Information is provided in this policy of how García-Munté Energía, S.L. (GME) processes the personal data of natural persons, whether or not they are companies’ legal representatives and/or contact persons, with the utmost respect for the principles of lawfulness, fairness, transparency and limitation in the purpose, and only data that are adequate, relevant and limited to what is required in relation to the relevant purposes will be processed. Likewise, all processing will be subject to organisational and technical measures to guarantee the security of the personal data, which will ensure they are accurate and not processed for longer than is required to fulfil the intended purpose.
At GME we apply all the required measures to ensure compliance at all times with the obligations set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as well as in Spanish Act 3 of 5 December 2018 on personal data protection and guarantee of digital rights and in Act 34 of 11 July 2002 on information society services and e-commerce.
In the following points we will clearly and accessibly inform you about the different aspects that affect your privacy and how, at GME, we always aim to fulfil current legislation and deal with any request or petition that you may send us.
There are many technical terms involved in the field of privacy. The following is a simple and clear description of the most relevant ones.
- Personal data: This means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"). An identifiable natural person is any person whose identity can be directly or indirectly determined, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of such person's physical, physiological, genetic, mental, economic, cultural or social identity.
- Processing: This means any operation or set of operations that is performed with personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or data made available by any other means, alignment or combination, restriction, erasure or destruction.
- Supervisory authorityThis means the supervisory authority that monitors implementation of the European Regulation in order to protect the fundamental rights and freedoms of natural persons with regard to data processing and to facilitate the free movement of personal data within the Union.
- Data controller: This means the party that independently or jointly determines the purposes and means of the processing.
- Data processor: This means the party that processes personal data on behalf of the controller.
- Recipient: his means the party to whom the personal data are disclosed, except for public authorities within the scope of an investigation.
- The data subject’s consent: This means any freely given, specific, informed and unambiguous statement by virtue of which the data subject agrees to the processing of his/her personal data, either by a statement or clear affirmative action.
- Breach of personal data security: This means any security breach leading to the accidental or illegal destruction, loss or alteration, or unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
- A company’s legal representative or attorney-in-fact: This means a person who acts on behalf of a company and legally represents it.
2. Who processes your personal data?
The data controller is
García-Munté Energía, S.L.
Tax Identification Code (CIF): B61474540
Registered office: Calle Selva 12, 08820, El Prat de Llobregat, Barcelona, Spain
Phone number: (+34) 93 247 91 60
Recorded in the Commercial Registry of Barcelona in volume 30137, folio 197, sheet B-166.026
GME has appointed a Data Protection Officer (DPO) who is responsible for supervising that the company complies with its data protection obligations and offers you the rights and guarantees set out in current legislation.
You can contact our DPO via email at email@example.com.
3. What data do we process?
The data that you could provide to us through any means of communication with GME that you have at your disposal, such as the website form, email, a phone call, etc. These data include contact details, such as your full name, e-mail address, telephone number, among others. Likewise, browsing data is also obtained through cookies when you access our website www.garciamunte.com.
Similarly, we also process the data initially provided to us by customers that are companies to manage the agreement, and during its valid term. These data include the personal data of their legal representative or signatory (National Identity Card number (DNI), full name and details of the power of attorney), personal data of their contact persons and/or representatives (full name, landline and/or mobile phone number and e-mail address), as well as the company's data (company name, postal address, registered office and, if applicable, landline and mobile numbers, economic and/or business sector, shareholder composition, bank details) and other data that may be required to record a customer in accordance with GME's internal regulatory compliance policies in force.
4. For what purposes do we process your data?
The data provided will be processed in order to respond to queries, doubts, claims or issues that you may submit through the various communication channels made available by GME.
GME also has a whistleblowing channel on its website and you may contact us through the email address firstname.lastname@example.org purpose of this processing is to investigate and deal with inappropriate actions or conduct, especially related to criminal and regulatory compliance cases, as well as to deal with queries, doubts and/or proposals for improvement of GME’s existing systems.
When managing the services or products contracted, your data will be processed to execute the agreement and fulfil the possible legal obligations arising from the service contracted.
No automated decisions that could affect you will be made on the basis of the personal information provided.
Those who send a notification through the aforementioned communication channels will be solely responsible for ensuring that the personal data provided are true, accurate, complete and up-to-date and must hold GME harmless from any liability that could be claimed from failure to comply with these representations and guarantees.
The legitimating basis on which we process data not related to the whistleblowing channel or the execution of an agreement is legitimate interest.
This basis is applicable bearing in mind the data subject's reasonable expectation that GME will process the data provided in order to achieve the purposes set out above, an expectation based on the data subject's relationship with GME as a person interested in the company’s products, services and functioning.
Therefore, among the data mentioned in the previous section, GME may process those that are relevant and necessary to deal with the request, query, petition or complaint that the data subject could submit.
Regarding the processing of personal data related to communications received through any of the GME's ethical whistleblowing channels, the legal basis for the data processing is to comply with the legal obligation to resolve the queries submitted, applicable by virtue of the provisions in Act 10 of 23 November 1995 on the Spanish Criminal Code.
The legal basis is the execution of the agreement regarding the personal data received for managing the contracting and maintenance of customer relationships.
