GENERAL INFORMATION ON DATA PROTECTION
PKF Attest is a multidisciplinary firm that provides professional services in different areas of the market through different companies. Without prejudice to the existence of these, it acts in the business arena as a sole organization in the provision of its services and, consequently, the data protection regulations are fully applicable to its activity. Specifically, it treats data with the following ends:
To adequately provide its services, PKF Attest accesses and processes information following its clients’ instructions, acting as the processing manager:
- Legal and fiscal services: legal and fiscal advisory services, official book keeping, preparation of payrolls, accounting and other administrative services.
- Financial services: financial and economic advisory and consultancy services, accounts auditing, teaching and training, insolvency administration, advice in M&A processes and restructuring and business reorganization processes, in the field of the capital markets and in planning for programmes and tenders for financial and fiscal aid for R&D&I.
- Consultancy services: design, development, marketing, implantation, maintenance, advisory and consultancy services for all types of IT solutions, Strategic, Organization, Commercial, Management Systems, Processes and Improvement, Development and People Management, Quality, Environment and Energy, Corporate Social Responsibility, Health and Safety at Work, teaching and training and Data Analytics consultancy services.
PKF Attest processes information on its staff and collaborators to correctly administer the group, to manage labour relations, to assess their professional work, to meet the legal obligations stemming from the labour relation to prevent money-laundering and to protect personal data.
PKF Attest treats its candidates’ data in order to manage the different selection processes involved in hiring.
PKF Attest also processes personal data to manage the dispatch of corporate information, the dissemination of information on organized events and/or activities, or events and activities in which it takes part.
In any event, the personal information provided by the interested parties will be treated lawfully, loyally and transparently. The treatments will be appropriate, pertinent and limited to what is necessary for the purposes for which the information is processed.
Legitimation for personal data treatment varies according to the purposes described above and the groups of interested persons and unequivocal consent is requested when necessary in compliance with what is established in current regulations on data protection. When legitimation is not consent, data will be treated in compliance with a contract or pre-contract to which the interested person is a party, or on the basis of the manager’s legitimate interest.
When data is collected on web forms, the fields marked with an asterisk are compulsory and, if it is not provided, the service in question cannot be managed.
For these purposes, PKF Attest, as a party to and with a commitment to the security and confidentiality of the information that it might store or the client’s personal data that might be processed (even temporarily), has taken the necessary measures to prevent the alteration, loss, treatment or unauthorized access to the said data, thanks to the measures periodically audited to guarantee:
- Confidentiality: through appropriate controls and administration of users with access to the systems. All PKF Attest’s staff have signed an appendix to their labour contract which includes confidentiality and the duty of secrecy as regards the access to information and personal data they may have in performing their work. Moreover, the application of encryption technologies has been implemented, both in storage and in the transmission of information. In addition, specific technologies are used to preserve confidentiality and access control or identification management solutions are applied, amongst others.
- Integrity: the information systems have security guidelines and password policies which limit and protect the information available through the assignation of access profiles both on local servers and in the Microsoft cloud.
- Availability: through guidelines for assigning resources and guidelines for backup copies which cover all the systems including the projects and services provided for clients. Systems data recovery trials are run for serious incidents that might limit data availability.
- Implementation of resilience mechanisms, which permit monitoring and rapid detection of incidents and guarantee the articulation of the foreseen recovery mechanisms.
- Application of protocols to respond to physical and logical incidents, which guarantees their rapid and efficient solution.
- Implementation of audit practices to periodically check the implementation of the different security measures and their efficiency.
Moreover, PKF Attest has become a Microsoft Gold Partner, which necessarily implies passing the audits Microsoft establishes in relation to software licences and their use.
PKF Attest has defined the actions to be taken to make it a consultancy service provider, which include:
- Risk analysis distinguished by treatment rather than the actual security system for the whole set of information systems.
- Organizational measures to bring the appendix to employee’s labour contract in line with what is required in the GPDR in respect of the obligations of staff with access to client data.
- Reinforcement of the current process for managing incidents to include the prevention of security gaps and their due notification to the control authority and/or the processing manager, as may be relevant.
In respect of the destination of the data: it will only be released in the conditions which were informed of in each case and in compliance with legal provisions.
In relation to the time of conservation, the data will be processed from the time it is collected until the purpose for which it was collected ends or until the time the consent given is revoked.
Interested persons are informed of the possibility of their rights to:
- Access their personal data and request the rectification of inaccurate data or, where relevant, request their suppression when, amongst other reasons, the data is no longer necessary for the purposes which justified its collection.
- The interested person has the right to exercise their right to forgetfulness and to the portability of their data provided that it is technically feasible.
- In some circumstances, interested persons may request the limitation of the treatment of their data, in which case it will only be kept to exercise the right to defence in possible claims.
- In some circumstances and for reasons related to their particular situation, interested persons may oppose the treatment of their data. PKF Attest will stop processing the data, unless there are overriding legitimate reasons or it is to exercise the right to defence in possible claims.
Interested persons may exercise the abovementioned rights through the email address firstname.lastname@example.org. If they do not agree with the assistance received in respect of their rights, they have the right to present a claim before the Spanish data protection agency on www.agpd.es.