Privacy Policy

5.4 Purposes of the processing of personal data:

The personal data of the Interested Party will be processed in order to provide the Services that have been contracted and/or manage the contractual relations with the interested party(ies).

In particular, we process the data subject’s personal data in order to:

• To provide telecommunications services.
• Communicate with you and other third parties as part of our Services.
• Make non-automated decisions about whether to offer the Services to the Data Subject.
• Continually improve and test the quality of our Services (e.g., by conducting satisfaction surveys, research and analysis in connection with the Services).
• Protect our business against fraud or non-payment.
• Management of our operations and compliance with internal policies and procedures related to, for example, auditing, financial performance analysis and accounting, billing and collection, information systems, business continuity, as well as records, document and print management.
• Resolving complaints and handling requests.
• Compliance with legal obligations to which fibratel is subject, as well as the response to requests from public and governmental administrations and litigation.
• Establish and defend legal rights, protect our operations or those of any other fibratel group company, safeguard our rights, privacy,
  security and property, and/or those of our business group, the Stakeholder or others, and seek remedies or mitigate damages.

Data Recipients:

We may share the Data Subject’s personal data with third parties to the extent necessary for us to provide the Services to which the Data Subject is entitled or for the purposes described in this Data Protection Policy. The sharing of the Data Subject’s personal data means that the Data Subject’s personal data will be shared with and/or accessed by the following third parties:

• Entities of the fibratel Group.
• External advisors and collaborators: agencies, lawyers, consultants, financial entities…
• Our regulators and other governmental or public authorities, when necessary to comply with a legal or regulatory obligation.
• Police and other third parties or law enforcement agencies, courts, regulators, government authorities or other similar third parties, where necessary for the prevention or detection of crime or to comply with a legal or regulatory obligation, or to otherwise protect our rights or the rights of a third party.
• Other third parties, such as emergency service providers (fire, police and emergency medical services) and tour operators.

Depending on the nature of the services contracted by the Data Subject, his or her personal data may be shared with and/or accessed by third parties located in countries outside the European Economic Area, which have a different level of protection than Spain. In that case, when we transfer the Data Subject’s personal data to any of those countries, we will carry out such transfer in accordance with applicable data protection regulations. This would include adopting the necessary safeguards, such as contractual obligations, to protect the Data Subject’s personal data and his or her fundamental rights and freedoms, as well as the rights relating to his or her personal data.

Information Maintenance:

Generally speaking, we only keep the data subject’s personal data for as long as necessary to:

• Provide the Services.
• To comply with the purposes described in this Data Protection Policy.
• To comply with our legal obligations and/or protect our rights.

Upon termination of the provision of the Services, the Data Subject’s personal data will be protected, blocked or deleted once the retention period has expired in order to comply with our legal or regulatory obligations and/or to protect our rights. By default, our maximum retention period will be 6 years for business data and 4 years for employment data. CCTV recordings will be kept for 15 days.

In the event that the Data Subject wishes additional information regarding the terms of retention and storage of his or her personal data, he or she may use the contact details provided below in the “Contact” section of this Data Protection Policy.

Rights:

In accordance with data protection regulations, the Data Subject has certain rights in relation to the personal data that fibratel processes about him/her, which he/she may exercise by using the contact details provided below in the “Contact” section of this Data Protection Policy.

Stakeholder’s rights include:

