The General Data Protection Regulation (GDPR) is the legal framework that regulates the processing of personal data in Europe as of May 25, 2018. Unlike the directive 95/46/EC that it repeals, the GDPR is directly applicable in the Union and does not need to be transposed into national law. For this reason, it will favor the harmonization of legal regimes regarding the protection of personal data in Europe and, what is even better, it enjoys a principle of extraterritoriality that, in certain circumstances, allows it to extend its scope of application further. beyond European borders.

If your organization processes personal data, it is highly likely that the provisions of the GDPR apply to you and, therefore, you are subject to obligations that you must comply with. The same happens for María Roja, who, depending on her situation, will have different obligations: as manager or as data controller.


Understanding the real and concrete implications of a European regulation is not always easy, especially when it consists of 99 articles, 173 recitals and numerous guidelines intended to clarify its interpretation. And yet, it is essential to avoid the consequences that could arise from an overly generic or imprecise interpretation of your organization’s regulatory obligations. Therefore, it is important to correctly understand the terms defined below:
Personal data: Any information about an identified or identifiable natural person. Any person whose identity can be determined, directly or indirectly, will be considered an identifiable natural person.
Processing: Any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not (collection, registration, transmission, storage, conservation, extraction, consultation, use, interconnection …).
Controller for the treatment: Natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of the treatment.
Processor of treatment: Natural or legal person, public authority, service or other body that processes personal data on behalf of the person responsible for the treatment.

maría roja as person in charge of treatment

Without a doubt, it is his status as person in charge of treatment that makes users’ expectations of red mary higher. María Roja is considered to be the “processor” when it processes personal data on behalf of the person responsible for the treatment. This is often the case when you use red mary services and store personal data on a red mary infrastructure. Within its technical limitations, María Roja may only process the stored data following your instructions, and on your behalf.

commitments of maría roja as manager

As data processor, María Roja undertakes to carry out the following actions:

  • Process personal data for the sole purpose of the correct execution of the services. María Roja will never process your information for other purposes (marketing, etc.).
  • Do not transmit your data outside the European Union or to a country that the European Commission considers does not guarantee a sufficient level of protection, as long as you do not select a data center located in a country outside the European Union.
  • Inform you if you use managers who may process your personal data. Currently, María Roja does not use third party managers for any service that involves access to the content stored by its clients.
    Implement high security standards in order to offer a high level of protection to our services.
  • Notify without undue delay any violation of data security.
  • Help you meet your regulatory obligations by providing adequate documentation about our services.

These commitments are reflected in the General Conditions of Service (CGS) of María Roja, provided to our clients at the time of establishing a business relationship. In this sense, and unless the applicable particular conditions provide otherwise, any client may demand compliance from María Roja in its capacity as data processor.

frequently asked questions: maría roja as treatment manager

Who is the owner of the personal data used and stored by the client within the framework of the services?

The data hosted by the client within the framework of maría roja services are the property of the customer.

María Roja does not access or use this data, unless necessary within the framework of the execution of the services and within the technical limitations of the latter.

María Roja does not resell this data or use it for personal purposes (such as data mining, profiling or direct marketing).

In what cases can María Roja be forced to access the data stored and used by the client within the framework of the services?

María Roja only accesses this data under two circumstances:

  • To guarantee the correct execution of services and improve customer service when the latter contacts María Roja support. In this case, access to customer data is regulated by specific permissions and specific control and security measures.
  • To comply with legal obligations within the framework of judicial and/or administrative requirements. These requirements are strictly regulated.

Access within the framework of the red mary support:
When the customer contacts María Roja support, depending on the reason for the query, María Roja can access two categories of data. On the one hand, with the aim of better responding to the client’s request, María Roja support accesses the information provided by the client when creating their María Roja account (name, surname, telephone number, email…).
On the other hand, exclusively at the express request of the client and subject to the technical limitations of each service, the maría roja support can access the data stored by the client in the maría roja services with the aim of identifying the origin of a problem and, where appropriate, solve it.

