Personal Data Protection Corporate Policy

  1. Introduction.

    SOFTTEK respects the fundamental rights and freedoms of individuals, including the right to the protection of their personal data, and is committed to protecting the privacy of its customers, employees and business partners, and the processing of their personal data. To this end and as part of its corporate responsibility, SOFTTEK will carry out all its activities in accordance with personal data protection regulations at all points where it operates.

    As a global organization operating in numerous countries, SOFTTEK needs to ensure that information, including personal data, is treated securely across all SOFTTEK companies, groups, affiliates and/or subsidiaries, with an adequate and uniform level of protection, for which it establishes common behavioral guidelines that are defined in this policy.

    The purpose of this Corporate Policy for the Protection of Personal Data is to establish the common and general principles and guidelines of action that must govern all entities related to SOFTTEK in matters of personal data protection, guaranteeing, in any case, compliance with the applicable legislation.

  2. Scope.

    This Policy is applicable to all companies that make up SOFTTEK, to the investee companies not integrated into the group over which SOFTTEK has effective control, within the legally established limits, as well as to all people who are related to the entities belonging to the group. In those investee companies in which this Policy is not applicable, SOFTTEK will promote the alignment of this policy with those of said companies. In addition, this Policy is also applicable, where applicable, to joint ventures, temporary unions of companies and other equivalent associations, when SOFTTEK assumes their management.

    Without prejudice to the provisions of the previous paragraph, SOFTTEK companies, under their own framework of autonomy, may establish an equivalent policy, which must be in accordance with the principles compiled in this Policy.

    The Personal Data Protection Policy applies to all departments, operational areas, as well as their administrators, directors, employees, and all people who are related to the entities belonging to SOFTTEK and must be known and complied with by all members of the group.

    This personal data protection policy applies to all data processing carried out by SOFTTEK in its relations with its employees, former employees, contacts, job applicants, clients, potential clients, suppliers, as well as in the provision of the services that SOFTTEK provides to third-party companies and organizations and that involve access to and processing of data on behalf of third parties.

    All people linked to SOFTTEK will promote that the principles compiled in this policy are taken into account (i) in the design and implementation of all procedures that involve the processing of personal data, (ii) in the products and services offered by them, (iii) in all contracts and obligations formalized with natural persons and (iv) in the implementation of any systems and platforms that allow access by SOFTTEK professionals or third parties to personal data and its collection or processing.

    This policy covers the entire life cycle of personal data: Generation or capture, data collection, data maintenance and processing, data use, data sharing, data archiving and data destruction. This Policy does not apply to the processing of anonymous data (for example, information that includes random names without directly or indirectly identifying a real person).

  3. References.

    • GDPR: The General Data Protection Regulation is the European regulation relating to the protection of natural persons regarding the processing of their personal data and the free circulation of this data in the EU and the European Economic Area.
    • LFPDPPP: The 'Federal Law on Protection of Personal Data Held by Private Parties' is a regulatory body of Mexico, approved by the Congress of the Union on April 27, 2010, which aims to regulate the right to informational self-determination.
    • CCPA: It is the first comprehensive modern data protection law in the United States. California Consumer Privacy Act is a statewide privacy law that regulates how organizations can manage the personal information of California residents.
    • LPDP: Personal Data Protection Law or Law 1581 of 2012, recognizes and protects the right of all individuals to know, update and rectify the information that has been collected about them in databases or files that are subject to processing by public or private entities.
    • LGPD: The General Law on Personal Data Protection (Law No. 13,709/2018), also known as LGPD, created rules for the protection of personal data of all Brazilians, with the aim of guaranteeing the rights of freedom, privacy, and free development of personality.
    • Information Security Policy: It is the document approved by management, which includes its commitment to guaranteeing the security of the information and establishes the measures and controls that the company will adopt to ensure the confidentiality, integrity, availability, and privacy of the information.

  4. Application of the Policy.

    The Information Security Office, together with the Legal Services, will develop and keep updated the Corporate Personal Data Protection Policy, which will be implemented by the aforementioned Office.

    Likewise, the Information Security Office and Legal Services of each country will establish local internal procedures that develop the principles compiled in this Policy and that specify its content based on the applicable law in their respective jurisdictions.

    The Legal Department of each country will be responsible for reporting to the Information Security Office on the developments and regulatory developments that occur in the field of personal data protection.

