Privacy and Data Protection Policy

The Ministry of the Interior of Spain, through the Secretary of State for Security, responsible for the SIMASC information system, undertakes to adopt the necessary technical and organizational measures, according to the level of security appropriate to the recording of the data collected.

This Privacy Policy explains practices regarding the collection, use, disclosure, and protection of information that is collected through SIMASC, as well as possible options regarding the collection and use of information.

The SIMASC Service is available in the European Economic Area, Switzerland or the United Kingdom.

Before accessing or using SIMASC, Users must ensure that they have read and understood how SIMASC collects, stores, uses and discloses their personal information.

Laws included in this Privacy Policy

This Privacy Policy is adapted to current Spanish and European regulations on the protection of personal data on the internet. Specifically, it respects the following rules:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR).
  • Organic Law 3/2018, of December 5, on the Protection of Personal data and guarantee of digital rights (LOPD-GDD)
  • Royal Decree 1720/2007, of December 21, which approves the regulations for the development of Organic Law 15/1999, of December 13, on the Protection of Personal Data (RDLOPD)
  • Law 34/2002, of July 11, on Information Services and Electronic Commerce (LSSI-CE)

Identity of the Data Controller

The responsible for the processing of the personal data collected by SIMASC is: the Secretary of State for Security (hereinafter, also Responsible for the treatment). Their contact details are as follows:

Address: Calle Amador de los Ríos, 2 CP 28010, Madrid
Phone: +34 91 839 80 00
Email: alertcops@interior.es

Data Protection Delegate (DPD)

Data Protection Delegate (DPD) is responsible for ensuring compliance with the data protection regulations to which SIMASC is subject. The User can contact the DPD designated by the Data Controller through the following contact information:

MINISTERIO DEL INTERIOR - SECRETARíA DE ESTADO DE SEGURIDAD GABINETE DE COORDINACIÓN Y ESTUDIOS - AREA DE NORMATIVA E INFORMES.
Address: Calle Amador de los Ríos, 2 CP 28010, Madrid
Email: ses.normativa@interior.es
Phone: +34 91 537 19 29
Fax: +34 91 537 19 44

Registration of personal data:

In accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free circulation of these data (GDPR), repealing Directive 95/46 / EC, and Organic Law 3/2018, of December 5, on the Protection of Personal data and guarantee of digital rights (LOPD-GDD)the Spanish Ministry of the Interior, through the Secretary of State for Security, responsible for the SIMASC information system, in compliance with the provisions of art. 11 and 6 of the aforementioned Organic Law, informs all users of the AlertCops website and mobility application that they provide or will provide their personal data, that these will be incorporated into an automated treatment file called SIMASC whose responsible is the owner of the General Sub-Directorate of Information Systems and Communications for Security.

Moreover, in accordance with the provisions of the GDPR and the LOPD-GDD, unless the exception provided for in article 30.5 of the GDPR applies, a record of treatment activities is kept that specifies, according to their purposes, the treatment activities carried out and the other circumstances established in the GDPR. For more information, the content of the file contained in this record can be consulted on the following web page:
http://www.interior.gob.es/web/servicios-al-ciudadano/participacion-ciudadana/proteccion-de-datos-de-caracter-personal/tutela-de-los-derechos#registro

Principles applicable to the processing of personal data

All the data requested in the user registration process through the mobility application are provided voluntarily by the user or, where appropriate, with the consent of their father or mother, legal guardians or legal representatives, being necessary for the better provision of an optimal service. In the event that all the data are not provided, the provider does not guarantee that the service provided will be completely adjusted to your needs. The user agrees to the veracity of the data provided.

The processing of the User's personal data will be subject to the following principles set out in article 5 of the GDPR:

  • Principle of legality, loyalty and transparency: The Owner will always require consent for the processing of your personal data which may be for one or more specific purposes about which he will inform you in advance with absolute transparency.
  • Principle of purpose limitation: personal data will be collected for specific, explicit and legitimate purposes.
  • Data minimization principle: The Holder will only ask you for the data strictly necessary for the purpose or purposes for which it is requested.
  • Principle of accuracy: personal data must be accurate and always up to date.
  • Principle of conservation period limitation: The data shall be kept for the time strictly necessary for the purpose(s) of the processing. The Data Subject will inform you of the corresponding conservation period according to the purpose. In the case of subscriptions, the Data Subject will periodically review the lists and delete those records that have been inactive for a considerable time.
  • Principle of integrity and confidentiality: Your data will be treated in such a way that its security, confidentiality and integrity is guaranteed. You should know that the Holder takes the necessary precautions to prevent unauthorized access or misuse of their users’ data by third parties.
  • Principle of proactive responsibility: the Data Controller will be responsible for ensuring that the above principles are met.

