

ROMA Arquitectura – 74851260Z
ROMA Arquitectura
Calle Océano Atlántico 68. Torre A. Planta 15 Módulo A4. 11379 Palmones, Cádiz
info@romaarquitectura.com
Purpose: Security and access control
Data subject: Persons who access or try to access the facilities
Recipients: Law-enforcement Authorities
Retention period: _______ calendar days
DOCUMENTATION TO REVIEW
This document contains the informative clauses to be included in the information request forms; the contractual data protection clauses to be annexed to each of the service provision contracts signed with processors; the record of processing activities; and an annex with directives for handling the data protection requests received from data subjects, recommendations on the minimum security measures that must be implemented in the organisation and the requirements to follow for the correct processing of images captured by video surveillance cameras, together with a video surveillance warning sign already completed with the details of the data controller.
The documentation generated is adapted to the information provided for each of the types of processing selected when completing the application.
WARNING: Don’t forget to sign the final page of each of the contracts obtained.
ANNEX
GENERAL INTEREST INFORMATION
This document has been designed for the processing of low-risk personal data and it may not be used for the processing of personal data including data relating to ethnic or racial origin, political or religious or philosophical ideology, trade union affiliation, genetic and biometric data, data regarding the health or sexual orientation of persons and any other form of data processing that entails high risk for the rights and freedoms of the persons in question.
Article 5.1(f) of the General Data Protection Regulation (hereinafter, GDPR) establishes the need for adequate security guarantees against unauthorised or unlawful processing and against the loss, destruction or accidental damage of personal data. This involves establishing technical and organisational measures geared towards ensuring the integrity and confidentiality of the personal data and the possibility of demonstrating, as established in Article 5.2, that these measures have been implemented (proactive responsibility).
Moreover, the controller must establish viable, accessible and simple mechanisms for the exercise of rights and define internal procedures to guarantee effective facilitation of the requests received.
FACILITATING THE EXERCISE OF RIGHTS
The controller shall inform all employees regarding the procedure for facilitating the exercise of rights on the part of data subjects, defining clear mechanisms through which the rights can be exercised and taking into account the following:
- Subject to presentation of the national identification document or passport, the owners of the personal data (the data subjects) may exercise their rights to access, rectification, erasure, opposition, portability and limitation of processing. The exercise of rights is free.
- The controller must respond to data subjects without undue delay and in a concise, transparent and intelligible manner with clear and simple language and retain proof of compliance with the duty to respond to requests for the exercise of fundamental rights.
- If the request is presented by electronic means, the information will be facilitated by these means where possible, except where the data subject requests otherwise.
- Requests must be responded to within a term of 1 month from receipt. This term may be extended by another two months, taking into account the complexity or the number of requests, but in this case the data subject must be informed of the extension within a term of one month from receipt of the request, with reasons for the delay.
RIGHT TO ACCESS: For the right to access, data subjects will be provided with a copy of the personal data available together with the purpose for which they have been collected, the identity of the recipients of the data, the retention periods provided for and the criteria used to determine them, the existence of the right to request the rectification or erasure of personal data and the limitation of, or opposition to, processing, the right to lodge a complaint with the Spanish Data Protection Agency and, if the data have not been obtained from the data subject, any information available regarding their origin. The right to obtain a copy of the data cannot negatively affect the rights and freedoms of other data subjects.
RIGHT TO RECTIFICATION: In the right to rectification the data of the data subject that were incorrect or incomplete shall be changed in accordance with the purposes of the processing. The data subject may indicate in the request what data are referred to and the correction to be made, providing, where necessary, the supporting documentation of the inaccuracy or incomplete nature of the data processed. If the data have been communicated by the controller to other processors, they must notify them of the rectification unless it is impossible to do so or requires disproportionate effort, providing the data subject with information regarding such recipients upon request.
RIGHT TO ERASURE: In the case of the right to erasure, the data of the data subjects shall be erased where they oppose processing and no legal basis impedes it, where not necessary in relation to the purposes for which they were collected, they withdraw the consent provided and there is no legitimate legal basis for the processing or where it is illegal. If the erasure arises from the exercise of the right to opposition to the processing of their data for marketing purposes on the part of the data subject, the identification data of the data subject may be retained for the purpose of preventing future processing. If the data have been communicated by the controller to other processors, they must notify them of the erasure unless it is impossible to do so or requires disproportionate effort, providing the data subject with information regarding such recipients if they request same.
