Privacy Policy

DATA PROTECTION POLICY OF THE EXOLUM GROUP

 

This document contains the Personal Data Processing Policy of the Exolum Group. Any queries that may arise may be sent to the corporate mailbox: info@exolum.com.

The Exolum Group processes data pursuant to that set forth in the data protection regulations in force and, specifically, pursuant to that which is established in Regulation (EU) 2016/679 of 27 April 2016 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The Exolum Group comprises several companies that perform their activity in various countries and the data may be transferred between such companies. Said disclosure may involve the sending of your personal data to countries that do not guarantee the same level of protection as that which is safeguarded in Europe. In such cases, data will only be transferred to a third country that has been declared by the European Commission to offer an adequate level of protection or, in default thereof, with which the standard data protection clauses adopted by the Commission have been signed. The purpose of these disclosures is the internal management and administration of the group. The different entities that make up the Exolum Group can be consulted on the following link: DocumentoSociedades.pdf

Data controller

 

The Exolum Group is the data controller via the specific entity that collects the data at any time. This policy affects all the companies of the group to which the GDPR is applicable.

Origin of the data subject to processing

 

  • Data transmitted voluntarily by data subjects to group companies.
  • Data necessary in order to maintain the relationship with the group companies or to comply with the legal reporting obligations deriving from the group’s activity.
  • Data compiled by the systems of the Exolum Group and for which advance notification is provided by signage, such as the obtaining of images or recording of conversations. Both the images and the recordings may be used by the Exolum Group to perform internal audits and they may be used as evidence in legal or out‐of‐court proceedings.
  • Data originating in communications between group companies and their stakeholders (employees, shareholders, customers, suppliers, etc.).
  • Data relative to browsing in the group’s systems, including the IP address or information deriving from cookies or similar devices.
  • Data included in public profiles, such as those which appear in social media.
  • Data originating in public or commonly accessible filing systems or sources, regarding solvency or credit rating, debtor registers, breach of monetary obligations, etc.
  • Information available in public sources and legally accessible.
  • Data originating from third parties and transferred by the data subjects to the EXOLUM Group, provided that they have previously obtained the consent of such third parties.
  • Data provided by third parties, subsequent to the consent thereof, or when there is a legal basis for such processing.

 

Purpose and legal basis of the processing

| Processing | Purpose | Legal Basis |
| --- | --- | --- |
| Compliance with the legal obligations deriving from the activity of the group companies in Spain. | Compliance with obligations deriving from the Law 34/1998, of 7 October, on the Hydrocarbons Sector and concordant regulations, as well as the legal reporting duties required by the excise regulations and the regulations regarding the transport of dangerous goods on land, applicable to group companies with the condition of taxpayer of Hydrocarbons Tax as loader/consignor, respectively. | Compliance with legal obligations. |
| Management of contracts inherent to the activity of EXOLUM. | Performance of contracts deriving from the activity of the group. | Performance of the contracts relative to the activity of the group. |
| Accounting, tax and administrative management. | Compliance with the obligations imposed by the legislation in force. | Compliance with legal obligations. |
| Submission of communications. | Submission of communications regarding activities, events, occurrences or simply news regarding the different entities that make up the group. | Legitimate interest or consent. |
| Sending of data to other group companies. | Internal management of the data of employees, suppliers, customers, contacts, etc. | Legitimate interest. |
| Management of contact details. | Maintenance of a database of the representatives of third parties and contact persons. | Legitimate interest and consent. |
| Supplier management. | Ensuring the quality of the service provided by the supplier, facilitating access to the facilities of the group and preventing possible liabilities vis‐à‐vis the Social Security General Treasury or those deriving from the Workers’ Statute. | Legitimate interest and performance of contracts with suppliers. |
| Employee and social benefit management. | Management of contractual relationships of an employment nature with the employees of group companies, as well as the voluntary provisions deriving from social benefits offered by the group, including voluntary training activities. | Performance of contracts of employment and collective bargaining agreements as well as the consent of the beneficiaries of voluntary benefits. |
| Code of conduct mailbox. | Management of communications sent to the Ethics Committee. | Consent and legitimate interest. |
| Asset security. | Surveillance of the facilities and assets of the group. | Legitimate interest. |
| Access control. | Control of the individuals who access the facilities of the group. | Legitimate interest. |
| Training. | Management of the training activities of group companies. | Consent. |
| Selection processes. | Management of selection processes. | Consent and legitimate interest at the time of sending of the curriculum vitae of the candidate. |
| Social media monitoring. | Search for false information and investigation of threats to the intellectual property of the Exolum Group. | Legitimate interest. |

Individual automated decision‐making will not take place when this may produce legal effects concerning the data subjects.

