At LANTEK SHEET METAL SOLUTIONS, S.L.U. is concerned about the personal data we process and about the exact compliance with current regulations on the protection of personal data, among others, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.
In accordance with this, the following issues are reported regarding the processing of personal data that we carry out at LANTEK SHEET METAL SOLUTIONS, S.L.U:
Identity: LANTEK SHEET METAL SOLUTIONS, S.L.U.
Tax ID code: B01395698
Postal address: Calle Ferdinand Zeppelin, No. 2
01510 Miñano (Álava).
Phone: +34 945 771 700
Email: info@lantek.es
Contact details of the Data Protection Officer: dpo@lantek.es.
Notwithstanding the foregoing and as appropriate, the aforementioned company and other subsidiaries of the group may also be responsible for the processing of the data collected through this website and/or other domains, subdomains and landing pages: Lantek Systèmes, SARL (Lantek France), Lantek Systemtechnik GmbH (Lantek Germany), Lantek Systems, Inc. (Lantek, USA), Lantek Systems, Ltd. (Lantek, UK), Lantek Mexico, S.A de C.V. (Lantek, Mexico), Lantek Polska Sp. Zoo. (Lantek Poland), Lantek Yazilim Ticaret Ltd. Sti (Lantek Turkey), Lantek System Korea LLC (Lantek, Korea), Lantek Shanghai Trading Co Ltd (Lantek China) and Lantek Australia Pty. Ltd. (Lantek, Australia) and Lan Tek Services S.R.L. and Lantek Lantek Sistemi s.r.l. (Lantek, Italy)
This privacy policy shall also apply to such websites, domains, subdomains and landing pages of the aforementioned companies.
Hereinafter, the reference to LANTEK shall be understood as referring to LANTEK SHEET METAL SOLUTIONS, S.L.U. and to any of the aforementioned companies of the Group.
The principles required by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as GDPR) are respected in the processing of personal data carried out therein:
Information collected through this website
On this On this website we have several forms for the collection of data for different purposes, depending on their purpose. The categories of personal data collected on this website are:
All the personal data requested in each of the forms is mandatory, so if the user fails to provide any of this data, we will not be able to attend to their request and, therefore, we will not be able to comply with the purpose associated with each form.
Personal data that are classified as special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data relating to health or data relating to sex life or sexual orientation) or data relating to criminal convictions and offences are not collected.
Furthermore, cookies collect information about the use that users make of the website, pages visited, origin, geographical location, IP addresses, although this information will be collected in aggregate form, that is, without identifying the users. You can find information about the cookies used in the Cookie Policy.
With regard to the sending of the Lantek magazine and the newsletter, as Hubspot is used to manage such mailing, its use implies the installation by the provider of the aforementioned service in these mailings of devices to monitor the activity of the recipients, in order to control the opening of the emails and the clicking on the links contained in the emails and to be able to use the information collected to prepare monitoring reports for the campaigns.
For what purpose do we use your personal data (whether or not you are a user of the website)?
Customer data: for the proper maintenance, development, compliance and control of the contractual relationship with customers and the provision of the services they demand.
We will also use your identification and contact details to carry out satisfaction surveys and to send, by electronic means, commercial information about news and about our products and services as well as those of other companies in the Lantek Group.
In relation to this type of mailing, we inform you that, in order to manage in a more efficient, dynamic and operational way and to be able to better control the commercial communications that we send by email, we use HubSpot, a platform developed by HubSpot, Inc., a company that acts as a data processor and that, despite being outside the European Union and the European Economic Area, the international transfer of data involved in its use also has the appropriate guarantees contemplated in article 46.2 c) of the General Data Protection Regulation (standard contractual clauses adopted by the European Commission), and is also certified in the EU-US Data Privacy Framework.
You are informed that the use of this platform involves the installation by the provider of the aforementioned service in these mailings of devices to monitor the activity of the recipients, in order to control the opening of the emails and the clicking on the links contained in the emails, and to be able to prepare campaign monitoring reports with the information collected.
Data of potential customers: to carry out commercial prospecting, management of budgets and commercial offers, follow-up of the same and carry out commercial management to attract customers.
Supplier data: for the proper maintenance, development, fulfilment and control of the contractual relationship with our suppliers and the services they provide to us.
