PRIVACY AND DATA PROTECTION POLICY
The main purpose of the Privacy and Data Protection Policy of Montero Traducciones, S.L. (hereinafter, MONTERO TRADUCCIONES), with registered offices at calle de las Eras, 44, Brunete 28690 (Madrid), and Tax ID no. B83571448, is to establish the overall guidelines regarding the following objectives:
- Contribute to the harmonized interpretation and generalized, systematic and proper implementation of the provisions of the General Data Protection Regulation (hereinafter, GDPR) and other applicable laws and regulations of this subject matter.
- Ensure the rights of the owners of the data and contribute to maintaining their trust in the entity’s ability to ensure said rights in harmony with the legitimate interests of MONTERO TRADUCCIONES.
- Ensure that the risks are appropriately mitigated for the rights and freedoms of natural persons, as well as an ability to effectively respond to possible incidents or data security breaches.
2. SPECIFIC RULES
2.1. GENERAL FRAMEWORK
Economic, cultural, social and technological development entails significant risks and challenges to the privacy of citizens. In this context, and as a response to these risks, but also with the aim of ensuring a coherent regulatory framework for personal data protection throughout all of the European Union, in April 2016, the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons (General Data Protection Regulation – “GDPR”) was approved. This regulation revoked Directive 95/46/EC, and has been applicable to all Member States since 25 May 2018, although it could be supplemented on a national level through specific rules and legislation.
Personal data is essential for the development of the activity of MONTERO TRADUCCIONES, and the protection thereof becomes of vital importance to the development of its business, i.e provision of translation services to clients, in order to fulfill legal and regulatory obligations and to manage its human resources.
Personal data protection pertains to the Internal Control System of MONTERO TRADUCCIONES, and it is governed by the general principles and rules defined in this scope, adapted and adjusted in accordance with the applicable legislation and that which is defined in this policy and others that are applicable to this subject matter.
In accordance with the best international practices and the legislation and regulation in question, this Policy establishes the general principles and describes the way in which they should be understood and applied by the recipients. It is applicable to all personal data that is under the responsibility of MONTERO TRADUCCIONES, regardless of the format that the information may adopt and the stage of its life cycle, thereby fulfilling the principle of privacy by default.
2.2. APPLICABILITY AND TIMELINESS
This policy, together with the resulting corporate guidelines should be understood as an overall reference framework, subject to progress and review, being contextualized and applied according to the operating business model of MONTERO TRADUCCIONES and in compliance with the laws and regulations applicable to each case.
This policy is supplemented with the other policies and procedures in effect at MONTERO TRADUCCIONES, ensuring the proper harmonization and complementarity thereof.
3. DATA PROTECTION PRINCIPLES
In personal data processing operations, MONTERO TRADUCCIONES shall respect the following principles:
- Principle of lawfulness: personal data shall be processed to the extent that there is, at least, one of the foreseen conditions for lawful processing: (i) when the owner of the data has expressed his/her consent; when processing is necessary for (ii) performing and managing a contract, (iii) fulfilling a legal obligation, or (iv) pursuing a legitimate interest of the company or of third parties.
- Principle of good faith and purpose limitation: personal data shall be collected and processed for specific purposes communicated to the interested party and, in no case, for other purposes.
- Principle of minimization and storage limitation: only personal data that is adequate, relevant and not excessive shall be processed, and only for the time strictly necessary for their respective purposes.
- Principle of transparency: the owners of the data shall be clearly informed of the main characteristics and measures for protecting their personal data, in particular, regarding the respective purposes of processing and eventual transmission to third parties.
- Principle of need for access: only employees and collaborators whose duties so require shall have access to the personal data processed by MONTERO TRADUCCIONES.
4. PERSONAL DATA PROCESSED BY MONTERO TRADUCCIONES
The entity only proceeds to collect and process the personal data needed to provide a personalized, high quality service, in accordance with the principle of data minimisation established in the GDPR regulation.
In providing services, it proceeds to process different categories of personal data which are ultimately conditioned by the purpose and scope of the translation services required by the clients who will act as Procedure Controllers.
These data categories can only be processed in the context of the scope of the contract established with the client, thereby fulfilling the principle of the purpose of processing.
In the scope of providing services to clients, it is possible that MONTERO TRADUCCIONES processes special categories of personal data such as Procedure Processor, and based on the scope and purpose of the translation services provided.
