Personal data policy "Sensitive Data" application(*)

* These Terms have been originally drafted in the Spanish language, which shall be considered as the official and legally binding text for all parties involved. Any translation or version of these Terms into another language is provided solely for the convenience of the parties and shall have no legal effect. In the event of any discrepancy or conflict between the Spanish version and its translations, the Spanish version shall always prevail.

Processing of Personal Data Derived from Service Provision:
For the provision of the Service, Tiralíneas may have access, due to application service provision (ASP/SaaS) reasons, to personal data for which the Client is responsible. For the purposes of this clause, the following definitions apply: (i) Data Controller or “controller”: the Client, a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing; (ii) Data Processor or “processor”: Tiralíneas, a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

The operational context of the “Sensitive Data” Application involves the provision of a SaaS service by Tiralíneas. Under these circumstances, it is determined that the Client acts as the Data Controller for the personal data that may be handled, collected, processed, or stored in the course of using the said Application and/or by the provision of the Service. As such, the Client assumes full responsibility for ensuring that the processing of personal data is carried out in strict compliance with the provisions established in the GDPR and other applicable data protection legislation.

The Client commits to establishing and maintaining all necessary measures, both technical and organizational, to protect the rights and freedoms of the data subjects, ensuring that any processing of personal data is carried out with due respect to legality, fairness, and transparency. This includes, but is not limited to, the obligation to inform data subjects about the collection and use of their personal data, obtain appropriate consent when necessary, and respond to requests for access, rectification, deletion, or limitation of the processing of personal data.

Tiralíneas, in its role as Data Processor, will act only under the documented instructions of the Client, ensuring that all persons authorized to process personal data commit to respect confidentiality or are subject to a statutory obligation of confidentiality.

Physical Location of Servers: Generally, Tiralíneas declares that its servers, systems, and facilities are located within the European Union and carry out all data processing in accordance with the General Data Protection Regulation, offering sufficient guarantees to apply appropriate technical and organizational measures. Specifically, the storage (database) and processing of data (software application) synchronized by the “Sensitive Data” Application are carried out in the Azure data center known as "France Central," located in the Paris region.

DATA PROCESSOR AGREEMENT (DPA): In application of the current personal data protection regulations, this clause establishes the conditions enabling Tiralíneas to process personal data derived from the use of the Service by the Client, as provided for in EU Regulation 2016/679, delineating the obligations of the Data Controller and the Data Processor. This Agreement is an integral part of the Terms and Conditions of Use of the “Sensitive Data” Application provided by Tiralíneas.

Purpose of the Processing Assignment: The Controller authorizes the Processor to process on its behalf the personal data that it incorporates into the resources assigned by the Processor under the use of the Service by the Registration Client. The authorized processing operations will be strictly necessary to achieve the purpose of the contracted Service, involving, in any case, hosting and transmission in a telecommunications network of data, not performing any other processing such as collection, structuring, dissemination, etc., of the personal data of the Controller.

Identification of the Affected Information: The Controller carries out, in the resources assigned by the Processor for the provision of the service, the data processing and categories of personal data that derive from the operation of the contracted Service and always according to its own instructions, being solely responsible for determining the purposes, objectives, and means of the treatments carried out.

In any case, the Controller declares and guarantees to the Processor that, if personal data contemplated in Article 9, paragraph 1, of the Regulation (EU) 2016/679 of the European Parliament and of the Council —that is, data revealing ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data concerning a natural person's sex life or sexual orientation— are processed through the Service, such processing is legitimized according to the conditions stipulated in paragraph 2 of the same Article 9 of Regulation (EU) 2016/679, expressly exempting the Processor from any liability arising from the breach of this guarantee.

Duration of the Processing Assignment: The duration of this processing assignment will be the same as that of the provision of the Service of which this assignment is an inseparable part, so that, once the former is finished, this will be considered equally finished. Once this assignment ends, the Processor must return to the Controller or transmit to another processor designated by the latter, the personal data, and delete any copy in its possession. However, it may keep the data blocked to attend to possible administrative or jurisdictional responsibilities.

Obligations of the Controller (Client): In addition to those established in general in the data protection regulations, the following correspond to the Controller, in relation to this processing assignment: (i) Verify that the technical and security conditions of the hosting service offered by the Processor are suitable for the nature, context, scope, and/or purposes of the data or treatments for which it is responsible, according to its own data protection impact assessments and/or risk analyses carried out. (ii) Provide the Processor with access to the data to be processed or deliver them in the manner appropriate for the correct provision of the service. (iii) Inform, according to the data protection regulations, the data subjects whose data are subject to processing and have lawfully obtained their express consent or have legitimate and verifiable reasons for the same. (iv) Have simple mechanisms for data subjects to exercise their rights according to the data protection regulations. (v) Have risk assessments, a record of treatments, and impact assessments if necessary due to the nature of the data processed. (vi) Carry out the corresponding prior consultations. (vii) Appoint a data protection officer in cases where it is mandatory and communicate their identity to the Processor. (viii) Communicate data security breaches to the Data Protection Authority and/or data subjects, when appropriate.

