The Policy is intended to answer any questions you may have regarding the processing of your Personal Data as a Data Subject, although in case you need more information, you can contact: email@example.com
It is important for you to read this Policy carefully in order for you to make an informed choice when providing us with your Personal Data.
What definitions do I need to know in order to better understand the Policy?
We would like to provide you with the definition of some of the terms that you will find throughout this document:
- “Activities, Products and/or Services” – Refers to invitations to commercial, informative, sports or recreational events, promotions, contests, raffles and commercial information on energy solutions, mobility, automotive assistance, insurance, finance, leisure, travel, home, sports, gastronomy, loyalty programs, payment means and services, or telecommunications of third parties and through different channels.
- “Anonymization” – use of a set of techniques aimed at removing the ability to associate data with an identified or identifiable natural person by means of a “reasonable” effort. This “reasonableness test” must take into account both objective aspects (time, technical means) and contextual elements, which may differ from case to case (exceptional nature of a phenomenon taking into account, for example, the density of the population and the nature and volume of the data).
- “Communication of data” – means any disclosure of data to a natural or legal person, public authority, service or other body, whether or not it is a Third Party.
- “Standard Contractual Clauses” – a mechanism that makes it possible, through the signing of a contract based on the model approved by the European Commission, to regulate international transfers of Personal Data to countries outside the European Economic Area.
- “Consent” – free, unequivocal, specific and informed manifestation of will to the processing of Personal Data.
- “Cookies” – Cookies are small files or devices that are installed in the user’s browser in order to store, retrieve or update information. Through them, the editor of a website can try to know the preferences of users when browsing its website and customize the services offered based on those preferences. You can find more information in the Repsol Cookies Policy.
- “Personal Data”– any information about a natural person that identifies him/her or makes him/her identifiable (first and last name, address, telephone number, e-mail address, etc.).
- “Data Protection Officer” – data protection specialist who informs and advises the Repsol group on the processing of Personal Data and related obligations under the GDPR.
- “Recipient” – means a natural or legal person, public authority, service, or other body to whom Personal Data is disclosed, whether or not it is a Third Party.
- “Profiling” – means any form of automated processing of Personal Data consisting of using Personal Data to evaluate certain personal aspects of a natural person, to analyze or predict aspects relating to that natural person’s professional performance, financial situation, health, personal preferences, interests, reliability, behavior, location or movements.
- “Repsol group companies with commercial activity assignees of Personal Data” – those Repsol group companies included in the list of www.repsol.info/cesioncomercial, to which the assignment of customers’ Personal Data is limited.
- “Data processor” – a natural or legal person, public authority, service, or body that carries out a processing operation on behalf of a third party (the Data Controller). Sometimes it is Repsol, SA for all its subsidiaries or third-party suppliers since we have a centralized management of most of the matters related to organization and business.
- “Geolocation” – means any data processed in an electronic communications network that indicates the geographic position of a Data Subject’s terminal equipment of a publicly available electronic communications service.
- “Repsol Group” – group of companies for the purposes of Article 42 of the Commercial Code. More information at www.repsol.info/estructura
- “Data Subject” – for the purposes of this Policy, shall mean any natural person who is the owner of the processed data.
- “Binding Corporate Rules” – Personal Data protection policies undertaken by a controller or processor established in the territory of a Member State for transfers or a set of transfers of Personal Data to a controller or processor in one or more third countries, within a corporate group or a union of undertakings engaged in a joint economic activity.
- “Pseudo-anonymization” – means the processing of Personal Data in such a way that they can no longer be attributed to a Data Subject without the use of additional information, provided that such additional information is separately identified and is subject to technical and organizational measures designed to ensure that the Personal Data are not attributed to an identified or identifiable natural person.
- “Repsol” – Repsol group company that acts as Data controller.
- “Data controller” – means the natural or legal person, public authority, service or body that decides what data to process, why and how. For the purposes of this Policy, any of the companies of the Repsol group.
- “Online Services” – includes any site environment, website, channels, applications, promotions.
- “Third Party” – natural or legal person, public authority, service or body other than the Data Subject, the Controller, the Processor and the persons authorized to process the Personal Data under the direct authority of the Controller and/or the Processor.
- “International Transfers” – those cases where Personal Data is processed outside the European Economic Area (EEA).
