Aula virtual VHIR
AGREEMENT ON DATA PROTECTION, PROCESSING OF THE INFORMATION, PRIVACY AND INTELLECTUAL PROPERTY
This document is an internal regulation mandatory for all workers, interns and students of FUNDACIÓ HOSPITAL UNIVERSITARI VALL D'HEBRON - INSTITUT DE RECERCA (hereinafter "the Foundation").
In compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) on Data Protection and the rest of the applicable Rules, the Fundació as a Data Processing Controller, establish that every person who participate in any phase on the processing of Personal Data on which he could have access, has to try them following your instructions and are obliged to maintain confidentiality of such data and to the duty to protect them; obligations that will last even after the end of his relationship with the owner of the file or, if it is the case, with the head of the same.
Also, this Annex contains the rules for using the computer resources, intellectual property, data processing and confidentiality that must be respected at our institution.
User ID and passwords
1. It is forbidden to communicate to another person the user ID and password. If the user suspects someone else knows their identification and access data, they must enable password change mechanisms. Similarly, it is forbidden to use the ID and password of another user.
2. The user is required to use the corporative network and the Foundation's Intranet and their data without incurring in activities that might be considered illicit or illegal, violating the rights of the company or third parties, or infringe upon moral or ethical standards of telecommunication networks.
3. Are expressly prohibited the following activities:
- Sharing or facilitating user ID and password provided by the Foundation to another person or entity, including the staff of the Hospital. In case of breach of this prohibition, the user will be solely responsible for the acts performed by the person or entity that uses a non-authorized user identification.
- Trying to decipher the passwords, encryption algorithms or systems and any other security element involved in electronic processes of the Foundation.
- Attempting to read, delete, copy or modify emails or files from other users (this activity may constitute an offense of interception of telecommunications (revelation of secrets), under Article 197 of the Criminal Code) .
- Trying to distort or falsify system log records.
- Using the system to attempt to access restricted areas of the computer systems of the Foundation or third parties.
- Trying to increase the level of user privileges on the system.
Use of computer systems
Are expressly prohibited the following activities:
1. Destroy, alter, disable or any other form damaging data, programs or documents of the Foundation or third parties (these acts may constitute a crime of damages, under Article 264.2 of the Criminal Code).
2. Deliberately obstruct electronic access from other users to the network through the massive consumption of computer and telematic resources of the Foundation, as well as actions that spoil, interrupt or generate errors in these systems.
3. Send emails in bulk or with commercial or advertising purposes without the consent of the recipient, outside the scope of professional activity.
4. Voluntarily introduce programs, viruses, macros, applets, ActiveX controls or any other logical device or sequence of characters that cause or are likely to cause any type of alteration in the computer systems of the Foundation or third parties. In this regard, remember that the system automatically executes programs and antivirus updates to prevent the entry of any element system designed to destroy or corrupt computer data.
5. Enter, download from the Internet, reproduce, use or distribute software not expressly authorized by the Foundation or any other type of work or materials which non available authorization of the intellectual property of third parties.
6. Install illegal copies of any program, including those which are standardized.
7. Remove any programs installed legally.
8. Send or forward chain or pyramid messages.
9. Using electronic resources of the Foundation, including the Internet network, for activities that are not directly related to the workplace of the user.
10. Enter obscene, offensive or immoral contents and, in general, lacking usefulness for the purposes of the Foundation, to the corporate network.
11. Remove temporary files or working copies that were created for performing auxiliary or temporary jobs, according to Article 87 of Royal Decree 1720/2007.
Confidentiality of information:
1. It is forbidden to send information outside that has not been declared as non-confidential by the Foundation, with support materials, or through any means, including the simple display or access to it.
2. The users of corporate Information Systems have to keep indefinitely maximum discretion, and not disclose directly or through other people or companies the data, documents, methodologies, keys, analysis, programs and other information to which they have access during their employment relationship with the Foundation, in terms of both material and electronic support. This obligation will continue to be in force after the termination of the employment contract.
3. No collaborator can have for particular uses, any materials or information owned by the Foundation, both now and in the future.
4. In the event that, for reasons directly related to the workplace, the worker, intern, student or external collaborator get information that has not been declared as non-confidential by the Foundation, must understand that the possession of such information is strictly temporary, with the obligation of secrecy and without this occasioning any right of possession or ownership or copy of this information. However, the worker, intern, student or external collaborator will be returning these materials to the Foundation after the completion of the tasks that have caused this temporary use of them and in any case at the conclusion of the contract. The continued use of information in any format or medium differently as agreed and without the knowledge of the Foundation, will not, in any case, a modification of this clause.