5. PURPOSES OF THE DATA PROCESSING
MONTERO TRADUCCIONES only processes personal data for the following purposes:
5.1. PERFORMANCE OF A CONTRACT
In the scope of the services offered to clients, it is possible that personal data processing is carried out representing the figure of the Procedure Processor.
In this case, the purpose of processing is focused on the translation of provided content, duly fulfilling the instructions received from the clients as Procedure Controllers.
Likewise, processing arising from the relationsip established with the client is carried out (maintenance of the data related to client contact persons).
5.2. FULFILLMENT OF LEGAL OBLIGATIONS TO WHICH MONTERO TRADUCCIONES IS SUBJECT
The entity is subject to numerous legal and regulatory obligations, the fulfillment of which may imply the need to proceed to process personal data. This occurs, for example, in relation to:
- Fulfillment of obligations of retention, payment or declaration for tax purposes;
- Fulfillment of the current regulations on the subject of occupational risk prevention.
- Fulfillment of the current regulations on the subject of personal data protection.
5.3. LEGITIMATE INTEREST OF MONTERO TRADUCCIONES
The entity can use the client contact informtion to carry out marketing and communication actions for its own services.
Likewise, there is data processing for the following purposes:
- Improve the quality of the service (such as analysis and processing of information related to quality in the provision of services and management of possible client complaints in the context of performing translation services).
- Personal data protection and security (such as implementation of logical and physical security measures for information, such as backup, restore and disaster recovery copies and regularly assessing the implementation of security measures, monitoring the use of cooperative tools such as computer applications, e-mail service or web browsing made available to employees in their professional field).
- Physical security and video surveillance (such as implementation of physical security measures and monitoring assessments of the implementation of measures).
- Monitoring and control of the implementation of procedures needed to perform the contract or fulfill legal oblications (such as procedures for ensuring the correct operation of the internal control system).
5.4. ADDRESSING THE CONSENT GIVEN BY THE INTERESTED PARTIES
In cases where MONTERO TRADUCCIONES requires the consent of the interested party to process personal data, the proper request shall be carried out according to the foreseen purpose.
6. RECIPIENTS OF THE DATA
In order for MONTERO TRADUCCIONES to fulfill all obligations arising from the contractual relationship, it may have to share the personal data with other entities.
MONTERO TRADUCCIONES shall only share personal data with the following entities:
- Providers that offer services on behalf of MONTERO TRADUCCIONES (for example, IT services, external translation services, etc.).
- Public authorities, such as Tax Authorities and Social Security Organisms).
7. DATA STORAGE PERIODS
MONTERO TRADUCCIONES shall only process personal data for the purposes mentioned above.
Regarding the services provided to clients, data shall be stored during the time the services are provided. Afterwards, the data shall be blocked for two (2) years in order to address possible complaints arising from the provision of services.
Once said period has passed, the personal data shall be definitively removed.
8. RIGHTS OF OWNERS
The rights of owners of the data are ensured from the time the data is collected, the underlying purpose for processing being lawful, and the appropriate technical and organizational measures related to the confidentiality and integrity thereof being adopted.
MONTERO TRADUCCIONES has the means needed to address the requests made by the owners of the data when exercising their rights.
Regarding personal data processing, the owner of the data has the following rights:
8.1. RIGHT OF ACCESS
Whenever requested, the owner shall have the right to obtain confirmation regarding whether his/her personal data are processed by MONTERO TRADUCCIONES.
Likewise, he/she shall have the right to access his/her personal data, as well as obtain the following information:
- Reasons why his/her data is processed;
- Types of personal data that are processed;
- Entities to which his/her personal data can be transmitted, including entities located in countries outside the European Union or international organizations, in this case being informed of the guarantees applied to the transfer of his/her data;
- Data storage periods or, if this is not possible, the criteria for establishing said periods;
- Rights that he/she enjoys in relation to the processing of his/her personal data;
- If the personal data was not facilitated by the owner, information on the origin thereof;
- Existence of automated individual decision-making, including profiling, and, in this case, information on the underlying logic of this processing, as well as the importance and foreseen consequences thereof.
The owner of the data has the right to obtain a copy of his/her personal data that is subject to processing by MONTERO TRADUCCIONES.
