Data processor contract

PERSONAL DATA ACCESS AGREEMENT

This agreement is entered into between AENOR CONOCIMIENTO SLU (hereinafter, AENOR or the Processor) and the Organization that accepts these terms (hereinafter the Controller).

By clicking “I agree,” you are accepting this Personal Data Access Agreement on behalf of the Organization. You must have the authority to bind the Organization to this agreement; otherwise, you should not register for the services.

This agreement sets out the conditions for the processing of data by the Data Processor, in accordance with the provisions of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights, as well as Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and consequently the parties agree to the following

CLAUSES

1. PURPOSE OF THE DATA PROCESSOR

These clauses enable AENOR to process, on behalf of the data controller, the personal data necessary to provide the service whose purpose is to provide training services to natural persons employed by the data controller.

Processing operations that will be carried out: registration, viewing (if the training is subsidized, certain data may be communicated to FUNDAE), storage, deletion.

Specifically, the data will be used for:

  • Control of attendance at the training activity.

  • Issuance of titles and diplomas.

  • Where applicable, management of subsidized training.

  • Responding to the corresponding requirements in the event of an inspection (FUNDAE).

  • If the Data Controller requests it, the training will be recorded.

2. IDENTIFICATION OF THE AFFECTED INFORMATION

For the execution of the services derived from the fulfillment of the purpose of this commission, the entity responsible for the processing makes available to AENOR, by way of example but not limitation, the information described below:

  • Employees: Identifying information, professional or academic qualifications, employment details. If the data controller requests the recording of the training, the image and voice will be processed.

  • Suppliers (only if the client requests training from their suppliers): Identifying information, professional or academic qualifications, employment details. If the data controller requests the recording of the training, the image and voice will be processed.

3. DURATION

The duration of this agreement is directly linked to the validity of the service provision contract.

4. OBLIGATIONS OF THE DATA PROCESSOR

The data controller and all its staff are obliged to:

  • a. Use the personal data being processed, or collected for inclusion, only for the purpose of this engagement. Under no circumstances may the data be used for personal purposes.

  • b. Process the data in accordance with the instructions of the data controller. If the data processor considers that any of the instructions infringe the LOPDGDD, the GDPR or any other data protection provision of the Union or of the Member States, the processor shall immediately inform the controller.

  • c. Keep a written record of all categories of processing activities carried out on behalf of the controller, which contains:

  1. The name and contact details of the processor(s) and of each controller on whose behalf the processor acts and, where applicable, of the representative of the controller or the processor and of the data protection officer.
  2. The categories of processing carried out on behalf of each controller.
  3. Where applicable, transfers of personal data to a third country or international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Article 49(1), second subparagraph of the GDPR, documentation of appropriate safeguards.
  4. An overview of the technical and organizational security measures.
  • d. Not to disclose the data to third parties, unless expressly authorized by the data controller, in legally permissible cases. The processor may disclose the data to other processors of the same controller, in accordance with the controller's instructions. In this case, the controller will identify, in advance and in writing, the entity to which the data must be disclosed, the data to be disclosed, and the security measures to be applied for the disclosure.

    If the processor has to transfer personal data to a third country or to an international organisation, pursuant to Union or Member State law to which it is subject, it shall inform the controller of that legal requirement in advance, unless such law prohibits it for important reasons of public interest.

  • e. Subcontracting.

    If it becomes necessary to subcontract any processing, the controller authorizes it. Any such subcontracting must be communicated to the controller in advance and in writing, indicating the processing to be subcontracted and clearly and unambiguously identifying the subcontractor and its contact details. The subcontractor, who will also be considered a data processor, is likewise obligated to comply with the obligations established in this document for the data processor and the instructions issued by the controller. It is the responsibility of the initial controller to regulate the new relationship so that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and the same formal requirements as the original controller, with regard to the proper processing of personal data and the guarantee of the rights of data subjects. In the event of non-compliance by the sub-processor, the initial controller will remain fully liable to the controller with regard to compliance with the obligations.