5. The worker, intern, student or external collaborator undertakes not to use or disclose to any person or entity other than the Foundation, in their own benefit or the benefit of third parties, any information regarding the procedures, methods, research, "know how" clients, operations, facilities of the Foundation, of the public or private bodies in a relationship with it, or of its clients, or of any other aspect of the activity of the entities in which the worker, intern, student or external collaborator could know because of their relationship with the Foundation, which could be considered confidential or of scientific, commercial or industrial value for the Foundation, its customers or suppliers.
6. All those matters that have not been specifically declared as non-confidential are considered confidential.
7. This pact remains fully effective and valid after the end of services.
8. All documents, written, files or whatever its medium (computer files, emails ...) made by the worker, intern, student or external collaborator, in relation to the Foundation activities, will always continue to be owned by that, being obliged to return them when it is requested and, in any case, once you have completed the relationship with the Foundation.
9. The breach of this obligation may constitute a crime of revealing secrets, provided in Articles 197, 278 and 279 of the Criminal Code and entitles the Foundation to seek corresponding criminal and/or civil liability.
Incidents
1. It is the obligation of all staff of the Foundation to communicate any incident that occurs on the information systems to which they have access to the Security Manager.
2. It is understood by incident any abnormality that affects or may affect the security of the data.
3. This communication will have to be made in a period of no more than one hour from the time in which it occurs the incident.
Data Protection
1. The Foundation, as the Controller of the processing of personal data, has a record of the processing activities, with the information demanded by the current legislation on data protection.
2. The Foundation, as the Controller, will notify:
- Its identity and its contact data:
Fundació Hospital Universitari Vall d’Hebron-Institut de Recerca -”VHIR”-, with NIF G-60594009, registered office in Barcelona -08035-Passeig Vall d’Hebron 119-129, Edifici Mediterrània, 2ª floor, and phone (34) 934 89 30 00.
- Contact data of the Data Protection Officer:
According to the Regulation (EU) 2016/679, VHIR designated a Data Protection Officer, being possible to contact him through: dpd@ticsalutsocial.cat.
The Foundation Legal Unit will resolve the doubts, complaints, questions, suggestions, and they will attend the exercise of rights through e-mail: lopd@vhir.org, or by mail post in the address ut supra.
- Purpose of data collection and the legal basis of the processing:
The legal basis of the processing is the execution of a contract in which the interested party is part or for the application of measures prior to entering into a contract at the request of this, not being able to grant the contract if the interested party does not facilitate their data.
The aim of the processing is the data management of the workers, scholars, and anyone hired.
- Recipients of information.
Public bodies (Social Security and Tax), mutual insurance companies for work accidents and occupational diseases, entities that manage the prevention of labour risks, trade unions, financial institutions, service providers flexible compensation, speakers of the training activities and/or the training centres, travel agencies and other suppliers for the Organization and management travel with a work or commercial purpose for the entity.
- Their intention, if it is the case, to transfer personal data to a third country or international organisation.
It is not planned, excepting if any loan relative to banks to proceed to the payment of the salaries, the speakers of training activities and/or training centres, or at travel agencies and other suppliers for the Organization and management of travel in connection with employment or commercial entity purposes, must necessarily be in the European economic area.
- The period during which Personal Data will be kept or, when possible, the criteria used to determine this period.
Will remain as long as necessary to fulfil the purpose for which they were collected, and in any case they will be kept as long as the contractual relationship will be kept, and the interested party does not request its deletion.
- The possibility for the interested party to exercise the rights of access, rectification, deletion, limitation, and portability.
Interested parties could exercise their rights of access, rectification, deletion, limitation, opposition and portability at any time.
- When the processing is based on the consent, the existence of the right to withdraw this consent at any time.
- The right to file a complaint against a control authority.
Those interested can raise a complaint before the competent Control Authority in the field of Data Protection, AEPD and APDCAT.
- If the communication of personal data is a legal or contractual requirement, or a requirement necessary to subscribe a contract, and if the interested party is obliged to provide the personal data and is informed of the possible consequences of not providing such data.
Taking as a legal basis a contract, this contract may not be awarded if the necessary Personal Data are not provided for this.
- The existence of automated decisions, including the profiles.
No automated decisions will be taken, including profiles elaboration.
3. The collection of personal data, will require the express, free, specific, unequivocal and informed consent in writing of the affected, those who were requested data, including the availability of the same.
4. There will be assignments or communications of personal data in accordance with the following requirements:
- With prior express consent.
- Fulfilling purposes directly related to the legitimate functions of the Foundation.
5. They are considered prohibited acts:
- Use personal data for purposes incompatible with those for which the data have been collected or for purposes other than those communicated, without the express authorization of the processing Controller.
