CUSTOMER DATA PROCESSING
Data of the person responsible for the treatment:
Identity: Medalab – NIF: B12886263
Postal address: C/ Aralar, 46, 12579 Alcoceber (Castellón) – Spain
Telephone: 682653712 – Email: info@medalab.com
"At Medalab we treat the information you provide us with in order to provide the requested service and bill it. The data provided will be kept as long as the commercial relationship is maintained or for the time necessary to comply with legal obligations and meet the possible responsibilities that may arise from fulfilling the purpose for which the data was collected. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain information about whether at Medalab we are treating your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to its treatment before Medalab, C/ Aralar, 46, 12579 Alcoceber (Castellón) – Spain or at the email address info@medalab.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national control authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001. Madrid.
TREATMENT OF POTENTIAL CUSTOMER DATA
Informative clause:
Data of the person responsible for the treatment:
Identity: Medalab – NIF: B12886263
Postal address: C/ Aralar, 46, 12579 Alcoceber (Castellón) – Spain
Telephone: 682653712 – Email: info@medalab.com
"At Medalab we treat the information you provide us with in order to provide the requested service or send the required information. The data provided will be kept as long as you do not request the cessation of the activity. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain information about whether at Medalab we are treating your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to its treatment before Medalab, C/ Aralar, 46, 12579 Alcoceber (Castellón) – Spain or at the email address info@medalab.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national control authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001. Madrid.
EMPLOYEE DATA PROCESSING
Informative clause:
Data of the person responsible for the treatment:
Identity: Medalab – NIF: B12886263
Postal address: C/ Aralar, 46, 12579 Alcoceber (Castellón) – Spain
Telephone: 682653712 – Email: info@medalab.com
"At Medalab we treat the information you provide us with in order to maintain the employment relationship. The data provided will be kept as long as the employment relationship is maintained or for the time necessary to comply with legal obligations and meet the possible responsibilities that may arise from fulfilling the purpose for which the data was collected. The data will not be transferred to third parties except in cases where there is a legal obligation. You have the right to obtain information about whether at Medalab we are treating your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to its treatment before Medalab, C/ Aralar, 46, 12579 Alcoceber (Castellón) – Spain or at the email address info@medalab.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national control authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001. Madrid."
Contract with the Agency in charge of dealing with employees:
Object of the treatment order
Through these clauses, Gabitec-Alcala Cdad, with address in AV. VALENCIA, 71 12579 Alcossebre and NIF E12070405 as data processor to process on behalf of Medalab, as data controller, the personal data necessary to provide the service specified hereinafter.
The treatment will consist of Management and billing.
2. Identification of the affected information
For the execution of the benefits derived from the fulfillment of the object of this assignment, the entity Medalab as responsible for the treatment, makes available to the entity Gabitec-Alcala Cdad, the identification and banking data of its employees.
3 Duration
This agreement has a duration of , being automatically renewed unless decided against by one of the parties.
Once this contract ends, the person in charge of the treatment must return to the person in charge, or transmit to another person in charge designated by the person in charge, the personal data processed and delete any copy that is in their possession. However, he may keep the data blocked for the minimum time necessary to meet possible responsibilities that may arise from his relationship with Medalab, destroying them safely and definitively at the end of said period.
4. Obligations of the data processor
The person in charge of the treatment and all its personnel are obliged to:
Use the personal data that is the object of treatment, or those that you collect for inclusion, only for the purpose of this order. In no case may you use the data for your own purposes.
Process the data in accordance with the documented instructions of the data controller. If the person in charge of the treatment considers that any of the instructions provided infringes the General Data Protection Regulation or any other provision on data protection, the person in charge will immediately inform the person in charge.
Keep a written record of all the categories of treatment activities carried out on behalf of the person in charge, containing:
The name and contact details of the person in charge or persons in charge and of each person in charge on behalf of whom the person in charge acts and, where appropriate, of the representative of the person in charge or of the person in charge and of the data protection delegate.
The categories of processing carried out on behalf of each person in charge.
An overview of the appropriate technical and organizational security measures you are applying.
Do not communicate or disseminate the data to third parties, unless you have the express authorization of the data controller or in the legally admissible cases. If the person in charge wants to subcontract, totally or partially, the services object of this contract, he must inform the person in charge and request prior authorization from him.
Maintain the duty of secrecy regarding the personal data to which you have had access by virtue of this order, even after the contract ends.
Guarantee that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which the person in charge must inform them accordingly.
Keep at the disposal of the person in charge the supporting documentation of compliance with the obligation established in the previous section.
Guarantee the necessary training in the protection of personal data of the persons authorized to process personal data.
When the affected persons exercise the rights of access, rectification, deletion and portability of data and opposition and limitation of the treatment before the person in charge of the treatment, this must communicate it by email to the address indicated by the person in charge as soon as possible. The communication must be made immediately and in no case beyond the business day following receipt of the request, together, where appropriate, with other information that may be relevant to resolve it. He will assist the person in charge, whenever possible, so that he can comply with and respond to requests for the exercise of rights.