• a) The right of access to personal data: The Data Subject has the right to obtain a copy of the personal data that fibratel stores about him/her and certain details about the manner in which such data is used. In general terms, such requests will be processed at no cost to the data subject.
  The data subject’s information will normally be provided in writing, unless the data subject requests that it be provided in another form, or the request is made by electronic means, in which case the information will be provided by electronic means if possible.
• b) The right to rectification: fibratel takes appropriate measures to ensure that the information stored about the data subject is accurate and complete. However, if the Data Subject considers that this is not the case, he/she may request that it be updated or corrected.
• c) The right of erasure: In some circumstances, the Data Subject has the right to request the erasure of his or her personal data. However, in some cases, exercising this right may mean that the Services cannot be provided to the Data Subject.
• d) The right to object and to restrict processing: In certain circumstances, the Data Subject has the right to object to the processing of his or her personal data, or to request that it not be used. However, in some cases, exercising these rights may mean that the Services cannot be provided to the Data Subject.
• e) The right to portability: In some circumstances, the Data Subject has the right to request his or her personal data in a commonly used electronic format, and to have it transmitted to another third party of his or her choice.
• f) The right to object to marketing activities: The data subject has the right to request that his or her personal data not be used for marketing activities.
• g) The right not to be subject to an automated decision (including profiling): The Data Subject has the right not to be subject to a decision based solely on automated processing. However, our decisions will never be based solely on automated means.
• h) The right to revoke consent: The Interested Party has the right at any time to revoke the consent previously granted.
• i) The right to file a complaint with the Spanish Data Protection Agency:
  The Data Subject has the right to file a complaint with the Spanish Data Protection Agency if he/she considers that any processing of his/her personal data by fibratel is in breach of the applicable data protection regulations.

The filing of a claim shall not affect any other rights or actions of the Stakeholder.

Information security:

To protect the Data Subject’s personal data, appropriate technical, physical, legal and organizational measures will be taken that are consistent with applicable data protection regulations.

Changes in the privacy and data protection policy:

We may update this Privacy Policy from time to time to ensure its accuracy. Therefore, it is recommended that the Data Subject consult it each time he or she provides personal data. Where changes to the Policy will have a material impact on the processing of the Data Subject’s personal data, or otherwise significantly impact the Data Subject, we will notify the Data Subject in sufficient time to give the Data Subject an opportunity to exercise his or her rights in relation to his or her personal data.

This Data Protection Policy was last updated in September 2019 to comply with the European Union’s General Data Protection Regulation, applicable as of May 25, 2018.

Contact us:

In case the Data Subject has any doubts or questions about the way in which fibratel collects, stores or uses his/her personal data, he/she can contact us as follows:

Grupo fibratel
c/ Xaudaró, 11
28034 Madrid
Att. Data Protection Dept.
protecciondatos@fibratel.com

Data collection:

As of 25/05/18, the collection of personal data must be done through a clause of express acceptance to the processing of the same. According to the regulation, such acceptance must be express, unequivocal and informed, so internally we will implement it as follows, depending on the origin and treatment to be carried out with such data:

1. Customers and contacts (potential customers):
   There are two options:
2. Preferably by filling out the customer registration form, which you will find at the following SharePoint address. Corporate Client File: http://shr-fe01/Documentacion%20Corporativa/FICHA%20DE%20CLIENTE%20V01.14.doc
3. Redirecting it to the website in the section contact us and filling in your data, marking the option that expressly accepts the treatment of the same: https://www.fibratel.com/contacta-con-nosotros/
   
   Suppliers and Subcontractors:
   Following the same procedure as with clients, we either redirect them to the web page so that they can fill in and accept the processing of their data on our web page, or we send them the following supplier file, without which they cannot register in the system, as they do not have the authorization to do so (the first hyperlink is for fibratel Catalunya and the second is for fibratel):
   Fibratel Catalunya supplier file: http://shrfe01/Documentacion%20Corporativa/FICHA%20PROVEEDOR%20Fibratel%20Catalunya.docx
   Fibratel supplier file: http://shr-fe01/Documentacion%20Corporativa/FICHA%20PROVEEDOR%20Fibratel.docx
   Resumes and job applications:

   As previously stated, no company of the fibratel Group will accept CVs delivered by hand. Anyone wishing to submit an unsolicited application must do so through our website in the section “Work with us “: https://www.fibratel.com/trabaja-con-nosotros/

In this section the candidate is required to accept the privacy policy, a requirement demanded by the Regulation, and we centralize this type of data in a single entry point.