Personnel data: for the proper maintenance, development, compliance and control of the contractual relationship with our employees, as well as compliance with the applicable regulations on labour, Social Security and Occupational Risk Prevention.
Candidate data: to manage the participation of interested parties in the personnel selection processes carried out by the company itself and other subsidiaries of the Lantek Group. This implies that when a candidate provides a curriculum vitae to Lantek Sheet Metal Solutions, S.L.U., it will be used to manage their participation in both personnel selection processes carried out by this company and other companies of the Lantek Group, identified in the section on who is responsible for the processing.
Visitor control data: to control entry to and exit from the company’s premises, for security reasons.
Data collected through the registration and magazine request form: to manage the sending of the Lantek magazine and, with this, the subscription of users to our newsletter and, consequently, the sending by e-mail of newsletters or informative bulletins about the company, our products, services, novelties, articles, news, offers or promotions as well as other information of commercial content that may be of interest.
As mentioned above, in relation to this type of mailings, we inform you that, in order to manage and keep better control of the informative communications we send by e-mail in a more efficient, dynamic and operative way, we use HubSpot, a platform developed by HubSpot, Inc, a company that acts as a data processor and that, despite being outside the European Union and the European Economic Area, the international transfer of data involved in its use also has the appropriate guarantees contemplated in article 46.2 c) of the General Data Protection Regulation (standard contractual clauses adopted by the European Commission), and is also certified under the EU-United States Data Privacy Framework.
You are informed that the use of this platform involves the installation by the provider of the aforementioned service in these mailings of devices to monitor the activity of the recipients, in order to control the opening of the emails and the clicking on the links contained in the emails, and to be able to prepare campaign monitoring reports with the information collected.
Data collected through the contact form: to manage and respond to queries and requests for information or services that are required through it.
Data collected through the member registration form: as registration requires a Lantek product licence, the personal data of the members will be used to manage their registration and allow them to have access, through the private area, to different functionalities related to it, such as (but not limited to) software incident tracking, plant indicators of machines with Lantek software, manuals, training or subscription of new applications.
User data of our social media profiles: to interact with our users, mainly by responding to their comments on the posts we make on the profiles we have on different social networks.
What is the legal basis for the processing of your personal data?
Customer data: The legal basis that legitimises the processing of your personal data is that it is necessary for the performance of the contract to which you are a party.
With regard to satisfaction surveys and the sending of our own commercial information or that of other companies of the Lantek Group, the legal basis that legitimises such processing is that it is necessary for the satisfaction of legitimate interests pursued by the data controller and/or third parties (other companies of the Lantek Group) as contemplated in article 6.1. f) of the GDPR. This shall be without prejudice to the data subject’s right to object to the sending of such commercial information and to the carrying out of satisfaction surveys.
Data of potential customers: the legal basis that legitimises the processing of your personal data is that it is necessary for the execution of the pre-contractual and commercial relations maintained between both companies.
Supplier data: the legal basis that legitimises the processing of suppliers’ personal data is that it is necessary for the performance of the contract to which they are a party.
Personnel data: the legal basis that legitimises the processing of employees’ personal data is that it is necessary for the execution of the employment contract between the company and its workers.
Candidate data: the legal basis that legitimises the processing of the personal data of the data subjects is that it is necessary for the application of pre-contractual measures at the request of the data subject.
Visitor control data: the legal basis that legitimises the processing of personal data provided to us by people who access our facilities is that it is necessary for the satisfaction of our legitimate interest in controlling the persons entering and leaving the facilities, for security reasons.
Data collected through the registration and magazine request form: the legal basis that legitimises the processing of the personal data provided by the interested parties when completing the form is the consent given when registering to receive the Lantek magazine and thus subscribing to our newsletter and, therefore, the need for such processing in order to attend to and respond to the request for the magazine and your subscription to it.
Data collected through the contact form: the legal basis that legitimises the processing of the personal data provided to us by the data subjects when filling in the form is that it is necessary to manage the legal execution that arises when contacting us through the contact form and, therefore, the need for such processing to attend to and respond to the queries or requests made to us.
