PRIVACY POLICY AND DATA PROTECTION
Data Controller Information:
Identity: HORACIO ROMÁN BERMUDO – NIF: 48820827S
Postal Address: C/ PEDRO PÉREZ FERNÁNDEZ, 27, LOCAL-A, 41011, SEVILLE
Phone: 640231106 – Email: investigacionesroman.com
Trade name: INVESTIGACIONES ROMÁN
At INVESTIGACIONES ROMÁN, we process the information you provide to offer the requested service or send the required information. The data provided will be kept as long as you do not request the cessation of the activity. Data will not be transferred to third parties unless there is a legal obligation. You have the right to obtain information about whether INVESTIGACIONES ROMÁN is processing your personal data, so you can exercise your rights of access, rectification, deletion, data portability, objection, and restriction of processing by contacting HORACIO ROMÁN BERMUDO, C/ PEDRO PÉREZ FERNÁNDEZ 27A, 41011, Seville or at the email address investigacionesroman.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you believe that your rights have not been fully satisfied, you may file a complaint with the national supervisory authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid.
a) Data Controller | Identity: HORACIO ROMÁN BERMUDO – NIF: 48820827S; Postal Address: C/ PEDRO PÉREZ FERNÁNDEZ, 27, LOCAL-A, 41011, SEVILLE; Email: investigacionesroman.com; Phone: 640231106 |
b) Purpose of Processing | Managing the relationship with potential clients |
c) Categories of Data Subjects | Potential clients: Individuals with whom a commercial relationship is sought as clients |
d) Data Categories | Data necessary for the commercial promotion of the company. Identification data: name, surname, postal address, phone numbers, email |
e) Categories of Recipients | None foreseen |
f) International Transfers | No international transfers are planned |
g) Deletion Period | One year from the first contact |
h) Security Measures | As reflected in the ANNEX SECURITY MEASURES |
EXERCISING RIGHTS
The data controller will inform all employees about the procedure for attending to the rights of data subjects, clearly defining the mechanisms by which the rights can be exercised (electronic means, reference to the Data Protection Officer if applicable, postal address, etc.), taking into account the following:
- Upon presentation of their national identity card or passport, the holders of personal data (data subjects) may exercise their rights of access, rectification, deletion, objection, data portability, and restriction of processing. The exercise of rights is free of charge.
- The data controller must respond to data subjects without undue delay and in a concise, transparent, intelligible manner, using clear and simple language, and must keep proof of compliance with the obligation to respond to requests to exercise rights.
- If the request is submitted electronically, the information will be provided through these means where possible, unless the data subject requests otherwise.
- Requests must be answered within 1 month from receipt, which may be extended by another two months considering the complexity or number of requests, but in that case, the data subject must be informed of the extension within one month of receiving the request, stating the reasons for the delay.
RIGHT OF ACCESS: The right of access will provide data subjects with a copy of their personal data held by the data controller, along with the purpose for which it was collected, the identity of the data recipients, the retention periods or criteria used to determine them, the right to request rectification or deletion of personal data, as well as restriction or opposition to processing, the right to file a complaint with the Spanish Data Protection Agency, and if the data was not obtained from the data subject, any available information about its origin. The right to obtain a copy of the data must not adversely affect the rights and freedoms of other data subjects.
RIGHT OF RECTIFICATION: The right of rectification allows data subjects to request the modification of inaccurate or incomplete data, considering the purposes of the processing. The data subject must specify which data is to be corrected and provide any necessary supporting documentation. If the data has been shared with other controllers, the data controller must notify them of the rectification unless it is impossible or requires disproportionate effort, and provide the data subject with information about those recipients if requested.
RIGHT OF DELETION: The right of deletion applies when data subjects object to processing and there is no legal basis to prevent it, the data is no longer necessary for the purposes it was collected for, or the data subject withdraws consent without other legal grounds for processing, or if the processing is unlawful. If deletion results from the exercise of the data subject’s right to object to marketing, the identifying data may be retained to prevent future processing. If the data has been shared with other controllers, the data controller must notify them of the deletion unless it is impossible or requires disproportionate effort, and provide the data subject with information about those recipients if requested.
RIGHT OF OBJECTION: The right of objection allows data subjects to object to processing for legitimate reasons, and the controller will cease processing unless there are compelling legitimate grounds or it is necessary for the establishment, exercise, or defense of legal claims. If the data subject objects to processing for direct marketing purposes, personal data will no longer be processed for these purposes.