    The Local Security Committees or equivalent bodies, together with those responsible for Technological Infrastructure (IT), will be responsible for implementing the appropriate computer controls and developments in the information systems of the companies of the group to ensure compliance with the internal regulations for global data protection management and will ensure that these developments are always updated.

    Additionally, SOFTTEK companies must: (i) designate the people responsible for the data (Local Personal Data Privacy Manager), who will act in coordination and under the supervision of the Information Security Office; and (ii) coordinate with the Information Security Office any activity that implies or entails the management of personal data, respecting in all cases the framework of autonomy of the companies.

    It is the responsibility of the Audit area to supervise compliance and effectiveness of the provisions of this Policy by each Group Company. The foregoing will be understood, in any case, without prejudice to the responsibilities that correspond to other bodies and management of the Company and, where appropriate, to the administrative and management bodies of the SOFTTEK companies. To verify compliance with this Policy, information security audits will be carried out, with internal and/or external auditors, and other controls.

    The Information Security Office will review and evaluate, at least once a year, this Policy and will keep the Local Security Committees or equivalent bodies informed about risks, events or incidents that may arise related to the privacy of the information or any breach related to this Policy. It will also provide education and awareness content on Personal Data Protection.

  5. Personal Data Privacy Officers.

    The Corporate Personal Data Privacy Officer is responsible for ensuring that SOFTTEK complies with all applicable local and international data protection regulations. He is also responsible for defining and updating the Corporate Personal Data Protection Policy and ensuring its compliance.

    The Corporate Data Privacy Officer, as designated by the Executive Security Committee, is the director of the Information Security Office.

    Each SOFTTEK group company must designate people responsible for the security of personal data in its company or location (Local Personal Data Privacy Managers), who will act in coordination and under the supervision of the Information Security Office, and they will define the communication channels with the companies under their charge, according to local regulations, so that the owners of the data that require it can contact them to exercise their rights.

  6. Principles of processing Personal Data.

    Any activity within the life cycle of personal data that can be carried out by SOFTTEK, both for processing activities within the different business processes, for the administration and management of personnel, economic, accounting and tax management, commercial, marketing and communication actions, as well as the management of clients, suppliers and potential clients carried out at SOFTTEK, will be carried out in accordance with the following general principles of personal data processing:

    • Principle of legality, equity, and transparency. The personal data collected will be processed in a lawful, fair, and transparent manner. Only the information that is required will be requested, clearly indicating the uses and purposes of the treatment that is planned to be carried out. During the treatment, said personal data will only be used for the purposes for which they have been collected.
    • Purpose limitation principle. The personal data collected will only be for specific, explicit, and legitimate purposes, and will not be subsequently processed in a manner incompatible with such purposes.
    • Data minimization principle. The data collected will be those strictly necessary to fulfill the purposes for which they are required.
    • Precision principle. The personal data collected must be kept complete, correct and up to date. The data will be updated every time the owner requests it or because they have direct knowledge of the outdatedness of a specific data.
    • Storage limitation principle. Personal data will be stored for the legal periods applicable to each processing activity carried out. Once they are no longer needed for the purposes for which they were collected, they must be deleted or destroyed, unless there are other reasons to retain them, in which case a minimum legal retention period applies, in accordance with the available processing authorizations.
    • Principle of integrity and confidentiality. Personal data collected must be subject to technical, organizational and security measures to ensure that our business activities, information, documentation, and processes in which it is used are protected against unauthorized or unlawful access, loss, destruction, or accidental damage.
    • Principle of legitimacy of the source. The personal data collected must not be obtained from illegitimate sources, from sources that do not guarantee its origin or from sources whose data have been collected or transferred in violation of the law.
    • Principle of proactive responsibility. Appropriate technical and organizational measures for privacy by design and by default will be established to ensure compliance with personal data legislation, and the traceability of the decision-making processes related to their processing will be ensured.

  7. Data Owner Rights.

    The Group companies must allow interested parties to exercise the rights that apply in each location, establishing, for this purpose, the internal procedures that are necessary to satisfy, at least, the legal requirements applicable in each case. SOFTTEK also undertakes to respect at least the following rights:

    • Right of access. The right of the data subject to obtain information on whether his/her own personal data is being processed, the categories of data being processed, the purpose of the processing, available information on the origin of the data when the data was not originally received from the data subject, the period of retention of the data and any communications made or planned to be made.
    • Right of Rectification. Right of the data subject to correct or modify any personal data that is found to be inaccurate or incomplete. The applicant's request must indicate what data it refers to and the correction that must be made. It must include, when necessary, documentation that justifies the inaccuracy or incompleteness of the data being processed.
    • Right of deletion. Right of the owner to delete their data when the following circumstances occur:
      • Personal data is not necessary for the processing carried out.
      • The data owner withdraws consent for the processing of the data, if no other legitimate purpose is applicable (legal relationship or contract, legitimate interest, legal obligation).
      • When the personal data of the owners have been unlawfully processed by SOFTTEK.
      • The data owner objects to the processing for profiling, based on a legitimate interest.
    • Right to limitation of treatment. Right of the data owner to limit SOFTTEK's processing of their data when:
      • The owner challenges the accuracy of their personal data, for a period that allows their accuracy to be verified, or
      • When the treatment is illegal, but the owner opposes the deletion of personal data, they may request that the treatment be limited, or
      • When they are no longer necessary for the treatment, the affected person may request a limited deletion to use the data to file a claim, or
      • When the data owner objects to a profiling process based on legitimate interest.
    • Right to data portability. Right of the data owner to receive the data provided (name, surname, postal and email address, telephone number, Identification Document Number), in a structured and commonly used format, data that has been obtained with express consent or in a contract, and of which the treatment is carried out by automated means. Furthermore, the owner may authorize the data to be transmitted directly to another party if this is technically possible.
    • Right not to be subject to a decision based solely on automated processing. Right of the data subject not to be subject to a decision, with legal effects, based solely on automated processing, including profiling.
    • Right to object to data processing. Right of the owner to prevent the processing of their personal data, or to have it cease, when consent for the processing is not necessary because legitimate interest is the legitimizing basis, or when the data is used for direct marketing.
    • Right to be forgotten. Right of the data owner to request the deletion of their data made public by SOFTTEK and to delete any link to them. This right assumes that the data has been published on the internet, social networks, blogs and/or comments.

    The properties common to all these rights are:

    1. Very personal rights: This means that they can only be exercised by the owner of the data, by his legal representative, in the case of minors or people with disabilities, or by his voluntary representative specifically designated to exercise any of these rights. Therefore, SOFTTEK will deny the exercise of these rights if they are requested by a person who is not the owner of the data or who does not adequately certify that they are acting on their behalf.
    2. Independent rights: This means that it is not necessary to exercise any of them previously to exercise another; each one is exercised separately and independently.
    3. Obligations: SOFTTEK undertakes to facilitate the exercise of these rights to those affected and to respond to their request within the legally established deadlines, regardless of the procedure used by the interested party and even if the person responsible for the file does not have personal data of said data owner, this person must be able to support the response to the applicant.
    4. Procedure: The exercise of these rights must be carried out through simple and free procedures that SOFTTEK must make available to interested parties.
    5. Claims before the Control Authority: If a right request cannot be attended to, SOFTTEK must communicate the reasons for not acting and the possibility of filing a claim with the Control Authority. This notification must be made within the deadlines established by the legislation of the country where the claim is presented or, in cases where no deadlines are established, a maximum of one month from receipt of the request.

  8. Personal data processing purposes.

    The collection, processing, and use of personal data within SOFTTEK is only permitted for the following purposes:

    1. Processing of customer data for a contractual relationship. The personal data of our potential clients, customers, partners, and suppliers may be processed only to establish a commercial or contractual relationship, manage it over time, execute or comply with contractual, tax and/or accounting obligations, as well as resolve a contract. Thus, personal data may be processed to:
      1. Track pre-sales and sales activities. To improve user service procedures and update the catalog of products and services, understanding the way in which the user interacts with the Repsol group, as well as detecting their degree of satisfaction.
      2. To prepare offers or orders. To send commercial information about activities, products, and services, as well as to have fluid communication with our clients and to be able to provide the best offer or service.
      3. To send commercial information. Identify the people who represent the client or who intervene as contacts for the purposes of contracting. This treatment is only applicable in the case where the client is a legal entity.
      4. For the execution of contracts with suppliers and clients. There are a series of treatments that are necessary for the execution and development of contractual relationships. Without the processing of personal data for these purposes, the existence of said contractual relationships would not be possible because it is inherent to it. Develop, control and maintain the contractual relationship, manage the signature even through electronic signature platforms including the issuance of an electronic signature certificate, carry out and manage the transactions that have been contracted, contact, billing, collection and debt management, customer service (even with the possibility of recording telephone calls), sending non-commercial information related to the contract and managing complaints, requests, suggestions and attention to possible incidents.
      5. For compliance with legal obligations. Customer data may be processed according to the legitimate basis for processing. Sometimes, the basis that legitimizes the processing is the fulfillment of contractual obligations or the fulfillment of a legal obligation, as is the case of data processing for accounting and tax purposes; in other cases, the treatment will be legitimized solely based on consent. In such cases, before the client or potential client consents, they must be informed according to the privacy and data protection policy. The declaration of consent must be obtained electronically or in writing for the purposes of management, conservation, and traceability of consent. In some circumstances, such as telephone conversations, consent can be given verbally. In these cases, SOFTTEK recommends the use of call recording systems.
      6. Treatments of general interest. These Treatments are necessary to fulfill a mission carried out in the public interest. Specifically, they are Treatments aimed at guaranteeing security conditions and avoiding the commission of illegal acts, such as capturing images through security cameras for facility security purposes and other security actions, or managing complaints or internal investigations due to violation by the Interested Party of internal regulations or the Code of Ethics, which implies management of the file and the consultation of the areas that are necessary for this.
      7. For advertising and marketing/communication purposes. To maintain the relationship with the client by registering new products, improving the conditions of the products and/or services that have been contracted and offering information about similar products and/or services that may be of interest to the client. Cases like:
        1. If the interested party contacts SOFTTEK to request information (for example, a request to receive advertising material about a product), data processing is permitted to fulfill this request.

          The specific instructions and policies adopted by SOFTTEK must be followed for the different advertising actions and use of means of contact with potential customers, given that advertising actions are subject to additional legal requirements.
        2. The data may be processed for advertising, market, or opinion purposes, if the data has been collected with valid consent and for these specific purposes. Any potential client or client must be informed about the use of their data for advertising purposes.
        3. In the case of planning any action related to advertising campaigns or communication to potential professional contacts (professional contacts in their capacity as representative or point of contact of a client or potential client), you will be asked for consent to process the data for advertising purposes during the first communication. If the interested party rejects the use or does not authorize the use of their data for advertising purposes, these data can no longer be used for such purposes and their use must be blocked.

    2. Processing of customer data for the fulfillment of SOFTTEK's legitimate interests. Personal Data may also be processed if it is necessary to:
      1. Fulfill the legitimate interests of SOFTTEK. Legitimate interests are generally legal in nature (i.e. collection or recovery of amounts owed) or satisfaction surveys for the improvement of products and services.
        1. Personal data cannot be processed based on a legitimate interest of SOFTTEK if there is evidence that the interests and rights of an individual person prevail over the legitimate interests of SOFTTEK.
        2. Therefore, the application of SOFTTEK's legitimate interest as a legitimate basis for processing is not always appropriate. For each case, an analysis of the prevalence between the legitimate interests and the rights of the people must be carried out.
      2. Historical Archive. Keep an archive of activities in the face of possible responsibilities or as historical memory for the time defined by law.
      3. Automated individual decisions. This is data processing carried out in an automated manner, used to evaluate certain aspects (for example, solvency). This type of data processing must be communicated to the interested party.
      4. Processing of data derived from accesses and visits to a website. If personal data is collected, processed, and used on websites or applications, interested parties must be informed of these purposes in a privacy statement and, where appropriate, in a cookie use policy. This information must be easily identifiable, directly accessible, and constantly available to interested parties. If tracking profiles are created to evaluate the use of websites and applications, data subjects should always be informed. Monitoring can only be carried out if it is permitted by the country's legislation or with the consent of the interested party.

    3. Processing data of employees, former employees, and candidates. At SOFTTEK we carry out various data processing derived from the relationship with our employees, thus, we use personal data to:
      1. Hiring and onboarding management.
      2. Identification within the organization and granting access to facilities and information systems.
      3. The allocation of work resources, such as computer equipment, email, applications, telephones, other resources.
      4. Management and monitoring of labor relations by the human resources department, such as vacations and permits.
      5. Payment of salaries and compensations, payroll advances, expenses, withholdings, subsidies, benefits, and other remuneration in kind.
      6. Occupational risk prevention programs.
      7. Management of health, safety, and occupational health services; hiring and termination, absenteeism.
      8. To participate in training.
      9. Other social benefits for the interested party (restaurant vouchers, travel management...)
      10. Management of the “offboarding” process.
      11. Management of obligations with former employees.
      For certain data processing needs, especially sensitive data will be needed, such as health data, for the management of health treatments and the prevention of occupational risks.

