Agreement for the processing of personal data

This Data Processing Agreement (“DPA”) applies to all processing of personal data that Numintec carries out on behalf of its customers as a data processor.

This Data Processing Agreement (“DPA”) is an agreement between Numintec Comunicaciones S.L. (“NUMINTEC”) and the entity that contracts its services and sets out the obligations of both parties with respect to the processing and security of personal data for which the Client is the controller in relation to the use of Numintec’s services.

This ATD complements the Terms and Conditions of Contract for Numintec’s services, available in https://www.numintec.com/en/agreement-for-the-processing-of-personal-data/ or other agreement between the Client and Numintec governing the use by the Client of the services provided by Numintec when Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).

DEFINITIONS

For the purpose of this Data Processing Agreement:

“Applicable Data Protection laws” means the applicable laws and regulations where data processing takes place, which apply to the terms of this DPA and which may vary over time.  It comprises both Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), as well as the applicable local laws where the processing takes place,  such as, for example, in Spain is Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (“LOPD GDD”).

“Controller” means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;

“Data subject” means an individual who is the subject of personal data;

“DPA”, “this DPA”, “this DPA agreement” is this Personal Data Processing Agreement;

“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Supervisory authority” means an independent authority established by a Member State which is responsible for supervising the processing of personal data in order to protect the fundamental rights and freedoms of natural persons with regard to the processing of their data;

“Customer Data” means all personal data  (including all text, sound, video or image files) that the Client’s authorized persons incorporate into the databases and hosting systems of each service, as well as those that can be generated and kept through the use of NUMINTEC’s services.  The Customer is the controller of the processing of this personal data.

“Service Agreement” means the Acceptance of the order and the Terms and Conditions of Contract together with the corresponding order Form, the Description(s) of the Service, any applicable Service Specific Terms and Conditions and the Service Level Agreement, in any case in the version existing on the date of the Order;

“Numintec”, “we”, “our(s)” and all the derivations of these words mean Numintec Comunicaciones S.L., a company incorporated in accordance with the laws of Spain, with CIF n° B63003636 and registered office at C/ Diputació, 279-283, Entlo. 2º, 08007 – Barcelona (Spain);

“Services”, “NUMINTEC Services” are Software as a Service (SaaS) services. These are the services provided through the internet by NUMINTEC in favor of the Client, in relation to the use of the contracted service, through the NUMINTEC platform and within the cloud computing infrastructure

“Sub-processors” are those processors that NUMINTEC uses to process Customer Data,  as described in Article 28 of the GDPR.

TERMS

SECTION I

Clause 1. Finality and scope

  1. The purpose of this Data Processing Agreement (DPA) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
  2. The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679.
  3. This DPA applies to the processing of personal data as specified in Annex II.
  4. Annexes I to IV are an integral part of the DPA.
  5. The clauses of this DPA are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679.
  6. The clauses of this DPA do not by themself ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016.
  7. The clauses of this DPA are aligned with the Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors
  8. This DPA, including its definitions, recitals and schedules, is a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.

Clause 2. Invariability of the list of clauses

  1. The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
  2. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 3. Interpretation

  1. Where these DPA clauses use the terms defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
  2. This DPA shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
  3. These DPA clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4. Hierarchy

In the event of a contradiction between clauses in this DPA and the provisions of related agreements between the Parties existing at the time when this DPA is agreed or entered into thereafter, clauses in this DPA shall prevail.

SECTION II. OBLIGATIONS OFTHE PARTIES

Clause 5. Description of the treatment or treatments

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.

Clause 6. Obligations ofthe parties

6.1.Instructions

  1. The controller shall instruct the processor to process the Personal Data in any manner that may reasonably be required in order for the processor to carry out the processing in compliance with this DPA and in accordance with Regulation (EU) 2016/679.
  2. The processor shall process personal data only on documented instructions from the controller in accordance with the terms established in the service contract of which this DPA is part, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
  3. The controller shall refrain from providing instructions which are not in accordance with applicable laws including Regulation (EU) 2016/679, and, in the event that such instructions are given, the processor is entitled to resist carrying out such instructions
  4. The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 or the applicable Union or Member State data protection provisions.
  5. The processor shall not disclose any Personal Data to a third party in any circumstances other than at the specific written request of the controller, unless such disclosure is necessary in order to fulfill the obligations of the Service Agreement or is required by law.

