Taptap Digital | Corporate Privacy Policy

cyber-security-concept-digital-art (1).jpg

Corporate Privacy Policy

1. Responsable del tratamiento

Los datos personales que nos facilite serán tratados por Taptap Digital, S.L. (“Taptap”), con CIF B85914182 y domicilio en calle del Poeta Joan Maragall nº 1, planta 14, 28020 - Madrid, como responsable del tratamiento del sistema interno de información. Para cualquier comunicación relativa a su privacidad, puede contactar con Taptap en el correo privacy@taptapnetworks.com, o con DWF-RCD como delegado de protección de datos de Taptap en el correo dpoprivacy@dwf-rcd.law.

2. Finalidad del tratamiento

Trataremos sus datos al amparo de la Ley 2/2023, de 20 de febrero, reguladora de la protección de las personas que informen sobre infracciones normativas y de lucha contra la corrupción (la “Ley de Protección del Informante”), con el fin de gestionar las notificaciones que recibamos en nuestro Canal Interno de Información sobre los hechos denunciados, para realizar la investigación de dichos hechos o para adoptar las medidas correctivas pertinentes e informarle, una vez concluida la investigación, sobre el resultado de las investigaciones realizadas.

En particular, los datos que trataremos podrán incluir las siguientes categorías: datos de carácter identificativo, datos referentes a sus características personales y circunstancias sociales, datos de contacto, datos académicos y profesionales, datos económicos, financieros y de seguros. Los datos personales tratados pueden haber sido aportados tanto por el propio interesado como por terceros.

3. Base de legitimación

Conforme al artículo 6.1.c del RGPD, el tratamiento de datos es necesario para el cumplimiento de las obligaciones previstas en la Ley de Protección al Informante.

La información recibida que contenga datos considerados de categoría especial será suprimida de forma inmediata, sin que se registre y se proceda al tratamiento de estos, siempre que dichos datos no sean necesarios para llevar a cabo la investigación y salvo que el tratamiento se realice por razones de interés público esencial, en virtud del artículo 9.2.g) del RGPD.

En el caso de aquellas denuncias que versen sobre asuntos relacionados con conductas de acoso, los datos personales serán tratados en base a la Ley Orgánica 10/2022, de 6 de septiembre, de garantía integral de la libertad sexual.

4. Plazo de conservación de los datos

Los datos personales relativos a las informaciones recibidas y a las investigaciones internas realizadas al efecto solo se conservarán durante el período previsto en la Ley de Protección al Informante. En particular, se tendrá en cuenta lo previsto en los apartados 3 y 4 del artículo 32 de dicha Ley. En ningún caso podrán conservarse los datos por un período superior a diez años en el correspondiente libro registro.

No obstante, de forma extraordinaria, Taptap se reserva la posibilidad, con la finalidad de poder ejercer con todas las garantías sus derechos de defensa, de conservar debidamente bloqueados los expedientes de denuncias por un periodo máximo equivalente al plazo de prescripción que aplique en cada caso al presunto ilícito penal o a la supuesta infracción administrativa denunciada.

5. Destinatarios de los datos

Los datos personales serán tratados de forma confidencial salvo que se realicen de forma anónima, en cuyo caso no se producirá tratamiento de datos personales.

El acceso a los datos quedará limitado exclusivamente a los responsables del Sistema Interno de Información, así como a los responsables de la adopción de medidas disciplinarias derivadas de los hechos que sean objeto de investigación.

Con pleno respeto a la identidad del denunciante en los términos previstos en la Ley de Protección al Informante, sus datos personales podrán ser comunicados a (i) autoridades y/o administraciones públicas, en el ejercicio de sus funciones legales; o (ii) terceros en los que Taptap se pueda apoyar para la gestión de su Canal Interno de Información (plataformas de alojamiento de datos, proveedores en los que se pueda delegar la investigación, abogados u otro tipo de asesores o consultores externos).

