Information Management Regulation

913344900LocationContact
Logo of Hotel Chamartin The One **** MADRID - logo-xs
Es|En
EspañolEnglish
Logo of Hotel Chamartin The One **** MADRID - logo

Address

Hotel Chamartin The One****C.Agustin de Foxa S/N28036 MADRIDSpain
Tel.:913344900Email

Information Management Regulation

REGULATIONS FOR THE IMPLEMENTATION AND DEVELOPMENT OF THE INTERNAL INFORMATION SYSTEM OF THE COMPANY INVERSIONES GOAC CHAMARTIN, S.L., WITH TAX NUMBER B87053914 IN ACCORDANCE WITH THE PROVISIONS OF LAW 2/2023, OF 20 FEBRUARY, REGULATING THE PROTECTION OF PERSONS WHO REPORT REGULATORY INFRINGEMENTS AND THE FIGHT AGAINST CORRUPTION.

Introduction.-

Law 2/2023 transposes into Spanish law Directive (EU) 2019/1937 on the whistleblower regime within both public and private entities. This is intended to protect citizen whistleblowers from reprisals when they report violations of the law in the context of an employment or professional relationship.

The aforementioned law establishes the obligation to implement an internal information system which must be based on the following:

  • The implementation of an effective communication system based on a mailbox or channel to receive information from the complainant.
  • Designate an Information System Manager.
  • Establish a procedure for receiving and handling complaints.

The Law establishes that whistleblowers must have a specific regime of protection against reprisals or that, directly or indirectly, entail unfavourable treatment that places the persons who suffer them at a particular disadvantage with respect to another in the labour or professional context, solely because of their status as whistleblowers.

The set-up of the Internal Reporting System should meet certain requirements, including affordability, confidentiality guarantees, good monitoring practices, investigation and whistleblower protection. It is also essential for the effectiveness of the internal information system to designate a person in charge with sufficient knowledge and capacity to ensure its proper functioning.

In another area, Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights, establishes that: "The creation and maintenance of information systems through which an entity governed by private law may be made aware, even anonymously, of the commission within it or in the actions of third parties contracting with it, of acts or conduct that could be contrary to the general or sectoral regulations applicable to it, shall be lawful."

The European standard imposes on the Member States the obligation to establish appropriate channels of communication, so that their action is governed by the principles of independence and autonomy in the receipt and processing of information on infringements.

On the basis of the above, the address INVERSIONES GOAC CHAMARTIN, S. L., hereinafter "Hotel Chamartín The One" or "Company", after consultation with the legal representatives of the workers, proceeds to the drafting and publication of the present Internal Information System Regulations, which must be complied with by all company personnel and related third parties, and which will come into force on the 1st of December of 2023.

Article 1.- Purpose

The purpose of this information document is to provide adequate protection against reprisals that may be suffered by individuals who report any of the actions or omissions referred to in the legislation in force, through the procedures provided for therein.

It also aims to strengthen the information culture, the integrity infrastructure of the Company and the promotion of information or communication culture as a mechanism to prevent and detect threats of any kind.

Article 2.- Scope and application

The content of this document protects natural persons who report, through any of the procedures provided for in the Company of:

a) Actions or omissions that could constitute a serious or very serious criminal or administrative offence. In any case, all serious or very serious criminal or administrative offences involving financial loss for the Public Treasury and for the Social Security will be understood to be included.

b) The protection for workers who report breaches of labour law, criminal law, occupational health and safety law or any other unlawful act is without prejudice to that laid down in their specific regulations.

c) This protection shall not apply to information relating to classified information. Nor does it affect the obligations resulting from the protection of the professional secrecy of the medical and legal professions, the duty of confidentiality of the Security Forces and Corps in the scope of their actions, as well as the secrecy of judicial deliberations.

Article 3.- Personal scope of application

1. It shall apply to whistleblowers working at the Hotel Chamartín The One or third parties who have obtained information on infringements in a work or professional context, including in any case:

a) Persons having the status of employed persons

b) The self-employed

c) Shareholders, unitholders and persons belonging to the administrative, management or supervisory body of the Company, including non-executive members

d) Any person working for or under the supervision and direction of contractors, subcontractors and suppliers.

2. It shall also apply to whistleblowers who communicate or publicly disclose information on infringements obtained in the framework of an employment or statutory relationship which has already ended, trainees, whether or not they receive remuneration, as well as to those whose employment relationship has not yet started, where the information on infringements has been obtained during the recruitment process or pre-contractual negotiation.

