The management board/governing body of MADRID & DARRACOTT S. L. (hereinafter referred to as the “data controller”) assumes full responsibility for and provides its full commitment to drafting, implementing and maintaining this Data Protection Policy, ensuring continuous improvement on the part of the data controller with a view to achieving excellence in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU L 119/1, 04-05-2016) and with Spanish legislation on the protection of personal data (Spanish Organic Law, specific sector legislation and the implementing regulations).
The MADRID & DARRACOTT S. L. Data Protection Policy is based on the principle of proactive responsibility, according to which the data controller is responsible for ensuring compliance with the regulatory framework and case law that governs the Policy, and is able to prove this before the competent supervisory authorities.
The data controller is governed by the following principles that should serve as a guide and frame of reference for all of its staff, with regard to the protection of personal data:
- Data protection by design: when determining the means of processing and during processing itself, the data controller shall apply appropriate technical and organisational measures, such as pseudonymisation, designed to effectively implement the principles of data protection, such as processing the minimum amount of data required and incorporating the necessary guarantees into the processing.
- Data protection by default: the data controller shall apply appropriate technical and organisational measures with a view to ensuring that, by default, only personal data necessary for each specific purpose of processing is processed.
- Data protection in the data life cycle: measures to ensure that personal data is protected must be applied during the complete life cycle of the data.
- Lawfulness, fairness and transparency: the personal data must be processed in a lawful, fair and transparent manner in relation to the data subject.
- Purpose limitation: personal data must be collected for specific, explicit and legitimate purposes only, and must not be subsequently processed in any way that is incompatible with those purposes.
- Data minimisation: personal data must be adequate, relevant and restricted to what is necessary for the purposes for which it is processed.
- Accuracy: personal data must be accurate and updated where necessary; all reasonable steps must be taken to ensure that personal data which is inaccurate with regard to the purposes for which it is processed is rectified or erased without delay.
- Limiting the retention period: personal data must not be stored in any way that allows the data subject to be identified for any longer than is necessary for the purposes of the processing of personal data.
- Integrity and confidentiality: personal data must be processed in such a way as to ensure adequate security of the personal data, including protection against unauthorised or unlawful processing, loss, destruction and accidental damage, by applying appropriate technical and organisational measures.
- Information and training: one of the keys to ensuring the protection of personal data is providing training and information to staff involved in processing the data. During the life cycle of the data, all staff with access to the data must be properly trained on and informed about their obligations in terms of compliance with data protection legislation.
The MADRID & DARRACOTT S. L. Data Protection Policy is distributed to all staff under the authority of the data controller and made available to anyone interested.
Consequently, the present Data Protection Policy involves all staff under the authority of the data controller, who must be familiar with the policy and take ownership of it; every single one of them is responsible for applying and verifying data protection regulations in the course of their work, as well as identifying and creating opportunities for improvement as appropriate with a view to achieving excellence in compliance. This policy will be reviewed by the management board/governing body of MADRID & DARRACOTT S. L. as often as necessary to ensure compliance with the provisions in force on the protection of personal data.