Measures and Procedures for the Data Protection Law

1. Object of the document

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free circulation of such data (hereinafter RGPD), which repeals Directive 95/46/EC, aims to harmonize the processing of personal data of all citizens of the Member States through the application of a single standard that ensures a consistent level of protection of people throughout the EU and avoids divergences that hinder the free circulation of data within the internal market.

The RGPD provides legal security and transparency to economic operators, including micro, small and medium-sized enterprises, and offers natural persons from all Member States the same level of legally protected rights and obligations, and the same level of responsibilities for those responsible for and Managers of Treatment, in order to guarantee a coherent supervision of the treatment of personal data. It also provides equivalent sanctions for all Member States, as well as the effective cooperation of the Control Authorities.

On May 25, 2016, the RGPD entered into force, although it will not be fully applicable until May 25, 2018. The publication of the RGPD entails the repeal of Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, two years after the date of its entry into force. In this sense, as established in the section “Introduction” of this Privacy Management System, those responsible for treatment located in Spanish territory, or those who perform data processing in Spanish territory, should be attentive to the provisions of Organic Law 15/1999 of December 13 on the Protection of Personal Data, as well as other regulations of national scope that may coexist during the period of 2 years established by the RGPD.

The purpose of this document is to compile the regulations of BODEGAS BORDOY SL regarding the security measures applicable to the processing operations it carries out. The rules established in it will be considered mandatory for all staff with access to automated personal data and information systems.

Due to the continuous evolution and intrinsic changes of the information systems and the complexity of the organization itself, the document will try to be a stable and, at the same time, flexible framework, instead of a static description, for which it would be subject to continuous updates. In this line, the document includes references to other documents that make up the security policy established in the organization and, sometimes, instead of including static relationships, the procedure to obtain the aforementioned relationships at the time they are necessary is described.

This document will be kept updated at all times by the Data Protection Delegate and, failing that, by the Privacy Officer. It must be reviewed whenever there are relevant changes in the information system, in its organization or in the organization of BODEGAS BORDOY SL.

In the same way, the Measures and Procedures will be adapted at all times to the current provisions on the privacy of personal data, at both national and European level.

2. Scope of measures and procedures

The different Measures and Procedures specified in this document are intended to protect the processing of personal data of any individual in the course of their professional or commercial activity, when those data are treated automatically or manually by a third party, whether in the capacity of Manager or Manager of Treatment, in the development of their professional or employment activity within the territory of the European Union.

In turn, it also intends to provide security for all actions related to the processing of personal data carried out by BODEGAS BORDOY SL in the development of its actions, so that it can perform its functions normally and in accordance with the regulations in force on data protection.

For this, the measures and procedures that are detailed seek to protect the privacy and confidentiality of all categories of data susceptible to treatment. These personal data can be found in files, applications, tools for updating and consulting, resources of the computer system, telecommunications networks, supports and computer equipment that are or may be managed by BODEGAS BORDOY SL or its Treatment Managers.

BODEGAS BORDOY SL has established a list of protected resources, to which all the Measures and Procedures foreseen in this document will apply.

3. Protected resources

The protected resources included within the scope of application of this document, are all the assets that intervene or may intervene in the operations and processes of processing personal data, which occur in the treatment systems, responsibility of the controller, or in those of the person in charge of the treatment, always under the mandate of the custom contract of treatment, and specified in article 4 of the RGPD.

Depending on the category and / or the type of specific treatment of the data of a general nature, these will be classified into the following categories, namely:

Special categories of personal data: personal data that reveal ethnic or racial origin, political opinions, religious or philosophical convictions, union affiliation, as well as genetic data, biometric data that allow the univocal identification of a person and data relating to health or life and sexual orientation of the person.

Categories of data relating to convictions and criminal offenses: they are all those personal data relating to convictions and criminal offenses, related to the personality of citizens and that allow evaluating certain aspects of the personality or behavior of the same.

Personal data only identification: All those personal data according to the definition provided by Article 4 of the RGPD and that are considered as defined in the 2 previous categories.

Categories of data that do not require identification: a set of data for which a data subject submits personal data that does not require the identification of an interested party by the Treatment Manager.

