The aim of the Policy is to clear up any doubts you may have regarding the processing of your personal data as a data subject, although if you need more information on this matter, you are welcome to get in touch with us at the following address: firstname.lastname@example.org
It is important that you read this Policy as it will give you the information you need to make an informed decision when providing us with your personal data.
Definitions to better understand the Policy
Here are the definitions of some of the terms that you will find throughout this document:
“Activities”: social action, volunteering, educational and entrepreneurial programs, as well we actions and events aimed at spreading knowledge.
“Anonymization”: the use of a set of techniques aimed at removing personally identifiable information from data sets using “reasonable” means. This “reasonableness” test must consider both the objective aspects (time, technical resources) and the contextual elements that depend on each specific case (circumstantial factors, bearing in mind, for example, the population density and the nature and volume of the data).
“Communication of data”: disclosure of data to a natural or legal person, public authority, agency, or other body, whether or not they are a Third Party.
“Standard Contractual Clauses”: a mechanism for regulating the international transfer of personal data to countries outside of the European Economic Area by signing a contract based on a model that has been approved by the European Commission.
“Consent”: any freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of their personal data.
“Cookies”: small text files that websites place on the user’s device as you are browsing to store, retrieve or update information. They are used by website editors to better understand user preferences while browsing their website and to personalize the services offered based on those preferences. You can find more information on this in the Repsol Foundation Cookies Policy here:https://www.fundacionrepsol.com/en/cookies-policy
“Personal data”: any information relating to an identified or identifiable natural person (name and surname, address, phone number, email address, etc.)
“Recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a Third Party or not.
“Profiling”: any kind of automated processing of personal data consisting of using personal data to determine certain personal aspects of a natural person, particularly to analyze or predict aspects relating to their professional performance, financial situation, health, personal preferences, interests, reliability, behavior, location or the movements of that person.
“Data processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of a third party (the Controller).
“Data Subject”: for the purposes of this Policy, this refers to any natural person to whom the data being processed pertains.
“Binding Corporate Rules”: the data protection policies adhered to by a data controller or a data processor established in the EU for transfers or a set of transfers of personal data to a data controller or data processor outside the EU within a group of undertakings or enterprises engaged in a joint economic activity.
“Pseudoanonymization”: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual.
“Data Controller”: a natural or legal person, public authority, agency or other body which decides what data to process, how, and why. For the purposes of this Policy, the Repsol Foundation.
“Third Party”: a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process personal data.
“International Transfers”: cases in which personal data are transferred outside of the European Economic Area.
“Processing”: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
How will the Personal Data be processed?
Your personal data will be processed in accordance with the provisions of current privacy regulations. In particular, and without limitation, this includes:
(i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC - General Data Protection Regulation (hereinafter, “GDPR”);
(ii) Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, “LOPDGDD”);
(iii) any national regulation, of any country, that regulates the Processing of personal data;
(iv) or any regulation that modifies, develops, or replaces the aforementioned.
Who is the Data Controller or the person responsible for the Personal Data?
The Data Controller is Repsol Foundation, with registered address at, calle Méndez Álvaro, 44, 28045, Madrid (Spain).
What personal data is subject to Processing and where does it come from?
The Data Controller will access and process any data that the Data Subject may have provided them with directly, or those provided by third parties, as long as there is a legal basis for the communication of such data. This data may correspond to any of the following categories:
- Identification and contact details (full name, national ID/foreigner’s ID, address, telephone number, email address, signature, image/voice.)
- Personal details (age, gender, nationality, marital status, profession, relationship with the volunteer (in the case of volunteers).)
- Academic and professional data (academic record, position, organization.)
- Economic, financial, and insurance details (bank details, income in the case of potential grand beneficiaries.)
- Special data (criminal record (in the case of volunteering that, given its nature, so requires this), disability level, health information.)
- Browsing details (IP address or information from cookies or similar devices, where applicable, as well as information on their social media if used as part of the Data Subject’s relationship with us.)
- Third-party data (identification and contact details of the Data Subject’s family members or next of kin.)
What is the purpose of the personal data processing and what is the legal basis for said processing?
