Information security and privacy policy
Version 6
INTEGRACIÓN AGENCIA DE VIAJES S.A., hereinafter IAG7 VIAJES, is a company dedicated to providing travel, conference, convention & incentive services to companies.We are oriented to well differentiated branches:
- Business trips: Corporate Business Travel.
- Incentive and conference trips: MICE.
- Trips for individuals: Leisure Travel.
- An aerial consolidator: Cogeloalvuelo.
- And own product development: Mayorista
Information is essential for efficient decision-making in our services and decision-making, which is why there is a commitment from the Management of IAG7 Viajes to improve the Information Security Management System and protect its most significant properties as a strategy for business continuity, risk management and the consolidation of a security culture.
Our objective is to protect IAG7 Viajes's information resources and the technology used for their processing against internal or external threats, deliberate or accidental, in order to ensure the confidentiality, integrity, availability, traceability and authenticity of the information and always in accordance with risk acceptance criteria.
Mission and legal and regulatory framework
Royal Decree 311/2022, of January 8, which regulates the National Security Scheme (ENS), requires us to protect the services we provide to our interested parties. With the implementation of an ISMS under the UNE ISO/IEC 27001 Standard integrated with the MEDIUM category ENS in accordance with the criteria established in Annex I of RD 311/2022, and the application of the requirements described in the CCN Guides and Technical Instructions, the security of our services is strengthened, as well as the information and data they include and that are necessary for their correct and adequate provision.
IAG7 Viajes processes certain personal data that must be registered and kept updated through the document “Registration of Processing Activities” in order to facilitate the control, management and protection of rights by applying specific security measures to comply with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016, relating to the protection of natural persons with regard to the processing of personal data and the free circulation of these data and which repeals Directive 95/46/EC (General Data Protection Regulation), equivalent to Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights, which was created to facilitate application and compliance in Spain.
The regulations applicable to the organization are the following:
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data.
- Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.
- Royal Legislative Decree 1/1996, of April 12, Intellectual Property Law.
- Law 2/2019, of March 1, which modifies the consolidated text of the Intellectual Property Law, approved by Royal Legislative Decree 1/1996, of April 12, and by which Directive 2014/26/EU of the European Parliament and of the Council, of February 26, 2014, and the Directive (EU) are incorporated into the Spanish legal system. 2017/1564 of the European Parliament and of the Council, of September 13, 2017.
- Law 34/2002 of July 11 on Information Society Services and Electronic Commerce (LSSI).
- Law 40/2015, of October 1, on the Legal Regime of the Public Sector.
- Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations.
- Royal Decree 4/2010, of January 8, which regulates the National Interoperability Scheme in the field of Electronic Administration.
- Resolution of October 13, 2016, of the Secretary of State for Public Administrations, which approves the Technical Security Instruction in accordance with the National Security Scheme.
- Resolution of October 7, 2016, of the Secretary of State for Public Administrations, which approves the Technical Security Instruction for the State of Security Report.
- Resolution of March 27, 2018, of the Secretary of State for Public Function, which approves the Technical Security Instruction for the Security Audit of Information Systems.
- Law 6/2020, of November 11, regulating certain aspects of electronic trust services.
- Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 (link tohttps://www.boe.es/doue/2014/257/L00073-00114.pdf), relating to electronic identification and trust services in electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS regulation).
- Law 37/2007, of November 16, on reuse of public sector information.
- Royal Decree 1553/2005, of December 23, which regulates the national identity document and its electronic signature certificates.
- Law 25/2007, of October 18, on the conservation of data related to electronic communications and public communications networks.
- Royal Decree 1494/2007, of November 12, which approves the Regulation on the basic conditions for the access of people with disabilities to technologies, products and services related to the information society and social media.
- Law 9/2014, of May 9, General Telecommunications (In force in the sections indicated in the Sole Repealing Provision of Law 11/2022, of June 28.
- Royal Decree 311/2022, of May 3, which regulates the National Security Scheme. In particular, IAG7 Viajes undertakes to comply with the basic principles of Chapter II, which includes articles 5 to 11, regulates the basic principles that must govern the ENS and which is listed in article 5: comprehensive security; risk-based security management; prevention, detection, response and conservation; existence of defense lines; continuous monitoring and periodic reassessment; and differentiation of responsibilities.
