Privacy Policy
The personal data you provide to us on this website by any of the means enabled for this purpose will be processed in accordance with this privacy policy.
1. IDENTITY OF THE JOINT CONTROLLERS
All the processing referred to in this privacy policy is carried out jointly by the following organisations of the Zabala Group (hereinafter the JOINT CONTROLLERS):
In accordance with Article 26 of Regulation (EU) 2016/679 of 27 April 2016 (GDPR), the joint controllers have signed an agreement regulating joint data processing, from which the following information on its essential elements is provided:
- Contact point: Although you can contact any of the companies at any time, we inform you that we have designated ZABALA INNOVATION, S.A. as the main organisation responsible for handling any queries through the following address: gdpr@zabala.es.
- Compliance with the duty to inform: The organisations have protocols for collecting information, the application and dissemination of which is the responsibility of ZABALA INNOVATION, S.A.
- Data security: The organisations have developed joint security protocols, the observance of which by each joint controller is supervised by ZABALA INNOVATION, S.A. They also have a joint security breach management procedure to ensure a coordinated response in the event of security breaches.
- Exercise of rights: The joint controllers have defined a joint procedure for the exercise of rights. They have designated ZABALA INNOVATION, S.A. as the entity responsible for handling this matter.
2. DATA PROCESSING
This privacy policy details the processing of personal data, including the legal basis in accordance with the GDPR and the specific retention period of the data. These periods will be extended by the time necessary to comply with legal obligations and address any liabilities that may arise in relation to the fulfilment of the purpose for which the data were collected. If at any time your authorisation is requested for the processing of your data for a purpose of which your consent is required, the lack of granting (or its subsequent withdrawal) will have no consequences for you.
DATA RELATING TO OUR RELATIONSHIP WITH YOU
DATA ASSOCIATED WITH REGULATORY COMPLIANCE
COOKIES
If you have accepted to receive cookies when you start visiting this website, the website’s cookie policy, accessible through the following link, will apply to you.
3. RECIPIENTS. INTERNATIONAL DATA TRANSFERS
As a general rule, unless legally required, your data will not be communicated or transferred to any third party without your prior express consent. In any case, some communications and/or transfers of data to third parties may be imposed by certain regulations or to meet obligations with Public Administrations, the Public Prosecutor’s Office, Judges and Courts, and State Security Forces and Bodies. Other communications and/or transfers will be a necessary consequence of the provision of the requested service, event management or the result of your express consent to the communication. Below, we list the purposes for which it may be necessary to communicate your data to third parties and whether these involve international data transfers:
- Website hosting: The data hosted on our website will be communicated to the company that provides us with the web hosting service.
Finally, we inform you that we use the following third-party services that involve international data transfers:
- Google Ireland Limited: Web analytics service called “Google Analytics” and advertising service “Google Ads” according to the provider’s terms and conditions, involves international data transfers outside the EU economic area, and according to the provider’s statement, they comply with the applicable legal framework through the Standard Contractual Clauses established by the European Commission.
- Microsoft: Email, data hosting, videoconferencing and advertising services (“Bing ads”). Microsoft is adhered to the “EU-U.S. Data Privacy Framework (EU-U.S. DPF)” instrument that allows international data transfers.
- LinkedIn Ireland Unlimited Company: Social network service, online advertising based on interests and talent acquisition. According to the provider’s terms and conditions, involves international data transfers outside the EU economic area, and according to the provider’s statement, it is certified for the EU-U.S. Data Privacy Framework that allows international data transfers.
- Drip Global, Inc.: Marketing service. According to the provider’s terms and conditions, involves international data transfers outside the EU economic area, and according to the provider’s statement, it is adhered to the “EU-U.S. Data Privacy Framework (EU-U.S. DPF)” instrument that allows international data transfers.
4. RIGHTS
Regarding the personal data collected for processing, you have the possibility to exercise the rights of access, rectification, deletion and portability. Likewise, in certain circumstances, you will have the right to request the limitation or opposition to the processing of your data, in which case the Joint Controllers will cease processing them and will only keep them if there is a legal obligation to do so or until the prescription of the actions that may arise.
For any query or exercise of your rights, we have designated ZABALA INNOVATION, S.A. as the contact point, which you can contact by any of the means indicated in the first section of this privacy policy. Notwithstanding the designation of the contact point, you can address your request to any of the organisations of the Zabala Group that act as joint controllers individually through any of the contact means indicated at the beginning of this data protection policy.
Finally, you can also contact the supervisory authority when you deem it appropriate to file a complaint (for example, in the country where you have your habitual residence, your place of work or where you consider the alleged infringement has occurred). For the appropriate purposes, we inform you that in Spain the Supervisory Authority is the Spanish Data Protection Agency, in France it is the Commission Nationale de l’Informatique et des Libertés, in Belgium it is the Data Protection Authority and in Portugal it is the National Data Protection Commission, and you can exercise your rights through the forms that each entity has enabled for this purpose.
5. MANDATORY OR OPTIONAL NATURE OF THE INFORMATION PROVIDED BY THE USER
Users, by ticking the corresponding boxes and entering data into the fields, on the various forms on the website, expressly, freely and unequivocally accept that their provided data is necessary to meet their request, by the provider, being voluntary the inclusion of data in the remaining fields. The user guarantees that the personal data provided to the JOINT CONTROLLERS is true and is responsible for communicating any changes to them.
Legal Department | Updated April 2025.