Global Privacy Policy

This Privacy Policy applies to any processing of Personal Data carried out by Repsol, S.A. or any companies of its group (hereinafter "Repsol" and the “Policy" respectively). The Policy is intended to be worldwide, although it may be further supplemented by local provisions in relation to the processing of data carried out by Repsol group companies located or operating in certain countries.

The Policy is intended to answer any questions you may have regarding the processing of your Personal Data as a Data Subject, although in case you need more information, you can contact: protecciondedatos@repsol.com

It is important for you to read this Policy carefully in order for you to make an informed choice when providing us with your Personal Data.

 

What definitions do I need to know in order to better understand the Policy?

We would like to provide you with the definition of some of the terms that you will find throughout this document:

  • "Activities, Products and/or Services" - Refers to invitations to commercial, informative, sports or recreational events, promotions, contests, raffles and commercial information on energy solutions, mobility, automotive assistance, insurance, finance, leisure, travel, home, sports, gastronomy, loyalty programs, payment means and services, or telecommunications of third parties and through different channels.
  • "Anonymization" - use of a set of techniques aimed at removing the ability to associate data with an identified or identifiable natural person by means of a "reasonable" effort. This "reasonableness test" must take into account both objective aspects (time, technical means) and contextual elements, which may differ from case to case (exceptional nature of a phenomenon taking into account, for example, the density of the population and the nature and volume of the data).
  •  "Communication of data" - means any disclosure of data to a natural or legal person, public authority, service or other body, whether or not it is a Third Party.
  • "Standard Contractual Clauses" - a mechanism that makes it possible, through the signing of a contract based on the model approved by the European Commission, to regulate international transfers of Personal Data to countries outside the European Economic Area.
  • "Consent" - free, unequivocal, specific and informed manifestation of will to the processing of Personal Data.
  • "Cookies" - Cookies are small files or devices that are installed in the user's browser in order to store, retrieve or update information. Through them, the editor of a website can try to know the preferences of users when browsing its website and customize the services offered based on those preferences. You can find more information in the Repsol Cookies Policy
  • "Personal Data"- any information about a natural person that identifies him/her or makes him/her identifiable (first and last name, address, telephone number, e-mail address, etc.).
  • "Data Protection Officer" - data protection specialist who informs and advises the Repsol group on the processing of Personal Data and related obligations under the GDPR.
  • "Recipient" - means a natural or legal person, public authority, service, or other body to whom Personal Data is disclosed, whether or not it is a Third Party.
  • "Profiling" - means any form of automated processing of Personal Data consisting of using Personal Data to evaluate certain personal aspects of a natural person, to analyze or predict aspects relating to that natural person's professional performance, financial situation, health, personal preferences, interests, reliability, behavior, location or movements.
  • "Repsol group companies with commercial activity assignees of Personal Data" - those Repsol group companies included in this list , to which the assignment of customers' Personal Data is limited.
  • "Data processor" - a natural or legal person, public authority, service, or body that carries out a processing operation on behalf of a third party (the Data Controller). Sometimes it is Repsol, SA for all its subsidiaries or third-party suppliers since we have a centralized management of most of the matters related to organization and business.
  • "Geolocation" - means any data processed in an electronic communications network that indicates the geographic position of a Data Subject’s terminal equipment of a publicly available electronic communications service.
  • "Repsol Group" - group of companies for the purposes of Article 42 of the Commercial Code. More information at www.repsol.info/estructura
  • "Data Subject" - for the purposes of this Policy, shall mean any natural person who is the owner of the processed data.
  • "Binding Corporate Rules” - Personal Data protection policies undertaken by a controller or processor established in the territory of a Member State for transfers or a set of transfers of Personal Data to a controller or processor in one or more third countries, within a corporate group or a union of undertakings engaged in a joint economic activity.
  • "Pseudo-anonymization" - means the processing of Personal Data in such a way that they can no longer be attributed to a Data Subject without the use of additional information, provided that such additional information is separately identified and is subject to technical and organizational measures designed to ensure that the Personal Data are not attributed to an identified or identifiable natural person.
  • "Repsol" - Repsol group company that acts as Data controller.
  • "Data controller" - means the natural or legal person, public authority, service or body that decides what data to process, why and how. For the purposes of this Policy, any of the companies of the Repsol group.
  • "Online Services" - includes any site environment, website, channels, applications, promotions.
  • "Third Party" - natural or legal person, public authority, service or body other than the Data Subject, the Controller, the Processor and the persons authorized to process the Personal Data under the direct authority of the Controller and/or the Processor.
  • "International Transfers" - those cases where Personal Data is processed outside the European Economic Area (EEA).
  • "Processing" - operation or set of operations performed on Personal Data or sets of Personal Data, whether or not, by automated procedures, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, communication by transmission, dissemination or any other form of enabling access, alignment or interconnection, restriction, erasure or destruction.
  • "Repsol Single User" - is the user that you create when you register in the Repsol Single Registry to access the Online Services of any of the entities of the Repsol group and whose content is included in your user account in the Single Registry ("Your Account").