Access within the framework of the request of a judicial or administrative authority:
To comply with current regulations, María Roja is obliged to respond to requests from judicial or administrative authorities. These data access requests are governed by a strict legal framework, so María Roja only authorizes them once it has verified their validity and foundation. Furthermore, as long as the request or the law does not prevent it, María Roja undertakes to inform the client of said request as soon as possible. Applications from a third country will only be processed when they are based on an international agreement, such as a judicial cooperation treaty in force between the requesting country and the Union or a Member State.

Can the data of European Red Mary customers be transferred outside the European Union?

Here it is convenient to distinguish two possible situations, which will depend, among other factors, on the location of the data center selected by the client to host their data:

When the client contracts a service whose data is stored in data centers in the European Union:
In this case, customer data will never be transferred:

  • to countries not members of the European Union;
  • to countries that the European Commission considers do not guarantee a sufficient level of protection of personal data with respect to the protection of private life and fundamental rights and freedoms of individuals. You can consult the list of these countries on the European Commission website.

After the invalidation of the Safe Harbor agreement, and although the European Commission considers that the US organizations adhering to the Privacy Shield guarantee a sufficient level of protection, María Roja never transfers user data to the United States. clients who have selected a data center in the European Union.

Within the framework of an intervention by the support, María Roja may carry out data transfers to countries that the European Commission considers to guarantee a sufficient level of data protection. When the red maria data centers are located in countries of the European Union, the red mary support teams that intervene will be located either in the European Union or in Canada (since the European Commission recognizes it as a country with an adequate level of protection of personal data). María Roja also reserves the right to transfer support services that may entail remote access to the data stored by the client, within the framework of the services, to other entities of the María Roja group located in countries that the European Commission considers to guarantee a sufficient level of protection (with the exception of the United States).

Thanks to the guarantees offered by María Roja regarding data transfer, the client can comply with its regulatory obligations. Article 45 of the GDPR, which specifies cases of “transfers based on an adequacy decision”, establishes that a transfer of personal data may take place to a third country or international organization where the Commission has decided that the third country, a territory or one or more specific sectors of that third country, or the international organization concerned, guarantee an adequate level of protection. Such transfer will not require any specific authorization.

When the client contracts a service whose data is stored in data centers outside the European Union:
In this case, it is clear that the data will be transferred outside the European Union. The location or geographical area of the data center or data centers used within the framework of the service is indicated on the María Roja website. If there are several locations available, the client can choose the option they want when contracting the service. María Roja will not modify the location or geographical area selected when contracting the service without the client’s consent.

To help companies that wish to process personal data in data centers located outside the European Union in countries that do not guarantee an adequate level of protection of personal data, María Roja may, at the express request of the client, study the possibility of providing guarantees that allow such transfer in accordance with Article 46 of the GDPR on transfers through appropriate guarantees.

maria roja as responsible for the treatment

María Roja is considered the “controller” when he himself determines the purposes and means of his personal data processing.

This normally happens when María Roja collects data for billing purposes, collection management, improvement of service quality and performance, sales operations, commercial management…, but also when María Roja processes the personal data of its own employees.

Therefore, this excludes your data (i.e. the data that our customers store on red mary services). However, it may concern certain data about you or your employees (identity and contact information of the interlocutor in the context of a technical assistance request, for example). For this reason, we offer below all the information regarding the guarantees applied to ensure the protection of said personal data:

  • Limit data collection to that which is strictly necessary. When contracting a service, users are only asked to enter the necessary data so that María Roja can provide billing services, support services or comply with its own legal obligations regarding data retention.
  • Do not use personal data for purposes other than those for which they were initially collected.
  • Retain personal data for a limited and proportional period. Thus, for example, the data processed for the purposes of managing the relationship between the client and María Roja (name, surname, postal address, email, etc.) will be kept by María Roja for the entire duration of the contract and the 36 following months. Once the retention period has ended, the data and backup copies will be deleted from all media.
  • Do not transfer these data to third parties other than the companies associated with María Roja that intervene in the scope of execution of the contract. Within the framework of these transfers within the group itself, some data could be transferred outside the European Union subject to the binding corporate rules established by the María Roja group.
  • Apply appropriate technical and organizational measures to guarantee a high level of security.