- Any other activity expressly forbidden in this document or in data protection rules and in the instructions of the Data Protection Agency and any other Control Authority.
6. The Foundation shall notify the Control Authority, any violation of the Personal Data security, as soon as possible and as maximum in 72 hours after having known of it.
In the cases established in the current regulations, the Fundation shall notify the interested parties.
7. The Fundation has designated a Data Protection Officer, whose contact is: dpd@ticsalutsocial.cat.
The Fundation Legal Unit will answer all the questions, complaints, clarifications, suggestions and they will respond to the exercise of the rights through e-mail: lopd@vhir.org, or by post mail to: Passeig Vall d’Hebron 119-129, Edifici Mediterrània 2ª Floor, 08035 Barcelona.
Use of e-mail
1. The computer system, the corporate network and the terminals used by each user are on a general basis owned by the Foundation.
2. No email is considered private. It will be considered email both internal, mail between terminals on the corporate network, and as external, directed or from other private or public networks, especially the Internet.
3. The Foundation reserves the right to review without notice, any email of the corporate network and server log files users, in order to verify compliance with these standards and prevent activities that could affect the Foundation as subsidiary civil responsible.
4. Any files introduced to the corporate network or the user's terminal via email, from external networks, must comply with the requirements of these regulations, particularly relating to the intellectual and industrial property, and virus control.
Internet access
1. The use of the computer system of the Foundation to access public networks like the Internet, will be limited to issues directly related to the activity of the Foundation and the duties of the workplace of the user.
2. Access to discussions in real time (Chat/IRC) is especially dangerous, as it facilitates the installation of utilities that allow unauthorized access to the system, so their use is strictly prohibited.
3. Access to web pages (www), Newsgroups, and other sources of information such as FTP, are limited to those that contain information related to the activity of the Foundation or with the duties of the workplace of the user.
4. The Foundation reserves the right to monitor and check, randomly and without prior warning, any Internet access session initiated by a user from the corporate network.
5. Any file introduced to the corporate network or in the terminal of the user from the Internet, will need to comply with the requirements set forth in these rules and, in particular, the referring to intellectual property, industrial property and to the virus control.
Intellectual and Industrial Property
1. The transfer of rights
1.1. Will be understood as exclusively transferred in favour of the Foundation to everyone, for the maximum time established in laws and/or international treaties in force that may apply and for its exploitation through any format and/or form of exploitation, all rights, including those of operation on any discovery, invention, creation, work, procedures, idea, technique, drawing, design, image or any other right of intellectual or industrial property (except those inalienable moral rights that correspond to the author(s) or inventor(s) of the intellectual or industrial property) generated, raised or acquired as a result of the work carried out by the worker, intern, student or external collaborator during the term of the contract, grant, cooperative agreement or contract (hereinafter , "Intellectual and/or Industrial Property"), and that derived directly or indirectly from the relationship between the Foundation and the worker, intern, student or external collaborator.
1.2. The worker, intern, student or external collaborator is obliged to inform the Foundation of any discovery, creation, invention, idea or any other element which constitutes or is likely to constitute an Industrial and/or intellectual property right and that is developed partially or totally during the term of the contract. In the event that the worker, intern, student or external collaborator discovers or develops any creation of intellectual or industrial property, it is understood that the mentioned find or development constitutes confidential information of the Foundation.
1.3. The worker, intern, student or external collaborator is obliged to sign all those public and/or private documents that may be necessary, in the discretion of the Foundation, in order to allow the accreditation of the property of the Foundation or the appropriate protection of Intellectual and/or Industrial property rights relating to this or any third party designated by this.
1.4. The worker, intern, student or external collaborator authorise the Foundation for the transformation, modification, publication, public communication and exploitation by any means of the works developed as a result of the stay at the Foundation. Likewise, states that he or she knows the purposes of the activities of the Foundation and do not have any moral conviction contrary to these purposes or that prevent the publication, edition or public communication of the work developed.
2. Publication of the results of the project
2.1. In the event that the worker, intern, student or external collaborator want to use, either partially or totally, the results obtained in the development of their stay for the publication of an article, for the realization of a lecture, or by any other act of distribution of analogous nature, they will need to apply for and obtain the consent of the person responsible for your stay at the Foundation expressly and in writing.
2.2. The person responsible for your stay at the Foundation will respond to such request within forty-five (45) days of receipt, informing the worker, intern, student or external collaborator of the authorization, reservations or disagreement about the information contained in the article or conference.
2.3. In these publications and dissemination events, the mention of the rest of the authors who have participated in obtaining the results will always be respected and will mention explicitly that the work was carried out during their stay at the Foundation.