How will the Personal Data be processed?

Your Personal Data will be processed in accordance with the provisions of current Personal Data protection regulations and, particularly:

(i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC - General Data Protection Regulation (hereinafter referred to as "GDPR");

(ii) Organic Law 3/2018, of December 5, 2018, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, "LOPDGDD");

(iii) any national legislation, of any country, that regulates the processing of Personal Data;

(iv) or any regulation that modifies, develops, or replaces the previous ones.

Who is the Data controller of the Personal Data?

In general, the Repsol Group company with which you have dealings will be the Data controller. However, there may be processing where the Data controller is another Repsol Group company, which will be indicated at all times by means of the corresponding informative clause.

Whenever we collect your Personal Data, we will inform you of the Data controller for the processing, including its identification and contact details. 

Is there a Data Protection Officer?

The Data Protection Officer is a position defined by the GDPR, who assists the Data controller in Data Processing and with ensuring compliance with privacy regulations.

 

Repsol Group companies in Spain that have a Data Protection Officer   Repsol Group companies in Portugal that have a Data Protection Officer
Repsol, S.A.   Repsol Portuguesa, LDA
Bios Avanzados Tratados del Mediterráneo, S.L.   Repsol Gás Portugal, Lda
Campsa Estaciones de Servicio, S.A.   Gespost - Gestão e Administração de Postos de Abastecimento, Unipessoal, Lda 
Petróleos del Norte, S.A.   Repsol Directo Lda 
Klikin Deals Spain, S.L.   Repsol Polímeros, Lda
Polidux, S.A.    
Regsiti Comercializadora Regulada, SLU    
Relkia distribuidora de electricidad, S.L.    
Repsol Butano, S.A.    
Repsol Comercializadora de Electricidad y Gas, SL    
Repsol Comercial de Productos Petrolíferos, S.A.    
Repsol Directo, S.A.    
Repsol Electricidad y Gas, SA    
Repsol Exploración, S.A.    
Repsol Generación Eléctrica, SL    
Repsol Investigaciones Petrolíferas, S.A.    
Repsol Lubricantes y Especialidades, S.A.    
Repsol Petróleo, S.A.    
Repsol Química, S.A.    
Repsol Renovables, S.L    
Repsol Trading, S.A.    
Servicios de Seguridad Mancomunados, S.A.    
Solred, S.A.    
Solgas Distribuidora de Gas, S.L.     
Valdesolar Hive, S.L.    

 

To communicate with the Data Protection Officer of the above companies, simply send an e-mail to proteccióndedatos@repsol.com, except in the case of Klikin Deals Spain, which contact details are dpd@waylet.es and except for the Portuguese companies which contact details are: privacidades@repsol.com

What is the Repsol Single Registry (Your Account)?

Repsol has established a single registration system to facilitate your access to all our Online Services. The Single Registry system shall allow you to access our Online Services and be requested exclusively to complete those data which are strictly necessary for the service and have not been previously submitted. This means that you shall not be requested to submit those Personal Data you may have provided for a previous service when registering in a new Online Service.