Commitment to the principles of the ENS
Following these principles, the organization undertakes to comply with them as follows:
a) Security as an integral process
At IAG7 Viajes, security is an inherent aspect of all our operations. We have integrated security into every phase of our processes, from the implementation of new systems to the daily management of information. Through ongoing training and promoting a culture of security, we are ensuring that all of our employees understand their role in protecting our information assets.
b) Risk-based security management
We are currently conducting a comprehensive risk analysis to identify the most likely threats and their potential impacts. We have cataloged our information assets and evaluated their value to the organization. With this information, we design specific security controls to mitigate each risk, prioritizing those that represent the greatest threat to our business continuity.
c) Prevention, detection, response and conservation
To prevent security incidents, we have implemented multiple security measures, such as firewalls, intrusion detection systems, and secure access policies. Additionally, we have a detailed incident response plan that allows us to quickly detect and respond to any threats. In the event of an incident, we retain all the evidence necessary to conduct a thorough investigation and learn from the experience.
d) Existence of lines of defense
We have established defense in depth, implementing multiple layers of security to protect our systems and data. These layers include physical, logical, and administrative controls. For example, we control physical access to our facilities, protect our systems with antivirus and firewalls, and have implemented robust password policies.
e) Continuous surveillance
Our systems are constantly monitored for any suspicious activity. We use log analysis tools to identify unusual patterns and possible threats. Additionally, we conduct regular security audits to evaluate the effectiveness of our controls.
f) Periodic reevaluation
We recognize that the threat landscape is constantly evolving. Therefore, we conduct regular risk assessments to identify new threats and adjust our security controls accordingly. We also review our security policies and procedures to ensure they remain relevant and effective.
g) Differentiation of responsibilities
We have clearly assigned security responsibilities to different areas of the company. Each department has specific roles and responsibilities in protecting information. For example, the IT department is responsible for the security of computer systems, while the human resources department is responsible for access management.
By implementing these ENS principles, IAG7 Viajes is significantly strengthening its security posture and proactively protecting its information assets.
Furthermore, at IAG7 Viajes the Intellectual Property Law is complied with and respected regarding the use of the software, as well as the rest of the applicable regulations included in the “Regulatory Framework” document.
Leadership and commitment of Management
The Management of IAG7 Viajes is committed to facilitating and providing the necessary resources for the establishment, implementation, maintenance and improvement of the entity's ISMS/ENS, as well as to demonstrate its leadership and commitment through the establishment of the Security Committee.
This policy is understood, implemented and kept up to date at all levels of the company and has the full commitment and support of the IAG7 Viajes Management, who establishes, develops and applies it through the Information Security Management System implemented, according to the international standard UNE-ISO IEC27001 and the R.D. 311/2022 of the National Security Scheme.
Information security objectives
They will be established in the relevant functions and levels, focused on improvement and using as a reference framework:
- Managing information security within the organization and establishing a framework to control its implementation.
- Classification and control of assets aimed at maintaining adequate protection of these.
- Personnel safety, reducing the risks of human error, commission of crimes against the organization or inappropriate use of facilities.
- Physical and logical security aimed at preventing unauthorized access, damage and interference to the company's headquarters and information.
- Communications and operations management to ensure the correct and secure operation of information processing facilities and media.
- Management and monitoring of access controls, aimed at controlling logical access to information.
- Manage and ensure the continuity of IAG7 Viajes activities, counteracting business interruptions and protecting critical processes from the effects of significant failures or disasters.
- Compliance with current law, preventing infractions and violations thereof.
Establishment, implementation, maintenance and improvement of the ISMS/ENS and guidelines for documentation management
The deployment of the IAG7 Viajes ISMS/ENS is carried out based on the “Security Risk Map”, which allows determining the level of security required by the organization and identifying the controls necessary to treat the risk and bring it to an acceptable level, in accordance with Annex I of RD 311/2022 and Annex A of the ISO 27001 standard. The security controls must be implemented, maintained and continually improved and be available as documented information that must be reviewed. and approved by the Information Security Committee on behalf of the General Directorate.
The documented information will be classified as: Public, Internal and Confidential, giving appropriate use in accordance with said classification and according to the criteria established in the Information Classification and Labeling Procedure. The documented information on security controls must be communicated to the personnel working in the entity (internal and external personnel) who will have the obligation to apply it in the performance of their work activities.