6. Ejercicio de derechos

Podrá ejercer sus derechos de acceso, rectificación, supresión, oposición, limitación de la finalidad y portabilidad con respecto a los datos personales que nos haya facilitado a través del correo privacy@taptapnetworks.com.

En caso de considerar vulnerados sus derechos, podrá dirigirse al delegado de protección de datos de Taptap (dpoprivacy@dwf-rcd.law) o, si éste no atendiese su requerimiento, podrá interponer una reclamación ante la Agencia Española de Protección de Datos (www.aepd.com).

This policy was last updated on the 25th of January, 2025.

DOWNLOAD IN PDF

Our Objective

Taptap Digital SL and its associated entities ("Taptap") accord paramount importance to the protection and security of personal data. Our aim is for Taptap to set a standard in privacy safeguarding. Accordingly, it is fundamental to our operations to adhere to all statutory mandates when gathering and processing personal data. These mandates specifically encompass the stipulations of the EU Data Protection Regulation and any pertinent data protection statutes.

This data protection policy delineates the tenets and protocols that Taptap enacts to preserve the rights and liberties of natural persons in relation to the processing of their personal data.

2. Our principles for the processing of personal data

In the processing of personal data, we adhere to the following principles:

Lawfulness: The processing of personal data always requires a legal basis.
Transparency: Every data subject should be able to understand the processing of their personal data.
Purpose Limitation: The purposes for which personal data are processed must be clearly identified in advance and defined at the time of collection.
Data Minimisation: The processing of personal data shall be limited to what is appropriate, factual, relevant, and necessary for the purpose of the processing. This shall also apply to the access options.
Accurate and Up-to-Date: Personal data must be stored correctly and completely and kept up to date. Suitable measures should be taken to erase, correct, supplement, or update any data that are inaccurate, incomplete, or outdated.
Storage Limitation: Personal data should only be stored for the time necessary for the purpose of the processing or as permitted by other legal regulations.
Integrity and Confidentiality: In the processing of personal data, appropriate technical and organisational measures should be taken to adequately protect the data, particularly against unauthorised or unlawful processing, or against accidental loss and against accidental destruction or damage.

As part of the responsible execution of our commitment, we document the processing of personal data as proof of adherence to the aforementioned principles.

3. Lawfulness of data processing

Any processing of personal data is unlawful if it does not have a legal basis. Taptap processes personal data, particularly for the following legitimate reasons:

Execution of a contract or implementation of pre-contractual measures, for example, processing customer data based on a contracted service or employee data based on an employment contract.
Compliance with a legal obligation, for instance, data retention post-termination in accordance with tax law.
Legitimate interests, such as sending advertising for services similar to those contracted (provided advertising exemption has not been requested).
Consent of the data subject, for example, for profiling activities or processing health data.

Certain special categories of personal data, such as information on ethnic origin or religious beliefs, or health-related data, can only be processed with explicit consent or legal authorisation.

4. Rights of data subjects

Safeguarding the rights and liberties of natural persons in relation to the processing of their personal data is a paramount concern for Taptap. To ensure such protection, data subjects are entitled to, among others, the following rights:

Information: Data subjects shall be promptly and transparently informed about the processing of their data. This applies whether the personal data is obtained directly from the subject or through third-party collection.
Access: Data subjects may at any time request information about their stored/processed personal data, as well as a copy of such data.
Rectification: Data subjects may request the correction or completion of their personal data if it is incorrect or incomplete, such as an erroneous name or address.
Erasure: Data subjects may request the deletion of their personal data. This right is applicable unless it conflicts with existing obligations or rights, such as statutory storage obligations.
Restriction of Processing: Data subjects may request that the processing of their personal data be restricted, for instance, if the data is inaccurate.
Objection: Data subjects may object to the processing of their personal data for advertising purposes at any time. For other purposes, such objection is possible under certain conditions, depending on the data subject's particular personal circumstances.
Individual automated decision-making: In the context of efficient business transactions, data subjects are subject to automated decision-making on a case-by-case basis only if it is lawful, for instance, in fulfilling a contract. Data subjects will be informed about the corresponding automated processing procedures.