3. The measures for the protection of the whistleblower shall also apply, where appropriate, specifically to the employees' legal representatives in the exercise of their functions of advising and supporting the whistleblower.

4. They shall also apply, where appropriate, to:

a) Natural persons who, within the organisation in which the respondent provides services, assist the respondent in the process.

b) Natural persons who are related to the whistleblower and who may suffer reprisals, such as co-workers or relatives of the whistleblower.

c) Legal persons, for whom he/she works or with whom he/she has any other relationship in an employment context or in which he/she has a significant shareholding.

Article 4.- Internal information system

1. The management body of the Company is responsible for the implementation of the Internal Information System, after consultation with the legal representatives of the workers, and shall be responsible for the processing of personal data in accordance with the provisions of the RGPD and the LOPDGDD.

2. The Internal Information System, in any of its management formulas, shall allow:

a) To all persons to communicate information about any infringement.

b) Be designed, established and managed in a secure manner, so as to guarantee the confidentiality of the identity of the whistleblower and of any third party mentioned in the communication, and of the actions carried out in the management and processing of the communication, as well as data protection, preventing access by unauthorised personnel.

c) Allow submissions to be made in writing or orally, or both.

d) Integrating the various internal information channels that may be established within the Company.

e) Ensure that the communications submitted can be dealt with effectively within the Company with the objective that the first to know about the possible irregularity is the Company itself.

f) Have a person responsible for the system in accordance with the terms set out in the regulation.

g) have a policy that sets out the general principles of the internal information system and defence system and that is well publicised within the Company.

h) Have a procedure for handling complaints received.

i) Establish guarantees for the protection of whistleblowers within the scope of the Company itself, respecting, in all cases, the provisions of the regulations.

Article 5.- Management of the internal information system by an external party

1. The management of the Internal Information System may be carried out in-house or by an external third party. For these purposes, the receipt of information shall be considered as management of the System.

2. The management of the system by an external third party shall, in any case, require that the third party provides adequate guarantees of respect for independence, confidentiality, data protection and secrecy of communications.

3. The processing of data by third parties (Processors), requires the prior subscription of the agreement regulated in Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), and in Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights.

4. The management of the Internal Information System by a third party may not entail any impairment of the guarantees and requirements established by law for such system, nor any attribution of responsibility for the same to a person other than the System Manager.

Article 6.- Internal information channel

1. The company's internal information channel to enable the submission of information regarding the infringements provided for in the regulations in force shall be integrated within the Internal Information System.

2. The internal channel shall support both written and oral communications. Information can be provided either in writing, by post or by any electronic means provided for this purpose.

3. At the request of the whistleblower, it may also be submitted by means of a face-to-face meeting within a maximum of seven days. Where appropriate, the whistleblower will be warned that the communication will be recorded and will be informed of the processing of his or her data in accordance with the provisions of the GDPR. In addition, those who make the communication through internal channels shall be informed, in a clear and accessible manner, of the external reporting channels to the competent authorities.

4. When making the communication, the whistleblower may indicate an address, e-mail address or safe place for the purpose of receiving notifications. Verbal communications, including those made through a face-to-face meeting, by telephone, shall be documented in one of the following ways, after having obtained the consent of the whistleblower:

a) By a recording of the conversation in a secure, durable and accessible format.

b) Through a complete and accurate transcript of the conversation made by the staff responsible for dealing with it. Without prejudice to his or her rights under data protection regulations, the whistleblower shall be given the opportunity to verify, rectify and agree by signature to the transcription of the conversation.

5. Internal reporting channels will even allow for the submission and subsequent processing of anonymous communications.

Article 7.- Internal information system manager

INVERSIONES GOAC CHAMARTIN, S.L., is responsible for the appointment of the natural person responsible for the management of this system or "System Manager", and for his or her dismissal or cessation.

2. The System Manager shall perform his or her functions independently and autonomously from the rest of the entity's bodies, and may not receive instructions of any kind in the exercise thereof, and must have all the personal and material means necessary to carry them out.

Article 8.- Information management procedure

1. The Company shall approve the information management procedure. The System Manager, whether internal or external, shall be responsible for its diligent handling.

2. The procedure shall set out the necessary provisions to ensure that the Internal Information System and the existing internal information channels comply with the requirements laid down.