- “Processing” – operation or set of operations performed on Personal Data or sets of Personal Data, whether or not, by automated procedures, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, communication by transmission, dissemination or any other form of enabling access, alignment or interconnection, restriction, erasure or destruction.
- “Repsol Single User” – is the user that you create when you register in the Repsol Single Registry to access the Online Services of any of the entities of the Repsol group and whose content is included in your user account in the Single Registry (“Your Account”).
How will the Personal Data be processed?
Your Personal Data will be processed in accordance with the provisions of current Personal Data protection regulations and, particularly:
(i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC – General Data Protection Regulation (hereinafter referred to as “GDPR”);
(ii) Organic Law 3/2018, of December 5, 2018, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, “LOPDGDD“);
(iii) any national legislation, of any country, that regulates the processing of Personal Data;
(iv) or any regulation that modifies, develops, or replaces the previous ones.
Who is the Data controller of the Personal Data?
In general, the Repsol Group company with which you have dealings will be the Data controller. However, there may be processing where the Data controller is another Repsol Group company, which will be indicated at all times by means of the corresponding informative clause.
Whenever we collect your Personal Data, we will inform you of the Data controller for the processing, including its identification and contact details.
Is there a Data Protection Officer?
The Data Protection Officer is a position defined by the GDPR, who assists the Data controller in Data Processing and with ensuring compliance with privacy regulations.
|Repsol Group companies in Spain that have a Data Protection Officer||Repsol Group companies in Portugal that have a Data Protection Officer|
|Repsol, S.A.||Repsol Portuguesa, LDA|
|Bios Avanzados Tratados del Mediterráneo, S.L.||Repsol Gás Portugal, Lda|
|Campsa Estaciones de Servicio, S.A.||Gespost – Gestão e Administração de Postos de Abastecimento, Unipessoal, Lda|
|Petróleos del Norte, S.A.||Repsol Directo Lda|
|Klikin Deals Spain, S.L.||Repsol Polímeros, Lda|
|Regsiti Comercializadora Regulada, SLU|
|Relkia distribuidora de electricidad, S.L.|
|Repsol Butano, S.A.|
|Repsol Comercializadora de Electricidad y Gas, SL|
|Repsol Comercial de Productos Petrolíferos, S.A.|
|Repsol Directo, S.A.|
|Repsol Electricidad y Gas, SA|
|Repsol Exploración, S.A.|
|Repsol Generación Eléctrica, SL|
|Repsol Investigaciones Petrolíferas, S.A.|
|Repsol Lubricantes y Especialidades, S.A.|
|Repsol Petróleo, S.A.|
|Repsol Química, S.A.|
|Repsol Renovables, S.L|
|Repsol Trading, S.A.|
|Servicios de Seguridad Mancomunados, S.A.|
|Solgas Distribuidora de Gas, S.L.|
|Valdesolar Hive, S.L.|
To communicate with the Data Protection Officer of the above companies, simply send an e-mail to proteccióndedatos@repsol.com, except in the case of Klikin Deals Spain, which contact details are firstname.lastname@example.org and except for the Portuguese companies which contact details are: email@example.com.
What is the Repsol Single Registry (Your Account)?
Repsol has established a single registration system to facilitate your access to all our Online Services. The Single Registry system shall allow you to access our Online Services and be requested exclusively to complete those data which are strictly necessary for the service and have not been previously submitted. This means that you shall not be requested to submit those Personal Data you may have provided for a previous service when registering in a new Online Service.
Remember that Your Account is unique for all Repsol Online Services, which means that Repsol, S.A., owner of this processing operation, has knowledge of all the Online Services in which you have registered.
What Personal Data are processed and where does it come from?
The Data controller will access and process all data that the Data Subject has provided directly throughout the Single Registry, throughout the relationship with Repsol Group or provided by third parties, as long as there is a legitimate reason for data communication. This data may fall into one of the following categories, depending on the country’s legal requirements:
|Data collected directly from the Data Subject including but not limited to:||Data generated over the course of the relationship with Repsol group companies or that provided by third parties, including but not limited to|
|Identification and contact details
Full name, National ID/Foreigner’s ID, address, telephone number, email address, signature, image/voice.
|Commercial information details
Level of risk or possible non-payment
Age, gender, nationality, marital status, profession.
|Transaction details of goods and services
Received goods and services, promotions launched by the Data controller where Data Subject participates.
|Social circumstances details
Properties, asset ownership, licenses, titles, permits, and other rights and properties of the Data Subject.
|Economic, financial, and insurance data
Account number to debit payments.