6.2. Purpose limitation

The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.

6.3.   Duration of processing of personal data

Processing by the processor shall only take place during the period specified in Annex II.

6.4. Treatment

  1. The processor shall at least implement the technical and organizational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
  2. The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. 
  3. The processor shall ensure that persons authorized to process the personal data received have committed themselves, expressly and in writing, to confidentiality or are under an appropriate statutory obligation of confidentiality. The processor shall maintain at the disposal of the controller all documented records of compliance with the obligation of confidentiality.
  4. The processor shall ensure that all persons authorized to process personal data undergo the necessary training in personal data protection.

6.5. Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

6.6. Documentation and Compliance

  1. The Parties shall be able to demonstrate compliance with the clauses of this DPA.
  2. The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
  3. The processor shall appoint in Annex I a contact point within its organization authorized to respond to enquiries concerning the processing of the Personal Data and will cooperate with the controller, the Data Subject and the Supervisory Authority concerning all such enquiries within a reasonable time
  4. The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679. 
  5. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.

These audits will be requested with reasonable notice and will be conducted during normal business hours. The request might be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the Data Controller

  1. The controller may choose to conduct the audit by itself or mandate an independent auditor selected by the controller and not reasonably objected to by the processor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
  2. The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.
  3. The processor shall cooperate with the Supervisory Authority in connection with any activities performed by the processor
  4. The processor shall notify the controller of any request for information by the Supervisory Authority.
  5. The processor shall notify the controller of any complaint, notice or communication received which relates directly or indirectly to the processing of the Personal Data, or other connected activities, or which relates directly or indirectly to the compliance of the processor and/or the controller with relevant applicable law including Applicable Data Protection law.

6.7. Use of sub-processors

  1. The processor has the controller’s authorisation for the engagement of sub-processors from an agreed list documented in the Annex IV. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least 1 month in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
  2. Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679.
  3. At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
  4. The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfill its contractual obligations.
  5. The processor shall agree a third party beneficiary clause with the sub-processor whereby – in the event the processor has factually disappeared, ceased to exist in law or has become insolvent – the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

6.8.   International Transfers 

  1. Any transfer of data to a third country or an international organization by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfill a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679.
  2. The controller agrees that where the processor engages a sub-processor in accordance with Clause 6.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 in which case it is done only where the sub-processor processes the data in countries that offer an adequate level of protection or that offer adequate safeguards such as binding corporate rules or using standard contractual clauses adopted by the Commission, in accordance with Article 46(2) of Regulation (EU) 2016/679, provided that the conditions for the use of those clauses are met.

Clause 7. Obligations of the controller

The Data Controller warrants and undertakes that:

  1. The Personal Data has been collected, processed and transferred in accordance with the Applicable Data Protection laws.
  2. The controller must perform an evaluation of the impact on the protection of personal data of the processing operations to be performed by the data processor where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
  3. It will have in place appropriate technical and organizational measures to protect the confidentiality of the Personal Data and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. 
  4. The controller will respond to enquiries from Data Subjects and the Supervisory Authority concerning the processing of the Personal Data as stipulated in Clause 8(b).
  5. Carry out prior inquiries that correspond to the supervisory authority where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

Clause 8. Assistance to the controller

  1. The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorized to do so by the controller.
  2. The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions. In such event:
    • The Data Subject must first direct the request to the controller;
    • Then, the controller, after receiving the request, will ask the processor to carry out any actions necessary to the contact point informed in the Annex I;
    • Once the processor has received the petition from the controller, the processor will respond to the controller within a period of ten (10) workable days.
    • In the event of a data subject contacting the processor directly, it will ask the data subject to address its request to the controller. At the same time, the processor will make the controller aware of this issue.
  3. In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
    1. The obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
    2. The obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
    3. The obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
    4. The obligations in Article 32 of Regulation (EU) 2016/679 regarding Security of processing.
  4. The Parties shall set out in Annex III the appropriate technical and organizational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 9. Notification of personal data breaches

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 taking into account the nature of processing and the information available to the processor.

