PARTIES:
TALENOM S.L.U., with tax identification number B-66461351, officially registered in the Barcelona Registry, volume 48422, folio 106, page B-466053, and with address at Avenida Diagonal, 532, 7th floor, 08006 Barcelona, hereinafter “TALENOM” or “DATA PROCESSOR” or “PROCESSOR“.
The Client identified in the Contract, hereinafter referred to as the “CLIENT” or “DATA CONTROLLER“.
Collectively, simply “PARTIES” or, individually, “PARTY“.
Both Parties mutually acknowledge that they have sufficient legal capacity to enter into this DATA PROCESSING AGREEMENT TALENOM 2023 (the “Data Processing Agreement“) and to be bound in the representation in which they respectively act, under the terms agreed upon herein.
WHEREAS:
I. That both parties have signed a contract for the provision of services by which TALENOM undertakes to provide the CLIENT with the services indicated in the Service Proposal, according to the terms of the Terms and Conditions and their Annexes. These documents collectively constitute the “Contract“.
II. Within the framework of the Contract, TALENOM processes personal data on behalf of the CLIENT.
III. This Data Processing Agreement describes the way in which Talenom will handle the personal data provided by the CLIENT.
IV. The Data Processing Agreement supplements and forms an integral part of the Contract. In the event of any conflict or inconsistency in the terms of the Contract or other associated documents, the terms of this Data Processing Agreement shall prevail. For more information on the specific processing activities carried out by Talenom, refer to the updated Register of Processing Activities, available on the official Talenom website.
In this regard, both parties acknowledge compliance with data protection laws and agree to regulate the processing of personal data in accordance with the following:
PROVISIONS
- Definitions. The definitions below form an integral part of this Data Processing Agreement and shall apply in all sections and provisions hereof. In the event of any inconsistency or ambiguity in the interpretation of the terms used, these definitions shall prevail.
1.1. Personal Data. The term "personal data" means any information relating to an identified or identifiable natural person (‘Data Subject’); that directly or indirectly identifies the individual.
1.2. Data Processing Activities. The term "processing of personal data" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.3. Functions in data processing. As far as the processing of personal data is concerned, the Client is the "Data Controller". Therefore, it is up to the Client to decide why and how the personal data will be processed. Talenom is the “Data Processor” and therefore will processes the personal data on behalf of the Client.
1.4. Data Protection Laws. These laws refer to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR") on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), as well as the Spanish Organic Law 3/2018, of 5 December, on the protection of personal data and guarantee of digital rights and the Spanish Law 34/2002, of 11 July, on information society services and electronic commerce.- Purpose of the Data Processing Agreement. This agreement allows the DATA PROCESSOR to process, on behalf of the DATA CONTROLLER, the Personal Data necessary for the provision of the contracted services.
- Identification of Affected Information. To perform the services agreed in the Contract the DATA CONTROLLER authorises the PROCESSOR to process the Personal Data described below, according to the activities described in the Service Proposal:
| Activity | Purposes of the Processing | Collective | Categories of Personal Data |
| Litigation Legal Advisory Service | Provide legal advice and representation services in litigation to clients. This involves1. Legal Representation.2. Defence of Interests.3. Legal Advice.4. Negotiation.5. Management of Legal Documents.6. Representation in Hearings and Proceedings.7. Confidentiality.8. Case Resolution. | Clients (plaintiffs or defendants) and their counterparties | Identification Data: Name and surname, ID card or equivalent. Contact Details: Address, telephone number and e-mail. Other: Data provided by customers, depending on the need of the case. |
| Legal Advice Service for Clients | Preparation of reports, opinions, attention to legal queries. | Clients, natural persons, legal representatives of clients, legal persons, their employees, collaborators, suppliers and their customers. Agents involved in real estate, financial, administrative and corporate transactions. Data of Clients’ relatives. | Identification Data: Name and surname, ID card or equivalent. Contact Details: Address, telephone number and e-mail. Other: Data provided by customers, depending on the need of the case. |
| Commercial Advisory Service for clients | Incorporation and dissolution of companies, mergers, acquisitions, shareholders’ agreements, keeping of corporate books, commercial contracts, powers of attorney, beneficial ownership acts, due diligences. | Clients, natural persons, legal representatives of clients, legal persons, their employees, collaborators, suppliers and their customers. Agents involved in operations. Data of Clients’ relatives. | Identification Data: Name and surname, ID card or equivalent. Contact Details: Address, telephone number and e-mail. Personal characteristics data: Gender, marital status, nationality, residence, age, date and place of birth and family data. Data on family circumstances: matrimonial regime. Academic and professional data: Occupation. Economic and financial data: Bank Certificate. Data on movable and real estate properties in general. Bank transfers. |