Remember that Your Account is unique for all Repsol Online Services, which means that Repsol, S.A., owner of this processing operation, has knowledge of all the Online Services in which you have registered.

What Personal Data are processed and where does it come from?

The Data controller will access and process all data that the Data Subject has provided directly throughout the Single Registry, throughout the relationship with Repsol Group or provided by third parties, as long as there is a legitimate reason for data communication. This data may fall into one of the following categories, depending on the country’s legal requirements:

 

Data collected directly from the Data Subject including but not limited to:

Data generated over the course of the relationship with Repsol group companies or that provided by third parties, including but not limited to

Identification and contact details

Full name, National ID/Foreigner’s ID, address, telephone number, email address, signature, image/voice.

Commercial information details

Level of risk or possible non-payment

Personal details

Age, gender, nationality, marital status, profession.

Transaction details of goods and services

Received goods and services, promotions launched by the Data controller where Data Subject participates.

Social circumstances details

Properties, asset ownership, licenses, titles, permits, and other rights and properties of the Data Subject.

 

Location data

One-time location

Economic, financial, and insurance data

Account number to debit payments.

Browsing details

IP address or information derived from Cookies, if any, as well as those corresponding to your profiles on social networks in case you use them.

Special data

Biometric data in case of access to certain facilities of Repsol Group companies and/or to identify you in case you want to make certain telephone transactions in some of the Repsol Group companies.

Geolocation data

Continuous location tracking of Data Subject

Third party data

Identification and contact details of the Data Subject’s family members or relatives.

Solvency details

Information obtained from credit information systems regarding the existence of unpaid debts with other entities (amount of the installment, age, sector of the entity reporting the debt).

 

Data from other Repsol Group companies

Contracts or relationships entered with other Repsol Group companies and transactions carried out.

What is the purpose of Personal Data processing and what is the lawful basis?

The Data controller will provide when colleting Personal Data which are the purposes and legitimate basis for such data processing as well as the Data Subject’s rights. Find below a description of the generic purposes for the data processing by the Data controller as well as its correlative lawful basis for the Processing duly identified:

There are several data processing activities that are necessary for the performance and development of the contractual relationship and/or derive from the relationship itself. Without the processing of your Personal Data for said purposes, the existence of such contractual relationship would not be possible because it is inherent to it.

Purpose

Management of the contractual relationship

Develop, control and maintain the contractual relationship, manage the signature -including electronic signature  and if necessary, by the issuance of electronic signature certificates-, perform and manage the agreed transactions, contact, billing, debt and collection management, customer service (including the possibility of recording telephone calls), sending of non-commercial information related to the contract, managing complaints, requests, suggestions and attention to possible incidents.

Single Registry Management

In the case of Online Services, we process your data in order to create and manage your access credentials, Your Account, as well as to provide you with the Online Services you applied for. Remember that Your Account is unique for all Repsol Online Services, which means that Repsol, S.A. as owner of this processing holds the knowledge of each one of the Online Services you have registered for.

An Online Service is any electronic service available to customers and users of the Repsol Group that requires access credentials for its use (services accessible through web pages, mobile applications or similar that require registration).

Verification of the member group you belong to

In case you belong to a group that may benefit from specific conditions, we will ask you for this information to confirm your membership status and apply the corresponding benefits.

 

There are data processing activities that are necessary for the Data controller to comply with the applicable legal obligations. As a result of different national and international regulations, the Data controller is required to carry them out, otherwise it would be incurring in an omission of its responsibilities.

Purpose

Compliance with accounting, legal, tax and administrative obligations.

Fulfill the legal obligations that correspond to the Data Controller, including attending the data Subject exercised rights as result of the Data Protection Regulations for the Personal Data processing.

These data processing activities are necessary for the performance of a task carried out in the public interest on the basis of the law of the European Union or its Member States. In particular, they are processing operations intended to ensure national security conditions and to prevent the commission of unlawful acts.

