Furthermore, we hereby inform you that your data will be processed in accordance with current personal data protection legislation, in particular Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
You must read this Policy carefully, as it contains the information you need to make an informed choice about providing us with your personal data.
This Policy applies to the processing of all the personal data you provide as a result of your participation in Fundación Repsol's programmes or activities.
This Policy may be supplemented by additional local regulations if the country where you are located requires that these measures be taken. This Policy does not apply to third-party websites, including those that you may access via a link on the Fundación Repsol website.
We hope that you find this information useful. However, if you have any additional questions, please do not hesitate to contact us.
What definitions do I need to know to understand the Policy better?
Firstly, here are the definitions for some terms that you will find in this document:
“Personal data"- this refers to any information that identifies natural persons or makes them identifiable (i.e. that makes it possible to identify them in some way).
“User” or “data subject”- unless you provide us with third party data, you, as the holder of the data, are understood to be the user or data subject.
“Data controller”- the natural or legal person, public authority, service, or organisation that, alone or jointly, determines the purpose and means of processing.
“Data processor”- the natural or legal person, public authority, service, or organisation that processes the data on behalf of the data controller.
“Third party”- any other natural or legal person, public authority, service or organisation; apart from the data subject, data controller, data processor, or other person authorized to process personal data under the direct authority of the controller or processor.
“Recipient”- the natural or legal person, public authority, service, or other organisation that receives the personal data, regardless of whether they are a third party.
“Consent”- any demonstration of free, unequivocal, specific, and informed consent to the processing of your data; whether through a statement or a clear affirmative action.
"Personal data processing"- any operation or series of operations carried out on personal data or personal data sets — whether with automatised procedures or not — such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, disclosure by transfer, dissemination or any othermeans of enabling access, collation or interconnection, limitation, deletion, or destruction.
“Transfer” or “Communication of data”- all disclosure of data to a natural or legal person, public authority, service, or other organisation, regardless of whether they are a third party.
“Fundación”- a shorter way to refer to Fundación Repsol, who is the Data controller in all cases.
1. Does Fundación Repsol have a Data Protection Officer?
Fundación Repsol does not have a Data Protection Officer. This is not a legal requirement as the data is not processed for commercial purposes and is limited to what is strictly necessary for the purposes and objectives contained in its Articles of Association.
However, in case you have doubts about the processing of your personal data, you can contact us to resolve them by means of an email to the following address: firstname.lastname@example.org
2. Who is the data controller?
Every time we collect your personal data, we will inform you of why we collect data, for what purpose they will be used, the lawful basis for processing, your rights, and contact details.
3. ¿Qué datos personales tratamos y cómo los obtenemos?
The personal data we process includes, but is not limited to, the following:
- data that you provide voluntarily,
- data resulting from access to or use of a service, or your relationship with Fundación Repsol. This may include your image when you have been informed that you may be photographed,
- data resulting from your communications with us,
- your image when processing video surveillance footage, or if you are involved in an event that has a high public impact. In this case, you will be informed that you may be recorded,
- data that we may lawfully infer from the data we process,
- data obtained from your use of our website, including your IP address or other data collected through cookies or other similar technologies (find more information in the Cookies Policy on our website),
- data on your Social Media profiles,
- data that we could lawfully access as it is available from a publicly accessible source,
- third-party data that you provide, with their prior consent,
- data provided by third parties with your prior consent, or when there is a lawful basis.
4. For what purposes do we process your personal data, and which lawful basis applies in each case?
1. Managing application requests for all Fundación Repsol programmes
You must register to participate in our programmes. To this end, we ask you to provide only the data that is strictly necessary depending on the programme. We process this data in accordance with the information we provide when you register. If you would like to be reminded of this information, please consult our Policy or get into contact with us.
Your request and the consent provided by registering is the lawful basis for processing.
2. Managing your relationship with Fundación Repsol
The main purpose for which we process your personal data is to manage your relationship with us as an intern, volunteer, project participant (including the Entrepreneurs Fund), user, or data subject with a link to Fundación Repsol. It may also be processed to respond to any complaints, questions, or suggestions that you submit.
The actions required to manage our relationship constitute the lawful basis which enables us to process data.
3. Managing the volunteering programme
If you want to register for one of our volunteering programs, we will process your data to manage your participation, provide you with the training you need, and allow you to participate in volunteering activities. As an entity that organises volunteering activities, we are legally obliged to perform a criminal record check. Therefore, we may ask you for documents regarding this matter. We will only process this data to fulfil our legal obligations.
Furthermore, you may sometimes be allowed to bring a guest to the volunteering activities. Remember that you must obtain your guest's consent before providing us with their data.
The lawful basis for processing for this purpose is the execution of the volunteering activities for which you register.
