
Log of client activities: COLEGIO PROFESIONAL. DE DIPLOMADOS EN ENFERMERÍA DE BURGOS

Field Content
1 - Name of the activity
2 - Responsible for the treatment / DPO COLEGIO PROFESIONAL. DE DIPLOMADOS EN ENFERMERÍA DE BURGOS /
3- Purpose of the processing
4- Legal grounds for the processing
5- Categories of data subjects
6- Origin of the data
Categories of personal data
7 - Identification data
8 - Processing system
9- Data transfers
International Transfers
10- Country
11 – Category of recipients
12- Company
13- Legal grounds
14- Data erasure timeframes
15- General description of the technical and organizational security measures
FUNCTIONS AND OBLIGATIONS Deliver to all users in accordance with their user profiles, their functions and obligations relating to the security measures to be complied with and the consequences of any breach.
IDENTIFICATION AND AUTHENTICATION Individual identification and authentication. Procedure for assigning and distributing passwords. Password complexity and changes.
ACCESS CONTROL Updated list of authorised users and access. Access control allowed in keeping with the functions assigned and systems to prevent non-authorised access. Granting of access permits only for authorised personnel. Physical access control to the premises where the information systems are located.
BACKUP COPIES Frequency of backups. Procedures for generating backup copies and data recovery. Remote backup copies systems.
MEDIA MANAGEMENT Inventory management and identification of media. Media stored under lock and key. Log of incoming and outgoing media. Media destruction measures.
INCIDENT LOG Log containing the type, time detected, person reporting, effects and corrective measures of the incident. Notification procedure and incident management. Data recovery procedures.
OTHER TECHNICAL MEASURES Use of antivirus and firewalls.
Screen savers.
Remote access control
Standards of use of email and the internet.
Use of peripherals (printers, photocopiers and multi-function devices).
NON-AUTOMATED PROCESSING Application of document filing criteria to facilitate consulting, locating and handling of Rights. Use of storage devices with locking systems (key, codes...). Custody of active documents to prevent non-authorised access.
DATA PROCESSORS List of data processors. Description of services rendered. Adoption of warranties by processors.

Field Content
1 - Name of the activity Video-surveillance management
2 - Responsible for the treatment / DPO COLEGIO PROFESIONAL. DE DIPLOMADOS EN ENFERMERÍA DE BURGOS /
3- Purpose of the processing

Security management of the facilities and persons using video-surveillance systems

4- Legal grounds for the processing GDPR: 6.1. e) and 6.1 f): Legitimate, public interest in protecting the safety of persons and facilities.
5- Categories of data subjects Persons entering the facilities
6- Origin of the data Security system (cameras and/or alarms that capture images)
Categories of personal data

Identification and contact details.

7 - Identification data

Identification and contact data: image (photographs or videos) of persons entering the facilities or registration plates.

8 - Processing system Automated
9- Data transfers

State Security Forces

International Transfers
10- Country
11 – Category of recipients
12- Company
13- Legal grounds
14- Data erasure timeframes One month as from personal data collection
15- General description of the technical and organizational security measures
FUNCTIONS AND OBLIGATIONS Deliver to all users in accordance with their user profiles, their functions and obligations relating to the security measures to be complied with and the consequences of any breach.
IDENTIFICATION AND AUTHENTICATION Individual identification and authentication. Procedure for assigning and distributing passwords. Password complexity and changes.
ACCESS CONTROL Updated list of authorised users and access. Access control allowed in keeping with the functions assigned and systems to prevent non-authorised access. Granting of access permits only for authorised personnel. Physical access control to the premises where the information systems are located.
BACKUP COPIES Frequency of backups. Procedures for generating backup copies and data recovery. Remote backup copies systems.
MEDIA MANAGEMENT Inventory management and identification of media. Media stored under lock and key. Log of incoming and outgoing media. Media destruction measures.
INCIDENT LOG Log containing the type, time detected, person reporting, effects and corrective measures of the incident. Notification procedure and incident management. Data recovery procedures.
OTHER TECHNICAL MEASURES Use of antivirus and firewalls.
Screen savers.
Remote access control
Standards of use of email and the internet.
Use of peripherals (printers, photocopiers and multi-function devices).
NON-AUTOMATED PROCESSING Application of document filing criteria to facilitate consulting, locating and handling of Rights. Use of storage devices with locking systems (key, codes...). Custody of active documents to prevent non-authorised access.
DATA PROCESSORS List of data processors. Description of services rendered. Adoption of warranties by processors.