In turn, reference is also made to a specific treatment of data according to the concrete legislative development by each EU Member State. These categories of data that may merit a specific legislative development by each of the Member States are the following:

  • Personal data and reuse of public sector information
  • Personal data and freedom of expression and information: refers to personal data for journalistic purposes or for academic, artistic or literary purposes
  • Data relating to tax identification codes of natural persons
  • Personal data for purposes related to health
  • Data in the workplace: understood as personal data of workers in the workplace, particularly for the purpose of hiring personnel, execution of the employment contract, including compliance with the obligations established by law or collective agreement, management, planning and organization of work, equality and diversity in the workplace, health and safety at work, protection of the assets of employees or customers, as well as for the exercise and enjoyment, individual or collective, of the rights and benefits related to employment and the effects of the termination of the employment relationship

Finally, there are a series of exceptions applicable to the processing of personal data for the purposes of archiving in the public interest or for the purposes of scientific and historical research or statistics.

The following are the assets of BODEGAS BORDOY SL that are involved in the processing operations of personal data, that make up the information systems of BODEGAS BORDOY SL and that are subject to regulation in these Measures and Procedures.

The table below describes the different protected resources used in BODEGAS BORDOY SL, classifying them according to the treatment operation and the assets involved in it, the type of asset, its location and the person responsible for it:

INVENTORY OF INFORMATION TECHNOLOGIES

Asset type | Asset name | Asset manager | Asset location
PAPER DOCUMENTATION | INVOICES, BUDGETS | |
SOFTWARE | PACK OFFICE | |

In Annex E “Registration of treatment activities” all personal data subject to protection under the current regulations on data protection is collected, thus listing the treatment operations and compiling the measures provided by BODEGAS BORDOY SL in order to carry them out adequately.

4. Identification of the Treatment Manager

Business name: BODEGAS BORDOY SL

CIF: B57135907

Fiscal address: CL INDUSTRIA, 10 07013, PALMA DE MALLORCA (ILLES BALEARS)

Activity developed by the Treatment Manager: Winemaking and aging.

List of dependent subsidiaries of the Treatment Manager:

BODEGAS BORDOY SL does not have affiliates or other companies within its corporate structure.

5. Structure and roles in the field of privacy

In accordance with everything provided in current data protection regulations, BODEGAS BORDOY SL, in order to properly organize and manage its data protection policies, has structured its organization based on different roles, which are attributed different functions in terms of privacy. The hierarchical scheme that emerges from this organization is as follows:

5.1. Functions and obligations of the personnel

In order to establish the functions attributed to each privacy role, BODEGAS BORDOY SL has defined them as described below:

  • Data Protection Delegate: will be responsible for coordinating the security measures defined in this manual of Measures and Procedures. This delegation, however, does not exempt from legal responsibility in terms of data security, which continues to fall on the person responsible for the data treatment.

Specific functions attributed:

    • Advise and inform BODEGAS BORDOY SL of the obligations incumbent upon it in matters of privacy
    • Supervise the regulatory compliance of BODEGAS BORDOY SL in the processing of personal data
    • Supervise the implementation and application of BODEGAS BORDOY SL’s policies on personal data protection
    • Supervise the analysis of personal data processing operations
    • Supervise the analysis of the data categories covered by the Organization
    • Supervise the analysis of the risks that may arise from the treatment operations carried out by BODEGAS BORDOY SL
    • Provide advice to the Privacy Officer regarding data protection
    • Impart the training plan to the personnel of BODEGAS BORDOY SL who perform data processing
    • Act as intermediary between BODEGAS BORDOY SL and the Control Authority
    • Perform the notifications required by the Control Authority
    • Supervise the implementation of the personal data protection Impact Assessment
    • Supervise the conduct of the corresponding audits
  • Responsible for Privacy or Security: will be the person designated by the Data Protection Delegate or, failing this, by the BODEGAS BORDOY SL management to coordinate all the aspects related to and defined in the present Measures and Procedures

Specific functions attributed:

    • Update the Manual of Measures and Procedures and adapt it to current regulations
    • Implement the training plan on data protection for the employees
    • Adopt the necessary measures so that the personnel know the safety regulations that affect the performance of their functions and the consequences that may be incurred in case of breach
    • Adopt corrective measures as a consequence of the deficiencies detected in an audit process and approved by the entity
    • Maintain a list of personnel authorized to grant, cancel or alter access rights, in accordance with the established criteria
    • Maintain a list of staff with authorized access to the location of the security copies
    • Maintain a list of personnel authorized to access the premises where the information systems are located
    • Establish communication protocols with the Data Protection Delegate on behalf of the employees
    • Adopt protocols for compliance with the security measures
    • Perform protocols for the design of data treatment flows
    • Report the consequences of non-compliance with the Measures and Procedures
  • Systems manager: will be responsible for managing or maintaining the operating environment of the data categories. These personnel are explicitly listed, since in the course of their tasks they can use management tools that allow access to data not required for their tasks. If this role has not been created within the entity, its obligations will fall on the Data Protection Delegate. These personnel are listed in Annex D “Identification and authentication”.

Specific functions attributed:

    • Manage and maintain the operating environment of the categories of data
    • Supervise the correct installation of the access software for the categories of data
    • Supervise the configuration of the organization’s computer system, with special attention to local network connections, as well as any other external connection
    • Establish mechanisms that prevent unauthorized access to the system from any point, whether local or remote, ensuring the implementation of as many security measures as are approved in this manual of Measures and Procedures
    • Maintain a list of authorized personnel with access to the system, noting the minimum requirements established in the Manual of Measures and Procedures
    • Implement all the necessary measures foreseen in the Manual of Measures and Procedures with regard to tests with real data
    • Communicate to the Treatment Manager or, if applicable, the personnel to whom it has been delegated, all changes that may be significant in the computer system’s environment
  • Administrative managers of the treatment systems: they will be in charge of managing and coordinating compliance with technical and organizational measures, as well as any legal obligation arising from their treatment. If this position has not been created, its obligations will fall on the Responsible of Privacy. These are listed in Annex D “Identification and authentication”.
  • Users of the system: those who usually use the information system, both at the level of automated data and non-automated data. These are referred to in Annex D “Identification and authentication”.
  • Employees without access to automated treatments: personnel who carry out tasks at BODEGAS BORDOY SL, but whose functions do not require access to the computer system

BODEGAS BORDOY SL will appoint a Data Protection Delegate, based on their professional qualities and specialized knowledge of the legislation and practices on data protection. In the absence of this position, its functions will be assumed by the Privacy or Security Manager or, failing that, by the legal representative of BODEGAS BORDOY SL.

In any case, the management of BODEGAS BORDOY SL will ensure and support that the Data Protection Delegate participates adequately and appropriately in all matters relating to the protection of personal data, providing both the resources necessary for the performance of these tasks, and the access to personal data and treatment operations, as well as to maintain their specialized knowledge.

Interested parties may contact the Data Protection Delegate to deal with all matters relating to the processing of data that corresponds to them and the exercise of the rights conferred by the current regulations on data protection.

Copies of the appointment of the Delegate for Data Protection are included in Annex A “Appointment of privacy roles”.

Certain functions attributed to the Data Protection Delegate may be delegated to other employees designated for that purpose, as long as the persons authorized to grant these delegations, as well as those authorized by them, are included in the Manual of Measures and Procedures, along with those that fall to that delegation. In no case does this designation imply a delegation of the responsibility that corresponds to the Responsible of Treatment.

Additionally, for those employees who perform roles different from those of the Data Protection Delegate and the Privacy Manager, BODEGAS BORDOY SL has issued an internal communication establishing the guidelines for the treatment by the staff of the data that can be treated as a consequence of the development of their tasks within the company.

This communication contains the main obligations regarding security of personal data, including the express prohibition of installing any type of application on computer equipment and of using computer and non-computer resources for purposes other than those strictly derived from the development of their work activity, as well as the obligation to maintain the duty of confidentiality on all data processed in connection with the development of their job and not to communicate this information to any person or entity without the relevant authorization.