In particular, the procedure shall comply with the following minimum content and principles:

a) Identification of the internal information channel(s) with which it is associated.

b) Acknowledgement of receipt of the communication to the whistleblower, within seven calendar days of receipt, unless this would jeopardise the confidentiality of the communication.

c) Determination of the maximum time limit for responding to the investigation, which may not exceed three months from receipt of the communication, except in cases of particular complexity requiring an extension of the time limit, in which case it may be extended by up to a maximum of three additional months.

d) Provision for the possibility to maintain communication with the whistleblower and, if deemed necessary, to request additional information from the whistleblower.

e) Establishment of the right of the person concerned to be informed of the acts or omissions attributed to him or her, and to be heard at any time. Such communication shall take place at such time and in such manner as is deemed appropriate to ensure the proper conduct of the investigation.

f) The presumption of innocence and the honour of the persons concerned must be respected.

Article 9.- Obligated entities in the private sector

Natural or legal persons in the private sector who employ fifty or more workers are obliged to have an internal information system in accordance with the terms of Law 2/2023 of 20 February.

Legal entities in the private sector that have between fifty and two hundred and forty-nine employees and that so decide, may share among themselves the internal information system and the resources destined to the management and processing of communications, whether the management is carried out by any of them or whether it has been outsourced, respecting in all cases the guarantees provided for in the law.

Article 10.- Instruction

1. The investigation shall include all those actions aimed at verifying the plausibility of the facts reported in the complaint.

2. It shall be ensured that the person concerned by the information is informed of the information and of the facts as succinctly as possible, provided that the communication does not affect the investigation. In addition, they will be informed of their right to submit written complaints and of the processing of their personal data.

3. In no case shall the identity of the whistleblower be communicated to the data subjects nor shall access to the communication be given. During the investigation, the person under investigation shall be informed succinctly of the list of facts. This information may be provided at the hearing if it is considered that its provision in advance could facilitate the concealment, destruction or alteration of evidence.

4. Without prejudice to the right to make written allegations, the investigation shall, whenever possible, include an interview with the person or persons concerned in which, always with full respect for the presumption of innocence, they shall be invited to explain their version of the facts and to provide such evidence as they consider appropriate and relevant.

5. The time limit for completing the proceedings and providing a response to the whistleblower, where applicable, may not exceed three months from the date of entry of the information in the register. Whatever the decision, it shall be communicated to the whistleblower, unless the whistleblower has waived this or the communication is anonymous.

Article 11.- Information on internal and external information channels

Subjects within the scope of Law 2/2023 of 20 February shall provide appropriate information in a clear and easily accessible form on the use of any internal information channel they have set up, as well as on the essential principles of the management procedure.

In the case of a website, this information should be placed on the homepage in a separate and easily identifiable section.

Article 12. -Register of information

The company shall keep a register of the information received and the internal investigations to which they give rise, guaranteeing, in all cases, the confidentiality requirements provided for in the regulations in force.

This register shall not be public and only at the reasoned request of the competent judicial authority, by means of an order, and within the framework of judicial proceedings and under the guardianship of that authority, may all or part of the contents of the said register be accessed.

The personal data relating to the information received and the internal investigations referred to in the previous section will only be kept for the period necessary and proportionate for the purposes of complying with the RGPD and the LOPDGDD.

Article 13.-Legal regime of the processing of personal data

The processing of personal data arising from the application of the law shall be governed by the provisions of the RGPD, the LOPDGDD and Organic Law 7/2021 of 26 May on the protection of personal data processed for the purposes of the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties.

Personal data shall not be collected where it is manifestly not relevant to the processing of specific information or, if collected by accident, shall be deleted without undue delay.

Article 14.-Information on personal data protection and exercise of rights

1. When personal data are obtained directly from data subjects, they shall be provided with the information referred to in Articles 13 of the GDPR and 11 of the LOPDGDD. Whistleblowers and those who make a public disclosure shall also be expressly informed that their identity shall in all cases be kept confidential and that it shall not be communicated to the persons to whom the facts reported refer or to third parties.

2. The person to whom the facts reported relate shall in no case be informed of the identity of the whistleblower or of the person who made the public disclosure.

3. Data subjects may exercise the rights referred to in Articles 15 to 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

4. In the event that the person to whom the facts referred to in the communication refer exercises the right to object, it shall be presumed that, in the absence of proof to the contrary, there are compelling legitimate grounds that legitimise the processing of his or her personal data.

