DATA PROTECTION POLICY
1. Purpose, scope, and users
VALENFOOD SDAD IMPORT, EXPORT Y DIST. ALIMENTARIA, S.L., hereinafter the "Company", strives to comply with applicable laws and regulations related to the protection of personal data in the countries where it operates. This policy establishes the basic principles by which the Company processes the personal data of consumers, customers, suppliers, business partners, employees, and other individuals, and indicates the responsibilities of its business departments and employees while processing personal data.
This policy applies to the Company and its directly or indirectly controlled subsidiaries that conduct business within the European Economic Area (EEA) or process the personal data of data subjects within the EEA.
The users of this document are all employees, permanent or temporary, and all contractors working on behalf of the Company.
2. Reference documents
• The EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
• Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.
• Royal Decree 1720/2007, of December 21, Regulation implementing Organic Law 15/1999, of December 13, on the Protection of Personal Data (RLOPD).
• Employee personal data protection policy
• Data retention policy
• Data protection officer job description
• Guidelines for data inventory and processing activities
• Data subject access request procedure
• Guidelines for data protection impact assessment
• Procedure for cross-border transfer of personal data
• Information security policies
• Security breach notification procedure
3. Definitions
The following definitions of terms used in this document are taken or adapted from the European Union General Data Protection Regulation, principally Article 4:
Personal data: any information relating to an identified or identifiable natural person ("Data Subject") whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity.
Sensitive personal data (referred to in the GDPR as "special categories of personal data", Article 9): Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms, because the context of their processing could create significant risks to those rights and freedoms. They include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.
Data Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing.
Data Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Anonymization: Irreversibly altering personal data so that the data subject can no longer be identified, within reasonable time, cost, and technology, either by the controller or by any other person. The principles of personal data processing do not apply to anonymous data, as they are no longer personal data.
Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymization reduces, but does not completely eliminate, the ability to associate personal data with a data subject. Since pseudonymized data is still considered personal data, the processing of this data must comply with personal data processing principles.
Cross-border processing of personal data: Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Supervisory authority: An independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.
Lead supervisory authority: The supervisory authority with primary responsibility for dealing with a cross-border data processing activity, for example when a data subject files a complaint about the processing of their personal data. It is responsible, among other things, for receiving data security breach notifications and for being notified about high-risk processing activities, and has full authority, within its duties, to ensure compliance with the provisions of the EU GDPR.
Each local supervisory authority is competent in its own territory to monitor any data processing that affects data subjects there or is carried out by a controller or processor established there, including processing by controllers or processors established outside the EU when it targets data subjects residing in its territory. Its tasks and powers include carrying out investigations and imposing administrative measures and fines, promoting public awareness of the risks, rules, safeguards, and rights in relation to the processing of personal data, and obtaining access to the controller's and processor's premises, including any data processing equipment and means.
Main establishment: With respect to a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter has the power to have such decisions implemented, in which case the establishment which has taken such decisions is considered the main establishment. With respect to a processor with establishments in more than one Member State, the place of its central administration in the Union or, if the processor has no central administration in the Union, the place where the main processing activities in the context of the activities of an establishment of the processor take place, to the extent that the processor is subject to specific obligations under the GDPR.
Corporate group: A controlling undertaking together with its controlled undertakings (Article 4(19) of the GDPR).
4. Basic principles for the processing of personal data
Data protection principles describe the basic responsibilities of organizations that process personal data. Article 5(1) of the GDPR sets out the following principles, and Article 5(2) stipulates that "the controller shall be responsible for, and be able to demonstrate compliance with" them:
4.1. Lawfulness, fairness, and transparency
Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
4.2. Purpose limitation
Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
4.3. Data minimization
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The Company must apply anonymization or pseudonymization to personal data if possible to reduce the risk concerning data subjects.
4.4. Accuracy
Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
4.5. Storage limitation
Personal data must not be kept for longer than is necessary for the purposes for which the personal data are processed.
4.6. Integrity and confidentiality
Taking into account the state of the art and other available security measures, the cost of implementation, and the likelihood and severity of risks to personal data, the Company must apply appropriate technical or organizational measures to process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
4.7. Accountability
Controllers shall be responsible for, and be able to demonstrate compliance with, the principles described above.
5. Development of data protection in business activities
To demonstrate compliance with data protection principles, an organization must develop data protection within its business activities.
5.1. Notice to data subjects
(See lawful processing guidelines.)
5.2. Data subject choice and consent
(See lawful processing guidelines.)
5.3. Collection
The Company must strive to collect the minimum amount of personal data possible. If personal data are collected from a third party, the Security Manager must ensure that the personal data were collected lawfully and may lawfully be disclosed to the Company.
