Document RGPD from www.guitarrasesquivias.com

DATA PROCESSING

 Information clause:

The person responsible at Guitarras Esquivias and www.guitarrasesquivias.com is Eduardo Esquivias D., whose e-mail address is info@guitarrasesquivias.com.

In Esquivias Guitars I treat the information you provide me by email with the sole purpose of: answering questions, resolving doubts and responding to requests or queries you have about the guitars that appear in www.esquiviasguitars.com and the construction of them or other ones. I will keep your data only as long as strictly necessary and as long as you do not ask me to cease our contact and/or relationship, which you can do by e-mail at info@guitarrasesquivias.com, or when they have not been used for some time. I have no intention of passing on your data to third parties except in cases where there is a legal obligation to do so. You have the right to obtain confirmation as to whether Guitarras Esquivias is processing your personal data. Therefore you have the right to access them, rectify those that are inaccurate or request their deletion when they are no longer necessary for the purposes for which they were collected.

SERVICE COMPANY

Contracts:

1. Purpose of the processing order

By means of the present clauses, Raiola Networks S.L. is enabled, as the data processor, to process on behalf of Guitarras Esquivias, as the data controller, the personal data necessary to provide the service specified below.

Treatment will consist of Hosting Home SSD - guitarrasesquivias.com (03/12/2017 - 02/12/2018) Would you like to install a CMS?: WordPress Registration and Domain - guitarrasesquivias.com - 1 Year (03/12/2017 - 02/12/2018) + ID Protection.

2. Identification of the information concerned

For the execution of the services derived from the fulfillment of the object of this order, Guitarras Esquivias, as the data controller, puts at the disposal of the entity Raiola Networks S.L. the information available in the computer equipment that supports the data processing carried out by the controller.

3. Duration

This agreement has a duration of 1 year, renewable.

At the end of this contract, the data processor must return the personal data to the data controller and delete any copies he keeps in his possession. He or she may, however, keep the data blocked in order to meet any administrative or jurisdictional responsibilities.

4. Obligations of the processor

The person in charge of the treatment and all his personnel are obliged to:

  • Use the personal data to which you have access only for the purpose of this order. Under no circumstances may you use the data for your own purposes.
  • Process the data according to the instructions of the controller.

If the processor considers that any of the instructions violate the RGPD or any other data protection provision, the processor shall immediately inform the controller.

  • Not to communicate the data to third parties, except with the express authorisation of the data controller, in legally admissible cases.
  • Maintain the duty of secrecy with regard to personal data to which you have had access by virtue of this order, even after the end of the contract.
  • Ensure that persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the relevant security measures, of which they must be informed accordingly.
  • Maintain at the disposal of the person in charge the documentation accrediting compliance with the obligation established in the previous section.
  • Ensure the necessary training in the protection of personal data of persons authorised to process personal data.
  • Notification of data security breaches

The data processor shall notify the data controller, without undue delay and via the e-mail address indicated by the data controller, of any breaches of the security of the personal data of which it is aware, together with all relevant information for the documentation and communication of the incident.

As a minimum, the following information shall be provided:

  1. Description of the nature of the breach of personal data security, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
  2. Contact person details for more information.
  3. Description of the possible consequences of the breach of the security of personal data. Description of the measures taken or proposed to remedy the breach of personal data security, including, where appropriate, measures taken to mitigate possible negative effects.

If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided in a phased manner without undue delay.

  • Make available to the person responsible all the information necessary to demonstrate compliance with their obligations, as well as for the performance of audits or inspections carried out by the person in charge or another auditor authorised by him.
  • Assist the person responsible for treatment to implement the necessary security measures for:
  1.  Ensure the continued confidentiality, integrity, availability and resilience of treatment systems and services.
  2.  Restore availability and access to personal data quickly in the event of a physical or technical incident.
  3.  Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organisational measures implemented to guarantee the security of the treatment.
  • Destination of the data

The data controller shall not store personal data relating to the data processor's processing unless strictly necessary for the provision of the service, and only for the time strictly necessary for the provision of the service.

5. Obligations of the controller

It is the responsibility of the data controller:

  1. To provide the manager with access to the equipment in order to provide the contracted service.
  2. Ensuring, prior to and throughout the treatment, the compliance of the person in charge with the RGPD.
  3. Monitor the treatment.

RECORDING OF PROCESSING ACTIVITIES

Treatment: Potential web users.

Purpose of treatment

  • Relationship management with potential users.

Description of categories of potential customers and categories of personal data:

  • Potential users:
    • People potentially interested in Esquivias guitars
  • Categories of personal data:
    • The necessary ones to answer the questions, to solve the doubts and to take care of the requests or consultations that they have on the guitars that appear in the web (guitarrasesquivias.com) and the construction of the same or others by e-mail.

These are low-risk personal data.

The categories of recipients to whom the personal data have been or will be communicated:

  • Not contemplated. Guitarras Esquivias is the only recipient.

 

ANNEX. SECURITY MEASURES

INFORMATION OF GENERAL INTEREST

This document has been designed for the treatment of low-risk personal data, from which it follows that it may not be used for the processing of personal data relating to racial or ethnic origin, political, religious or philosophical ideology, trade union membership, genetic and biometric data, health data, data relating to the sexual orientation of individuals, or any other processing of data involving a high risk to the rights and freedoms of individuals.