Data collected through the member registration form: insofar as it is necessary to have a Lantek software license in order to register, the legal basis that legitimises the processing of personal data is that it is necessary for the execution of the license agreement to which they are a party, as well as the consent they give when requesting registration.
User data of our social media profiles: the legal basis that legitimises the processing of the personal data of our followers and users of our social networks is the consent they give by following us on them, although they may stop doing so at any time.
How did we obtain your personal data?
All the personal data that we process at LANTEK is provided to us by the data subjects themselves or their legal representatives.
The personal data that we collect through this website has been collected through the different forms provided or through the email address provided to contact us.
The personal data requested through the forms are necessary to meet the purposes corresponding to each one of them, so it is mandatory to provide all the data in such a way that if in case of not doing so, we shall not be able to meet the indicated purpose.
To which recipients will your personal data be disclosed?
The personal data of customers, suppliers and employees will be communicated, where appropriate, to the tax administration for compliance with legal and tax obligations, as well as to the financial institution(s) through which we manage collections (in the case of customers) and payments (in the case of suppliers and employees).
The personal data of customers, potential customers, suppliers, employees and candidates may be communicated to other companies of the Lantek business group for internal administrative purposes, although in the case of the newsletter and the contact form, the personal data may be communicated to other companies of the Group to manage the request or for sending the requested information. This will depend in each case on the company that has to manage the request or sending of the information, being the companies that make up the Lantek Group and, therefore, the potential transferees, those listed in the final paragraph of the section "Who is responsible for the processing of your personal data?" of this Privacy Policy.
Likewise, in accordance with the legitimacy based on legitimate interests pursued by Lantek and/or companies of the Lantek Group, the Customer’s data may be communicated to any of them in order for them to send commercial information similar to products or services that the Customer has contracted.
For all other processing, the data will not be communicated to third parties unless it is necessary to comply with legal obligations.
In addition, for certain other matters we use the services of third parties, who act as data processors, with whom we have signed the corresponding data processing contract in accordance with the provisions of Article 28.3 of the GDPR.
Transfers of personal data to third countries
For some information management issues, we use the services of third parties that act as data processors and that, despite being outside the European Union and the European Economic Area, the international transfer of data involved in its use has the appropriate guarantees contemplated in article 46.2 c) of the General Data Protection Regulation (standard contractual clauses adopted by the European Commission) and, where applicable, they may be certified under the EU-US Data Privacy Framework.
Similarly, as already indicated above, in order to manage in a more efficient, dynamic and operational way and to be able to better control the informative communications we send by email, we use HubSpot, a platform developed by HubSpot, Inc., a company that also acts as a data processor and which, despite being outside the European Union and the European Economic Area, the international transfer of data involved in its use also has the appropriate guarantees contemplated in article 46.2 c) of the General Data Protection Regulation (standard contractual clauses adopted by the European Commission), and is also certified in the EU-US Data Privacy Framework.
In any case, as LANTEK has a presence in different countries around the world, it is possible that, if the customer’s request so requires, international data transfers will be made to the Group company required to respond to said request. In this case, these transfers have the guarantees required by the General Data Protection Regulation, either because there is an adequacy decision by the European Commission, or because there are standard contractual clauses or, where appropriate, binding corporate rules.
How long will we keep your personal data?
Customer, supplier and employee data: personal data is kept for the duration of the relevant contractual relationship and, once terminated, for the periods necessary to comply with legal obligations.
In relation to the sending of commercial information to customers, their personal identification and contact data will be kept until they express their refusal to continue receiving it, for which they will be offered a simple and free means to do so in each communication sent to them.
Data of potential customers: in this case and to the extent that regular contacts are made with potential customers to carry out an adequate commercial follow-up, their personal data will be kept until the moment a contract for the provision of services is signed or, where appropriate, until consent is revoked.
Candidate data: candidates’ personal data will be kept for the periods necessary to fulfil the purpose for which they are collected.
Visitor control data: visitors’ personal data is kept for the periods necessary to fulfil the purpose that justifies their collection.
Data collected through the registration and magazine request form: the personal data provided to us will be kept as long as the interested parties do not revoke their consent by requesting to unsubscribe.
Data collected through the contact form: the personal data provided by users when filling in the form will only be kept during the management of the queries and requests they make to us, so that, once their processing has been completed, they will be deleted.
