Confidentiality, professional secrecy and security are highly important values for DSD Planning Center S.L. (hereinafter, DSD), which is committed to guaranteeing the privacy of the interested parties.
Therefore, following the principles of lawfulness, fairness and transparency of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), and the Spanish Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), DSD makes the following information available to you to explain how DSD treats personal data that is collected and treated in this application (hereinafter, “DSD App”), both when it acts as Data Controller and when it acts as Data Processor.
1. TREATMENT AS DATA CONTROLLER
1.1. Who is the Data Controller?
The party responsible for processing your data is DSD Planning Center S.L. with address at Street C/ Ochandiano, 10, Planta 1, 28023, Madrid.
1.2. What categories of data are collected and processed?
DSD will collect and process:
1.3. For what purposes are your data collected?
1.3.1. Manage the registration as Users on DSD App.
1.3.2. Solve problems or technical incidents (e.g. forgotten password, lost device).
1.3.3. Detect, prevent or otherwise resolve fraud, legal complaints or abuse.
All personal data is collected and processed only when it is being executed by the user in the first place.
1.4. What are the bases that legitimize the treatment?
The grounds that legitimize the treatment for the abovementioned purposes are:
1.4.1. Execution of a contract (art.6.1 b) GDPR).
1.4.2. Execution of the contract (art. 6.1º b) GDPR) and Legitimate interest (art. 6.1º f) GDPR).
1.4.3. Legitimate interests (art. 6.1º f) GDPR) and compliance with legal obligations (art.6.1º c) GDPR).
1.5. What is the retention period?
Your data will be processed while you remain registered as a User on DSD App and will be preserved until the purposes previously described are satisfied. After this period, it can remain to meet possible responsibilities or compliance with a legal obligation that will last 5 years after the last case process.
1.6. Who are the recipients of the data?
1.6.1. DSD will not transfer your data to third parties unless it is based on your express consent or compliance with a legal obligation. DSD also does not conduct international data transfers.
1.6.2. Your data will only be processed by DSD personnel or independent service providers/companies as detailed in Section 3.
1.7. What are your data protection rights?
1.7.1. Right of access: obtain information about what data is being processed, for what purpose, if any transfers are conducted or planned, as well as requesting a copy of them.
1.7.2. Right of rectification: request that data that is inaccurate or incomplete be modified. In this sense, be aware that the personal data that has been provided in the registry can be modified at any time by accessing your User profile on the App.
1.7.3. Right to erasure: request that your personal data be eliminated when it is not necessary or if it is treated illicitly. However, whenever it does not impede a legal obligation, it is necessary to exercise or defend claims.
1.7.4. Opposition right: request that a certain processing of personal data not be conducted, always when compelling legitimate reasons cannot prevail or are necessary for the formulation, exercise or defense of complaints.
1.7.5. Right to request the limitation of your treatment: request that your data not be treated while requesting the modification of the same; when the treatment is unlawful but, instead of requesting that it be suppressed, you request to implement opposition to your treatment; or when DSD does not need to process the data but you as User need it to formulate, exercise or defend complaints.
1.7.6. Right to portability: request that your data be facilitated to another entity, or to yourself, in a structured format, for common use and mechanical reading. A request can only be made on data whose processing is conducted by automated means.
1.7.7. The right to not be subject to automated decisions: request not to be subject to a decision based solely on automated processing, including the creation of profiles, which produces legal effects on the user or significantly affects it (in principle, it will not apply to them advance group treatments).
1.7.8. Right to withdraw consent: possibility and right to withdraw consent for any specific purpose granted at the moment, without it affecting the lawfulness of the treatment based on the consent prior to its withdrawal.
You can exercise these rights at any time, when proceeding, by sending a communication to the email account dpo@digitalsmiledesign.com.
Finally, DSD informs you that if you consider that your data is not treated correctly by DSD, you have the right to file a complaint before your Data Protection Delegate (dpo@digitalsmiledesign.com) or before the Spanish Data Protection Agency, www.aepd.es.
1.8. What security measures does DSD adopt to protect your data?
1.8.1. DSD has implemented the technical and organizational security measures necessary to guarantee the confidentiality, integrity, availability and permanent resilience of processing systems and services, establishing sensitive information encryption systems.
1.8.2. To determine the safety measures to be implemented, DSD has considered the risk analysis of our company, through which the most appropriate measures have been determined to guarantee the safety of treatment. In any case, DSD continues working to improve the security of our systems and ensure that information is adequately protected. You can consult the security measures implemented in section 2.8 of the Data Processing Agreement (DPA) detailed below.
2. TREATMENT AS A DATA PROCESSOR
2.1. Who is the Data Processor?
The Data Processor is DSD Planning Center S.L. with address at Street C/ Ochandiano, 10, Planta 1, 28023, Madrid.
2.2. What categories of data are processed?
2.2.1. Data that you as User voluntarily enter and save in DSD App.
In this regard, all Users who register on DSD App accept the conditions for the data processing and are responsible for informing the data owner of the data processing as well as obtaining authorization for their image processing. Likewise, they undertake not to include data that directly identifies the data owner (e.g. name and surname, date of birth).
2.3. Data Processor Agreement
Regarding the access to and/or processing by DSD of pseudonymized data and images related to treatment that could lead to inferring data, DSD, together with all its employees, will act according to the following statements:
2.3.1. Use personal data subject to processing, or those received for processing, exclusively for the purpose subject to your responsibility. In no case can the data be used for personal purposes other than those determined by Users.
2.3.2. Process data according to professional guidelines. DSD may communicate data to other freelancers/companies for the provision of its services, acting as sub-processors, but always within the European Economic Area (EEA).
2.3.3. Accordingly, those Users who are entrusted with the provision or execution of the service will act as subordinates and are obliged to comply with the minimum measures established in this section.
