TERMS AND CONDITIONS

At ESTUDIO CACTUS MEDIA, S.L. we care about privacy and transparency.

Below you will find details of the processing of personal data that we carry out, as well as all the information relating to such processing.

Processing of data on potential users and contacts

Complete information on Data Protection

1. Who is responsible for the processing of your data?

ESTUDIO CACTUS MEDIA, S.L.

B12962957

Ronda Circunvalación, núm. 188, puerta 9, despacho 9, CEEI2 - 12003 - CASTELLON DE LA PANA - CASTELLÓN

964238412

info@estudiocactus.com

1. For what purposes do we process your personal data?

ESTUDIO CACTUS MEDIA, S.L. processes the information provided by interested parties in order to manage potential users who are interested in our products and/or services, as well as other commercial contacts and, where appropriate, to send promotional communications, including by electronic means. If you do not provide your personal data, we will not be able to fulfil the purposes described.

No automated decisions will be made on the basis of the data provided.

1. How long will we keep your data?

The data will be kept for the time necessary to fulfil the request.

1. What is the legitimacy for the processing of your data?

We indicate the legal basis for the processing of your data:

• Execution of a contract: Management of potential users who have expressed an interest in our products and/or services (RGPD, art. 6.1.b).
• Consent of the data subject: Send promotional communications, including by electronic means (RGPD, art. 6.1.a, LSSICE art.21).
• Legitimate interest of the Data Controller: Management of professional contact data (LOPDGDD art.19, RGPD art. 6.1.f).

1. To which recipients will your data be communicated?

No data will be passed on to third parties, unless legally obliged to do so.

1. Data transfers to third countries

There are no plans to transfer data to third countries.

1. What are your rights when you provide us with your data?

Any person has the right to obtain confirmation as to whether or not ESTUDIO CACTUS MEDIA, S.L. is processing personal data concerning them.

Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. You also have the right to the portability of your data.

In certain circumstances, data subjects may request that we restrict the processing of their data, in which case we will only retain the data for the purpose of exercising or defending claims.

In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. In this case, ESTUDIO CACTUS MEDIA, S.L. will stop processing the data, except for compelling legitimate reasons, or the exercise or defence of possible claims.

You may materially exercise your rights as follows: by writing to the address of the controller

Where commercial communications are sent using as a legal basis the legitimate interest of the controller, the data subject may object to the processing of his or her data for that purpose.

If you have given your consent for a specific purpose, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on your consent prior to its withdrawal.

In case you feel that your rights concerning the protection of your personal data have been violated, especially when you have not obtained satisfaction in the exercise of your rights, you can lodge a complaint with the competent Data Protection Supervisory Authority via its website: www.aepd.es.

1. How did we obtain your data?

The personal data that we process at ESTUDIO CACTUS MEDIA, S.L. comes from: The interested party.

Processing of supplier data

Complete information on Data Protection

1. Who is responsible for the processing of your data?

ESTUDIO CACTUS MEDIA, S.L.

B12962957

Ronda Circunvalación, núm. 188, puerta 9, despacho 9, CEEI2 - 12003 - CASTELLON DE LA PANA - CASTELLÓN

964238412

info@estudiocactus.com

1. For what purpose do we process your personal data?

ESTUDIO CACTUS MEDIA, S.L. processes the information provided by interested parties in order to carry out the fiscal, accounting and administrative management of suppliers as well as professional contact details. If you do not provide your personal data, we will not be able to fulfil the purposes described.

No automated decisions will be made on the basis of the data provided.

1. How long will we keep your data?

The data will be kept for as long as the data subject does not request their deletion and, where appropriate, for the years necessary to comply with legal obligations.

1. What is the legitimacy for the processing of your data?

We indicate the legal basis for the processing of your data:

• Execution of a contract: To carry out the administrative, accounting and tax management of the contracted services (RGPD art. 6.1.b).
• Legitimate interest of the Data Controller: Management of professional contact data (LOPDGDD art.19, RGPD art. 6.1.f).