RIGHT TO OPPOSITION: In the case of the right to opposition, where data subjects inform the controller that they refuse consent for the processing of their personal data, the controller shall cease processing them provided that no legal obligation prevents them from doing so. Where the processing is based on a mission of public interest or the legitimate interest of the controller, on receiving a request to exercise the right to opposition the controller must cease processing the data except where overriding reasons prevail above the interests, rights and freedoms of the data subject or the data are necessary for the formulation, exercise or defence of claims. If the data subject opposes the processing for the purposes of direct marketing, the personal data shall no longer be processed for these purposes.
RIGHT TO PORTABILITY: In the case of right to portability, if the processing is carried out by automated means and is based on consent or is carried out within the framework of a contract, the data subject may request a copy of their personal data in a structured, commonly used and electronically readable format. Thus, they have the right to request that they are transmitted directly to a new controller whose identity must be communicated where technically possible.
RIGHT TO LIMITATION OF PROCESSING: In the case of the right to limitation of processing, the data subjects may request the suspension of processing of their data to impugn the inaccuracy while the controller carries out the necessary verifications or, in the event that the processing is carried out based on the legitimate interest of the controller or in compliance with a mission of public interest, while it is verified if these reasons prevail over the interests, rights and freedoms of the data subject. The data subject may also request the retention of the data if it is considered that the processing is illegal and, rather than suspension, request the limitation of processing or if the controller no longer needs the data for the purposes for which they were collected, the data subject needs them for the formulation, exercise or defence of complaints or claims. In the event that the processing of the data subject’s data is limited this must be clearly stated in the controller’s systems. If the data have been communicated by the controller to other processors, they must notify them of the rectification unless it is impossible to do so or requires disproportionate effort, providing the data subject with information regarding such recipients on request.
If the data subject’s request is not granted, the controller shall inform them without delay and no later than one month after receipt of same, of the reasons for not granting the request and the possibility of presenting a claim before the Spanish Data Protection Agency and of taking legal action.
SECURITY MEASURES
Given the type of processing demonstrated when this form was completed, the minimum security measures to be taken are the following:
ORGANISATIONAL MEASURES
INFORMATION THAT MUST BE KNOWN BY ALL PERSONNEL WITH ACCESS TO PERSONAL DATA
All personnel with access to personal data must have knowledge of the obligations in relation to the processing of personal data and shall be informed in relation to said obligations. The minimum information which personnel must know shall be the following:
- DUTY OF CONFIDENTIALITY AND SECRECY
- Any access to the personal data by unauthorised persons must be avoided. In order to achieve this, the exposure of personal data to third parties (unattended screens, paper documents left in public access areas, media containing personal data, etc.) must be avoided. This consideration includes the screens that are used for viewing images of the video surveillance system. When you leave your work station, ensure that you lock your screen or log out.
- Paper documents and electronic media must be stored in a secure place (in a press or in restricted access rooms) 24 hours a day.
- Documents and electronic media with personal data (CDs, USB storage devices, hard drives, etc.) may not be discarded without ensuring their effective destruction.
- Personal data or any other information of a personal nature will not be revealed to third parties, taking special care not to disclose protected personal data during telephone consultations, in emails, etc.
- The duty of confidentiality and secrecy remains in effect even after the employment relationship between the employee and the company has come to an end.
- PERSONAL DATA SECURITY VIOLATIONS
- Where a violation of the security of personal data occurs, for example, the theft or unauthorised access to the personal data, the Spanish Data Protection Agency must be notified within 72 hours of said security violations, including all the information necessary for clarifying the facts that have given rise to the unauthorised access to personal data. This notification will be made electronically through the website of the Spanish Data Protection Agency, to the address https://sedeagpd.gob.es/sede-electronica-web/.
TECHNICAL MEASURES
IDENTIFICATION
- When the same computer or device is used for processing personal data and for personal use it is advised that different profiles are created for each of these uses. Professional and personal uses of the computer should be kept separate.
- The creation of a profile with administration rights is recommended for the installation and configuration of the system and users without administration rights or privileges for accessing personal data. In the event of cyber attack, this prevents attackers from obtaining the rights or privileges to access or modify the operating system.
- Passwords will be used for access to personal data stored in electronic files. The password must have 8 characters and a combination of numbers and letters.
- When different people access personal data, a specific username and password (unequivocal identification) must be kept.
- The confidentiality of passwords must be maintained, avoiding any disclosure to third parties. For managing passwords, you can consult The Guide to Privacy and Security (Spanish) produced by the Spanish Data Protection Agency (AEPD) and the National Cybersecurity Institute (INCIBE). Under no circumstances shall passwords be shared or left on notes in common areas accessed by persons other than the user.
