Cepsa App Privacy Policy

WHO IS THE DATA CONTROLLER?

In compliance with current legislation on the protection of personal data, with special attention to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter, “GDPR”) and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, “LOPDGDD”), the User is hereby informed that the personal data will be processed, in its capacity as Data Controller of personal data, by CEPSA COMERCIAL PETRÓLEO, S.A.U. (hereinafter, “CEPSA”), with tax identification number A-80298896 and registered address: Paseo de la Castellana, 259 A, 28046-Madrid (Spain). Data Protection Delegate: dpo@cepsa.com.

WHAT DATA ARE PROCESSED, FOR WHAT PURPOSE AND ON WHAT BASIS OF LEGITIMACY?

The personal data provided by the User when accessing the Platform, as well as those provided in the future as a result of its development, will be included in a processing register owned by CEPSA for the following purposes:

1) User registration in the DoGood App

  • Purpose: To manage the creation of the User ID to access the DoGood App.
  • Type of data: Identifying and contact data (authentication via Microsoft Azure).
  • Basis of legitimacy: GDPR – art. 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party, specifically stating the need to access the application through identity federation.

2) Management of the User’s participation in the activities proposed on the Platform.

  • Purpose: To manage the participation of Users in the functionalities and activities proposed through the DoGood App;
  • Type of data: Identifying and contact data.
  • Basis of legitimacy: GDPR – art. 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or for the application of pre-contractual measures at the request of the data subject.

3) Sending transactional communications.

  • Purpose: To send emails to the User in relation to the DoGood App and the programme they are carrying out;
  • Type of data: Identifying and contact data.
  • Basis of legitimacy: GDPR – art. 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures.

4) Management of queries and incidents.

  • Purpose: To manage queries that may be made through the contact forms;
  • Type of data: Identifying and contact data.
  • Basis of legitimacy: GDPR – art. 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or for the application of pre-contractual measures at the request of the data subject.

5) Compliance with applicable regulations.

  • Purpose: Compliance with those legal obligations imposed on CEPSA in any order. This may involve, depending on the case, responding to judicial and administrative orders.
  • Type of data: Identification and contact data; Data derived from the use of the service.
  • Basis of legitimacy: GDPR – art. 6.1.c) Processing necessary for compliance with a legal obligation applicable to the data controller.

HOW LONG WILL PERSONAL DATA BE KEPT?

The personal data provided by the User will be kept for as long as the contractual relationship with DoGood is maintained, or until the User ceases to be a user of the DoGood App.

If the User exercises the rights of cancellation or deletion, their data will be kept blocked at the disposal of the Administration of Justice for the legally established periods in order to attend to possible liabilities arising from the processing of personal data.

Once any applicable legal retention period and any actions that may arise from the relationship maintained have expired, your data will be completely deleted.

WHAT IS THE ORIGIN OF THE PERSONAL DATA?

The personal data to be processed by CEPSA have been provided by the User himself/herself when filling in the fields in the DoGood App, such as name, surname, email, or in certain cases, telephone number. The User is responsible for their accuracy and updating.

In the event that, on the occasion of the User’s participation in the activities proposed on the platform, data are collected from third parties other than the User, it will be the responsibility of the User to ensure that he/she has obtained their consent.

TO WHOM ARE PERSONAL DATA COMMUNICATED? ARE THEY TRANSFERRED INTERNATIONALLY?

In compliance with the aforementioned purposes, Users’ personal data may be transferred to the following recipients depending on the legitimate basis of the communication:

  • TARGET 1: If necessary, to companies of the CEPSA GROUP that can be consulted at www.cepsa.com, for administrative purposes and management of the relationship with the User, based on CEPSA’s legitimate interest for this purpose. The legitimate interest for the aforementioned purpose of the communication would consist of guaranteeing better organisation and optimisation, as well as unified management of the resources of the business group in those cases in which, internally, it is necessary for the effective execution of the activity carried out.
  • TARGET 2: Public Administrations and the Administration of Justice.
  • TARGET 3: Where applicable, to CEPSA suppliers contracted for the purposes described above.

Within the framework of such communications, international transfers to third countries may be carried out. Such transfers will be carried out in accordance with the criteria and requirements of the regulations in force, through the adoption of appropriate legal safeguards, which may consist of the formalisation with the recipient of the data of (i) Standard Contractual Clauses approved by the European Commission to legitimise the international transfer of data to third countries or (ii) another valid legal instrument that ensures an adequate level of protection equivalent to that of the European Economic Area.

Further information on international transfers can be obtained by contacting our DPO at dpo@cepsa.com.

WHAT RIGHTS DOES THE USER HAVE?

We remind you that as a User you may exercise before CEPSA, if applicable, the rights of access, rectification or deletion, limitation of processing, opposition, portability and to oppose automated individual decisions. Users may revoke their consent in the event that they have granted it for a specific purpose, and may modify their preferences at any time.

The User may exercise his/her rights at the following e-mail address: derechos.arco@cepsa.com, or at CEPSA’s registered office at Paseo de la Castellana, nº 259A – Torre Cepsa, (28046) Madrid-Spain. The User is informed that he/she may address any type of complaint regarding the protection of personal data to the Spanish Data Protection Agency (www.aepd.es), the Spanish Supervisory Authority.