Your browser is out of date. Updated

Data Protection Policy


THIS DOCUMENT HAS BEEN TRANSLATED AUTOMATICALLY. FOR LEGAL PURPOSES THE ONLY VALID CONTRACT IS THE SPANISH VERSION

1. Responsible

In compliance with Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016 (hereinafter RGPD) TITIBATE, with NIF: B26541987 and registered office at C/Piquete,2 - 5ºJ, Logroño, La Rioja (Spain) and complementary regulations informs you of its data protection policy which is applicable to the interested party in its various forms when you provide TITIBATE with personal data by any means.

2. Category of data being processed

  • Identifying data: name, surname, ID card, postal and e-mail address, telephone.
  • User and/or client identification codes or keys.
  • Navigation data, IP address.
  • In the event that the User provides data from third parties, he/she declares to have their consent and undertakes to pass on the information contained in the Privacy Policy, exempting Titibate from any responsibility in this regard.

3. Legitimacy for the treatment and its purpose

The basis of legitimacy of the different data processing of Titibate depends on the case, so:

The consent through the consent or contract, in order to provide the service requested, billing for it, responding to your queries, as well as commercial communications on the same or similar by Titibate through any qualified for the purpose, unless it expressly states its opposition.

The client can modify his decision at any time. In the case of sending an email or a communication of personal data through any other means, the purpose of the collection and processing of such data by Titibate is to respond to queries and requests for information that arise.

In relation to the "cookies" that Titibate uses in the navigation through its web pages (https://titibate.com), they are stored in the terminal equipment of the user and they gather information when visiting these web pages, with the purpose of improving the usability of the same ones, to know the habits or necessities of navigation of the users to be able to adapt to them, as well as to obtain information with statistical purposes.

In the case of those users who are already clients of Titibate, the information obtained with the cookies will also serve for their identification when accessing the different tools that Titibate makes available to them for the management of the services. In any case, users can configure their browser in such a way that it disables or blocks the reception of all or some of the cookies.

4. Assignments and Transfers

The data will not be transferred to third parties except in cases where there is consent or legal obligation. In this sense and in compliance with the provisions of Law 25/2007, of 18 October, on the conservation of data relating to electronic communications and public communications networks, Titibate informs the user that it will proceed to retain and conserve certain traffic data generated during the development of communications, as well as where appropriate, to communicate such data to the competent bodies provided that the legal circumstances provided for in the Act concur.

The addressees of the personal data collected by Titibate, in addition to that indicated in the previous paragraph, will be the following:

  • The employees or collaborators themselves in the performance of their duties.
  • Providers involved in the provision of services, where this is necessary for the provision of services.
  • The judicial or administrative bodies, as well as the State Security Forces and Corps, in the event that Titibate is required under current legislation to provide information related to its clients and their services.
  • Any others who due to the nature of the service must access the data provided with it.

Titibate works with partner companies, i.e. third parties acting as providers, to offer you a better quality of service; some of these providers, such as Google, have their domicile or infrastructures outside the EU. The user knows and expressly accepts in his case via authorization or contract the realization of international transfer of data to this organization and in his case other necessary ones. At any time, the client may contact Titibate to find out the identity of the subcontracted entities for the provision of the services indicated.

5. Data retention

The data provided will be kept for as long as the business relationship is maintained or for as long as necessary to comply with legal obligations. Titibate may keep such data duly blocked during the period in which responsibilities may arise from its relationship with the client.

6. Users' rights and complaints procedure

The holders of the data may at any time exercise the following rights recognized by the RGPD:

  • Right of access. Users have the right to obtain from Titibate information on the processing of data concerning them and to obtain a copy of the same.
  • Right of rectification. Users have the right to have their personal data rectified by Titibate in the event that they are inaccurate or incomplete.
  • Right of suppression. Users have the right to have their data deleted when they are no longer necessary for the purpose for which they were provided, or when the rest of the legally stipulated circumstancesconcur.
  • Right to limit treatment. Users have the right to request a limitation on the processing of their personal data, so that the processing operations that should correspond in each case are not applied to them, in those cases provided for in art. 18 of the RGPD.
  • Right to portability. Users have the right to receive their personal data in a structured format, provided that such data are the sole responsibility of the user and have been provided by the user. Users may exercise their rights by sending a request accompanied by their DNI or valid document proving their identity, addressed to Titibate C/ Piquete, 2 - 5ºJ Logroño (La Rioja) Spain, for the attention of the Commercial Department, specifying the right they wish to exercise or via e-mail to the mailbox info@titibate.com

Users and/or clients may contact the relevant local control authority if they consider that the processing of their personal data has not been carried out in accordance with current legislation. In Spain it is the Spanish Data Protection Agency, whose contact details are available on its website https://www.aepd.es/.