2.3.4. Ensure that those authorized to process personal data are expressly committed to keeping confidentiality and professional secrets and complying with the corresponding security measures. The obligation of secrecy and confidentiality regarding personal data that has been able to be accessed due to this treatment will prevail indefinitely for this period of time.
2.3.5. Provide, when requested by the User, a record of all categories of treatment activities.
2.3.6. Support Users, when possible, taking into account the nature of this treatment and with appropriate technical and organizational means, so that Users comply with the rights of access, rectification, suppression, right of opposition, limitation of treatment, right to data portability and the right not to be subject to a decision based solely on automated processing (including the creation of profiles).
When interested parties exercise the rights of access, rectification, suppression, right of opposition, limitation of treatment, right to portability of data and right not to be the object of a decision based solely on automated processing:
If notification has been made to the User, DSD must be notified via email to dpo@digitalsmiledesign.com. This notification must be conducted immediately and no later than five days after the request is received, adding, in this case, additional information relevant to the request.
If notification has been made directly to DSD, DSD will communicate it to the User within a maximum period of five working days from the receipt of the request, attaching, in this case, additional information relevant to the request.
2.3.7. Provide support to the User in the development of impact assessments related to data protection and in previous consultancy activities with the Control Authority, in this case and when considered opportune, following the data protection regulations that could be of application and/or following the guidelines provided by the local Control Authority.
2.3.8. DSD will implement the technical and organizational security measures necessary to guarantee the permanent confidentiality, integrity, availability and resilience of systems and treatment services. As minimum guarantees, DSD has implemented the following measures:
Access control. DSD has implemented access controls and user management processes to ensure that only authorized persons obtain access to applications, systems and commercial computer devices, that individual responsibility is assured and to provide authorized users with access privileges that are sufficient to allow them to carry out their duties, but do not allow them to exceed their authority.
Signature policy. DSD has implemented a security policy that guarantees the following minimum safety levels:
o Minimum length of eight characters.
o Password complexity must be applied, including uppercase, lowercase, numbers and special characters.
o Passwords change every six months.
o Account blocking must be applied after no more than a total of ten failed login attempts.
Antivirus and similar systems.
Firewalls, intrusion prevention and detection systems, or similar systems.
Physical access control system to the installations where the information is stored.
Audit records will be produced that record user activities and information security events in the systems that support the Service and will be kept for a minimum period of ninety days.
Daily backup systems. Documented backup and data recovery process.
All software will be updated to ensure you have the latest security patches.
If employees are going to connect to remote systems, security systems such as VPN or other encrypted connection systems will be implemented.
In case the user decides to store the data on our Servers (and not on his own device), the data will be hosted in a trusted provider within the European Economic Area (EEA).
2.3.9. DSD will notify you as User, without delay and, in any case, within a period of no more than 72 hours from the notification of the event via electronic mail, of the security breaches of Personal Data under their responsibility of which it has knowledge, as well as any information relevant to the documentation and communication of the subject.
The following minimum information must be provided, if it is available:
Description of the nature of the personal data security breach, including, when possible, the categories and approximate number of affected people and the approximate number of affected personal data records.
Name and contact details of the data protection delegate or other contact that can facilitate more information.
Description of the consequences of a security breach in personal data.
Description of the measures implemented or proposed to correct the security breach in personal data, including, in this case, the measures established to alleviate possible negative effects.
If the aforementioned information could not be facilitated immediately, it will be facilitated, within the possibilities, gradually, as it is available, without greater delay.
It will not be necessary to notify professionals when it is unlikely that a security breach could pose a risk to the rights and freedoms of physical persons.
2.3.10. On the one hand, the User is responsible for eliminating/suppressing pseudonymized data and images related to their treatment that could lead to inferring data, 5 years after the last care process according to the applicable regulation. On the other hand, DSD will eliminate personal data introduced by the User once the contractual relationship has ended. However, DSD may keep a copy of the data duly blocked if there are responsibilities arising from the provision of the service or if there is a legal obligation to do so.
3. INFORMATION FOR INDIVIDUALS USING THE DSD APP AND COMPLIANCE WITH THE “APPLE APPSTORE REVIEW GUIDELINES”.
3.1. No facial biometric data is collected or processed in the DSD App.
3.2. DSD will collect and process as data controller the following data:
3.3. DSD will collect and process as data processor photographs, or videos that Users voluntarily enter and save in DSD App.
3.4. Hereby the only data that can be stored in DSD are photographs, or videos that Users voluntarily enter and save in DSD App.
3.5. Retention period is detailed in Section 1.6. and 2.10. of the Privacy Policy and will last 5 years after the last case process.
3.6. DSD does not share any User data with third parties. The User may choose to share face data, including face data, with third parties. Notwithstanding, for data storage (data processor) we rely on Amazon Web Services, which has its servers within the EEA and complies with appropriate technical and organizational security measures https://aws.amazon.com/es/lega.... Amazon will follow the retention periods detailed above (Sections 1.6. and 2.10).
3.7. The only reason for sharing Users' data with third parties will be the User's express consent or compliance with a legal obligation as detailed in Section 1.6.
3.8. The retention period and security measures that DSD adopts to protect data are detailed in Sections 1.6, 2.10 and 1.8, respectively.
4. MODIFICATIONS TO THIS PRIVACY POLICY
4.1. DSD can change this Privacy Policy to adapt it to legislative changes on personal data that may appear and affect it.
4.2. Whenever DSD updates this Privacy Policy, DSD will take appropriate measures to inform you based on the importance of the changes DSD makes.
4.3. DSD will ensure that it obtains your consent for any important change in the Privacy Policy whenever applicable data protection laws require it. DSD recommends that you periodically review this page to obtain the latest information on our privacy practices.