RIGHT OF DATA PORTABILITY: The right of data portability allows data subjects, when processing is based on consent or a contract and is carried out by automated means, to receive a copy of their personal data in a structured, commonly used, and machine-readable format and to request direct transmission to another controller, where technically feasible.
RIGHT TO RESTRICT PROCESSING: The right to restrict processing allows data subjects to request a suspension of processing while contesting the accuracy of the data or when processing is based on the controller’s legitimate interest or a public interest mission, until it is determined whether those grounds override the data subject’s interests, rights, and freedoms. Data subjects may also request data retention if they believe processing is unlawful and prefer restriction over deletion or if they need the data for legal claims. The restriction of processing must be clearly reflected in the controller’s systems. If the data has been shared with other controllers, the controller must notify them of the restriction unless it is impossible or requires disproportionate effort, and provide the data subject with information about those recipients if requested.
If the data subject’s request is not processed, the controller will inform them without delay and no later than one month after receipt, explaining the reasons for not acting and the possibility of filing a complaint with the Spanish Data Protection Agency and seeking judicial remedies.
SECURITY MEASURES
Considering the type of processing indicated when completing this form, the minimum security measures you should consider are as follows:
ORGANIZATIONAL MEASURES
INFORMATION THAT MUST BE KNOWN BY ALL PERSONNEL WITH ACCESS TO PERSONAL DATA
All personnel with access to personal data must be aware of their obligations concerning personal data processing, and they will be informed of these obligations. The minimum information known by all personnel will be as follows:
- DUTY OF CONFIDENTIALITY AND SECRECY
  - Unauthorized access to personal data must be avoided. To this end, personal data must not be exposed to third parties (unattended screens, paper documents in public access areas, data storage devices, etc.). This includes screens used to view surveillance system images. When leaving the workstation, the screen must be locked, or the session must be closed.
  - Paper documents and electronic devices must be stored in a secure location (restricted access cabinets or rooms) 24 hours a day.
  - Documents or electronic devices (CDs, pen drives, hard drives, etc.) containing personal data must not be discarded without ensuring their effective destruction.
  - Personal data or any other personal information must not be disclosed to third parties, paying special attention not to disclose protected personal data during phone calls, emails, etc.
  - The duty of confidentiality and secrecy persists even after the employee’s working relationship with the company ends.
- PERSONAL DATA SECURITY BREACHES
  - When personal data security breaches occur, such as theft or unauthorized access to personal data, the Spanish Data Protection Agency must be notified within 72 hours of the breach, including all necessary information to clarify the facts that led to unauthorized access to personal data. The notification will be made electronically through the Spanish Data Protection Agency’s online portal at https://sedeagpd.gob.es/sede-electronica-web/.
TECHNICAL MEASURES
IDENTIFICATION
- When the same computer or device is used for processing personal data and personal use, it is recommended to have separate profiles or users for each purpose. The professional and personal use of the computer must be kept separate.
- It is recommended to have profiles with administrative rights for system installation and configuration and users without administrative privileges for accessing personal data. This measure will prevent access privileges from being gained in the event of a cybersecurity attack.
- Passwords must be used to access personal data stored in electronic systems. The password should be at least 8 characters long, mixing numbers and letters.
- When personal data is accessed by multiple individuals, a specific user and password must be created for each individual with access to personal data (unequivocal identification).
DUTY OF SAFEKEEPING
The following minimum technical measures must be implemented to safeguard personal data:
- UPDATING COMPUTERS AND DEVICES: Devices and computers used for storing and processing personal data must be kept as up to date as possible.
- MALWARE: Computers and devices used for automated processing of personal data must have antivirus software to protect against theft and destruction of information and personal data. The antivirus software must be updated periodically.
- FIREWALL: To prevent unauthorized remote access to personal data, ensure that a firewall is activated and properly configured on computers and devices used for storing and/or processing personal data.
- DATA ENCRYPTION: When personal data needs to be transferred outside the facility where it is processed, either physically or electronically, consider using encryption to ensure the confidentiality of the data in case of unauthorized access.
- BACKUP: Periodically, a backup should be made to a second storage medium other than the one used for daily work. The backup should be stored in a secure location, separate from the computer where the original files are stored, to allow recovery of personal data in case of data loss.
Security measures will be reviewed periodically, either through automatic mechanisms (software or programs) or manually. Consider that any IT security incident that has occurred to anyone you know can happen to you, and take preventive measures against it.