Safeguards regarding processing

 

The Exolum Group processes personal data pursuant to the applicable national, European Union and international legislation, with the technical, organisational and procedural security measures necessary to safeguard their security.

Data disclosure

 

–  Owing to a legal obligation to legal organisations and administrative public authorities, such as the Tax Agency, Social Security General Treasury, State Security Forces, etc.

–  To verify an individual’s membership of a society, organisation, etc.

–  To entities that subsidise training activities, when the data subject has requested the training activities.

–  When required in order to perform the activity that forms the subject of a contract, with both customers and suppliers.

–  Between the companies that make up the EXOLUM Group, mentioned at the beginning of this policy, when appropriate.

–  When consent has been given to do so. In the case of employees, they will be communicated to the entities that manage the voluntary provisions deriving from the social benefits offered by the group, when the data subject has requested any of such benefits.

Storing of personal data

 

EXOLUM will store the data for the duration of the situation that gave rise to their collection and provided that erasure has not been requested by the data subject.

After cessation of the situation that gave rise to the processing, the data will be blocked and held during the period required for any legal liabilities that may arise.

Rights in relation to personal data

 

  • Right of access: The data subject is entitled to know the information relative to the processing of personal data performed by the Exolum Group.
  • Right of rectification: The data subject may correct or modify inaccurate or incomplete data.
  • Right of erasure (or right to be forgotten): Erasure of the data may be requested in the event that processing is inappropriate.
  • Right of objection: Objection to data processing may be requested where applicable.
  • Right to restriction of processing: In the necessary conditions, restriction of processing may be requested.
  • Right of portability: The data subject may request the transmission of data to another entity when appropriate.

 

For the exercise of his or her rights, the data subject may contact us on: info@exolum.com, attaching a copy of his or her National Identity Card or equivalent document, or by ordinary mail at the following address: Calle Titán 13, 28045 Madrid (Spain). In all cases, the data subject must state the right that he or she wishes to exercise and the processing to which it applies.

Where the processing of personal data is based on the consent of the data subject, the consent may likewise be withdrawn at any time.

A complaint may also be presented to the data protection supervisory authority concerned.

Video Surveillance

In accordance with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), as well as other applicable personal data protection laws, the data subject is hereby informed that the images captured by the video surveillance system will be processed, as the data controller, by EXOLUM CORPORATION, S.A. (hereinafter, “EXOLUM”) for the purpose of ensuring security at its facilities and detecting and investigating potential incidents. The legal basis for this processing is EXOLUM’s performance of a task carried out in the public interest in the first case, and legitimate interest in the second.

Your data will be retained for a maximum period of thirty (30) days, unless it is necessary to keep them longer to clarify a security issue or unlawful act recorded. In this regard, your data may be disclosed to law enforcement authorities as well as to judges and courts.

You are informed that you have the right, free of charge and at any time, to:

  • Obtain confirmation as to whether EXOLUM is processing personal data concerning you.
  • Access your personal data, which will require providing an up-to-date photograph to allow EXOLUM to verify your presence in its records. To avoid compromising the image of third parties, EXOLUM may provide access via a certified written statement specifying, as precisely as possible and without affecting third-party rights, the data that have been processed.
  • Request the deletion of your data, without prejudice to the exception of retaining them for thirty (30) days as previously mentioned.
  • Request the restriction of processing when (i) the data processing is unlawful and the data subject opposes the deletion of their data and instead requests the restriction of their use, and (ii) EXOLUM no longer needs the data for processing purposes, but the data subject requires them for the establishment, exercise, or defense of legal claims.

To exercise the above rights, you must send an electronic communication to EXOLUM’s Data Protection Officer at the following email address: info@exolum.com, or by regular mail to the following address: Calle Titán nº 13, 28045, Madrid. You may also file a complaint with the Spanish Data Protection Agency if you believe EXOLUM has violated your rights under the applicable regulations, via its website www.aepd.es or at the address: C/ Jorge Juan, 6, 28001 Madrid.

Amendments to the data protection policy

The Policy of the Exolum Group may be modified or updated at any time, pursuant to new requirements according to the legislation or regulations, for security reasons or in order to adapt said policy to the instructions of the data protection supervisory authorities. When significant changes occur, such changes will be communicated via the web page of the Exolum Group to offer all data subjects the possibility to review the changes and, if applicable, to accept them before they take effect.