IP address or information derived from Cookies, if any, as well as those corresponding to your profiles on social networks in case you use them.
Health data, biometric data in case of access to certain facilities of Repsol Group companies.
Continuous location tracking of Data Subject
|Third party data
Identification and contact details of the Data Subject’s family members or relatives.
Information obtained from credit information systems regarding the existence of unpaid debts with other entities (amount of the installment, age, sector of the entity reporting the debt).
|Data from other Repsol Group companies
Contracts or relationships entered with other Repsol Group companies and transactions carried out.
What is the purpose of Personal Data processing and what is the lawful basis?
The Data controller will provide when colleting Personal Data which are the purposes and legitimate basis for such data processing as well as the Data Subject’s rights. Find below a description of the generic purposes for the data processing by the Data controller as well as its correlative lawful basis for the Processing duly identified:
With whom will we share the Personal Data?
As a general rule, the Data controller will not share your Personal Data with third parties.
When we identify that we will be required to communicate your Personal data to a Third Party, we will inform you at the time of collection about the identity or categories of the potential Recipients to whom we may need to communicate your Personal data. Generally speaking, we will be referring to the following Recipients:
i. Competent authorities and bodies, courts, tribunals, or any other legitimate Third Parties according to applicable regulations;
ii. Third party holders of files for the fulfillment of monetary obligations, when the client incurs in a default of payment, and the legitimizing requirements established in article 20 of the LOPDGDD are met;
iii. Third Parties that own services or products that the Data Subject voluntarily requests, (e.g., when the user wants to take advantage of an offer from another company of the Repsol group or a partner or request financing);
iv. Other Repsol group companies for profiling, and/or sending commercial communications, provided that the Data Subject has consented or there is a legitimate interest as described in the section. As mentioned above, such profiling is carried out based on the aggregate analysis and association of the information obtained by our own means or through our points of sales, our own knowledge of the market and its evolution, as well as the sales process of products or services of the Repsol Group.
The Data Subject may check the list of companies of the Repsol Group to which we will transfer the data for profiling and commercial offers above in the definitions section under Companies of the Repsol group that are assignees of the Personal Data.
Furthermore, it is also possible that Third-Party suppliers may have access to the Data Subject’s Personal Data in order to provide services to the Data controller, related to the purposes about which you are being informed (including, but not limited to, companies operating in the following sectors: technology, legal advice, marketing, multidisciplinary professional services, IT services, etc.). These suppliers will only access the Personal Data to carry out their services on behalf of the Data controller, under obligation of confidentiality and always following the Data controller’s instructions, without at any time using such data for their own purposes and/or unauthorized purposes.
Finally, and during an internal investigation, the data may be communicated to the Ethics and Conduct Committee of the Repsol Group.
Will Personal Data be subject to international transfer?
The Personal Data may be internationally transferred as a result of the Data controller’s relationship with service providers, especially technical support services and with Repsol Group companies to fulfil the purposes (e.g., purposes relating to international assignment). In any case, international data transfers will be carried out with the adequate safeguards described below and in accordance with any local legal requirements. You can request more information about data transfer and the appropriate safeguards applied by contacting the local Compliance or Legal Services divisions.
Your Personal data will not be transferred to countries located outside the European Economic Area, unless the European Commission has issued an adequacy decision stating that the recipient country provides a level of Personal data protection equivalent to that provided at the European level. This consists of a declaration by the European Commission that a non-EU country offers an adequate level of Personal data protection equivalent to that provided by European regulations, making it possible to transfer the Personal Data to a Third Party established in that country outside the EU without Repsol, as the data exporter, having to offer further guarantees or being subject to additional conditions. In other words, transfers to an “adequate” third country will be assimilated to a transmission of data within the EU. In the absence of an adequacy decision, your Personal Data may only be transferred to a third country with the provision of adequate safeguards. Such adequate safeguards include, but are not limited to:
- Binding Corporate Rules (also known as “BCR” or “Binding Corporate Rules”) in the case of corporate groups or the union of companies engaged in a joint economic activity, which enables the flow of Personal data on the basis of a self-regulation accepted and assumed by each of the signatory entities.
