Privacy Policy


This document contains the Personal Data Processing Policy of the Exolum Group. Any doubt that may arise may be handled via the corporate mailbox:

The Exolum Group processes data pursuant to that set forth in the data protection regulations in force and, specifically, pursuant to that which is established in Regulation (EU) 2016/679 of 27 April 2016 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The Exolum Group comprises several companies that perform their activity in various countries and the data may be transferred between such companies. Said disclosure may involve the sending of your personal data to countries that do not guarantee the same level of protection as that which is safeguarded in Europe. In such cases, data will only be transferred to a third country that has been declared by the European Commission to offer an adequate level of protection or, in default thereof, with which the standard data protection clauses adopted by the Commission have been signed. The purpose of these disclosures is the internal management and administration of the group. The different entities that make up the Exolum Group can be consulted on the following link: DocumentoSociedades.pdf

Data controller.

The Exolum Group is the data controller via the specific entity that collects the data at any time. This policy affects all the companies of the group to which the GDPR is applicable.

Origin of the data subject to processing

  • Data transmitted voluntarily by data subjects to group companies.
  • Data necessary in order to maintain the relationship with the group companies or to
  • comply with the legal reporting obligations deriving from the group’s activity.
  • Data compiled by the systems of the Exolum Group and for which advance notification is provided by signage, such as the obtaining of images or recording of conversations. Both the images and the recordings may be used by the Exolum Group to perform internal audits and they may be used as evidence in legal or outofcourt proceedings.
  • Data originating in communications between group companies and their stakeholders (employees, shareholders, customers, suppliers, etc.).
  • Data relative to browsing in the group’s systems, including the IP address or information deriving from cookies or similar devices.
  • Data included in public profiles, such as those which appear in social media.
  • Data originating in public or commonly accessible filing systems or sources, regarding solvency or credit rating, debtor registers, breach of monetary obligations, etc.
  • Information available in public sources and legally accessible.
  • Data originating from third parties and transferred by the data subjects to the EXOLUM Group, provided that they have previously obtained the consent of such third parties.
  • Data provided by third parties, subsequent to the consent thereof, or when there is a legal basis for such processing.

Purpose and legal basis of the processing.

  • Processing

  • Purpose
  • Legal Basis
  • Compliance with the legal obligations deriving from the activity of the group companies in Spain.
  • Compliance with obligations deriving from the Law 34/1998, of 7 October, on the Hydrocarbons Sector and concordant regulations, as well as the legal reporting duties required by the excise regulations and the regulations regarding the transport of dangerous goods on land, applicable to group companies with the condition of taxpayer of Hydrocarbons Tax as loader/consignor, respectively.
  • Compliance with legal obligations.
  • Management of contracts inherent to the activity of EXOLUM.
  • Performance of contracts deriving from the activity of the group.
  • Performance of the contracts relative to the activity of the
  • Accounting, tax and administrative management.
  • Compliance with the obligations imposed by the legislation in force.
  • Compliance with legal obligations.
  • Submission of communications.
  • Submission of communications regarding activities, events, occurrences or simply news regarding the different entities that make up the group.
  • Legitimate interest or consent.
  • Sending of data to other group companies.
  • Internal management of the data of employees, suppliers, customers, contacts, etc.
  • Legitimate interest.
  • Management of contact details.
  • Maintenance of a database of the representatives of third parties and contact persons.
  • Legitimate interest and consent.
  • Supplier management.
  • Ensuring the quality of the service provided by the supplier, facilitating access to the facilities of the group and preventing possible liabilities vis‐à‐vis the Social Security General Treasury or those deriving from the Workers’ Statute.
  • Legitimate interest and performance of contracts with suppliers.
  • Employee and social benefit management.
  • Management of contractual relationships of an employment nature with the employees of group companies, as well as the voluntary provisions deriving from social benefits offered by the group, including voluntary training activities.
  • Performance of contracts of employment and collective bargaining agreements as well as the consent of the beneficiaries of voluntary benefits.
  • Code of conduct mailbox.
  • Management of communications sent to the Ethics Committee.
  • Consent and legitimate interest.
  • Asset security.
  • Surveillance of the facilities and assets of the group.
  • Legitimate interest.
  • Access control.
  • Control of the individuals who access the facilities of the group.
  • Legitimate interest.
  • Training.
  • Management of the training activities of group companies.
  • Consent.
  • Selection processes.
  • Management of selection processes.
  • Consent and legitimate interest at the time of sending of the curriculum vitae
    of the candidate.
  • Social media monitoring.
  • Search for false information and investigation of threats to the intellectual property of the Exolum Group.
  • Legitimate interest

Individual automated decisionmaking will not take place when this may produce legal effects concerning the data subjects.

Safeguards regarding processing

The Exolum Group processes personal data pursuant to the applicable national, European Union and international legislation, with the technical, organisational and procedural security measures necessary to safeguard their security.

Data disclosure

  • –  Owing to a legal obligation to legal organisations and administrative public authorities, such as the Tax Agency, Social Security General Treasury, State Security Forces, etc.

  • –  To verify an individual’s membership of a society, organisation, etc.

  • –  To entities that subsidise training activities, when the data subject has requested the

    training activities.

  • –  When required in order to perform the activity that forms the subject of a contract, with both customers and suppliers.

  • –  Between the companies that make up the EXOLUM Group, mentioned at the beginning of this policy, when appropriate.

  • –  When consent has been given to do so. In the case of employees, they will be communicated to the entities that manage the voluntary provisions deriving from the social benefits offered by the group, when the data subject has requested any of such benefits.

Storing of personal data.


EXOLUM will store the data for the duration of the situation that gave rise to their collection and provided that erasure has not been requested by the data subject.

After cessation of the situation that gave rise to the processing, the data will be blocked and held during the period required for any legal liabilities that may arise.

Rights in relationship with personal data.

  • Right of access: The data subject is entitled to know the information relative to the processing of personal data performed by the Exolum Group.
  • Right of rectification: The data subject may correct or modify inaccurate or incomplete data.
  • Right of erasure (o right to be forgotten): Erasure of the data may be requested in the event that processing is inappropriate.
  • Right of objection: Objection to data processing may be requested where applicable.
  • Right to restriction of processing: In the necessary conditions, restriction of processing
  • may be requested.
  • Right of portability: The data subject may request the transmission of data to another entity when appropriate.


For the exercise of his or her rights, the data subject may contact us on:, attaching a copy of his or her National Identity Card or equivalent document, or by ordinary mail at the following address: Calle Titán 13, 28045 Madrid (Spain). In all cases, the data subject must state the right that he or she wishes to exercise and the processing to which it applies.

Where the processing of personal data is based on the consent of the data subject, the consent may likewise be withdrawn at any time.

A complaint may also be presented to the data protection supervisory authority concerned.

Personal data of minors.

When data are collected from individuals under 18 years of age, their consent will always be requested. In the event of individuals of under 14 years of age, the consent will be granted with the authorisation of their parents or legal guardians.

The rights of dependent minors may be exercised at any time by evidencing the legal standing to do so.

Amendments to the data protection policy.

The Policy of the Exolum Group may be modified or updated at any time, pursuant to new requirements according to the legislation or regulations, for security reasons or in order to adapt said policy to the instructions of the data protection supervisory authorities. When significant changes occur, such changes will be communicated via the web page of the Exolum Group to offer all data subjects the possibility to review the changes and, if applicable, to accept them before they take effect.