SP-050-002 Manual of functions and obligations of the staff
Scope
This document is a brief informative guide on the functions and obligations of our staff regarding data processing.
Introduction
In this document, "we" refers to the company registered under the name AI Labs Group SL, with ID number B95988127 and registered address in Bilbao, 48013 (Vizcaya).
We process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, GDPR). As such, we are committed to building a culture of privacy in the organization, which is why the team members authorized to process personal data must be informed about that processing and take responsibility for it.
Any person authorized to process personal data is required to read, understand, comply with and enforce this Security Policy in order to protect the data that is part of the processing entrusted to them.
This Security Policy establishes the obligations and procedures to be followed by the organisation's staff, both internal and external, who process personal data in the course of their work. It is based on the provisions of Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and Organic Law 3/2018, of 5 December (LOPDGDD).
In this sense, to ensure and enforce this Policy, the organization has appointed a Security Manager who will be available to all staff and will be in charge of coordinating, controlling, developing and verifying compliance with the aforementioned regulations.
The Controller has implemented significant measures in relation to the processing of personal data under its responsibility. To a large extent, these measures affect the Controller's personnel, either because information about the employees themselves is likely to be considered personal data, or because the processing of data is almost always carried out directly by the personnel.
Consequently, through this Manual of Personnel Functions and Obligations, the Controller informs its personnel of the functions and obligations that must be taken into account when working with data for which the company is responsible. Personal data covers everything from a person's name and surname to their date of birth, postal or email address, telephone number, ID number, image, etc. All of this identifies a person or makes them identifiable, and is therefore considered personal data.
Before getting into the matter, it is worth clarifying some general aspects and basic concepts related to the processing of personal data, starting from the fact that data protection has been recognized by our case law as a fundamental right of individuals.
This right means that each person can decide how information concerning them is used, so that anyone who collects data of a personal nature in any way (except natural persons doing so for purely personal or domestic purposes) must comply with a series of obligations and technical and organizational measures aimed at guaranteeing citizens' right to the protection of their data.
Definitions
Processing structure
To provide a better understanding of data protection, the main basic concepts are defined below:
- Personal data: Information relating to a natural person by which their identity can be determined.
- Processing: Any operation carried out on personal data: collection, access, alteration, transmission, storage and deletion.
- Data subject: Natural person whose personal data are processed.
- File: Structured set of personal data that can be processed for a specific purpose.
- Controller: Organization that determines the purposes and means of the processing.
- Authorized personnel: Person authorized by the Controller to carry out data processing, bound by a confidentiality commitment.
Data categories
- Basic: Data that do not fall under the Criminal or Special categories, for example: name, address, email, telephone, age, sex, signature, image, hobbies, assets, bank details, and academic, professional, social, commercial or financial information.
- Criminal: Data related to the commission of administrative or criminal offenses, or data that can profile personality characteristics.
- Special: Data related to ethnic or racial origin, political opinions, religious or philosophical convictions, union membership, genetic or biometric data that allow the unequivocal identification of a person, data related to health or sexual life and orientation.
Data protection principles
The fundamental principles for data processing are:
- Lawfulness, fairness and transparency towards the data subject.
- Purpose limitation: data are processed only for specified purposes.
- Data minimization: only the data necessary to achieve those purposes are collected.
- Accuracy: data are kept accurate and up to date.
- Storage limitation: data are kept for no longer than necessary to achieve the purposes.
- Integrity and confidentiality: security measures are applied to protect data in all phases of processing.
- Accountability (proactive responsibility): compliance with all the data protection principles must be demonstrable.
Consent to carry out data processing
To process data we must obtain the explicit consent of the data subject and keep the evidence that proves it.
When we obtain data from third parties, we must ensure that the communication is lawful and keep the evidence that proves it.
It is not necessary to obtain the consent of the data subject when the processing is based on a legal obligation (for example, to issue an invoice).
Information to be provided to the data subject
In general, the following information must be provided to the data subject:
- The identity and contact details of the Controller.
