Privacy and data protection policy
Documentation
Information badge for video-surveillance area
Informative clauses
Contracts with data processors
Record of treatment activities
Informative annex
KOAN CONSULTING, SL - B82718545
C/ TOMILLO, 14 B
e-mail: info@koanconsulting.com
Purpose of treatment: Security of people, property and facilities
Interested parties: People who access or try to access the facilities
Recipients: Security Forces and Bodies
Conservation period: 1 month from collection
DOCUMENTATION TO REVIEW
This document contains the information clauses that must be included in the information request forms, the contractual clauses, regarding data protection, to be attached to each of the service provision contracts that you sign with the data processors, the registry of processing activities and an annex with the guidelines to respond to requests to exercise data protection rights received from interested parties, recommendations on the minimum security measures that should be implemented in the organization and the requirements to follow to correct treatment of the images captured by the video surveillance cameras together with the information poster to mark the video-surveillance area, already completed with the data of the person responsible for the treatment.
​
The documentation generated is adapted to the information provided for each of the treatments you selected when completing the application.
PROCESSING CUSTOMER DATA
Informative clause:
​
The text shown below must be included in all forms you use to collect personal data from your clients, whether it is done on paper or collected through a web form.
Data of the person responsible for the treatment:
Identity: KOAN CONSULTING, SL - NIF: B82718545
Postal address: C/ TOMILLO, 14 B
Telephone: 686497676 - Email: info@koanconsulting.com
“At KOAN CONSULTING, SL we process the information you provide us in order to provide you with the requested service and perform your billing. The data provided will be kept as long as the commercial relationship is maintained or for the time necessary to comply with legal obligations and address possible responsibilities that may arise from fulfilling the purpose for which the data was collected. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain information about whether at KOAN CONSULTING, SL we are processing your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to its processing before KOAN CONSULTING, SL, C / TOMILLO, 14 B or at the email address info@koanconsulting.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national control authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 for these purposes. Madrid.
Likewise, we request your authorization to offer you products and services related to those contracted and to retain you as a customer.”
​
YES
NO
NOTICE: You must bear in mind that, if your client checks the NO option, under no circumstances will they be able to send you advertising.
PROCESSING CUSTOMER DATA
Informative clause:
​
The text shown below must be included in all forms you use to collect personal data from your potential clients, whether it is done on paper or collected through a web form.
Data of the person responsible for the treatment:
​
Identity: KOAN CONSULTING, SL - NIF: B82718545
Postal address: C/ TOMILLO, 14 B
Telephone: 686497676 - Email: info@koanconsulting.com
​
“At KOAN CONSULTING, SL we process the information you provide us in order to provide you with the requested service or send the requested information. The data provided will be kept as long as you do not request us to cease the activity. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain information about whether at KOAN CONSULTING, SL we are processing your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to its processing before KOAN CONSULTING, SL, C / TOMILLO, 14 B or at the email address info@koanconsulting.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national control authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 for these purposes. Madrid.
Likewise, we request your authorization to send you advertising related to our products and services by any means (postal, email or telephone) and invite you to events organized by the company.”
​
YES
NO
NOTICE: If you purchase personal data from third parties to advertise their products and services, you must take into account whether they come from publicly accessible sources and are verified against the Robinson list.
​
NOTICE: Remember that you must delete the data when a period of time has passed without using it.
PROCESSING CUSTOMER DATA
Informative clause:
The text shown below must be included in all forms you use to collect personal data from suppliers or in the invoices you issue.
Data of the person responsible for the treatment:
Identity: KOAN CONSULTING, SL - NIF: B82718545
Postal address: C/ TOMILLO, 14 B
Telephone: 686497676 - Email: info@koanconsulting.com
“At KOAN CONSULTING, SL we process the information you provide us in order to place orders and manage the billing of the contracted products and services. The data provided will be kept as long as the commercial relationship is maintained or for the time necessary to comply with legal obligations and address possible responsibilities that may arise from fulfilling the purpose for which the data was collected. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain information about whether at KOAN CONSULTING, SL we are processing your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to its processing before KOAN CONSULTING, SL, C / TOMILLO, 14 B or at the email address info@koanconsulting.com, attaching a copy of your ID or equivalent document.
Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national control authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 for these purposes. Madrid."