4. Fulfilling our accounting, legal, administrative and tax-related obligations
Fundación Repsol is obliged to comply with the applicable regulations in accounting, legal, administrative, and tax-related matters. We will process your data to the extent necessary to fulfil our legal obligations.
The lawful basis in this case is compliance with legal obligations.
5. Managing user services
You will have access to our contact details regardless of the nature of your relationship with us; this includes our postal address, telephone, and/or email address should you wish to address any suggestions, complaints, or questions to us.
If you get in touch with our user/volunteer service through any of the available means and channels, your data will be processed to deal with your enquiry.
6. Analysing your browsing history
Your consent serves as the lawful basis in this case.
7. Gathering information from your Social Media profiles
Fundación Repsol processes the data you share with us through your Social Media profiles. For more information on this subject, go to the “How do we process your data on Social Media?” section.
8. Organising and managing draws, contests, and events
In these cases, any data subject who wishes to participate will voluntarily register by filling out the forms Fundación Repsol provides for this purpose. The data subject’s personal data will be processed to manage their participation, delivery of the prize, and, where applicable, any advertising that is related to these activities.
In this case, data will only be processed if the data subject has consented, demonstrated through their participation; for the management of their participation.
9. Managing contact details within the context of contracts, or sending non-commercial information or invitations to events
Fundación Repsol can process third-party contact information or that of representatives with whom we maintain a contractual relationship with, for the sole purpose of managing the aforementioned contractual relationship.
In this case, contract performance is the lawful basis for processing.
In addition to this, Fundación Repsol can process the contact details of potential clients, legal entities, institutional representatives, government body representatives, journalists, analysts, or investors who willingly transfer their data to us, with the purpose of providing said persons with non-commercial information and to invite them to Fundación Repsol events.
In this case, the data subject’s consent, which is expressed upon providing the contact details, serves as the lawful basis for processing.
10. Avoiding liability with the Spanish General Social Security Treasury and ensure the quality of the services rendered by providers
Fundación Repsol may process the personal data of provider employees which the provider, or the employee him/herself, has disclosed to Repsol. The purpose of this processing is to ensure the quality of the service rendered by the provider, provide access to Repsol Group facilities, and avoid possible liability with the General Social Security Treasury as a result of a provider's failure to meet their obligations in this regard within the context of articles 42 and 43 of the Spanish Worker’s Statute.
Our legitimate interest in controlling our relationships with our providers and all associated liabilities is the lawful basis for processing in this case.
11. Fundación Repsol Compliance Channel
Fundación Repsol has a compliance channel that can be accessed by any member of the public. It is used to deal with and manage enquiries and/or messages to guarantee compliance with our Code of Good Governance. It also allows Fundación Repsol to analyse and adopt the necessary actions to investigate and prosecute any crimes that take place within the framework of a relationship with Fundación Repsol. This channel ensures that the data provided by the person reporting the incident is kept confidential.
The subject data’s consent, provided upon reporting the incident, together with Repsol’s legitimate interest in prosecuting criminal offences which may affect it, is the lawful basis to process data in this case.
12. Security at Fundación Repsol facilities
Fundación Repsol has video surveillance cameras to ensure the security of its facilities.
The lawful basis for processing is Fundación Repsol's lawful interest in preventing or investigating, where appropriate, incidents that occur at their facilities.
Fundación Repsol may also process personal data of people who are invited or sign up to an event that is organized or sponsored by Fundación Repsol. Fundación Repsol may take photos to publicize events that take place. Subjects will be informed of this fact, as the case may be, so that they may decline the opportunity to attend the event or exercise their rights.
In this case, the consent of the data subject is the lawful basis for processing.
If you contact us to express your interest in joining the Fundación Repsol team, we will process your data and all the documents you send to assess your profile and take you into consideration to fill job vacancies in a possible hiring process.
5. How do we process your personal data?
We commit to processing your data in accordance with the applicable regulations and, in particular, using the appropriate organizational and technical measures to guarantee an appropriate level of security, ensuring the confidentiality, integrity, availability, and resilience of processing services and systems at all times.
6. Who will your data be shared with?
If we plan to lawfully transfer or communicate your personal data, we will inform you of the identity or category of recipient when collecting your data. These may include:
- Third parties to whom we are legally obliged to transfer your data, for example Social Security or administrative and tax authorities.
- Third parties with whom we must share your data to confirm that you belong to a certain group to enable you to participate (for example, the More Than Words programme).
- Third parties to whom we are obliged to provide your data, to fulfil the basic purpose of the relationship.
Lastly, we inform you that we maintain relationships with providers of certain services. When providing these services, the providers may access your data. They will handle this data as Data Processors, with the same guarantees that we apply when processing your data.
Fundación Repsol only processes personal data within the European Union, and if it were to be taken outside the European Union to be accessed by our data processors, we would inform you of this through this Policy.
