Protection of Personal Data

Direction / Board of Directors of both UshuaÏa Entertainment SL and The Night League SL (hereinafter, the joint controllers), hereby act with the utmost responsibility and commitment to set up, implement and upkeep this Data Protection Policy, ensuring the continuing improvement of the joint controllers in order to achieve excellency regarding the compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU L 119/1, 04-05-2016), and with Spanish Data Protection regulations (Act, specific sectoral legislation and their implementing rules).

Data Protection Policy of the joint controllers’ rests on the principle of accountability, according to which the controller shall be responsible for compliance with the regulatory and jurisprudential framework governing such Policy and able to demonstrate it before competent supervisory authorities.

In this sense, the joint controllers shall be guided by the following principles, which should become the guide and reference framework on personal data processing for all their staff:

1. Data protection by design: the joint controllers shall, both when determining the means of processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner, and to integrate the necessary safeguards into the processing.

2. Data protection by default: the joint controllers shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

3. Data protection during information life cycle: measures ensuring personal data protection shall be applicable during the whole life cycle of the information.

4. Lawfulness, loyalty and transparency: personal data shall be processed in a lawful, loyal and transparent manner in relation to the data subject.

5. Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

6. Data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

7. Accuracy: personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

8. Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

9. Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

10. Information and training: one of the keys to ensuring personal data protection is the training of all staff involved in processing operations as well as the information provided to them. During the information life cycle, all staff who have access to personal data shall be properly trained and informed on their obligations regarding compliance with personal data regulations.

Data Protection Policy of the joint controllers shall be informed to all the staff and put at the disposal of all data subjects.

Consequently, this Personal Data Protection Policy involves all the staff of the joint controllers, who shall both know and assume it, considering it as their own. Each staff member shall be responsible for implementing and verifying data protection measures applicable to their activity, as well as both identify and include any improvement opportunity they see fit for the purpose of achieving excellency regarding its compliance.

This Policy shall be reviewed by Direction / Board of Directors of Ushuaïa Entertainment SL, as many times as it is necessary, to adjust it to the existing provisions on personal data protection.