Article 15.-Processing of personal data in the internal information system

1. Access to personal data contained in the Internal Information System shall be limited, within the scope of its competences and tasks, exclusively to:

a) The System Manager and whoever manages it directly.

b) the human resources manager, only when disciplinary action against an employee may be appropriate.

c) The person in charge of the legal services of the entity or body, if legal action should be taken in relation to the facts described in the communication.

d) The Processors that may be appointed from time to time.

2. The processing of data by other persons, or even their communication to third parties, shall be lawful when it is necessary for the adoption of corrective measures in the entity or the processing of any disciplinary or criminal proceedings that may be appropriate.

3. Data undergoing processing may be kept in the information system only for such time as is necessary to decide whether an investigation should be opened into the facts reported. If it is established that the information provided or part of it is not truthful, it must beimmediately deleted as soon as this circumstance comes to light, unless this lack of truthfulness may constitute a criminal offence, in which case the information shall be kept for the time necessary during the legal proceedings.

4. In any case, if three months have elapsed since receipt of the communication and no investigation has been initiated, the communication shall be deleted, unless the purpose of the retention is to leave evidence of the operation of the system. Communications that have not been processed may only be recorded in anonymised form, without the obligation to block provided for in Article 32 of the LOPDGDD being applicable.

5. Employees and third parties shall be informed about the processing of personal data within the framework of the Information Systems.

Article 16.-Preservation of the identity of the whistleblower and the persons concerned:

1. A person who makes a communication or makes a public disclosure has the right not to have his or her identity disclosed to third persons.

2. Internal information systems, external channels and those receiving public disclosures shall not obtain data that allow the identification of the whistleblower and shall have appropriate technical and organisational measures in place to preserve the identity and ensure the confidentiality of the data pertaining to the persons concerned and any third parties mentioned in the information provided, especially the identity of the whistleblower in case he/she has been identified.

3. The identity of the whistleblower may be communicated to the competent authority only in the context of a criminal, disciplinary or disciplinary investigation.

Article 17.-Protection conditions

1. Persons who report or disclose breaches of the rules shall be entitled to protection in the following circumstances:

a) they have reasonable grounds to believe that the information is true at the time of communication or disclosure, even if they do not provide conclusive evidence, and that the information falls within the scope of Law 2/2023.

b) the communication or disclosure has been made in accordance with the requirements of Article 4 of this document.

2. Persons communicating or disclosing the data are expressly excluded from the protection provided for by the law:

a) Information contained in communications that have been rejected by any internal information channel or for any of the reasons provided for in Article 18.2.a) of Law 2/2024 of 20 February. The rejection shall be communicated to the whistleblower within five working days.

b) information relating to claims concerning interpersonal conflicts or concerning only the whistleblower and the persons to whom the communication or disclosure relates.

c) Information which is already fully available to the public or which constitutes mere hearsay.

d) information relating to acts or omissions not covered by Article 4 of this document.

e) Persons who have communicated or publicly disclosed information on actions or omissions referred to in Article 4 above anonymously but who have subsequently been identified and who meet the conditions provided for in the law shall be entitled to the protection contained therein.

Article 19.- Prohibition of retaliation

1. Acts constituting retaliation, including threats of retaliation and attempts at retaliation against persons making a communication as provided for by law, are expressly prohibited.

2. Retaliation means any act or omission that is prohibited by law, or that directly or indirectly results in unfavourable treatment that places the persons subjected to it at a particular disadvantage compared to another person in the employment or professional context, solely because of their status as whistleblowers, or because they have made a public disclosure.

3. For the purposes of this document, by way of example, reprisals are considered to be reprisals in the form of:

a) Suspension of the employment contract, dismissal or termination of the employment or statutory relationship, including non-renewal or early termination of a temporary employment contract beyond the probationary period, or early termination or cancellation of contracts for goods or services, imposition of any disciplinary measure, demotion or denial of promotion and any other substantial modification of working conditions and failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations that he/she would be offered a permanent job; unless these measures were carried out as part of the regular exercise of managerial powers under the relevant labour or public employee statute legislation, due to circumstances, facts or breaches that are proven and unrelated to the submission of the communication.

b) Damage, including reputational damage, or economic loss, coercion, intimidation, harassment or ostracism.

c) Negative evaluation or references regarding work or professional performance.

d) Blacklisting or disseminating information in a particular sectoral area, which hinders or prevents access to employment or the contracting of works or services.

