Personal data protection

At TuComex we collect personal data for the following purposes:

Subscribe to our newsletter for people who request it, through the form provided for this purpose: in this case, the personal data collected are name and email address. That is, the minimum data to be able to get the newsletter to interested people.
We do not process any of the data collected, apart from including them in files to keep them organized.

CUSTOMER DATA:

The data collected will be kept for the duration of the business relationship with the client, or the term stipulated by current legislation. They will not be transferred to third parties in any case, except by legal mandate.

SUBSCRIBER DATA:

They will be stored in our files as long as subscribers do not request their withdrawal, at which point their data will be deleted.

The data of the subscribers to our newsletter is transferred to the Mailchimp platform (www.mailchimp.com), which allows us to send our own newsletters in email campaigns.

Data of the person responsible for the treatment:

Identity: TuComex Servicios de Internacionalización – ID: B-04951091

Postal address: C/ Calnuevas, 2, 19001 Guadalajara

Telephone: 605454567 – Email: info@tucomex.com 

You have the right to obtain information about whether TuComex is treating your personal data, so you can exercise your rights of access, rectification, deletion and portability of data and opposition and limitation to its treatment before TuComex Servicios de Internacionalización, C / Calnuevas, 2 – 19001 Guadalajara, or at the email address info@tucomex.com, attaching a copy of your ID or equivalent document. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national control authority by addressing this purpose to the Spanish Agency for Data Protection, C / Jorge Juan, 6 – 28001 Madrid.

Whenever they want to collect personal data, the user’s consent will be requested.

Article 5.1.f of the General Data Protection Regulation (hereinafter, GDPR) determines the need to establish adequate security guarantees against unauthorized or illicit treatment, against the loss of personal data, destruction or accidental damage. At TuComex we establish the necessary technical and organizational measures aimed at ensuring the integrity and confidentiality of personal data: protected data is protected by passwords in all cases: access to computers, access to cloud storage or third-party platforms (always organizations with proven competence and guarantee, who manage their own passwords). The protected data is not extracted in memory units type pendrive, printed on paper, … nor is any other operation carried out with them in which there may be risk of loss, deterioration or theft.

In addition, we establish visible, accessible and simple mechanisms for the exercise of rights and we have defined internal procedures to guarantee the effective attention of the requests received.

The rights for users of our website, regarding their personal data, are:

RIGHT OF ACCESS: In the right of access, the interested parties will be provided with a copy of the personal data that is available together with the purpose for which they have been collected, the identity of the recipients of the data, the expected retention periods or the criteria used to determine it, the existence of the right to request the rectification or deletion of personal data as well as the limitation or opposition to its treatment, the right to file a claim with the Spanish Agency for Data Protection and if the data has not been obtained from the interested party, any available information about its origin. The right to obtain a copy of the data cannot adversely affect the rights and freedoms of other interested parties.

Form for the exercise of the right of access.

RIGHT OF RECTIFICATION: In the right of rectification, the data of the interested parties that were inaccurate or incomplete will be modified according to the purposes of the treatment. The interested party must indicate in the request what data they refer to and the correction to be made, providing, when necessary, supporting documentation of the inaccuracy or incompleteness of the data being processed. If the data has been communicated by the person in charge to other controllers, he must notify them of the rectification of these unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.

Form for the exercise of the right of rectification

RIGHT OF SUPPRESSION: In the right of suppression, the data of the interested parties will be eliminated when they express their refusal to treatment and there is no legal basis that prevents it, they are not necessary in relation to the purposes for which they were collected, they withdraw consent provided and there is no other legal basis that legitimizes the treatment or it is illegal. If the deletion derives from the exercise of the interested party’s right of opposition to the processing of their data for marketing purposes, the identifying data of the interested party may be kept in order to prevent future processing. If the data has been communicated by the person in charge to other managers, they must notify them of the deletion of these unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.

Form for the exercise of the right of deletion.

RIGHT OF OPPOSITION: In the right of opposition, when the interested parties express their refusal to treat their personal data before the person in charge, the latter will stop processing them as long as there is no legal obligation to prevent it. When the treatment is based on a mission of public interest or on the legitimate interest of the person in charge, upon a request to exercise the right of opposition, the person in charge will stop processing the data unless compelling reasons that prevail over the interests, rights and freedoms of the interested party or are necessary for the formulation, exercise or defense of claims. If the interested party opposes the treatment for direct marketing purposes, the personal data will no longer be processed for these purposes.

Form for the exercise of the right of opposition.

PORTABILITY RIGHT: In the portability right, if the treatment is carried out by automated means and is based on consent or is carried out within the framework of a contract, the interested parties may request to receive a copy of their personal data in a structured format, of common use and machine reading. Likewise, they have the right to request that they be transmitted directly to a new person in charge, whose identity must be communicated, when technically possible.