| Accounting and Tax Advisory Service for Clients | Tax filing, bookkeeping, tax advice. | Clients, natural persons, legal representatives of clients, legal persons, their employees, collaborators, suppliers and their customers. Agents involved in real estate, financial, administrative and corporate transactions. Data of Clients’ relatives. | Identification Data: Name and surname(s), ID card or equivalent, personnel registration number, Social Security/Mutual Society number. Contact Details: Address, telephone number and e-mail. Special categories of data: health data (sick leave, accidents at work and degree of disability, excluding diagnoses, maternity, paternity), trade union membership and professional associations (for the sole purpose of paying trade union and professional dues, where applicable). Criminal record. Personal characteristics data: Gender, marital status, nationality, residence, age, date and place of birth and family data. Data on family circumstances: Date of marriage, divorce, separation, widowhood. Academic and professional data: Qualifications, training and professional experience (CV, certificate of working life). Employment detail data. Incompatibilities. Entry and exit control data in the country: date and place of entry and exit, reason for absence. Economic-financial data: Economic data on payroll, credits, loans, guarantees, tax deductions, judicial withholdings (if applicable), other withholdings (if applicable). Bank details. Economic data relating to insolvency. Debt. Data relating to personal income and expenditure, both inside and outside the country. Taxes paid abroad. Ownership of assets both inside and outside the country. Economic data related to inheritances and donations. Scholarships and grants. Life insurance, pensions. corporate shareholdings, movable properties and real estate in general. Other data: data relating to social action. Customs data. |
| Digital Certificate Issuance and Management Service | Registration and management of applications for the issuance of digital certificates. Management of the issuance of digital certificates. Management of Talenom’s customers’ digital certificates. | Collaborators, employees, customers | Identification Data: Name and surname, ID or equivalent, user code, signature, fingerprint. Contact Details: Address, telephone number and e-mail. Academic and professional data: Department, company Personal characteristics data: Place and date of birth Technology data: IP address, logs. |
| Labor Management Service for Clients | Activate companies or freelancers so that they can operate and hire employees. Hiring and management of payrolls and contracts of workers. Sick leave, benefits management. | Employees of the clients and their families, legal representatives of the companies and their relatives. Lawyers for clients and legal representatives of their previous consultancies. Trade union representatives. | Identification Data: Name and surname(s), ID card or equivalent, user code, signature, fingerprint, personnel registration number, Social Security/Mutual Society number. Contact Details: Address, telephone number and e-mail. Special categories of data: health data (sick leave, accidents at work and degree of disability, excluding diagnoses, allergies, food intolerances), trade union membership (for the exclusive purpose of paying trade union dues, if applicable), trade union representative (if applicable), proof of attendance from own and third parties. Personal characteristics data: Gender, marital status, nationality, age, date and place of birth and family data. Data of family circumstances: Date of registration and cancellation, licenses, permits and authorizations. Academic and professional data: Qualifications, training and professional experience (CV). Employment detail data. Incompatibilities. Professional references. Time and attendance data: date/time in and out, reason for absence. Economic and financial data: Economic data on payroll, credits, loans, guarantees, tax deductions, cancellation of salaries corresponding to the previous job (if applicable), judicial withholdings (if applicable), other withholdings (if applicable). Bank details. Other data: data relating to social action, images, photos of staff. |
| Immigration Service for clients | Obtaining, renewing, terminating residence permits. Communication to immigration or police authorities. | Individual customers and their family members. Company workers with their families. | Identification Data: Name and surname, ID card or equivalent, signature, fingerprint, Social Security/Mutual Society number. Contact Details: Address, telephone number and e-mail. Personal characteristics: Gender, marital status, nationality, age, date and place of birth and family data, name of father and mother. Family Circumstances Data: Date of marriage, divorce/separation. Academic and professional data: Qualifications, training and professional experience (CV). Employment detail data. Incompatibilities. Professional references. Travel control data: date of entry and departure from Spain, reason for absence. Economic-financial data: Economic payroll data, debt certificates from the tax agency and social security. Bank details. Other data: data from the municipal register. Images, personal photos. |
