ANNEX I

1. Purpose of the data processing assignment

By these clauses, HEGOPLAC S.A. (hereinafter "HEGOPLAC"), the data processor, is authorized to process, on behalf of the data controller (hereinafter "the controller"), the personal data necessary to provide the service of managing, registering, and communicating license plates to the DGT (Dirección General de Tráfico, the Spanish Directorate-General for Traffic).

The processing will consist of: storing and recording the data provided to provide the contracted service and communicating them to the DGT in compliance with a legal provision.

Details of the processing to be carried out:

  • Storage

  • Consultation

  • Transfer

2. Identification of the affected information

For the performance of the services derived from the fulfillment of the purpose of this assignment, the entity acting as data controller makes available to HEGOPLAC, the data processor, the information described below:

  • Vehicle owner data, vehicle registration applicant data, and vehicle data.

3. Duration

This agreement has a duration equal to the service provision contract. Once this contract ends, the data processor will retain the license plate data for the period established by law.

4. Obligations of the data processor

The data processor and all its personnel undertake to:

  • a. Use the personal data processed, or those collected for inclusion, only for the purpose of this assignment. Under no circumstances may they use the data for their own purposes.

  • b. Process the data in accordance with the data controller's instructions. If the data processor considers that any of the instructions infringe the GDPR or any other data protection provisions of the Union or the Member States, the data processor shall immediately inform the controller.

  • c. Keep a written record of all categories of processing activities carried out on behalf of the controller, containing:

    1. The name and contact details of the processor(s) and of each controller on behalf of whom the processor acts and, where applicable, of the controller's or processor's representative and the data protection officer.

    2. The categories of processing carried out on behalf of each controller.

    3. Where applicable, transfers of personal data to a third country or international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, documentation of appropriate safeguards.

    4. A general description of the technical and organizational security measures relating to:

      • a) The pseudonymization and encryption of personal data.

      • b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

      • c) The ability to restore the availability and access to personal data quickly in the event of a physical or technical incident.

      • d) The process of regularly verifying, evaluating, and assessing the effectiveness of the technical and organizational measures to ensure the security of the processing.

  • d. Not to communicate the data to third parties, unless expressly authorized by the controller and in legally permissible cases. The processor may communicate the data to other processors of the same controller in accordance with the controller's instructions. In this case, the controller shall identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated, and the security measures to be applied to proceed with the communication. If the processor must transfer personal data to a third country or an international organization, pursuant to Union or Member State law applicable to it, it shall inform the controller of this legal requirement in advance, unless such law prohibits it on important grounds of public interest.

  • e. Subcontracting: No services that are part of the purpose of this contract and involve the processing of personal data may be subcontracted, except for the ancillary services necessary for the normal operation of the data processor's services.

    If it is necessary to subcontract any processing, this fact must be communicated in advance and in writing to the data controller, with one month's notice, indicating the processing to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact information. Subcontracting may be carried out if the data controller does not express its objection within the established period.

    The subcontractor, who will also have the status of data processor, is also obliged to comply with the established obligations.

  • f. Maintain the duty of confidentiality regarding personal data to which they have had access pursuant to this assignment, even after its purpose has ended.

  • g. Ensure that the persons authorized to process personal data expressly agree, in writing, to respect confidentiality and comply with the corresponding security measures, of which they must be duly informed.

  • h. Keep the documentation proving compliance with the obligation established in the previous section available to the controller.

  • i. Ensure the necessary training on personal data protection for persons authorized to process personal data.

  • j. Assist the data controller in responding to the exercise of the rights of:

    1. Access, rectification, erasure, and objection

    2. Restriction of processing

    3. Data portability

    4. Not to be subject to automated individualized decision-making (including profiling)

    When data subjects exercise their rights of access, rectification, erasure, objection, restriction of processing, data portability, and not to be subject to automated individualized decision-making before the data processor, the latter must notify the data controller by email to the address provided by the controller. This notification must be made immediately and in no case later than the business day following receipt of the request, together, where applicable, with other information that may be relevant to resolving the request.

  • k. Right to information. The data controller is responsible for fulfilling the data subjects' right to information at the time of data collection.

  • l. Notification of data security breaches: The data processor shall notify the data controller, without undue delay and in any case within a maximum period of 72 hours, via the email address provided by the controller, of any personal data security breaches under its responsibility of which it becomes aware, together with all information relevant to documenting and communicating the incident. Notification shall not be required when the breach is unlikely to constitute a risk to the rights and freedoms of natural persons.

    If available, at least the following information shall be provided:

    1. Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.

    2. The name and contact details of the data protection officer or other point of contact where further information can be obtained.

    3. Description of the possible consequences of the personal data breach.

    4. Description of the measures taken or proposed to remedy the personal data breach, including, where appropriate, measures taken to mitigate potential negative effects.

    If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided gradually without undue delay.

    It is the responsibility of the data processor to communicate data breaches to the Data Protection Authority.

    The communication shall contain, at a minimum, the following information:

    1. Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.

    2. Name and contact details of the Data Protection Officer or other point of contact where further information can be obtained.

    3. Description of the possible consequences of the personal data breach.

    4. Description of the measures taken or proposed to remedy the personal data breach, including, where appropriate, the measures taken to mitigate any potential negative effects.

    If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided gradually without undue delay.

  • m. Support the controller in conducting data protection impact assessments, where appropriate.

  • n. Support the controller in conducting prior consultations with the supervisory authority, where appropriate.

  • o. Make available to the controller all necessary information to demonstrate compliance with its obligations, as well as for audits or inspections carried out by the controller or another auditor authorized by it.

  • p. Implement the following security measures, in accordance with the risks identified by HEGOPLAC:

    • Backup copies

    • System access passwords

    • Confidentiality agreements

    In any case, mechanisms must be implemented to:

    • a) Guarantee the permanent confidentiality, integrity, availability, and resilience of the processing systems and services.

    • b) Restore the availability and access to personal data promptly in the event of a physical or technical incident.

    • c) Regularly verify, evaluate, and assess the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.

    • d) Pseudonymize and encrypt personal data, where appropriate.

  • q. Data Disposition

    Return the personal data and, where applicable, the media on which they are stored to the data controller once the service has been provided.

    The return must entail the complete deletion of the data on the computer equipment used by the data processor.

    However, the data processor may retain a copy, with the data duly blocked, as long as liability may arise from the performance of the service.

5. Obligations of the data controller

The data controller is responsible for:

  • a) Providing the data processor with the data referred to in clause 2 of this document.

  • b) Conducting an assessment of the impact on personal data protection of the processing operations to be carried out by the data processor.

  • c) Conducting any appropriate prior consultations.

  • d) Ensuring, beforehand and throughout the processing, that the data processor complies with the GDPR.

  • e) Supervising the processing, including conducting inspections and audits.