5.4. Use, retention, and disposal
The purpose, methods, storage limitation, and retention period of personal data must be consistent with the information contained in the Privacy Notice. The Company must maintain the accuracy, integrity, confidentiality, and relevance of personal data based on the purpose of the processing. Appropriate security mechanisms designed to protect personal data must be used to prevent theft, misuse, or abuse of personal data and to prevent personal data security breaches. The Security Manager is responsible for compliance with the requirements listed in this section.
5.5. Disclosure to third parties
Whenever the Company uses an external provider or a business partner to process personal data on its behalf, the Security Manager must ensure that this processor will provide security measures to safeguard personal data that are appropriate to the associated risks. For this purpose, the Processor GDPR Compliance Questionnaire must be used.
The Company must contractually require the provider or business partner to provide the same level of data protection. The provider or business partner must only process personal data to fulfill its contractual obligations with the Company or following the Company's instructions and not for other purposes. When the Company processes personal data together with an independent third party, the Company must explicitly specify their respective responsibilities and those of the third party in the relevant contract or any other binding legal document, such as the Vendor Data Processing Agreement.
5.6. Cross-border transfer of personal data
Before transferring personal data outside the European Economic Area (EEA), appropriate safeguards must be in place, such as a data transfer agreement based on the standard contractual clauses adopted by the European Commission, and, where required, authorization from the competent data protection authority must be obtained. The entity receiving the personal data must comply with the personal data processing principles established in the Cross-Border Data Transfer Procedure.
5.7. Data subject access rights
When acting as a data controller, the Security Manager is responsible for providing data subjects with a reasonable access mechanism that allows them to access their personal data, as well as update, rectify, erase, or transmit their personal data, where appropriate or required by law. The access mechanism will be further detailed in the data subject access request procedure.
5.8. Data portability
Data subjects have the right to receive, upon request, a copy of the data they provided to us in a structured format and to transmit those data to another controller, free of charge. The Security Manager is responsible for ensuring that such requests are processed within one month, that they are not excessive, and that they do not affect the personal data rights of other individuals.
5.9. Right to be forgotten
Upon request, data subjects have the right to obtain from the company the erasure of their personal data. When the Company acts as controller, the Security Manager must take necessary measures (including technical measures) to inform third parties using or processing those data to comply with the request.
6. Lawful processing guidelines
Personal data must be processed only when explicitly authorized by the Security Manager.
The Company must decide whether to perform a data protection impact assessment for each data processing activity in accordance with the Data Protection Impact Assessment Guidelines.
6.1. Notice to data subjects
At the time of collection or before collecting personal data for any type of processing activities, including but not limited to the sale of products, services, or commercial activities, the Security Manager is responsible for adequately informing data subjects about the following: the types of personal data collected, the purposes of the processing, the methods of processing, the rights of data subjects regarding their personal data, the retention period, possible international data transfers, if the data will be shared with third parties, and the Company's security measures to protect personal data. This information is provided through a privacy notice.
If the Company has multiple data processing activities, it must develop different notices that vary depending on the processing activity and the categories of personal data collected; for example, one notice may be written for email and another for postal mail.
When personal data is shared with a third party, the Security Manager must ensure that data subjects have been notified of this through a privacy notice.
When personal data is transferred to a third country in accordance with the cross-border data transfer policy, the privacy notice must reflect this and clearly indicate where and to which entity the personal data are being transferred.
When sensitive personal data is collected, the data protection officer must ensure that the Privacy Notice explicitly states the purpose for which these sensitive personal data are collected.
6.2. Obtaining consent
Whenever the processing of personal data is based on the data subject's consent or on another legal basis, the Security Manager is responsible for keeping a record of that consent or legal basis. The Security Manager is responsible for providing data subjects with options to give consent and, whenever consent is used as the legal basis for processing, must inform data subjects that their consent can be withdrawn at any time and ensure that withdrawal is as easy as giving consent.
When the collection of personal data relates to a child below the age of digital consent, the Security Manager must ensure that parental consent is obtained before collection, using the parental consent request. Article 8 of the GDPR sets this age at 16 but allows Member States to lower it to no less than 13; Organic Law 3/2018 (Article 7) sets it at 14 in Spain, so the Company must apply the threshold in force in the jurisdiction of the data subject. Article 8 of the GDPR also states that "the controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology".
Where there are requests to correct, amend, or destroy personal data records, the Security Manager must ensure that these requests are handled within a reasonable timeframe. The Security Manager must also record the requests and maintain a log of them.