1. To which recipients will your data be communicated?

The data will be communicated to the following recipients:

• Tax Administration, in order to comply with legal obligations (legal requirement).
• Financial institutions, in order to make the corresponding payments (contractual requirement).

1. Data transfers to third countries

There are no plans to transfer data to third countries.

1. What are your rights when you provide us with your data?

Any person has the right to obtain confirmation as to whether or not ESTUDIO CACTUS MEDIA, S.L. is processing personal data concerning them.

Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. You also have the right to the portability of your data.

In certain circumstances, data subjects may request that we restrict the processing of their data, in which case we will only retain the data for the purpose of exercising or defending claims.

In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. In this case, ESTUDIO CACTUS MEDIA, S.L. will stop processing the data, except for compelling legitimate reasons, or the exercise or defence of possible claims.

You may materially exercise your rights as follows: by writing to the address of the controller

Where commercial communications are sent using as a legal basis the legitimate interest of the controller, the data subject may object to the processing of his or her data for that purpose.

If you have given your consent for a specific purpose, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on your consent prior to its withdrawal.

In case you feel that your rights concerning the protection of your personal data have been violated, especially when you have not obtained satisfaction in the exercise of your rights, you can lodge a complaint with the competent Data Protection Supervisory Authority via its website: www.aepd.es.

1. How did we obtain your data?

The personal data that we process at ESTUDIO CACTUS MEDIA, S.L. comes from: The interested party.

Processing of user data

Complete information on Data Protection

1. Who is responsible for the processing of your data?

ESTUDIO CACTUS MEDIA, S.L.

B12962957

Ronda Circunvalación, núm. 188, puerta 9, despacho 9, CEEI2 - 12003 - CASTELLON DE LA PANA - CASTELLÓN

964238412

info@estudiocactus.com

1. For what purposes do we process your personal data?

ESTUDIO CACTUS MEDIA, S.L. processes the information provided by the interested parties in order to provide the requested service, carry out the administrative, accounting and tax management of the requested services, as well as send promotional communications about our products and services. If you do not provide your personal data, we will not be able to fulfil the purposes described.

No automated decisions will be made on the basis of the data provided.

1. How long will we keep your data?

The data will be kept for the duration of the provision of the service and, where appropriate, for the years necessary to comply with legal obligations.

1. What is the legitimacy for the processing of your data?

We indicate the legal basis for the processing of your data:

• Execution of a contract: Provision of the service (provision of the SaaS platform and maintenance), fiscal, accounting and administrative management of users (RGPD art. 6.1.b).
• Legitimate interest of the Data Controller: Sending promotional communications, including by electronic means (RGPD Recital 47, LSSICE art. 21.2).

1. To which recipients will your data be communicated?

The data will be communicated to the following recipients:

• Tax Administration, in order to comply with legal obligations (legal requirement).
• Financial institutions, in order to issue the corresponding receipts (contractual requirement).

1. Data transfers to third countries

There are no plans to transfer data to third countries.

1. What are your rights when you provide us with your data?

Any person has the right to obtain confirmation as to whether or not ESTUDIO CACTUS MEDIA, S.L. is processing personal data concerning them.

Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. You also have the right to the portability of your data.

In certain circumstances, data subjects may request that we restrict the processing of their data, in which case we will only retain the data for the purpose of exercising or defending claims.

In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. In this case, ESTUDIO CACTUS MEDIA, S.L. will stop processing the data, except for compelling legitimate reasons, or the exercise or defence of possible claims.

You may materially exercise your rights as follows: by writing to the address of the controller

Where commercial communications are sent using as a legal basis the legitimate interest of the controller, the data subject may object to the processing of his or her data for that purpose.

If you have given your consent for a specific purpose, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on your consent prior to its withdrawal.

