Privacy Policy

1. Applicable Law

This service provision agreement shall be governed by Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, the ‘LOPDGDD’), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, the ‘Regulation’), and any other Union or Member State data protection provision.

2. Purpose of the Data Processor

To provide the SaaS services, CODEOSCOPIC S.A., as the Data Processor, is authorized under the following clauses to process the necessary personal data on behalf of its clients, the Data Controllers.

Specifically, the processing shall consist of the following functions.

The specific processing operations to be carried out shall consist of those specified in the section for each of the services:

3. Identification of the Affected Information

For the execution of the services derived from the fulfillment of the purpose of this assignment, the controller shall make available to the processor all information concerning clients and employees that is essential for the proper performance thereof. Likewise, if necessary, the processor may connect to the equipment owned by the controller via remote connection applications, subject at all times to the prior authorization of the controller.

4. Duration

This agreement shall have an indefinite term, linked to the duration of the subscription of the service provided. Upon termination of the current provision of services, the processor must return the personal data to the controller or to the company designated by the latter and delete any copies in the Processor’s possession. Notwithstanding the foregoing, the processor may retain all data that are not defined as personal data under the regulation and the LOPDGDD for the purpose of conducting market research.

5. Obligations of the Processor

The processor and all its personnel undertake to:

  1. Use the personal data subject to processing, or the data collected for inclusion, solely for the purpose of this assignment. Under no circumstances may the data be used for their own purposes.
  2. Process the data in accordance with the instructions of the data controller. If the processor considers that any of the instructions infringes the LOPDGDD, the GDPR, or any other data protection provisions of the European Union or its Member States, the processor shall immediately inform the controller.
  3. Where applicable, keep a written record of all categories of processing activities carried out on behalf of the controller, which shall include:
     3.1 The name and contact details of the processor(s) and of each controller on behalf of whom the processor acts, and, where applicable, the representative of the controller or processor and the data protection officer.
     3.2 The categories of processing carried out on behalf of each controller.
     3.3 Where applicable, transfers of personal data to a third country or an international organization, including identification of such third country or organization and, in the case of transfers referred to in Article 49(1), second paragraph of the GDPR, documentation of appropriate safeguards.
     3.4 A general description of the technical and organizational security measures.
  4. Not disclose the data to third parties, unless expressly authorized by the controller or in legally permissible cases. The processor may communicate the data to other processors of the same controller, in accordance with the controller’s instructions. In this case, the controller shall identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated, and the security measures to be applied for the communication. If the processor must transfer personal data to a third country or an international organization under Union or Member State law applicable to it, it shall inform the controller of this legal requirement in advance, unless such law prohibits it for important reasons of public interest.
  5. Maintain confidentiality regarding the personal data accessed under this assignment, even after its purpose has been completed.
  6. Ensure that individuals authorized to process personal data explicitly commit in writing to confidentiality and to comply with the corresponding security measures, of which they must be properly informed.
  7. Keep available to the controller the documentation demonstrating compliance with the obligation established in the previous paragraph.
  8. Ensure that authorized personnel receive the necessary training in personal data protection.
  9. Support the controller in carrying out data protection impact assessments, where applicable.
  10. Support the controller in carrying out prior consultations with the supervisory authority, where applicable.
  11. Make available to the controller all information necessary to demonstrate compliance with its obligations, as well as for audits or inspections conducted by the controller or another auditor authorized by it.

6. Subcontracting

The processor is authorized to subcontract certain services to a third party, such as application hosting services, necessary for the subscription to the service covered by this contract. The servers are located within the European Union.

The subcontractor, who also holds the status of processor, is likewise obliged to comply with the obligations established in this document for the processor and with the instructions issued by the controller. It is the responsibility of the initial processor to regulate the new relationship so that the new processor is subject to the same conditions (instructions, obligations, security measures, among others) and the same formal requirements as the initial processor, regarding the proper processing of personal data and the safeguarding of the rights of the data subjects. In the event of non-compliance by the sub-processor, the initial processor shall remain fully liable to the controller with respect to the fulfillment of the obligations.

7. Identification of the Affected Information

The processor must assist the controller in responding to the exercise of the following rights:

  1. Right of access, rectification, erasure, and objection.
  2. Right to restriction of processing.
  3. Right to data portability.
  4. Right not to be subject to automated individual decisions (including profiling).