| Insurance Service | Offering insurance services, which will finally be contracted with collaborating brokerages. | Clients and their legal representatives. | Identification Data: Name and surname, ID card or equivalent, signature, fingerprint. Contact Details: Address, telephone number and e-mail. Other data: those that are necessary for the preparation of an economic proposal for the insurance requested by customers. |
| Vehicle Ownership Change Traffic Service | Performance of the contract for the transfer of ownership of a vehicle | Customers of Talenom and their counterparties in the transfer of the vehicle (buyer and seller) | Identification Data: Name and surname, ID card or equivalent, driver’s license data, signature, fingerprint. Contact Details: Address, telephone number and e-mail. Personal characteristics data: Gender, marital status, nationality, age, residence, date and place of birth and family data. Other data: vehicle data. |
| Real Estate Services for Clients | Legal advice for the acquisition of a property related to facilitating and carrying out the real estate transaction in a legal and efficient manner. | Clients who are natural persons, representatives of clients who are legal entities. Agents and parties involved in the transactions (buyer, seller, financing entity, real estate, etc.). | Identification Data: Name and surname, ID card or equivalent, driver’s license data, signature, fingerprint. Contact Details: Address, telephone number and e-mail. Personal characteristics data: Gender, marital status, nationality, age, residence, date and place of birth and family data. Data of family circumstances: Date of marriage, divorce, separation, matrimonial regime. Academic and professional data: Training and professional activity. Economic and financial data: Economic data on payroll, credits, loans, guarantees, tax deductions, cancellation of salaries corresponding to the previous job (if applicable), judicial withholdings (if applicable), other withholdings (if applicable). Bank details. Other data: details of the property. |
- Rights and obligations of the DATA CONTROLLER. As the data controller, the CLIENT is responsible for delivering to the PROCESSOR the personal data of the Data Subjects referred to in clause 3, and must also:
4.1. Process personal data lawfully and reasonably and follow best practices for data processing. It should also ensure that the protection of the privacy of data subjects and other important privacy rights is not unnecessarily restricted unless there are valid legal grounds for doing so.
4.2. Specify the purposes for which the data will be processed, and the means used, communicating this to TALENOM in writing.
4.3. Carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the PROCESSOR.
4.4. inform the PROCESSOR of all issues affecting the personal data provided, including but not limited to issues relating to the risk assessment and processing of special categories of personal data, as this information has an impact on the technical and organisational measures to be taken by the PROCESSOR.
4.5. Carry out the corresponding prior consultations.
4.6. Ensure, prior to and throughout the processing, compliance with Data Protection Laws;
4.7. Ensure that Data Subjects receive the necessary information and notifications required by law so that they are informed at all times of how their personal data will be used and processed.
4.8. Ensure that the rights of Data Subjects are respected, allowing, and encouraging them to exercise the rights established by the Data Protection Laws with respect to their personal data.
4.9. Provide the right to information to the Data Subjects at the time of collection of Personal Data.
4.10. Supervise the processing, including the performance of inspections and audits on the operations of TALENOM or its subcontractors, and may even appoint and authorize an external auditor to carry out such inspections and audits. In this case, the external auditor may not be a company competing with TALENOM. In addition, before commencing the inspection or audit, both parties will agree on the date, times, and details of the procedure to be followed. The audit will be carried out during working hours, without affecting the commitments that TALENOM has acquired with third parties.
Representatives and external auditors acting on behalf of the CONTROLLER must sign a standard confidentiality agreement to protect TALENOM’s rights.
All expenses related to the inspection and audit will be the responsibility of the CONTROLLER. In this sense, TALENOM reserves the right to charge for the assistance provided in the audit and any other additional work derived so that the resources invested are properly accounted for.
4.11. Immediately notify TALENOM of any corrections, deletions or changes relating to personal data to ensure that the data being processed is correct and up to date. - Rights and obligations of the DATA PROCESSOR. The Processor and all his/her staff undertake:
5.1. Purpose. Use Personal Data for the purposes set forth in the Contract and this Data Processing Agreement. Under no circumstances it is allowed the use of the data for the PROCESSOR’s own purposes.
5.2. Legality. To process Personal Data in a lawful and reasonable manner, in accordance with the instructions of the DATA CONTROLLER.
5.3. Authorized. Ensure that the persons or entities authorised to process Personal Data expressly undertake in writing to process the Personal Data in a lawful and reasonable manner, in accordance with the instructions of the CONTROLLER, as well as to respect confidentiality and comply with the corresponding security measures, of which they must be duly informed.
