DATA PROTECTION POLICY
BOOMERANG TV, S.A.
Introduction
The Spanish Constitution, in its Article 18, guarantees the right to honour, to personal and family privacy and to one's own image. In particular, section 4 establishes the need to protect those fundamental rights in the field of information technologies. Thus, Article 18.4 of the Spanish Constitution stipulates:
“The law shall restrict the use of data processing in order to guarantee the honour and personal and family privacy of citizens and the full exercise of their rights.”
To comply with this mandate and develop its content, the Organic Law on the Regulation of the Automated Processing of Personal Data (5/1992, 29 October), known as the LORTAD, was enacted.
Subsequently, the European Union enacted Directive 95/46/EC on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
In compliance with that Directive, Spain enacted the Organic Law on the Protection of Personal Data (L.O. 15/1999, 13 December), hereinafter LOPD, which transposed Directive 95/46/EC into the Spanish legal framework, and the Royal Decree 1702/2007, 21 December, which approved the regulation implementing the LOPD.
However, in order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation was necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States.
That is why the EU approved on 25 May 2016 the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The General Data Protection Regulation of the European Union, currently in force, has repealed Directive 95/46/EC and is fully and directly applicable throughout the territory of the European Union.
Article 24 of the GDPR establishes the accountability obligation of the controller to implement appropriate data protection policies to ensure, and to be able to demonstrate, that processing is performed in accordance with that regulation.
One of the basic obligations of the controller is the training of staff involved in processing operations and raising staff awareness of the importance and necessity of complying with the regulation.
On the basis of these considerations, and aware of how important it is for the staff to know the regulation currently in force in relation to data protection, this internal data protection regulation has been approved as mandatory for every employee.
Scope of application
The present policy applies to BOOMERANG TV, S.A. (hereinafter, BOOMERANG TV).
Compliance
Compliance with the present policy is mandatory for all departments and employees of BOOMERANG TV and covers personal data processed both electronically and on paper.
Purpose of the policy
The purpose of the present policy is to provide training and information on data protection to the employees of BOOMERANG TV, to be taken into account in the fulfilment of their duties.
This policy is addressed to every Department, and specifically to those intervening in the processing of personal data, as well as to the heads of such Departments, internal units, the staff authorised to access personal data and to communicate this policy, and the development staff.
Definitions
For the purposes of the current regulation and the GDPR:
- 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- 'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future;
- 'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- 'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
- 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- 'recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- 'third party' means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- 'genetic data' means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
- 'biometric data' means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
- 'data concerning health' means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
- 'enterprise' means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
- 'group of undertakings' means a controlling undertaking and its controlled undertakings;
- 'binding corporate rules' means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
- 'supervisory authority' means an independent public authority which is established by a Member State pursuant to Article 51;
- 'supervisory authority concerned' means a supervisory authority which is concerned by the processing of personal data because: (a) the controller or processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority;
- 'cross-border processing' means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
- 'information society service' means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;
- 'international organisation' means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
Data Protection Officer (DPO) of BOOMERANG TV
BOOMERANG TV’s data protection officer has the following tasks, among others:
- a. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to data protection provisions;
- b. to monitor compliance with the current data protection regulation and BOOMERANG TV’s data protection policies;
- c. the assignment of responsibilities, awareness-raising and training of staff involved in processing operations;
- d. the execution of the related audits;
- e. to provide advice about the data protection impact assessment and monitor its performance;
- f. to cooperate with the supervisory authority, in specific with the Spanish Data Protection Agency;
- g. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, where appropriate, and to consult, where appropriate, with regard to any other matter.
BOOMERANG TV’s data protection officer’s data are the following:
Name: Sandra Torrillas Rodríguez; Email: dpd@boomerangtv.com
General principles of data protection
Principle of fairness, which implies the compliance with the general or sector legislation applicable to processing, as well as the policies and guidelines of BOOMERANG TV.
Principle of proportionality, which implies that the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.
Principle of lawfulness, which implies that any processing shall be lawful only if and to the extent that at least one of the following applies:
- The subject has given consent to the processing of their personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by BOOMERANG TV or by a third party directly related to BOOMERANG TV, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Principle of transparency, which implies that the subject shall be informed of the extent of the processing in a fair, unequivocal, specific and express manner.
Principle of purpose and limitation of purpose, which implies that processing shall always be carried out with explicit, lawful and specific purposes.
Principle of compatibility, which forbids the processing of personal data for purposes incompatible with those for which the personal data were initially collected. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes will not be considered incompatible.
Principle of data minimisation, which implies that the data processed will be adequate, relevant and limited to the minimum amount of data necessary in relation to the purposes for which they are processed.
Principle of accuracy, which implies that personal data will be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Principle of storage limitation, which implies that the data will be kept in a form which allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Principle of integrity, confidentiality and security, which implies that the data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Principle of data protection by design and by default, which implies keeping the processing of personal data to a minimum in relation to (i) the amount of personal data collected, (ii) the extent of their processing, (iii) the period of their storage and (iv) their accessibility.
Principle of accountability, which implies that the controller shall be responsible and be able to demonstrate compliance with the principles mentioned.
