The Management / Governing Body of HERRAJES NESU, SL (hereinafter, the data controller), undertakes the maximum responsibility and commitment to the establishment, implementation and maintenance of this Data Protection Policy, ensuring the continuous improvement of the data controller with the aim of achieving excellence in relation to compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/CE (General Data Protection Regulation) (OJEU L 119/1, 04-05-2016), and Spanish legislation on protection of personal data (Organic Law, specific sector legislation and its standards of implementation).

The Data Protection Policy of HERRAJES NESU, SL lies on the principle of proactive responsibility, according to which the data controller is responsible for compliance with the regulatory and jurisprudential framework that governs said Policy, and is able to show proof of it to the competent control authorities.

In this sense, the data controller shall be governed by the following principles that should serve all its personnel as a guide and frame of reference in the processing of personal data:

  1. Data protection from the design: The data controller shall apply, both at the time of determining the means of processing and at the time of the processing, appropriate technical and organisational measures, such as pseudonymisation, designed to effectively apply the principles of data protection, such as minimisation of data, and integrate the necessary guarantees in the processing.
  2. Data protection by default: The data controller shall apply the appropriate technical and organisational measures in order to ensure that, by default, only the personal data necessary for each specific purpose of the processing are processed.
  3. Data protection in the information life-cycle: The measures ensuring the protection of personal data shall be applicable throughout the information life-cycle.
  4. Legality, loyalty and transparency: The personal data shall be processed in a lawful, loyal and transparent manner in relation to the party concerned.
  5. Limitation of the purpose: The personal data shall be collected for specific, explicit and legitimate purposes, and shall not be further processed in a manner incompatible with said purposes.
  6. Data minimisation: The personal data shall be suitable, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  7. Accuracy: The personal data shall be accurate and, if necessary, updated; all reasonable measures shall be taken so that personal data that are inaccurate with respect to the purposes for which they are processed are deleted or rectified without delay.
  8. Limitation of the storage period: The personal data shall be kept in a way that allows the identification of the parties concerned for no longer than necessary for the purposes of processing personal data.
  9. Integrity and confidentiality: The personal data shall be processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organisational measures.
  10. Information and training: One of the keys to ensure the protection of personal data is the training and information that is provided to the personnel involved in the processing thereof. During the information life-cycle, all personnel with access to data shall be properly trained and informed about their obligations in relation to compliance with data protection regulations.

The Data Protection Policy of HERRAJES NESU, SL is communicated to all personnel of the data controller and made available to all parties concerned.

Accordingly, this Data Protection Policy involves all the personnel of the data controller, who must know and undertake it, considering it as their own, and each member shall be responsible for applying it and verifying the data protection rules applicable to their activity, as well as identifying and contributing the opportunities for improvement deemed appropriate with the aim of achieving excellence in relation to compliance.

This Policy shall be reviewed by the Management / Governing Body of HERRAJES NESU, SL, as many times as deemed necessary, to adapt it, at all times, to current provisions on the protection of personal data.