Privacy Policy
In accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD) and other data protection regulations in force, users of the website who have voluntarily given their free, clear and unequivocal consent to the processing of their personal data by accepting the “Data Protection Policy” box are informed that their data will be processed, depending on the company they have contacted, by either MAILTECK, S.A. or CUSTOMER COMMUNICATIONS TECKNALIA, S.L., jointly referred to in this Privacy Policy as MAILCOMMS GROUP.
Identity: MailTecK, S.A.
NIF: A-31501901
Address: Avenida de la Recomba nº 12-14 – 28914 Leganés (Madrid)
Telephone: 91 304 49 41
E-mail: info@mailteck.com
Contact with the DPO: dpo@mailteck.com
Identity: Customer Communications Tecknalia, S.L.
NIF: B-86414000
Address: Avenida de la Recomba nº 12-14 – 28914 Leganés (Madrid)
Telephone: 91 689 56 65
E-mail: info@customercomms.com
Contact with the DPO: dpo@customercomms.com
In MAILCOMMS GROUP we process the data collected for:
- Web user data: Processed only for statistical purposes and navigation analysis, to optimize and improve the user experience, in accordance with the provisions of our Cookies Policy. In any case, these are non-invasive analyses that allow the improvement of services and the technology applied to them.
- Data collected through the contact form: Processed in order to manage, handle and respond to the request made through the contact forms made available on the website.
- Subscription data for our Newsletter: Processed for the sole purpose of sending information about the activity of MAILCOMMS GROUP, as well as news, promotions, events organised or discounts applicable to our products or services.
MAILCOMMS GROUP will only process the data provided for the purposes described above, and the data will not be further processed in a manner incompatible with those purposes. The personal data provided will be kept for the legal periods applicable in each case, taking into account the type of data and the purpose of processing, provided that the user has not exercised their right of erasure. No automated decisions will be made on the basis of these data.
- Web user data: Legitimate interest, consisting of the continuous improvement of the business model offered on the website, as well as the correction of any deficiencies detected in the delivery of the service.
- Data collected through the contact form: Consent of the data subject, given by providing their data directly through the contact forms provided.
- Subscription data for our Newsletter: Consent of the data subject, given by ticking the box provided for this purpose.
- Collaborating and participated companies for commercial purposes.
- By legal requirement when required by law.
- General confirmation: Any person has the right to obtain confirmation as to whether MAILCOMMS GROUP is processing personal data concerning them.
- ARCO Rights: Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
- Limitation of processing: In certain circumstances, the interested parties may request the limitation of the processing of their data, in which case we will only keep them for the exercise or defense of claims.
- Opposition to processing: In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. In that case MAILCOMMS GROUP will stop processing the data, except for compelling legitimate reasons or for the exercise or defence of possible claims.
- Data portability: In certain circumstances and for reasons related to their particular situation, data subjects may request to receive the personal data provided in the contact form in a structured, commonly used and machine-readable format, as well as to transmit such data to another data controller without hindrance.
- Claim before a public body: If you consider that your right to personal data protection has been violated, you may file a claim before the Spanish Data Protection Agency (www.aepd.es).
- Channel to exercise the rights: Interested parties may exercise the rights recognised in the regulations before each of the data controllers, at the DPO addresses listed in the “Responsible” section.
- The personal data have been obtained by the interested party by directly providing their data through the contact forms provided.
- The categories of data to be processed are identification data (name, surname, corporate e-mail, corporate telephone, position, and the company for which the data subject provides their services).
- MAILCOMMS GROUP does not process specially protected data.
Version: 8 | DATE: 26 November 2024
ANNEX I: INFORMATION SECURITY, CONTINUITY AND PRIVACY MANAGEMENT SYSTEM POLICY
This Information Security, Continuity and Privacy Policy shows the Management’s commitment by providing the organisation with resources, duties and procedures to guarantee compliance with current regulations, as well as the integrity, confidentiality and availability of information and systems, which is crucial for the security, privacy and continuity of our organisation, as well as that of our clients.
MailComms Group, aware that the security, continuity and privacy of information relating to our clients is a valuable resource, has established an Information Security, Continuity and Privacy Management System in accordance with the requirements of the ISO/IEC 27001, ISO/IEC 27701 and ISO 22301 Standards to guarantee the continuity of information systems, minimise the risk of damage and ensure compliance with set objectives.
Additionally, for the Electronic Registered Delivery Service, based on the nature of the service provided, the provisions established in the European eIDAS Regulation governing Trusted Services have been followed, and specifically the ETSI 319 401 and ETSI 319 521 Standards for Electronic Registered Delivery Services Providers, which contain specific precepts for the provision of this type of service. In this regard, the Policy governing this service shall be the Practice Statement of Electronic Registered Delivery Trust Service (hereinafter “Practice Statement”).