      We may also process employee data within SOFTTEK's corporate management, in accordance with authorizations granted by national authorities regarding international transfers and protection of personal data.

  9. Data processing on behalf of the client in the provision of SOFTTEK services. 

    The processing of data in the name and on behalf of the CLIENT means that SOFTTEK has been contracted to provide a service that may involve access and processing of personal data. In these cases, access to the data must be limited to the service provided to the CLIENT, following the instructions provided by the CLIENT himself and previously signing the data access contract model for third parties at the start of the service, defined by the Legal Services of each country and validated by the Local Data Privacy Officer.

    During the provision of services that involve or may involve access to data that is the responsibility of the client, all SOFTTEK personnel in charge of this provision of services and SOFTTEK resources that are used for the same provision of services, will be subject to the following principles:

    • The data will not be removed from the CLIENT's environment unless it is stipulated in the contract or notified in writing by the CLIENT, in which case what is defined by the CLIENT will prevail.
    • The data will only be processed according to the instructions given by the CLIENT and for the correct provision of the services contracted by the CLIENT to SOFTTEK.
    • Personal data will not be used for any other purpose than to provide the service.
    • Personal data will be returned to the CLIENT once the contracted services have been completed, following the instructions received from the CLIENT.
    • In the case of subcontracting of services, the subcontracting will be regulated in accordance with the authorizations granted by the CLIENT.
    • Security measures will be implemented in the devices and resources to ensure the security of personal data to prevent alteration, loss, unauthorized access, or processing, considering the state of technology, the nature of the data stored and the risks of exposure, whether from human action or environmental hazards.

  10. Processing of personal data under SOFTTEK's responsibility by service providers.

    In the event of contracting external suppliers for the processing of personal data under SOFTTEK's responsibility, the guidelines established in this Policy must be followed, as well as any instructions or directives provided for such purpose by the Legal Services of each country or by the Local Data Privacy Officer.

    • The area or department responsible for any data that may include personal data, sent for processing to an external provider, shall notify the Information Security Office (security@softtek.com) or the area determined by the Information Security Office, the identity of the service provider, type of service, categories of data or information to which the provider has access, technology, and any other considerations.
    • A contract/annex regulating the access and processing of data for the provision of the service will be signed between SOFTTEK and the provider.
    • The Data Processor may only access and process the data, following SOFTTEK's instructions.
    • The data processing provider shall be obliged to submit information on its ability to meet the technical and organizational needs required by the contracted service. Consideration must be given to protection.
    • Prior to initiating any data processing, the Service Provider shall share any documentation evidencing the adoption of technical and organizational security measures on the processes, procedures, applications, and persons who will access and process SOFTTEK's information.
    • If the data processing is carried out by subcontractors, the provider is obliged to enter into data processing contracts with such subcontractors based on standard contractual clauses defined by SOFTTEK's legal department in the country for the processing of personal data.
    • Upon termination of the contracted services, the Supplier shall follow SOFTTEK's instructions for the return of the data still in the Supplier's facilities, certifying in writing the total return of the data.
    • Contractual obligations and responsibilities will be established for data breaches by the Provider, expressly assuming all liability to the data subjects and to the Supervisory Authorities.
    • SOFTTEK may request evidence from the supplier of compliance with personal data protection policies.

  11. General obligations of employees in relation to the processing of personal data.

    Personal data is classified as restricted. Any unauthorized collection, processing, or use of data by employees is prohibited.

    Any processing of data by an employee that he/she has not been authorized to carry out as part of his/her job duties and functions is prohibited.

    Authorized employees may have access to information, data, and documentation necessary for the fulfillment and development of their job functions within SOFTTEK. Therefore, our organization has implemented measures and resources for the implementation of roles and responsibilities of users.

    Employees are prohibited from using personal data for private or commercial purposes, disclosing it to unauthorized persons or making it available in any other way.

    SOFTTEK's privacy and data protection policy must be published and available to all employees and must inform all employees of the obligation to protect the confidentiality of data, an obligation that will remain in force even after the employee has terminated his or her relationship with SOFTTEK if local laws permit.