In compliance with article 12 of the Royal Decree of the ENS, this Security Policy will be developed applying the following minimum requirements and will be included in the system documentation:
Audits will be carried out to review and verify compliance of the ISMS/ENS of IAG7 Viajes with the requirements of the ISO/IEC 27001 Standard for the ISMS and with Royal Decree 311/2022, of January 8, which regulates the National Security Scheme, so the personnel affected by the scope of said audits must be collaborative for their effectiveness, as well as in the application of corrective actions. that are derived for continuous improvement.
Our management system has the following structure: Security Policy, regulations and internal procedures and records.
The management of our system is entrusted to the person responsible for the information.
- Organization and implementation of the security process.
- Risk analysis and management.
- Personnel management.
- Professionalism.
- Authorization and access control.
- Protection of facilities.
- Product acquisition.
- Security by default.
- System integrity and updating.
- Protection of information stored and in transit.
- Prevention against other interconnected information systems.
- Activity log.
- Security incidents.
- Continuity of activity.
- Continuous improvement of the security process.
Information Security Roles and Responsibilities
The Information Security Committee will proceed to review and propose the approval of this Information Security Policy to the General Directorate, which is Responsible for Information.
In addition, the Security Committee will centralize the coordination and conflict resolution mechanisms between the responsible parties indicated below, which will be discussed through debate during the meetings of the members of said Committee and which will be moderated by the General Directorate:
The Security Committee, representing the General Management, will be the body in charge of approving the Policy and will be responsible for authorizing its modifications, as well as all the documented information from the entity's ISMS/ENS.
The Information Security Manager will be in charge of notifying this Policy to the entity's staff and of the changes that may occur therein, as well as coordinating the implementation, maintenance and improvement actions of the entity's ISMS/ENS (including the signing of the Declaration of Applicability that formalizes the list of applicable security measures derived from the Risk Analysis), and its audits, with the Systems Manager who will be in charge of managing the technical security requirements of the systems. of information, and with the Responsible for the Service, whose figure falls on the directors of the areas of the entity, who will be in charge of managing the security requirements of the activities of their area for the provision of services.
The person responsible for each information and/or service affected by the risk analysis and management will be indicated in the ISMS/ENS Risk Map, which will include the criteria that will determine the level of security required, within the framework established in article 40 and the general criteria prescribed in Annex I of the Royal Decree of the ENS.
The Data Protection Manager, in collaboration with the Security Committee, undertakes to deal with the risks arising from the processing of personal data and will therefore be responsible for ensuring that personal data is processed and protected in accordance with the General Data Protection Regulation (GDPR EU 2016/679), and will therefore work in coordination with the Information Security Manager and the Systems Manager.
All personnel of the organization, both internal and external, will be responsible for complying with this Information Security Policy within their work area, as well as for applying all the documented information of the controls and security measures of the ISMS/ENS of IAG7 Viajes in their work activities that affects their performance in information security.
Review of the Information Security Policy
This Information Security Policy will be examined in system reviews by Management through the Information Security Committee whenever significant changes occur and at least once a year.
Approval, dissemination and application of the Information Security Policy
This Information Security Policy will be approved by the General Directorate of IAG7 Viajes by signature and disseminated to the interested parties.
Likewise, the General Directorate will provide the necessary resources for the effective application of this policy, and for its proper development, both in implementation activities.
Document structure and access to information
IAG7 Viajes has the duty to structure our management system in a way that is easy to understand. Our management system has the following structure: POLICIES, PROCEDURES AND RECORDS.
The management of our system is entrusted to the person responsible for the information and the system will be available in our information system in a repository, which can be accessed according to the access profiles granted according to our current access management procedure.
Conflict resolution
Differences in criteria that could lead to a conflict will be dealt with within the Security Committee and the criteria of the General Management will prevail in all cases.
Analysis of risks related to personal data in IAG7 trips.
The main data protection risks for IAG7 Viajes are:
To mitigate these risks, IAG7 Viajes has implemented the following measures:
- Security Breaches: The Company protects the personal data of its customers and employees against unauthorized access, loss, alteration or destruction.