Furthermore, in compliance with European cybersecurity regulations, the entities forming part of the Group, in their capacity as Qualified Trust Service Providers, undertake to comply with Directive (EU) 2022/2555 on measures to ensure a common high level of cybersecurity throughout the Union, as essential entities of the European digital infrastructure.
The objective of the Security, Continuity and Privacy Policy is to establish the framework for action required to protect information resources against threats, whether internal or external, deliberate or accidental, in order to ensure compliance with the confidentiality, integrity and availability of information.
The effectiveness and implementation of the Information Security, Continuity and Privacy Management System is the direct duty of the Information Security and Privacy Committee, which is responsible for the approval, dissemination and compliance with this Security, Continuity and Privacy Policy. In its name and on its behalf, an Information Security and Privacy Management System Manager has been appointed who has sufficient authority to play an active role in the Information Security and Privacy Management System, supervising its implementation, development and maintenance.
Moreover, and in order to comply with current data protection regulations, a Data Protection Officer (DPO) has been appointed to guarantee the security and privacy of personal data, especially taking into account the company’s activity.
The Information Security and Privacy Committee shall develop and approve the risk analysis methodology used in the Information Security, Continuity and Privacy Management System.
Any person whose activity may directly or indirectly be affected by the requirements of the Information Security, Continuity and Privacy Management System is obliged to strictly comply with the Security, Continuity and Privacy Policy and, additionally, for the Electronic Registered Delivery Service, must comply with the Practice Statement.
The MailComms Group shall implement all required measures to comply with the applicable regulations on security, continuity and privacy in general and on IT security, relating to IT policy, the security of buildings and facilities and the behaviour of employees and third parties associated with the MailComms Group in the use of IT systems and the processing of personal data. The measures required to ensure the security and privacy of information through the application of standards, procedures and controls shall ensure the confidentiality, integrity and availability of information, essential for:
- Complying with current legislation, regulations and standards on continuity, privacy and information systems and with all contractual requirements regarding data protection and trusted electronic services, as well as those it deems appropriate to carry out with the goal of achieving ongoing improvement of the organisation and of the security, continuity and privacy management system.
- Ensuring the confidentiality of the data managed by MailComms Group.
- Ensuring the availability of information systems, both in the services offered to clients and in internal management.
- Ensuring emergency response capability, restoring critical services to operation in the shortest possible time.
- Avoiding undue alterations to information.
- Promoting awareness and training in information security, continuity, privacy and trustworthy e-services.
- Promoting and participating in achieving ongoing improvement of the information security, continuity and privacy management system and trusted e-services.
- Establishing technical and methodological requirements for cybersecurity risk management measures, identifying risks and correcting detected vulnerabilities, cyber threats and cybersecurity incidents, in order to prevent the occurrence of incidents that compromise the business continuity of MailComms Group.
- Updating the results of the risk assessment and risk processing plan at planned intervals and at least annually, and when there are significant changes in operations or significant risks or incidents.
The Information Security and Privacy Policy and the Practice Statement should be reviewed at planned intervals, at least annually and whenever significant changes occur in the organisation, to ensure that their suitability, adequacy and effectiveness are maintained.
Version: 4 | DATE: 4 December 2024
ANNEX II: NETWORK AND INFORMATION SYSTEMS SECURITY POLICY
The management of MailComms Group (formed by MAILTECK S.A. and CUSTOMER COMMUNICATIONS TECKNALIA S.L.), hereinafter “MailComms Group” or, specifically, “Mailteck” and/or “CCOMMS”, aware of the need to promote, maintain and improve the client focus in all its activities, has implemented an Integrated Management System (IMS) in compliance with several internationally recognised standards. The ultimate goal of the IMS is to ensure that we understand and share the needs and goals of our clients, striving to provide services that meet their expectations and working towards ongoing improvement. MailComms Group expressly states its commitment to enhance Information Security and Cybersecurity, specifically, to ensure, among other aspects, the security of networks and information systems that support the different business processes in such a way as to reinforce its digital operational resilience, as well as the continuity and availability of the service provided, aligning its practices with the applicable regulations in force.
In this regard, MailComms Group is committed to developing the highest cybersecurity capabilities, thereby reducing threats to the network and information systems used by MailComms Group in compliance with European cybersecurity regulations.
At the same time, it is committed to meeting the needs and expectations of stakeholders and to maintaining high competitiveness in services and products for the “Automated processing of multi-channel client communications and transactions, Issuance of electronic and paper documents, as well as Electronic Certification of security documents and Trust Services: Qualified Electronic Registered Delivery Service, Electronic Signature and Contracting; Electronic and Postal Notifications and Communications; Electronic Identification and Authentication and Digital Archiving”.