- The purposes of the processing.
- The legal basis of the processing.
- The data retention period or the criteria used to determine it.
- The rights of the data subject.
- And, where applicable:
  - The recipients or categories of recipients of the data.
  - Transfers of data to countries or organizations established outside the EU.
Responsibility for processing
Data processing may be carried out by external organizations provided that the Controller has expressly authorized it and a contract covering that processing has been signed in accordance with current legislation. Staff should contact the Security Manager to find out which companies or third parties are authorized for data transfers.
External organizations can be:
- Processors: Organization that processes personal data on behalf of the Controller.
- Data recipients: Organization, other than the Processor, that receives a communication of personal data from the Controller.
Security measures
The organization has implemented technical and organizational measures to guarantee a level of security appropriate to the risks of the processing, in particular accidental or unlawful destruction, loss or alteration of data, and unauthorized disclosure of or access to data while they are transmitted, stored or otherwise processed.
Staff must ensure the security of the data processed by the organization and must notify the Controller of any processing operation that may pose a risk to data protection or to the interests and freedoms of the data subjects.
Any design of a new processing operation, or update of an existing one, must guarantee, before its implementation, the protection of personal data and the exercise of the data subjects' rights in all phases of the processing: collection, access, alteration, transmission, storage and deletion.
Functions and obligations
All personnel who access personal data must be aware of the measures, norms, procedures, rules and standards that affect the functions they perform when these are related to personal data.
In general, these functions and obligations apply to the personal data processed by AI Labs Group, S.L. as Controller.
To facilitate contact with the Controller's Data Protection Officer, the contact details are provided below:
Identifying information | |
---|---|
Company name | Audens Legal, S.L.P. |
Address | Calle del Marqués de Cubas 12, 5ºC, 28014 Madrid |
ID Number | (ES)B85808954 |
Address | Gran Via, BAT Tower, 48001, Bilbao, Spain |
Telephone | +34 910 099 875 |
Email | rgpd@audens.es |
Website | https://audens.es |
Each user will be assigned to a category determined by the Controller according to their functions in relation to the processing of personal data, both the company's own data and data processed on behalf of third parties (customer data), and depending on the type of permissions that must be granted.
As a general rule, users' functions regarding the protection of personal data will in all cases correspond to the usual functions of their job. Likewise, users must exercise due diligence in performing those functions so that the Controller complies with the regulations.
Permitted access
Not all users need access to all data. Each user's access permissions are recorded in a user registry and must be respected in all cases, avoiding unauthorized access.
If a user requires access for which they do not have permissions, they must request authorization from the Security Manager, to whom these functions have been delegated as established in the previous table.
Obligation of confidentiality
Personal data must be kept and processed with special diligence by staff, who must keep them secret. They may not be made available to anyone outside the company, nor to anyone within the company who does not have defined permissions to access that information. In all cases, the loss or leakage of data must be avoided, and data must not be discarded without the correct destruction measures being taken.
Safeguarding and protection of personal passwords
Users will have a unique username and password to access the computer equipment from which personal data can be accessed or processed.
New users are assigned a username and password when they are registered in the system to access the computers. This password must be changed the first time the user logs in with their username.
Each user is responsible for the confidentiality of their password and, if it is discovered, accidentally or fraudulently, by unauthorized persons, they must notify the Controller, who will ensure that the old password is deleted and a new one is issued.
Under no circumstances should the password be written down on any kind of medium, whether analog or digital (paper, notebooks, mobile phones, tablets, etc.).
Passwords must be changed at least once a year and must have characteristics that make them difficult to guess: they must be at least 8 characters long and combine numbers, letters and other characters, in upper and lower case. The more different elements they contain, the greater the security.
Workstations
Each workstation is the responsibility of the authorized user who has access to it. That user must guarantee, as far as possible, that the information processed at the workstation cannot be seen by unauthorized persons.
