Data Protection Information
Information on EU Regulation 2016/679 on the Protection of Personal Data.
In accordance with current legislation on Personal Data Protection, as we have contracted our Employee Portal platform and other remote access services, we proceed to inform you about the service:
The purpose of the EU Data Protection Regulation 2016/679 is to lay down the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of such data, as well as to protect the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.
Therefore, the purpose of this document is to provide information regarding the obligations that GM INTEGRA RRHH has to comply with when contracting our Employee Portal platform, although it should be noted that there is another series of obligations that the File Manager must comply with and that more information can be obtained through the web page of the Data Protection Agency, www.agpd.es.
By contracting and storing personal data in our Employee Portal platform or with respect to the HR services you may have contracted, GM INTEGRA HR becomes the data processor of such personal data.
Specifically, the legislation states:
Where processing is to be carried out on behalf of a controller, the controller shall choose only a processor providing sufficient guarantees to implement appropriate technical and organisational measures, so that the processing is in compliance with the requirements of this Regulation and ensures the protection of the rights of the data subject.
The processing by the processor shall be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller and setting out the subject-matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. Moreover, if a processor infringes this Regulation in determining the purposes and means of processing, it shall be considered to be a controller in respect of that processing.
This commitment to confidentiality and good use of data is guaranteed and regulated both in the conditions of the contract established when contracting the service with GM INTEGRA RRHH and by the guarantee provided by our ISO 27001 Information Security certification. However, you can sign a data processing contract separately from the main contract by downloading the Data Processing Contract model. Print two copies, sign them and send them by post to GM INTEGRA HR; we will return your copy signed by a legal representative of our company.
Registration of the file with the Data Protection Agency:
Until 25 May 2018, one of the obligations established in current data protection legislation is to declare files containing personal data to the Data Protection Agency (APD).
In order to make this registration, you will need to fill in the data in section 4 (PROCESSOR), bearing in mind that only the data of one of the processors will be included in this section and the Data Protection Agency recommends that the name of the processor carrying out the data processing that may involve a longer duration or greater risks depending on the type and quantity of data processed should be stated.
After 25 May 2018, such registration shall not be mandatory, but both the controller and the processor shall keep a register of all categories of processing activities carried out on behalf of a controller, containing:
- the name and contact details of the processor(s) and of each controller on whose behalf the processor is acting, and, where applicable, of the representative of the controller or of the processor, and of the data protection officer;
- the categories of processing operations carried out on behalf of each controller;
- where appropriate, transfers of personal data to a third country or international organisation;
- where possible, a general description of the technical and organisational security measures.
Until the entry into force of the EU Data Protection Regulation 2016/679, security measures were established in Royal Decree 1720/2007, of 21 December, approving the Regulation implementing the Organic Law of 13 December, on the protection of personal data. From May 2018 GM INTEGRA RRHH will proceed to establish the necessary technical and organisational measures in accordance with the principle of proactivity and risk-based design.
As GM INTEGRA RRHH is in charge of the processing, the security measures provided are limited to those contractually established by the data controller.
In any case, GM INTEGRA RRHH has obtained the ISO 27001:2015 certification from APPLUS for the Information Security Management System (ISMS) implemented in its data centres in Barcelona, Madrid and Manresa. This recognises the high level of security and the commitment of GM INTEGRA RRHH to guarantee the confidentiality, integrity and availability of the data housed in these facilities.
The security of the information and compliance with current data protection legislation are of vital importance for GM INTEGRA RRHH and are observed in each and every one of its areas of activity.
Security is a crucial aspect of the Employee Portal platform as well as of HR management, and therefore the privacy of users and the responsible use of the information provided are guaranteed.
- The Employee Portal and the rest of our services are provided through a platform whose development and service provision have taken into account all the security requirements relating to confidentiality, integrity and availability demanded by organisations for their information in general and personal data in particular.
- The infrastructure that provides the service is currently located in the GM Integra HR Datacenter in Manresa (Barcelona), which complies with the highest security standards to guarantee the quality of the service.
- We have the most demanding features in terms of physical security, access control, component redundancy, monitoring and 24×7 availability.
- Encryption. GM Integra HR uses an encryption system for the transit of data. The data is protected by applying the SSL protocol. Certificates issued by organisations recognised by almost all browsers are used for encryption.
- Data Protection. The management is carried out under the requirements of the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
According to the services contracted by the Client, and in accordance with the terms of the commercial service contract, GM INTEGRA RRHH is responsible for implementing the following security measures in the services provided in the following terms:
- Functions and obligations of the staff: GM INTEGRA HR administration and systems operation staff have received the necessary training to carry out the management tasks in the systems involved, have the rules and procedures to carry them out and are aware of the commitment of GM INTEGRA HR regarding the confidentiality and integrity of the client's data.
- Incident register: GM INTEGRA RRHH will communicate the incidents that may affect the client's information, indicating the type of incident, when it occurred, the person who made the notification, the person to whom it is communicated and the effects that may have derived from it.
- Identification and authentication: GM INTEGRA RRHH will maintain an updated list of users with authorised access to the administration and operation of the information systems, with a procedure for assigning, distributing and storing access passwords that guarantees their confidentiality and integrity, implementing mechanisms for the unequivocal and personalised identification of these users. Likewise, authorised access will be indicated for each user, as well as the list of personnel authorised to grant, alter or cancel authorised access to data and resources related to the service provided by GM INTEGRA RRHH. The management of passwords does not include those provided to the Client for access to the service, whose maintenance and control will be the Client's responsibility as stipulated in the contracted service conditions.
- Access control: GM INTEGRA HR employees will have authorised access only to the resources necessary for the performance of their administrative and operational functions.
- Physical access control: The premises housing the infrastructure providing the service are equipped with access controls to ensure that only authorised personnel have access to the premises.
- Media management: GM INTEGRA RRHH carries out the management and inventory of media. GM INTEGRA RRHH has also implemented measures for the destruction and disposal of media and management of incoming and outgoing media.
- Backup and recovery copies: GM INTEGRA HR will make backup copies of the information in compliance with current legislation and with the ISO 27001 information security standard. GM INTEGRA HR performs general control operations to verify the correct functioning of the backup system.
- Access log: The physical access control will have a log that will make it possible to determine the user who accessed the datacentre premises at any given time.
EU Regulation 2016/679 removes the concept of the Security Document, which until now had been used to record the data processing methodology and security measures.
The aforementioned Security Document has been replaced by the General Data Protection Policy and the Information Security Policy. These policies shall describe those technical and organisational measures that guarantee a level of security appropriate to the risk.
The regulation establishes that the data controller is obliged to create a security document with a description of the file, the functions and obligations of the personnel, the structure of the file, and other data relating to the file.
When drafting such security measures, the existing guidelines of the Data Protection Agency could be used, as well as those relating to the Impact Assessment.