MAILCOMMS GROUP’S ROLE REGARDING DIRECTIVE (EU) 2022/2555
MAILTECK and CCOMMS, in their capacity as Qualified Trust Service Providers, are considered essential entities of the European digital infrastructure in accordance with Directive (EU) 2022/2555 on measures to ensure a high common level of cybersecurity throughout the Union, commonly referred to as the “NIS 2 Directive”, which entails their status as obliged entities.
For this reason, this Policy is part of the security strategy pursued by MailComms Group, with the objective of ensuring that the use of networks and information systems complies with the rights of interested parties and safeguards the highest standards of cybersecurity, taking into account the Group’s activities and structure.
MailComms Group is therefore responsible for compliance with the obligations imposed by these regulations.
MISSION and OBJECTIVES:
- Encourage ongoing improvement of client services and support.
- Continue to position MailComms Group as a benchmark in the industry.
- Implement, maintain and test our business continuity arrangements to ensure that vital information and services are available to our clients when required.
- Provide clients with the most professional equipment and with highly qualified technicians, experts in the required disciplines and accustomed to working as a team, available immediately and for as long as required.
- Provide adequate resources that are required to implement this Policy, including the necessary staff, financial resources, processes, tools and technologies.
- Provide service delivery based on our commitment to ongoing improvement of our systems, with security, cyber security and information continuity as a central pillar.
- Encourage and promote a culture of cybersecurity among all its professionals and subjects bound by this Policy, either internally or among its clients and suppliers.
- Implement an information security culture through training and awareness raising.
Our mission and objectives are achieved through:
- A system of objectives, metrics and indicators for ongoing improvement, monitoring, measurement of our internal processes and client satisfaction. Establishing and monitoring compliance with contractual requirements to ensure an efficient and safe service.
- Integrating indicators linked to the level of implementation and maturity of security measures into the ISMS metrics system.
- Continuously training and raising the awareness of our team in order to offer the highest degree of professionalism and specialisation possible.
- Maintaining our infrastructures adequately and in accordance with the requirements of our clients.
- Organisation and implementation of security processes.
- Staff management.
- Authorisation and access control.
- Security by default.
- System integrity and upgrade.
- Protection of information in storage and in transit.
- Protection against risks arising from other interconnected information systems.
- Implementing a secure product procurement management procedure.
- Complying with the requirements of current legislation, especially regarding the Protection of Personal Data: GDPR and LOPDGDD.
- Complying with the Policies and Procedures defined in our Security Documentation.
- Introducing ongoing improvement processes that enable us to make permanent progress in our Information Security management.
- Managing and developing risk treatment plans using a standards-based risk analysis and management methodology.
- Securely managing internal and external communications, as well as information stored and in transit.
- Ensuring interconnection with other information systems.
- Managing and monitoring activity with log management.
- Daily management of measures aimed at the protection and security of networks and information systems, designing robust security measures that are aligned with the needs of the variety of stakeholders, as well as with the current regulations applicable in this area, for which MailComms Group approves the specific policies and/or procedures that develop the basic principles and requirements for the security of networks and information systems established in this Policy. The objective is to identify risks and correct detected vulnerabilities, cyber threats and cybersecurity incidents in order to prevent the materialisation of incidents that compromise the business continuity of MailComms Group.
- Defining policies and procedures for security incident management.
- Ensuring business and service continuity and availability.
- Ensuring that our Assets and Services comply with ENS High Level measures for the dimensions of Confidentiality, Integrity, Availability, Authenticity and Traceability.
- Establishing, implementing and applying security procedures and/or policies in the supply chain governing relations with direct suppliers and service providers and establishing the appropriate measures and controls in order to mitigate the risks detected arising from these third parties for the security of the Group’s networks and information systems.
Moreover, these principles should be addressed in the following security areas:
- Physical: This includes the security of premises, facilities, hardware systems, media and any physical asset that processes or may process information, as well as physical access.
- Logical: Including protection aspects of applications, networks, electronic communications, computer systems and logical access.
- Corporate/policy: It consists of security aspects related to the organisation itself, internal rules, standards and legal regulations.
The ultimate goal of information security is to ensure that an organisation can meet its objectives using information systems. The following basic principles should be taken into account in security decisions:
- Organisation and implementation of security process.
- Risk analysis and management.
- Staff management.
- Professionalism.
- Authorisation and access control.
- Protection of facilities.
- Procurement of security products and contracting of security services.
- Least privilege.
- System integrity and upgrade.
- Protection of information in storage and in transit.
