DENTAL HERNAN S.L. (the “Company”) is an organization that carries out personal data processing activities, which gives it significant responsibility for designing and organizing its procedures so that they comply with the law in this area.
In the exercise of these responsibilities and with the aim of establishing the general principles that must govern the processing of personal data within the Company, it approves this Personal Data Protection Policy, which it notifies to its Employees and makes available to all its Stakeholders.
1. Purpose.
The Personal Data Protection Policy is a measure of proactive Responsibility aimed at ensuring compliance with applicable legislation in this area and, in relation to it, respecting the right to honor and privacy in the processing of personal data of all individuals who interact with the Company.
In furtherance of this Personal Data Protection Policy, the Principles governing data processing within the organization are established and, consequently, so are the procedures and the organizational and security measures that the individuals affected by this Policy commit to implementing within their scope of responsibility.
To this end, Management will assign responsibilities to the personnel involved in data processing operations.
2. Scope of Application.
This Personal Data Protection Policy shall apply to the Company, its administrators, directors, and employees, as well as to all individuals who interact with it, including service providers with access to data (“Data Processors”).
3. Principles of Personal Data Processing.
As a general principle, the Company shall scrupulously comply with personal data protection legislation and must be able to demonstrate this (Principle of “proactive accountability”), paying special attention to those processing activities that may pose a greater risk to the rights of data subjects (Principle of “risk-based approach”).
In relation to the above, DENTAL HERNAN S.L. will ensure compliance with the following Principles:
– Lawfulness, fairness, transparency, and purpose limitation. Data processing must always be communicated to the data subject through clauses and other procedures; and it will only be considered legitimate if there is consent for data processing (with special attention to that provided by minors), or if it has another valid legal basis and its purpose is in accordance with Regulations.
– Data minimization. The data processed must be adequate, relevant, and limited to what is necessary in relation to the purposes of the processing.
– Accuracy. Data must be accurate and, if necessary, updated. In this regard, necessary measures will be adopted to ensure that personal data that is inaccurate with respect to the purposes of processing is deleted or rectified without delay.
– Storage limitation. Data will be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing.
– Integrity and Confidentiality. Data will be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by applying appropriate technical or organizational measures.
– Data transfers. It is prohibited to purchase or obtain personal data from illegitimate sources, or where such data has been collected or transferred in contravention of the law, or where its legitimate origin is not sufficiently guaranteed.
– Contracting of providers with access to data. Only providers offering sufficient guarantees to implement appropriate technical and security measures in data processing will be selected for contracting. A proper Agreement in this regard will be documented with these third parties.
– International data transfers. All processing of personal data subject to European Union regulations that involves a data transfer outside the European Economic Area must be carried out in strict compliance with the requirements established in applicable law.
– Rights of data subjects. The Company will facilitate the exercise of the rights of access, rectification, erasure, restriction of processing, objection, and data portability for data subjects, establishing for this purpose the internal procedures, and in particular the necessary and appropriate forms for their exercise, which must satisfy, at least, the applicable legal requirements in each case.
The Company will promote that the principles set out in this Personal Data Protection Policy are taken into account (i) in the design and implementation of all work procedures, (ii) in the products and services offered, (iii) in all contracts and obligations that are formalized or assumed, and (iv) in the implementation of any systems and platforms that allow access by employees or third parties and/or the collection or processing of personal data.
4. Employee Commitment.
Employees are informed of this Policy and declare themselves aware that personal information is an asset of the Company, and in this regard, they adhere to it, committing to the following:
– Complete the data protection awareness training that the Company makes available to them.
– Apply the user-level security measures applicable to their job, without prejudice to the responsibilities in their design and implementation that may be attributed to them based on their role within DENTAL HERNAN S.L.
– Use the established formats for the exercise of Rights by data subjects and inform the Company immediately so that a response can be effectively provided.
– Inform the Company, as soon as they become aware, of deviations from what is established in this Policy, particularly regarding “Personal data security breaches,” using the format established for this purpose.
5. Control and Evaluation.
The effectiveness of the technical and organizational measures that ensure processing security will be verified, evaluated, and assessed annually, or whenever there are significant changes in data processing.