​
YES
NO
NOTICE: If suppliers provide their data through another system, they will be asked to sign a dated form containing the above information.
NOTICE: Do not forget to sign the last page of each of the contracts that have been obtained.
RECORD OF TREATMENT ACTIVITIES
The person responsible for the treatment must review the data recorded in the sections of the Records of Processing Activities generated and verify that they correspond to the exact circumstances of the data collected, the communications made and other conditions of each of the treatments.
​
Treatment: Clients
Treatment: Potential Clients
Treatment: Potential Clients
EXHIBIT
INFORMATION OF GENERAL INTEREST
This document has been designed for low-risk personal data processing, from which it follows that it cannot be used for personal data processing that includes personal data related to ethnic or racial origin, religious or philosophical political ideology, union affiliation, data genetic and biometric data, health data, and data on people's sexual orientation as well as any other data processing that entails a high risk for the rights and freedoms of people.
Article 5.1.f of the General Data Protection Regulation (hereinafter, GDPR) determines the need to establish adequate security guarantees against unauthorized or unlawful processing, loss of personal data, destruction or accidental damage. This implies the establishment of technical and organizational measures aimed at ensuring the integrity and confidentiality of personal data and the possibility of demonstrating, as established in article 5.2, that these measures have been put into practice (proactive responsibility).
​
In addition, it must establish visible, accessible and simple mechanisms for the exercise of rights and have defined internal procedures to guarantee effective attention to the requests received.
INFORMATION OF GENERAL INTEREST
The person responsible for the treatment will inform all workers about the procedure to address the rights of the interested parties, clearly defining the mechanisms by which the rights can be exercised (electronic means, reference to the Data Protection Officer if there is one, postal address , etc.) and taking into account the following:
Upon presentation of their national identity document or passport, the owners of personal data (interested parties) may exercise their rights of access, rectification, deletion, opposition, portability and limitation of processing. The exercise of rights is free.
The person responsible for the treatment must respond to the interested parties without undue delay and in a concise, transparent, intelligible manner, with clear and simple language and retain proof of compliance with the duty to respond to the requests for the exercise of rights made.
If the request is submitted by electronic means, the information will be provided by these means when possible, unless the interested party requests it to be otherwise.
Requests must be responded to within 1 month of receipt, and may be extended for another two months taking into account the complexity or number of requests, but in that case the interested party must be informed of the extension within one month from of receipt of the request, indicating the reasons for the delay.
​
RIGHT OF ACCESS: In the right of access, interested parties will be provided with a copy of the personal data available along with the purpose for which it has been collected, the identity of the recipients of the data, the expected conservation periods or the criteria used to determine it, the existence of the right to request the rectification or deletion of personal data as well as the limitation or opposition to its processing, the right to file a claim with the Spanish Data Protection Agency and if the data has not been been obtained from the interested party, any information available about its origin. The right to obtain a copy of the data cannot negatively affect the rights and freedoms of other interested parties.
• Form for exercising the right of access.
RIGHT OF RECTIFICATION: In the right of rectification, the data of the interested parties that are inaccurate or incomplete will be modified taking into account the purposes of the treatment. The interested party must indicate in the request what data it refers to and the correction to be made, providing, when necessary, documentation justifying the inaccuracy or incomplete nature of the data being processed. If the data has been communicated by the person responsible to other persons responsible, they must notify them of the rectification of this unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.
​
• Form for exercising the right of rectification
​
RIGHT OF DELETION: In the right of deletion, the data of the interested parties will be deleted when they express their refusal to the treatment and there is no legal basis that prevents it, they are not necessary in relation to the purposes for which they were collected, they withdraw their consent. provided and there is no other legal basis that legitimizes the treatment or it is illicit. If the deletion results from the exercise of the interested party's right to object to the processing of their data for marketing purposes, the identifying data of the interested party may be kept in order to prevent future processing. If the data has been communicated by the person responsible to other persons responsible, they must notify them of its deletion unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.