Purpose

Legal basis

Video surveillance and security

Image capture through security cameras for the security purposes of the facilities and other security actions (smoke detection).

Public interest provided for in the LOPDGDD.

Internal investigations

Management of complaints or internal investigations due to a suspected breach by the Data Subject of internal regulations or of the Code of Ethics and Business Conduct, which requires a report to be drawn up and consultation with the relevant areas.

Public interest provided for in the LOPDGDD.

There are data Processing activities required to fulfil the legitimate interest of the Data controller or of Third Parties. In such Processing, the Data controller has conducted a balancing test and analyzed how it affects the rights and freedoms of the Data Subject and concluded that the Processing is necessary and proportional to its purpose, without involving a collision with the rights of the Data Subject and, therefore, being compatible. The Data Subject has the right, at any time, to object to such Processing and to request, from the Data Controller, information on the balancing test conducted.

Purpose

Legitimate basis

Surveys addressed to the Data Subject

Conducting surveys on aspects related to the quality of communications, Data controller’s processes, as well as the products and services of the Repsol Group.

Legitimate interest of the Data controller. This processing arises from the interest of the Data Controller in improving the procedures for user service and updating the catalog of products and services, understanding the way in which the user interacts with the Repsol Group, as well as detecting their level of satisfaction.

Archive

To have a historical file of the Data controller.

Legitimate interest of the Data controller in keeping a record of its activities for possible liability or as a historical memory.

Anonymization/pseudo-anonymization processes for statistical purposes

Processing information by applying data anonymization or pseudo-anonymization techniques in order to process data for statistical purposes for the issuance of conclusions regarding their behavior.

Legitimate interest of the Data controller to carry out internal analysis and elaborate studies for statistical purposes that allow the Repsol Group to adapt its activity, products and services to the demands of users.

Data processing of representatives and contact persons

To identify the persons representing the customer or acting as contact for the purposes of the contracting. This processing is only applicable in case the customer is a legal entity.

Legitimate interest of the Data controller in accordance with Article 19 of the LOPDGDD.

Third party due diligence process

Carry out the due diligence processes implemented by the Repsol Group in its relations with third parties.

Legitimate interest of the Data controller in avoiding fraudulent actions and risks in contracting.

Consultation of and communication to asset solvency files

To the extent necessary, to assess the financial solvency of the user and to carry out credit risk assessments (prior to and during the contract), the Data controller may check and process information obtained from common creditworthiness files. The Data controller may process, where appropriate, data obtained from different reporting entities regarding your financial solvency. On the basis of these consultations, it may make profiles of your creditworthiness. The Data controller will always give the user the possibility to argue whatever it deems relevant in order to defend its right or interest. Similarly, and subject to the regulations in force, the user is informed that failure to comply with the monetary obligations assumed under this contract may result in the inclusion of its Personal Data in a file relating to the fulfillment or non-fulfillment of monetary obligations.

Legitimate interest of the Data controller in accordance with article 20 of the LOPDGDD. Without being able to make these profiles, the Data controller will not be able to assess the user's creditworthiness and avoid fraudulent behavior that affects the fulfillment of the contract.

Profiling for the management of contract conditions and the offer applicable to the customer according to his consumptions

Create simple customer profiles based on their consumption in order to provide them with product and service offers and conditions more adapted to their profile.

Legitimate interest of the Data controller in improving the strategy and commercial offer of the products and services offered by the Repsol Group. Such profiling is carried out based on the analysis and aggregate association of the information obtained through media or our different points of sale, our own knowledge of the market and its evolution, as well as the sales process of products or services of the Repsol Group. This information is only obtained from the Data controller and not from other entities of the Repsol Group.

Commercial communications of Repsol Group products and/or services.

To send commercial information about products and services of Repsol Group companies with commercial activity assignees of Personal Data given its condition of multi-energy group, because they are similar to those contracted by the customer.

Legitimate interest of the Data controller in maintaining the relationship with the customer by registering new products, improving the conditions of the products and / or services that have been contracted and offering information about similar products and / or services that may be of interest to the customer, allowing the Data controller to continue its business and grow within its sector.

