DAVANTIS DATA PROTECTION POLICY
In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and the applicable data protection regulations, you are hereby informed that the data processor is:
DAVANTIS TECNOLOGIES, S.L.
CIF (TAX CODE): B63967103
Registered address in UAB, Edificio Eureka, 08193 Bellaterra,
DAVANTIS hereby informs you that your data of a personal nature will be processed for contractual purposes, to offer interested parties and DAVANTIS customers information about activities, products and services related to DAVANTIS:
- Supply our products and services.
- Offer and provide ongoing product support.
- Supply our products and services.
- To provide training and education days about our products.
- Information days and sector trade fairs. Product launches and dissemination.
- Manage the products and services purchased and the applicable administrative tasks.
- Communicate with you, including marketing messages and managing relationships with customers.
- Improve the algorithms and performance of our video analytics products and services.
- Help to manage and improve our company; for example, to improve our products, services or security.
- Fulfil our legal obligations.
- Accountancy and other administrative purposes.
- We may also use your personal data for other purposes and, therefore, we will provide you with specific alerts when compiling such data and will obtain your consent when necessary.
Messages about activities, products and services may be issued by any means, including electronic means. The data subject may authorise the sending of marketing messages explicitly by marking the corresponding boxes, in any of the data request forms, for example those included on our website.
2. DATA PROCESSED
The data processed by DAVANTIS in the framework of the relationship with the data subject and for the purposes for which consent has been given, are included in the following categories:
- Information about your identity and your contact details, including, but not limited to your name, surnames, telephone or email address.
- Commercial information according to the information received.
- CCTV footage from sites using Davantis products or services.
Data and images will be processed with confidentiality and may be stored and used to improve the algorithms and performance of our video analytics products and services. Davantis anonymises data before processing so that no individual or organization can be identified.
3. DATA STORAGE
The personal data you provide will be stored for as long as required to fulfil contractual obligations, to respond to requests and claims, and in any case until the data subject requests it be deleted, and for the necessary time to comply with the corresponding legal obligations according to each type of data.
4. RECIPIENTS OF THE DATA.
The data subject’s data may be shared with:
- DAVANTIS group companies, for the purposes stated only.
- Service suppliers with contractual links to DAVANTIS as data processors who will process the data in accordance with DAVANTIS’ instructions.
- The competent authorities when we have are legally bound to do so.
5. LEGAL GROUNDS FOR PROCESSING YOUR DATA AND STORAGE TIMES
The legal grounds for managing the relationship with the customer and other interested parties and to offer information about DAVANTIS activities, products and related services such as performance of a contract are the unequivocal consent of the data subject in the absence of an existing contractual relationship.
The personal data you provide to comply with the obligations derived from the contractual relationship between you and DAVANTIS will be kept on file for the duration our the contractual relationship; and on termination of the contractual relationship the data shall be stored until expiry of the legal limitation period.
The personal data obtained through the contact form shall be stored solely for the time necessary to deal with your request for information.
However, if you give your express consent to being sent information and marketing messages, your data will be stored until you express your wish to revoke that consent.
6. SECURITY MEASURES APPLIED TO THE DATA SUBJECT’S PERSONAL DATA
The personal data furnished by the data subject will be processed using technical and organisational measures necessary to avoid the loss, misuse, alteration and unauthorised access thereto, taking into account the state of the technology, the nature of the data and the risk analysis performed.
7. RIGHTS OF THE DATA SUBJECT
All persons are entitled to obtain confirmation as to whether or not DAVANTIS is processing their personal data. Interested parties and customers are entitled to access their personal data, to request correction of inaccurate data or, in the event, request that their data be erased when, among other reasons, the data is no longer necessary for the purposes for which it was gathered.
In certain circumstances, and for reasons related to their specific situation, interested parties may object to the processing of their data, in which case DAVANTIS will stop processing your data except for prevailing legal reasons, or to enforce or defend itself in case of claims.
In certain circumstances, the interested parties may request restricted processing of their information, meaning that DAVANTIS may only store and use them in circumstances established by law.
When data is gathered in a structured manner, interested parties may ask DAVANTIS to transmit the data directly to other data controllers or to receive their data in electronic format, to store them in their own devices, without the need to transmit them to other data controllers.
Interested parties may exercise their rights by sending an email to the address firstname.lastname@example.org, attaching a photocopy of their identity documents and clearly stating the right they wish to exercise. Likewise, you may send your request by ordinary mail to the address stated above.
DATA PROCESSING AGREEMENT
DAVANTIS will process the personal data subject to the contract as the data processor (hereinafter referred to as the “Processor“). On the other hand, the CLIENT will act as the data controller of the personal data (hereinafter referred to as the “Controller“).
The Controller and the Processor shall be jointly referred to as the “Parties.”
The access to personal data by the Processor on behalf of the Controller is subject to the legal provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR), as well as Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter “LOPDGDD”).
In compliance with the GDPR, both Parties agree to freely regulate the access and processing of personal data in accordance with the following
The purpose of this Contract is to authorize the Processor to process, on behalf of the Controller, the personal data necessary to provide maintenance and continuous improvement of the software to offer better services to customers. This Contract also establishes the conditions under which the Processor will process the personal data to which it has access during the provision of the services.
