Who is responsible for the processing of MDF customer data?
MDEF GESTEFIN S.A. SGIIC, a management company of Collective Investment Institutions with registered office in Madrid, Calle Serrano, 1, 3rd floor, CP:28001 (hereinafter “MDF”) will be responsible for the processing of your data. For this purpose, MDF has a Data Protection Officer in charge of monitoring compliance with data protection, whose email address is: dpo@mdffp.com
How does MDF obtain customer data?
MDF may obtain personal data: (i) directly provided by its clients, either those provided when contacting us or through the contractual relationship itself arising from the information necessary for advisory services, (ii) through public records or other public means of information such as social media or the internet, (iii) browsing data when visiting our Website, and finally (iv) from third party databases for money laundering and fraud prevention purposes.
In the course of our contractual relationship, the customer may provide MDF with data of third parties, such as legal representatives, shareholders, beneficiaries or family members. In this regard, you confirm that you have informed and, where applicable, obtained the consent of any other individuals whose personal data you will provide to us.
What does MDF process your data for?
MDF, as Data Controller, processes the personal data of its customers, their legal representatives, shareholders, employees, agents, or other collaborators for the management of the contractual relationship with them, such as: (i) the identification of contact details for the management of the relationship, maintenance of meetings, telephone and email contact, (ii) billing management and (iii) sending relevant information and monitoring of contracted services. MDF also processes personal data in order to comply with legal obligations, such as issues of prevention of money laundering or requirements arising from tax regulations.
MDF GESTEFIN may obtain personal data: (i) directly provided by you about yourself, as well as from third parties that you provide us (legal representatives, shareholders, relatives, etc.), either those provided when you contact us or through the contractual relationship itself arising from the information necessary for the contracted services, (ii) through public records or other public means of information such as social media or internet, (iii) navigation data when visiting our Website, and finally (iv) from third party databases for money laundering and fraud purposes. You confirm that you have informed and, where appropriate, obtained the consent of any other individuals whose personal data you provide to us.
Communication of personal data
MDF may disclose personal data to: (i) regulatory authorities and (ii) in order to prevent fraudulent conduct, personal data may be forwarded to individual MDF Group companies or centralised information systems. In addition, MDF has third party service providers who may access personal data in the course of providing their services, such as auditors, consulting services, advisors, IT maintenance, potential buyers or investors, administrative services and document destruction, among others. MDF pre-selects these suppliers based on data protection compliance criteria, has signed data protection contracts with all of them and monitors their compliance with their data protection obligations.
Retention period of personal data
Personal data to which access is gained will be processed for as long as the contractual relationship is maintained. In this regard, MDF will retain personal data after the end of the contractual relationship, duly blocked, for the period of limitation of actions that may arise from the relationship with customers. In any case, MDF shall retain the information that it is required by the Prevention of Money Laundering and Terrorist Financing regulations to obtain for a period of 10 years from the termination of the business relationship or the execution of the transaction.
Security Measures
MDF will establish security measures for personal data, so as to avoid its alteration, loss, unauthorized access or processing, given the state of technology, the nature of the data stored and the risks to which they are exposed, whether from human action or from the physical or natural environment. Specifically, MDF undertakes to adopt, update and maintain all organizational and technical measures necessary to ensure the security and confidentiality of personal data, preventing any alteration, loss, treatment, processing or unauthorized access. Specifically, MDF has implemented the following measures:
- Appointment of a Data Protection Officer (DPO), who ensures continuous compliance with applicable regulations.
- Definition of roles and responsibilities of personnel who process personal data.
- Communication among staff of the defined roles and responsibilities associated with compliance with data protection regulations. Specifically, all employees are aware of their duty of secrecy commitments, their functions in terms of data protection and confidentiality. To this end, secrecy, data protection and confidentiality clauses have been included in the contracts with its staff and with all collaborators, such as consultants or external advisors who may have access to the data.
- All employees know how to act when receiving requests for the exercise of rights from the holders of personal data, the terms of compliance to meet the rights of data subjects, the form and procedure in which such rights will be met.
- Annual training is provided to employees regarding their data protection and information security obligations. Employees are made aware of these matters and disciplinary processes are established in relation to data protection and information security violations.
- Definition of roles, profiles and permissions for users of the applications and systems where such data are processed according to established functions and responsibilities, in order to prevent access to data or resources other than those authorized. This access control system guarantees adequate user identification and authentication mechanisms, thus preventing identity theft in the identification process.
- An updated list of users and user profiles, and the authorized accesses for each of them, as well as the establishment of the necessary mechanisms to prevent a user from accessing resources other than those authorized.
- Passwords are guaranteed for access to personal data stored in electronic systems. Passwords have at least 8 characters, a mixture of numbers and letters and are renewed periodically, automatic user blocking in the event of successive failed access attempts, etc.
- Automated measures that limit access to information for unauthorized users or outside the specified retention period, such as through data erasure techniques.
- Procedures that limit physical access by unauthorized personnel to facilities where information systems or physical media are located.
- Control records on media (including removable media and mobile devices) and assets involved in the processing of personal data, which have limited access mechanisms. MDF will not apply or use personal data for purposes other than those contained in this contract, nor communicate them, even for storage, to others.
- Procedures for the recovery of personal data in the event of its possible destruction, loss or alteration.
- Whenever any document or support containing personal data is to be discarded, it shall be destroyed or erased, adopting the necessary measures to prevent access to the information contained therein or its subsequent recovery.
- There is an updated system of protection against malicious code and similar.
- There are procedures for the detection, evaluation and notification, if necessary, of security incidents that may affect the rights and freedoms of interested parties.
- Execution of periodic compliance reviews and definition and execution of action plans for the mitigation of detected risks. Physical security mechanisms are established (controlled and restricted access measures, identified and accompanied visits, existence of video surveillance…), environmental and equipment security (maintenance, location and protection, security outside the facilities).
MDF will not apply or use personal data for purposes other than those set out in this contract and this policy, nor will it communicate them, even for storage purposes, to other persons.
Confidentiality and duty of secrecy
The parties agree that any proprietary information, regardless of the medium in which it is held, will be considered as confidential information and will be treated as secret, confidential and restricted, and will be processed in accordance with the provisions of this contract.
MDF will at all times ensure that the above personal data are accurate, complete and up to date, are not used for purposes other than those related to this contract and are kept strictly confidential.
Exercising data protection rights
The client may exercise their rights of access, rectification, suppression, opposition, as well as request that the processing of their personal data be limited, portability of their data, and not being subject to automated individual decisions, in relation to the data provided at any given time, by writing to the Data Protection Delegate in Madrid, Calle Serrano, 1, 3rd floor, CP: 28001 (enclosing a copy of their ID card or official identification document), or via the address dpo@mdffp.com.
To whom can you lodge data protection complaints?
In the event that the customer’s data protection rights have been violated or if they have any complaint regarding their personal information, they may contact the Data Protection Delegate by e-mail at dpo@mdffp.com. In any case, interested parties may contact the Spanish Data Protection Agency, the supervisory authority for data protection at http://www.agpd.es. C/ Jorge Juan 6, 28001, Madrid. Tel. 901.100.099/91.266.35.17..
For more information, please visit:
Legal Notice and Privacy Policy
Michavila de Fernando Family Partners, S.A., Data Protection Policy