When data subjects exercise their rights of access, rectification, erasure, objection, restriction of processing, and/or data portability, or the right not to be subject to automated individual decisions, with the processor, the processor must immediately notify the controller. Such communication must be made without delay and in any case no later than the next business day following receipt of the request, together, where applicable, with any other information that may be relevant to resolve the request.

8. Right to Information

It is the responsibility of the controller to provide the right to information at the time of data collection.

9. Notification of Security Breaches or Incidents

The processor shall notify the controller without undue delay and, in any case, within a maximum period of 72 hours and by any means, of any personal data security breaches under its responsibility of which it becomes aware, together with all relevant information for the documentation and communication of the incident. Notification is not required when it is unlikely that the security breach poses a risk to the rights and freedoms of natural persons. If it is not possible to provide all the information simultaneously, it shall be provided gradually without undue delay to the extent that it is not available immediately.

It is the responsibility of the processor to communicate personal data security breaches to the Data Protection Authority. In both cases, the communication shall contain at least the following information:

  • a) Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
  • b) Name and contact details of the data protection officer or another point of contact where more information can be obtained.
  • c) Description of the possible consequences of the personal data security breach.
  • d) Description of the measures taken or proposed to remedy the personal data security breach, including, where applicable, measures taken to mitigate potential adverse effects.

10. Security Measures

The processor shall implement mechanisms to:

  1. Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  2. Restore the availability and access to personal data promptly in the event of a physical or technical incident.
  3. Regularly verify, evaluate, and assess the effectiveness of the technical and organizational measures implemented to ensure processing security.
  4. Pseudonymize and encrypt personal data, where appropriate.

In this regard, the processor undertakes to ensure the security of processing carried out at its facilities with the controller’s data, adopting the appropriate technical and organizational measures to guarantee a level of security adequate to the risk, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. The determination of the specific measures to be implemented is specified in the section corresponding to each service in this document.

11. Data Protection Officer

The processor shall notify the controller, if appointed, of the identity and contact details of the Data Protection Officer (DPO).

Codeoscopic informs that the functions of the Data Protection Officer are carried out by the company Explotación de Software Integral S.L., which has the capacity to perform these functions and is registered with the Spanish Data Protection Authority (AEPD) as such. The DPO can be contacted for any needs at the email address:

12. Termination of the Service

Once the subscription to the services has ended, the processor shall return to the controller, or to another processor designated by the controller, the personal data and, if applicable, the media on which it is stored.

The return shall include the complete deletion of the data stored on the processor’s IT equipment, except for any data that is not defined as personal data under the GDPR and the LOPDGDD, which may be retained for the purpose of conducting market studies.

However, the processor may retain a copy of the data, properly blocked, as long as any liabilities arising from the execution of the subscription may exist.

13. Obligations of the Controller

The controller shall:

  • a) Provide the processor with the data referred to in clause 2 of this document.
  • b) Conduct a data protection impact assessment regarding the processing operations to be carried out by the processor.
  • c) Conduct the necessary prior consultations.
  • d) Ensure, before and during the entire processing, compliance with the GDPR by the processor.
  • e) Supervise the processing, including conducting inspections and audits.

14. Mutual Duty of Information

Both parties mutually inform each other that the personal data of the individuals listed in the heading of this document will be processed by each of them for the purpose of managing the object of this document and for the sending of commercial information by the processor regarding products and services similar to those contracted by the controller. The legal basis for the processing of the data is the execution of a contract and the legitimate interest of the processor in the case of commercial communications. The data will not be disclosed to third parties, except when required by law or when necessary for the development, fulfillment, and control of the existing relationship. The personal data provided will be retained as long as the contractual relationship is maintained. Once the commercial relationship ends, the data will be kept as long as necessary to comply with legal obligations, in order to respond to possible incidents arising from the services provided. Once the responsibilities arising from such legal obligations have expired, the data will be deleted.

The signatories have the right to access their personal data, request the correction of any inaccurate data, and request deletion when, among other reasons, the data are no longer necessary for the purposes for which they were collected. Under certain circumstances, they may also request the restriction of processing, in which case the data will only be retained for the exercise or defense of claims. They may also withdraw their consent and request the portability of their data. For reasons related to their particular situation, they may object to the processing of their data, in which case the other party shall cease processing, unless there are compelling legitimate grounds or the exercise or defense of possible claims. They may exercise their rights at the registered office of the controller indicated above, attaching a copy of their ID and specifying the right they are exercising.

Both parties, expressly waiving any jurisdiction to which they may be entitled by law, submit to the jurisdiction of the Courts of Madrid for the resolution of disputes arising from the interpretation or execution of this contract.
