Privacy Policy
Legal regulations to which this website is subject
This blog applies 3 laws that regulate the relationship between the provider and users:
- The RGPD (Regulation (EU)/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with this privacy policy template)
- The LOPDGDD (Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights)
- The LSSI (Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce on the blog).
Data of the data controller:
Identity: Nezeni Cosmetic S.L – NIF: B87980868
Postal address: C/ Orden de los Templarios, 2
E-mail: [email protected]
Sending and Recording Personal Data
Tendenzias Media SL processes the information you provide in order to provide the requested service and perform billing. The data provided will be kept as long as the business relationship is maintained or for the time necessary to comply with legal obligations and meet the possible responsibilities that may arise from the fulfillment of the purpose for which the data were collected. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain information about whether Tendenzias Media SL is processing your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to their treatment before Tendenzias Media SL, Calle Cutanga 8 5D or email address [email protected], attaching a copy of your ID or equivalent document. Also, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a complaint with the national supervisory authority by contacting the Spanish Data Protection Agency for this purpose, C/ Jorge Juan, 6 – 28001 Madrid.
Data category
The categories of data processed are identification data, namely, user name, e-mail and IP address.
Duration
The data processed will be kept as long as the legal terms established for data retention do not expire, if there is a legal obligation to keep the data, or if there is no such legal term, until the interested party requests its deletion or revokes the consent given.
SERVICE COMPANIES
Contracts:
- Hosting: OVH.
  - Hosting company located within the EU.
- Analysis Service: Google Analytics.
  - It uses “cookies”, which are text files placed on your computer, to help us analyze how users use the site.
- Facebook Ads
  - Platform for the creation of advertising campaigns.
- Amazon Affiliates
  - Platform for the contribution of products from the Amazon platform with information about its products, prices, etc.
- FEEBBO SOLUTIONS, S.L.
  - Email marketing campaigns and promotions.
A) Clauses for service providers with access to information systems.
1. Purpose of the processing order
By means of the present clauses, the provider, as data processor, is authorized to process on behalf of Tendenzias Media SL, as data controller, the personal data necessary to provide the service specified hereinafter.
2. Identification of the affected information
For the execution of the services derived from the fulfillment of the object of this order, the entity Tendenzias Media SL, as data controller, makes available to the provider entity the information available on the computer equipment that supports the data processing carried out by the controller.
3. Obligations of the processor
The data processor and all its personnel are obliged to:
- Use the personal data to which it has access as a result of the provision of the service only for the purpose of this order. Under no circumstances may it use the data for its own purposes.
- Process the data in accordance with the documented instructions of the data controller. If the processor considers that any of the instructions provided violate the General Data Protection Regulation or any other data protection provisions, the processor shall immediately inform the controller.
- Not communicate or disseminate the data to third parties, except with the express authorization of the data controller or in the legally admissible cases. If the processor wants to subcontract, totally or partially, the services that are the object of this contract, it must inform the controller and request the controller's prior authorization.
- Maintain the duty of secrecy with respect to the personal data to which it has had access by virtue of this assignment, even after the end of the contract.
- Ensure that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which the person in charge shall inform them accordingly.
- Keep at the disposal of the controller the documentation accrediting compliance with the obligation established in the previous section.
- Ensure the necessary training in personal data protection for persons authorized to process personal data.
- Notification of data security breaches:
The data processor shall notify the controller, without undue delay and via the e-mail address provided by the controller, of any breaches of security of the personal data under its responsibility of which it becomes aware, together with all relevant information for the documentation and communication of the incident. It shall also notify any failure it has suffered in its information processing and management systems that may jeopardize the security of the personal data processed, its integrity or availability, as well as any possible breach of confidentiality as a result of the disclosure to third parties of the data and information accessed during the performance of the contract.
At a minimum, the following information shall be provided:
  - Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
  - Contact person’s data for further information.
  - Description of the possible consequences of a breach of personal data security.
  - Description of the measures taken or proposed to be taken to remedy the breach of security of personal data, including, if applicable, measures taken to mitigate the possible negative effects.
If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided gradually without undue delay.
- Make available to the controller all information necessary to demonstrate compliance with its obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the controller or another auditor authorized by the controller.
- Assist the data controller to implement the necessary security measures to:
  a) Ensure the confidentiality, integrity, availability and resilience of processing systems and services at all times.
  b) Restore availability and access to personal data quickly in the event of a physical or technical incident.
  c) Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
- Destination of the data:
The data processor shall not retain personal data relating to the processing carried out unless it is strictly necessary for the provision of the service covered by the contract and only for the minimum time necessary.
Once the provision of the service covered by the contract has been completed, the data processor will delete, return to the controller or deliver, where appropriate, to a new processor, as determined by Tendenzias Media SL, all personal data.
Data should not be destroyed when there is a legal provision requiring their retention, in which case they should be returned to the data controller, who will ensure their retention, duly blocked, for as long as such obligation persists.
