DATA PROTECTION POLICY

PERSONAL DATA PROTECTION POLICY

BÉSAME TONTO is a brand of CELOFAN AUDIOVISUAL S.L. (the “Company”). This Company engages in activities related to the processing of personal data, which gives it significant responsibility in designing and organizing procedures aligned with legal compliance in this matter. In the exercise of these responsibilities and with the aim of establishing general principles governing the processing of personal data within the Company, this Personal Data Protection Policy is approved, notifying its Employees and making it available to all stakeholders.

  1. Purpose: The Personal Data Protection Policy is a proactive measure aimed at ensuring compliance with applicable legislation in this area and, in relation to this, respecting the right to honor and privacy in the processing of personal data of all individuals associated with the Company. In line with this Personal Data Protection Policy, the principles governing data processing within the organization are established. Consequently, procedures and organizational security measures are defined, which the individuals affected by this Policy commit to implementing within their area of responsibility. For this purpose, the management will assign responsibilities to personnel involved in data processing operations.
  2. Scope: This Personal Data Protection Policy applies to the Company, its administrators, executives, employees, as well as all individuals associated with it, including service providers with access to data (“Data Processors”).
  3. Principles of Personal Data Processing: As a general principle, the Company will rigorously comply with legislation regarding the protection of personal data and must be able to demonstrate this (Principle of “proactive responsibility”), paying special attention to processing operations that may pose a higher risk to the rights of affected individuals (Principle of “risk-based approach”). In light of the above, BÉSAME TONTO, represented by CELOFAN AUDIOVISUAL S.L., will ensure compliance with the following Principles:
  • Lawfulness, loyalty, transparency, and limitation of purpose: Affected individuals must always be informed of data processing through clauses and other procedures. Processing will only be considered legitimate if there is consent for data processing (with special attention to consent provided by minors) or if it has other valid legal grounds, and the purpose aligns with regulations.
  • Data minimization: Processed data must be adequate, relevant, and limited to what is necessary for the intended purposes.
  • Accuracy: Data must be accurate and, if necessary, updated. Measures will be taken to promptly rectify or delete inaccurate personal data.
  • Limitation of retention period: Data will be retained only for as long as necessary for the purposes of processing.
  • Integrity and confidentiality: Data will be treated in a way that ensures adequate security, protecting against unauthorized or unlawful processing, loss, destruction, or accidental damage through appropriate technical or organizational measures.

    Data Transfers: The purchase or acquisition of personal data from illegitimate sources is strictly prohibited. Additionally, data should not be collected or shared in violation of the law, and the legitimate origin of such data must be sufficiently guaranteed.

    Engaging Data Access Providers: Only providers that offer sufficient guarantees for applying appropriate technical and security measures in data processing will be selected for engagement. Adequate agreements will be documented with these third parties.

    International Data Transfers: Any processing of personal data subject to European Union regulations that involves transferring data outside the European Economic Area must strictly comply with the requirements established by applicable law.

    Rights of Data Subjects: The Company will facilitate the exercise of rights by data subjects, including access, rectification, erasure, restriction of processing, objection, and data portability. Internal procedures, including necessary and appropriate models, will be established to meet at least the applicable legal requirements.

    The Company will promote the principles outlined in this Personal Data Protection Policy by considering them:

    • In the design and implementation of all work procedures.
    • In the products and services offered.
    • In all contracts and obligations formalized or assumed.
    • In the implementation of systems and platforms allowing access by employees or third parties and/or the collection or processing of personal data.

    Employee Commitment: Employees are informed of this Policy and declare awareness that personal information is an asset of the Company. They commit to the following:

    • Participate in data protection awareness training provided by the Company.
    • Apply user-level security measures relevant to their job roles, without prejudice to additional responsibilities based on their roles within BÉSAME TONTO and/or CELOFAN AUDIOVISUAL S.L.
    • Use established formats for data subject rights requests and promptly inform the Company to enable effective responses.
    • Report deviations from this Policy, particularly regarding “Personal Data Security Violations,” using the designated format.

    Control and Evaluation: A verification, evaluation, and assessment will be conducted annually (or whenever significant changes occur in data processing) to evaluate the effectiveness of technical and organizational measures ensuring data security.

    BÉSAME TONTO