8.2. RIGHT OF RECTIFICATION
Whenever the owner considers that his/her personal data is incomplete or incorrect, he/she may request rectification thereof or that they be completed.
8.3. RIGHT OF CANCELATION
The owner of the data has the right to request the cancelation his/her personal data when it is verified that any of the following situations has occurred:
- That the personal data is no longer necessary for the purpose that motivated the collection or processing thereof.
- That the consent on which the data processing is based and on which there are no other legal grounds is withdrawn;
- That there is objection to data processing and there are no prevailing legitimate interests that justify processing or that the data be processed for the purposes of direct marketing;
- That the personal data have been unlawfully processed;
- That the personal data has to be canceled under a legal obligation to which MONTERO TRADUCCIONES is subject; or
- That the personal data has been collected in the context of the services offered by the information society.
The right to cancelation shall not be applicable when processing is needed for the following purposes:
- The exercise of the freedom of expression and information;
- Fulfillment of a legal obligation that requires processing and that is applicable to MONTERO TRADUCCIONES;
- Reasons of public interest in the scope of public health;
- Archiving purposes of public interest, scientific or historical research purposes or statistical purposes, to the extent to which the exercise of the right to cancelation seriously undermines the achievement of the objectives of this processing; or
- The declaration, exercise or defense of a right in legal proceedings.
8.4. RIGHT TO RESTRICTION OF PROCESSING
The owner can request the restriction of processing of his/her personal data in the following cases:
- If the accuracy of the personal data is contested, for a period of time that allows MONTERO TRADUCCIONES to verify the accuracy thereof;
- If the processing is unlawful and the owner objects to the cancelation of his/her personal data and requests the restriction of processing instead;
- If MONTERO TRADUCCIONES no longer needs the personal data for the purposes of the processing, but it is required for the establishment, exercise or defense of a right in legal proceedings; or
- If there is objection to processing, until it is verified that the legitimate interests of MONTERO TRADUCCIONES override those of the owner.
8.5. RIGHT TO PORTABILITY
The owner has the right to receive his/her personal data in a structured, commonly used and machine-readable format.
Likewise, he/she has the right to request MONTERO TRADUCCIONES to transmit those data to another procedure controller, provided that it is technically possible.
The right to portability shall only be applied in the following cases:
- When processing is based on the express consent or on the performance of a contract; and
- When the processing in question is carried out by automated means.
8.6. RIGHT TO OBJECT
The owner has the right to object the processing of his/her personal data at any time on grounds relating to his/her particular situation, in the following cases:
- When processing is based on the legitimate interest of MONTERO TRADUCCIONES; or
- When processing is carried out for purposes other than those for which the data was collected, but which are compatible with them.
In these cases, MONTERO TRADUCCIONES shall no longer process his/her personal data, unless it has legitimate reasons to carry out this processing and that they prevail over the interests of the owner.
Likewise, the owner can object the processing of his/her data for purposes of direct marketing, including profiling related to this marketing, at any time and without justification.
8.7. RIGHT TO NOT BE SUBJECT TO AUTOMATED INDIVIDUAL DECISION-MAKING
The owner has the right to not be subject to decision-making exclusively based on automated data processing, including profiling, when said decisions produces legal effects concerning him/her or similarly significantly affects him/her.
Decision-making could be based on the automated processing of his/her data when authorized by national law or European Union law.
In cases where the data processing in question (i) is necessary for entering into or performance of a contract with MONTERO TRADUCCIONES or (ii) based on the explicit consent of the owner of the data, this owner could likewise be subject to decision-making based on the automated processing of his/her personal data. In these cases, however, the owner of the data shall have the right to:
- a. Obtain human intervention on the part of MONTERO TRADUCCIONES;
- Express his/her point of view; and
- Contest the decision taken.
Decision-making based on the automated processing of personal data shall not be based on the processing of special categories of data (such as data concerning health, genetic data or data concerning one’s racial or ethnic origin), except when the owner of the data has given his/her explicit consent for that purpose, or said processing is necessary for reasons of significant public interest, in the legally applicable terms. In these cases, MONTERO TRADUCCIONES shall take all appropriate measures to ensure the rights and freedoms, as well as the legitimate interests.
8.8. RIGHT TO WITHDRAW CONSENT
In the case that data processing is carried out based on the consent of the owner, said owner may withdraw his/her consent at any time.