Personal data should only be processed for the purpose for which they were initially collected. If the Company wants to process collected personal data for another purpose, the Company must seek the consent of its data subjects in clear and concise writing. Any such request must state the initial purpose for which the data were collected, the new additional purpose(s), and the reason for the change in purpose(s). The Security Manager is responsible for complying with the rules in this paragraph and must ensure, on an ongoing basis, that collection methods comply with relevant laws, good practices, and industry standards.
The Security Manager is responsible for creating and maintaining a record of privacy notices.
Consent for the communication of personal data to a third party shall be void when the information provided to the data subject does not allow them to know the purpose for which the data will be used, or the type of activity of the party to whom it is intended to be communicated.
A special case of communication is access on behalf of third parties linked to the business. Access by a third party to information will not be considered data communication when such access is necessary for the provision of a service to the company.
Processing on behalf of third parties must be regulated in a contract that must be in writing, or in some other form that allows for proof of its execution and content, expressly stating that the processor will only process the data according to the instructions of the controller, that they will not apply or use them for a purpose other than that appearing in said contract, nor communicate them, even for preservation, to other persons. The contract will also stipulate the security measures that the processor is obliged to implement and indications of any other nature regarding the processing of data.
As already seen, a fundamental piece, both in the processing and communication of personal data, is the consent of the affected party. According to current regulations, the processing of personal data, as well as its transfer, will require the unequivocal consent of the affected party, unless the Law provides otherwise.
Consent will not be necessary when personal data are collected for the exercise of functions specific to Public Administrations within the scope of their competencies; when they refer to the parties of a contract or pre-contract for a business, labor, or administrative relationship and are necessary for its maintenance or fulfillment; when the processing of the data is intended to protect a vital interest of the data subject, or when the data appear in sources accessible to the public and their processing is necessary for the satisfaction of the legitimate interest pursued by the controller of the file or by the third party to whom the data are communicated, provided that the fundamental rights and freedoms of the data subject are not violated.
That is, it will not be necessary to obtain customer consent to process their personal data for the purpose of providing legal representation or any other service, or to transfer those data to the Public Administration, as long as they are not used for any other purpose. Nor will customer consent be needed when third parties must access that information within the framework of a service provision to the company. However, the scope and responsibilities must be defined in the corresponding service contract.
In cases where those data must be communicated to a third party, such as a sales force company, customer consent must be obtained. Said consent must be:
- Free, which means it must have been obtained without any defect in consent under the terms regulated by the Civil Code.
- Specific, that is, referring to a specific processing operation and for a determined, explicit, and legitimate purpose of the controller.
- Informed, meaning that the affected party knows, prior to the operation for which consent is requested, the purposes for which authorization is sought.
- Unequivocal, which means that consent must be given by a clear affirmative act; it cannot be deduced from mere acts performed by the affected party (presumed consent), nor from silence, pre-ticked boxes, or inactivity (GDPR, Article 4(11) and Recital 32).
Organic Law 15/1999, which allowed tacit consent for data that were not especially protected and required express consent only for the categories listed in its Articles 7.2 and 7.3, has been repealed by Organic Law 3/2018. Under the GDPR, consent to the processing of any of the special categories of personal data listed in Article 9 (including data concerning health, racial or ethnic origin, and sex life or sexual orientation) must in addition be explicit (Article 9(2)(a)). Consent must be recorded in a form that allows the Company to demonstrate that the data subject has consented (Article 7(1)).
The processing of data without the prior consent of the affected party in those cases not legally exempted may be grounds for a serious infringement.
7. Organization and responsibilities
The responsibility for ensuring the proper processing of personal data lies with everyone who works for or with the Company and has access to personal data processed by the Company.
Key areas of responsibility for personal data processing lie with the following positions in the organization:
The Management makes decisions and approves the general strategies of the Company on personal data protection issues.
The Data Protection Officer (DPO) or the Security Manager is responsible for managing the personal data protection program and developing and promoting comprehensive personal data protection policies, as defined in the data protection officer job description.
The Legal Department/Advisor along with the data protection officer, monitors and analyzes changes in personal data laws and regulations, develops compliance requirements, and assists business departments in achieving their personal data objectives.
The Maintenance Manager is responsible for:
- Ensuring all systems, services, and equipment used for data storage comply with acceptable security standards.
- Carrying out regular checks and scans to ensure that hardware and software are functioning correctly.
The Commercial Manager is responsible for:
- Approving any data protection statement included in communications such as emails and letters.
- Addressing any data protection inquiries from journalists or media outlets such as newspapers.
- When necessary, working with the data protection officer to ensure that marketing initiatives comply with data protection principles.