Conditions for consent
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
Any part of such a declaration which constitutes an infringement of the GDPR shall not be binding, and the data subject shall have the right to withdraw their consent at any time.
The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Prior to giving consent, the data subject shall be informed thereof.
Moreover, it shall be as easy to withdraw as to give consent.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Special categories of data
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
The foregoing prohibition shall not apply if one of the following applies:
- a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
- b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
- c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
- e) processing relates to personal data which are manifestly made public by the data subject;
- f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards established in the GDPR;
- i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Processing of personal data relating to criminal convictions and offences
Processing of personal data relating to criminal convictions and offences or related security measures shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
Information to be provided where personal data are collected from the data subject
Where personal data relating to a data subject are collected directly from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
- a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
- b) the contact details of the data protection officer, where applicable;
- c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- d) where the processing is based on legitimate interest, the legitimate interests pursued by the controller or by a third party;
- e) the recipients or categories of recipients of the personal data;
- f) the controller’s intention to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, where applicable, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
- g) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- h) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- i) where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- j) the right to lodge a complaint with a supervisory authority;
- k) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- l) the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
- m) where further processing of personal data is intended for a purpose other than that for which they were collected, information about that purpose and any other relevant information shall be given to the data subject prior to that further processing.
Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
- a) the information listed in the previous section;
- b) the categories of personal data concerned;
- c) from which source the personal data originated, and if applicable, whether it came from publicly accessible sources.
The information referred to in the previous sections will be provided to the data subject:
- a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
- b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
- c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
However, the former shall not apply where and insofar as:
- a) the data subject already has the information;
- b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89 (1) of the GDPR, or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;
- c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
- d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
The data subject will be informed of the following rights, which shall also be handled and managed insofar as they are exercised:
Right of access: the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- a. the purposes of the processing;
- b. the categories of personal data concerned;
- c. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- d. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- e. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- f. the right to lodge a complaint with a supervisory authority;
- g. where the personal data are not collected from the data subject, any available information as to their source;
- h. the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- i. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
Right to rectification which will grant the data subject the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure ('right to be forgotten') which grants the data subject the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- b. the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- c. the data subject objects to the processing for reasons related to their particular situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing with a marketing purpose;
- d. the personal data have been unlawfully processed;
- e. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- f. the personal data have been collected in relation to the offer of information society services when the subject was under age.
Right to restriction of processing which will grant the data subject the right to obtain from the controller restriction of processing where one of the following applies:
- a. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- b. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- c. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- d. the data subject has objected to processing based on reasons related to their particular situation, pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability, which will grant the data subject the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent or on a contract; and
- the processing is carried out by automated means.
Right to object which will grant the data subject the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on a task carried out in the public interest or the purposes of the legitimate interests pursued by the controller, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Moreover, where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) of the GDPR, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The aforementioned rights shall be guaranteed and managed to the extent to which they are exercised by the data subjects, always taking into account their scope, particularities and limitations.
Requests to exercise these rights shall be handled and managed according to the internal procedure via the email address protecciondedatos@boomerangtv.com, to which every employee must therefore notify the existence and receipt of any kind of communication received by BOOMERANG TV from interested third parties.
Provision of services by third parties
Where processing is to be carried out on behalf of BOOMERANG TV, only processors providing sufficient guarantees to implement appropriate technical and organisational measures shall be used, in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
That contract or other legal act shall stipulate, in particular, that the processor:
- a. processes the personal data only on documented instructions from BOOMERANG TV, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- b. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- c. takes all measures required pursuant to Article 32 of the GDPR (security of processing);
- d. respects the conditions set out above for engaging another processor;
- e. taking into account the nature of the processing, assists BOOMERANG TV, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights;
- f. assists the controller in ensuring compliance with its security obligations, including the notification of personal data breaches to the supervisory authority and to the data subject, and with any prior consultation of the Spanish Data Protection Agency, taking into account the nature of the processing and the information available to the processor;
- g. at the choice of BOOMERANG TV, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
- h. makes available to BOOMERANG TV all information necessary to demonstrate compliance with the obligations laid down in this section and allows for and contributes to audits, including inspections, conducted by the controller or by another auditor mandated by the controller.
The processing contract referred to in this section will be provided to any requestor by BOOMERANG TV’s Legal Department.
Records of Activities
BOOMERANG TV shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
- a. the name and contact details of BOOMERANG TV and, where applicable, the joint controller, the controller's representative and the data protection officer;
- b. the purposes of the processing;
- c. a description of the categories of data subjects;
- d. a description of the categories of personal data;
- e. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- f. transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, where appropriate, the documentation of suitable safeguards;
- g. where possible, the envisaged time limits for erasure of the different categories of data;
- h. where possible, a general description of the technical and organisational security measures.
Security measures
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
Data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
The record of processing activities maintained by BOOMERANG TV, as controller, pursuant to Article 30 of the General Data Protection Regulation shall contain, where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of that Regulation.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless BOOMERANG TV, as controller, can demonstrate, in keeping with the principle of accountability, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay; the information may be provided in phases without undue further delay.