It is strictly forbidden to use, reproduce, transfer, process or communication of any kind of intervention or work protected by intellectual property.
Regarding non-compliance of the above, this is specified in the "Consequences of non-compliance" document attached to this Annex.
Information and consent of the workers, interns, students
The Foundation in compliance with the Data Protection rules, has a processing Record, as well as a documentary called Human Resources File, in where personal data will be integrated and that has as its purpose the development and execution of the contractual relationship or relationship training, according to the Data Protection rules.
In the case of the workers, their Data will be communicated by legal obligation to Public bodies (Social Security and Tax…), mutual insurance companies for work accidents and occupational diseases, entities that manage the prevention of labour risks, trade unions. Also, their data can be transferred to financial institutions to proceed to the payment of the salaries, service providers flexible compensation, speakers of the training activities and/or the training centres and also to other participants. They can also be transferred to travel agencies and other suppliers for the Organization and management travel with a work or commercial purpose for the entity. All of this, could suppose an international data transfer (if any of these assignments must necessarily be in the European economic area).
In the case of interns and/or students, the recipients of the information are the various training centres from which they come, as well as the Administrations and other official agencies acting within its powers.
You are responsible for the veracity and accuracy of the data and has the power to exercise the rights of access, opposition, portability, rectification, limitation and deletion of data as recognized by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) on Data Protection.
To exercise them, you will have to: lopd@vhir.org or by post mal to the Foundation to the address Pg. Vall d'Hebron, 119-129 08035-Barcelona Mediterrània Research Building, 2nd Floor.
Commitment as to professional secrecy
The undersigned, as collaborator in the whole process of processing of personal data undertakes to guarantee professional secrecy, obligation that will remain, even after the end of the employment or training relationship with our organization.
Will only have access to personal data for those tasks involving the execution of the activities of their functions, and in no case will serve a purpose other than that established in their employment contract or training agreement formalized with our Institution.
The undersigned is in accordance with the premises described in the two paragraphs submitted and undertakes to implement the security measures established by the Institution regarding the processing of personal data.
CONSEQUENCES OF NON-COMPLIANCE OF DUTIES AND OBLIGATIONS IN THE FIELD OF DATA PROTECTION, INTELLECTUAL PROPERTY AND USE OF COMPUTER RESOURCES
Workers, students and interns of the FUNDACIÓ HOSPITAL UNIVERSITARI VALL D’HEBRON – INSTITUT DE RECERCA with access to personal data must know the consequences that may arise and any liabilities that may be incurred in the event of non-compliance of the security regulations, which could lead to sanctions.
The non-compliance of the obligations set out in the safety regulations manual and in the internal regulations related to the protection of personal data, as well as committing the infringements typified in the Data Protection rules, shall be sanctioned in accordance with employment legislation, particularly the Workers' Statute, as well as the Implementation Labour Convention.
Infringements:
The GDPR establish for administrative fines up to 10 million.-euros or 20 million.-euros depending on the cases, or, in the case of companies, of amount equivalent to 2% or 4% as a maximum of total global annual turnover of the previous financial year, the one higher in amount.
Joining the dynamics of the founding principles of the Protection of Personal Data, acquires great importance from the time when the consequences of failure entail great responsibilities both for the Organization and for the staff treating or accessing personal data, i.e., sanctions are now not only administrative and directed at the Organization itself, but also they can result in civil, criminal and labour liability.
a) Administrative: Penalties under the GDPR and which are imposed by the Control Authority in the exercise of its functions, either of its own motion or upon request of a party. These are economic sanctions and the amount is between 10.000.000.- euros and 20.000.000.- euros, or, in the case of companies, of amount equivalent to 2% or 4% as a maximum of total global annual turnover of the previous financial year, the one higher in amount.
b) Civil: Articles of the Civil Code relating to the Contractual and Extra Contractual Liability (arts. 1902 and 1903 CC). So when certain service is contracted to a third party unrelated to the organization and involves access to personal data files, must be preceded by the Data Processor corresponding contract.
Compensation for damages suffered by those interested.
c) Criminal: The Criminal Code defines offenses against privacy and specifically the disclosure of secrets in articles 197 et seq.
d) Labour: The data leakage, an inadequate processing of personal data files, unauthorized access to file data, inadequate protection of files, can be derived from any workplace within the Organization. When a chain of errors resulting in the imposition of a sanction to the Organization, it is common to derive more work responsibilities.
Kind regards,
Fundació Hospital Universitari Vall d’Hebron - Institut de Recerca
Vall d'Hebron University Hospital Foundation - Research Institute