Data Protection Policy

MI CANESU BEBE S.L. (the “Company”) is an organization in which personal data processing activities occur. This gives it an important responsibility in the design and organization of procedures, so that they are aligned with legal compliance in this matter. In the exercise of these responsibilities, and in order to establish the general principles that should govern the processing of personal data, the Company approves this Personal Data Protection Policy, which it makes available to its Employees and all interested parties.

  1. Purpose

The Personal Data Protection Policy is a measure of proactive responsibility. Its purpose is to ensure compliance with the applicable legislation in this matter and, in relation to it, respect for the right to honor and privacy in the processing of personal data of all individuals related to the Company.

In developing the provisions of this Personal Data Protection Policy, the Company establishes the Principles governing the processing of data in the organization and, consequently, the procedures and the organizational and security measures that the individuals affected by this Policy undertake to implement in their area of responsibility. To this end, the Directorate will assign responsibilities to the personnel involved in data processing operations.

  2. Scope of Application

This Personal Data Protection Policy will be applicable to the Company, its administrators, managers and other employees, and all people who interact with it, with the express inclusion of service providers with access to data (“Data Processors”). 

  3. Principles for Processing of Personal Data

As a general principle, the Company shall scrupulously comply with the legislation on the protection of personal data, and must be capable of proving this compliance (Principle of “pro-active responsibility”), while paying special attention to any form of processing which could entail a greater risk to the rights of the affected parties (Principle of “risk approach”).

In relation to the above, MI CANESU BEBE S.L. will ensure compliance with the following Principles:

  • Lawfulness, fairness, transparency, and purpose limitation. The interested party shall always be informed of the processing of personal data, through contracts and other procedures. Processing will only be considered lawful if there is consent for it (with special attention to that provided by minors) or it has another valid basis of legitimacy, and its purpose is in accordance with the Regulations.
  • Data minimization. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy. Personal data shall be accurate and, if necessary, kept up to date. In this regard, necessary measures will be taken to ensure that any personal data that may be inaccurate, with respect to the purposes for which they are processed, be deleted or rectified without delay.
  • Storage limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Integrity and confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
  • Transfer of data. It is prohibited to purchase or obtain personal data from illegitimate sources, or to collect or transfer said data in contravention of the law, or if the legitimate origin of said data is not sufficiently guaranteed.
  • Hiring of suppliers with access to data. Only suppliers that offer sufficient guarantees to apply appropriate technical and security measures in the processing of data will be chosen for contracting. Due agreement will be documented with these third parties in this regard.
  • International data transfer. All processing of personal data that is subject to European Union regulations, and that implies a transfer of data outside the European Economic Area, must be carried out in strict compliance with the requirements established in the applicable law.
  • The rights of those affected. The Company will facilitate the exercise by those affected of the rights of access, rectification, deletion, processing limitation, opposition and portability, and will establish internal procedures for these purposes, in particular providing necessary and timely models for their exercise, which must meet at least the minimum legal requirements applicable in each case.

The Company will require that the principles contained in this Personal Data Protection Policy be taken into account (i) in the design and implementation of all work procedures, (ii) in the products and services offered, (iii) in all contracts and obligations that it formalizes or assumes, and (iv) in the implementation of any systems and platforms that allow employee or third-party access and/or the collection or processing of personal data.

  4. Commitment of Workers

Workers are informed of this Policy, and declare themselves aware that personal information is a Company asset. In this regard, they will adhere to it and commit to the following:

  • Undergo any training aimed at raising awareness of data protection that the Company may put at their disposal.
  • Apply security measures at the user level that apply to their job, without prejudice to any design and implementation responsibilities that could be attributed to them, according to their role within MI CANESU BEBE S.L.
  • Use the format established for the exercise of Rights by those affected, and inform the Company immediately, so that a response may be made effective.
  • Inform the Company, as soon as it becomes apparent, of deviations from the provisions of this Policy, in particular of “Violations of security of personal data”, using the format established for this purpose.

  5. Control and Evaluation

The effectiveness of the technical and organizational measures that guarantee the security of the processing of personal data will be verified, evaluated and assessed annually (or whenever there are significant changes in data processing).