Data collected through the member registration form: since it is necessary to have a license for a Lantek product in order to register, the personal data of the members will be used during the validity of the license or, where appropriate, until the moment in which the interested party requests their cancellation. Subsequently, the personal data will be kept for the periods necessary to comply with legal obligations.
User data from our social media profiles: the retention periods for the personal data of our social media followers depend on the policies of each social network, although we will only process it until they stop following us.
What are your rights when you provide us with your personal data?
How to exercise your data protection rights:
To exercise your rights, you must send us a written request addressed to LANTEK SHEET METAL SOLUTIONS, S.L.U. at calle Ferdinand Zeppelin, nº 2 C.P. 01510, Miñano (Álava) or by sending an email to dpo@lantek.es. LANTEK may request an official document proving the applicant’s identity if this is required.
LANTEK will respond to all requests within the deadlines and conditions required by current regulations on the protection of personal data.
How to file a complaint with the Spanish Data Protection Agency: if you consider that we have not properly processed your personal data or that we have not duly attended to the exercise of your data protection rights, you can file a complaint with the Spanish Data Protection Agency, either through its electronic office or at your address at Calle Jorge Juan, nº 6, C.P. 28001, Madrid.
Find out more about your data protection rights and complaints to the Supervisory Authority in www.aepd.es
Security
In accordance with the provisions of Article 32 of the GDPR, LANTEK has adopted the appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
In order to assess the adequacy of the level of security, particular account has been taken of the risks presented by data processing, in particular as a result of accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorised disclosure of or access to such data.
Duty of secrecy
LANTEK has adopted measures to ensure that any person acting under its respective authority and having access to the personal data provided to us by users, can only process them following instructions from the company, and must also maintain the corresponding professional secrecy over them, which will last indefinitely.
To this end, our employees have signed a confidentiality and duty of secrecy document with respect to the information and personal data they process in connection with the company.
Use of the website by minors
We kindly ask users to read the policies on the use of the website by minors that we have published in the "Legal Notice" of our website.
Social Media
Social media profiles: LANTEK has profiles on some of the main social networks that currently exist, so that personal data of our followers, people who appear in the publications we make (for example, photographs) and people who send us private messages may be processed.
Data processing and purpose: the data processing that LANTEK will carry out is limited and conditioned to the policies and functionalities of each social network.
When a user follows us on a social network, they authorise their personal data to be used only within the scope of the corresponding social network for the management of our page or profile and the communications that we maintain in a two-way fashion with our followers through chat, messages or other means of communication that the Social Network allows currently and in the future. This means that we will have access to their profile information that appears in the comment, such as but not limited to, their username, picture (if the user has put a photograph on their profile), and comments made.
We would also like to inform that, when a user follows us, the news we publish may also appear on their wall and that, if they comment on ours, both their comment and the name of their profile and, if applicable, the photograph they have on it will be accessible to other followers. In any case, the use made of the Social Network is the responsibility of the user.
We will not use users’ personal data for purposes other than those indicated in previous paragraphs or to send them information through an environment other than the social network.
Unless the interested party gives their consent or requests it to us to respond to a request they make to us, we will not extract their personal data from the environment of the social network.
Legitimacy of the processing: the legal basis that legitimises the processing of the personal data of our followers is the consent they give when following us.
Recipients of the data: we will not communicate to third parties or make international transfers of the personal data of our followers unless it is necessary to comply with a legal obligation. This is without prejudice to the fact that the public comments made on our social networks by followers and our responses will be seen by the rest of the followers.
Data retention period: the retention periods for the personal data of our social media followers depend on the policies of each social network, although we will only process it until they stop following us.
Data protection rights: with respect to the rights of access, rectification or deletion, limitation of processing, opposition and portability of your personal data, we can only act in accordance with the possibilities allowed for this purpose by each social network. FISIO2, S.C. will provide all possible assistance to the interested party so that they can exercise the aforementioned rights.
Any of our followers may unsubscribe from our page or profile at any time so that we no longer have access to their personal data, although the social network may keep the comments they have previously made on our wall.
In any case, the use made of the Social Network is the responsibility of the user, therefore, LANTEK does not assume any type of responsibility in this regard.