Data subjects will receive all information related to the processing of their personal data in clear and simple language.

In the event of a personal data security breach, data subjects will be informed of the incident if legal requirements concerning risks to their rights and freedoms are met.

Data subjects are free to lodge a complaint with Taptap, contact its Data Protection Officer, the data protection supervisory authority, or a court of law to exercise their rights concerning the processing of their personal data. This policy does not restrict or affect the legal rights or legitimate claims of the data subjects.

5. Third-party processing and data transfer

Should personal data be processed by service providers or external collaborators on behalf of Taptap, appropriate data protection measures (dependent on the scope of activity) shall be enforced, for instance:

Third-party personal data processing: In accordance with Article 28 GDPR, Taptap has the requisite data processing agreement in place with service providers who access personal data. Likewise, when Taptap acts as a data processor, the necessary data processing contracts are being established.
Transfer of functions: If a third party is entrusted with tasks beyond personal data processing, which require their decision-making authority regarding data usage, data protection agreements (comparable to those for third-party data processing) shall be formalised with such parties. These will mandate appropriate technical and organisational measures, akin to those necessary for third-party data processing.
Confidentiality agreement: If there is a risk of improper disclosure of personal data in individual cases, a confidentiality agreement will be formalised with the provider for security reasons.

Personal data may only be processed outside of the EU or viewed from outside the EU if adequate guarantees and verifications are established to ensure the security of the processing, for example, by formalising standard data protection clauses.

6. Data security, impact assessment, and technical protection measures

We implement all requisite technical and organisational measures to safeguard the processing of personal data. These particularly include mechanisms to ensure the confidentiality, integrity, and availability of personal data, as well as the resilience of systems and services.

In every data processing activity, we carefully assess any risks to the individuals' rights and privacy to choose the most suitable technical and organisational safeguards. If we identify high risks, we'll implement extra controls and measures to mitigate them effectively.

In processing personal data, the principle of 'data protection through technological design and appropriate pre-emptive data protection measures' (privacy by design/default) is observed, for instance, by pseudonymisation or data minimisation.

Technical and organisational measures are regularly reviewed for effectiveness and adjusted as necessary, in light of the latest technical advancements. This also applies to measures when involving service providers or external partners.

7. Compliance actions

This section lists the principal actions undertaken to comply with data protection regulations:

a. Personal data processing activities have been identified and inventoried with a proper register of data processing activities.

b. Risk assessments have been conducted on data processing activities to implement appropriate technical and organisational security measures commensurate with the risk level.

c. For processes likely to pose a high risk to the rights and liberties of data subjects, specific impact assessments have been carried out by Taptap.

d. In line with the principle of transparency and in accordance with Articles 13 and/or 14 of the GDPR, Taptap provides relevant information to data subjects regarding the processing conditions affecting them and their rights, through various types of privacy notices.

e. Following the principle of proactive accountability and to ensure compliance with regulations, Taptap has, among others, the following protocols and standards:

- A Security Protocol detailing necessary measures for continuous protection, confidentiality, integrity, availability, and resilience of processing systems and services; a rapid restoration of data availability and access in the event of a physical or technical incident; regular evaluation of the effectiveness of implemented technical and organisational measures to ensure processing security; and where appropriate, pseudonymisation and encryption of personal data.

- An Incident Security Protocol establishing procedures for reporting and communicating security breaches.

- A Rights Response Protocol outlining procedures to address the exercise of data subjects' rights.

- A Data Erasure and Retention Protocol setting data retention periods and data erasure responsibilities, in accordance with the principle of limiting the retention period of personal data.

8. Responsibilities and Organisation in Data Protection Matters