Marketing Actions:
Prior informed consent must be obtained, indicating also for what purpose and by what means the person agrees to be contacted. This will also be done through the web form in the “Contact Us” section.

Other Contacts:
As in the previous cases, any new contact of any kind (consultants, auditors, partners, etc…), must expressly accept the use of their data, so we recommend that they send them to us through the Contact Us section of our website, so that we will have a single point of entry of data (apart from the customer and supplier files that will be kept by the Administration, to have available the evidence of compliance.

The consent forms will be stored by the Administration Department in digital form in the following SharePoint addresses by years, since we need to know exactly the date on which the consent was granted:

Customers in fibratel:
http://shr-fe01/administracion/Fibratel Madrid/Clients/Customers/Customer Registration Form/2018

Customers in fibratel Catalunya:
http://shr-fe01/administracion/Fibratel Catalunya/Clients/Customers/Customer Registration Form/2018

Suppliers at fibratel:
http://shr-fe01/administracion/Fibratel Madrid/Suppliers/SUPPLIER SHEETS/2018

Suppliers in fibratel Catalunya:
http://shr-fe01/administracion/Fibratel Catalunya/Providers/Suppliers/Supplier Sheets/2018

No client or supplier who has not checked the “YES” option on the informed consent form will be discharged.

Action to be taken in the exercise of rights:

The rights over personal data are very personal, and must be exercised by the data subject against the data controller, so it is necessary to prove his identity to the data controller.

However, the legal representative of the data subject may act (with prior accreditation) when the owner of the data is in a situation of incapacity or minority of age that makes it impossible for him/her to personally exercise the same.

fibratel shall reply to the request addressed to it, regardless of whether or not the personal data of the data subject is contained in its files, within the same deadlines defined for each type of right.

In the event that the application does not meet the specified requirements, fibratel shall request the correction of the same.

Fibratel shall be responsible for the proof of the fulfillment of the duty to respond, and shall keep the accreditation of the fulfillment of the aforementioned duty.

The receipt of the Request to exercise rights must be made through the following e-mail address or postal address:

Fibratel Group

c/ Xaudaró, 11
28034 Madrid
Att. Data Protection Dept.
protecciondatos@fibratel.com

This request will be received by our monitoring service through the OTRS tool and escalated to the Data Protection area, by opening a ticket and assigning a responsible person and owner, who, as responsible persons, will verify that the request contains the following:

• The name of the Data Subject, telephone number, as well as e-mail or other means to communicate the response to your request. Valid document proving the identity of the Data Subject.
• A clear and precise description of the personal data and/or the reasons in respect of which you are seeking to exercise any of the rights and the name(s) of the fibratel Group company(ies) in respect of which you wish to exercise the right(s).
• Any other element or document that facilitates the location of personal data.
• In the case of a request for RECTIFICATION of personal data, the holder must also indicate the modifications to be made and provide the documentation supporting his request.
  If the request meets all the requirements of form, the process will continue according to the following procedure:
• Those responsible for the Protection of Personal Data will communicate to the Data Subject or his/her Legal Representative, within a maximum period of 20 (twenty) working days, counted from the date on which the request was received, the determination adopted, through the means indicated by the Data Subject in his/her request or through the same means by which the request was received from the Data Subject.
• If the request is granted, it will be effective within 15 (fifteen) business days following the date on which the response is communicated.
• In the case of requests for ACCESS to personal data, delivery shall be made upon proof of the identity of the applicant or legal representative, as applicable, which must be made in person and in person by the Data Subject or his legal representative.
• The obligation of ACCESS to the information shall be deemed fulfilled when the personal data is made available to the Data Subject; or by issuing simple copies, electronic documents or any other means. Access to the Holder of the personal data may be denied, or the rectification or cancellation or opposition to the processing thereof may be granted, in the following cases:
• When the applicant is not the owner of the personal data, or the legal representative is not duly accredited to do so;
• When the applicant’s personal data is not found in its database;
• When there is a legal impediment, or the resolution of a competent authority, which restricts access to personal data, or does not allow the rectification, cancellation or opposition thereof, and
• When the rectification, cancellation or opposition has already been previously made. Those responsible for the Protection of Personal Data must inform the reason for their decision and communicate it to the Data Subject, or if applicable, to the legal representative, within the deadlines established for such purpose, by the same means established in the request, accompanying, if applicable, the evidence that may be relevant.