You can consult the privacy policy of the social network where LANTEK has a page or profile below:
Cookies
Cookies are small text files that are stored on the hard drive or in the memory of the computer that accesses or visits the pages of certain websites, so that the user’s preferences can be known when they reconnect. Cookies stored on the user’s hard drive cannot read the data contained therein, access personal information, or read cookies created by other providers.
See information about the cookies used on this website in the section "Cookie Policy”.
Intervention of Lantek as data processor
In the event that the Customer requests Lantek to carry out any support action or intervention, he/she must avoid sending personal data, having to delete or dissociate them prior to sending them to Lantek. However, if the action or intervention requested by the Customer from Lantek necessarily requires the sending of personal data, Lantek will process them on behalf of the Customer, thus acting as data processor, in which case, the following conditions will apply:
1. – Purpose of the processing order: by means of the present clauses, Lantek, the data processor, is authorised to process the personal data necessary to provide the service requested by the Customer, the data controller, on behalf of the Customer.
The processing will consist, according to the request made by the data controller, of the remote connection by Lantek to the latter’s systems in order to manage the personalisation, technical incident reported or, where appropriate, to customise the program or certain functionalities.
To this end, the connection by Lantek will be carried out by means of remote connection programs, either its own, those of third parties or even those of the data controller itself, always upon request and authorisation from the owner. In this case, Lantek will not incorporate the data into its systems or supports, other than those of the data controller.
However, it is possible that the correct solution of the personalisation or technical incident requires a special analysis, which could imply that the data controller provides Lantek with the affected database through the private area of the latter’s website, in which case the latter will incorporate it into its systems, other than those of the data controller. It must be recorded in the Register of Processing Activities and the corresponding security measures must be adopted.
In either case, the processing to be carried out by Lantek with the personal data accessed as a result of the provision of the contracted service will be, at all times, those necessary for the execution of the order, and may include in such processing, as appropriate and required, the collection, registration, organisation, structuring, conservation, etc., adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, collating or interconnection, restriction, deletion or destruction, copying, analysis or sending.
2. – Identification of the affected information: for the execution of the services derived from the fulfilment of the object of the order, the data controller will make available to the data processor, the categories and personal data that are strictly necessary for the execution of the service.
3. – Duration: the duration of this type of data processing will be the duration necessary for the fulfilment of the order carried out by the Customer. Once completed, the procedure shall be carried out in accordance with section "r" of the following paragraph.
4. – Lantek’s obligations as data processor: The data processor and all its staff undertake to:
a. Use the personal data that is the subject of processing, or those that it collects for its inclusion, only for the purpose that is the object of this assignment. Under no circumstances may the data be used for its own purposes or for purposes other than those contemplated in the execution of the service.
b. Process the data in accordance with the instructions of the data controller. If the processor considers that any of the instructions infringe the General Data Protection Regulation or any other data protection provision of the Union or the Member States, the processor shall immediately inform the controller.
If you do not have clear instructions from the controller on how the processor should act with respect to the personal data to which they have access, before processing any data, they must contact the person responsible for the file and clarify the aforementioned instruction.
c. Keep a written record of all categories of processing activities carried out on behalf of the controller, containing the aspects required by article 30.2 of the General Data Protection Regulation.
d. Not communicate the data to third parties, unless expressly authorised by the data controller, in the legally admissible cases.
The processor may communicate the data to other processors of the same controller, in accordance with the instructions of the controller. In this case, the responsible party will identify, in advance and in writing, the entity (company name, Tax ID code and address) to which the data must be communicated, the data to be communicated and the security measures to be applied to proceed with the communication.
If the processor is required to transfer personal data to a third country or to an international organisation under the law of the Union or of the Member States applicable to it, it shall inform the Controller of that legal requirement in advance, unless prohibited by such law for important reasons of public interest.
In this sense, the data processor has contracted different services offered by Microsoft Corporation, such as Azzure, among others, for information hosting. In this case, this company acts as a sub-processor although, despite being outside the European Union and the European Economic Area, the international transfer of data involved in its use has the appropriate guarantees contemplated in article 46.2 c) of the General Data Protection Regulation (standard contractual clauses adopted by the European Commission). It is also certified in the EU-US Data Privacy Framework.