In case you feel that your rights concerning the protection of your personal data have been violated, especially when you have not obtained satisfaction in the exercise of your rights, you can lodge a complaint with the competent Data Protection Supervisory Authority via its website: www.aepd.es.

1. How did we obtain your data?

The personal data that we process at ESTUDIO CACTUS MEDIA, S.L. comes from: The interested party.

Also, through the use of our software, users can enter data of their customers, employees and/or suppliers, in which case, ESTUDIO CACTUS MEDIA, S.L., will act in its capacity as data processor, in relation to the aforementioned data. In addition, if the user consents, geolocation data can be processed in a limited area (port) to verify where it is located, avoid accidents and perform a more efficient logistics management and, where appropriate, to receive notifications about the activity of the port. 

In any case, the user has the right to withdraw the consent given at any time, without affecting the lawfulness of the processing based on the consent prior to its withdrawal.

AGREEMENT ON THE PROCESSING OF PERSONAL DATA

Both parties recognise that they have sufficient legal capacity to enter into this agreement for the purposes of which they establish that in accordance with Article 28 of REGULATION (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, GDPR), and Article 33 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights, both parties agree to enter into this Agreement taking into account that:

1. The controller has contracted the services provided by the data processor as detailed below.
2. The services shall be provided (i) at the premises of the processor; (ii) by remote connection. In addition, the processor may incorporate data of the controller into its systems.
3. The controller has decided to choose this processor because it offers sufficient guarantees to apply appropriate technical and organisational measures to the information provided, ensuring that the processing assignment complies with the regulations in force on the protection of personal data and that the rights and freedoms of data subjects are protected.

Both parties expressly agree to be bound by the following:

CLAUSES

1. Purpose of the order

The data processor is hereby authorised to process, on behalf of the data controller, the personal data necessary to provide the service(s) of: Provision and maintenance of software.

The processing shall consist of: Provision, software maintenance, as well as technical support and assistance.

Specification of the operations to be carried out: recording; structuring; preservation; consultation; interconnection; collation.

1. Identification of the information concerned

For the performance of the services deriving from the fulfilment of the object of this assignment, the controller makes available to the processor the information described below:

1. Data entered by the user in the software and, where applicable, geolocation of the user on the site.

The above information may be made available either by providing the processor with the above information, or by giving the processor access to it, or by the controller storing such information in systems and/or facilities of the processor.

1. Duration

The duration of this agreement is: subject to a service contract.

1. Obligations of the processor

The data processor, and all its staff, undertakes to:

1. Use the personal data that are the subject of the processing, or that it collects for inclusion, only for the purpose of this order. Under no circumstances may it use the data for its own purposes.
2. To process the data in accordance with the instructions of the data controller.

If the processor considers that any instructions are in breach of the GDPR or any other Union or Member State data protection provisions, the processor shall immediately inform the controller.

1. Keep, in writing, a record of all categories of processing activities carried out on behalf of each controller, containing:
   1. The name and contact details of the processor(s) and of each controller on whose behalf the processor is acting and, where applicable, of the representative of the controller or processor and of the data protection officer.
   2. The categories of processing operations carried out on behalf of each controller.
   3. Where applicable, transfers of personal data to a third country or international organisation, including the identification of such third country or international organisation and, where applicable, for transfers referred to in the second paragraph of Article 49 of the GDPR, the documentation of appropriate safeguards, taking into account, in particular, the possible hosting of data on cloud computing services.
   4. A general description of the technical and organisational security measures relating to:
      1. Pseudonymisation and encryption of personal data.
      2. The ability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services.
      3. The ability to restore availability and access to personal data quickly, in the event of a physical or technical incident.
      4. The process of regular verification, evaluation and assessment of the effectiveness of technical and organisational measures to ensure the security of processing.
2. Not to communicate data to third parties (including transfers of personal data to third countries or international organisations), except with the express authorisation of the data controller, in the legally admissible cases. In order to obtain the controllers authorisation to transfer personal data to a third country or an international organisation, the processor must indicate the following items in the request for authorisation to the controller:
   1. the entity to which the data are to be transferred,
   2. the purpose of such a transfer,
   3. the identification of that third country or international organisation,
   4. the existence or absence of a Commission adequacy decision, or,
   5. in the case of transfers referred to in Articles 46, 47 or the second subparagraph of Article 49(1) of the GDPR, reference should be made to adequate or appropriate safeguards and the means of obtaining a copy of them or access to the text and means of implementation of those safeguards.