​
• Form for exercising the right of deletion
​
RIGHT OF OPPOSITION: In the right of opposition, when the interested parties express their refusal to the processing of their personal data to the person responsible, the latter will stop processing them as long as there is no legal obligation that prevents it. When the processing is based on a mission of public interest or on the legitimate interest of the person responsible, upon a request to exercise the right of opposition, the person responsible will stop processing the data unless compelling reasons are proven that prevail over the interests, rights and freedoms of the interested party or are necessary for the formulation, exercise or defense of claims. If the interested party objects to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
​
• Form for exerciting the right of opposition
​
RIGHT OF PORTABILITY: In the right of portability, if the processing is carried out by automated means and is based on consent or is carried out within the framework of a contract, interested parties may request to receive a copy of their personal data in a structured format, common use and machine reading. Likewise, they have the right to request that they be transmitted directly to a new person in charge, whose identity must be communicated, when technically possible.
​
• Form for exerciting the right of portabilitys.
​
RIGHT OF LIMITATION TO PROCESSING: In the right of limitation of processing, interested parties may request the suspension of the processing of their data to challenge its accuracy while the person responsible carries out the necessary verifications or in the event that the processing is carried out based on the interest legitimate of the person responsible or in compliance with a mission of public interest, while verifying whether these reasons prevail over the interests, rights and freedoms of the interested party. The interested party may also request the conservation of the data if they consider that the processing is unlawful and, instead of deletion, request the limitation of the processing, or if the data controller no longer needs them for the purposes for which they were collected, the interested party You need them for the formulation, exercise or defense of claims. The fact that the processing of the interested party's data is limited must be clearly stated in the controller's systems. If the data has been communicated by the controller to other controllers, they must notify them of the limitation of their processing unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.
​
• Form for the exerciting the right of limitaion to processingo.
If the interested party's request is not processed, the person responsible for the treatment will inform them, without delay and no later than one month after receiving it, of the reasons for their failure to act and of the possibility of submitting a claim to the Agency. Spanish Data Protection and to exercise judicial actions
SECURITY MEASURES
Depending on the type of processing that you revealed when you completed this form, the minimum security measures that you should take into account are the following:
​
​
INFORMATION THAT SHOULD BE KNOWN BY ALL STAFF WITH ACCESS TO PERSONAL DATA
All personnel with access to personal data must be aware of their obligations in relation to the processing of personal data and will be informed about these obligations. The minimum information that will be known to all staff will be the following:
​
DUTY OF CONFIDENTIALITY AND SECRET
​
Access by unauthorized persons to personal data must be prevented. To this end, it will be avoided to leave personal data exposed to third parties (unattended electronic screens, paper documents in public access areas, media with personal data, etc.). This consideration includes the screens used to display images from the video surveillance system. When you are absent from the workplace, the screen will be locked or the session will be closed.
Paper documents and electronic media will be stored in a secure place (closets or rooms with restricted access) 24 hours a day.
Documents or electronic media (CDs, pen drives, hard drives, etc.) with personal data will not be discarded without guaranteeing their effective destruction.
No personal data or any other personal information will be communicated to third parties, paying special attention to not disclosing protected personal data during telephone consultations, emails, etc.
The duty of secrecy and confidentiality persists even when the worker's employment relationship with the company ends.
PERSONAL DATA SECURITY VIOLATIONS
When security violations of personal data occur, such as theft or improper access to personal data, the Spanish Data Protection Agency will be notified within 72 hours about said security violations, including all information necessary to clarify the facts that gave rise to improper access to personal data. The notification will be made by electronic means through the electronic headquarters of the Spanish Data Protection Agency at the address https://sedeagpd.gob.es/sede-electronica-web/.
​
​
ID
​
When the same computer or device is used for the processing of personal data and personal use purposes, it is recommended to have several different profiles or users for each of the purposes. Professional and personal uses of the computer should be kept separate.
It is recommended to have profiles with administration rights for installation and system configuration and users without privileges or administration rights for access to personal data. This measure will prevent access privileges from being obtained or the operating system modified in the event of a cybersecurity attack.
The existence of passwords will be guaranteed for access to personal data stored in electronic systems. The password will have at least 8 characters, a mix of numbers and letters.
​
When personal data is accessed by different people, for each person with access to personal data, there will be a specific username and password (unambiguous identification).
The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties. For password management you can consult the guide of privacity and security in internet of the Spanish Data Protection Agency and the National Cybersecurity Institute. In no case will passwords be shared or left written down in a common place and access by people other than the user.