The Data Controller will state the purposes and lawful bases when collecting the personal data, as well as stating the Data Subject’s rights in this regard. The general purposes for which the Data Controller will process the data of the Data Subjects are as follows: For each of them, the legal basis for the Processing is identified:
1. Processing based on the execution of the contract
Certain Processing is necessary for the execution and development of the contractual relationship. Without the processing of your Personal Data for said purposes, said contractual relationship would be impossible because the latter is inherent to said processing.
|Managing the contractual relationship|
To enter into, oversee and maintain the contractual relationship, to manage the signing of documents even via electronic signature platforms, including the issuing of electronic signature certificates, and managing complaints, requests, suggestions and providing support in the event of incidents.
Managing identifiable of the volunteers for them to be able to take part in different activities, as well as providing them with the required training, and in general, making the volunteering activity possible. When organizing volunteering activities, a criminal record certificate may be required in order to meet our legal obligations.
Managing identifiable data of participants in educational programs in order to manage their registration on the Zinkers educational platform and promote educational activities aimed at fostering learning.
|Actions and events aimed at spreading knowledge|
Managing identifiable data in order to manage the registration and participation of the data subject in the different events organized by the Open Room community.
|Managing images and videos for sharing information about the programs|
Managing images of students, teachers and/or assistants either via photos or videos, by first requesting their consent and the transfer of rights, in order to spread awareness about Repsol Foundation programs.
|Entrepreneurs Fund Acceleration Program|
Managing identifiable data of different parties in order to manage the participation of startups that provide technological solutions to take on the challenges of the energy transition as part of the acceleration programs.
Assessing candidates and managing participation in Repsol Foundation scholarship programs.
|Managing applications to participate in Repsol Foundation selection processes|
2. Processing based on legal compliance
Certain processing is necessary so that the Data Controller may comply with the applicable legal obligations, which may be of various kinds. Due to different national and international regulations, the Data Controller is required to process certain data, and would be failing to meet its responsibilities if said processing were not to occur.
|Complying with accounting, legal, tax and administrative obligations|
To comply with legal obligations corresponding to the Data Controller, including attending to the rights of the Data Subject through the application of personal data processing regulations.
|Managing the complaints channel and the compliance mailbox|
Processing data from the complaints channel / compliance mailbox, in the case of ex-employees and/or volunteers.
|Prevention of money laundering|
Collecting data relating to the prevention of money laundering (beneficial ownership certificates, powers of attorney, etc.).
|Criminal record certificate|
A criminal record certificate and/or a certificate of sexual offences is requested when legally required for the volunteering activity.
3. Processing based on public interest
This kind of Processing is required to fulfil a mission of public interest on the basis of Union or Member State law. Specifically, this Processing is aimed at guaranteeing security and preventing illicit acts.
|Video surveillance and security|
Image capture using security cameras for the purposes of securing the facilities and other security measures (smoke detection).
|Public interest as provided for in the LOPDGDD.|
To manage reports or internal investigations due to a breach by the Data Subject of internal regulations or of the Code of Ethics and Business Conduct, which requires a report to be drawn up and consultation with the relevant areas.
|Public interest as provided for in the LOPDGDD.|
4. Processing based on the legitimate interest of the Data Controller
Certain types of Processing are required to fulfil the legitimate interest of the Data Controller or of third parties. In such Processing, the Data Controller has conducted a balancing test and analyzed how it affects the privacy of the Data Subject and concluded that the Processing is necessary and proportionate to the purpose, without entering into conflict with the rights of the Data Subjects, and, therefore, is deemed compatible. The Data Subject has the right, at all times, to object to said Processing, and to request information from the Data Controller on the balancing test conducted.