9.1   Breach of the security of personal data processed by the controller

In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

  1. In notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
  2. In obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
    • The nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    • The likely consequences of the personal data breach;
    • The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

  1. In complying, pursuant to Article 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2   Data breach concerning data processed by the processor

In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:

  1. A description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
  2. The details of a contact point where more information concerning the personal data breach can be obtained;
  3. Its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

SECTION III. FINAL PROVISIONS

Clause 10. Non-compliance with the Clauses and termination

  1. Without prejudice to any provisions of Regulation (EU) 2016/679, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
  2. The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
  1. The processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
  2. The processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679;
  3. The processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
  1. The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 6.1 (b), the controller insists on compliance with the instructions.
  2. Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless there is a legitimate interest pursued by the processor or Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.
  3. Other reasons and conditions of termination will be subject to the General Terms and Conditions of Contract of the NUMINTEC services, of which this agreement is a part, or another agreement signed between the parties.

Clause 11. Liability and indemnification 

  1. The processor shall not be liable for any claim brought by a Data Subject arising from any action by the processor to the extent that such action resulted directly from the controller’s instructions and malpractice in its implementation of its technical and organizational measures.
  2. In the event that any claim is brought against the processor by a Data Subject arising from any action or omission by the processor to the extent that such action or omission resulted directly from the controller’s instructions, or misapplication by the controller of its technical and organizational measures, in accordance with Clause 7(c) of this DPA, the controller shall indemnify and keep indemnified and defend at its own expense the processor against all costs, claims, damages or expenses incurred by the processor for which the processor may become liable due to any failure by the controller or its directors, officers, employees, agents or contractors to comply with any of its obligations under this DPA.

Clause 12. Legislation applicable to this DPA

This DPA shall in all respects be governed by and interpreted in accordance with the laws and regulations of Spain. The parties hereto hereby submit to the exclusive jurisdiction of Spain for all the purposes of this DPA.

Clause 13. Resolution of disputes with the interested parties or thes toutoridadis of supervision 

  1. In the event of a dispute or claim brought by a Data Subject or the Supervisory Authority concerning the processing of the Personal Data against either or both of the parties, the parties will inform each other about any such disputes or claims and will cooperate with a view to settling them amicably in a timely fashion.
  2. The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Supervisory Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
  3. Each party shall abide by the decision of the Supervisory Authority which is final and against which no further appeal is possible.

ANEXO I. List of parties

As the Data Controller: 

Name: The Client that contracts Numintec services as provided for in the services contract.

Address: As described in the services provision agreement or contract signed between the two parties.

Reference department/employee: As described in the services provision agreement or contract signed between the two parties

Name, position and contact details of the contact person: As described in the services agreement or contract signed between the two parties

Date of accession: Effective date of services provision agreement or contract signed by both parties

On behalf of NUMINTEC (Data Processor): 

Name: NUMINTEC COMUNICACIONES, S.L.

Address: C/ Diputació, 279-283, Entlo. 2º, 08007 – Barcelona (Spain)

Department/employee of reference: As specified in the agreement or service contract signed between both parties.

Name, title and contact details of the contact person:

Signature and date of accession: Effective date of services provision agreement or contract signed by both parties

ANNEX II. Description of the processing

Categories of data subjects whose personal data are processed

  • Staff, collaborators and others authorized by the Client who are users of the NUMINTEC technological platform
  • People whose contact details are collected in the agenda and communications services provided by NUMINTEC.
  • People who use the communication channels managed by NUMINTEC and that the Client makes publicly available to users.

Categories of personal data processed

As the controller, NUMINTEC will process the following data:

  • Information of users and agents necessary to access and make use of the services of the NUMINTEC platform
    • Identity of users, for example, their first and last name.
    • Professional contact details such as email address and telephone number. 
    • Authentication data for access (if nominal).
    • Logs of user activity in the use of the Services, which may include information from the IP address from which the NUMINTEC platform is accessed.
  • Contact details collected in the agenda service
  • Data that occasionally might be included in the contents exchanged by users through the chat service and other communication channels that are part of the services provided.
  • Call recordings when our customers activate this functionality.