Field Content
1 - Name of the activity
2 - Responsible for the treatment / DPO COLEGIO PROFESIONAL. DE DIPLOMADOS EN ENFERMERÍA DE BURGOS /
3- Purpose of the processing
4- Legal grounds for the processing
5- Categories of data subjects
6- Origin of the data
Categories of personal data
7 - Identification data
8 - Processing system
9- Data transfers
International Transfers
10- Country
11 – Category of recipients
12- Company
13- Legal grounds
14- Data erasure timeframes
15- General description of the technical and organizational security measures
FUNCTIONS AND OBLIGATIONS Deliver to all users in accordance with their user profiles, their functions and obligations relating to the security measures to be complied with and the consequences of any breach.
IDENTIFICATION AND AUTHENTICATION Individual identification and authentication. Procedure for assigning and distributing passwords. Password complexity and changes.
ACCESS CONTROL Updated list of authorised users and access. Access control allowed in keeping with the functions assigned and systems to prevent non-authorised access. Granting of access permits only for authorised personnel. Physical access control to the premises where the information systems are located.
BACKUP COPIES Frequency of backups. Procedures for generating backup copies and data recovery. Remote backup copies systems.
MEDIA MANAGEMENT Inventory management and identification of media. Media stored under lock and key. Log of incoming and outgoing media. Media destruction measures.
INCIDENT LOG Log containing the type, time detected, person reporting, effects and corrective measures of the incident. Notification procedure and incident management. Data recovery procedures.
OTHER TECHNICAL MEASURES Use of antivirus and firewalls.
Screen savers.
Remote access control
Standards of use of email and the internet.
Use of peripherals (printers, photocopiers and multi-function devices).
NON-AUTOMATED PROCESSING Application of document filing criteria to facilitate consulting, locating and handling of Rights. Use of storage devices with locking systems (key, codes...). Custody of active documents to prevent non-authorised access.
DATA PROCESSORS List of data processors. Description of services rendered. Adoption of warranties by processors.

Field Content
1 - Name of the activity
2 - Responsible for the treatment / DPO COLEGIO PROFESIONAL. DE DIPLOMADOS EN ENFERMERÍA DE BURGOS /
3- Purpose of the processing
4- Legal grounds for the processing
5- Categories of data subjects
6- Origin of the data
Categories of personal data
7 - Identification data
8 - Processing system
9- Data transfers
International Transfers
10- Country
11 – Category of recipients
12- Company
13- Legal grounds
14- Data erasure timeframes
15- General description of the technical and organizational security measures
FUNCTIONS AND OBLIGATIONS Deliver to all users in accordance with their user profiles, their functions and obligations relating to the security measures to be complied with and the consequences of any breach.
IDENTIFICATION AND AUTHENTICATION Individual identification and authentication. Procedure for assigning and distributing passwords. Password complexity and changes.
ACCESS CONTROL Updated list of authorised users and access. Access control allowed in keeping with the functions assigned and systems to prevent non-authorised access. Granting of access permits only for authorised personnel. Physical access control to the premises where the information systems are located.
BACKUP COPIES Frequency of backups. Procedures for generating backup copies and data recovery. Remote backup copies systems.
MEDIA MANAGEMENT Inventory management and identification of media. Media stored under lock and key. Log of incoming and outgoing media. Media destruction measures.
INCIDENT LOG Log containing the type, time detected, person reporting, effects and corrective measures of the incident. Notification procedure and incident management. Data recovery procedures.
OTHER TECHNICAL MEASURES Use of antivirus and firewalls.
Screen savers.
Remote access control
Standards of use of email and the internet.
Use of peripherals (printers, photocopiers and multi-function devices).
NON-AUTOMATED PROCESSING Application of document filing criteria to facilitate consulting, locating and handling of Rights. Use of storage devices with locking systems (key, codes...). Custody of active documents to prevent non-authorised access.
DATA PROCESSORS List of data processors. Description of services rendered. Adoption of warranties by processors.

Field Content
1 - Name of the activity HR management
2 - Responsible for the treatment / DPO COLEGIO PROFESIONAL. DE DIPLOMADOS EN ENFERMERÍA DE BURGOS /
3- Purpose of the processing

Personnel (permanent): Management of the employment relationship and workers’ files; processing of registrations and de-registrations with the Social Security; issuance and payment of payrolls; evaluation, follow-up and control of the performance of professional activities; access and attendance control and recording of work day/timetable (including, if applicable, biometric data, applications with geolocation and identity cards); promotion and offering of training activities, including discounted activities; occupational risk prevention; promotions, raises and/or changes in professional category. Processing of occupational accident reports (with a description of the accident and its consequences, which may involve access and processing of health data). Maintenance of a historic log of permanent workers.