To keep at the disposal of the RESPONSIBLE party the documentation accrediting compliance with the obligation assumed in the previous section.
5.4. Training. Ensure the necessary training on the protection of personal data of the persons authorized to process Personal Data.
5.5. Illegal instructions. If TALENOM considers that any of the instructions of the CONTROLLER infringe the Data Protection Laws or any other data protection provisions of the Union or the Member States, it will immediately inform the CONTROLLER.
5.6. Record of Processing Activities. Keep, in writing, a record of all categories of processing activities carried out on behalf of the CONTROLLER, in accordance with the provisions of Article 30 of the GDPR.
5.7. Duty of Secrecy and Confidentiality. Maintain a duty of secrecy with respect to the personal data to which it has had access under this Data Processing Agreement, even after its purpose ends. Ensure that persons authorised to process personal data agree to professional secrecy. Ensure that personal data is not transferred/disclosed to third parties without the prior written consent of the CLIENT, unless permitted by this Data Processing Agreement or the PROCESSOR is required to disclose the data by law or by order of an authority.
5.8. Notice of Disclosure. If an authority requests personal data, TALENOM will notify the CLIENT of the request as soon as possible before responding or taking any action in relation to the personal data. If the competent authority requires an immediate response and unless otherwise provided by law, TALENOM will notify the customer of the request as soon as possible after responding to the request.
5.9. DPO. Appoint a Data Protection Officer and communicate their identity and contact details to the DATA CONTROLLER.
5.10. Exercise of Rights. Assist the CONTROLLER in responding to the exercise of the rights of:
5.10.1. Access, rectification, deletion, and opposition.
5.10.2. Restriction of processing.
5.10.3. Data portability.
5.10.4. Not to be subject to automated individualised decisions (including profiling).
5.11. Communication of the Exercise of Rights. When the Data Subjects exercise the rights indicated in the previous section before the PROCESSOR, the latter must notify the CONTROLLER. The communication must be made immediately and in no case later than 5 working days following receipt of the request, together, where appropriate, with other information that may be relevant to resolve the request.
5.12. Impact Assessments. Provide support to the CONTROLLER in carrying out data protection impact assessments, where appropriate.
5.13. Available Information. To make available to the CONTROLLER all the information necessary to demonstrate compliance with its obligations, as well as to carry out audits or inspections carried out by the CONTROLLER, or another auditor authorised by him/her.
5.14. Extra services. TALENOM is entitled to issue additional invoices for the assistance, correction, and response measures to the requests of the CONTROLLER, as well as for assisting it with audits and with measures due to changes in its instructions. If these services require extra work or resources, TALENOM may charge additional fees.
5.15. Security. TALENOM establishes and maintains appropriate technical and organisational measures to ensure an appropriate level of security in the processing of Personal Data. This practice protects personal data from unlawful unauthorised processing and from accidental loss, destruction, damage, modification, or disclosure. TALENOM considers factors such as current technology and associated costs, the characteristics of data processing, the global context and purposes of the processing, as well as the rights of individuals and the potential risk to their freedoms, which may differ in terms of their likelihood and impact.
The data security principles followed by TALENOM in relation to this agreement are explained in detail in the current Register of Processing Activities, available on the official website of TALENOM (www.talenom.com/es-es). This documentation provides an overview of our specific data security practices. Data security measures are regularly assessed, reviewed, and updated.
5.16. Subcontractors. Talenom may include subcontractors in data processing activities in accordance with the provisions of this Data Processing Agreement. In this context, a “Subcontractor” is a processor that performs all or part of the data processing operations under this Data Processing Agreement.
It is the responsibility of TALENOM to regulate the new relationship with the Subcontractor, so that the latter is subject to the same (or equivalent) conditions and with the same formal requirements as the Subcontractor, regarding the proper processing of personal data and the guarantee of the rights of the Data Subjects. Subcontractors may only process Personal Data in accordance with the written agreement.
Upon request, TALENOM will notify you at the beginning of the Contract who will carry out the processing. Once the initial notification has been made, TALENOM will inform you in advance of any significant changes or substitutions of planned subcontractors. If the RESPONSIBLE PARTY does not agree with the changes, he/she may notify TALENOM of his/her intention to cancel the Contract, the cancellation being effective at the end of the period of thirty days from such notification.
This provision shall apply to specific services related to the processing of personal data affected by changes in subcontractors.