- Standard Contractual Clauses (also called “SCC” or “Standard Corporate Rules”) signed between the exporter of Personal Data from any of the EEA countries and a third country. It is a contractual agreement whose model has been approved and published by the European Commission and aligned with the provisions of the GDPR.
- Adherence to a code of conduct or a certification mechanism together with binding and enforceable commitments made by the recipient in relation to the implementation of appropriate safeguards for the protection of the Personal Data transferred.
- In the lack of an adequacy decision, or of the adequate safeguards detailed above, your Personal Data may exceptionally be transferred to a third country or international organization, in application of the mechanisms that may be recognized by applicable legislation.
Repsol, in order of preference, will carry out the International Transfer under the following safeguards:
|Safeguard||Criteria used by Repsol|
|Adequacy decision issued ECC||Measure included as preferred by Repsol. You can find the list of countries subject to an adequacy decision at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en|
|Binding Corporate Rules||In the absence of an Adequacy Decision, it will be the preferred safeguard measure that Repsol will request from the data importer. You can find the list of entities that have BCR here: https://edpb.europa.eu/our-work-tools/accountability-tools/bcr_en?page=1|
|Standard Contractual Clauses||As a secondary safeguard mechanism in the absence of the above, we will proceed to subscribe and/or request a copy, as appropriate, from the data importer of the signed version of the Standard Contractual Clauses aligned with the European Commission’s models.|
How long will the Data controller process Personal Data?
In general, the Data controller will process Data Subject’s Personal Data for as long as the commercial and/or contractual relationship remains in force. However, each Processing will be properly informed when the collection takes place including in a timely and specific manner the retention period, including those defined by law such as video surveillance activities or internal complaints.
At the end of this period of Processing, the Data controller will keep the Personal Data blocked for the period of limitation of criminal, civil, commercial and/or administrative liabilities of any kind.
What are the Data Subject rights?
At any time, you may exercise a series of rights regarding the processing of your Personal data. We will inform you at the time of collection of the Personal data as they may be different according to the local regulations These rights are inherent to each person and, therefore, are inalienable and are as follows as long as they are recognized in accordance with local regulation:
|Right of access
The right to access Personal data processed by the Data controller according to Article 15 of the GDPR.
|Right to rectification
The right to request that the Data controller rectify certain personal of the Data Subject according to Article 16 of the GDPR.
|Right to object
The right to object to Processing based on consent or on the existence of a legitimate interest (including, but not limited to, the sending of commercial communications), according to Article 21 of the GDPR. In cases that the Processing is based on the existence of a legitimate interest, the Data Subject will have the right to request the balancing test carried out by the Data controller. Furthermore, when the Processing is for the purposes of sending own or third-party commercial information, the Data Subject may opt-out free of charge and voluntarily to an advertising opt-out mechanism (more information can be found here: https://www.listarobinson.es/).
|Right to erasure
The right to request that the Data controller deletes all or part of the Data Subject’s Personal data according to Article 17 of the GDPR. Please note that while the commercial and/or contractual relationship that we maintain with you continues to be in force, there is a series of Personal Data that is necessary for us to process in order to comply with the contract, so while it lasts we cannot delete, block or cancel them, because otherwise it would prevent us from complying with the contract.
|Right to the limitation to the processing
The right to limit the Data Controller’s processing of your Personal data, provided that one of the conditions established in Article 18 of the GDPR are met.
|Right to data portability
The right to receive the data you have provided to the Data controller in a structured, commonly used and machine-readable format and to have it transmitted to another Data controller (or have it transferred directly to the new Data controller, where technically feasible), according to Article 20 of the GDPR.
|Right to withdraw consent
For the types of processing identified in the section on Processing based on the consent from the Data Subject, without such withdrawal of consent having a retroactive effect, according to Article 7.3 of the GDPR.
|The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or affects you significantly
The Data controller informs the Data Subject that, notwithstanding the fact that decisions are made based on automated systems, these decisions (i) either do not produce legal effects or significantly effect on the Data Subject; (ii) or are not taken exclusively in an automated manner.
These rights may be exercised by sending a communication to the address of the Data Controller or through the following address: firstname.lastname@example.org.