Notification of data security breaches:
The person in charge of the treatment will notify the person in charge of the treatment, without undue delay and through the email address indicated by the person in charge, the violations of the security of the personal data in his charge of which he is aware, together with all the information relevant for the documentation and communication of the incident. Likewise, it will notify any failure that it has suffered in its information treatment and management systems and that may jeopardize the security of the personal data processed, its integrity or availability, as well as any possible breach of confidentiality as a result of the in knowledge of third parties of the data and information accessed during the execution of the contract.
At a minimum, the following information shall be provided:
Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
Contact person details for more information.
Description of the possible consequences of the violation of the security of personal data.
Description of the measures adopted or proposed to remedy the breach of personal data security, including, if applicable, the measures adopted to mitigate possible negative effects.
If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.
Gabitec-Alcala Cdad, at the request of the person in charge, will communicate these data security violations to the interested parties as soon as possible, when it is likely that the violation poses a high risk to the rights and freedoms of natural persons.
The communication must be made in clear and simple language and must include the elements indicated in each case by the person in charge, as a minimum:
The nature of the data breach.
Data of the contact point of the person in charge or the person in charge where more information can be obtained.
Describe the possible consequences of the personal data security breach.
Describe the measures adopted or proposed by the data controller to remedy the personal data security breach, including, if applicable, the measures taken to mitigate possible negative effects.
Make available to the person in charge all the information necessary to demonstrate compliance with their obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the person in charge or another auditor authorized by him.
Implement the necessary technical and organizational security measures to guarantee the permanent confidentiality, integrity, availability and resilience of the personal data processing systems and services.
Data destination:
Suppress, return to the person in charge or deliver, where appropriate, to a new person in charge as determined by Medalab, all personal data once the provision of the treatment service in charge has ended.
The destruction of the data is not appropriate when there is a legal provision that requires their conservation, in which case they must be returned to the person in charge who will guarantee their conservation, duly blocked, while such obligation persists.
The return must entail the total deletion of the existing data in the computer equipment used by the person in charge. However, the person in charge may keep a copy of the data, duly blocked, while responsibilities may arise from the execution of the services provided to the person responsible for the treatment.
5. Obligations of the data controller
It corresponds to the data controller:
Provide the manager with the necessary data so that he can provide the service.
Ensure, prior to and throughout the treatment, compliance with the current provisions on data protection by the person in charge of the treatment.
Supervise the treatment, including the possibility of requesting information to verify compliance with the obligations established in this contract.
SERVICE COMPANIES
Contracts:
A) Clauses for service providers with access to information systems.
1. Purpose of the treatment order
By means of these clauses, Webempresa Europa SL, as data processor, is authorized to process, on behalf of Medalab, as data controller, the personal data necessary to provide the service specified hereinafter.
The treatment will consist of Hosting.
2. Identification of the affected information
For the execution of the services derived from the fulfillment of the object of this assignment, the entity Medalab as the person in charge of the treatment, makes available to the entity Webempresa Europa SL the information available in the computer equipment that supports the data processing carried out by the responsible.
3 Duration
This agreement has a duration of , being automatically renewed unless decided against by one of the parties.
Once this contract ends, the person in charge of the treatment must return the personal data processed to the person in charge and delete any copy that it keeps in its possession. However, he may keep the data blocked for the minimum time necessary to meet possible responsibilities that may arise from his relationship with Medalab, destroying it safely and definitively at the end of said period.
4. Obligations of the data processor
The person in charge of the treatment and all its personnel are obliged to:
Use the personal data to which you have access as a result of the provision of the service only for the purpose of this assignment. In no case may you use the data for your own purposes.
Process the data in accordance with the documented instructions of the data controller. If the person in charge of the treatment considers that any of the instructions provided infringes the General Data Protection Regulation or any other provision on data protection, the person in charge will immediately inform the person in charge.
Do not communicate or disseminate the data to third parties, unless you have the express authorization of the data controller or in the legally admissible cases. If the person in charge wants to subcontract, totally or partially, the services object of this contract, he must inform the person in charge and request prior authorization from him.
Maintain the duty of secrecy regarding the personal data to which you have had access by virtue of this order, even after the contract ends.
Guarantee that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which the person in charge must inform them accordingly.
Keep at the disposal of the person in charge the supporting documentation of compliance with the obligation established in the previous section.
Guarantee the necessary training in the protection of personal data of the persons authorized to process personal data.
Notification of data security breaches:
The person in charge of the treatment will notify the person in charge of the treatment, without undue delay and through the email address indicated by the person in charge, the violations of the security of the personal data in his charge of which he is aware, together with all the information relevant for the documentation and communication of the incident. Likewise, it will notify any failure that it has suffered in its information treatment and management systems and that may jeopardize the security of the personal data processed, its integrity or availability, as well as any possible breach of confidentiality as a result of the in knowledge of third parties of the data and information accessed during the execution of the contract.