4- Legal grounds for the processing Structure: GDPR 6.1.b) Execution of employment contract, GDPR 6.1.c) Compliance with a legal obligation (Workers’ Statute and applicable Collective Agreement) and GDPR 6.1.f) Legitimate interest in storing names and surnames, job position and dates as a historic record of workers. Internships: GDPR 6.1.b) Execution of internship agreement. Similar: GDPR 6.1.b) Execution of commercial contract. Temp. Agency: GDPR 6.1.b) Execution of supply contract between the Temp. Agency and the user company and GDPR 6.1.c) Compliance with a legal obligation (temporary employment agency law). External: GDPR 6.1.b) Execution of commercial contract with the employer. GDPR 6.1.c) Compliance with a legal obligation (Occupational Risk Prevention Law and Royal Decree with regard to the coordination of business activities). Candidate: GDPR 6.1.a) Consent of the data subject. Additional processing: GDPR 6.1.a) Consent of the data subject and/or GDPR 6.1.b) Execution of a contract to which the data subject is a party or for the application of precontractual measures and/or GDPR at their request.
5- Categories of data subjects Employees (general regime, self-employed and similar, interns); Temp. Agency workers; external workers; candidates; former employees
6- Origin of the data Permanent/Similar: the data subjects themselves or their legal representative. Internships: the data subjects themselves or their legal representative and/or the training centres or entity to which they belong. ETT: Temporary employment agencies. External: External company responsible for the worker (employer). Candidates: the data subjects themselves, job portals, personnel selection companies. When applicable: parent company and/or entities belonging to the corporate group.
Categories of personal data

Identification and contact data; personal characteristics; social and family circumstances; personality-related; academic and professional; employment details; union; economic-financial and insurance; medical or health data; administrative; judicial; social; infrastructure; other special categories of data. 

7 - Identification data

Identification and contact details: Name, surnames; DNI/NIE or Passport, Social Security number, address, email, telephone no., signature, images and/or voice, IP address/MAC of devices. Personal characteristics: Date and place of birth, age, marital status, gender, nationality, mother tongue, physical or anthropometric characteristics. Social and family circumstances: Family situation, family responsibilities, licenses, permits, authorisations, hobbies and lifestyle. Personality: Assessment of profiles, behaviour and attitudes. Academic and professional: Education, qualifications, profession and professional experience, membership of professional associations, email, identification number, hierarchic data. Employment details: Job category, non-economic salary data, professional and employee record, experience in professional world. Unions: Union membership and/or membership of works council or trade groupings. Economic-financial and insurance: Bank, current account, income, rent, credit, loans, guarantees, pension and/or retirement plan, assets, economic salary data, tax/tax benefits, compensation, indemnity, insurance, mortgages, seizures, debts. Medical or health: occupational accidents, degree of disability or incapacity and/or degree of occupational disability and other health-related data. Administrative: administrative procedures, arbitration, claims, appeals, penalties. Judicial: judicial procedures, suits, penalties. Social: aid, subsidies, social welfare benefits, employment benefits and pensions. Infrastructure: video-surveillance images. Other data (special category): religious beliefs or convictions, fingerprint and/or other identifying biometric data or patterns.

8 - Processing system Mixed (IT systems and hardcopy documents).
9- Data transfers

Organisations or persons directly related to the controller. General Treasury of the Social Security and Public Employment Service (SEPE) and other Competent Public Administrations. Banking and financial entities. Tax administration. Mutual societies and occupational risk prevention companies. Training companies or entities and processing of discounts before the National Foundation for Employment. Insurance companies. Courts and tribunals. Court representatives. Notaries. State Security Forces. Works councils and stewards. Entities, clients and/or suppliers to which employees or users must be identified. Public and private entities for the presentation of projects, tenders and subsidies. Such cases as legally provided. Parent company and/or other entities belonging to the corporate group as a result of corporate organisation and management of human resources. In the case of candidates: to increase possibilities of hiring.