6. Protocols for compliance with security measures

6.1. Registration of categories of treatment activities

In accordance with current regulations on data protection, BODEGAS BORDOY SL and, if applicable, its representative will keep a record of the treatment activities carried out under its responsibility. This record must contain all the information indicated below:

  • The name and contact information of BODEGAS BORDOY SL and, where appropriate, the co-responsible person, the representative of BODEGAS BORDOY SL, and its Data Protection Delegate
  • The purposes of treatment
  • A description of the categories of stakeholders and the categories of personal data
  • The categories of recipients to whom personal data have been or will be communicated, including recipients in third countries or international organizations
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of said third country or international organization
  • Whenever possible:
    • The deadlines set for the elimination of the different categories of data
    • A general description of the technical and organizational security measures

In order to comply with this obligation, BODEGAS BORDOY SL has designed and implemented a record of the personal data processing activities for which it is responsible. It is kept up to date by means of the updates provided in Annex E “Registration of treatment activities” of the present Measures and Procedures.

The data processing activities, which are listed below, are the responsibility of BODEGAS BORDOY SL, with address at CL INDUSTRIA, 10 07013, PALMA DE MALLORCA (ILLES BALEARS), the legal responsible of which is GUILLERMO ROSSELLO AMENGUAL with DNI 43084646B and telephone number 971780100.

In Annex E “Registration of treatment activities”, BODEGAS BORDOY SL has documented and keeps updated the record of the categories of treatment activities for which it is responsible, providing the following information:

  • The purposes of treatment
  • A description of the categories of interested parties as well as of the categories of personal data to be treated
  • The categories of recipients of data
  • Transfers of data to a third country
  • The deadlines set for the deletion of the data categories
  • A description of the technical and organizational security measures applied to the data categories

6.2. Security regulations

BODEGAS BORDOY SL has carried out an Impact Assessment and its respective risk map of its personal data processing procedures. Considering the results thereof, it has applied the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk expressed in the Impact Assessment. These security measures consider, in particular, the following aspects:

  • The risks presented by the data processing have been taken into account, in accordance with the treatments provided in Annex E “Register of treatment activities”, in particular as a consequence of the destruction, loss or accidental or unlawful alteration of personal data transmitted, conserved or otherwise processed, or unauthorized communication of or access to said data
  • BODEGAS BORDOY SL has taken all necessary measures to ensure that anyone who acts under its authority and has access to personal data can only treat such data following the instructions provided in this document

In order to guarantee the adequate level of protection required by current regulations on data protection, BODEGAS BORDOY SL will apply the following rules, procedures and standards related to the data security of BODEGAS BORDOY SL systems.

6.2.1 Access to data through communication networks

When Treatment Managers have remote access to the information systems of BODEGAS BORDOY SL, these connections must allow the application of security measures equivalent to those of a local area connection, as described in these Measures and Procedures.

In Annex B “Access to Data through Communication Networks” all the Treatment Managers who have an authorized remote access to the information systems of BODEGAS BORDOY SL are listed.

6.2.2 Special categories of data

BODEGAS BORDOY SL does not deal with special categories of data through public networks or wireless electronic communications networks, so the encryption of data is not required in this regard. Likewise, at the time BODEGAS BORDOY SL treats personal data of a special nature, it will encrypt this data or use any other mechanism that guarantees that the information cannot be understood or manipulated by third parties.

6.2.3 Work regime outside the premises where the treatment systems are located

In BODEGAS BORDOY SL there are no portable devices. In the event that portable devices are incorporated in BODEGAS BORDOY SL and that data is processed in their logical units, these treatments must be previously authorized by the Data Protection Delegate, and they will be listed and authorized in Annex H “Work Regime Outside the Location Locations of the treatment systems”, following the policy set out below.

Employees of BODEGAS BORDOY SL who have a portable device assigned will be informed of the prohibition, except for authorized exceptions, of storing personal data in the logical units of the portable devices and of the obligation to work with personal data only on the logical units defined in the local server. In addition, they will apply the security measures implemented in BODEGAS BORDOY SL, which are defined in the current security regulations.

It will be mandatory that portable devices apply the same criteria for identification, authentication and access control defined in the security regulations, whenever they connect to the local network or access it remotely.

In any case, the recording of special categories of data or of high level in the logical units of the portable devices will be allowed without their prior authorization.

6.2.4 Identification and authentication

The procedure followed in BODEGAS BORDOY SL for the identification and authentication of users when they try to access the system, the network or the applications is based on the combination of a user identification code and a password, which the computer system will check on each access attempt in order to verify whether said access is authorized.