To check the quality of Repsol Foundation programs.
|The Data Controller’s legitimate interest in knowing whether or not the programs run by Repsol Foundation are in line with participation conditions and if they have been carried out in accordance with the established procedures.|
|Managing institutional relations / journalists / education|
To identify those representing the collaborator or the person acting as a professional contact.
|The legitimate interest of the Data Controller regarding the processing in accordance with article 19 of the LOPDGDD.|
|Anonymization / pseudoanonymization processes for statistical purposes|
To process information by applying anonymization or pseudoanonymization techniques to data for statistical purposes in order to share the conclusions reached.
|The legitimate interest of the Data Controller in conducting internal analyses and studies for statistical purposes so that the Repsol Foundation may adapt its activity to the demands of those who take part in its programs.|
|Sending non-commercial communications|
Sending information about Repsol Foundation events and programs.
|The Data Controller’s legitimate interest in keeping you informed about Repsol Foundation events and programs.|
|Third-party due diligence processes|
To conduct due diligence processes that the Repsol Foundation implements with regard to its relations with third parties.
|The Data Controller’s legitimate interest in preventing fraudulent acts and risks when contracting third parties.|
|Actions to oversee website browsing|
Supervising the activity for security and auditing purposes in the event that there are reasonable suspicions of fraudulent, disloyal or illegal acts being carried out, or of work-related breaches that justify said access, always in accordance with current legal requirements and with the principle of proportionality, in line with the procedure created for that purpose.
|The Repsol Foundation’s legitimate interest in preventing possible security breaches on the network and IT systems, and potentially fraudulent, disloyal or illegal activities.|
5. Processing based on the Data Subject’s consent
Furthermore, we wish to process the Data Subject’s data for other purposes that require Consent, as the legal basis for processing. Nevertheless, the Data Subject may withdraw the Consent they gave at any time, as described in the section What are the Data Subject’s rights?
|Purpose||Data to be processed|
|Competitions, draws, promotions and events|
To manage the action in question, from the registration process until the end.
|Data provided in the forms that the Data Controller uses for that purpose.|
|Managing visits and events at our facilities|
To manage visits from educational centers and organizations that wish to come to our facilities.
|Identification and contact details.|
|Managing and archiving data on your social media|
To process the information that you share with us via your social media profiles and keep a record of those interactions.
|Datos de tu perfil Información que compartas con nosotros para cumplir con la finalidad solicitada Para más información, consulta el apartado “¿Cómo tratamos tus datos en las redes sociales?”|
|Managing images and videos for use by the foundation|
Managing images of data subjects and/or volunteers either via photos or videos, by first requesting their consent and the transfer of rights.
|Managing attendance to events and forms|
Managing data via forms for sending information and announcements regarding events and to manage attendance.
|Name, surname, contact details, position, organization.|
Furthermore, throughout the relationship with the data subject, the Data Controller may ask for the Data Subject’s consent for new processing and purposes, which the latter will be informed of every time.
With whom will we share the personal data?
As a general rule, the Data Controller will not transfer Data Subjects’ personal data, except in the following cases:
i. with competent authorities and bodies, courts, tribunals, or any other legitimate third parties in accordance with applicable regulations;
ii. With third parties, when the user voluntarily requests this (e.g., when a volunteer wishes to take part in a program or activity organized by a social organization);
Furthermore, it is also possible that third-party providers have access to the Data Subject’s personal data in order to provide services to the Data Controller relating to the purposes of which you are being informed (including, but not limited to, companies operating in the following sectors: technology, legal advice, miscellaneous professional services, IT services, etc.). Said providers will only access the Personal Data to provide their services on behalf of the Data Controller, and are obliged to ensure that confidentiality is maintained and to always follow the Controller’s instructions, without ever using said data for their own purposes and/or for unauthorized purposes.
Will the data be internationally transferred?
The personal data may be internationally transferred due to the Data Controller’s relationship with service providers, especially those providing technological services. In any case, international data transfers will be carried out with the guarantees described below.
