Data protection

Objective

The purpose of this data protection policy is to establish the safeguards and responsibilities for those involved in the processing and use of information defined as personal data, which is stored and processed within AXIONLOG’s existing data sources. It also aims to ensure adequate protection and security, encouraging employees to integrate data protection into their daily work activities, and guiding the Information Security department regarding data processing when configuring all services for the company.

Personal Data and Sensitive Data

It is important to note the distinction between the two, as no individual can be compelled to provide sensitive data, and the collection of such information requires the consent of the data subject. Sensitive data may only be processed with the express written consent of the data subject. Therefore, it can only be collected and processed when justified by reasons of public interest authorized by law, or when the requesting entity has a legal mandate to do so. It may also be processed for statistical or scientific purposes, provided the data is anonymized so it cannot be linked back to the data subjects.

Conversely, according to the European Union’s General Data Protection Regulation (GDPR), personal data is considered to be any information relating to an identified or identifiable natural person. Under this regulation, personal data refers to anything containing: direct identification information, such as first name, last name, and phone number, as well as so-called pseudonymized data or indirect identification information. While the latter does not allow for the direct identification of users, it does make it possible to single out behaviors and, occasionally, location and professional or employment-related information. This typically includes job title, job description, employer, location, and internet or other similar network activity, including information published on their LinkedIn profile or public networks in general, which are commonly collected.

Furthermore, no personal information will be collected from children and adolescents under eighteen (18) years of age.

Processing of Personal Data

Processing is lawful when the data subject has given their free, prior, express, and informed consent, which must be documented. Prior consent shall not be required when:

  • The data comes from public sources of information, such as public registries or publications in mass media.
  • The data is collected for the exercise of functions inherent to State authorities or by virtue of a legal obligation.
  • The data consists of listings limited to, in the case of natural persons: first and last names, identification document, nationality, address, and date of birth. In the case of legal entities: corporate name, trade name, unique taxpayer identification number, address, telephone number, and the identity of the persons in charge of the entity.
  • The data derives from a contractual, scientific, or professional relationship with the data subject and is necessary for its development or fulfillment.
  • The processing is carried out by natural persons for their exclusive personal, individual, or domestic use.

Data Collection

Data collection cannot be carried out by any unfair, fraudulent, abusive, or extortionate means, or in any manner contrary to national data protection regulations. At the time of collecting personal data, data subjects must be expressly and clearly informed in advance of:

  • The purpose for which the data will be processed and who the recipients or categories of recipients may be.
  • The existence of the archive, registry, data bank (electronic or otherwise) in question, as well as the identity and address of the data controller.
  • The mandatory or optional nature of the answers to any questionnaire presented to them.
  • The data subject’s possibility to exercise their rights of access, rectification, and erasure of their data.

Purpose of the Data

Data subject to processing may not be used for purposes other than or incompatible with those for which it was originally obtained. The goal is to establish the lawfulness of the collected data. In this regard, it is lawful to collect and process the personal data of data subjects on the basis of a contractual relationship or for the purpose of establishing such a relationship. Furthermore, the processing or use of personal data for marketing tasks or for market and opinion research may also be considered lawful, provided that this use is compatible with the purpose for which the data was originally collected.

In the event that the data is used for a different purpose, the data subject must be informed of the identity of the data controller, the purposes of the processing to which the data will be subjected, the third parties to whom the collected data may be transferred, and, no less importantly, the voluntary nature of participating in marketing campaigns or market and opinion research.

Data Storage

Data must be stored in a manner that allows the data subject to exercise their right of access. This is a right established by the previously mentioned applicable laws, which demonstrates how the data subject can have access to and/or knowledge of the information regarding data collection. This means that when personal data is collected, data subjects must be expressly, precisely, and unequivocally informed in advance of:

  • The purpose for which the data will be processed and who the recipients or categories of recipients may be.
  • The existence of the database (electronic or otherwise) in question, as well as the identity and address of the data controller.
  • The mandatory or optional nature of the answers to any questionnaire presented to them, particularly regarding sensitive data.
  • The consequences of providing the data, refusing to do so, or providing inaccurate information.
  • The data subject’s possibility to exercise their rights of access, rectification, and erasure of their data.

Data Destruction

Data must be destroyed when it is no longer necessary or relevant to the purposes for which it was originally collected.

The destruction of data that is no longer needed not only saves space and reduces storage costs, but also ensures that no unauthorized person can access the collected data, regardless of whether it is obsolete or not. This shall be taken into consideration when its use or update is no longer possible; therefore, its destruction is highly recommended to prevent unnecessary access or the theft of personal information.

The cancellation or erasure of data shall entail the blocking of such data—which consists of identifying and segregating it to prevent any further processing—except for making it available to Judicial Authorities to address any potential liabilities arising from its processing, and only for the duration of the applicable statute of limitations for such liabilities. Once this period has elapsed, the data must be permanently deleted.