Category of personal data

The categories of data that are processed in SIMASC are identifying data except in the cases expressed in the application, in which special categories of personal data will be processed in the sense of article 9 of the GDPR, for the reasons set out in section 2 letter a ) and c), the explicit consent of the interested party being necessary for the processing of said personal data for the specific purpose of protecting vital interests of the interested party or another natural person.

Legal basis for the processing of personal data

The legal basis for the processing of personal data is consent. The Secretary of State for Security undertakes to obtain the express and verifiable consent of the User for the processing of their personal data for one or more specific purposes.

The User will have the right to withdraw their consent at any time. It will be as easy to withdraw consent as it is to give it.

On the occasions in which the User must or can provide their data through forms to make inquiries, request information or for reasons related to the content of SIMASC, they will be informed in the event that the completion of any of them is mandatory due to that they are essential for the correct development of the operation carried out.

Purposes of the processing for which the personal data are used

Purposes of the processing for which the personal data is used. The personal data are collected and managed by SIMASC in order to facilitate, speed up and fulfil the commitments established between SIMASC and the User or to maintain the relationship established in the forms filled in by the latter or to attend to a request or query.

By checking this box, users over 14 expressly, freely, unmistakably accept that their personal details will be processed by the State Secretariat for Security in order to perform the following:

  • Receipt and forwarding to the Emergency Management Centres of the State Security Forces (091 or 062) of the communications of the registered user in the face of a situation of insecurity or emergency, listed among the situations predefined in the system, sending automatically the user information, which will be defined during the registration, with his/her location and emergency situation.
  • Performing statistical studies.
  • Forwarding alerts and security notices according to the personal details and location information provided by the user.
  • Forwarding communications important for the citizen security through email, fax, SMS, MMS, social networks or any other, current or future, electronic or physical means that make this communication possible. Such communications will be associated to the services offered by the provider, as well as by other bodies of the State Administration, Autonomous Communities or Local Authorities with responsibility for citizen security, with which the service provider had reached an agreement. In this case, third parties will never have access to the personal details. In any case, the communications will be performed by the provider and they will be about services related to the citizen security sector.

Retention periods for personal data

Personal data will only be retained for the minimum time necessary for the purposes of their processing and in accordance with legal obligations or until the User requests their deletion.

Recipients of personal data

Your personal information will be shared by SIMASC with the following parties:

  • Emergency Management Centres of the State Security Forces and Corps (091 or 062).
  • Bodies of the General State Administration, Autonomous Communities or Local Bodies with competence in matters of public safety, with which the service provider has reached an agreement.

The provider expressly informs and guarantees users that their personal details will not be disclosed in any case to third parties not belonging to the State Security Forces, only with the prior specific, informed and unequivocal consent of the holders of such personal data.

In case the provider intends to transfer personal data to a third country or international organisation, the User shall be informed at the time the personal data are obtained about the third country or international organisation to which the data are intended to be transferred, as well as about the existence or absence of an adequacy decision of the Commission.

Personal data of minors

In accordance with the provisions of articles 8 of the RGPD and 13 of the RDLOPD, only persons over the age of 14 may give their consent to the lawful processing of their personal data by SIMACS. In the case of a minor under 14 years of age, the consent of the parents or guardians is required for the processing, and this will only be considered lawful to the extent that they have authorised it.

Secrecy and security of personal data

Secrecy and security of personal data. The State Secretariat for Security undertakes to adopt the necessary technical and organisational measures, according to the level of security appropriate to the risk of the data collected, so as to guarantee the security of personal data and prevent the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised communication or access to such data, as well as to guarantee that the age of the minor and the authenticity of the consent provided, where applicable, by the parents, guardians or legal representatives have been effectively verified.

However, because the State Secretariat for Security cannot guarantee the integrity of the Internet or the total absence of malicious or other actors fraudulently accessing personal data, the Data Controller undertakes to notify the User without undue delay when a breach of security of personal data occurs that is likely to result in a high risk to the rights and freedoms of natural persons. In accordance with Article 4 of the GDPR, a breach of security of personal data means any breach of security resulting in the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to such data.