Each user has been assigned a unique and non-transferable identification for both access to the system and access to applications.

In BODEGAS BORDOY SL there is a policy of allocation, distribution and storage of users and passwords that guarantees their confidentiality and integrity. This policy also establishes the frequency with which the change of passwords will be required. It is found in Annex D “Identification and Authentication”.

6.2.5 Access control

The users of BODEGAS BORDOY SL will receive their access rights following the policy of minimum privilege, assigning them a unique identification code. That is, they will only access those data and computing resources they need to carry out their functions.

The Privacy Manager or those employees that have been assigned this task, will determine the applications that will be accessible to each user.

Annex D “Identification and Authentication” indicates the procedure to be followed in order to obtain the list of users with authorized access to the network and the applications, as well as the rights granted to them.

In Annex D “Identification and Authentication”, the list of users with authorized access to each information system is included. In addition, the type of authorized access for each of them is included. This list will be updated by the Privacy or Security Manager, or by the staff to whom this task has been delegated, each time a user receives new privileges or each time a new user is registered with access to personal data.

When personnel of third companies providing a service to BODEGAS BORDOY SL have access to the resources of BODEGAS BORDOY SL, they will be subject to the same conditions and security obligations as the own personnel of BODEGAS BORDOY SL.

6.2.6 Media management

In BODEGAS BORDOY SL, media containing personal data will be labeled allowing identification. In the same way, they will be inventoried and stored in the facilities where the information systems are located (servers and communication equipment). This place will be considered restricted access and can only be accessed by the personnel authorized by the Treatment Manager.

Likewise, BODEGAS BORDOY SL has different employee profiles. All employees who require access to computer media that contain personal data are authorized at the time of signing the employment contract with the company, including for the sending and receiving of emails with attached documents.

In this way, access to media will be understood as authorized from the moment the employee signs the employment contract with BODEGAS BORDOY SL.

This authorization will be understood as valid, provided that the employment contract remains in force. When the employment relationship with the employee ceases, the authorization will be understood as terminated.

6.2.7 Backup and recovery procedures

BODEGAS BORDOY SL has established a procedure for making backup copies at least weekly, unless there was no update of the data in that period.

The mentioned procedure for the recovery of the data must guarantee at all times their reconstruction in the state in which they were at the time of the loss or destruction.

Only in the event that the loss or destruction affects data categories or partially automated treatments, and provided that documentation exists that allows the objective referred to in the previous paragraph to be achieved, will data be recorded manually.

The procedure establishes a verification at least every six months to ensure the correct definition, operation and application of the backup and recovery procedures of the data.

The architecture of the backup procedure is detailed in Annex I “Backup and Recovery Procedures”.

6.2.8 Inventory of computer applications

BODEGAS BORDOY SL has developed an inventory of computer applications in order to be able to manage and indicate the location of the existing data categories within the computer systems.

In Annex J “Inventory of computer applications” is the list of computer applications used by BODEGAS BORDOY SL. This inventory will be updated by the Privacy or Security Manager, or by the personnel to whom this work has been delegated, whenever computer applications are replaced, deleted or added within the information management systems of the data categories.

6.2.9 Non-automated processing procedures

Non-automated treatment is understood as any set of personal data organized in a non-automated and structured manner according to specific criteria relating to natural persons, which allow disproportionate access to their personal data, whether centralized, decentralized, or functionally or geographically distributed. In general, any document in which personal data are found in a non-computer format (invoices, budgets, delivery notes, contracts, CVs, etc.) will be considered non-automated treatment.

The security measures described above for the automated data categories will apply to the non-automated data categories. Additionally, Annex M “Non-automated treatment operations” describes the security measures applicable only to processing operations performed exclusively on paper.

6.2.10 Contracts for the provision of services

BODEGAS BORDOY SL has hired different service providers that perform data processing under its responsibility. BODEGAS BORDOY SL has documented in Annex G “Relationship of Treatment Managers” the updated list of all those service providers that, for the services being provided, have access to personal data under the responsibility of BODEGAS BORDOY SL.