In this case, his/her personal data shall no longer be processed, unless there is another ground for the processing that allows it, such as the contractual relationship or the legitimate interest of MONTERO TRADUCCIONES.
8.9. RIGHT TO FILE A COMPLAINT WITH THE SUPERVISORY AUTHORITY
The owner of the data has the right to file a complaint with the Spanish Data Protection Agency (competent supervisory authority on data protection).
8.10. EXERCISING RIGHTS
The owner of the data may exercise his/her rights free of charge through communication to the e-mail address firstname.lastname@example.org, attaching a copy of his/her Spanish ID card or passport.
MONTERO TRADUCCIONES shall address the requests for exercising rights by the owners of the data, without undue delays and without exceeding the period of response of one month.
The response to the petitions shall be facilitated by means identical to those used for the petition, provided that the use thereof is possible or that the owner does not request different means.
9. RECORDS OF PROCESSING ACTIVITIES
MONTERO TRADUCCIONES established an internal record (inventory) of the different existing processes for personal data processing and keeps it up to date.
This record contains, at least, the information requested by Article 30 of GDPR: name and contact of the procedure controller, purposes of the processing, description of the categories of owners of data, description of the categories of processed personal data, period of retention/period for the removal of the data, categories of the recipients of the data, appropriate safeguards in the cases of transfer outside of the EU and description of the technical and organizational measures in the scope of privacy.
10. DUTY OF INFORMATION AND CONSENT
MONTERO TRADUCCIONES clearly and transparently communicates to the owner of the data the types of processing carried out in relation to his/her personal data, with the details of the purposes and lawful grounds in accordance with the provisions of the GDPR. This duty of information is addressed in the following cases:
- When the personal data is facilitated by a third party, in which case the duty of information is addressed within a reasonable period after collection thereof, which does not exceed one month.
- Cuando los datos personales son facilitado por un tercero, en cuyo caso, se atiende el deber de información en un plazo razonable tras su recogida, que no excede un mes.
MONTERO TRADUCCIONES obtains consent from the owners of the personal data for the purposes and processing carried out, except for processing based on any of the following lawful grounds: legal, contractual and legitimate interest of the entity.
The entity ensures that for the current scope of natural persons to which it relates:
- It facilitates precise information related to the processing carried out.
- It obtains the proper consent, when applicable, in accordance with the provisions of GDPR.
- It defines the action strategy needed when the owner of the data does not respond to the request for consent made.
11. SAFEGUARDING AND PROTECTING PERSONAL DATA
Provided that they are not contradictory or insufficent, the existing policies and means regarding the personal data security under the power of MONTERO TRADUCCIONES shall be implemented.
11.1. ANONYMIZATION AND PSEUDONYMIZATION
In cases where MONTERO TRADUCCIONES proceeds to anonymize the data such that it is not possible to identify the owner from it; said data is no longer considered personal data and, as a result, the GDPR regulation is not applicable to it. In this way, provided that it is possible, MONTERO TRADUCCIONES proceeds to anonymize the data.
On the other hand, in cases where it is not possible to anonymize the data, MONTERO TRADUCCIONES always considers the processes of pseudonymization or encryption of personal data with the aim of mitigating the security risks that may rise from access by unauthorized third parties.
Thus, the techniques of anonymization, pseudonymization and encryption are considered by MONTERO TRADUCCIONES in the following cases:
- As part of the privacy by design strategy to ensure the protection of the owner’s data.
- As part of the risk mitigation stratey in the exchange of personal data with third parties.
- As part of the strategy to reduce the impact of a data security breach in the situations of access by unauthorized third parties.
- As part of the data minimization strategy.
11.2. PRIVACY BY DESIGN AND PRIVACY BY DEFAULT
With the aim of addressing the principle of privacy by design, MONTERO TRADUCCIONES considers the risks related to personal data protection from the very conception of the processing. Thus, it anticipates and prevents events interferring with privacy from occuring, as well as the existence of breaches of the rights of the owners.
The principle of privacy by design mitigates the possibility that the risks to privacy materialize. The purpose of this principle is not to identify solutions for security breaches, but rather to prevent them from occurring in advance.
On the other hand, the principle of privacy by default formalized by MONTERO TRADUCCIONES establishes that privacy must be an initial concern in the conception of processing, ensuring that, by default, only the processing of data strictly necessary for each specific purpose for processing is carried out.