The processor may not transfer the data until it has received the express consent of the controller. If there is any subsequent change to the data specified in the request, the processor must obtain the controllers authorisation again by submitting a new request for authorisation.

If the processor has to transfer personal data to a third country or to an international organisation under Union or Member State law applicable to it, it shall inform the controller of that legal requirement in advance, unless the law prohibits it for important reasons of public interest.

The processor may communicate data to other processors of the same controller, in accordance with the instructions of the controller. In this case, the controller shall identify, in advance and in writing, the entity to which the data are to be communicated, the data to be communicated and the security measures to be applied in order to proceed with the communication.

1. The data processor is not authorised to subcontract any of the services that form part of the object of this contract and that involve the processing of personal data, except for the auxiliary services necessary for the normal operation of the services of the data processor. Should it be necessary to subcontract any processing, the data controller must be notified in advance and in writing, 30 days in advance, indicating the processing to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. The subcontracting may be carried out if the controller does not express its opposition within the established period. The subcontractor, who shall also have the status of data processor, is also obliged to comply with the obligations set out in this document for the data processor and the instructions issued by the data controller. It is the responsibility of the initial processor to regulate the new relationship, so that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and the same formal requirements as the initial processor, as regards the proper processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the sub-processor, the initial processor shall remain fully liable to the controller for compliance with the obligations.
2. Maintain the duty of secrecy with regard to the personal data to which it has access by virtue of this assignment, even after the end of its object.
3. Ensure that the persons authorised to process personal data undertake expressly and in writing to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.
4. Keep at the disposal of the person responsible the documentation accrediting compliance with the obligation established in the previous section.
5. Ensure the necessary training in personal data protection for persons authorised to process personal data.
6. Assist the controller in responding to the exercise of the rights of:
   1. Access, rectification, erasure and objection.
   2. Treatment limitation.
   3. Data portability.
   4. Not to be subject to automated individualised decisions (including profiling).

When the data subjects exercise their rights of access, rectification, erasure and objection, limitation of processing, data portability and the right not to be subject to automated individualised decisions before the data processor, the latter must communicate this by e-mail to the address indicated by the data controller. The communication must be made immediately and in no case later than the working day following receipt of the request, together, where appropriate, with other information that may be relevant for resolving the request.

1. It is the responsibility of the data controller to provide the right to information at the time of data collection.
2. Notification of data security breaches:

The processor shall notify the controller, without undue delay, and in any event not later than 24 hours, of any breach of security of the personal data under its responsibility of which it becomes aware, together with all relevant information for the documentation and communication of the incident. This communication shall be made in the following way: by sending an e-mail to the address indicated by the data controller.

Notification shall not be required where such a breach of security is unlikely to constitute a risk to the rights and freedoms of natural persons.

If available, at least the following information shall be provided:

1. Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
2. The name and contact details of the data protection officer or other point of contact where further information can be obtained.
3. Description of the possible consequences of the personal data security breach.
4. Description of the measures taken or proposed to be taken to remedy the personal data breach, including, where appropriate, measures taken to mitigate possible negative effects.
1. Support the controller in carrying out data protection impact assessments, where appropriate.
2. Support the controller in carrying out prior consultations with the supervisory authority, where appropriate.
3. Make available to the controller all information necessary to demonstrate compliance with his or her obligations, as well as for audits or inspections carried out by the controller or another auditor authorised by the controller.
4. Implement the following security measures:

Security measures in accordance with the risk assessment carried out by the controller:

1. Secure environment: the premises where data are processed must be equipped with minimum security measures such as fire extinguishers, alarms, etc.
2. Roles and responsibilities of staff: the roles and responsibilities of each user or user profile with access to data and systems shall be clearly defined and documented.
3. Access control: staff shall only access data and resources that they require for the performance of their duties. Mechanisms shall be put in place to prevent a user from accessing resources with rights other than those authorised.
4. Identification and authentication: a system shall be put in place to allow the unambiguous and personalised identification of any user attempting to access the information system, and proper authentication to verify the users identity.
5. Secure storage of media and documents: storage devices for media and documents containing personal data must have mechanisms to prevent them from being opened by means of keys or similar means.
6. Anti-malware software: computers and devices where automated processing of personal data is carried out shall have an anti-malware system that prevents, as far as possible, the theft and destruction of information and data.
7. Backup copies: backup copies shall be made on a regular basis, depending on the volume and frequency of data updates.
8. Destruction and re-use of equipment and media: IT waste of any kind that may contain personal data should be securely disposed of or destroyed to ensure that it is not accessible.
9. Secure transfer of media and documents: when media and/or documents leave the processing premises, measures shall be taken to prevent theft, loss or improper access to the information during transport.
10. Access through communications networks: access to personal data through communications networks, whether public or not, must be carried out in a secure manner.

In any case, it must put in place mechanisms to:

1. Ensure the continued confidentiality, integrity, availability and resilience of processing systems and services.
2. Restore availability and access to personal data quickly, in the event of a physical or technical incident.
3. Regularly verify, evaluate and assess the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.
4. Pseudonymise and encrypt personal data, where appropriate.

In particular, the processor ensures that the personal data it integrates into its processing systems, on behalf of the controller, are hosted on its own or subcontracted servers, which:

1. They are safe, in accordance with the requirements detailed above.
2. They are located in the European Union (unless the controller has expressly authorised the transfer of the data to a third country or to an international organisation, as detailed in point IV(d) of this contract. In any case, the location outside the European Union must strictly respect and comply with the conditions provided for in this respect in this contract and in the GDPR).
   1. It shall not be necessary to appoint a data protection officer.
   2. Destination of the data after the end of the provision of the services:

Destroy the data, once the performance has been completed. Once destroyed, the processor must certify its destruction in writing and must deliver the certificate to the data controller. However, the processor may keep a copy, with the data duly blocked, for as long as liability may arise from the performance of the service.

1. Obligations of the controller

It is the responsibility of the controller:

1. Provide, or allow access to, the data processor the data referred to in clause II of this document.
2. Where appropriate, carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the processor.
3. Conduct prior consultations as appropriate.
4. Ensure, before and during the processing, that the processor complies with the GDPR.
5. Overseeing treatment, including carrying out inspections and audits.
1. Information and rights

The parties to this contract hereby inform each other that the personal data included in this document are processed in accordance with the correct regulation of the provision of the agreed services with regard to personal data, the legal basis for the processing being the fulfilment of the legal obligation established by the regulations for the protection of personal data to conclude this contract for access to data on behalf of third parties (art. 6.1.c) of the GDPR.

The data will be kept for as long as the contract is in force and for as long as necessary to deal with possible liabilities in relation to the contract (this period will be four years if there is no claim in relation to the contract that requires it to be kept for a longer period).

The exercise of the rights of access, rectification, erasure, limitation of processing, opposition and portability of data may be exercised by any of the interested parties by means of a written request, accompanied by an official identification document, addressed to the e-mail address of the corresponding entity signing this contract.

In the event that any data subjects feel that their rights concerning the protection of their personal data have been violated, especially when they have not obtained satisfaction in the exercise of their rights, they may lodge a complaint with the Spanish Data Protection Agency through its website: www.aepd.es.