These must include the following information:

  • Treatment Manager
  • Business name
  • CIF
  • Purposes of the treatment
  • Categories of interested parties and categories of personal data
  • Technical and organizational security measures

7. Protocols of communication with the DPO

In accordance with the Privacy Roles established in point 5 of these Measures and Procedures, and in order to establish a fluid communication channel with the DPO, a procedure has been established for this. In this sense, any person of the company may contact the Data Protection Delegate to suggest, communicate or consult any matter that relates to the Security Measures and Procedures established and that affects the personal data that are to be protected in BODEGAS BORDOY SL.

Such communication with the DPO will be optional if there are suspicions or indications that there has been a violation or breach of the security of the personal data that may give rise to a high risk for the rights and freedoms of the interested parties and that is likely to produce any of the following situations:

  • Discrimination problems
  • Identity theft or fraud
  • Economic losses
  • Unauthorized change of pseudonymisation
  • Impairment of reputation
  • Loss of confidentiality of data subject to professional secrecy
  • Any other significant economic or social damage

In the case of one of these situations, it will also be contemplated in the section “Registration and management of incidents, violations or security breaches”.

In Annex C “Procedure for communication with the DPO”, the procedure for communication with the Data Protection Delegate is established.

8. Training plan for the application of the RGPD

The continuous training of the personnel of the entity in matters of protection of personal data is a key element for the correct implementation of the RGPD.

Considering that currently the data represent one of the greatest assets that a company can possess, it is necessary that the personnel have the necessary knowledge in the field of data protection, as well as to make them aware of their functions and obligations within the company.

This document transcribes those aspects of compliance with current regulations of which the DPO will need to inform the employee, taking into account that the training should be customized to the type of data processing performed by the Treatment Manager.

In this sense, and in order to proceed with an appropriate transition during the two years of coexistence of the RGPD and the LOPD, Annex K “Training Plan” establishes the main axes and the content of the training plan approved by BODEGAS BORDOY SL, which will be imparted to all personnel who process data under the responsibility of BODEGAS BORDOY SL.

9. Protocol for the design of data processing flows

Any new treatment, foreseen or not, that, in particular if using new technologies, entails a high risk for the rights and freedoms of natural persons due to its nature, scope, context or purposes, will require BODEGAS BORDOY SL to carry out an Impact Evaluation prior to this new treatment operation.

For a correct development of the Impact Evaluation, BODEGAS BORDOY SL will proceed to document the data processing procedure.

Annex L “Procedure for generating data processing processes” establishes the model that BODEGAS BORDOY SL will follow in order to execute new procedures for the processing of personal data.

In any case, these procedures will be supervised and approved by the Delegate of Data Protection, or in its absence by the Privacy or Security Manager.

10. Procedure for the management of incidents and violations or gaps of data security

Any situation that compromises the security of the personal data being processed, and that causes the accidental or unlawful destruction, loss or alteration of personal data transmitted, conserved or otherwise processed, or unauthorized communication of or access to said data, will be considered an incident or violation of data security.

In this sense, BODEGAS BORDOY SL will record the incidents that may affect the security of the information systems and that affect the personal data being processed. However, BODEGAS BORDOY SL will review any development regulations that could affect the current regulations in order to proceed to communicate these situations to the relevant Control Authority, without undue delay and, if possible, no later than 72 hours after having record of it; if the communication is not made within this period, it must be accompanied by a reasoned justification.

This communication must contain at least the following points:

  • Description of the nature of the breach of security of personal data, including, where possible, the categories and approximate number of affected stakeholders and the categories and approximate number of data records concerned
  • Name and contact information of the Data Protection Delegate and, in his absence, of the Privacy Manager
  • Description of the possible consequences of the breach of security of personal data
  • Description of the measures adopted or proposed by BODEGAS BORDOY SL, in order to correct this fall in security of the information systems, including, if necessary, those adopted to mitigate the possible negative effects
  • If this is not possible, or to the extent that it is not possible to provide the information simultaneously, the information should be provided in stages without undue delay

In any case, BODEGAS BORDOY SL will proceed to document any incident, violation or breach of security of the personal data, indicating its context, its effects and the corrective measures adopted. This documentation will be available to the Spanish Agency for Data Protection. This work will fall on the Delegate of Data Protection and, failing that, on the Privacy or Security Manager.

In Annex C “Procedure for communication with the DPO”, there is the model for recording incidents and data security violations.