- Non-compliance with legislation: IAG7 Viajes complies with applicable data protection legislation, both nationally and internationally. We safeguard all data within the EU.
- Damage to reputation: A violation of the security of personal data can damage the reputation of IAG7 Viajes and affect its relationship with its clients and employees, which is why we guarantee the data protection guidelines regulated by the Spanish Data Protection Agency.
- Staff training and awareness: IAG7 Viajes trains its staff in data protection matters, so that they know and comply with the company's policies and procedures.
- Internal audits: IAG7 Viajes conducts regular security audits to evaluate the effectiveness of its data protection measures.
- Security breaches: IAG7 Viajes has a security breach action protocol to effectively manage any data security breach.
- Privacy Policy Review: IAG7 Viajes periodically reviews the privacy policy to ensure it is up to date and complies with applicable laws.
Privacy Policy
Following the principles of legality, loyalty and transparency, the relevant information regarding personal data collected from employees and clients is detailed below:
Who is responsible for the processing of your data?
- Responsable
- Integración Agencias de Viajes S.A. (en adelante IAG7 Viajes)
- NIF
- A84523505
- Domicilio social
- C/ Doctor Esquerdo 136, 28007 Madrid
- Correo electrónico
- dpo@iag7viajes.com
- Teléfono
- 917257270
Delegado de Protección de datos
Integración Agencias de Viajes S.A. (en adelante IAG7 Viajes)
For what purpose do we process your personal data?
At IAG7 Viajes, depending on the category of interested party in question, we process the information you provide us with the following purposes:
| Interesados | Finalidades del tratamiento |
|---|---|
| Potenciales clientes | Gestionar la potencial relación comercial y/o profesional, gestionar el envío de información solicitada y/o resolver las consultas planteadas, facilitar ofertas de nuestros servicios y/o productos de su interés. |
| Clientes | Gestionar la relación comercial y/o profesional, facilitar ofertas de nuestros servicios y/o productos de su interés. |
| Proveedores | Gestionar la relación comercial y/o profesional. |
| Candidatos | Gestionar el proceso de selección de personal. |
What is the legitimacy for the processing of your data?
The legal basis for the processing of your personal data, depending on the category of interested party in question, may be:
The data we request from you is adequate, relevant and strictly necessary and in no case are you obliged to provide it to us, but failure to provide it may affect the purpose of the service or the impossibility of providing it.
| Interesados | Base legal |
|---|---|
| Potenciales clientes |
|
| Clientes | Art. 6.1.b RGPD: ejecución de un contrato en el que el interesado es parte. |
| Proveedores | Art. 6.1.b RGPD: ejecución de un contrato en el que el interesado es parte. |
| Candidatos | Art. 6.1.a RGPD: consentimiento del propio interesado. |
| Usuarios web | Art. 6.1.a RGPD: consentimiento del propio interesado. |
How long will we keep your personal data?
Your data will be kept for the minimum time necessary for the correct provision of the service offered, as well as to meet the responsibilities that may arise from it and any other legal requirement.
To which recipients will your data be communicated?
Additionally, we inform you that certain data, by virtue of current regulations or the contractual relationship you maintain with IAG7 Viajes, may be communicated to:
- Banks and financial entities for the collection of contracted services and/or purchased products.
- Public administrations with jurisdiction in the activity sectors of Integración Agencias de Viajes S.A., when established by current regulations.
- Spanish Passenger Information Unit (UIP), for the purposes of complying with Organic Law 1/2020, of September 16, on the use of data from the Passenger Name Registry for the prevention, detection, investigation and prosecution of terrorist crimes and serious crimes.
- Service providers for whom the communication of your data is essential, such as hotels, airlines, shipping companies, etc. Those who will use the data exclusively to comply with the purpose of the contract.
Are international data transfers carried out?
As we have indicated previously, for the management of the purposes inherent to the development and fulfillment of the contracted service, it may be necessary and mandatory to communicate your data to certain suppliers such as airlines, shipping companies, hotels and other service providers. These providers, depending on the country of destination of your trip, may be located in third countries for which it is necessary to carry out an international data transfer and/or they may be located in countries that do not have adequate guarantees. In any case, we will ensure that any international transfer complies with the necessary guarantees, in order to guarantee the confidentiality of your information.
