Requested data and purposes of data collection
When the user fills in any of our forms, it will be necessary to provide certain personal data, which will be included in files belonging to BEABLOO, S.L. to carry out the user’s request.
BEABLOO, S.L. will comply with its duty of secrecy, as required by the personal data legislation, with all the collected data.
Exercise of the rights of access, rectification, erasure and objection
The data subject can exercise, at any time, the rights of access, rectification, erasure and objection with respect to any data about him or herself included in the data files belonging to BEABLOO, S.L.
User rights can be exercised:
- By e-mail to firstname.lastname@example.org including in the subject “Ref DATA PROTECTION”
- By writing to BEABLOO, C/PUJADES, 350 8º A2 08019 BARCELONA (BARCELONA)
The data subject has to attach to the request a photocopy of a valid ID.
Veracity of data, updating data
The user must fill in the forms with real, exact, complete and up-to-date data. The user will not enter data about other people; BEABLOO will presume that the data has been entered by the data subject him or herself. The user will be solely responsible for any harm or damage, directly or indirectly caused to another individual, derived from providing false, inexact, incomplete, or outdated data or data referring to another person.
The user must communicate any changes in the provided data in order to keep it up-to-date.
Information Security Policy
BEABLOO has taken all the measures required by law to protect personal data; likewise, BEABLOO has adopted the technical measures available to prevent data loss, unfair use, alteration, unauthorized access or data theft. Nevertheless, the user should take into account that security measures on the Internet are not completely unbreachable.
In response to the new technological atmosphere where the convergence of information technology and communication is creating a new productivity paradigm for companies, BEABLOO is committed to maintaining a competitive service. Its offering includes app hosting services in a quality environment in which best practice in security is the key to ensuring the confidentiality, integrity, and availability of all processed information, as well as compliance with the existing legislation.
BEABLOO has consequently defined the following guidelines for implementing its Information Security Management System (ISMS):
- Confidentiality: Information processed by BEABLOO will be made available or disclosed exclusively to authorized persons at the time and by the means established.
- Integrity: Information processed by BEABLOO will be complete, accurate and valid and the content will be as furnished by the parties concerned and subject to no manipulation whatsoever.
- Availability: Information processed by BEABLOO will be accessible to and usable by authorized persons at any given time, guaranteeing its persistence against any eventuality.
- Compliance: BEABLOO guarantees compliance with any and all applicable laws and more specifically with the regulations in effect on the processing of personal data.
Company management assumes responsibility for supporting and furthering the establishment of the organizational, technical and control measures necessary to comply with the above security guidelines.
All policies and procedures included in the ISMS will be reviewed and approved and their application encouraged by BEABLOO’s management.
This security policy will be maintained, updated and adapted to the organization’s needs and aligned with its strategic risk management principles. To that end, it will be reviewed at planned intervals or whenever significant changes arise to ensure its suitability and effectiveness. To manage the risks confronting BEABLOO itself, the company has defined a formal risk assessment procedure.
BEABLOO forbids the use of this website by individuals under 14 years of age unless specific consent has been given by their parents or guardians.
Minors are not allowed to provide data about other household members, such as the title or job of their parents, economic data, sociological characteristics or any other kind of information, without the consent of the data subjects themselves.
This website deploys web analytics in order to gain some understanding of how users search for, access and navigate it. These analytics can entail the collection of personal data like the user IP address, connection location, browsing software and hardware features, etc. This information is not associated with the user and is exclusively used for statistical analysis.
Use of third-party functions and plug-ins
This website may deploy functions and plug-ins provided by third parties. These functions serve several purposes like:
- Third-party web analytics
- Third-party maps
- Third-party video streaming
- Sharing contents in social networks
- “Fav”, “Like”, “+1” and similar buttons
A function or plug-in provided by a third party establishes a direct connection between the user’s browser and internet domains owned by the third party, allowing the download and execution of the function.
Most third-party plugins collect information about the websites visited by the user in order to know his or her interests and to provide targeted advertisements.
Use of the Google Analytics function provided by Google, Inc.
The user consent for the processing performed by Google is implied from the use of this website.
Use of functions provided by Google, Inc.
This website deploys functions provided by Google Inc (1600 AMPHITHEATRE PARKWAY, MOUNTAIN VIEW, CALIFORNIA, USA) like Youtube videos, maps and social buttons “+1”. These functions can entail the collection of user activity tied to his or her IP address. When the user loads this website, the user browser makes a connection to Google domains like google.com enabling Google to know that the user is accessing the website. Google collects usage data for several purposes including targeted advertisements according to Google’s privacy policies http://www.google.es/intl/en/policies/privacy/
The user consent for the processing performed by Google is implied from the use of this website.