TALENOM shall be responsible for the acts carried out by the subcontractors as if they were its own.
5.17. Transfer of Personal Data. TALENOM may transfer personal data to countries outside the European Union or European Economic Area (EEA) or to other countries that the European Commission considers guaranteeing an adequate level of data protection. To transfer personal data outside the EEA or to countries that are not determined by the European Commission to ensure an adequate level of data protection, TALENOM will follow the requirements of applicable law by adopting appropriate safeguards. The personal data transfer agreement has been drafted in accordance with the standard contractual clauses approved by the European Commission. As an alternative to the use of standard contractual clauses, the transfer may be made using other legal bases approved by applicable law. In the event of any inconsistency between the Standard Contractual Clauses or other legal bases for transfer and this Agreement, the Standard Contractual Clauses and the alternative legal bases shall prevail over the Engagement Agreement and this Agreement as regards the order of application.
5.18. Notification of Personal Data Security Breaches. The term “personal data breach” means any incident or breach of security that results in the accidental or unlawful destruction, loss or alteration, or unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.
In the event of a personal data security breach, TALENOM will notify the CONTROLLER without undue delay, of the breaches of the security of the personal data in its charge of which it becomes aware, together with all the relevant information for the documentation and communication of the incident.
TALENOM will inform the CONTROLLER. Notification shall not be required where such a breach of security is unlikely to constitute a risk to the rights and freedoms of natural persons.
(a) Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
b) The name and contact details of the data protection officer or other contact point from whom further information can be obtained.
c) Description of the possible consequences of the personal data breach.
d) Description of the measures taken or proposed to remedy the personal data breach, including, if applicable, the measures taken to mitigate potential negative effects.
If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided gradually without undue delay.
5.19. Destination of Personal Data. At the end of this Data Processing Agreement, TALENOM will destroy or return to the CONTROLLER all Personal Data, deleting all existing copies, in accordance with what the CONTROLLER decides and indicates. If the PROCESSOR is required by law to take other measures, TALENOM shall implement them. Specific details regarding the destruction and return of data may be treated separately.
However, the PROCESSOR may keep a copy, with the data duly blocked, for as long as responsibilities may arise from the execution of the service.
- Talenom’s Limits of Liability. The limits of liability in the Contract shall apply to this Data Processing Agreement. If the Contract does not include limits of liability, the following provisions shall apply to this agreement:
a. TALENOM shall not be liable for any indirect damages, including but not limited to loss of revenue, profits or market value, interruption of production or service, or other similar damages suffered by the CONTROLLER.
b. TALENOM shall only be liable for direct damages caused by its negligence.
c. In the case of claims for compensation for damages brought by third parties against one of the parties in connection with the processing of personal data, the other party shall be informed immediately. If TALENOM pays damages to a third party, the CONTROLLER shall compensate TALENOM for the losses, provided that the damages are not the result of TALENOM’s errors or negligence in complying with the terms of the Data Processing Agreement.
d. The maximum amount for which TALENOM will be liable is EUR 10,000 per claim and EUR 20,000 in total for different claims occurring within the same financial year, unless a different maximum amount is expressly agreed in the Contract. Damage shall be considered a single loss, even if the same error occurs repeatedly or affects several financial years and shall correspond to a single financial year if it occurs mostly in that financial year, even if part of the damage occurs in a different financial year. Apart from those stated above, TALENOM will not pay any other penalties for breaches of contract, errors, or negligence.
e. Claims to TALENOM shall be made in writing as soon as possible. If the fault or error is detected or can be detected immediately, the claim will be made as soon as possible and within a maximum period of fourteen (14) days. If no claim is made against TALENOM within six (6) months after the damage is detected, TALENOM will not pay any compensation. It will also not pay any compensation if it occurs more than (3) years after the occurrence of the damages related to the treatment.
f. For the avoidance of doubt, the limits of liability agreed in this clause shall not apply if the parties (1) pay administrative penalties imposed by a supervisory authority or a court or (2) pay compensation to the data subject for a breach of their own. - Validity. The validity of this Data Processing Agreement shall be subject to the validity of the Contract and shall automatically terminate when the Contract terminates for any reason.
If the CONTROLLER breaches this agreement, TALENOM shall be entitled to terminate the Contract and the Data Processing Agreement, if the CONTROLLER fails to remedy the breach seven (7) days after TALENOM’s request or fails to take appropriate measures to avoid, correct and compensate for the effects of the breach.