The return must involve the complete erasure of the data on the computer equipment used by the processor. However, the processor may keep a copy of the data, duly blocked, for as long as liabilities may arise from the performance of the services provided to the data controller.
4. Obligations of the data controller
It is the responsibility of the data controller:
- Provide the processor with access to the equipment so that it can provide the contracted service.
- To ensure, prior to and throughout the processing, that the data processor complies with the applicable data protection provisions.
- Monitor the processing, including the possibility of requesting information to verify compliance with the obligations set forth in this contract.
Conflict resolution platform
As a User, you have at your disposal the dispute resolution platform provided by the European Commission itself, which you can access here: https://ec.europa.eu/consumers/odr/main/index.cfm?event=main.home2.show&lng=ES
TREATMENT ACTIVITY LOG
a) Responsible for the treatment | Identity: Tendenzias Media SL – NIF: B85014223; Postal address: Calle Cutanga 8 5D; E-mail: [email protected] |
b) Purpose of processing | Customer relationship management |
c) Categories of stakeholders | Customers: Persons with whom a business relationship is maintained as customers. |
d) Categories of data | Sending postal or e-mail advertising, after-sales service and loyalty service; Identification data: name and surname, NIF, postal address, telephone numbers, e-mail address |
e) Categories of recipients | Feebbo Digital ICM |
f) International transfers | There are no plans to make international transfers |
g) Period for elimination | Those provided for by tax legislation with respect to the statute of limitations for liabilities. |
h) Security measures | Those reflected in the APPENDIX SECURITY MEASURES |
ATTENTION TO THE EXERCISE OF RIGHTS
The data controller will inform all employees about the procedure for attending to the rights of data subjects, clearly defining the mechanisms by which the rights may be exercised (electronic means, reference to the Data Protection Officer if any, postal address, etc.) and taking into account the following:
– Upon presentation of their national identity card or passport, the holders of personal data (data subjects) may exercise their rights of access, rectification, erasure, objection, portability and limitation of processing. The exercise of these rights is free of charge.
– The data controller must respond to data subjects without undue delay and in a concise, transparent, intelligible, clear and simple language and keep proof of compliance with the duty to respond to requests for the exercise of rights made.
– If the request is submitted by electronic means, the information shall be provided by electronic means whenever possible, unless the interested party requests otherwise.
– Requests must be answered within 1 month of receipt, which may be extended by a further two months taking into account the complexity or number of requests, but in this case the interested party must be informed of the extension within one month of receipt of the request, stating the reasons for the delay.
RIGHT OF ACCESS:
In the right of access, the interested parties will be provided with a copy of the personal data available together with the purpose for which they have been collected, the identity of the recipients of the data, the expected retention periods or the criteria used to determine it, the existence of the right to request the rectification or deletion of personal data as well as the limitation or opposition to their processing, the right to file a complaint before the Spanish Data Protection Agency and if the data have not been obtained from the interested party, any available information on their origin. The right to obtain a copy of the data may not adversely affect the rights and freedoms of other interested parties.
Email to [email protected]
RIGHT OF RECTIFICATION:
In the right of rectification will proceed to modify the data of the interested parties that were inaccurate or incomplete according to the purposes of treatment. The interested party must indicate in the request to which data refers and the correction to be made, providing, where necessary, supporting documentation of the inaccuracy or incompleteness of the data being processed. If the data have been communicated by the data controller to other data controllers, the data controller shall notify them of the rectification of the data unless it is impossible or requires a disproportionate effort, providing the data subject with information about such recipients, if requested.
Email to [email protected]
RIGHT OF DELETION:
In the right of deletion, the data of the interested parties will be deleted when they express their refusal to the processing and there is no legal basis that prevents it, they are not necessary in relation to the purposes for which they were collected, they withdraw their consent and there is no other legal basis that legitimizes the processing or it is unlawful. If the erasure derives from the exercise of the data subject’s right to object to the processing of his or her data for marketing purposes, the data subject’s identification data may be retained in order to prevent future processing.
If the data have been communicated by the data controller to other data controllers, the data controller shall notify them of the deletion of the data unless this is impossible or would require a disproportionate effort, providing the data subject with information about such recipients, if requested.
Email to [email protected]
RIGHT TO OPPOSITION:
Under the right to object, when data subjects express their refusal to the controller to process their personal data, the controller shall cease processing them provided that there is no legal obligation to do so. Where the processing is based on a public interest mission or on the legitimate interest of the controller, upon a request to exercise the right to object, the controller shall cease processing the data unless compelling grounds overriding the interests, rights and freedoms of the data subject or necessary for the formulation, exercise or defense of claims are demonstrated. If the data subject objects to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
Email to [email protected]
RIGHT OF PORTABILITY:
Under the right of portability, if the processing is carried out by automated means and is based on consent or is carried out within the framework of a contract, data subjects may request to receive a copy of their personal data in a structured, commonly used and machine-readable format. They also have the right to request that it be transmitted directly to a new controller, whose identity must be communicated, where technically feasible.