Form for the exercise of data portability.

RIGHT OF LIMITATION TO TREATMENT: In the right of limitation of treatment, the interested parties may request the suspension of the processing of their data to challenge its accuracy while the person in charge performs the necessary verifications or in the event that the treatment is carried out based on interest legitimate authority of the person in charge or in compliance with a mission of public interest, while verifying if these reasons prevail over the interests, rights and freedoms of the interested party. The interested party can also request the conservation of the data if he considers that the treatment is illegal and, instead of the deletion, requests the limitation of the treatment, or if the person in charge for the purposes for which they were collected is no longer needed, the interested party You need them for the formulation, exercise or defense of claims. The circumstance that the treatment of the data of the interested party is limited must be clearly stated in the systems of the person in charge. If the data has been communicated by the person in charge to other controllers, he must notify them of the limitation of the processing of these unless it is impossible or requires a disproportionate effort, providing the interested party with information about said recipients, if requested.

Form for the exercise of the limitation of the treatment.

If the interested party’s request is not acted upon, the data controller will inform them, without delay and at the latest after one month from receiving the request, of the reasons for their non-action and the possibility of filing a claim with the Agency. Spanish of Data Protection and to exercise legal actions.

SECURITY MEASURES

The security measures that we have implemented in TuComex are the following:

ORGANIZATIONAL MEASURES

INFORMATION THAT SHOULD BE KNOWN BY ALL PERSONNEL WITH ACCESS TO PERSONAL DATA

All personnel with access to personal data must be aware of their obligations in relation to the processing of personal data and will be informed about said obligations. The minimum information that will be known by all staff will be the following:

DUTY OF CONFIDENTIALITY AND SECRET
Unauthorized access to personal data is prevented. To this end, it is avoided to leave personal data exposed to third parties (unattended electronic screens, paper documents in public access areas, supports with personal data, etc.). This consideration includes the screens that are used to display images from the video surveillance system. When you are absent from work, the screen will be locked or the session will be closed.
Paper documents and electronic media will be stored in a safe place (cabinets or restricted access rooms) 24 hours a day.
Documents or electronic media (CDs, pen drives, hard drives, etc.) with personal data will not be discarded without guaranteeing their effective destruction.
Personal data or any other information of a personal nature will not be communicated to third parties, paying special attention not to disclose protected personal data during telephone consultations, emails, etc.
The duty of secrecy and confidentiality persists even when the worker’s employment relationship with the company ends.

SECURITY VIOLATIONS OF PERSONAL DATA
When personal data security violations occur, such as, for example, theft or improper access to personal data, the Spanish Data Protection Agency will be notified within 72 hours of said security violations, including all the information necessary to clarify the facts that have given rise to improper access to personal data. The notification will be made by electronic means through the electronic headquarters of the Spanish Agency for Data Protection at the address https://sedeagpd.gob.es/sede-electronica-web/.

TECHNICAL MEASURES

ID

When the same computer or device is used for the processing of personal data and personal use purposes, there are several different profiles or users for each of the purposes. The professional and personal uses of the computer are kept separate.
There are profiles with administration rights for the installation and configuration of the system and users without privileges or administration rights for access to personal data. This measure will prevent access privileges from being obtained or modifying the operating system in the event of a cybersecurity attack.
The existence of passwords for access to personal data stored in electronic systems is guaranteed. The password will have at least 8 characters, a mixture of numbers and letters.
When personal data are accessed by different people, for each person with access to personal data, there will be a specific username and password (unequivocal identification).
The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties. In no case will passwords be shared or recorded in a common place and access by people other than the user.

DUTY OF SAFEGUARD

The minimum technical measures to guarantee the safeguarding of personal data are set out below:

UPDATING OF COMPUTERS AND DEVICES: The devices and computers used for the storage and processing of personal data are kept updated as much as possible.

MALWARE: In the computers and devices where the automated processing of personal data is carried out, there is an antivirus system that guarantees as far as possible the theft and destruction of personal information and data. The antivirus system is updated periodically.

FIREWALL OR FIREWALL: To prevent improper remote access to personal data, it will be ensured that there is an activated and correctly configured firewall on those computers and devices on which personal data is stored and / or processed.

DATA ENCRYPTION: When it is necessary to extract personal data outside the premises where its treatment is carried out, either by physical means or by electronic means, the possibility of using an encryption method to guarantee the confidentiality of the data should be assessed. personal in case of improper access to information.

BACKUP COPY: Periodically a backup copy will be made on a second medium different from the one used for daily work. The copy will be stored in a safe place, different from the one where the computer with the original files is located, in order to allow the recovery of personal data in case of loss of information.

The security measures will be reviewed periodically, the review may be carried out by automatic mechanisms (software or computer programs) or manually. Consider that any computer security incident that has happened to anyone you know can happen to you, and guard against it.