A form is provided in Annex I to facilitate communication and to assist in making the request for the exercise of rights as established in the regulations. In the event that any interested party decides to exercise any right, the form may be sent to him/her to facilitate the management of his/her request.

All the steps related to the application until the final resolution and closing of the ticket will be carried out through OTRS, and all this information will be kept for at least 4 years as evidence before the interested parties and competent authorities.

Action in the event of security incidents and breaches:

The GDPR broadly defines “personal data breaches” as those that result in the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized disclosure of or access to such data.

Any person in the fibratel Group who detects an incident or security breach must immediately notify helpme@fibratel.com so that a ticket can be opened by the fibratel Technical Assistance Center (hereinafter CAT) and managed through the OTRS tool in the shortest possible time.

The CAT will appoint as owner/responsible for the ticket the ICT Director, who will coordinate and supervise the following actions:

1. Report the event to the data protection team by e-mail to the following address: protecciondatos@fibratel.com.
2. Appoint the person(s) in charge of managing the crisis and the initial measures to be taken, escalating the ticket generated in OTRS to them as a matter of URGENT.
3. Notify the incident within 72 hours to the Spanish Data Protection Agency.
4. Communication of the security breach to those affected.

In accordance with the GDPR, as soon as the controller becomes aware that a personal data security breach has occurred, it must notify the competent supervisory authority without delay and at the latest within 72 hours. Where at the time of notification it is not possible to comply with the obligation to provide all the required information, it shall be provided gradually, as soon as possible and without delay.

The data controller must, in addition, communicate the security breach to the affected parties in clear and simple language, in a concise and transparent manner. The communication of the security breach affecting personal data, which meets the criteria established by current legislation, shall be made following the online form published by the Spanish Data Protection Agency (AEPD) on its website.

If the incident could affect persons in more than one Member State, an assessment should be made as to which is the primary authority to be notified, although in case of doubt, the local authority where the breach has taken place should be notified.

When it must be communicated to the affected parties, the possibility that such communication could affect the investigation of the incident shall be analyzed, which may be communicated to the supervisory authority.

The communication must contain:

• DPO contact details, or point of contact for further information and queries
• General description of the incident and time of occurrence
• Potential consequences of the personal data breach
• Description of the personal data and information concerned
• Summary of measures implemented so far to control possible damages
• Other useful information for those affected to protect their data or prevent possible damages

The communication will be made directly to the affected party, by any of the following means:

• Phone
• E-mail address
• SMS
• Postal mail
• Other media

Only if direct contact is not possible, alternative channels such as corporate blogs, press releases, etc. can be used.
In any case, if it can be reliably demonstrated that the security breach does not pose a risk to the rights and freedoms of individuals, notification is not required.

This could occur under the following criteria:

• Appropriate technical and organizational measures have been taken to make data unintelligible, such as state-of-the-art encryption, minimization, data decryption, access to test environments without real data, etc.
• Whether measures have been taken, subsequent to the breach, that fully or partially mitigate the potential impact to those affected and ensure that the high risk is no longer likely to materialize.

Once the incident has been corrected, the ticket will be closed in the OTRS tool, and the entire history of actions carried out will be recorded in the system for any consultation and/or accreditation before the competent authorities.

RECORDS

Staff of the Systems Department:

• OTRS Security Incident Logging

Administration Department Staff Administration:

• Activity Log, when applicable
• Records related to the exercise of rights in OTRS
• Customer and Supplier registration forms

Law Exercise Form

Download