Article 5.1.f of the General Data Protection Regulation (RGPD) determines the need to establish adequate security safeguards against unauthorised or unlawful processing, loss of personal data, destruction or accidental damage. This implies the establishment of technical and organisational measures aimed at ensuring the integrity and confidentiality of personal data and the possibility (Article 5.2) of demonstrating that these measures have been implemented (proactive liability).

In the case of Guitarras Esquivias: Hosting Inicio SSD - guitarrasesquivias.com (03/12/2017 - 02/12/2018) WordPress Registration and Domain - guitarrasesquivias.com - 1 Year (03/12/2017 - 02/12/2018) + ID Protection and https://www.guitarrasesquivias.com/.

Depending on the type of treatment you are manifesting, the minimum security measures you should have and I take into account are as follows:

ORGANISATIONAL MEASURES

  • DUTY OF CONFIDENTIALITY AND SECRECY
    • Only I have access to personal data. To this end, the following will be avoided: leaving personal data exposed to third parties (unattended electronic screens, paper documents in areas of public access, media with personal data, etc.). When I have finished answering and replying to emails, I will block the screen or close the session, and that's that.
    • Paper documents (if there are any, which I don't think there will be) and electronic media will be stored in a safe place (closets or restricted access rooms) 24 hours a day.
    • No documents or electronic media (cd, pen drives, hard disks, etc.) with personal data will be discarded without guaranteeing and ensuring their destruction.
    • No personal data or any personal information will be communicated to third parties, I will pay special attention not to divulge protected personal data from emails, etc.

 

  • RIGHTS OF DATA SUBJECTS

Guitarras Esquivias is just me and, I think I can say, it will always be me but in any case:

It would inform all employees about the procedure for dealing with the rights of data subjects, clearly defining the mechanisms by which rights may be exercised (electronic means, reference to the Data Protection Officer if any, postal address, etc.) taking into account the following:

  • On presentation of their national identity card or passport, the holders of personal data (data subjects) may exercise their rights of access, rectification, erasure, objection and portability. The controller must respond to data subjects without undue delay.

For right of access data subjects will be provided with a list of the personal data at their disposal together with the purpose for which they were collected, the identity of the recipients of the data, the storage periods, and the identity of the data controller to whom they may request rectification, erasure and opposition to the processing of the data.

For right of rectification the data subject's inaccurate or incomplete data will be modified for the purposes of processing.

For right of withdrawal data subjects' data will be deleted when the data subjects express their refusal or opposition to the consent for the processing of their data and there is no legal duty that prevents it.

For portability right the data subjects must communicate their decision and inform the controller, where appropriate, of the identity of the new controller to whom they are providing their personal data.

The controller must inform all persons with access to personal data about the terms of compliance to meet the rights of data subjects, the form and procedure in which these rights will be met.

  • BREACHES OF PERSONAL DATA SECURITY
    • When personal data security breaches occur, such as theft or improper access to personal data, the Spanish Data Protection Agency will be notified within 72 hours of such breaches, including all necessary information for the clarification of the facts that led to the improper access to personal data. The notification will be made by electronic means through the electronic headquarters of the Spanish Data Protection Agency at the address: https://sedeagpd.gob.es

 

TECHNICAL MEASURES

IDENTIFICATION

  • When the same computer or device is used for the processing of personal data and purposes of personal use it is recommended to have several different profiles or users for each of the purposes. Professional and personal uses of the computer should be kept separate.
  • It is recommended to have profiles with administration rights for the installation and configuration of the system, and users without privileges or administration rights for access to personal data. In the event of a cybersecurity attack, this measure prevents the attacker from obtaining access privileges or modifying the operating system.
  • The existence of passwords for access to personal data stored in electronic systems shall be guaranteed. The password shall have at least 8 characters, a mixture of numbers and letters.
  • Where personal data are accessed by different persons, for each person with access to personal data, a specific username and password (unambiguous identification) shall be available. However, in the case of Guitarras Esquivias only one user has access to such data and no one else.
  • The confidentiality of passwords is guaranteed and they are not exposed to third parties. For the management of passwords you can consult The Internet Privacy and Security Guide of the Spanish Data Protection Agency and the National Cybersecurity Institute.
  • Under no circumstances will I share passwords or leave them written down in a common place or with access by people other than myself or the Christ who founded it.

 

DUTY OF CARE

The minimum technical measures to ensure the safeguarding of personal data are set out below:

  • UPDATING COMPUTERS AND DEVICES: The devices and computers that I use for the storage and processing of personal data are updated as far as possible.
  • MALWARE: In the computers and devices where the automated treatment of personal data is carried out, an antivirus system will be available that guards, as far as possible, against the theft and destruction of information and personal data. The antivirus system must be updated periodically.
  • FIREWALL: In order to avoid undue remote access to personal data, care will be taken to guarantee the existence of an activated firewall in those computers and devices in which personal data are stored and/or processed.
  • DATA ENCRYPTION: When it is necessary to extract personal data outside the premises where it is processed, either by physical means or by electronic means, the possibility of using an encryption method to guarantee the confidentiality of personal data in the event of undue access to the information should be considered.
  • BACKUP COPY: Periodically, a backup copy will be made on a second medium different from the one used for daily work. The copy will be stored in a safe place, different from the one where the computer with the original files is located, in order to allow the recovery of personal data in case of loss of information.

Signed: Eduardo Esquivias D.