​
​
Below are the minimum technical measures to guarantee the safeguarding of personal data:
​
UPDATING COMPUTERS AND DEVICES: The devices and computers used for the storage and processing of personal data must be kept up to date as much as possible.
MALWARE: The computers and devices where the automated processing of personal data is carried out will have an antivirus system that guarantees, to the extent possible, the theft and destruction of personal information and data. The antivirus system must be updated periodically.
​
FIREWALL OR FIREWALL: To avoid improper remote access to personal data, efforts will be made to guarantee the existence of an activated and correctly configured firewall on those computers and devices in which the storage and/or processing of personal data is carried out.
​
DATA ENCRYPTION: When it is necessary to extract personal data outside the premises where its processing is carried out, whether by physical means or by electronic means, the possibility of using an encryption method must be considered to guarantee the confidentiality of the data. personal in case of improper access to information.
BACKUP: Periodically a backup copy will be made on a second medium different from the one used for daily work. The copy will be stored in a safe place, different from where the computer with the original files is located, in order to allow the recovery of personal data in the event of loss of information.
​
The security measures will be reviewed periodically; the review may be carried out by automatic mechanisms (software or computer programs) or manually. Consider that any computer security incident that has happened to anyone you know could happen to you, and prepare against it.
​
If you want more information or technical guidance to guarantee the security of personal data and the information your company processes, the National Cybersecurity Institute (INCIBE) on its website www.incibe.es, puts at your disposal tools with a business focus in its section «Protege tu empresa» where, among other services, it has: formationn with a videogame, for incident response and interactive videos sectorial formation:
​
-
Too many tools to help the company improve its cybersecurity, including politics for the employer, technical staff and the employee, a catalog of companies and security solutions and a risk analysis tool.
-
thematic dossiers complemented with videos and infographics and other resources guides for the entrepreneur.
​​
In addition, INCIBE, through the Internet User Security Office, also makes available free computer tools and additional information that may be useful for your company or professional activity.
CAPTURE OF IMAGES WITH CAMERAS AND SECURITY PURPOSE
VIDEO SURVEILLANCE)
The image of a person, to the extent that it identifies them or can identify them, constitutes personal data that can be processed for various purposes. Although the most common is to use cameras to guarantee the safety of people, goods and facilities, they can also be used for other purposes such as controlling the work performance of workers. Below are the basic guidelines to respect so that the processing of images obtained from video surveillance cameras complies with data protection regulations. However, it is recommended to consult the Guide on the use of video cameras for security and other purposes for a more exhaustive knowledge of the obligations that this type of treatment entails
​
LOCATION OF THE CAMERAS: The capture of images in areas intended for workers' rest will be avoided, as well as the capture of public roads if exterior cameras are used, only allowing the capture of the minimum extension essential to preserve the safety of the people, goods and facilities
​
LOCATION OF MONITORS: The monitors where the images from the cameras are displayed will be located in a restricted access space so that they are not accessible to third parties. Only authorized personnel will have access to the recorded images.
CONSERVATION OF IMAGES: Images will be stored for a maximum period of one month, with the exception of images that prove the commission of acts that threaten the integrity of people, property and facilities. In that case, the images must be made available to the competent authority within 72 hours of becoming aware of the existence of the recording.
​
DUTY OF INFORMATION: Information will be given about the existence of the cameras and image recording by means of an informative badge placed in a sufficiently visible place where, at least, the identity of the person responsible and the possibility of the interested parties to exercise their rights in this matter are identified. of data protection. The pictogram itself may also include a connection code or internet address in which this information is displayed. There are models of both the pictogram and the text on the Agency's website.
LABOR CONTROL: When the cameras are going to be used for the purpose of labor control as provided for in article 20.3 of the Workers' Statute, the worker and their union representatives will be informed by any means that guarantees the receipt of information about the control measures established by the employer with express indication of the purpose of labor control of the images captured by the cameras.
​
RIGHT OF ACCESS TO IMAGES: To comply with the right of access of the interested parties to the recordings of the video surveillance system, a recent photograph and the National Identity Document of the interested party will be requested to verify their identity, as well as details of the date and time to which the right of access refers. The interested party will not be provided direct access to the images from the cameras in which third party images are shown. If it is not possible for the interested party to view the images without showing third-party images, a document will be provided confirming or denying the existence of images of the interested party