Privacy Policy

The personal data you provide to us on this website by any of the means enabled for this purpose will be processed in accordance with this privacy policy.

1. IDENTITY OF THE JOINT CONTROLLERS

All the processing referred to in this privacy policy is carried out jointly by the following organisations of the Zabala Group (hereinafter the JOINT CONTROLLERS):

Name ID Address Email   Phone
ZABALA INNOVATION, S.A. A31419773. Paseo Santxiki, 3 bis – E- 31192 Mutilva (Navarra), gdpr@zabala.es  +34 948 198 000
ZABALA BRUSSELS SPRL, BE069279775 Rue Belliard, 20 -4ème – B-1040 Bruxelles info@zabala.eu  +32 2 5138122
GBA ZABALA conseil en innovation SAS, SIRET 818 995 649 00022 – Nº TVA FR45818995649 35 rue d’Artois – F-75008 Paris info@zabala.fr  +33 01 53 53 09 27
ZABALA INNOVATION PORTUGAL, SOCIEDADE UNIPESSOAL LDA NIPCF: 517030500 R Rua Castilho nº 39, 8º E – Lisboa (Concelho de Lisboa) contacto@zabala.pt  +34 948 198 000
Proyecta Mejora
Empresarial, S.L.
B54643770 Avd. Juan Gil Albert, nº1 (Edificio Alcoy Plaza) Planta 6, puerta 6, 03804 Alcoy (Alicante) info@proyectainnovacion.com +34 966 440 326

In accordance with Article 26 of Regulation (EU) 2016/679 of 27 April 2016 (GDPR), the joint controllers have signed an agreement regulating joint data processing, from which the following information on its essential elements is provided:

  • Contact point: Although you can contact any of the companies at any time, we inform you that we have designated ZABALA INNOVATION, S.A. as the main organisation responsible for handling any queries through the following address: gdpr@zabala.es.
  • Compliance with the duty to inform: The organisations have protocols for collecting information, the application and dissemination of which is the responsibility of ZABALA INNOVATION, S.A.
  • Data security: The organisations have developed joint security protocols, the observance of which by each joint controller is supervised by ZABALA INNOVATION, S.A. They also have a joint security breach management procedure to ensure a coordinated response in the event of security breaches.
  • Exercise of rights: The joint controllers have defined a joint procedure for the exercise of rights. They have designated ZABALA INNOVATION, S.A. as the entity responsible for handling this matter.

2. DATA PROCESSING

This privacy policy details the processing of personal data, including the legal basis in accordance with the GDPR and the specific retention period of the data. These periods will be extended by the time necessary to comply with legal obligations and address any liabilities that may arise in relation to the fulfilment of the purpose for which the data were collected. If at any time your authorisation is requested for the processing of your data for a purpose of which your consent is required, the lack of granting (or its subsequent withdrawal) will have no consequences for you.

 

DATA RELATING TO OUR RELATIONSHIP WITH YOU

Processing and purposes Data we collect about you Legal basis (GDPR) Retention period
Requests for information or queries (by any means you use, including collection at fairs, events and phone calls): We will use your data to respond to your requests for information, queries or complaints and manage what is necessary. We will also use them to prepare service or collaboration proposals.  Name, Email, Company, Telephone, Geographical location (region, country), Tracking URLs (web addresses that allow us to know how you found our website) and any other information you voluntarily share with us in the forms.  6.1.a) GDPR. The data subject has given consent to the processing. 6.1.b) GDPR Processing is necessary for the performance of pre-contractual measures at the request of the data subject.  For the time necessary to address and manage your request and/or complaint. 
Provision of services: We will use your data to manage and process the services you have contracted with our company.  Name, ID or passport, Email, Company, Telephone, Postal address, Financial information and any other data you provide to us to fulfill the purpose of the contracted services.  Art. 6.1.b) GDPR Processing is necessary for the performance of a contract to which the data subject is a party.  The duration of the relationship and/or service. 
Use of our websites, social media profiles and marketing emails: We will use the data from your visit to our websites to show you relevant content (including targeted advertising), analyse metrics and web traffic to improve our platforms and understand how you interact with us. We may also see how you interact with marketing communications to assess the quality of the content, interest and improve it.  IP address, Tracking URLs, Identifiers about the device you access from, Approximate geographical location, How you interact with the website, email or similar, and any other data through cookies, in accordance with our cookie policy Art. 6.1.a) GDPR. Explicit consent of the data subject.  Provided you do not object and the Controller is authorized to process it. 
In-person events and webinars: Manage your participation in them. In cases where your image/voice is processed during the event (if the event is held online, for example).  Name, Email, Organisation, Interests, Attendance, Participation in the webinar, Dietary preferences (in offline events), Voice, Image, Tracking URLs.  Art. 6.1.b) GDPR. Processing is necessary for the performance of a contract to which the data subject is a party. Art. 6.1.a) GDPR. Explicit consent of the data subject.  Provided the contractual relationship is in force and the Controller is authorized to process it. 
Commercial communications: We will use your data to send you commercial communications that we consider may be of interest to you. These may include information or advertising, publications or newsletters (periodic newsletter).  Name, Email, Company, Telephone, Interests, Geographical location (region, country), Any other information you voluntarily share with us in the forms, Tracking URLs, Identifiers that allow us to know how you interact with our campaigns.  Art. 6.1.a) GDPR. Explicit consent of the data subject.  As long as you do not withdraw your consent. 
Natural persons acting on behalf of legal entities: We will use your data to manage and address the representation situation.  Full name, ID or passport, Address.  Art. 6.1.f) GDPR. Legitimate interest of the Controller based on Art. 15 to 22 of the GDPR Directive Provided the contractual relationship with the represented legal entity is in force and we are authorised to process it. 