When we contact you by e-mail, SMS or similar electronic means, we rely on the exception provided for in Article 21.2 of Law 34/2002 ("LSSI").

 

Fraud management and control

Filing of complaints and representation in court in case of non-payment or leakage of vehicles from service stations.

 

Legitimate interest of the Data controller in preventing fraudulent acts at our service stations.

Additionally, certain Processing cannot be done without the consent of the Data Subject. Consent can be revoked at any time, as described in section What are the Data Subject’s rights?

Purpose

Data Subject to processing

Transfer the data to Repsol Group with commercial activity that are assignees of the Personal Data.

To transfer the data of the Data Subject to Repsol Group companies with commercial activity assignees of the Personal Data so that they can combine all this information with other data of the Data Subject that they may have on-line or off-line, in order to complete the profile and, in the event that they are legitimized, to send advertising, by any means including electronic, about the Activities, Products, and/or Services .

Identification and contact information

Commercial information data

Transaction data for goods and services

Location and/or geolocation data, with respect, in any case, to the regulations in force.

 

 

 

Third party commercial communications for products and/or services

To send commercial information, by any means, including electronic means, about the activities, products and services of third parties.

Identification and contact information

 

Contests, raffles, promotions and events

Manage the action in question, from registration to the development of the action.

Data provided in the forms provided by the Data controller for this purpose.

Management of visits and events at our facilities

Manage the visits of educational centers and organizations wishing to visit our facilities.

Identification and contact information

Image

Management and recording of your social network data

Process the information you share with us through your social media profile and maintain a history of these interactions.

Your profile data

Information you share with us to fulfill the requested purpose.

For more information, see the section "How do we process your data in social networks?”

Recording of calls received by the person in charge through the toll-free customer service telephone number.

Provide information in every call of the possibility of have it recorded for quality control purposes so that the user, by continuing with the call, consents to such recording.

Identification and contact information

voice

Customer identification through voice biometrics on customer service calls

Verify your identity, using biometric data through voice recognition technologies to univocally guarantee the identity of the person without the need to answer security questions.

Voice. 

Voice biometric data.

These Processing is necessary where there is a need to protect an interest essential to the life of the Data Subject. Particularly, these are Processing activities that may serve both important public interest purposes and the vital interests of the Data Subject, such as when the processing is necessary for humanitarian purposes, including the control of epidemics and their spread, or in humanitarian emergencies, in particular in the event of natural or man-made disasters.

Purpose

Essential supplies.

In order to be able to maintain the supply -even in case of non-payment-, the Data controller may request specially protected data from the Data Subject in order to justify the need to maintain the supply in case of medical emergencies, such as the need for maintenance of oxygen machines or similar.

 

Additionally, throughout the relationship with the Data Subject, the Data controller may request the Data Subject's consent for new processing and purposes, which will be accordingly informed in each case.

With whom will we share the Personal Data?

As a general rule, the Data controller will not share your Personal Data with third parties.

When we identify that we will be required to communicate your Personal data to a Third Party, we will inform you at the time of collection about the identity or categories of the potential Recipients to whom we may need to communicate your Personal data. Generally speaking, we will be referring to the following Recipients:

 i. Competent authorities and bodies, courts, tribunals, or any other legitimate Third Parties according to applicable regulations;

ii. Third party holders of files for the fulfillment of monetary obligations, when the client incurs in a default of payment, and the legitimizing requirements established in article 20 of the LOPDGDD are met;

iii. Third Parties that own services or products that the Data Subject voluntarily requests, (e.g., when the user wants to take advantage of an offer from another company of the Repsol group or a partner or request financing);

iv. Other Repsol group companies for profiling, and/or sending commercial communications, provided that the Data Subject has consented or there is a legitimate interest as described in the section. As mentioned above, such profiling is carried out based on the aggregate analysis and association of the information obtained by our own means or through our points of sales, our own knowledge of the market and its evolution, as well as the sales process of products or services of the Repsol Group.