Information regarding data protection regulations for BEABLOO clients
Information about General Data Protection Regulation (EU) 679/2016 and Organic Law 15/1999 on personal data protection
1 – Introduction
This section lays out the information regarding compliance with the current legislation on personal data protection as it relates to use of multichannel digital communication services provided by BEABLOO. These include, among others, digital signage and analytics services (Content Analytics, Radio Analytics, Video Analytics, beacons and myBloo.)
Organic Law 15/1999 on personal data protection (LOPD) regulates personal data processing to guarantee the fundamental right to data protection set out in the European Charter of Fundamental Rights.
The General Data Protection Regulation (EU) 679/2016 (GDPR) regulates personal data protection in the European Union. It is directly applicable in all member states of the European Economic Area and is mandatory from the implementation date, May 25, 2018.
2 – Position of the CLIENT and BEABLOO as controller and processor, respectively
BEABLOO offers personal data processing services as the data PROCESSOR, while the CLIENT takes on the role of data CONTROLLER.
Below are different aspects that the CLIENT must consider to comply with its obligations as the data controller. For more information, see the Spanish Data Protection Agency website, http://www.agpd.es
3 – The CLIENT’s obligations derived from the GDPR (from May 25, 2018)
Create a record of data processing activities in accordance with article 30 of the GDPR. In this data processing activity record, the CLIENT must include a processing activity with the following information in accordance with article 30.1 of the GDPR:
- Controller: identification of the CLIENT as the data controller
- Purposes of the processing: multichannel digital communication and analytics services in establishments through pseudonymized Wi-Fi device tracking, local facial analysis and beacon detection. Analytics services performed with pseudonymized and anonymized data.
- Categories of data subjects and categories of data: visitors to the establishments. For Video Analytics, the facial recognition software analyzes a person’s face to infer certain parameters, such as gender or age range, without generating identifying data or storing any images of faces. These images are analyzed then discarded immediately. For Radio Analytics, the processed data includes: a hash calculated from the MAC address of the device (which allows for the detection, but not the identification, of unique devices), the approximate position/location of a device, the type of device and/or its operating system. Beacons store data relative to the detection of a nearby beacon, which is associated with a specific location. They also store data relative to content views on a unique device.
- Data recipients: the data is only used for statistical and analytic purposes. Identifying data is never sent to third parties under any circumstances. The recipient of the statistics is the Controller.
- Transfer: no data transfer outside of the European Economic Area is expected.
- Time limits: pseudonymized data will be kept for the length of time required to successively identify unique devices (beacons and Radio Analytics). Images captured for Video Analytics are discarded immediately.
- Security measures: to guarantee the security of devices and online infrastructure, BEABLOO has implemented an Information Security Management System in accordance with ISO 27001:2013 that includes yearly external audits of the systems among other aspects.
Analyze the legal basis for treatment. To facilitate compliance with this obligation, BEABLOO has established the following legitimizing bases:
- Beacons service: based on consent from interested parties, which must be requested by the CLIENT from APPS compatible with beacons. Consent must be informed and through a clear, affirmative response from the user.
- Radio and Video Analytics services: based on the legitimate interest of the Controller in accordance with article 6.1.f of the GDPR and following the recommendations of Opinion 6/2014 of the Article 29 Working Party on legitimate interest (WP217).
Inform interested parties about data processing in accordance with articles 13 and 14 of the GDPR. To facilitate compliance with this obligation, the CLIENT must request the following forms from BEABLOO:
- Informative sign regarding the use of Radio Analytics and Video Analytics
- Informative note to include in all of the CLIENT’S beacon-compatible APPS
- Optionally, an informative note that BEABLOO recommends the CLIENT include on its website
Attend to the rights of the interested parties in relation to their rights to:
- access (article 15 of the GDPR)
- rectification and erasure (articles 16 and 17 of the GDPR)
- restriction of processing (article 18 of the GDPR)
- data portability (article 20 of the GDPR)
- objection and automated individual decision-making (articles 21 and 22 of the GDPR)
To facilitate compliance with the obligation, the CLIENT must request the forms from BEABLOO to attend to these requests.
Sign a data processor contract in accordance with article 28 of the GDPR. To facilitate compliance with this obligation the CLIENT can request a copy of the processor contract form from BEABLOO.