5. Data storage terms
Data not related to the ethical whistleblowing channel
The data will be processed solely and exclusively for the time required and for the purposes for which they have been collected from time to time. Therefore, the data subjects’ data will be stored and processed for a period of 24 months, counted from the time they are obtained, unless the data were collected for executing an agreement and that extends beyond such term.
Once this period has elapsed, the data will be blocked until the statute of limitation expires for any possible actions of any kind that may arise from the processing carried out. After this period, the data will be erased.
Data related to the ethical whistleblowing channel
GME will keep the personal data for the time strictly necessary to decide whether or not to initiate an investigation into the facts that are the object of the notification and, once decided, they will be kept duly blocked in order to comply with the legal obligations that may be applicable in each case.
In any case, the personal data will be erased within a maximum period of three months, counted from the time they are recorded through the ethical channel, unless they are kept for the purpose of proving the functioning of GME's crime prevention model. After this period has elapsed, the data may continue to be processed for as long as necessary in order to investigate the facts reported through the notification, providing they are not kept in the ethical channel itself.
6. With whom do we share your data?
Data not related to the ethical whistleblowing channel
GME will not carry out any international transfers of your personal data to third countries outside the European Union or to an international organisation
Under no circumstances will the personal data of the representative and/or contact person of a customer company be disclosed to third-party companies without obtaining your prior consent, unless the transfer of your data is required to ensure the maintenance of the contractual relationship with the customer company, as well as in the cases stipulated in the regulations in force from time to time.
GME may disclose your personal data to the various public authorities, whenever there is a legal obligation to do so, such as the tax and customs authorities, judicial authorities and any other authorities that may be applicable in accordance with current legislation.
We would also like to inform you that the invoices issued by GME may be subject to factoring transactions with various financial institutions, therefore the credit to be collected by GME may be assigned to a specific financial institution.
Data related to the ethical whistleblowing channel
Your personal data will only be disclosed to third parties to whom GME is legally or contractually obliged to provide them and to those companies in the legal sector and its group of companies to which, when applicable, it has entrusted consulting and advisory services to be rendered in relation to the management of the ethical whistleblowing channel on behalf of GME, whenever this is necessary in order to render these services.
Under no circumstances will GME carry out international transfers of your personal data to third countries outside the European Union or to an international organisation.
Only in the event that the reported event gives rise to administrative or judicial proceedings, the data provided may be disclosed by GME to the competent authorities for investigation and sanction, if applicable.
7. What measures do we take to protect the security of your data?
At GME, the security and confidentiality of personal data are crucial and all processing is subject to technical and organisational measures to guarantee them, while at the same time preventing their loss, misuse or unauthorised access thereto.
All GME staff who process personal data do so by observing the utmost confidentiality and ensuring at all times their contents are kept secret, always applying measures to prevent any alteration, loss and unauthorised processing or access, always respecting the measures required by current data protection legislation.
In the event of a personal data security breach, GME has internal procedures in place to manage such breaches, aimed at remedying and terminating the breach as quickly as possible and through mitigation actions to limit the potential negative effects. When required by the data protection regulations in force, GME will notify any security breaches to the supervisory authority and/or the data subjects, providing such actions have not been assigned to a data processor by virtue of a contractual relationship with the latter.
8. Your rights
According to the current data protection regulations, GME guarantees that you can exercise the following rights:
- Access: You are entitled to know if we are processing your personal data at GME and, if so, to know which data is being processed and the information related thereto.
- Rectification: You may request rectification of your personal data if they are inaccurate or incomplete.
- Erasure: You can request for personal data to be erased and to no longer be processed by GME, unless there is a legal obligation to keep them and/or providing there are no other legitimate reasons for GME to process them.
- Objection: You may object at any time to the processing of your personal data on the basis of public or legitimate interests sought by GME or a third party, for reasons relating to your particular situation. GME will then stop processing your data, except when there are compulsory legitimate reasons to do so or reasons related to filing or defending possible claims.
- Restriction: In the cases stipulated by law, you are allowed to mark personal data so that GME cannot process them in the future. This will not be applicable in certain situations, such as when the data subject’s consent has been given for data storage, drawing up, filing and defending claims, protecting the rights of another natural or legal person or based on public interest.
- Portability: You are allowed to obtain the personal data you have provided to GME in a structured, commonly used, machine-readable and interoperable format and to request GME to transfer your data directly to another data controller.
GME provides you with various templates to help you exercise the aforementioned rights, which you can access here.
We also assure you that exercising these rights will be free of charge, except in cases they are excessively exercised as stipulated in the regulations in force.
Likewise, in accordance with current legislation, GME undertakes to respond to your request to exercise rights within a maximum period of one month. This period may be extended by a further two months in cases where the increased complexity or number of applications makes this necessary. GME may refuse to respond to requests that clearly have no grounds or are excessive.
You can exercise your rights by sending your request along with a copy of your National Identity Card (DNI) to:
- Calle la selva 12, 08820, El Prat de Llobregat, Barcelona, Spain, for the attention of García-Munté Energía, S.L
You are also entitled to file a claim with the national supervisory authority by contacting the Spanish Data Protection Agency:
C/ Jorge Juan, 6 – 28001 Madrid
Telephone numbers: 901 100 099/91 266 35 1
GME may amend this policy at any time. If this is carried out, the modification will be posted on the same website for your information.