The Data Subject may check the list of companies of the Repsol Group to which we will transfer the data for profiling and commercial offers above in the definitions section under Companies of the Repsol group that are assignees of the Personal Data.

Furthermore, it is also possible that Third-Party suppliers may have access to the Data Subject's Personal Data in order to provide services to the Data controller, related to the purposes about which you are being informed (including, but not limited to, companies operating in the following sectors: technology, legal advice, marketing, multidisciplinary professional services, IT services, etc.). These suppliers will only access the Personal Data to carry out their services on behalf of the Data controller, under obligation of confidentiality and always following the Data controller’s instructions, without at any time using such data for their own purposes and/or unauthorized purposes.

Finally, and during an internal investigation, the data may be communicated to the Ethics and Conduct Committee of the Repsol Group.

Will Personal Data be subject to international transfer?

The Personal Data may be internationally transferred as a result of the Data controller’s relationship with service providers, especially technical support services and with Repsol Group companies to fulfil the purposes (e.g., purposes relating to international assignment). In any case, international data transfers will be carried out with the adequate safeguards described below and in accordance with any local legal requirements. You can request more information about data transfer and the appropriate safeguards applied by contacting the local Compliance or Legal Services divisions. 

Your Personal data will not be transferred to countries located outside the European Economic Area, unless the European Commission has issued an adequacy decision stating that the recipient country provides a level of Personal data protection equivalent to that provided at the European level. This consists of a declaration by the European Commission that a non-EU country offers an adequate level of Personal data protection equivalent to that provided by European regulations, making it possible to transfer the Personal Data to a Third Party established in that country outside the EU without Repsol, as the data exporter, having to offer further guarantees or being subject to additional conditions. In other words, transfers to an "adequate" third country will be assimilated to a transmission of data within the EU. In the absence of an adequacy decision, your Personal Data may only be transferred to a third country with the provision of adequate safeguards. Such adequate safeguards include, but are not limited to:

  • Binding Corporate Rules (also known as "BCR" or "Binding Corporate Rules") in the case of corporate groups or the union of companies engaged in a joint economic activity, which enables the flow of Personal data on the basis of a self-regulation accepted and assumed by each of the signatory entities.
  • Standard Contractual Clauses (also called "SCC" or "Standard Corporate Rules") signed between the exporter of Personal Data from any of the EEA countries and a third country. It is a contractual agreement whose model has been approved and published by the European Commission and aligned with the provisions of the GDPR.
  • Adherence to a code of conduct or a certification mechanism together with binding and enforceable commitments made by the recipient in relation to the implementation of appropriate safeguards for the protection of the Personal Data transferred.
  • In the lack of an adequacy decision, or of the adequate safeguards detailed above, your Personal Data may exceptionally be transferred to a third country or international organization, in application of the mechanisms that may be recognized by applicable legislation.

Repsol, in order of preference, will carry out the International Transfer under the following safeguards:

 

Safeguard        

Criteria used by Repsol

Adequacy decision issued ECC

Measure included as preferred by Repsol. You can find the list of countries subject to an adequacy decision at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en  

Binding Corporate Rules

In the absence of an Adequacy Decision, it will be the preferred safeguard measure that Repsol will request from the data importer. You can find the list of entities that have BCR here: https://edpb.europa.eu/our-work-tools/accountability-tools/bcr_en?page=1 

Standard Contractual Clauses

As a secondary safeguard mechanism in the absence of the above, we will proceed to subscribe and/or request a copy, as appropriate, from the data importer of the signed version of the Standard Contractual Clauses aligned with the European Commission's models.

 

How long will the Data controller process Personal Data?

In general, the Data controller will process Data Subject’s Personal Data for as long as the commercial and/or contractual relationship remains in force. However, each Processing will be properly informed when the collection takes place including in a timely and specific manner the retention period, including those defined by law such as video surveillance activities or internal complaints.

At the end of this period of Processing, the Data controller will keep the Personal Data blocked for the period of limitation of criminal, civil, commercial and/or administrative liabilities of any kind.