Email to [email protected]
RIGHT OF LIMITATION ON PROCESSING:
Under the right of limitation on processing, data subjects may request the suspension of processing of their data to contest its accuracy while the controller carries out the necessary verifications or in the event that the processing is carried out on the basis of the legitimate interest of the controller or in fulfilment of a public interest mission, while verifying whether these grounds override the interests, rights and freedoms of the data subject. The data subject may also request the retention of the data if he/she considers that the processing is unlawful and, instead of erasure, requests the restriction of the processing, or if, although the data are no longer needed by the controller for the purposes for which they were collected, the data subject needs them for the formulation, exercise or defense of claims. The fact that the processing of the data subject’s data is restricted must be clearly stated in the controller’s systems. If the data have been communicated by the data controller to other data controllers, the data controller shall notify them of the limitation of the processing of such data unless it is impossible or would require a disproportionate effort, providing the data subject with information about such recipients, if so requested.
Email to [email protected]
If the data subject’s request is not acted upon, the data controller shall inform the data subject, without delay and no later than one month after receipt of the request, of the reasons for not acting and of the possibility of filing a complaint with the Spanish Data Protection Agency and of taking legal action.
SECURITY MEASURES
Based on the type of processing you have indicated when completing this form, the minimum security measures you should consider are as follows:
ORGANIZATIONAL MEASURES
INFORMATION THAT SHALL BE KNOWN TO ALL STAFF WITH ACCESS TO PERSONAL DATA
All staff with access to personal data shall be aware of their obligations in relation to the processing of personal data and shall be informed about such obligations. The minimum information that shall be known by all personnel shall be the following:
– DUTY OF CONFIDENTIALITY AND SECRECY
– Access to personal data by unauthorized persons shall be prevented. To this end, leaving personal data exposed to third parties (unattended electronic screens, paper documents in public access areas, media with personal data, etc.) shall be avoided. This includes screens used to display images from the video surveillance system. When absent from the workstation, the screen shall be locked or the session shall be closed.
– Paper documents and electronic media shall be stored in a safe place (cabinets or restricted access rooms) 24 hours a day.
– Documents or electronic media (CDs, pen drives, hard disks, etc.) containing personal data shall not be disposed of without ensuring their effective destruction.
– Personal data or any other information of a personal nature shall not be communicated to third parties, paying particular attention not to disclose protected personal data during telephone consultations, e-mails, etc.
– The duty of secrecy and confidentiality persists even when the employee’s employment relationship with the company ends.
– PERSONAL DATA SECURITY VIOLATIONS
– When personal data security violations occur, such as, for example, theft or improper access to personal data, the Spanish Data Protection Agency shall be notified within 72 hours of such security violations, including all the information necessary to clarify the facts that have given rise to the improper access to personal data. The notification will be made by electronic means through the electronic headquarters of the Spanish Data Protection Agency at the address https://sedeagpd.gob.es/sede-electronica-web/.
TECHNICAL MEASURES
IDENTIFICATION
– When the same computer or device is used for personal data processing and personal use purposes, it is recommended to have several different profiles or users for each of the purposes. Professional and personal use of the computer should be kept separate.
– It is recommended to have profiles with administration rights for system installation and configuration and users without privileges or administration rights for access to personal data. This measure will prevent access privileges from being obtained or the operating system from being modified in the event of a cybersecurity attack.
– Passwords shall be guaranteed for access to personal data stored in electronic systems. The password will have at least 8 characters, a mixture of numbers and letters.
– When personal data is accessed by different persons, each person with access to personal data shall have a specific user name and password (unequivocal identification).
– The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties. For the management of passwords you can consult the guide of privacy and security on the Internet of the Spanish Data Protection Agency and the National Institute of Cybersecurity. In no case will passwords be shared nor will they be left written down in a common place and accessed by persons other than the user.
DUTY TO SAFEGUARD
The following are the minimum technical measures to ensure the safeguarding of personal data:
– UPDATING OF COMPUTERS AND DEVICES: Devices and computers used for the storage and processing of personal data must be kept up to date to the extent possible.
– MALWARE: Computers and devices where the automated processing of personal data is carried out shall have an antivirus system that prevents, as far as possible, the theft and destruction of personal information and data. The antivirus system shall be updated periodically.
– FIREWALL: In order to avoid undue remote access to personal data, a firewall shall be activated and correctly configured in those computers and devices where personal data is stored and/or processed.
– DATA ENCRYPTION: When it is necessary to extract personal data outside the premises where it is processed, whether by physical or electronic means, the possibility of using an encryption method to guarantee the confidentiality of personal data in the event of improper access to the information must be assessed.
– SECURITY COPY: A backup copy shall be made periodically on a second medium other than the one used for daily work. The copy will be stored in a safe place, different from the one where the computer with the original files is located, in order to allow the recovery of personal data in case of loss of information.