What’s more, your personal data will not be transferred to countries located outside of the European Economic Area, unless the European Commission has issued the corresponding adequacy decision stating that the country to which the data is due to be transferred provides a level of privacy protection that is equivalent to what is offered in the European Economic Area. This decision consists of a declaration by the European Commission stating that a non-EU country offers an adequate level of data protection that is equivalent to what is provided for under European regulations, making it possible to transfer the personal data to a third party based in a non-EU country without the Repsol Foundation (as an exporter of that data) having to offer any more guarantees or being subjected to additional conditions. In other words, transfers to an adequate third-party country will be given the same consideration as data transferred within the EU. In the absence of an adequacy decision for a non-EU country, the transfer may take place once adequate guarantees are given, and provided that people have enforceable rights and can take effective legal action. These guarantees include, but are not limited to:
- Binding Corporate Rules (BCR), in the case of a group of undertakings or enterprises engaged in a joint economic activity, which allows for the flow of personal data based on an accepted self-regulation and borne by each of the signing entities;
- Standard Contractual Clauses (SCC) signed between the exporter of the Personal Data from any country in the European Economic Area and a third-party country, consisting of a contractual agreement, the model for which has been approved and published by the European Commission and is in line with the provisions of the GDPR;
- Adherence to a code of conduct or a certification mechanism together with binding and enforceable commitments borne by the recipient in relation to the application of adequate guarantees for the protection of the transferred data; and
- In the absence of an adequacy decision or of the guarantees detailed above, your personal data may, under exceptional circumstances, be transferred to a third-party country or international organization due to the application of mechanisms required under the applicable legislation.
In order of preference, the Repsol Foundation will conduct International Transfers with the following guarantees:
|Guarantee||Criteria used by the Repsol Foundation|
|Adequacy decision issued by the European Commission.||Measure included as preferential by the Repsol Foundation. In this list you can find the countries subject to an adequacy decision: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en|
|Binding Corporate Rules||In the absence of an Adequacy Decision, this will be the preferred guarantee measure that the Repsol Foundation will request from the Personal Data importer. The list of entities that have Binding Corporate Rules can be found here: https://edpb.europa.eu/our-work-tools/accountability-tools/bcr_en?page=1|
|Standard Contractual Clauses||As a secondary guarantee mechanism in the absence of the above-mentioned measures, we will proceed to sign and/or request a copy, if applicable, from the Personal Data importer of the signed version of the Standard Contractual Clauses that are in line with the models provided by the European Commission.|
The Repsol Foundation requires the collaboration of previously selected technological service providers that render the services included in its activity and that, occasionally, must be provided outside of the European Economic Area. The personal data may be internationally transferred, particularly those related to tech support services to comply with the purposes. In any case, international data transfers will be carried out with the guarantees described below.
|Service||Type of Personal Data||Recipients||Guarantee|
|Human Resource Management||Workday Inc.||Canada Adequacy Decision|
Binding Corporate Rules
|Storage of personal data||Salesforce.com Inc. (USA)||Standard Contractual Clauses|
For how long with the Data Controller process my personal data?
In general, the Data Controller will process the Data Subject’s personal data as long as the contractual relationship remains in force. Nevertheless, for every Processing Activity, the information we provide you with when collecting your Personal Data will specifically indicate the period during which your Personal Data are to be processed, including those with a statutory limitation period, such as those relating to video surveillance activities or internal complaints.
Once this Processing Period is complete, the Data Controller will keep the Personal Data duly blocked for the time-barring of any civil, criminal, commercial and/or administrative proceedings.
What are the Data Subject’s rights?
You may, at any time, exercise a series of rights regarding the processing of your Personal Data. These rights are inherent to each Data Subject and, therefore, are indisputable and are as follows:
Right of access.
The right to access personal data processed by the Data Controller in accordance with article 15 of the GDPR.
Right to rectification.
The right to request that the Data Controller correct certain personal data pertaining to the Data Subject in accordance with article 16 of the GDPR.
Right to object.
The right to object to Processing based on consent or on the existence of a legitimate interest (including, but not limited to, the sending of commercial communications), in accordance with article 21.2 of the GDPR. In the event that the Processing is based on the existence of a legitimate interest, the Data Subject will have the right to request the balancing test carried out by the Data Controller. Furthermore, when the Processing is for the purposes of sending own or third-party commercial information, the Data Subject may freely and voluntarily invoke a mechanism to exclude advertising (more information can be found here: https://www.listarobinson.es/).
Right to erasure.
The right to request that the Data Controller deletes all or part of the Data Subject’s Personal Data in accordance with article 17 of the GDPR.
Please remember that, as long as our commercial and/or contractual relationship with you remain in force, there are a series of Personal Data that we need to process to fulfil the contract. Therefore, while said relationship continues, we will be unable to delete, block or erase them, as otherwise, we would be unable to fulfil the contract.
Right to restrict processing.
The right to limit the Data Controller’s processing of your Personal Data, provided that one of the conditions indicated in article 18 of the GDPR are met.