2. Description of Processing.
The following are the processing operations and categories of personal data:
- Categories of data subjects whose personal data is processed: customers.
- Categories of personal data processed: identifying images and videos from security cameras.
- Nature of the processing: collection, storage, and use. Sensitive data is not processed under this contract.
- Data, images, and recordings of events and marketing activities organized by DAVANTIS.
3. Obligations of the Parties.
The Processor will always process the personal data under the framework of this Contract for the specified purpose or following documented instructions from the Controller, unless legally obligated otherwise under applicable Union or Member State law.
3.2. Purpose Limitation.
The Processor will only process the personal data for the specific purposes of the processing as indicated in the Purpose of this contract unless additional instructions are provided by the Controller.
3.3. Duration of Personal Data Processing.
The duration of data processing by the Processor will be determined by the purpose for which the data was acquired. The processing will continue until the purpose is no longer valid, or the Controller requests its termination in writing, after which the data will be securely deleted or anonymized.
3.4. Records of Processing Activities.
The Processor commits to maintain a written record of all categories of processing activities carried out on behalf of the Controller, containing at least the information required by the GDPR
3.5. Security of Processing.
a. The Processor will implement the necessary technical and organizational measures to ensure the security of personal data. Among others, the Processor will implement the following measures:
|Objetivo de la medida
|All treated information is categorized and treated as confidential data.
|Secure Data Transmission.
|Data is transmitted to and from data storage and processing systems using encryption or secure VPNs.
|There is a process for user registration, deactivation, and modifications. Password protection is required to access data storage and processing systems. Users are only granted access to the data necessary for their tasks. The system generates logs that allow traceability.
|Anonymization and Confidentiality.
|There is an architecture and pseudonymization process in place so that users will access anonymous data whenever possible and will not be able to identify the data’s origin.
|Systems and Data Recovery.
|Periodic backup process and restoration protocol are established.
|There is a protocol for tests and quality control.
a. The Processor will only grant access to the processed personal data to its personnel members to the extent strictly necessary for the execution, management, and monitoring of the contract.
3.6. Documentation and Compliance
The Processor will provide the Controller with all the necessary information to demonstrate compliance with the obligations established in this Contract, which directly derive from the GDPR. Upon the Controller’s request, the Processor will allow and contribute to conducting audits of the processing activities.
4. Assistance to the Data Controller
The Processor will promptly notify the Controller of any requests received from data subjects. The Processor will not respond to such requests on its own unless authorized by the Controller. The Processor will assist the Controller in fulfilling its obligations by responding to data subject requests to exercise their rights, taking into account the nature of the processing and the Controller’s instructions.
5. Notification of Personal Data Security Breaches
In the event of a personal data security breach, the Processor will collaborate with the Controller and assist in fulfilling GDPR obligations, considering the nature of the processing and the information available to the Processor. If there is a security breach of personal data processed by the Processor, the Processor will notify the Controller and provide the required documentation as soon as possible. This notification will include, at least:
- A description of the nature of the security breach (including, where possible, the categories and approximate number of data subjects and records affected).
- Contact details of a person from whom further information about the personal data security breach can be obtained.
- The likely consequences of the security breach and the measures taken or proposed to address the breach, including measures to mitigate potential adverse effects.
6. Controller’s Obligations
The Controller’s responsibilities include:
a) Providing or allowing access to the data specified in this Contract to the Processor.
b) Maintaining the corresponding record of processing activities.
c) Complying with the information obligation and applying appropriate legal bases for the processing of Personal Data, obtaining explicit consent when necessary.
d) Conducting a data protection impact assessment of the processing operations to be carried out by the Processor, where applicable.
e) Complying with the rest of the obligations established by the GDPR for the Data Controller.
a) The Processor requires subcontracting of third parties to process the personal data that is the responsibility of the Controller. Some of these subcontracting arrangements are necessary to fulfill the service as they are crucial for the operation of the Processor’s systems and the provision of certain services.
b) The Processor has contracts with all sub-processors that impose data protection obligations and guarantees the application of appropriate technical and organizational measures for the processing.
c) In any case, the data processing by the sub-processor must adhere to the Controller’s instructions. In the event of a sub-processor’s non-compliance with data processing, the Processor will be fully responsible to the Controller for fulfilling the obligations.
d) The Processor requires subcontracting the following third parties, approved by the Controller, to process the personal data that is the responsibility of the Data Controller:
|Description of the Processing and the Contracted Service
|Google Cloud EMEA Limited
|Velasco Clanwilliam Place Dublin 2 Ireland
8. International Transfers.
The Processor may carry out data transfers to a third country or an international organization, provided that these countries or institutions ensure adequate compliance with Data Protection regulations.
The Controller agrees that, when the Processor engages a sub-processor in accordance with clause 6 to perform specific processing activities on behalf of the Controller, and such activities involve a transfer of personal data, the Processor and the sub-processor shall ensure GDPR compliance using standard contractual clauses adopted by the Commission.
9. Contract Termination.
Upon termination of the Contract, the Processor shall delete or anonymize, at the request of the Controller, all personal data processed on behalf of the Controller and shall provide evidence to the Controller that this has been done. Alternatively, the Processor shall return all personal data to the Controller and delete any existing copies, unless Union or Member State law requires the storage of personal data. Until the data is destroyed or returned, the Processor shall continue to ensure compliance with this Contract.