Global Omnium Idrica S.L.U, with address at Plaza de la Legión Española, number 4, 46010 of Valencia and holder of C.I.F.: B-44527141 (hereinafter, “IDRICA”), as developer of the Work Orders application (hereinafter, the “App”), hereby informs you of the following:
- Who is responsible for the processing of personal data handled in the App.
- Principles and rationale with regard to data processing.
- For what purposes personal data is processed through the App.
- What security measures are applied to the processing of the data.
- What types of data are processed and for how long.
- What the user’s rights are in this respect and how they can exercise them.
IDRICA, as the entity responsible for the development of the App, does not act as the entity responsible for the processing of personal data through the App, except in those cases where IDRICA uses the App for internal use with its own staff. Our App is a corporate application used by those entities that have contracted it as a complement to the software suite that we market.
The person responsible for the processing of personal data shall therefore be the company for which the user works or provides services and which has contracted with IDRICA a licence for the use of the App (hereinafter, the “Controller”).
(B) PRINCIPLES AND GROUNDS FOR DATA PROCESSING:
IDRICA, as developer of the App, has taken into account the following principles of personal data processing which it undertakes to respect:
- Lawfulness, fairness and transparency: The processing of data must always be legitimate and will be carried out with transparency and fairness towards the persons whose data is handled. The legitimacy of the processing is presumed by the existence of the contractual relationship between the user of the App and the company responsible for the processing.
- Minimisation and accuracy of personal data: The personal data handled through the App are strictly necessary for the management of work orders. The Data Controller must ensure that the personal data is current and accurate. If the user notices that the data is outdated or inaccurate, he/she should contact the Data Controller to correct it as necessary.
- Limitation of the retention period: Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. In other words, they may only be processed for as long as the purpose for which they were collected or recorded remains valid.
- Data protection by design and by default: IDRICA is committed to applying privacy requirements and criteria by design and by default in order to ensure compliance with the principles set out herein at all times.
- Continuous improvement: IDRICA carries out periodic reviews and controls on the data processing in which it is involved and on the risk analyses carried out, all as part of a cycle of continuous improvement that reinforces and consolidates our obligations and commitments in terms of personal data protection.
- Security of processing: Personal data will be processed in a way that ensures an appropriate level of security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
(C) INFORMATION ON DATA PROCESSING:
Without prejudice to the information that the Controller may provide or has provided to the user, which prevails over the information detailed below, we provide below information on the data processing carried out in the context of the App:
a) Purposes and legitimacy of the processing: The data is processed for the management of work orders through the App, to show the user the assigned work orders and their location and to indicate the best route to reach the workplace from his/her position. This processing is legitimate because it is necessary for the performance of the user’s duties with respect to the contractual relationship between the user and the Controller.
b) Origin and retention period of your data: The data handled in the App are obtained through the use of the App by the user or by the Data Controller. The data will be stored in the database of the Data Controller, never in the IDRICA environment, for the period of time designated by the Data Controller.
c) Types of data: The types of data handled in the App are identifying (access credentials) and other types of data (geolocation).
d) Communication of data: In general, personal data will not be disclosed to third parties, except to public bodies and authorities when this is strictly necessary for the defence of the rights and interests of IDRICA or the Data Controller or compliance with legal obligations.
e) International data transfers: They do not occur in the App environment.
(D) SECURITY APPLIED TO DATA PROCESSING:
Regardless of the security measures to be applied by the Controller, IDRICA has implemented appropriate technical and organisational security measures to ensure an adequate level of integrity, availability and confidentiality of personal information. These measures take into account the nature, scope, context and purposes of the data processing carried out, as well as, in light of the above, the likelihood of a risk occurring and the impact it would have on the individuals whose personal data is handled.
In particular, but not exclusively, the following security measures have been adopted for the App:
- Data protection and information security policies.
- Measures to control logical access to information, such as identity management process, user inventory and log recording, procedure for user registration, deletion and modification, management of secret user authentication information and updating of logical access credentials.
- Backup and recovery copies, provided that they have been previously contracted by the Data Controller.
- Restoration tests, provided that they have been previously contracted by the Data Controller.
- System and application management measures, such as secure login procedure, restrictions on software installation and maintenance, anti-malware measures, incident preparedness and response plan, and monitoring, detection and analysis of security incident events.
- All communications are secured using the HTTPS and WSS protocols, with our organisation’s digital certificates.
- The data stored in the App is stored in a local database on the user’s own device, encrypted with a strong AEAD_AES_256_CBC_HMAC_SHA512 encryption algorithm according to the FIPS 140-2 “Approved Security Features” standard.
- Organisational security measures: security incident logging, operational data protection protocols and confidentiality commitments.
(E) DATA PROCESSING OBLIGATIONS
For the correct functioning of the application, it will be essential to process the personal data of the users themselves. Given that the App contains field worker management functionalities, it is necessary to geolocate the user from time to time in order to be able to assign work orders correctly from the central system and, in the event of an emergency, to have an approximate indication of the users’ location. Without this information, it would not be possible to manage work orders correctly.
(F) USERS’ RIGHTS:
Any user of the App has the right to obtain information about the processing of their data, to access them, to have them rectified or, where appropriate, deleted. In certain circumstances, you also have the right to limit the processing of your data (in which case we will only keep it for the exercise or defence of claims), to object to its processing, and to its portability.
To exercise any of these rights, the user must contact the Data Controller. However, if IDRICA receives any request from a user related to his or her personal data, we will inform the Data Controller as soon as possible so that the request can be dealt with correctly.
Likewise, if the user considers that any type of violation has occurred in relation to the processing of his/her personal data, he/she may file a complaint with the competent supervisory authority (in Spain, the Spanish Data Protection Agency or the body that replaces it in the future; for other European countries, please consult here).
(G) DATA PROTECTION OFFICER:
IDRICA informs you that, in accordance with current legislation, it has appointed a Data Protection Officer whose contact details are:
Address: Plaza de la Legión Española, número 4, 46010 de Valencia