If you believe that we have processed your data inappropriately and in breach of Personal data processing regulations, or if you do not agree with how we attended to your wish to exercise your rights, please contact the corresponding Data Protection Officer, if the Data Controller company has one, or failing that: email@example.com. Likewise, you may, at any time, file a complaint with the relevant Supervisory Authority (in the case of Spain, the Spanish Data Protection Agency).
Please note that, given the different local regulations, there may be some of the rights described above that are not recognized by the country’s local regulations and therefore may not apply to you. This is the case of the most recently incorporated in the GDPR, such as portability or the right not to be subject to a decision based only on automated processing, for example.
What is our policy regarding the Personal Data of children under legal age?
In most cases, the Data controller will only process the data of people of legal age (18 and over). However, there may be situations, for example, during a promotional action, where data of children under legal age is processed. In this case, Consent and authorization will be requested from parents or guardians if the minor has not yet reached the legal age of consent established in the relevant local data processing regulation. If you are a child and are not sure you understand anything we explain, please ask your parents or guardians for help.
Regarding the use of social networks, we recommend that parents or guardians regularly check and supervise their children’s Internet activity. Please make sure that your children do not provide us with Personal Data without asking for your authorization and consent.
At any time, you can exercise the rights of children under under your care who are under the age of consent by proving your legitimacy as a parent or guardian.
What happens if you provide us with Third Party data?
In the event that, in the course of a relationship with us, you provide us with third-party data, please note that you are solely responsible for obtaining their prior consent to communicate their Personal Data to the Data controller for the purposes you are informed of in each case, as well as for having informed them of the content of this Policy.
You are responsible for holding all Repsol Group harmless from any liability arising from the lack of information and/or consent to the Third Party.
What happens to my Personal Data when I share any content from an Online Service with someone else?
Some of our Online Services may give you the option to share some content with others, although you should know that you will be the one to perform this action by your own means. Repsol does not send or use any Third Party recipient’s information or data to whom you may be sharing any information.
How can you cancel Your Account in the Repsol Single Registry and/or in an Online Service?
You can cancel Your Account by sending an e-mail to firstname.lastname@example.org.
Be aware that if you cancel your account, you will no longer be a Repsol Single User, so you will no longer be able to access any of the Online Services you were registered. Remember, any application for any Online Service shall require you to have Your Account, meaning to previously have obtained you Repsol Single User.
You may unsubscribe from any Online Service by following the instructions provided by us and/or specified in the applicable terms and conditions. If you unsubscribe from a particular Online Service, you will simply stop enjoying and benefitting from the use of that Online Service as stated in its particular terms and conditions. Your Account will remain in effect if any Online Service is active.
What happens when I decide to create my Repsol Account through my social media accounts with the Social Login?
In certain cases, when you decide to create Your Repsol Account you can do so without having to complete all the fields of the registration form through the so-called “Social Login” by using your registration in social networks; simply by clicking on the corresponding logo to allow the social network to provide your Personal Data linked to your profile (your name, surname, profile image, email) to Repsol for creating Your Repsol Account. In other words, during the registration process you will be redirected to a federated authentication service that checks the credentials and, if they are correct, returns the information to the requested service, in this case, Your Repsol Account space. You can find more information about how the different federated identity systems work in the following links:
How do we process your data in social networks?
We recommend that you avoid including Personal Data -yours or Third Parties’- when you interact with us on social networks. However, if you choose to include personal information, you should be aware that your Personal Data will be processed by us in accordance with this Policy.
Specifically, the data you provide us through any social network will be processed by Repsol, S.A. as Data controller, with registered office in Madrid, Calle Méndez Álvaro 44, 28045, in order to relate and interact with you in different social networks for the purpose of you knowing us better, as well as our activities and values. This channel is not the one we recommend you for filing complaints or suggestions, however, in the event you decide to use it, we shall request your consent to share your minimum Personal Data to the company of the Repsol Group you are inquiring for and have its customer services to attend your request properly.
This Policy does not apply to those data processing that may be carried out from Third Party websites even though you may access clicking on a web link from our environment.
Can we change the terms of the Policy?
What are your responsibilities?
You are responsible for regularly checking this Policy and any updates made to it. Further, if your job involves the processing of Personal Data, you are responsible for ensuring that you do so in accordance with the applicable privacy regulations and local legislation.
Last updated: June 8, 2022