Article 20.- Measures for the protection of affected persons

During the processing of the file, the persons affected by the communication shall have the right to the presumption of innocence, the right of defence and the right of access to the file under the terms established by law, as well as the same protection established for whistleblowers, preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure.

Article 21.- Deadline for the establishment of the internal information system

The maximum deadline for the establishment of Internal Information Systems and adaptation of existing ones, in the case of private sector legal entities with two hundred and forty-nine employees or less, shall be until 1 December 2023.

Article 22.- Management of the Internal Information System

By means of the present regulation, and in accordance with the established in the article 1709 and following of the Civil Code, special mandate is granted, as wide as in law it is required and necessary, to the legal representative of DORDIO ASSOCIATES, S.L., so that, in accordance with the provisions of the regulations in force, in addition to the actions that must be carried out as a result of the provisions of the regulations for the implementation and development of the internal information system of the company INVERSIONES GOAC CHAMARTIN, S.L., to carry out, in the necessary conditions and forms, as many actions as are legally relevant to ensure the protection of the company's assets.

This special mandate covers all aspects necessary for the implementation of the actions for which it is issued, including the corresponding controls of products and persons that may be necessary directly or indirectly, with the only limit established by the legislation in force.

That, likewise, this special mandate authorises the trustee to appear, if necessary, before the police and/or judicial authorities as a consequence of the actions carried out.

Article 23.- Protection of personal data

In accordance with the provisions of Article 5 of these regulations, and in order to comply with the provisions of Article 28 of Regulation (EU) 2016/679 of 27 April 2016 (RGPD) and Organic Law 3/2018 of 5 December (LOPDGDD), the following is hereby placed on record:

a) That INVERSIONES GOAC CHAMARTIN, S.L., Data Controller (hereinafter, the Controller), has contracted the services of DORDIO ASSOCIATES, S.L., Data Processor (hereinafter, the Processor), to implement and develop the company's internal information system, in accordance with the provisions of Law 2/2023 of 20 February.

b) That, for the performance of the aforementioned service, the Processor will have access to the personal data under the responsibility of the Controller.

c) That, in compliance with the provisions of Article 28 of the GDPR, the Processor offers sufficient guarantees to implement appropriate technical and organisational policies to apply the security measures established by the regulations in force and to protect the rights of data subjects, for which both parties agree to enter into this contract subject to the following instructions for data processing.

1. Object, nature and purpose of the assignment

a) The purpose of the assignment is the Management of the internal information system in accordance with the provisions of Law 2/2023 of 20 February.

b) The duty to inform the data subject of the processing shall be incumbent exclusively on the Processor.

c) Data processing will occur at the Controller's premises or at the Processor’s presmises with the Controller's authorisation to integrate the data into its systems.

2. Type of personal data and category of data subjects

d) The type of personal data to which the Processor will have access will be DNI/NIF/NIE/Passport, name and surname, postal or e-mail address, telephone, manual signature.

e) Other types of data will be personal, academic and professional characteristics, employment, economic, financial and insurance details, goods and services transactions.

f) The category of data subjects shall be employees or external whistleblowers.

g) The authorised processing operations are those which are strictly necessary to achieve the purpose of the order.

3. Obligations and rights of the Controller

The Controller guarantees that the data provided to the Processor have been lawfully obtained and that they are adequate, relevant and limited to the purposes of the processing. The Controller shall make available to the Processor all information necessary for the performance of the services that are the object of the assignment.

The Controller warns the Processor that, if it determines the purposes and means of processing on its own, it will be considered the controller and will be subject to compliance with the provisions of the applicable regulations in force as such.

4. Obligations and rights of the Processor

The Processor is obliged to respect all the obligations that may correspond to him/her in accordance with the provisions of current legislation and any other provision or regulation that may also be applicable to him/her.

The Processor shall not use, apply or make use of the data to which it has access for any purpose other than the purpose for which it was commissioned or in breach of this contract.

The Processor shall make available to the Controller the information necessary to demonstrate compliance with the contract, allowing for inspections and audits necessary to assess the processing.

5. Personnel authorised to carry out the processing

The Processor ensures that authorised personnel have formally committed in writing to maintain data confidentiality or are legally obligated to do so.

The Processor shall take steps to ensure that any person acting under its authority who has access to personal data may process them only on the instructions of the Controller or is required to do so by applicable law.