When the person in charge of a workstation leaves it, either temporarily or at the end of their shift, they must leave it in a state that prevents protected data from being viewed. This is done by manually locking the system (for example, in the Windows operating system, closing the user session), so that the password must be entered again.
For printers, scanners and copiers, staff must make sure that no printed documents containing protected data are left in the output tray. If the printers are shared with other users who are not authorized to access the personal data being processed, the person responsible for each workstation must collect the documents as they are printed.
Connecting the workstations from which personal data are accessed to external networks or systems is expressly prohibited. This prohibition may be lifted only with the Controller's authorization.
The workstations from which personal data are accessed will have a fixed configuration of their applications and operating systems, which can only be changed with the Controller's authorization.
Management of incidents
An incident is any breach of security that causes the accidental or unlawful destruction, loss or alteration of personal data, or unauthorized access to or disclosure of such data.
Thus, an incident is any sporadic event that may endanger the security of the data or of the data processing systems for which a client is responsible, in its three aspects: confidentiality, integrity and availability of the data.
In addition, any breach by staff of the security measures established by the Controller will, among other things, be considered a security incident.
Staff must notify the Controller without undue delay of any incident they become aware of, so that the Controller can apply corrective measures to remedy and mitigate its effects. Incidents must be documented by the person reporting them, with a detailed description of the incident and the date and time it occurred or became known.
For this reason, any user who becomes aware of an incident is responsible for reporting it by sending an email to the Controller and to the Data Protection Officer. That email must contain at least the following points:
- User name.
- Date and Time.
- Reason for the Incident.
- Type of data, nature and processing operations affected.
- Possible causes or consequences.
- Possible measures adopted to minimize or correct the damage.
Sending communication to the Data Protection Officer
Identifying information | |
---|---|
Company name | Audens Legal, S.L.P. |
Address | Calle del Marqués de Cubas 12, 5ºC, 28014 Madrid |
ID Number | (ES)B85808954 |
Address | Gran Via, BAT Tower, 48001, Bilbao, Spain |
Telephone | +34 910 099 875 |
Email | rgpd@audens.es |
Website | https://audens.es |
Knowing of an incident and failing to report it will be considered a breach of data security by that user.
An unreported incident may put at risk the viability of the Controller's operations and the systems or data of the company's customers, and may also pose an economic risk to the company, as it could lead to a sanction. For this reason, awareness of incidents and reporting them is important.
Network data input and output
As a general rule, with respect to the Controller's data processing: when personal data are sent out by email, they will always and only be sent from an email address authorized for that purpose. In all cases this will be the email account that the Controller has provided to the user, never a personal email account. In addition, these sendings will be recorded in the history of that email address or in another output log that makes it possible to know at any time what was sent, to whom, and what information it contained.
Data sent out by email or transferred over the network must be logged so that their origin, type of data, format, date and time of sending and recipient can always be identified.
Likewise, staff will comply with the security measures that the Controller communicates.
In addition, it is prohibited to send data by email or any similar system that does not comply with the appropriate security measures to guarantee their security and confidentiality, such as secure encryption of the data and logging of the sending as specified in the general rules above.
Permissions management
Taking media (laptops, hard drives, pen drives...) containing personal data into or out of the facilities may require special authorization from the Controller.
A user who intends to remove or introduce this type of media must hold that authorization in writing, where applicable.
Non-automated data management
Personnel with access to personal data must be diligent and prevent access to them by unauthorized personnel. A user who removes documents from the filing or custody system for review or processing is responsible for their custody and for preventing unauthorized access to them.
When a document containing personal data needs to be discarded or destroyed, it must in all cases be destroyed with due guarantees of effectiveness.
Where the personal data storage systems have user identification mechanisms to control access to the data and record the actions carried out by the users who have accessed them, users must identify themselves and complete the required information in those systems.
Likewise, a user who becomes aware of an incident that may endanger the security of the data is responsible for reporting it following the guidelines in section "5. Incident management". A user who needs to take any other type of non-automated document out of the filing or custody system must obtain written authorization from the Controller.