The Human Resources Manager is responsible for:
- Improving the knowledge of all employees about user personal data protection.
- Organizing specialized knowledge and awareness training on personal data protection for employees working with personal data.
- Comprehensive protection of employee personal data. They must ensure that employee personal data are processed based on the employer's legitimate business purposes and needs.
The Purchasing Manager is responsible for passing personal data protection obligations on to suppliers, raising suppliers' awareness of personal data protection, and keeping the personal data made available to any supplier (or to third parties engaged by a supplier) to the minimum necessary. The purchasing department must ensure that the Company contractually reserves the right to audit its suppliers.
8. Guidelines for establishing the lead supervisory authority
8.1. The need to establish a lead supervisory authority
The appointment of a lead supervisory authority is only relevant if the Company carries out cross-border processing of personal data.
Cross-border data processing is carried out if:
a) the processing of personal data is carried out by Company subsidiaries based in other member states;
or
b) the processing of personal data takes place in a single establishment of the Company in the European Union, but substantially affects or may substantially affect data subjects in more than one member state.
If the company only has establishments in one Member State and its processing activities only affect data subjects in that Member State, it is not necessary to establish a lead supervisory authority. The only competent authority will be the supervisory authority in the country where the Company is legally established.
8.2. Main establishment and the lead supervisory authority
8.2.1. Main establishment of the data controller
The Company's management needs to identify its main establishment so that the lead supervisory authority can be determined.
If the Company is located in an EU member state and makes decisions related to cross-border processing activities at its main headquarters, there will be only one lead supervisory authority for the data processing activities carried out by the Company.
If the company has multiple establishments acting independently and making decisions on the purposes and means of personal data processing, the Company's management needs to recognize that there is more than one lead supervisory authority.
8.2.2. Main establishment of the data processor
When the Company acts as a data processor, then the main establishment will be the place of central administration. In the event that the place of central administration is not located in the EU, the main establishment will be established where the main activities are carried out in the EU.
8.2.3. Main establishment of controllers and processors for companies outside the EU
If the Company does not have a main establishment in the EU, but has subsidiary(ies) in the EU, then the competent supervisory authority is the local supervisory authority.
If the Company has neither a main establishment in the EU nor subsidiaries, it must appoint a representative in the EU, and the competent local authority will be the local supervisory authority where the representative is located.
9. Response to data security breaches
When the Company becomes aware of a suspected or actual personal data security breach, the Security Manager must conduct an internal investigation and take appropriate corrective measures in a timely manner, in accordance with the Security Breach Notification Procedure. Where the breach is likely to result in a risk to the rights and freedoms of data subjects, the Company must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (GDPR, Article 33); where the breach is likely to result in a high risk, the affected data subjects must also be informed without undue delay (Article 34). Every breach, whether or not it is notified, must be documented, including its facts, its effects, and the remedial action taken (Article 33(5)).
10. Audit and accountability
The Security Manager is responsible for auditing whether all departments implement this Data Protection Policy, which may be done through the hiring of external auditors.
Any employee who violates this policy will be subject to disciplinary measures and the employee may also be subject to civil or criminal liabilities if their conduct violates laws or regulations.
11. Conflicts of law
This policy is intended to comply with the laws and regulations in the place of establishment and the countries in which VALENFOOD SDAD IMPORT, EXPORT Y DIST. ALIMENTARIA, S.L. operates. In the event of a conflict between this policy and applicable laws and regulations, the latter shall prevail.
12. Management of records kept based on this document
| Record Name | Location | Person responsible for storage | Controls for record protection | Retention time |
| Data subject consent request | GDPR Folder | Data Protection Officer or Security Manager | Only authorized personnel can access requests | 10 years |
| Data subject withdrawal of consent request | GDPR Folder | Data Protection Officer or Security Manager | Only authorized personnel can access requests | 10 years |
| Parental consent request | GDPR Folder | Data Protection Officer or Security Manager | Only authorized personnel can access requests | 10 years |
| Parental withdrawal of consent request | GDPR Folder | Data Protection Officer or Security Manager | Only authorized personnel can access requests | 10 years |
| Vendor data processing agreements | GDPR Folder | Data Protection Officer or Security Manager | Only authorized personnel can access the folder | 5 years after the agreement has expired |
| Privacy notice record | GDPR Folder | Data Protection Officer or Security Manager | Only authorized personnel can access the folder | Permanent |
13. Validity and document management
This document is valid as of 17 September 2024.
The owner of this document is the Security Manager, who must review and, if necessary, update the document at least once a year.
The Security Manager
JOAQUÍN ANTONIO CARRILHO REYES