At a minimum, the following information shall be provided:
Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
Contact person details for more information.
Description of the possible consequences of the violation of the security of personal data.
Description of the measures adopted or proposed to remedy the breach of personal data security, including, if applicable, the measures adopted to mitigate possible negative effects.
If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.
Make available to the person in charge all the information necessary to demonstrate compliance with their obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the person in charge or another auditor authorized by him.
Help the data controller to implement the necessary security measures to:
a) Guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services.
b) Restore the availability and access to personal data quickly, in the event of a physical or technical incident.
c) Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the safety of the treatment.
Data destination:
The person in charge of the treatment will not keep personal data related to the treatments carried out unless it is strictly necessary for the provision of the service object of the contract and only for the minimum essential time.
Once the provision of the contracted service has ended, the person in charge of the treatment will delete, return to the person in charge or deliver, where appropriate, to a new person in charge, as determined by Medalab, all the personal data.
The destruction of the data is not appropriate when there is a legal provision that requires their conservation, in which case they must be returned to the person in charge who will guarantee their conservation, duly blocked, while such obligation persists.
The return must entail the total deletion of the existing data in the computer equipment used by the person in charge. However, the person in charge may keep a copy of the data, duly blocked, while responsibilities may arise from the execution of the services provided to the person responsible for the treatment.
5. Obligations of the data controller
It corresponds to the data controller:
Provide the person in charge with access to the equipment so that he can provide the contracted service.
Ensure, prior to and throughout the treatment, compliance with the current provisions on data protection by the person in charge of the treatment.
Supervise the treatment, including the possibility of requesting information to verify compliance with the obligations established in this contract.
B) Confidentiality clauses for service providers with accidental access to data.
1. Duty of confidentiality
The provision of the service object of this contract does not include the processing of personal data.
However, in the event that the staff of Webempresa Europa SL, accidentally or incidentally, becomes aware of personal data information related to the processing activities of Medalab, they will be obliged to strictly observe the duty of secrecy and confidentiality. , both during the course of the contractual relationship and once it has expired,
following the instructions of the Medalab staff at all times
not being able to use the information to which they could have had access for any purpose other than that derived from the provision of service and
not being able to disclose, make known or use for their own benefit or that of third parties the information that they may have known during the provision of the service object of this contract.
RECORD OF TREATMENT ACTIVITIES
Treatment: Clients
| a) Responsible for the treatment | Identity: Medalab – NIF: B12886263 Postal address: C/ Aralar, 46, 12579 Alcoceber (Castellón) – Spain Email: info@medalab.com Phone: 682653712 |
| b) Purpose of the treatment | Customer relationship management |
| c) Categories of stakeholders | Clients: People with whom a commercial relationship is maintained as clients |
| d) Data categories | Those necessary for the maintenance of the commercial relationship. Check in Identification: name and surname, NIF, postal address, telephone numbers, e-mail Personal characteristics: marital status, date and place of birth, age, sex, nationality Bank details: for direct debit payments |
| e) Categories of recipients | State Tax Administration Agency |
| f) International transfers | International transfers are not planned |
| g) Deletion period | Those provided by tax legislation regarding the prescription of responsibilities |
| h) Security measures | Those reflected in the ANNEX SECURITY MEASURES |
Treatment: Potential customers
| a) Responsible for the treatment | Identity: Medalab – NIF: B12886263 Postal address: C/ Aralar, 46, 12579 Alcoceber (Castellón) – Spain Email: info@medalab.com Phone: 682653712 |
| b) Purpose of the treatment | Management of the relationship with potential customers |
| c) Categories of stakeholders | Potential customers: People with whom you want to maintain a business relationship as customers |
| d) Data categories | Those necessary for the commercial promotion of the company Identification: name and surname and postal address, telephone numbers, e-mail |
| e) Categories of recipients | It is not contemplated |
| f) International transfers | International transfers are not planned |
| g) Deletion period | One year from the first contact |
| h) Security measures | Those reflected in the ANNEX SECURITY MEASURES |
Treatment: Staff
| a) Responsible for the treatment | Identity: Medalab – NIF: B12886263 Postal address: C/ Aralar, 46, 12579 Alcoceber (Castellón) – Spain Email: info@medalab.com Phone: 682653712 |
| b) Purpose of the treatment | Management of the employment relationship with employees |
| c) Categories of stakeholders | Employees: People who work for the controller |
| d) Data categories | Those necessary for the maintenance of the commercial relationship. manage payroll Identification: name, surname, Social Security number, postal address, telephone numbers, e-mail Personal characteristics: marital status, date and place of birth, age, sex, nationality and percentage of disability Bank details, for direct debit payment of payroll |
| e) Categories of recipients | State Tax Administration Agency National Institute of Social Security Banks and financial institutions |
| f) International transfers | International transfers are not planned |
| g) Deletion period | Those provided for by tax and labor legislation regarding the prescription of responsibilities |
| h) Security measures | Those reflected in the ANNEX SECURITY MEASURES |