MONTERO TRADUCCIONES has adopted the internal measures and rules necessary to ensure these principles. These rules must be implemented in the planning phase (defining the means of data collection), as well as during the life cycle associated with data processing (collection, maintenance, storage and destruction of the personal data).
In this sense, these principles are considered in the following cases:
- Design and construction of a new IT system that stores, processes and allows access to personal data.
- Creation of a policy or regulations with implications for privacy.
- Definition of a new operating process that involves personal data processing.
- Expansion of all purposes for processing set out for certain categories of data or interested parties.
Likewise, MONTERO TRADUCCIONES implements mechanisms with the aim of ensuring fulfillment of the principle of data storage. Under certain circumstances, and taking into consideration the purpose of processing, the data is immediately removed once the established purpose has ended, and provided that there is no legal obligation of storage that arises from the purpose and processing carried out.
By default, MONTERO TRADUCCIONES ensures that personal data is only accessed by people who need it given their professional competences.
Thus, in both the process for determining the means for processing data, as well as, subsequently, during the processing thereof, MONTERO TRADUCCIONES implements the appropriate technical and organizational measures, designed to effectively ensure the principles of data protection.
These measures have been defined taking into consideration:
- The most advanced techniques and tools available.
- The costs of implementation, taking into consideration the nature, scope, context and purposes of the data processing.
- The risks to the rights and freedoms of natural persons that arise from data processing.
On the other hand, and related to the efficiency of the technical and organizational measures, they must guarantee:
- The minimization of processing in relation to the amount, quality and storage periods of the data.
- The minimization of access, ensuring the implementation of the policy of least privilege.
- The pseudonymization of the data in an initial phase of the processing, provided that it is possible.
- The obtaining of guarantees regarding the principle of transparency in personal data processing.
- The implementation of mechanisms that ensure regular monitoring of the personal data processing, as well as the assessment in accordance with the principles, rights and obligations set forth in the GDPR regulation.
12. EXTERNAL SERVICE PROVIDERS (PROCESSORS)
Contracting of a provision of services that can involve access, by the provider, to personal data under the responsibility of MONTERO TRADUCCIONES.
In these cases, MONTERO TRADUCCIONES establishes safeguards so that the objective conditions under which the provider offers the service ensures the confidentiality and integrity of the personal data.
In this sense, the policies enabled for the contracting and control of the providers of affected services in data protection (procedure processors) allow for the consideration of the requirements deriving from the GDPR regulation.
MONTERO TRADUCCIONES assesses the guarantees offered by the procedure processor with regard to the principles, rights and obligations set forth in the GDPR regulation, either by the verification of codes of conduct, certification mechanisms or privacy audits carried out by independent third parties.
Without being exhaustive, MONTERO TRADUCCIONES considers adequate guarantees to be any of the following cases:
- Adherence to codes of conduct or certification of privacy management systems.
- Reports on specific privacy audits that demonstrate the implementation of good practices and the adoption of technical and organizational techniques that allow for effective fulfillment of the GDPR regulation, in particular, with reference to security in processing.
The data processing agreement between MONTERO TRADUCCIONES and the procedure controller shall include:
- The purpose of the provision of the service from which personal data processing arises.
- The duration of the provision of services.
- The nature and purpose of processing, including instructions referring to processing.
- The nature of the data that will be processesd, as well as the categories of owners of the data affected.
- The rights of MONTERO TRADUCCIONES related to the possible planning of audits to the procedure controller.
- The obligations of the procedure controller for due fulfillment of the GDPR regulation.
13. INTERNATIONAL DATA TRANSFERS
In the case of interantional transfers (outside of the European Union), provided that the European Commission has declared through an adequacy decision that the country in question located outside of the European Union ensures an equivalent level of protection for the personal data which results from the legislation of the European Union, the transfer of data shall be based on said adequacy decision.
The existing adequacy decisions can be viewed at www.eur-lex.europa.eu.
In cases where the transfer is made to countries or organizations located outside of the European Union where there is no adecuacy decision of the Commission, MONTERO TRADUCCIONES shall establish adequate guarantees to ensure the protection of their data, such as:
- The adoption of contractual clauses previously adopted or approved by the European Commission;
- The adoption of a certification process, previously approved and followed by binding commitments and with executive force by the country or organization in question.
