Data protection policy
Purpose
The purpose of the astara data protection corporate policy is:
- To be legally compliant with the regulations of personal data protection.
- To define principles in the organization that contribute to the protection of personal data.
- To establish actions that ensure data privacy within the organization.
Principles
Astara’s personal data processing shall be:
- Lawful, fair and transparent.
- For specified, explicit and legitimate purposes.
- Adequate, relevant and limited.
- Accurate and kept up to date, when necessary.
- For a limited period of time.
- Carried out appropriately and in a confidential manner.
Roles and Duties
Responsible:
- Astara is responsible for the processing of personal data of all subject persons, and will process personal data according to the legal regulations.
Corporate Privacy Committee:
- It is the point of contact for data subjects, employees, company management and authorities responsible for data protection in astara. You can contact the Corporate Privacy Committee at privacy.es@astara.com.
- It is in charge of training, advising, monitoring, controlling and reporting on all matters related to data privacy.
Records of Processing Activities
- The company keeps a register of all processing activities. The Corporate Privacy Committee has the responsibility to compile the necessary information for this purpose on the processing activities of the respective department and to document these in accordance with the legal requirements.
- Upon request, the company shall make the directory available to the supervisory authority.
Complaint and Notification to the Privacy Committee
Every data subject has the right to:
- Complain to the Corporate Privacy Committee about the processing of his or her data if he or she feels that his or her rights have been violated. Likewise, employees may contact the data protection advisor directly with information, suggestions or violations of this policy, whereby absolute confidentiality will be maintained upon request.
Handling Personal Data
When handling personal data, astara will:
- Collect and process such data within the scope of what is legally permissible.
- Fulfill the duty to inform in an adequate manner.
- Use complete and accurate data.
- Enforce all the special measures to protect the rights and interests of the data subjects in the case of a data transmission abroad.
Rights of the Data Subject
Astara Group, as data controller, will:
- Facilitate the exercise of the data subjects' rights of access, rectification, erasure, limitation of processing, portability and objection, establishing the necessary internal procedures to satisfy the applicable legal requirements.
- Make it possible to submit requests in a simple manner.
- Inform, within 30 days at the latest, of any measures taken in response to the request made by the data subject.
Training
The Corporate Privacy Committee will:
- Train those employees who have permanent or regular access to personal data, collect such data or develop systems for processing such data, according to the requirements of the applicable data protection regulation.
Data Secrecy
- Astara’s personnel are prohibited from collecting, processing or using personal data without authorization.
- All employees must strictly observe the principles of data protection legislation.
Audits
Astara ensures that:
- Relevant processes are reviewed through regular audits by internal bodies or by external auditors, in order to ensure a high level of data protection. In the event that potential for improvement is identified, immediate corrective measures will be taken.
Internal Investigations
Internal Investigations shall be done to:
- Clarify the facts and to avoid or uncover criminal offences or serious breaches of duty in the employment relationship. Only necessary data will be collected, in an appropriate and proportionate manner, to achieve the purpose of the investigation.
Data Security
Regarding data security, astara:
- Is committed to safeguarding the confidentiality, availability, integrity and traceability of data.
- Has drawn up a general security concept which is binding for all procedures, and takes into account the state of the art, as well as means and measures for encryption and data protection.
Data Protection Impact Assessment
For those operations which entail a high risk to the personal rights or fundamental rights of the data subject, a data protection impact assessment is carried out, according to all descriptions required by law, and particularly in the case of:
- A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing.
- Processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences.
- A systematic monitoring of a publicly accessible area on a large scale.
Data Breach
In the event of a data breach:
- Every employee is obliged to immediately report malfunctions, security incidents and emergencies in the area of information security and incidents in the area of data protection to the Privacy Point of Contact and to the CISO (ciso@astara.com).
- Astara will fulfill the duty to inform the supervisory authority in accordance with the legal regulations.