Personal data will be treated as confidential by the Data Controller, who undertakes to inform and to ensure by means of a legal or contractual obligation that such confidentiality is respected by his employees and any other person to whom he makes the information accessible.

The Controller has taken appropriate technical and organisational protection measures and these measures have been applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person not authorised to access them, such as encryption.

Data is encrypted at two levels: at the network level, the https TLS1.2/1.3 protocol is used, and at the application level with the AES/CBC/PKCS5 padding encryption algorithm. Data is also encrypted at the storage level.

Personal information collected

SIMASC collects personal information that you voluntarily submit directly when you use the service. This may include information you provide when you register for the service by registering your user profile, creating or editing your user profile, updating your preferences, registering at a particular location, communicating by phone, SMS, email or otherwise, or using any other feature offered by SIMASC.

SIMASC indicates to the user where he/she requires to provide personal information necessary to provide you with certain features of the Service. If the user choose not to provide such personal information, we may not be able to offer you the Service or respond to your other requests.

The categories of personal information that SIMASC collects about the user and how that information is used, as well as the legal basis for processing personal information, are described within this Policy, summarised in the following tables:

Category of personal information How does SIMASC use personal information? Legal basis for processing Third parties with whom the information is shared
Contact information such as email or phone numbers. SIMASC can use this information for user account authentication The processing is necessary for the registration of the user, as well as to carry out the necessary processes prior to the registration of the user. Emergency Management Centres of the State Security Forces (091 or 062).

Bodies of the General Administration of the State, Autonomous Communities or Local Entities with competence in matters of citizen security, with which the service provider has reached an agreement.
SIMASC may use this information to deal with queries and complaints made by or about the user related to the service. The processing is necessary to serve the legitimate interests of SIMASC, to manage the service, and to communicate with the user effectively.
SIMASC may use this information to communicate with the user, including sending messages and communications related to the service. The processing is necessary for the execution of the service provided by SIMASC.
SIMASC can use this information to send service messages requested by the user according to their preferences. SIMASC will only use the user's personal information when they express their consent to do so.
User information such as phone number, date of birth, gender, disability, nationality SIMASC may use this information to operate, maintain and provide the user with the service functionalities. The processing is necessary for the service execution offered by SIMASC
SIMASC can use this information to interact and be recognized by the “Guardians” voluntarily selected by the user or by the emergency centers of the Law Enforcement Agencies in charge of dealing with alerts.
Information on geolocation of the user's device SIMASC may use this information to operate, maintain and provide the user with the service functionalities. The processing is necessary for the execution of the service offered by SIMASC.

The information will only be used when citizens express their consent to do so.
Emergency Management Centres of the State Security Forces (091 o 062).

Bodies of the General Administration of the State, Autonomous Communities or Local Entities with competence in matters of citizen security, with which the service provider has reached an agreement.

SIMASC can also share this information with other users that the user has designated as "Guardian"
Multimedia content sent by the user to the application SIMASC may use this information to operate, maintain and provide the user with the service functionalities. The processing is necessary for the service execution offered by SIMASC. Emergency Management Centres of the State Security Forces (091 o 062).

Bodies of the General Administration of the State, Autonomous Communities or Local Entities with competence in matters of citizen security, with which the service provider has reached an agreement.


SIMASC also automatically collects indirect personal information from the user about Service access and use or information about the device they use to access the Service.

SIMASC may link or combine the personal information it collects from the user and the information it collects automatically. This allows to provide personalized services regardless of how the user interacts with the Service.

SIMASC may anonymize the personal information it collects (and thus make it not possible to directly identify the user) and use it for purposes that include testing its own IT systems, research, data analysis, improving the Service and developing new features.

Geolocation Data

Location services. To provide location services, SIMACS may collect, use and share exact location data, including the real-time geographic location of your device. Unless the user unequivocally offers his consent, these location data will not be collected. If the user does not give their consent, they may not be able to receive the service provided by SIMASC.

SIMASC collects information about the location of the user's device in order to provide the functions of services described in this Policy based on location, as well as for the fulfillment of the legitimate interests of SIMASC.

The user can deactivate at any time the shared location with any of the persons or organizations established by the user as their "Guardians"; if you do, you may not be able to receive the service provided by SIMASC.