Microsoft Data Protection Addendum (DPA)
e. Subcontracting. Not to subcontract any of the services that are part of the object of this contract that involve the processing of personal data, except for the auxiliary services necessary for the normal functioning of the services of the processor.
If it is necessary to subcontract any processing, this fact must be communicated in advance and in writing to the responsible party, 15 days in advance, indicating the processing that is intended to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details (at least, company name, corporate tax ID, address and corporate purpose). Subcontracting may be carried out if the responsible party does not express its opposition within the established period.
The subcontractor, who shall also have the status of processor, is also obliged to comply with the obligations set out in this document for the processor and the instructions issued by the controller. It is the responsibility of the initial processor to regulate the new relationship in such a way that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as the new processor, with regard to the proper processing of personal data and the guarantee of the rights of the persons concerned. In the event of non-compliance by the sub-processor, the original processor shall remain fully liable before the controller for the fulfilment of the obligations.
f. Maintain the duty of secrecy with respect to the personal data to which it has had access by virtue of this assignment, even after the end of its purpose.
g. Ensure that the persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.
h. Make available to the controller the documentation accrediting compliance with the obligation established in the previous section.
i. Ensure the necessary training on the protection of personal data of the persons authorised to process personal data.
j. Assist the data controller in responding to the exercise of the rights of access, rectification, erasure and opposition, restriction of processing, data portability and not to be subject to automated individualised decisions (including profiling).
When data subjects exercise such rights vis-à-vis the data processor, the processor must notify them by email to the email address provided by the data controller. The communication must be made immediately and in no case later than 72 working hours following receipt of the request, together, where appropriate, with other information that may be relevant to resolve the request.
k. Right to information. It is the responsibility of the controller to provide the right to information at the time of data collection.
l. Notification of data security breaches. The processor shall notify the controller, without undue delay, and in any case within a maximum period of 48 hours, and through the email address indicated by the controller, of any personal data breaches of which it is aware, together with all relevant information for the documentation and communication of the incident. Notification shall not be required where such a security breach is unlikely to constitute a risk to the rights and freedoms of natural persons.
It is the responsibility of the controller to communicate data breaches to data subjects as soon as possible, where the breach is likely to pose a high risk to the rights and freedoms of natural persons.
m. Support the controller in carrying out data protection impact assessments, where appropriate.
n. Provide support to the controller in carrying out prior consultations with the supervisory authority, where appropriate.
o. Provide the controller with all the information necessary to demonstrate compliance with its obligations, as well as to carry out audits or inspections carried out by the responsible party or another auditor authorised by him/her.
p. Carry out an assessment of the risks to personal data involved in the processing of data that Lantek will carry out on behalf of the data controller and implement the appropriate technical and organisational security measures to guarantee a level of security appropriate to the risk.
q. Appoint a data protection officer and communicate their identity and contact details to the controller. In this regard, it is stated that Lantek has appointed a Data Protection Officer, having communicated his/her appointment to the Spanish Data Protection Agency. The data controller may contact him/her at the postal address indicated above and by e-mail at dpo@lantek.com
r. Destination of the data. Once the performance of the service has been completed, at the discretion of the data controller, the processor must return the personal data to the controller or transmit the personal data to another processor designated by the controller, and delete any copies in its possession. However, it may keep the data blocked in order to deal with possible administrative or jurisdictional responsibilities.
5. – Obligations of the Customer as Data Controller:
a) Deliver to the person in charge the data referred to in paragraph "2. – Identification of the affected information”.
b) Carry out, if necessary, an assessment of the impact of the processing operations to be carried out by the processor on the protection of personal data.
c) Carry out, if necessary, the corresponding prior consultations.
d) Ensure, prior to and throughout the processing, that the processor complies with the GDPR.
e) Supervise the processing, including conducting inspections and audits.
6. – Responsibilities of the data processor: in the event that the data processor, including its employees, uses the personal data for purposes other than those set out in this contract, communicates them to third parties or uses them in breach of the stipulations set out in the contract, they will be considered as the data controller, liable for any infringements they may have personally incurred.
However, the data processor shall not incur liability when, upon express indication of the data controller, it communicates the data to a third party designated by the data controller, to whom it has entrusted the provision of a service.