- Protection against risks arising from other interconnected information systems.
- Activity logging and detection of malicious code.
- Security incidents.
- Business continuity.
- Ongoing improvement of the security process.
All cybersecurity documentation developed in execution of the requirements set out in this point is managed, structured and maintained in accordance with the documented procedures that MailComms Group has developed taking into account national and international technical standards and regulations that apply in each case. A minimum retention period of 5 years has been established for the cybersecurity regulatory framework and evidence of compliance. Under the Qualified Electronic Delivery Service, the Practice Statements and the final Statement of Service will be retained for 15 years.
Security roles or duties in the ENS framework:
Information Controller: They shall determine the (security) requirements of the information processed according to the parameters of Annex I of the ENS.
- They have the ultimate responsibility for the use of the information and, therefore, for its protection. They are ultimately responsible for any error or negligence leading to an incident of confidentiality or integrity (in terms of data protection) and availability (in terms of information security).
System Manager: They determine the requirements for the services provided.
- They have the following duties:
  - Develop, operate and maintain the information system throughout its life cycle, including its specification, installation and verification of its correct operation.
  - Define the topology and management of the information system, establishing the criteria for its use and the services available in it.
  - Ensure that security measures are properly integrated into the overall security framework.
Information Security Officer: They determine decisions to meet information security and service requirements.
- The two key duties of the Security Officer are:
  - Maintain the security of the information handled and the services provided by the information systems in the area they are responsible for, in accordance with the organisation’s Information Security Policy.
  - Promote information security training and awareness within the area they are responsible for.
Service Manager: They shall determine the (security) requirements of the services provided according to the parameters of Annex I of the ENS.
- They have the power to establish the security requirements of the service. The determination of the levels in each security dimension is undertaken within the framework established in Annex I of the National Security Scheme and the assessment criteria are supported by the Security Policy.
MailComms Group’s Information Security and Privacy Committee (IPSC), with the objective of regulating and implementing information security and privacy measures and policies, as well as regulations aimed at adapting information systems to current personal data protection legislation, has the following duties, among others:
- Appoint the IPSMS Manager and approve their duties.
- Approve the start of the implementation of the IPSMS.
- Review and approve the Security and Privacy Policy.
- Approve the Information Security and Privacy System Documentation, as well as new editions or modifications.
- Monitor the implementation and operation of the Information Security and Privacy System.
- Analyse client complaints.
- Periodically assess the degree of exposure to risks affecting the Mailcomms Group’s information systems and personal data processing.
The following make up the IPSC:
- CEO.
- Head of Technology.
- Head of IT Operations.
- Head of Printing Operations.
- Head of Finance, HR and Legal.
- Head of MailComms Sales.
- Head of Technical.
- Head of Marketing.
- Head of International Market.
- Head of IPSMS.
Considering these guidelines, management confirms its firm commitment to join efforts to achieve these objectives, and ensures that this policy is understood, implemented and kept up to date at all levels of the organisation.
Structuring system security documentation
The system documentation follows the following structure:
Information in the system is classified into the following categories, as set out in the PE-SGSPI 01-ERDS Documentation Development and Control procedure:
- Public Use
- Internal Use
- Confidential
Applicable legislation on the processing of personal data
With regard to the processing of personal data, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC and the corresponding national legislation shall be taken into account.
The applicable legal and regulatory framework can be found in the RE01-PE_SGSPI18 Applicable Laws and Regulations document.
Monitoring, approval, publication and review
The IPSC shall approve the entity’s Security, Cybersecurity, Continuity and Privacy Policies, publish and/or distribute them to all its employees, as well as to third parties that may be involved in the implementation of information systems.
The IPSC manager and, for the specific policies of each service, the manager of the corresponding Service shall be responsible for publishing them or, where appropriate, communicating them, and for always keeping them available in the MailComms Group systems.
The Information Security, Cybersecurity, Continuity and Privacy Policies and service-specific policies should be reviewed at planned intervals, at least annually and whenever significant changes occur in the organisation, to ensure that their suitability, adequacy and effectiveness are maintained.
The list of Policies applicable in the framework of the ENS and IPSC-ERDS can be found in the “RE01-PE IPSC-ERDS 01 List of documents and records of the IPSC-ERDS” document.
The Policies applicable in the framework of the ERDS are:
- MailTecK Practice Statement of Electronic Registered Delivery Trust Service.
- Customer Comms Practice Statement of Electronic Registered Delivery Trust Service.
- Annex I Policy IPSC-ERDS.
1 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a common high level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive 2016/1148.
LEGAL FRAMEWORK: Royal Decree 311/2022, of 3 May, amending Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme (ENS) in the field of Electronic Administration.