DUTY TO SAFEGUARD
Below are the minimum technical measures required to guarantee the safeguarding of personal data:
- UPDATING COMPUTERS AND DEVICES: The devices and computers used for the storage and processing of the personal data must be kept up to date insofar as possible.
- MALWARE: The computers and devices on which automated data processing is performed must have an antivirus system that will ensure, insofar as possible, the prevention of possible theft and destruction of the information and personal data. The antivirus system must be updated regularly.
- FIREWALLS: To prevent unauthorised remote access to personal data, firewalls will be activated and correctly configured on those computers and devices where personal data are stored and/or processed.
- ENCRYPTED DATA: Where personal data are required off the premises where they are processed, whether by physical or electronic means, the possibility of using a method of encryption to guarantee confidentiality of the personal data in the event of unauthorised access to the information must be assessed.
- BACKUP COPY: Periodically, backup copies will be made on a second device, different from that used for day-to-day work. The copy will be stored in a secure place, different from that where the computer and original files are stored, in order to allow for data recovery in the event of the loss of information.
The security measures shall be reviewed periodically. The review may be carried out by automatic mechanisms (IT software or programs) or manually. Consider that any IT security incident that has occurred to anyone might occur to you, and try to prevent it.
If you would like more information or technical guidance on how to ensure the security of personal data and other information processed by your company, the Spanish National Cybersecurity Institute (INCIBE) offers a number of tools intended for companies on its website www.incibe.es. You can find them in the «Protect your business» section, including, among others:
- A section on training with a videogame, incident response challenges and interactive sectoral training videos.
- An awareness pack for employees.
- Different tools for helping the business improve cybersecurity, including policies for the employer, technical personnel and other employees, a catalogue of companies and security solutions and a risk analysis tool.
- Thematic dossiers accompanied by videos, infographics and other resources.
- Guides for entrepreneurs.
What’s more, through the Internet User Security Office, it offers additional free IT and informative tools that can be useful for companies and their professional activity.
CAPTURE OF IMAGES USING CAMERAS FOR SECURITY PURPOSES
(VIDEO SURVEILLANCE)
A person’s image, insofar as they are or may be identified, constitutes a piece of personal data that may be subject to processing for various purposes. While the most common use of cameras is to ensure the security of persons and facilities, they can also be used to monitor the work performed by employees. Included below are basic directives to be observed so that the processing of images obtained from video surveillance cameras is in line with data protection regulation. Nevertheless, it is recommended that you consult the Guide on use of video cameras for security and other purposes for more exhaustive knowledge of the obligations.
- LOCATION OF THE CAMERAS: The capture of images from areas intended for workers’ rest should be avoided, as should the capture of the public thoroughfare if outdoor cameras are being operated. Only the capture of the minimum area possible to maintain the security of persons, assets and facilities shall be permitted.
- LOCATION OF MONITORS: The monitors where the images from cameras are viewed will be located in a restricted-access area so that they are not accessible to third parties. The images recorded shall only be accessed by authorised personnel.
- RETENTION OF IMAGES: The images will be stored for a maximum period of one month, with the exception of the images that show acts that violate the integrity of persons, assets or facilities. In this case, they must be provided to the competent authority within 72 hours of becoming aware of the existence of the recording.
- DUTY TO INFORM: Information must be provided on the use of cameras and video recording via an informative sign placed in a sufficiently visible spot, identifying at a minimum the identity of the controller and the data subjects’ possibilities of exercising their rights. The sign itself must also include a connection code or web address where this information is displayed. The Agency’s website has templates of both the sign and the text.
- EMPLOYMENT CONTROL: Where cameras are to be used for the purpose of employment control in accordance with the provisions of Article 20.3 of the Employment Act, the employee and their trade union representatives shall be informed, by any means that ensures receipt of the information, of the control measures established by the company, with express indication that the images captured by the cameras are used for the purpose of employment control.
- RIGHT OF ACCESS TO IMAGES: To facilitate data subjects’ right to access recordings of the video surveillance system, a recent photograph and a copy of the National Identification Document of the data subject shall be requested to verify their identity and the date and time to which the right of access refers. Data subjects will not be given direct access to the camera images showing images of third parties. Where it is not possible for the data subject to view the images without revealing third parties, they will be provided a document in which the existence of the images of the data subject is confirmed or rejected.
For more information, you can consult the video surveillance guide and files and legal reports published by the Spanish Data Protection Agency under the section Video Surveillance.