Reuse and disposal of media
A user who needs to discard, destroy or wipe for reuse any medium containing personal data must contact the Controller, who will see to the disposal of those media and guarantee their correct erasure and, where appropriate, that the data cannot be recovered.
Input and output of media and portable devices
Taking media (USB drives, portable hard drives, CDs, DVDs or any other storage device capable of holding personal data) or documents with personal data outside the facilities is prohibited; a user who needs to do so requires written authorization from the Controller.
The user must also request that the data contained in these media be encrypted, and must ensure that no third party outside the company, or who is not the intended recipient of the media, can access the data on them.
Media and document management
When temporary storage systems or working copies of documents are created, the functions and obligations contained herein must be taken into account, and they must be deleted once they are no longer useful for the purpose for which they were created. Keeping media labels and file naming orderly is important so that personal data are protected and do not get lost or end up in the hands of unauthorized third parties.
The user must comply with the standards for the management and inventory of media and documents that the Controller indicates at any given time. Only authorized personnel will be able to access them.
Data encryption
Where files containing personal data have to be sent to third parties over communication networks, they will be encrypted and password protected. The basic file protection procedure is set out below.
- Right-click the document.
- Compress it with the "Add to archive" option (the WinRAR program must already be installed to compress documents).
- Once the WinRAR window appears, click on the "General" tab.
- Then click on "Set password".
- Click on "Show password", enter the password and accept. If you also want to hide the file's name, tick "Encrypt file names" as well, enter the password and accept.
The password must then be sent to the recipient by a different channel so that they can open the file.
Other prohibitions
The following activities are expressly prohibited:
- The use of computer programs without the corresponding license, as well as the use, reproduction, assignment, transformation or public communication of any type of work or invention protected by intellectual or industrial property. Failure to comply may be cause for disciplinary, administrative, civil and criminal liability.
- Destroy, alter, disable or in any other way damage the data, programs or electronic documents of the Controller or third parties. These acts may constitute the offense of criminal damage provided for in article 264.2 of the Penal Code.
- Voluntarily introducing programs, viruses, macros, applets, ActiveX controls or any other logical device or sequence of characters that cause or are likely to cause any type of alteration in the Computer Systems of the Responsible or third parties. In this regard, remember that the system itself automatically runs the antivirus programs and their updates to prevent the entry into the system of any element intended to destroy or corrupt computer data.
- Introduce, download from the Internet, reproduce, use or distribute computer programs not expressly authorized by the Responsible. This prohibition includes any other type of work or material whose intellectual or industrial property rights belong to third parties, when there is no authorization to do so.
- Install illegal copies of any program, including those that are standardized.
- Delete any of the legally installed programs.
- Introducing obscene, immoral or offensive content and, in general, lacking in utility for the objectives of the Responsible.
- Encrypt information without being expressly authorized to do so.
Consultation with the Data Protection Officer
Whenever a project is going to be planned, devised, executed or developed as part of the worker's activities, the worker must ensure compliance with data protection. This means that, if the project involves the collection, processing, use, storage, transfer, or any other action involving personal data of third parties (clients, users, suppliers, potential clients, workers...), the worker must notify the Data Protection Officer designated by the Controller, using the contact details given in section 2 of this Manual or any update thereof.
Responsibilities
Failure by staff to comply with the data protection rules contained in this manual, as well as those established by the Controller, may give rise to liability for the non-compliant party, who may be subject to disciplinary sanction by the Controller depending on the severity.
In the event of serious repeated non-compliance with these rules, the consequences could include dismissal, as well as legal action to establish liability and repair the damage caused, all of which I have been informed of in an appropriate and understandable manner.
Signature meaning
The signatures for the approval process of this document can be found in the verified commits in the QMS repository. For reference, the team members who are expected to participate in this document, and their roles in the approval process as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: JD-020, JD-004
- Reviewer: JD-003
- Approver: JD-001