Contact Nialum

English/spanish

Contact Nialum

Hello 👋 How can I help you? Hola 👋 ¿En qué puedo ayudarte?

18:28

messenger_opener

Personal Data Processing Policy

1. GENERAL INFORMATION

Between NIALUM, with NIF/CIF __________, registered office at __________ and email __________, hereinafter referred to as the Data Processor. And The Educational Center, with NIF/CIF __________, registered office at __________ and email __________, hereinafter referred to as the Data Controller. It is agreed That the Data Processor commits to process the personal data of the Data Controller in accordance with the following Provisions First. Purpose of the data processing The processing will consist of: Renting customized software for managing the Alumni community. Specific treatments to be performed: preservation, registration, communication, and access. Access will only be granted when necessary for the maintenance of the software and the provision of the service, and will be done in a controlled and secure manner, respecting the established security measures. Second. Identification of the affected information The types of personal data and categories of interested parties being processed are as follows: • Identifying and contact data of students, alumni, teachers, and staff of the educational center. • Academic and professional data of students and alumni. • Billing and payment data of the educational center. Third. Duration The duration of this contract will extend from the date of acceptance until the end of the service contracted by the Data Controller, or until the Data Controller requests the deletion or return of the personal data. Fourth. Obligations of the Data Processor The Data Processor is obliged to: • Process personal data only following the documented instructions of the Data Controller, unless there is a legal obligation that requires otherwise, in which case the Data Processor will inform the Data Controller of that legal requirement prior to processing, unless that law prohibits it for important public interest reasons. • Not disclose data to third parties, unless it has the express authorization of the Data Controller, or in legally admissible cases. If the Data Processor has to transfer data to a third party for the correct provision of the service, it must inform the Data Controller in advance and in writing, identifying the transferee and the purpose of the transfer. The transferee will be bound, by virtue of a contract, to the same obligations as the Data Processor, and the Data Processor will be responsible for the actions of the transferee as if they were its own. • Maintain the duty of confidentiality regarding the personal data to which it has access under this contract, even after it ends. The Data Processor guarantees that it has informed the personnel involved in the data processing of these obligations, and that it has obtained their commitment to confidentiality or that they are subject to a legal obligation of confidentiality. • Ensure that authorized persons to process personal data commit, expressly and in writing, to respect confidentiality and comply with the corresponding security measures, of which they must be adequately informed. • Provide the Data Controller with all necessary information to demonstrate compliance with its obligations, as well as to allow and contribute to the audits or inspections carried out by the Data Controller or another auditor authorized by it. Fifth. Security measures The Data Processor commits to apply appropriate technical and organizational security measures to protect the Platform and the personal data stored and processed therein, in accordance with the GDPR and applicable national legislation. These measures include: • Use of HTTPS encryption in data transmissions • Perimeter firewalls • Intrusion detection systems (IDS) • Antivirus software on all systems • Daily backups with a retention period of 30 days • Authentication via username and password • Profile-based authorization • Annual internal audits • Business continuity policy with server redundancy and backup center • Access control policy with customized permissions Sixth. Obligations of the Data Controller The Data Controller is obliged to: • Provide the Data Processor with the necessary personal data for the proper provision of the contracted service, ensuring that they are adequate, relevant, and limited to what is necessary for the purposes of processing. • Ensure that the personal data have been obtained lawfully, fairly, and transparently, and that they have the consent of the interested parties or another legal basis that legitimizes the processing. • Inform the Data Processor of any limitation, condition, or modification affecting the processing of the data, for example, the revocation of consent from the interested parties, the exercise of their rights, or the rectification or deletion of the data. • Supervise the compliance with the GDPR and this contract by the Data Processor, and make any inquiries it deems appropriate to verify it. • Respond to the interested parties and the supervisory authorities for any damages resulting from processing that infringes the GDPR, without prejudice to the responsibility that corresponds to the Data Processor. Seventh. Subcontracting The Data Processor may subcontract other data processors to carry out specific processing activities, provided it has the prior written authorization of the Data Controller. The Data Processor must inform the Data Controller of any planned changes regarding the incorporation or substitution of other data processors, giving them the opportunity to oppose such changes. The subcontracted data processor will be bound, by virtue of a contract, to the same obligations as the Data Processor, and the Data Processor will be responsible for the actions of the subcontractor as if they were its own. Eighth. International data transfers The Data Processor may carry out international data transfers, that is, transfer personal data to a country or international organization located outside the European Economic Area, provided it has the prior written authorization of the Data Controller, and that the conditions established in the GDPR are met. The Data Processor must inform the Data Controller of the countries or international organizations to which the data are transferred, and of the guarantees offered to ensure an adequate level of protection, such as the existence of an adequacy decision by the European Commission, adherence to the Privacy Shield between the European Union and the United States, or the signing of standard contractual clauses approved by the European Commission. The rest of the data processing contract is as follows: Ninth. Rights of the interested parties The Data Processor must cooperate with the Data Controller to ensure that it can guarantee the exercise of the rights of access, rectification, deletion, limitation, opposition, and portability of the data, as well as the right not to be subject to automated decisions, when applicable. The Data Processor must respond to requests received from interested parties within a maximum period of 10 days, and must communicate to the Data Controller the requests it receives, along with any other information that may be relevant for their resolution. Tenth. Personal data security breaches The Data Processor must notify the Data Controller, without undue delay, of any personal data security breaches of which it becomes aware, along with all relevant information for documenting and communicating the incident. Likewise, the Data Processor must provide the Data Controller with the necessary collaboration so that it can fulfill its obligation to notify the supervisory authority and the interested parties, when applicable, of such security breaches. Eleventh. Liability The Data Processor will be liable to the Data Controller, the interested parties, and the supervisory authorities for any damages resulting from processing that infringes the GDPR or this contract, without prejudice to the liability that corresponds to the Data Controller. Twelfth. Applicable law and competent jurisdiction This contract will be governed by Spanish law and the GDPR. Any dispute arising between the parties in relation to this contract will be submitted to the Courts of the city of Madrid, unless the applicable law provides otherwise. Thirteenth. Acceptance of the contract This contract is accepted by checking the corresponding box in the service contracting form on the NIALUM website. Acceptance implies knowledge and agreement with all the clauses of the contract. The contract will come into force on the date of acceptance.