Moreover, the controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.
In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.
Where BOOMERANG TV carries out a data protection impact assessment, the processor shall take into account the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.
Obligation of secrecy
The obligation to keep professional secrecy in relation to personal data, and to safeguard it, is a basic and personal principle for every person taking part in the processing of such data. This obligation remains in force even after the relationship with the controller or, where applicable, the processor has ended.
Therefore, personal information will not be disclosed under any circumstances to any third party other than the data subject, not even to relatives of the data subject (nor verbally), unless required by law or with the express authorisation of the data subject.
INTERNATIONAL TRANSFER OF PERSONAL DATA
Any Department intending to transfer personal data outside of the European Economic Area shall consult BOOMERANG TV’s Legal Department beforehand.
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if the conditions laid down in the GDPR are complied with by BOOMERANG TV and by the other controllers and processors involved in the transfer, including for onward transfers of personal data from the third country or international organisation to another third country or another international organisation.
Transfers will comply with the following rules:
A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
In the absence of a decision by the Commission, BOOMERANG TV may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. The appropriate safeguards referred to in the GDPR may be provided for, without requiring any specific authorisation from a supervisory authority, by:
- a. a legally binding and enforceable instrument between public authorities or bodies;
- b. binding corporate rules approved by the supervisory authority in accordance with the consistency mechanism set out in Article 63 of the GDPR;
- c. standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2) of the GDPR;
- d. standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2) of the GDPR;
- e. an approved code of conduct pursuant to Article 40 of the GDPR together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
- f. an approved certification mechanism pursuant to Article 42 of the GDPR together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
Moreover, BOOMERANG TV may provide the appropriate safeguards subject to the authorisation from the competent supervisory authority, by:
- a. contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
- b. provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
In the absence of an adequacy decision of the Commission, or of appropriate safeguards, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation by BOOMERANG TV shall take place only on one of the following conditions:
- a. the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- b. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
- c. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- d. the transfer is necessary for important reasons of public interest;
- e. the transfer is necessary for the establishment, exercise or defence of legal claims;
- f. the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- g. the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
Where a transfer cannot be based on an adequacy decision of the Commission or on appropriate safeguards, including the provisions on binding corporate rules, and none of the derogations for specific situations referred to in the previous paragraph is applicable, a transfer by BOOMERANG TV to a third country or an international organisation may take place only under all of the following conditions:
- a. the transfer is not repetitive;
- b. the transfer concerns only a limited number of data subjects;
- c. the transfer is necessary for the purposes of compelling legitimate interests pursued by BOOMERANG TV which are not overridden by the interests or rights and freedoms of the data subject;
- d. having assessed all the circumstances surrounding the data transfer, BOOMERANG TV has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
In these cases, BOOMERANG TV shall inform the supervisory authority of the transfer, and, in addition to providing the information referred to in Articles 13 and 14 of the GDPR, inform the data subject of the transfer and on the compelling legitimate interests pursued.
BOOMERANG TV shall document the assessment as well as the suitable safeguards referred to in the previous paragraphs.
Infringements and fines established in the current regulation
Infringements of the provisions of the GDPR will be sanctioned by the supervisory authority and are subject to administrative fines of, depending on the provision infringed, up to 10,000,000 EUR or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher; or up to 20,000,000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Action in relation to the Spanish Data Protection Agency
BOOMERANG TV’s Data Protection Officer is responsible for maintaining institutional relations with the Spanish Data Protection Agency, without prejudice to the collaboration of the Legal Services Directorate, the Security Department and the internal units responsible for each file.
As a consequence of the duties of the Director of the Spanish Data Protection Agency established by law in relation to information requests and inspection activities, and in order to maintain a single channel of dialogue with the Spanish Data Protection Agency, any Department receiving an inspection notice or an information request from the Spanish Data Protection Agency shall immediately notify the Data Protection Officer.
In the case of an inspection, the Data Protection Officer will be present during such act, and the inspection must not begin without the Data Protection Officer’s attendance.
In the case of a procedural notification or an information request, the Data Protection Officer shall be provided with the original document from the Agency, together with the date of notification and details of the requests made by the Agency. The Data Protection Officer will send the appropriate answer to the Agency.
Staff obligations
All BOOMERANG TV staff are obliged to know and comply with the current policy and the guidelines, actions and procedures resulting from it.
Failure to comply with the current Data Protection Policy or the guidelines, actions and procedures resulting from it will lead to appropriate disciplinary action and, where applicable, the resulting legal liability.
Enquiries
Any enquiry in relation to the current policy shall be directed to the email address: protecciondedatos@boomerangtv.com. Moreover, any proposal to modify the current policy shall be directed to BOOMERANG TV’s Legal Department.
Effect
The current policy shall come into force on the day of its publication on the corporate intranet, repealing any previous version, and its application and compliance will be mandatory for all employees.
Policy Approval
The present policy has been approved by the Corporate Director.
Modification and update of the Policy
The present policy may be modified and/or updated by the Corporate Directorate of BOOMERANG TV when necessary, in order to adapt it to legal or organisational changes.