General Information on Data Protection

PKF Attest is a multidisciplinary firm that provides professional services in different market areas through different companies. Without prejudice to the existence, it operates in the business sector as a single organisation in the provision of its services, thus legislation on data protection is fully applicable to its activities. In particular, it handles data with the following purposes:

To properly provide its services, PKF Attest accesses and handles information under the instructions of its clients, acting as a manager in the handling of:

Legal and tax services: legal and tax advice, keeping of official books, preparation of payroll, accounting and other administrative services.
Financial services: economic and financial advice and consulting, accounts auditing, education and training, bankruptcy administration, advice on corporate procurement processes and restructuring and reorganisation processes in the field of capital markets and in the planning of programs and calls for financial and fiscal aid for R+D+I.
Consulting services: design, development, marketing, implementation, maintenance, advice and consulting on all types of IT solutions, strategic, organisational, commercial, management systems, processes and improvement, development and management of personnel, quality, environment and energy, corporate social responsibility, occupational health and safety, education and training and data analytics.
PKF ATTEST handles the information of its workforce and collaborators to ensure the proper administration of the group, to manage the employment relationship and evaluate their professional performance, and to comply with legal obligations arising from the employment relationship, the prevention of money laundering and the protection of personal data.

PKF Attest handles the data of its candidates in order to manage the various selection processes in the hiring of individuals.

PKF Attest also handles personal data to manage the sending of corporate information, the sending of information about events and/or activities it organises or of which it is part.

In any case, any personal information provided will be handled in a lawful, faithful and transparent manner in relation to the individuals concerned. Such handling shall be appropriate, pertinent and limited to that which is necessary to the purposes for which they are handled.

The legitimation for the handling of personal data varies according to the purposes described above and collective purposes of interested persons, obtaining unequivocal consent when necessary in accordance with the provisions of current regulations on data protection. When such legitimation is not consent-based, the data will be handled in compliance with a contract or precontract in which the interested party is a party, or on the basis of the legitimate interest of the person responsible.

When data is collected through online forms, the fields marked with an asterisk are required, and if they are not provided, the service in question cannot be managed.

In this sense, PKF ATTEST, as a party committed to the security and confidentiality of any personal data of the client that could be stored or handled (even temporarily), has taken the necessary measures to avoid the alteration, loss, unauthorised access or handling of such data thanks to periodically audited measures to ensure:

Confidentiality: through the appropriate controls and administration of users with access to the systems. All PKF Attest staff members have signed an annex to their employment contract that covers confidentiality and duty of secrecy regarding any access to the information and personal data that they may have in the performance of their work. In addition, the application of encryption technologies has been implemented in both storage and in the transmission of information. Use of confidentiality preservation technologies, applying access control or identity management solutions, among others.
Integrity: information systems feature security policies and password policies that limit and protect available information by mapping access profiles on both local and Microsoft cloud servers.
Availability: using resource allocation policies and backup policies that apply to all systems including projects and services provided to customers. Systematic data recovery tests are carried out in case of serious incidents that could limit the availability of data.
Implementation of resilience mechanisms, allowing the monitoring and rapid detection of incidents and guaranteeing the articulation of the planned recovery mechanisms.
Application of incident response protocols, both physical and logical, that guarantee the quick and effective resolution thereof.
Implementation of audit practices to periodically check the implementation of different security measures and their effectiveness.
In addition, PKF Attest has obtained the status of Microsoft’s Gold Partner that necessarily implies exceeding the audits that Microsoft establishes in relation to software licenses and their use.

PKF Attest has defined the actions to be followed for its suitability as a consultancy services provider including:

Differentiated risk analysis by treatment instead of the current system of analysing the security of information systems as a whole.
Organisational measures to adapt the company employment contract annex to the requirements of the GDPR with respect to the obligations of personnel with access to client data.
Reinforcement of the current incident management process to include the prevention of security breaches and their due notification to the control authority and/or the person responsible for handling the data, as appropriate.
Regarding the use of the data: these will only be ceded in the conditions under which it has been reported in each case and in compliance with legal provisions.

In relation to the time of the data’s preservation, these shall be handled from the time in which they are collected until the achievement of the purpose for which they were obtained or the moment when the consent given is revoked.

Interested parties are informed of the possibility of exercising their rights to:

Access their personal data, as well as request the rectification of inaccurate data or, where appropriate, request their deletion when, among other reasons, the data is no longer necessary for the purposes that justified their collection.
The interested party is entitled to exercise the right to oblivion and to the portability of their data as long as it is technically feasible.
In certain circumstances, interested parties may request the limitation of the handling of their data, in which case they will only be retained for the exercise of the right of defence against possible claims.
In certain circumstances and for reasons related to their particular situation, interested parties may object to the handling of their data. PKF Attest shall cease handling the data, except for legitimate compelling reasons or the exercise of the right of defence against possible claims.
Interested parties shall be informed of the possibility of exercising the above mentioned rights from the email address dcmweb@pkf-attest.es. The party has the right to file a complaint with the Spanish Data Protection Agency (www.agpd.es) if they disagree with the attention received with regard to their rights.