In addition, in order to provide the contracted service, NUMINTEC will process the following categories of data as the controller:

  • Data and access credentials of the users of the platform
  • Call logs, including, source and destination numbers, duration and timing of the call, and other service history data.
  • Platform usage logs

Special category data:

  • This DPA does not consider the processing of data classified as “special category data” or requiring special protection measures. 
  • The processing of such data on behalf of the customer should only be carried out with a prior agreement between both parties and after having carried out an appropriate data protection impact assessment prior to its processing.

Purpose(s) of the processing of personal data 

  • As data controller
    • Manage access to and use of the cloud communications services platform.
    • Investigation and prevention of activities likely to constitute fraudulent use of the services.
    • Fulfillment of obligations that correspond to NUMINTEC by legal mandate.
    • Analysis of the use of the services to improve the service provided.
  • As processor
    • NUMINTEC will process the data only for the purpose of providing the contracted services and in accordance with the General Terms and Conditions of Contract of the Service

Nature of the processing

  • The provision of the services contracted by clients entails the processing of personal data that our clients have responsibility for. Numintec processes data under the instructions of its clients and in accordance with the features established in the product, and has no direct dealings with the individuals whose personal data it processes.
  • It involves the following activities:
    • Recording and storage of Customer’s information
    • Deletion or destruction of information when required by the Customer and upon termination of service
    • Restrict the processing of information at the request of the Client or competent authority.
  • The data is provided by the Client, as the data controller, when making use of the Services.
  • All data is stored on servers in the EU using services provided by third parties as stipulated in ANNEX IV List of Sub-Processors.
  • The processing in the cloud communications platform is automated, thus Numintec staff do not have access to the Client’s data. If necessary, this access will solely occur at the express request and under the supervision of the Client, for example, in the event that support is required for its use or resolution of an issue notified by the Client.
  • Numintec considers that it does not have instructions to process such other personal data that may occasionally be included in the content managed by the Client or by the communication channels, for example, the provided chat service.
  • Any additional personal data that is processed by Numintec on behalf of the Customer must be agreed as an amendment to this DPA.
  • It should be noted that NUMINTEC is responsible for the processing of all call records and information generated and that it must keep as a telecommunications operator, under Law 11/2022, of June 28, General Telecommunications and Law 25/2007, of October 18, on the conservation of data related to electronic communications and public communications networks.
  • Likewise, NUMINTEC, as the controller, may collect and keep information for the purpose of prevention, detection, investigation and limitation of those activities that may constitute a fraudulent use of the services, such as abusive use of calls, spoofing of numbering and others. The detection of these activities may involve the notification of the facts to the client and, if there are indications that they constitute a criminal activity, to the corresponding authorities.

Duration of the processing

  • This APD applies for as long as the service contract entered into by both parties is in force.
  • After the termination of the contract, Numintec shall maintain its obligations with respect to the processed data for which it is also responsible in accordance with current legislation.

Information retention periods

  • It is established that the controller will keep the data while the service contract signed by both parties is in force.
  • In accordance with the terms stipulated in the service contract and/or the General Terms and Conditions of Contract, after a period of ninety (90) days from the disconnection or, where appropriate, the term stipulated in the conditions of the service contract, Numintec will definitively delete the data contained in its databases, except in those circumstances in which legal obligations or responsibilities may arise from the execution of the  provision of the service, in which case Numintec may keep a copy, with the data duly blocked, until the cessation of said responsibilities or obligations.

ANNEX III.  Technical and organisational measures to ensure data security

Numintec applies the necessary technical and organizational security measures to ensure an adequate level of information security in order to protect the confidentiality of personal data, as well as protect them against accidental or unlawful destruction or accidental loss, alteration, disclosure or unauthorized access. taking into account the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of natural persons.

These measures are implemented under the framework of an Information Security Management System that has ISO 27001:2013 and ISO 27017:2015 certification.