Perform a risk analysis and, if necessary, an impact assessment. To facilitate compliance with these obligations, BEABLOO provides the main conclusions of the risk analysis of information security issues, as well as the impact assessment related to the use of analytics services.
Report security violations. It is the responsibility of the CLIENT to notify the data protection authorities and the persons whose data has been compromised by any data security violations (articles 33 and 34 of the GDPR). To that end, in case of any incident that poses a risk to the rights and freedoms of those affected, BEABLOO will notify the CLIENT as soon as possible and will help with the notifications.
Designate a data protection officer. In accordance with articles 37, 38 and 39 of the GDPR, the CLIENT must designate a data protection officer and report their identity to the data protection authorities. The CLIENT must also inform BEABLOO of the data protection officer’s contact information.
In accordance with article 37.1.b of the GDPR, BEABLOO will designate a data protection officer from May 25, 2018 and publish their contact information on the website.
4 – The CLIENT’s obligations derived from the LOPD (not applicable after May 25, 2018)
These obligations apply to CLIENTS with establishments in Spain and are no longer applicable after May 25, 2018.
Register a file with the Spanish Data Protection Agency. Although the GDPR eliminates the need to register a file with the Spanish Data Protection Agency from May 25, 2018, the obligation remains in force until then. While this obligation remains in force, the CLIENT must access the website of the Electronic Headquarters of the Agency (https://sedeagpd.gob.es/sede-electronica-web/) and begin the electronic process called “Inscripción de ficheros NOTA”.
As part of this process, the CLIENT must fill in its information under CONTROLLER and must provide the following information about BEABLOO in section 4, titled “ENCARGADO DE TRATAMIENTO”:
Name or company name: BEABLOO SL
Address: C/ PUJADES 350, PLANTA 8 A2
Zip code: 08019
Phone number: +34.93.518.22.07
Draw up a security document in accordance with Royal Decree 1720/2007, which must contain the CLIENT’s procedures related to:
- The scope of application of the document with detailed specifications of the protected resources.
- The measures, laws, operating procedures, rules and standards designed to guarantee the legal level of security.
- The functions and obligations of personnel related to the processing of the personal data included in the files.
- The structure of the files with personal data and a description of the information systems that treat them.
- The incident notification, management and response system.
- The procedures for creating backup copies and recovering data from files or automated processing.
- Adopting the measures necessary for transporting devices and documents, as well as the destruction of documents and devices and, if necessary, their reuse.
- The identification of the security officer(s).
- Periodic controls to verify compliance with the security measures mentioned in the security document.
The CLIENT can include anything related to BEABLOO’s data processing in their preexisting security document or they can draw up a specific one. To that end, it can be useful to download the security document template created by the Spanish Data Protection Agency found here:
Security measures in accordance with Royal Decree 1720/2007. BEABLOO guarantees the application of security measures in compliance with Royal Decree 1720/2007, including the following:
- Personnel functions and obligations: BEABLOO personnel have received the necessary training regarding IT systems security and have all of the necessary rules and procedures.
- Incident report: BEABLOO will report any incidents that occur that could affect personal data included in CLIENT documents, indicating the type of incident, the time it occurred, the person who made the report, who they reported it to and the possible effects of the incident.
- Identification and authentication: BEABLOO has implemented identification and authentication procedures based on passwords or similar mechanisms. There is a process for assigning, distributing and storing passwords that guarantees their confidentiality, integrity and individual identification for users. In regard to CLIENT personnel access to the web control panel, it is the responsibility of the CLIENT to maintain an updated list of the authorized persons and grant individual passwords confidentially, and to renew them at least once a year.
- Access control: BEABLOO personnel are only authorized to access the necessary resources to perform their duties. The CLIENT must only grant usernames and passwords to access the BEABLOO web control panel to those persons designated for management and supervision and no-one else.
- Physical access control: The infrastructure that provides the service is housed in a space equipped with access control and monitoring and control systems to guarantee that only authorized persons have access.
- Device management: BEABLOO performs the management and inventory of the devices necessary for the analytic infrastructure.
- Device destruction: BEABLOO has implemented measures for the destruction of devices. These devices will only leave BEABLOO locations with prior authorization from the CLIENT.
- Backup copies and recovery: BEABLOO will make security backups of CLIENT information, which will be stored in its web infrastructure.
- Data protection audit: BEABLOO will provide the necessary data to the CLIENT to perform data protection audits related to files of which the CLIENT is the controller and always related to the verification of the requirements stipulated in the LOPD and their development in Royal Decree 1720/2007.