Obligations of the Processor (Tiralíneas): Regarding the use and communication of data instructions, the Processor undertakes to: (i) Use the personal data subject to processing only for the purpose of this assignment. In no case may it use the data for its own purposes. (iii) Process the data according to the instructions of the Controller, derived from the domain name registration services contract. If the Processor considers that any of the instructions infringes the GDPR or any other provision on data protection of the Union or the Member States, the processor will immediately inform the controller. (iv) Not communicate the data to third parties, unless it has the express authorization of the Controller, in legally admissible cases.

The Processor may communicate the data to other processors of the same Controller according to its instructions. In this case, the Controller will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated, and the security measures to be applied to proceed with the communication. If the Processor must transfer personal data to a third country or an international organization, under the Law of the Union or the Member States applicable to it, it will inform the Controller of this legal requirement in advance, unless such Law prohibits it for important reasons of public interest.

Regarding the security measures applicable to the processing, the Processor has implemented the following measures: (i) Regular verification, evaluation, and assessment of the effectiveness of the technical and organizational measures to ensure the security of the processing. (ii) Ensure that any person acting under its responsibility and having access to personal data can only process such data following instructions from the Controller. The staff under the responsibility of the Processor receives periodic training in confidentiality and data protection, is aware of their obligations in the matter, and the consequences of non-compliance with the law. (iii) Keep professional secrecy regarding the personal data whose access is regulated by these clauses, committing not to communicate them, not even for their conservation, to other people, an obligation that will subsist even after ending their relations with the Controller. (iv) Keep, in writing, a record of all categories of processing activities carried out on behalf of the controller (when applicable), which contains: (a) The name and contact details of the processor and of each controller on whose behalf the processor acts and, where appropriate, of the representative of the controller or the processor and the data protection officer. (b) The categories of processing carried out on behalf of each controller. (c) Where appropriate, the transfers of personal data to a third country or international organization, including the identification of said third country or international organization and, in the case of the transfers indicated in Article 49, paragraph 1, second paragraph of the GDPR, the documentation of adequate guarantees.

In any case, it will be understood that the Controller, prior to the formalization of this processing assignment, has assessed and accepted as conforming to the purposes and means of the processing, the level of security measures implemented by the Processor in its organization and facilities.

Notification of Data Security Breaches: In accordance with Regulation (EU) 2016/679, it corresponds to the Data Controller to communicate data security breaches to the Data Protection Authority and/or the data subjects. The Processor will notify the Data Controller, without undue delay, and through the contact email, of the data security breaches of which it becomes aware that occur in the facilities, means, and technical resources assigned to the management and maintenance of the hosting service the Service, along with all relevant information for the documentation and communication of the incident by the Controller to the competent control authority and/or the data subjects. This notification by the Processor will not be necessary when it is unlikely that such a security breach constitutes a risk to the rights and freedoms of natural persons.

In cases where this notification is necessary, the following information will be provided, if available: (i) Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected. (ii) The name and contact details of the data protection officer or another contact point where more information can be obtained. (iii) Description of the possible consequences of the personal data security breach. (iv) Description of the measures taken or proposed to remedy the personal data security breach, including, where appropriate, the measures taken to mitigate the possible negative effects.

If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.

Collaboration with the Controller: The Processor will collaborate in good faith with the Controller by (i) Supporting the file controller in carrying out data protection impact assessments, when appropriate. (ii) Supporting the Controller in carrying out prior consultations with the control authority, when appropriate. Make available to the Controller all the information necessary to demonstrate compliance with its obligations, as well as for the performance of the audits or inspections carried out by the controller or another auditor authorized by it. (iii) Communicate the identity and contact details of the Data Protection Officer to the Controller. (iv) Assist the Data Controller in responding to the exercise of the rights that assist the data subject: Access, rectification, deletion, opposition, limitation of processing, data portability, and not to be subject to automated individual decisions (including profiling).

When the affected persons exercise these rights before the Processor, it must communicate it by email to the address of the Controller. The communication must be made immediately and in no case later than the next working day after receiving the request, together, where appropriate, with other information that may be relevant to resolve the request.

SUBCONTRACTING: The Processor declares, and the Client expressly accepts this circumstance, that it has subcontracted the processing capacity and storage of the data synchronized through the “Sensitive Data” Application in the Azure data center known as "France Central," located in the Paris region.