  12. Transmission of Personal Data.

    In general, SOFTTEK will not transfer the data of the Interested Parties, except in the following cases:

    • To competent authorities and bodies, courts, tribunals or any other third parties legitimized in accordance with the applicable regulations. If the transmission of data is necessary for compliance with a legal or contractual obligation, the organizational unit performing the actual processing of the data will request assistance from the Local Data Privacy Officer for support in carrying out the actions and adopting the appropriate procedures.
    • To third parties holding common documents for the fulfilment of monetary obligations, when the client incurs a non-payment, and there are legitimate interests.
    • To third party owners of services or products that the user voluntarily requests (for example, when the user wants to take advantage of an offer from another company of the group or a partner).
    • To certain SOFTTEK companies to fulfill the contracted purposes. In all cases, the international transfer will be made with appropriate safeguards and on condition that the individuals have enforceable rights and effective legal remedies. With all of them there are Standard Contractual Clauses (also called "SCC" or "Standard Corporate Rules") signed between the members of the group to ensure compliance with the regulations of each country regarding Personal Data Protection.
    • It is also possible that third parties, suppliers of SOFTTEK, may have access to the personal data of the data subjects to provide services to SOFTTEK (companies operating in the following sectors: technology, legal advice, marketing agencies, IT services, payment processing, administrative managers for solvency control, etc.). These suppliers will only access the Personal Data to carry out their services in the name and on behalf of SOFTTEK, under the obligation of confidentiality, always following its instructions and without at any time using such data for their own purposes and/or unauthorized purposes.

  13. Security.

    Personal data must be protected against unauthorized access, unlawful processing, or unauthorized disclosure, as well as against accidental loss, alteration, or destruction. This applies regardless of whether the data is processed electronically or on physical media.

    Upon the introduction of new data processing methods at SOFTTEK, the Local Data Privacy Officer, together with the Information Security Office and the Information Technology area, will define and document the process to be performed, its characteristics and security measures to protect personal data. These measures must be based on current technology, potential processing risks and data protection requirements (as defined by SOFTTEK's data classification standard).

    Technical and organizational measures to protect personal data are part of SOFTTEK's Information Security Office and must be continuously adjusted to technological developments and organizational changes.

  14. Data protection control.

    SOFTTEK's compliance with the data protection policy and data protection laws is continuously verified through information security audits and other controls.

    These actions are the responsibility of the Corporate Data Privacy Officer, Local Data Privacy Officers, internal auditors, or external auditors contracted for this purpose. The results of the evaluation of these controls must be shared with the Local Security Committees or equivalent bodies.

    Upon request, the results of data protection checks shall be made available to the competent data protection authority. The data protection authority may conduct its own inspection of compliance with the rules of this Policy, as permitted by local law.

  15. Data protection incidents.

    All employees must immediately inform their leader and the Local Data Privacy Officer about cases of violation of this policy, as well as report the incident or event, depending on the case, in HELP.

    The following are, among others, data security incidents:

    • Accidental transmission of personal data to third parties,
    • Inappropriate access by third parties to personal data, or
    • Loss of personal data.

    The following are, among others, data security events:

    • In general, any risky or improper processing of personal data.

    The Local Data Privacy Officer shall prepare a report together with the Information Security Office, the Technology Infrastructure department and other areas and departments involved in the security incident, to determine the actions to be taken.

    In the case of Data Privacy Incidents, they must be communicated and documented immediately, following SOFTTEK's Information Security Incident Management, so that the reporting obligations under local legislation to the Supervisory Authority can be fulfilled within the timeframe stipulated by the applicable laws from the date of knowledge of the incident.

  16. Sanctions and Liabilities.

    SOFTTEK's Management is responsible for the data processing carried out in its area of responsibility and is therefore obliged to ensure that the legal requirements and the contents defined in the Corporate Data Protection Policy (or equivalent local document) are complied with.

    The management team is responsible for ensuring that the organization, human and technical resources, have adequate controls in place to ensure that data processing is carried out in accordance with this data protection policy.

    Any department or area responsible for the development of processes and projects involving the collection of personal data must share this process with the Local Data Privacy Officer for review and approval. For any personal data to be processed, privacy and any other obligations to SOFTTEK must be considered from the initial design, including an initial assessment of the risks to the rights of individual data owners before any data is processed.

    If the information processing operations involve the collection and processing of particularly sensitive data, an additional risk assessment will be carried out by the Local Data Privacy Officer, which will analyze: the risks arising from the processing and compliance of the data and the security measures to be adopted to minimize the risks that may arise from the processing of these categories of data.

    Improper processing of personal data or other violations of data protection laws may be criminally prosecuted, including administrative sanctions or fines for violations, while allowing the data subject to claim damages.

Last modification: Apr 2024.