7. How long do we save your personal data for?
In each case, we will inform you of the period of time necessary to meet our obligations, both with you and the corresponding authorities. In any case, the personal data you provide will be stored for the duration of your relationship with Fundación Repsol, or until you request your data be deleted. Subsequently, when appropriate we may store your data until the statute of limitations for criminal, civil, commercial, and/or administrative liability has passed.
8. What are your rights when you provide us with your data?
You may execute a series of rights concerning the processing of your personal data at any time. Every person has these rights and, consequently, they are unwaivable. Below, we will describe and explain each of these rights:
- Right of access. By exercising this right, you can find out about how we process your personal data.
- Right to rectification You may correct or modify your data if they are inexact or incomplete, in order to ensure that we have the correct details.
- Right to erasure (or 'right to be forgotten') You may request that your data be deleted in one of the established cases. For example, unlawful data processing, or when the initial purpose for processing or collection no longer exists. However, there are also series of exceptions to which this right does not apply. For example, when the right to freedom of expression and information must prevail.
- Right to object Through this right, you may oppose the processing of your personal data: (i) when, for reasons related to your personal circumstances, your data must no longer be processed, except for when there is an accredited legitimate interest or it is necessary for the exercise or defence of legal claims, or (ii) when processing is carried out for direct marketing purposes.
- Right to restriction of processing. You may request that we restrict the processing of your personal data (i) while we are investigating the accuracy of data, when this accuracy has been contested (ii) when this processing is unlawful but you are opposed to your data being erased and, instead, request this limitation (iii) when you need your data for the exercise or defence of a legal claim (iv) and even when you have opposed the processing of your personal data to fulfil a mission of public interest or to satisfy a lawful interest, which must be checked. In these cases, we will only conserve data for the exercise or defence of legal claims.
- Right to data portability You can request the portability of your data in electronic format, as well as request they be transferred to another entity.
To exercise these rights, you can contact Fundación Repsol at the address email@example.com, attaching a copy of your DNI or equivalent national identity document and indicating the corresponding processing.
Furthermore, you can withdraw your consent at any time, without this affecting the lawfulness of any processing already carried out. A request to this effect should be sent to the address indicated in the previous paragraph. In this case, it is also necessary to send a copy of your DNI or equivalent national identity document.
Should you believe that your data has been processed improperly and not in compliance with personal data protection regulations, or should you believe that we have not acted accordingly when exercising your rights, you may contact the control authority. In Spain, this is the AGPD, or Spanish Data Protection Agency.
9. What is our policy concerning the personal data of minors?
In most cases, Fundación Repsol only processes the data of people over 18 years of age. Nevertheless, the case may arise in which the personal data of minors is used during a promotional activity, programme or event, in which case the consent and authorization of the parents or guardians will be requested if the minor is under the age of 14. If you are a minor and unsure whether you fully understand this explanation, you should ask for assistance from your parents or guardians.
Regarding Social Media, we recommend that parents and guardians regularly check and supervise their children's activity on the internet. Please make sure that your children do not give out their personal data without your authorization and consent.
You can exercise the rights of persons under 14 years of age at any time by certifying your legitimate right to do so.
10. What happens if you provide us with the data of a third party?
Should at any time, as part of your relationship with us, you facilitate third party data, we remind you that you are solely responsible for having obtained their prior consent to communicate their data to Fundación Repsol for the objective which you may be made aware of in each case, in addition to having informed said party of the existence and the content of this Policy.
You are responsible for holding Fundación Repsol harmless for any liability derived from the lack of information and/or consent from or to the third party.
11. How do we process your data on Social Media?
We recommend that you avoid including personal data — be it yours or that of third parties — when interacting with our Social Media accounts. However, you must be aware that, should you decide to include any personal information, it will be processed in accordance with this Policy.
Specifically, the data provided though any Social Network will be processed to engage and interact with you on various Social Media sites, in order to give you a better understanding of us, our activities, and our values. This is not the proper channel for communicating your complaints or suggestions, but should you use Social Networks to send us any kind of request, claim, suggestion, or complaint related to any of our programmes or activities, we will analyse the communication and send you a response.
12. Can we change the terms of the Policy?
We can modify this Policy at any time, and we will always inform you of any significant changes by sending the corresponding notification. In any event, changes will not apply retroactively and will enter into force on the date they are published. We recommend that you check the Policy regularly.
13. What are your responsibilities?
You are responsible for each piece of data that you provide and its veracity, inaccuracy, validity, and authenticity, as well as updating said data and your consent for its use and processing. You are likewise responsible for any third-party data that you provide and for which you must obtain consent. Do not forget that you are responsible for regularly consulting this Policy, as well as any future updates thereto.