What are the Data Subject rights?

At any time, you may exercise a series of rights regarding the processing of your Personal data. We will inform you at the time of collection of the Personal data as they may be different according to the local regulations These rights are inherent to each person and, therefore, are inalienable and are as follows as long as they are recognized in accordance with local regulation:

 

Right of access

The right to access Personal data processed by the Data controller according to Article 15 of the GDPR.

Right to rectification

The right to request that the Data controller rectify certain personal of the Data Subject according to Article 16 of the GDPR.

Right to object

The right to object to Processing based on consent or on the existence of a legitimate interest (including, but not limited to, the sending of commercial communications), according to Article 21 of the GDPR. In cases that the Processing is based on the existence of a legitimate interest, the Data Subject will have the right to request the balancing test carried out by the Data controller. Furthermore, when the Processing is for the purposes of sending own or third-party commercial information, the Data Subject may opt-out free of charge and voluntarily to an advertising opt-out mechanism (more information can be found here: https://www.listarobinson.es/).

Right to erasure

The right to request that the Data controller deletes all or part of the Data Subject’s Personal data according to Article 17 of the GDPR.        Please note that while the commercial and/or contractual relationship that we maintain with you continues to be in force, there is a series of Personal Data that is necessary for us to process in order to comply with the contract, so while it lasts we cannot delete, block or cancel them, because otherwise it would prevent us from complying with the contract.

Right to the limitation to the processing

The right to limit the Data Controller’s processing of your Personal data, provided that one of the conditions established in Article 18 of the GDPR are met.

Right to data portability

The right to receive the data you have provided to the Data controller in a structured, commonly used and machine-readable format and to have it transmitted to another Data controller (or have it transferred directly to the new Data controller, where technically feasible), according to Article 20 of the GDPR.

Right to withdraw consent

For the types of processing identified in the section on Processing based on the consent from the Data Subject, without such withdrawal of consent having a retroactive effect, according to Article 7.3 of the GDPR.

The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or affects you significantly

The Data controller informs the Data Subject that, notwithstanding the fact that decisions are made based on automated systems, these decisions (i) either do not produce legal effects or significantly effect on the Data Subject; (ii) or are not taken exclusively in an automated manner.

 

These rights may be exercised by sending a communication to the address of the Data Controller or through the following address: rgpd.crc@repsol.com.

If you believe that we have processed your data inappropriately and in breach of Personal data processing regulations, or if you do not agree with how we attended to your wish to exercise your rights, please contact the corresponding Data Protection Officer, if the Data Controller company has one, or failing that: rgpd.crc@repsol.com. Likewise, you may, at any time, file a complaint with the relevant Supervisory Authority (in the case of Spain, the Spanish Data Protection Agency).

Please note that, given the different local regulations, there may be some of the rights described above that are not recognized by the country's local regulations and therefore may not apply to you. This is the case of the most recently incorporated in the GDPR, such as portability or the right not to be subject to a decision based only on automated processing, for example.

What is our policy regarding the Personal Data of children under legal age?

In most cases, the Data controller will only process the data of people of legal age (18 and over). However, there may be situations, for example, during a promotional action, where data of children under legal age is processed. In this case, Consent and authorization will be requested from parents or guardians if the minor has not yet reached the legal age of consent established in the relevant local data processing regulation. If you are a child and are not sure you understand anything we explain, please ask your parents or guardians for help.

Regarding the use of social networks, we recommend that parents or guardians regularly check and supervise their children's Internet activity. Please make sure that your children do not provide us with Personal Data without asking for your authorization and consent.

At any time, you can exercise the rights of children under under your care who are under the age of consent by proving your legitimacy as a parent or guardian.

 

What happens if you provide us with Third Party data?

In the event that, in the course of a relationship with us, you provide us with third-party data, please note that you are solely responsible for obtaining their prior consent to communicate their Personal Data to the Data controller for the purposes you are informed of in each case, as well as for having informed them of the content of this Policy.