The user can stop sharing their location with SIMASC at any time by updating their mobile device settings to limit the application's access to their location information. In this case, SIMASC may not be able to provide all the functionalities of its Services by disabling access to location data.

If the user no longer wishes to continue using the Service, uninstalling the SIMASC application will prevent their location from being collected.

Rights derived from the personal data processing

The User has the following rights recognized in the RGPD over SIMASC and may, therefore, exercise them against the Data Controller:

  • Right of access: It is the right of the User to obtain confirmation of whether or not the Secretary of State for Security is treating their personal data and, if so, obtain information about their specific personal data and the treatment that the Secretary of State of Security has made or carries out, as well as, among other things, the information available on the origin said data and the recipients of the communications made or planned.
  • Right of rectification: It is the right of the User to have their personal data modified that turns out to be inaccurate or, taking into account the purposes of the treatment, incomplete.
  • Right of deletion: It is the right of the User, provided that current legislation does not establish otherwise, to obtain the deletion of their personal data when they are no longer necessary for the purposes for which they were collected or processed; The User has withdrawn his consent to the treatment and this does not have another legal basis; the User opposes the treatment and there is no other legitimate reason to continue with it; the personal data has been unlawfully processed; personal data must be deleted in compliance with a legal obligation; or the personal data have been obtained as a result of a direct offer of services from the information society to a person under 14 years of age. In addition to deleting the data, the Data Controller, taking into account the available technology and the cost of its application, must adopt reasonable measures to inform those responsible for processing the personal data of the interested party's request to delete any link to those personal information.
  • Right to limitation of treatment: It is the right of the User to limit the processing of their personal data. The User has the right to obtain the limitation of the treatment when he disputes the accuracy of his personal data; the treatment is unlawful; The Responsible for the treatment no longer needs the personal data, but the User needs it to make claims; and when the User has opposed the treatment.
  • Right to data portability: In the event that the treatment is carried out by automated means, the User will have the right to receive from the Person in charge of the treatment their personal data in a structured format, of common use and mechanical reading, and to transmit them to another person in charge. treatment. Whenever technically possible, the Data Controller will directly transmit the data to that other controller.
  • Right of opposition: It is the right of the User not to carry out the processing of their personal data or to cease the processing of them by the Secretary of State for Security.
  • Right not to be subject to a decision based solely on automated processing, including profiling: It is the User's right not to be the subject of an individualized decision based solely on automated processing of their personal data, including profiling. , existing unless current legislation establishes otherwise.

Thus, the User may exercise their rights by written communication addressed to the Responsible for the treatment specifying:

  • Name, surname of the User and copy of the DNI for Spanish citizens or official document valid in the European Union that proves their personal identification. In cases where representation is admitted, identification by the same means of the person representing the User, as well as the document proving the representation, will also be necessary. The photocopy of the DNI may be replaced, by any other legally valid means that proves the identity.
  • Request with the specific reasons for the request or information to which you want to access.
  • Address for notification purposes.
  • Requestor date and signature.
  • Any document that proves the request made.

This request and any other attached document may be sent to the following address and / or email:

Subdirección General de Sistemas de Información y Comunicaciones para la Seguridad, C/ Cabo López Martínez, s/n – 28048 El Pardo - Madrid.
Email: alertcops@interior.es

Further information about the exercise of your rights on the following website:
http://www.interior.gob.es/web/servicios-al-ciudadano/participacion-ciudadana/proteccion-de-datos-de-caracter-personal/tutela-de-los-derechos#

Links to third party websites

The Website may include hyperlinks or links that allow access to web pages of third parties other than the Secretary of State for Security, and that therefore are not operated by it. The owners of these websites will have their own data protection policies, being themselves, in each case, responsible for their own files and their own privacy practices.

Claims before the supervisory authority

In the event that the User considers that there is a problem or violation of current regulations in the way in which their personal data is being processed, they will have the right to effective judicial protection and to file a claim with a control authority, in particular, in the State in which you have your habitual residence, place of work or place of the alleged offense. In the case of Spain, without prejudice to any other resource or claim that he deems appropriate, he has the right to claim before the Spanish Agency for Data Protection.

Prior to making a complaint to the Spanish Data Protection Agency, if you consider that the Data Controller has not correctly satisfied your rights, in this case you can request an assessment from the Data Protection Officer indicated in this information.