INTEGRATION AGENCIA DE VIAJES could carry out international transfers of data derived from the acceptance of cookies from this website:
Google Llc and Google Ireland Limited transfer data to the United States based on the user's consent by accepting cookies.
By accepting cookies from these entities, the user consents that their personal data that may be collected through the loading and reading of cookies be transferred to the United States, a country in which a level of protection comparable to the European one is offered, only in those American companies included in the EU-US data privacy list, in what is known as the “Data Privacy Framework” (hereinafter, “DPF”). If American companies are not members of the DPF, it will be understood that they do not guarantee a level of protection comparable to the European one.
If the user does not consent to this international transfer of data to the United States, they must reject these cookies, not providing or obtaining the functionalities or services offered with these cookies.
You can find out about transfers to third countries that, where applicable, are carried out by the third parties identified in thecookie policyin their corresponding policies.
What are your rights when you provide us with your data?
The data protection rights that interested parties may exercise, when applicable, are:
You can use the following models to carry out your rights exercises:
The owners of the personal data obtained may exercise their personal data protection rights by sending a written communication to the registered office of Integración Agencias de Viajes S.A. or to the email enabled for this purpose,dpo@iag7viajes.com.
You have models, forms and more information available about your rights on the website of the national control authority, Spanish Data Protection Agency, hereinafter, AEPD, inwww.aepd.es
| Derecho | ¿En qué consiste? |
|---|---|
| Derecho de acceso | Consultar qué datos personales trata el Responsable del Tratamiento. Más información, aquí. |
| Derecho de rectificación | Modificar los datos personales que trata el Responsable del Tratamiento cuando sean inexactos, incorrectos o incompletos. Más información, aquí. |
| Derecho de oposición | Solicitar que Responsable del Tratamiento no trate sus datos personales para algunas finalidades concretas. Más información, aquí. |
| Derecho de supresión | Solicitar que el Responsable del Tratamiento elimine sus datos personales. Más información, aquí. |
| Derecho de limitación | Solicitar que el Responsable del Tratamiento limite el tratamiento de sus datos personales. Más información, aquí. |
| Derecho de portabilidad | Cuando el tratamiento se efectúe por medios automatizados, recibas tus datos personales en un formato estructurado, de uso común, de lectura mecánica e interoperable, y puedas transmitirlos a otro responsable del tratamiento. Más información, aquí. |
| Derecho a no ser objeto de decisiones individuales automatizadas | Este derecho pretende garantizar que no seas objeto de una decisión basada únicamente en el tratamiento de tus datos, incluida la elaboración de perfiles, que produzca efectos jurídicos sobre ti o te afecte significativamente de forma similar. Más información, aquí. |
| Derecho a presentar una reclamación ante la autoridad competente | Interponer una reclamación contra el Responsable del Tratamiento ante la Agencia Española de Protección de Datos (AEPD) si el Usuario considera que la entidad ha tratado sus datos personales infringiendo la normativa. |
- Access to the model to exercise the right of access.
- Access to the model to exercise the right of rectification.
- Access to the model to exercise the right of deletion.
- Access to the model to exercise the right to object.
- Access to the model to exercise the right to limit processing.
- Access to the model to exercise the right of portability.
- Access to the model to exercise the right not to be subject to automated individual decisions.
Can I withdraw consent?
You have the possibility and the right to withdraw consent for any specific purpose granted at the time, without affecting the legality of the treatment based on consent prior to its withdrawal.
Where can I complain if I believe that my data is not being processed correctly?
If any interested party considers that their data is not processed correctly by IAG7 Viajes or that the requests to exercise rights have not been satisfactorily attended to, they may file a claim with the corresponding data protection authority, the AEPD being the one indicated in the national territory,www.aepd.es.
Security and updating of your personal data
In order to safeguard the security of your personal data, we inform you that IAG7 Viajes has adopted all the necessary technical and organizational measures to prevent its alteration, loss, and/or unauthorized processing or access, as required by regulations, although absolute security does not exist.
It is important that, so that we can keep your personal data updated, you always inform us when there is a change to it.
Confidentiality
IAG7 Viajes informs you that your data will be treated with the utmost care and confidentiality by all personnel involved in any of the processing phases. We will not transfer or communicate your data to any third party, except in the cases legally provided for, or unless the interested party has expressly authorized us.