The Processor guarantees that the personnel authorised to carry out the processing has received the necessary training to ensure that the protection of personal data will not be compromised.

6. Security measures

The Processor declares that it is up to date with its obligations under data protection regulations, in particular with regard to the implementation of the security measures for the different categories of data and processing set out in Article 32 of the GDPR.

The Processor ensures that such security measures will be properly implemented and will assist the Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information at the Processor's disposal. The Controller shall carry out an analysis of the possible risks arising from the processing in order to determine the appropriate security measures to guarantee the security of the processed information and the rights of data subjects and, if it determines that risks exist, it shall send a report with the impact assessment to the Processor so that it can proceed to implement appropriate measures to prevent or mitigate them.

The Processor shall analyse the possible risks and other circumstances that may have an impact on security that may be attributable to it, and shall inform the Controller, if any, in order to assess their impact.

In any event, the Processor ensures that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, it will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk represented by the processing, including, where applicable, inter alia:

a) Pseudonymisation and encryption of personal data.

b) Ensuring the continued confidentiality, integrity, availability and resilience of processing systems and services.

c) Restoring availability and access to data quickly in the event of a physical or technical incident.

d) Procedures for regular verification, evaluation and assessment of the effectiveness of technical and organisational measures to ensure the security of processing.

7. Security breach

Security breaches of which the Processor becomes aware shall be notified without undue delay to the Controller for its knowledge and implementation of measures to remedy and mitigate the effects caused. Notification shall not be required where it is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification of a security breach shall contain, as a minimum, the following information:

e) Description of the nature of the breach.

f) Categories and the approximate number of stakeholders concerned.

g) Categories and the approximate number of data records concerned.

h) Possible consequences.

i) Measures taken or proposed to remedy or mitigate the effects.

j) Contact details where further information can be obtained (DPO, security officer, etc.).

8. Disclosure of data to third parties

The Processor may not communicate the data to third party recipients, unless he/she has obtained prior written authorisation from the Controller, which, if any, shall be annexed to this contract.

The transmission of data to public authorities in the exercise of their functions is not considered a communication of data, and therefore the Controller's authorisation is not required if such transmissions are necessary to achieve the purpose of the assignment.

9. International data transfers

The Processor may not transfer data to third countries or international organisations not established in the EEA, unless it has obtained prior written authorisation from the Controller, which, if any, shall be annexed to this contract.

10. Outsourcing of data processing

The Processor may not subcontract to a third party the performance of any processing of data entrusted to it by the Controller, unless the latter authorises this in advance and in writing, and the authorisation is recorded by annexing it to this contract.

11. Rights of data subjects

The Controller shall, where possible and taking into account the nature of the processing, create the necessary technical and organisational conditions to assist the Controller in its obligation to respond to requests for the data subject's rights.

In the event that the Processor receives a request for the exercise of these rights, he/she must inform the Controller immediately and, in no case, later than the working day following receipt of the request, attaching other information that may be relevant to resolve it.

12. Responsibility

Pursuant to Article 82 of the GDPR, the Controller shall be liable for any damage caused by any processing operation in which it is involved and which does not comply with the provisions of the GDPR, and the Processor shall only be liable for damage caused by processing where it has not complied with its obligations under the GDPR specifically addressed to the Processor or has acted outside or contrary to the lawful instructions of the Controller. Likewise, the operator shall be exempt from liability if he proves that he is in no way responsible for the event that caused the damage.

13. End of service provision

Upon termination of the provision of the services covered by this contract, if the Processor has stored personal data, or any other document and/or medium provided to it by any means, it shall return, delete or deliver them to a new Processor, at the option of the Controller, including existing copies. The Processor shall issue a certificate of return or destruction if so required by the Controller.

Data deletion will not occur if required by law; in such cases, the Processor will retain the data, restricting its processing to address potential liabilities related to the Controller.

The Processor shall maintain the duty of secrecy and confidentiality of the data even after the end of the relationship that is the object of this contract.

Single final provision

The address for communications by any means for the purpose of complying with Law 2/2023 of 20 February and Article 5 of these regulations on the management of the information system is as follows:

Legal Representative

DORDIO & ASSOCIATES, S.L.

Hermanos García Noblejas, 39

28037 Madrid

Telephone: 609 177 551

Email: dordio@dordio.es

The entry into force of this Internal Information Management Regulation is 1 December 2023.

Home
Contact
Location
Offers
Book now