Right to data portability.
The right to receive the data provided to the Data Controller in a structured, commonly used and machine-readable format, and to transfer said data to another controller (or have it transferred directly to the new controller when this is technically possible), in accordance with article 20 of the GDPR.
Right to withdraw consent for the types of Processing identified in the section titled Processing based on the Data Subject’s consent, without said withdrawal of consent having a retroactive effect, in accordance with article 7.3 of the GDPR.
The right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects or affects you significantly.
The Data Controller informs the Data Subject that, notwithstanding the fact that decisions are made based on automated systems, said decisions (i) do not produce legal effects or significantly affect the Data Subject; (ii) are not solely automated.
These rights may be exercised by informing the Data Controller at their registered address or by emailing: email@example.com, where you may also receive additional information regarding the processing of your personal data.
If you believe that we have processed your Personal Data inappropriately and in breach of personal data processing regulations, or if you do not agree with how we attended to your wish to exercise your rights, please contact us at: firstname.lastname@example.org. Likewise, you may, at any time, register a complaint with the corresponding control authority (in the case of Spain, this is the Spanish Data Protection Agency).
What is our policy regarding the personal data of minors?
In the majority of cases, the Data Controller will only process the data of people of legal age (18 and over). Nevertheless, there will occasionally be times when the data of minors must be processed, for example for promotional or volunteering actions or events, and in which case, Consent and authorization will be requested from the parents or legal guardians if the minor is less than 14 years of age. If you are a minor and you are not sure if you correctly understand something we have explained to you, ask your parents or guardians to help you out.
With regard to the use of social media, we recommend that parents or guardians regularly check and supervise their children’s online activity. Please ensure that your children do not provide us with Personal Data without first getting your approval and Consent. In this regard, there are IT programs that let you filter and block access to certain online content, so that as a parent or legal guardian, you may decide what content and internet services the minors under your care have access to.
You can exercise the rights of minors under 14 years of age at any time by certifying your legitimate right to do so.
What happens if you provide us with the data of a Third Party?
In the event that, during your relationship with us, you provide us with Third-party Personal Data, please note that you are solely responsible for obtaining their prior consent to communicate their Personal Data to the Data Controller for the purposes you are informed of in each case, and also for informing them of the contents of this Policy.
You are responsible for holding the Repsol Foundation harmless from any responsibility deriving from the lack of information provided to the Third Party and/or their lack of consent.
How do we process your data on social media?
We recommend that you avoid including Personal Data―both yours and that of Third Parties―when interacting with us on social media. Nevertheless, should you decide to include personal information, please note that your Personal Data will be processed by us in accordance with this Policy.
More specifically, the data that you provide us with via any form of social media will be processed for the purposes of interacting with you so that you may know more about us, the activities we do and the values we represent. This channel is not the best way of sending us complaints or suggestions. However, if you were to send us any kind of request, complaint, suggestion or grievance via social media, we will ask for your Consent to process the minimum Personal Data required for us to be able to attend to you and process your request.
The legal basis for this Processing is your Consent, provided via an authorization message that you sent to us via the means of interaction included in the social network in question. The processing and duration will be limited to only what is necessary for providing you with a response. It is important that you bear in mind that, by interacting with us via social media, the conditions of use established by the owner of the social media tool are out of our control. This means that they are not covered by the contents of this Policy. We recommend that you make sure that you are aware of and are in accordance with the legal terms and conditions and the privacy regulations before continuing to use such sites and before providing them with any kind of personal information.
In this regard, please remember that this Policy does not apply to Processing carried out by Third-party websites that you may access via a link on our own site.
Can we change the terms of the Policy?
What are your responsibilities?
You are responsible for all of the Personal Data you provide us with, as well as for the veracity, accuracy, validity, updating, and authenticity of said data, including your consent so that your data may be used/processed. Furthermore, you are responsible for any Third-party Data that you provide us with, and regarding which you agree to obtain their Consent once you have shared with them the privacy information provided for this specific case by the Repsol Foundation, given the fact that we do not have direct contact with that third party. And please also note that you are responsible for regularly checking this Policy and any updates made to it.
Version 2.1 Last updated: 21 June 2022