Acceptance and changes in this privacy policy

It is necessary that the User has read and agrees with the conditions on the protection of personal data contained in this Privacy Policy, as well as that they accept the processing of their personal data so that the Responsible for the treatment can proceed to the same in the form, during the periods and for the purposes indicated. Using SIMASC will imply acceptance of its Privacy Policy.

The Secretary of State for Security reserves the right to modify its Privacy Policy, according to its own criteria, or motivated by a legislative, jurisprudential or doctrinal change of the Spanish Agency for Data Protection. Changes or updates to this Privacy Policy will be explicitly notified to the User.

This Privacy Policy was updated on February 1, 2021 to adapt to Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (RGPD) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPD-GDD).


Use of cookies and activity file

Access to SIMASC may involve the use of cookies. Cookies are files sent to the browser through a web server in order to record the activities of the user during their browsing time.

The cookies used by the website are only associated with an anonymous user and her computer, and do not in themselves provide the user's personal data.

Through the use of cookies, it is possible that the server where the web is located, recognize the web browser used by the user in order to make browsing easier. They are also used to measure the audience and traffic parameters, control the progress and number of entries. The user has the possibility of configuring his browser to be notified of the reception of cookies and to prevent their installation on his computer. Please, consult the instructions and manuals of your browser to expand this information. To use the website, it is not necessary for the user to allow the installation of cookies sent by the website.

The cookies used are, in any case, temporary in nature with the sole purpose of making their subsequent transmission more efficient. In no case will cookies be used to collect personal information.

Cookies that allow you to identify a person are considered personal data. Therefore, the Privacy Policy described above will apply to them. In this sense, for the use of the same, the consent of the User will be necessary. This consent will be communicated, based on an authentic choice, offered through an affirmative and positive decision, before the initial treatment, removable and documented.

Own cookies

These are cookies that are sent to the User's computer or device and managed exclusively by the Secretary of State for Security for the better functioning of SIMASC. The information that is collected is used to improve the quality of SIMASC and its Content and your experience as a User. These cookies allow the User to be recognized as a recurring visitor to SIMASC and adapt the content to offer content that meets their preferences.

The entity (ies) in charge of the provision of cookies may transfer this information to third parties, as long as it is required by law or a third party is the one that processes this information for said entities.

Social media cookies

SIMASC incorporates social network plugins, which allow access to them from the Website. For this reason, social network cookies can be stored in the User's browser. The owners of these social networks have their own data protection and cookie policies, being themselves, in each case, responsible for their own files and their own privacy practices. The User must refer to them to find out about said cookies and, where appropriate, the processing of their personal data. For informational purposes only, the links where these privacy and / or cookie policies can be consulted are indicated below:

Geolocation cookies

These cookies are used to find out the location of the person when a help service or complaint is requested. This cookie is completely anonymous, and is only used to help guide content to your location, such as for the purpose of locating a person.

This geolocation data is directly provided by Google Maps (our map provider).

Disable, reject and delete cookies

The User can disable, reject and delete the cookies - totally or partially - installed on their device through their browser settings (among which are, for example, Chrome, Firefox, Safari, Explorer). In this sense, the procedures for rejecting and deleting cookies may differ from one Internet browser to another. Consequently, the User must refer to the instructions provided by the Internet browser they are using. In the event that you reject the use of cookies - totally or partially - you may continue to use the Website, although the use of some of its features may be limited.

Changes in the Cookies Policy

The SIMASC Cookies Policy may change or be updated, therefore it is recommended that the User review this policy each time he accesses the Website in order to be adequately informed about how and why we use cookies.


IP addresses

The website servers will be able to automatically detect the IP address and domain name used by the user. An IP address is a number automatically assigned to a computer or device when it connects to the Internet. All this information is registered in a duly registered server activity file that allows the subsequent processing of the data in order to obtain only statistical measurements that allow knowing the number of visits made to web services, the order of visits, the point access, etc.


Security

SIMASC uses information security techniques accepted in the industry, such as firewalls, access control procedures and cryptographic mechanisms, all in order to prevent unauthorized access to data. To achieve these purposes, the user accepts that the provider obtains data for the purposes of the corresponding authentication of access controls.

In accordance with Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, any process that involves the introduction of personal data, with special mention if they are of a high level (violence of gender, health status, injuries…) will always be transmitted through a secure communication protocol (SSL, TLS…), in such a way that no unauthorized third party has access to the information transmitted electronically.