HR: Job pool and selection. When you apply for a position with the Controller or send us your CV, we will use your data to fill vacancies, collaborations, internships or scholarships. When you apply for a specific position, your application will be analysed in relation to it and, if you fit the profile, we will contact you. 

Full name, Date of birth, Address, Telephone, Email, Education and work experience, including types of contract and contribution group. Any other information you voluntarily share with us. 

Art. 6.1.a) GDPR. The data subject has given consent to the processing. Art. 6.1.b) GDPR. Processing is necessary for the performance of pre-contractual measures at the request of the data subject. 

Two years, in the case of the job pool, in the case of selection processes, the time it takes and an additional period until the extinction of any liability or obligation of the Controller. 

 

DATA ASSOCIATED WITH REGULATORY COMPLIANCE

Processing and purposes Data we collect about you Legal basis (GDPR) Retention period
Attention to the exercise of the rights of the data subjects: In the event that, as a data subject, you exercise any of the rights you have in relation to your personal data, we will use the data you provide to us to evaluate your request and address it.  Name, Email, Address and any other data necessary to prove your identity.  Art. 6.1.c) GDPR. Compliance with a legal obligation applicable to the Controller based on articles 15 to 22 of the GDPR. As long as necessary to address the exercise of rights communicated to the Controller. 
Information systems (whistleblowing channels): Manage the procedure referred to in directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, regulating the protection of persons who report regulatory infringements and the fight against corruption as well as the register of information received and the internal investigations to which they have given rise.  We do not collect data, but if you voluntarily decide to provide us with personal information: – Name – Telephone – Voice –  
Any other information you voluntarily communicate to us. 
Art. 6.1.c) GDPR. Legal obligation (Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, regulating the protection of persons who report regulatory infringements and the fight against corruption).   They will be kept for as long as necessary to fulfil the purpose for which they were collected and to determine any liabilities that may arise from that purpose and the processing of the data. 

 

COOKIES

If you have accepted to receive cookies when you start visiting this website, the website’s cookie policy, accessible through the following link, will apply to you.

 

3. RECIPIENTS. INTERNATIONAL DATA TRANSFERS

As a general rule, unless legally required, your data will not be communicated or transferred to any third party without your prior express consent. In any case, some communications and/or transfers of data to third parties may be imposed by certain regulations or to meet obligations with Public Administrations, the Public Prosecutor’s Office, Judges and Courts, and State Security Forces and Bodies. Other communications and/or transfers will be a necessary consequence of the provision of the requested service, event management or the result of your express consent to the communication. Below, we list the purposes for which it may be necessary to communicate your data to third parties and whether these involve international data transfers:

  • Website hosting: The data hosted on our website will be communicated to the company that provides us with the web hosting service.

Finally, we inform you that we use the following third-party services that involve international data transfers:

  • Google Ireland Limited: Web analytics service called “Google Analytics” and advertising service “Google Ads” according to the provider’s terms and conditions, involves international data transfers outside the EU economic area, and according to the provider’s statement, they comply with the applicable legal framework through the Standard Contractual Clauses established by the European Commission.
  • Microsoft: Email, data hosting, videoconferencing and advertising services (“Bing ads”). Microsoft is adhered to the “EU-U.S. Data Privacy Framework (EU-U.S. DPF)” instrument that allows international data transfers.
  • LinkedIn Ireland Unlimited Company: Social network service, online advertising based on interests and talent acquisition. According to the provider’s terms and conditions, involves international data transfers outside the EU economic area, and according to the provider’s statement, it is certified for the EU-U.S. Data Privacy Framework that allows international data transfers.
  • Drip Global, Inc.: Marketing service. According to the provider’s terms and conditions, involves international data transfers outside the EU economic area, and according to the provider’s statement, it is adhered to the “EU-U.S. Data Privacy Framework (EU-U.S. DPF)” instrument that allows international data transfers.

4. RIGHTS

Regarding the personal data collected for processing, you have the possibility to exercise the rights of access, rectification, deletion and portability. Likewise, in certain circumstances, you will have the right to request the limitation or opposition to the processing of your data, in which case the Joint Controllers will cease processing them and will only keep them if there is a legal obligation to do so or until the prescription of the actions that may arise.

For any query or exercise of your rights, we have designated ZABALA INNOVATION, S.A. as the contact point, which you can contact by any of the means indicated in the first section of this privacy policy. Notwithstanding the designation of the contact point, you can address your request to any of the organisations of the Zabala Group that act as joint controllers individually through any of the contact means indicated at the beginning of this data protection policy.

Finally, you can also contact the supervisory authority when you deem it appropriate to file a complaint (for example, in the country where you have your habitual residence, your place of work or where you consider the alleged infringement has occurred). For the appropriate purposes, we inform you that in Spain the Supervisory Authority is the Spanish Data Protection Agency, in France it is the Commission Nationale de l’Informatique et des Libertés, in Belgium it is the Data Protection Authority and in Portugal it is the National Data Protection Commission, and you can exercise your rights through the forms that each entity has enabled for this purpose.

 

5. MANDATORY OR OPTIONAL NATURE OF THE INFORMATION PROVIDED BY THE USER

Users, by ticking the corresponding boxes and entering data into the fields, on the various forms on the website, expressly, freely and unequivocally accept that their provided data is necessary to meet their request, by the provider, being voluntary the inclusion of data in the remaining fields. The user guarantees that the personal data provided to the JOINT CONTROLLERS is true and is responsible for communicating any changes to them.

Legal Department | Updated April 2025.