You are responsible for holding all Repsol Group harmless from any liability arising from the lack of information and/or consent to the Third Party.

 

What happens to my Personal Data when I share any content from an Online Service with someone else?

Some of our Online Services may give you the option to share some content with others, although you should know that you will be the one to perform this action by your own means. Repsol does not send or use any Third Party recipient’s information or data to whom you may be sharing any information.

 

How can you cancel Your Account in the Repsol Single Registry and/or in an Online Service?

You can cancel Your Account by sending an e-mail to sacportal@repsol.com.

Be aware that if you cancel your account, you will no longer be a Repsol Single User, so you will no longer be able to access any of the Online Services you were registered. Remember, any application for any Online Service shall require you to have Your Account, meaning to previously have obtained you Repsol Single User.

You may unsubscribe from any Online Service by following the instructions provided by us and/or specified in the applicable terms and conditions. If you unsubscribe from a particular Online Service, you will simply stop enjoying and benefitting from the use of that Online Service as  stated in its particular terms and conditions. Your Account will remain in effect if any Online Service is active.

What happens when I decide to create my Repsol Account through my social media accounts with the Social Login?

In certain cases, when you decide to create Your Repsol Account you can do so without having to complete all the fields of the registration form through the so-called "Social Login" by using your registration in social networks; simply by clicking on the corresponding logo to allow the social network to provide your Personal Data linked to your profile (your name, surname, profile image, email) to Repsol for creating Your Repsol Account. In other words, during the registration process you will be redirected to a federated authentication service that checks the credentials and, if they are correct, returns the information to the requested service, in this case, Your Repsol Account space. You can find more information about how the different federated identity systems work in the following links:

This Personal Data will be processed together with those generated from the use of Your Account for the purposes informed by Repsol in the registration of our Online Services. In any case, the social network allows you to select your privacy preferences to avoid certain exchanges of Personal Data. For more information, you may consult each social network privacy policy.

 

How do we process your data in social networks?

We recommend that you avoid including Personal Data -yours or Third Parties'- when you interact with us on social networks. However, if you choose to include personal information, you should be aware that your Personal Data will be processed by us in accordance with this Policy.

Specifically, the data you provide us through any social network will be processed by Repsol, S.A. as Data controller, with registered office in Madrid, Calle Méndez Álvaro 44, 28045, in order to relate and interact with you in different social networks for the purpose of you knowing us better, as well as our activities and values. This channel is not the one we recommend you for filing complaints or suggestions, however, in the event you decide to use it, we shall request your consent to share your minimum Personal Data to the company of the Repsol Group you are inquiring for and have its customer services to attend your request properly.

The legitimate basis for this processing is your consent and its processing and duration will be limited to the strictly necessary to provide you with a response. Please note that, any interaction with us through social networks is subject to the social network terms of use, meaning that such terms of use are beyond our control and as such, not covered by this Policy. Make sure when logging through a social network, that you are aware of the social media applicable privacy policy and legal terms, before providing any Personal Data.

This Policy does not apply to those data processing that may be carried out from Third Party websites even though you may access clicking on a web link from our environment.

 

Can we change the terms of the Policy?

We may modify this Policy at any time, but we will always inform you of any significant change sending you a notice. Whenever we make minor changes to our Privacy Policy, we will update it with a new effective date that will be included in the document. Modifications will not apply retroactively and will be effective as of the date of publishing. We recommend that you regularly check the Policy that you can find on our websites.

 

What are your responsibilities?

You are responsible for all of the data you provide to us, for the veracity, accuracy, validity, updating, and authenticity of said data, as well as for the consent you give us so that your data may be used/processed. You are also responsible for third-party data you provide to us and for which, you undertake to obtain their consent and making available the information we usually provide our users for any data processing as well as our privacy policy.

You are responsible for regularly checking this Policy and any updates made to it.  Further, if your job involves the processing of Personal Data, you are responsible for ensuring that you do so in accordance with the applicable privacy regulations and local legislation.

Last updated: January 7, 2024