14. PRIVACY IMPACT ASSESSMENT (PIA)
MONTERO TRADUCCIONES formalized a model for the privacy impact assessment of the different personal data processing operations that exist.
MONTERO TRADUCCIONES ensures the execution of the impact assessments on the processes of data processing that can involve a high risk to the rights and freedoms of natural persons.
These assessments are carried out with the purpose of identifying the appropriate preventative measures for mitigating the risks identified, being subject to review and regular updates.
15. DATA SECURITY BREACH
The GDPR regulation imposes rigorous control of the security incidents that arise in data protection (cases of data breach).
The process that is implemented in this scope is an integral part of the process of managing security breaches at MONTERO TRADUCCIONES.
In this sense, it is essential to identify the requirements and measures that must be adopted with the aim of communicating the security incidents in order to minimize the impact on the rights and freedoms of natural persons (material or non-material damage to natural persons, as well as the loss of control over their own data or the restriction of their rights, discrimination, identity theft, loss of confidentiality of personal data or any other significant economic or social disadvantage for the natural person in question).
MONTERO TRADUCCIONES has the obligation to notify the Supervisory Authority (Spanish Data Protection Agency) of any security incident regarding data protection (cases of data security breach) that implies a risk to the rights and freedoms of natural persons.
Likewise, MONTERO TRADUCCIONES must notify the owner of the data if the personal data security breach may imply a high risk to his/her rights and freedoms. In this regard, the entity takes into consideration the criteria defined in the GDPR regulation, as well as other legal and regulatory guidance regarding the criteria for the classification of the severity of the incident.
The personal data security breaches are recorded and documented by any person that detects a security incident. However, MONTERO TRADUCCIONES willl be the one to communicate the incident to the Supervisory Authority (Spanish Data Protection Agency), as well as to the owners of the personal data affected, in the case that this need is verified.
The period for notifying the Supervisory Authority shall not exceed 72 hours from the time when there is knowledge of the data security breach. If the notification is not transmitted within the period of 72 hours, it must be accompanied by the reasons for the delay.
This notification shall be carried out through the mechanism established by the Supervisory Authority (Spanish Data Protection Agency).
On the other hand, notification to the owners of the personal data, in the case it is possible, shall be carried out individually to each of the affected parties, through direct communication means such as e-mail, a phone call or through postal mail. This communication must be demonstrated, although the confirmation of receipt by the owners of the data is not necessary. In the case that the notification implies disproportionate effort, MONTERO TRADUCCIONES shall adopt alternative measures. In any case, the entity shall consult the Supervisory Authority (Spanish Data Protection Agency) to formalize the criteria for action.
In the case that the processing is carried out by an external provider, this provider shall notify the security incident to MONTERO TRADUCCIONES once it has knowledge of it. This obligation has been formalized in the contract for the provision of services formalized between the parties.
Regardless of whether the data security breaches are communicated to the Supervisory Authority (Spanish Data Protection Agency) and the affected parties, as appropriate, MONTERO TRADUCCIONES shall document said breaches, including the effects and corrective measures adopted.
16. AUTOMATED DECISION-MAKING AND PROFILING
The owner of the data has the right to not be subject to automated decision-making, in the case that these decisions have a significant impact concerning him/her or similarly significantly affects him/her, except if:
- It is necessary for entering into or performance of a contract betweeen the owner of the data and MONTERO TRADUCCIONES.
- It is authorized by right of the Union or of the Member State to which MONTERO TRADUCCIONES is subject, and in which appropriate measures are also provided to safeguard the rights and freedoms and the legitimate interests of the owner of the data.
- It is based on the explicit consent of the owner of the data.
The GDPR regulation does not allow the use of the special categories of personal data (sensitive data) in automated decision-making, except in cases where appropriate measures for safeguarding the rights and freedoms and the legitimate interests of the owner of the data are implemented.
MONTERO TRADUCCIONES ensures that, provided that it is necessary and applicable, it shall clearly and concisely explain to the owners of the data how profiling or the automated decision-making process works.
17. REVIEW OF THE PRIVACY AND DATA PROTECTION POLICY
This Privacy and Data Protection Policy shall be reviewed annually or whenever there are significant modifications to the applicable legislation, business strategy or information systems of MONTERO TRADUCCIONES.