7. Security measures

TITIBATE, as the responsible party, implements the technical and organisational security measures necessary to guarantee the confidentiality, integrity, availability and permanent resilience of the treatment systems and services; the following are not exhaustive:

  • There is a policy of secure passwords for access to personal data stored in systems which, in addition to guaranteeing the confidentiality of the same, preventing them from being exposed to third parties, guarantees the univocal identification of the user.
  • The software and devices are constantly updated, with firewalls and anti-virus software that guarantee, as far as possible, the theft and destruction of information and personal data.
  • There are profiles with administration rights for the installation and configuration of the system and users without privileges or administration rights for access to personal data. This measure will prevent that in case of a cybersecurity attack, access privileges can be obtained or the operating system can be modified.
  • Backups are made to ensure data availability.
  • Periodically, a backup copy will be made in a second support different from the one used for the daily work. The copy will be stored in a secure place, different from the one in which the computer with the original files is located, in order to allow the recovery of personal data in the event of loss of information, thus guaranteeing the availability of the data.
  • An inventory is made of media and registration of their entry and exit.

Each party shall be liable for its own breach of contractual obligations and its own rules.

Titibate warns that, except with legal authorization, no client can use the identity of another person or communicate their personal data, so the data provided must correspond to their own identity and be current, accurate and true. In this sense, the client will be solely responsible for any direct or indirect damage caused to third parties or to Titibate for failing to comply with this clause.

The user who communicates personal data to Titibate declares to be of legal age, in accordance with Spanish legislation, abstaining otherwise from providing data to Titibate. Any data provided about a minor will require the prior consent or authorization of their parents, guardians or legal representatives, who will be considered responsible for the data provided by the minors in their care.

8. Acting as a processor

In accordance with article 28 RGPD and concordant, Titibate will process the personal data with respect to which the client holds the condition of responsible or in charge of the treatment, when this is necessary for the adequate provision of the contracted services. In the event that Titibate and all of its personnel act as the person in charge of the treatment, they do so in accordance with the terms indicated below:

  • Uses the personal data object of treatment, or those that it collects for its inclusion, only for the purpose object of this order. Under no circumstances may you use the data for your own purposes. The object, duration, nature and purpose of the existing data processing in the customer-Titibate relationship will be similar to that indicated in this contract in relation to the provision of the service.
  • It processes the data in accordance with the instructions of the controller.
  • a) The name and contact details of the processor(s) and of each controller on whose behalf the processor is acting. b) The categories of processing carried out on behalf of each controller. c) A general description of the appropriate technical and organisational security measures being implemented
  • It will not communicate the data to third parties, unless it has the express authorisation of the data controller, in the legally admissible cases. If the person in charge wants to subcontract, he must inform the person in charge and request his prior authorization. In this sense, the client authorizes Titibate, in its capacity as treatment provider, to subcontract when necessary to enable the provision of contracted services in compliance with the obligations imposed by the RGPD. At any time, the client may contact Titibate to find out the identity of the subcontracted entities.
  • The client knows and accepts that Titibate may carry out any of the following actions in its capacity as data processor, when they are necessary for the execution of the services: processing the data on portable devices, entry and exit of the supports and documents containing personal data, as well as in its case to subcontract with third parties, in the name and on behalf of the client, the services of storage, custody of backup copies, security and execution of the data recovery procedures is in the obligation to carry out.
  • You maintain the duty of secrecy with regard to personal data to which you have had access by virtue of this order, even after the contract has ended.
  • It guarantees that the persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.
  • When the affected persons exercise their rights of access, rectification, suppression and opposition, limitation of the processing and portability of data before the Titibate, the latter must communicate this by e-mail to the address indicated by the data controller. The communication must be made without undue delay, together, where appropriate, with other information that may be relevant to resolving the request.
  • The data processor shall notify the data controller without undue delay and, where appropriate, the holder of the data via the e-mail address indicated by the data controller, of any breaches of the security of the personal data in his charge of which he has knowledge, together with all the relevant information for the documentation and communication of the incident.
  • The operator shall make available to the operator all information necessary to demonstrate compliance with his obligations.
  • The manager shall implement the technical and organisational security measures necessary to ensure the continued confidentiality, integrity, availability and resilience of the processing systems and services, including but not limited to the following:
    • Data encryption is used when it is necessary to extract personal data outside the environment where the processing is carried out.
    • There is a policy of secure passwords for access to personal data stored in systems which, in addition to guaranteeing the confidentiality of the same, preventing them from being exposed to third parties, guarantees the univocal identification of the user.
    • The software and devices are constantly updated, with firewalls and anti-virus software that guarantee, as far as possible, the theft and destruction of information and personal data.
    • There are profiles with administration rights for the installation and configuration of the system and users without privileges or administration rights for access to personal data. This measure will prevent that in case of a cybersecurity attack, access privileges can be obtained or the operating system can be modified.
    • Backups are made to ensure data availability.
    • Periodically, a backup copy will be made in a second support different from the one used for the daily work. The copy will be stored in a secure place, different from the one in which the computer with the original files is located, in order to allow the recovery of personal data in the event of loss of information, thus guaranteeing the availability of the data.
    • An inventory is made of media and registration of their entry and exit.
  • The data processor must return to the data controller the personal data and, if applicable, the media on which they are stored, once the service has been provided. The return must include the total erasure of the existing data in the computer equipment used by the person in charge. However, the processor may keep a copy, with the data duly blocked, as long as responsibilities for the execution of the service may arise.