The procedure established by BODEGAS BORDOY SL will foresee those situations in which it is probable that the breach of security of the personal data will give rise to a high risk for the rights and freedoms of the interested parties. BODEGAS BORDOY SL will inform the interested party, without undue delay, of the breach of security of personal data.

This communication will describe in clear and simple language the nature of the breach of security of the personal data and will contain, at least, the information and the recommendations described previously.

Likewise, BODEGAS BORDOY SL will not proceed to this communication to the interested party when the following situations converge:

  • BODEGAS BORDOY SL has instituted appropriate technical and organizational protection measures and these measures have been applied to personal data affected by the breach of security of personal data, in particular those that make data unintelligible for anyone who is not authorized to access them, such as encryption
  • BODEGAS BORDOY SL has taken subsequent measures to ensure that it is no longer likely that the high risk caused by the security breach of the data

When this communication would involve a disproportionate effort for BODEGAS BORDOY SL, it will opt for a public communication or a similar measure by means of which the interested parties are informed in an equally effective way.

11. Procedure for managing the rights of interested parties

The current data protection regulations regulate both the rights that can be exercised by the interested party and the mechanisms for exercising such rights before the person in charge of processing the data.

The rights that can be exercised by the data subject are the following:

  • Right of access: it is the right of the interested party to obtain from the Treatment Manager confirmation of whether personal data concerning him is being processed or not, and, in case of confirmation, access to the data must be facilitated, as well as to the information of what has
  • Right of rectification: the interested party shall have the right to obtain from the Person Responsible for Processing without unjustified delay the rectification of the personal data that concerns him when such data is inaccurate. In view of the purposes for which the data have been processed, the data subject will have the right to have personal data completed when they are incomplete, in particular through the provision of an additional declaration
  • Right to limitation of treatment: it is the right to obtain from the Data Controller the limitation of the processing of personal data
  • Right to deletion (“right to be forgotten”): refers to the right of the interested party to obtain from the Person Responsible for Processing the deletion of personal data concerning him without undue delay, and the Person Responsible for Processing will have the obligation to suppress personal data without unjustified delay when the requirements stipulated in Article 17 of the Regulation are met
  • Right to data portability: it consists of the right to receive the personal data that concern you, that have been provided to a Treatment Manager, in a structured, commonly used and machine-readable format, and to transmit them to another Person in charge of Treatment without being prevented by the Treatment Manager to whom the data
  • Right of opposition: the interested party may object at any time, for reasons related to their particular situation, to the fact that personal data concerning him or her are subject to a treatment for the fulfillment of a public interest or for the satisfaction of a legitimate interest, including the profiling on the basis of those provisions

Response periods:

In this sense, during the transition period of 2 years for the full application of the RGPD, and as long as there are no national regulations in this regard, the rights of access, rectification, opposition and cancellation or deletion will be understood as valid. Likewise, the deadlines set by the Treatment Manager to resolve the exercise of the foregoing rights by the interested party are established. The terms are the following:

The Treatment Manager will facilitate the exercise of the interested party's rights and will provide information on the actions requested and carried out without delay and, at the latest, within one month for the right of access and ten days for the rights of rectification, opposition and cancellation or deletion, upon receipt of the request.

The interested party may exercise their rights regarding data protection free of charge.

In these cases it will be BODEGAS BORDOY SL who will assume the burden of demonstrating the manifestly unfounded or excessive nature of the request.

In any case, any request must be accompanied by:

  • Name, last name of the interested party and copy of the DNI. In the exceptional cases in which representation is admitted, identification by the same means of the person who represents him will also be necessary, as well as the document accrediting the representation. The photocopy of the DNI may be substituted provided that the identity is accredited by any other means valid in law
  • Petition in which the request is specified (the right that is being exercised or the information to which you want access). If you do not refer to a specific file, you will be provided with all the information the company holds in your name. If you request information from a specific file, only the information in this file will be provided. If you request information regarding a third party, it can never be provided. If you request it by phone, you will be instructed to do so in writing and you will be informed of how you can do it and the address to which you have to send it. You will never be given information by phone
  • Address for notification purposes
  • Date and signature of the applicant
  • Documents accrediting the petition being made