYMA may keep a copy, with the data duly stamped, as long as liabilities may arise from the execution of SAYMA's obligations under the terms and conditions of the contract.