In particular, and by way of summary, said Information Security Management System includes measures such as:

  1. individual users and passwords, applying the least privilege rules and limiting access to data to those employees who strictly require it to perform their work.
  2. Backup copies, where appropriate, of the personal data processed by the data controllers that require guarantees of availability and integrity.
  3. Encryption of information in transit and in storage.
  4. Continuous surveillance and monitoring of systems and networks to detect and minimize the impact of any malfunction or threat.
  5. Logging of events and activities of users and administrators.
  6. Security configurations and perimeter protection systems in the network to prevent intrusions, and antivirus protection of our computer systems.
  7. Hardening of systems and networks to limit services, ports and protocols to those strictly necessary and thus minimize exposure to attacks and vulnerabilities.
  8. Availability of a log of security incidents and mechanisms and procedures for reporting security breaches.
  9. Physical control of access and protection of the equipment, people and facilities where the data is processed.
  10. Servers hosted in external data centers that offer full security guarantees with the relevant ISO 27001 certifications.
  11. In the case of managing supports or documents with the personal data of the person responsible for the treatment, these are duly guarded under cabinets or spaces provided with locking devices.
  12. Regular surveillance, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of the treatment within the framework of the periodic reviews and audits required by ISO 27001.
  13. A code of conduct that includes the prevention of criminal behavior and good practices in information security and privacy.
  14. Continuous training for NUMINTEC staff  on information security and data privacy issues
  15. A Continuity Plan that establishes the possibility of restoring the availability and access to personal data quickly, in case of physical or technical incident within the necessary deadlines to comply with the business commitments to which we are obliged by our service contract.
  16. Default configuration of applications that offers the highest level of security and privacy.
  17. Proactive liability measures, including recording processing activities, analyzing privacy risks and applying appropriate technical and organizational measures to address the identified risks.
  18. Contractual clauses of DPA and with all sub-processors that offer sufficient guarantees to implement appropriate technical and organizational measures in such a way that the processing complies with the requirements of this Regulation and ensures the protection of the rights of the data subject.
  19. Automated procedure to delete customer data once the stipulated retention period ends.

Numintec makes available to its customers the Security Policy of cloud services in which a greater detail of the measures implemented is provided.

On the other hand, the Client is responsible for the implementation and maintenance of the security and protection measures of the relevant personal data as a user of the Services in those aspects that are under its control.

ANNEX IV. List of sub-processors

Agreed list of sub-processors in accordance with Clause 6.7(a)

Name of the sub-processorAmazon Web Services Inc.
Description of the processingIaaS and PaaS Service Provider
Location of the processingEuropean Union  (Ireland)
Address and contact detailsAmazon Web Services EMEA SARL 38 Avenue John F. Kennedy, L-1855, Luxembourg Phone: +352 2789 0057
Guarantees providedhttps://aws.amazon.com/compliance/gdpr-center/

Other suppliers involved

Name of the supplierBITNAP (MBA DATACENTERS, S.L.)
Description of the processingExternal data center, provider of server collocation services
Location of the processingSpain
Address and contact detailsAddress: C/ Pablo Iglesias 56, L’Hospitalet de Llobregat, 08908 Barcelona Email:
Guarantees providedISO 27001:2013
https://bitnap.net/wp-content/uploads/2022/01/MBA_DATACENTERS_SL_BITNAP_IQNET_27001_ISO_9001.pdf
https://bitnap.net/wp-content/uploads/2022/01/MBA_DATACENTERS_SL_BITNAP_IQNET_27001_ISO_9001.pdf
Name of the supplierEvolution Cloud Enabler, S.A.U.
Description of the processingExternal data center, provider of server collocation services
Location of the processingSpain
Address and contact detailsAddress: C/ Isabel Colbrand 6-8; 28050 Madrid. Email:
Guarantees providedhttps://www.evolutio.com/wp-content/uploads/2022/01/CGContrataci%C3%B3n_Diciembre21.pdf
ISO 27001:2013 https://www.aenor.com/certificacion/certificado/?codigo=42390
ISO 20000-1:2018 https://www.aenor.com/certificacion/certificado/?codigo=201600
DC-040-Rev02 16/09/2024  Personal Data Processing Agreement 
NUMINTEC COMUNICACIONES SL, Telecommunications Services Company, registered in the Mercantile Registry, in the volume 35086, folio 126, general section, sheet 260483, 1′. – C.I.F. B- 63003636