International Transfers
10- Country
11 – Category of recipients
12- Company
13- Legal grounds
14- Data erasure timeframes Permanent/Similar/Interns: The data will be stored during the life of the relationship. Once terminated, the work data will be stored and blocked during the legally required periods to address potential liabilities; except for name and surnames, job positions and dates of hiring and departure which will be stored as a historic log of permanent workers based on the entity’s legitimate interest. Temporary workers: Data will be stored for the duration of the engagement with the temporary employment agency (ETT) and, upon termination, will be stored and blocked for the legally required periods to address potential liabilities or enter into a new contract. The company shall, based on a legitimate interest, store the name and surnames, job position, reason for termination and dates as a historic log of workers for an indefinite period based on the entity’s legitimate interest. External: Data will be stored for the duration of the commercial contract with the entity (employer) and, upon termination, will be stored and blocked for the legally required periods to address potential liabilities. Candidates: Throughout the personnel selection processes and upon termination, for 1 year for future processes. Business information: until unsubscription is requested. Images/voice: while published in the media described and are used for the purpose for which they were obtained, unless your consent is withdrawn.
15- General description of the technical and organizational security measures
FUNCTIONS AND OBLIGATIONS Deliver to all users in accordance with their user profiles, their functions and obligations relating to the security measures to be complied with and the consequences of any breach.
IDENTIFICATION AND AUTHENTICATION Individual identification and authentication. Procedure for assigning and distributing passwords. Password complexity and changes.
ACCESS CONTROL Updated list of authorised users and access. Access control allowed in keeping with the functions assigned and systems to prevent non-authorised access. Granting of access permits only for authorised personnel. Physical access control to the premises where the information systems are located.
BACKUP COPIES Frequency of backups. Procedures for generating backup copies and data recovery. Remote backup copies systems.
MEDIA MANAGEMENT Inventory management and identification of media. Media stored under lock and key. Log of incoming and outgoing media. Media destruction measures.
INCIDENT LOG Log containing the type, time detected, person reporting, effects and corrective measures of the incident. Notification procedure and incident management. Data recovery procedures.
OTHER TECHNICAL MEASURES Use of antivirus and firewalls.
Screen savers.
Remote access control
Standards of use of email and the internet.
Use of peripherals (printers, photocopiers and multi-function devices).
NON-AUTOMATED PROCESSING Application of document filing criteria to facilitate consulting, locating and handling of Rights. Use of storage devices with locking systems (key, codes...). Custody of active documents to prevent non-authorised access.
DATA PROCESSORS List of data processors. Description of services rendered. Adoption of warranties by processors.

Field Content
1 - Name of the activity Supplier management
2 - Responsible for the treatment / DPO COLEGIO PROFESIONAL. DE DIPLOMADOS EN ENFERMERÍA DE BURGOS /
3- Purpose of the processing

Tax, accounting and administrative management of suppliers 

4- Legal grounds for the processing Provision of the service: GDPR 6.1.b) execution of contract
5- Categories of data subjects Suppliers, contact persons and/or legal representatives.
6- Origin of the data The data subjects themselves or their legal representative.
Categories of personal data

Identification and contact data; economic-financial and insurance.

7 - Identification data

Identification and contact details: Name, surnames, identification documents (DNI, NIE or passport), address, telephone no., email. Name, surnames, telephone no. of contact persons. Name, surnames and signature of legal representatives.

Economic-financial and insurance: Bank data.

8 - Processing system Mixed (IT systems and hardcopy documents).
9- Data transfers

Organisations or persons directly related to the controller. Competent Public Administrations. Tax administration. Banking entities. Such cases as legally provided.

International Transfers
10- Country
11 – Category of recipients
12- Company
13- Legal grounds
14- Data erasure timeframes Data will be stored for the duration of the relationship and, upon termination, will be stored for the legally required periods to address potential liabilities.
15- General description of the technical and organizational security measures
FUNCTIONS AND OBLIGATIONS Deliver to all users in accordance with their user profiles, their functions and obligations relating to the security measures to be complied with and the consequences of any breach.
IDENTIFICATION AND AUTHENTICATION Individual identification and authentication. Procedure for assigning and distributing passwords. Password complexity and changes.
ACCESS CONTROL Updated list of authorised users and access. Access control allowed in keeping with the functions assigned and systems to prevent non-authorised access. Granting of access permits only for authorised personnel. Physical access control to the premises where the information systems are located.
BACKUP COPIES Frequency of backups. Procedures for generating backup copies and data recovery. Remote backup copies systems.
MEDIA MANAGEMENT Inventory management and identification of media. Media stored under lock and key. Log of incoming and outgoing media. Media destruction measures.
INCIDENT LOG Log containing the type, time detected, person reporting, effects and corrective measures of the incident. Notification procedure and incident management. Data recovery procedures.
OTHER TECHNICAL MEASURES Use of antivirus and firewalls.
Screen savers.
Remote access control
Standards of use of email and the internet.
Use of peripherals (printers, photocopiers and multi-function devices).
NON-AUTOMATED PROCESSING Application of document filing criteria to facilitate consulting, locating and handling of Rights. Use of storage devices with locking systems (key, codes...). Custody of active documents to prevent non-authorised access.
DATA PROCESSORS List of data processors. Description of services rendered. Adoption of warranties by processors.