Privacy Policy

In accordance with applicable Data Protection Legislation by means of this Privacy Policy, the data subject is informed of the following:

 

1. Who is the Data Controller for the processing of the personal data?

2. Purposes of processing, categories of personal data and lawful bases

The Data Controller will process the information, manually or automatically, provided by the data subject, in a lawful, fair and transparent manner. To this end, it is important that the data subject informs of any changes that occur in his/her personal data, in order to keep them up to date.

Means of contact

The Data Controller will process the personal data of data subjects in order to manage and answer queries, doubts or requests made by them, through the means of contact made available to them.

The Data Controller will process, for this purpose, the following categories of data:

In the event that the data subject provides personal data related to a third party, the data subject declares that the provision of personal data is lawful and undertakes to pass on the information contained in this Privacy Policy to said third party.

The lawfulness for the processing of personal data for this purpose is EDPR’s legitimate interest in the correct management of the data subjects’ queries, doubts or requests and their due attention and, where applicable, response thereto.

Suppliers and business contacts as recipients of e-mail communications

The Data Controller will use the contact details of data subjects for the purposes of professional location, management of contractual and commercial relations with the recipient or with the entity in which the recipient provides services, as appropriate, as well as resolution of queries and, where appropriate, complaints addressed to EDPR by the recipient of such communications.

The Data Controller will process, for this purpose, the contact details of the data subjects. The lawfulness for this processing is the execution of the contact or pre-contract between the parties.

On the other hand, the Data Controller will also process the contact details of the data subjects for the purpose of maintaining commercial relations with the third parties. The lawfulness for this processing is the legitimate interest of the Data Controller in maintaining commercial relations. This processing contributes to the achievement of the purposes of the Data Controller, promoting economic activity and productivity in the sector and the interest of the suppliers and business contact in which the data subject provides their services for the initiation or maintenance of the commercial relationship between the parties. In any case, the data subject may object at any time to the processing of his/her data for the aforementioned purpose, in accordance with the provisions of the section on the exercise of rights.

Due diligence measures for sponsorships and/or donations

The Data Controller may conduct an analysis of the adequacy of the sponsorships and/or donations’ beneficiaries (hereinafter the “Beneficiary”) in line with the EDPR Group's due diligence procedures, in accordance with EDPR's legitimate interests in ensuring compliance with internal integrity requirements and policies in its relations with third parties on the occasion of sponsorships and/or donations, for which an assessment between EDPR's legitimate interests and the rights and freedoms of data subjects has been performed. In order to achieve this objective, the following checks will be carried out:

The checks described above are necessary to prevent the risk of committing certain offences and to maintain an adequate level of integrity among the people who maintain relations of any kind with EDPR.

However, in order to prevent damage and potential negative consequences arising from such processing, technical and organisational measures have been taken to guarantee the appropriate use of this information and to reinforce its confidentiality and security. The Beneficiary may object to this processing in accordance with the provisions of the section on the rights of data subjects with regard to data protection.

Relationship with third parties for Purchases, Non-Binding Offers and Confidentiality Agreements

The Data Controller shall use personal data relating to the legal representatives, shareholders, employees or collaborators of the counterparty (hereinafter collectively the "counterparty") for:

The processing of the counterparty's data for the purposes based on the performance of a contract is necessary to achieve these purposes, as EDPR will not be able to perform the contractual relationship with the counterparty if it does not provide its personal data.

3. How long do we store your personal data?

With regard to personal data arising from the means of contact, the data provided will be stored for as long as their processing is necessary for the purpose for which they were collected, unless you request us to erase them before that date and there is no legal or judicial mandate that obliges us to store the personal data.

With regard to personal data arising from the use of contact details of suppliers and business contacts, the data provided will be kept for as long as the relationship with the data subject subsists, unless you request us to erase them before that date and there is no legal or judicial mandate that obliges us to store the personal data or they serve to meet possible claims or exercise of rights, during the limitation period of the corresponding actions.

With respect to the personal data arising from the due diligence measures described above, these shall be stored for as long as the relationship with the data subject subsists, unless you request us to erase them prior to that date and there is no legal or judicial mandate that obliges us to store the personal data or they serve to meet possible claims or exercise of rights, during the limitation period of the corresponding actions.

With regard to personal data arising from contractual relationships with third parties for purchases, non-binding offers and confidentiality agreements described above, these will be stored for as long as the relationship with the data subject subsists, unless you request us to erase them prior to that date and there is no legal or judicial mandate that obliges us to store the personal data or they serve to meet possible claims or exercise of rights, during the limitation period of the corresponding actions in accordance with applicable law.

4. What security measures do we apply?

In order to safeguard the security of your personal data, the Data Controller has adopted all the technical and organisational measures necessary to guarantee the security of the personal data supplied, in order to prevent their alteration, loss and/or unauthorised processing or access, as required by law, although absolute security does not exist.

Likewise, all our staff, whatever the stage of processing in which they are involved, have undertaken to process your personal data with the utmost care, secrecy, and confidentiality and that it will be processed in accordance with current applicable Data Protection Legislation.

5. To which recipients will personal data be communicated?

The personal data of data subjects may be communicated to:

The Data Controller relies on the cooperation of third-party service providers who may have access to your personal data and who will process the data on behalf of and for the account of the Data Controller, as a consequence of their provision of services.

In this respect, the Controller follows strict criteria for the selection of service providers in order to comply with its data protection obligations and undertakes to enter into the corresponding data processing agreement with them, whereby it will impose on them, among others, the following obligations: to implement appropriate technical and organisational measures to ensure the security of personal data; to process personal data for the agreed purposes and only in accordance with the documented instructions of the Controller; and to erase and return the data to the Controller once the provision of the services has been completed.

6. International data transfers

Personal data of data subjects may be transferred to countries other than the Data Subject Territory and other than Data Controller Territory. In such cases, the data processing could involve international data transfers under the terms of the applicable personal data protection legislation from time to time.

For the purposes of this Privacy Notice, an international data transfer shall be deemed to take place in the following cases:

EDPR may transfer your personal data to countries with an adequate level of protection recognised by the competent authorities.

In the case of transfers to countries not considered to have an adequate level of protection according to the applicable Data protection Legislation and/or considered by the competent supervisory authority, EDPR has implemented appropriate and adequate safeguards to protect the personal data of data subjects and to ensure an adequate level of security. Accordingly, the personal data of data subjects will be transferred in accordance with the requirements and obligations established by the applicable Data Protection Legislation. In these cases, EDPR guarantees to have subscribed with the recipients, collaborators and/or suppliers who access to personal data, the corresponding Contractual Clauses and determined the additional guarantees, when necessary, for the best protection of your personal data.

For more information on appropriate and adequate security measures, data subjects may contact EDPR through the contact means of their Data Protection Officer at dataprotection@edpr.com.

7. What rights does the data subject have?

In accordance with data protection regulations, the data subject has the right to:

In order to exercise the aforementioned rights, you must send your request to the address indicated in the heading of this document, through the channel provided on the website www.edpr.com or through the DPO's e-mail address: dataprotection@edpr.com.

The Data Controller will respond to the right exercised within the legally stipulated period.

Finally, the data subject may, in addition, file a complaint with the competent Control Authority if he/she considers that the Controller has infringed the rights recognised by the applicable data protection regulations.

Last update: July 2024

[i] The term ‘Third Country’ refers to countries outside the European Economic Area.