  • f. Maintain the duty of secrecy regarding the personal data to which he/she has had access by virtue of this assignment, even after its purpose has ended.

  • g. Ensure that persons authorized to process personal data expressly and in writing commit to respecting confidentiality and complying with the corresponding security measures, which must be duly communicated to them.

  • h. Keep available to the responsible party the documentation proving compliance with the obligation established in the previous section.

  • i. Ensure the necessary training in personal data protection for persons authorized to process personal data.

  • j. Assist the data controller in responding to the exercise of the rights of:

  1. Access, rectification, erasure and objection

  2. Restriction of processing

  3. Data portability

  4. Not to be subject to automated individual decision-making (including profiling)

    When data subjects exercise their rights of access, rectification, erasure, and objection, as well as the right to restriction of processing, data portability, and the right not to be subject to automated individual decision-making, the data processor must notify the data controller by email to the address provided by the data controller. This notification must be made immediately and in no case later than the next business day following receipt of the request, along with any other information that may be relevant to resolving the request.

  • k. Right to information.

    It is the responsibility of the data controller to provide the right to information at the time of data collection.

  • l. Notification of data security breaches.

    The data processor shall notify the data controller without undue delay, and in any event no later than 48 hours after the breach of personal data under its responsibility, of which it becomes aware, together with all relevant information for the documentation and communication of the incident. Notification shall not be required where it is unlikely that the breach poses a risk to the rights and freedoms of natural persons.

  • m. To support the data controller in carrying out data protection impact assessments, where appropriate.

  • n. To support the data controller in carrying out the necessary consultations with the supervisory authority, where appropriate.

  • o. Make available to the responsible party all the information necessary to demonstrate compliance with their obligations, as well as for the performance of audits or inspections carried out by the responsible party or another auditor authorized by them.

  • p. Implement mechanisms to:

  • a. Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

  • b. Restore the availability and access to personal data quickly, in the event of a physical or technical incident.

  • c. Regularly verify, evaluate and assess the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.

  • d. Pseudonymize and encrypt personal data, where applicable.

For reasons of confidentiality and security, the specific security measures are not published; the Data Controller may request them at any time through the email address indicated in the following item.

  • q. The email address datos@aenor.com is designated as the contact point for any communication relating to the protection of personal data.

  • r. Destination of the data.

    The personal data covered by this contract may be communicated to the FUNDAE entity for the purpose of managing subsidized training, upon request of the data controller.

    The personal data of students who have completed training with AENOR will be kept until the interested party requests its deletion or exercises any other right recognized by current regulations.

    The data retention criteria are based on the following aspects:

  • To attend to the legitimate interests of the data subject, in the case of requests for reissue or duplicates of degrees or certificates of training completed.

  • Inform interested parties of regulatory and legislative updates related to the training courses they have taken.

  • For the purposes of historical or statistical research; and as evidence in internal quality procedures.

  • Respond to requests or inspections from administrative bodies related to subsidies for training courses.

5. OBLIGATIONS OF THE DATA CONTROLLER

  • a) Give the processor access to the data referred to in clause 2 of this document.

  • b) Where appropriate, carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the processor.

  • c) Carry out the necessary preliminary consultations.

  • d) Ensure, before and throughout the processing, compliance with the LOPDGDD and the GDPR by the processor.

  • e) Monitor the processing, including carrying out inspections and audits.

  • f) Inform the data subjects of the processing that will be carried out by the processor on behalf of the controller.

  • g) Anonymize all personal data that you do not consider necessary to provide the contracted service.

  • h) To communicate in writing any personal data processing that you consider necessary and that is not included in this document.

6. APPLICABLE LEGISLATION AND CONFLICT RESOLUTION

Any dispute relating to this Agreement and the relationship between the parties shall be governed by Spanish law, and the parties agree to submit to the competent Courts and Tribunals in accordance with the law.