Seahouse S.L. (the "Company") is an organization engaged in activities involving the processing of personal data, which places significant responsibility on it to design and organize procedures aligned with legal compliance in this area.
In exercising these responsibilities, and to establish the general principles governing the processing of personal data within the Company, this Personal Data Protection Policy is approved, communicated to employees, and made available to all stakeholders.
1. Purpose
The Personal Data Protection Policy is a proactive responsibility measure aiming to ensure compliance with applicable data protection legislation, as well as respect for the right to honor and privacy in the processing of personal data of all individuals interacting with the Company. To fulfill the provisions of this Personal Data Protection Policy, principles governing data processing in the organization are established, along with procedures and organizational and security measures that persons affected by this Policy commit to implementing within their scope of responsibility.
To this end, Management will assign responsibilities to personnel involved in data processing operations.
2. Scope
This Personal Data Protection Policy applies to the Company, its directors, executives, and employees, as well as all persons associated with it, explicitly including service providers with data access ("Data Processors").
3. Principles of Personal Data Processing
As a general principle, the Company will scrupulously comply with personal data protection legislation and must be able to demonstrate compliance ("principle of proactive responsibility"), paying particular attention to processes that may pose higher risks to the rights of affected individuals ("risk-based approach").
In relation to the above, Seahouse S.L. ensures compliance with the following principles:
- Lawfulness, fairness, transparency, and purpose limitation. Data processing must always be communicated to the data subject through clauses and other procedures. Processing will only be legitimate if consent is provided (with special attention to consent provided by minors) or if another valid legal basis exists, and the processing purpose aligns with relevant regulations.
- Data minimization. Processed data must be adequate, relevant, and limited to what is necessary for the processing purposes.
- Accuracy. Data must be accurate and updated if necessary. Measures will be adopted to promptly delete or rectify inaccurate personal data related to processing purposes.
- Storage limitation. Data will be maintained to allow identification of data subjects no longer than necessary for processing purposes.
- Integrity and confidentiality. Data will be processed to guarantee adequate personal data security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, through appropriate technical and organizational measures.
- Data transfers. Acquisition or obtaining personal data from illegitimate sources or when data collection or transfer breaches the law or does not sufficiently guarantee legitimate origin is prohibited.
- Contracting suppliers with data access. Only suppliers providing sufficient guarantees for applying appropriate technical and security measures in data processing will be contracted. An agreement to this effect will be documented with these third parties.
- International data transfers. Any processing of personal data subject to European Union regulations involving data transfers outside the European Economic Area must strictly comply with applicable legal requirements.
- Rights of data subjects. The Company will facilitate the exercise of rights of access, rectification, erasure, restriction of processing, objection, and portability, establishing necessary internal procedures and appropriate models for exercising these rights, ensuring compliance with applicable legal requirements.
The Company will promote consideration of the principles outlined in this Personal Data Protection Policy: (i) in designing and implementing all work procedures, (ii) in products and services offered, (iii) in all contracts and obligations formalized or assumed, and (iv) in implementing systems and platforms enabling access by employees or third parties and/or the collection or processing of personal data.
4. Employee Commitment
Employees are informed of this Policy and acknowledge that personal data is a valuable asset of the Company, committing to:
- Undertaking data protection awareness training provided by the Company.
- Applying user-level security measures relevant to their roles, notwithstanding responsibilities related to designing and implementing measures that may correspond to their specific roles within Seahouse S.L.
- Using established formats to facilitate the exercise of rights by data subjects and immediately notifying the Company to ensure effective responses.
- Promptly reporting deviations from this Policy, especially "personal data security breaches," using the designated format.
5. Control and Evaluation
Verification, evaluation, and annual assessment, or whenever significant changes occur in data processing activities, will be conducted to ensure the effectiveness of technical and organizational measures for guaranteeing processing security.