In compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights, we inform you that the data you provide will be incorporated into a database whose Data Controller is: ZENITH ESTEPONA B-19786896.

• Postal address: Algeciras (C.P.: 11201), calle Radio Algeciras núm. 9, 4th floor.
• Phone: 683 251 369
• Email: proteccion.datos@zenithestepona.com
• Any mention of “we” or “us” in this privacy notice refers to the above entity.

I.– What data do we process?

The execution of our business relationships requires the processing of data relating to our customers. If this data relates to a natural person (e.g. if you are a self-employed professional and enter into a relationship with us), it is considered personal data. Irrespective of the legal form of the contractual partner, we will process data relating to contact persons acting as a customer.

Please make this data protection information document available to persons in your organization who are involved in the business relationship with us (“contact persons“).

1. Basic Data: We process a certain amount of general data regarding our customers and contact persons and their working relationship with us, collectively the “basic data”. Basic data includes:
2. a) Any information provided to us during the establishment of the business relationship or requested by us from our customers or a contact person (e.g., name, address and other contact information; and
3. b) Any information collected or processed in connection with the establishment of the business relationship (e.g., details of agreements entered into).
4. Performance Data: As long as the business relationship is ongoing, we will collect personal data, beyond merely updating your basic data, which will be processed and referred to as “performance data”. Performance data includes:
5. a) Information on the fulfillment of the contractual obligations of our customers, in relation to the agreements entered into.
6. b) Information on the fulfillment of our contractual obligations, in relation to the agreements entered into.
7. c) Information that a customer or contact person has provided to us during the term of the business relationship, either on his or her own initiative or upon our request; and
8. d) Personal data provided to us in the course of a business relationship, by our customer, a contact person or third parties.
9. To the extent permitted by law, we may add personal data provided by third parties to the above basic and performance data. Such data may include information regarding the credit/trade rating of our customers, if required for financial risk assessment (e.g., late payments).
10. For what purposes and on what legal grounds do we process your personal data?
11. We process basic, performance and usage data for the performance of the contractual relationship with our customers or for pre-contractual measures in application of Article 6.1 (b) of the GDPR. Irrespective of the legal form of our customers, we process basic and performance data in relation to one or more contact persons for the purposes of our legitimate interest in the execution of the business relationship in application of Article 6.1 (f) of the GDPR.
12. We may also process basic, performance and usage data in compliance with our legal obligations; this processing is carried out pursuant to Article 6(1)(c) of the GDPR. Legal obligations may include, in particular, mandatory communication of personal data to (tax) authorities.
13. To the extent necessary, we carry out processing of personal data (other than processing on the grounds of a business relationship or to comply with our legal obligations) for the purposes of our legitimate interest or the legitimate interests of third parties, in accordance with Article 6(1)(f) of the GDPR. Legitimate interest may include:
14. a) Processes, at group level, for the internal management of customer data.
15. b) The filing of or defense against legal actions.
16. c) Crime prevention and investigation.
17. d) Maintaining the security of our computer systems.
18. e) Maintaining the security of our facilities and infrastructure.
19. f) Management and development of our business operations, including risk management.
20. If we present a natural person with the option to consent to the processing of personal data, we will process the personal data included in the consent for the purposes specified in the consent, pursuant to Article 6(1)(a) of the GDPR.

Please note that:

The declaration of conformity is voluntary. However, your lack of consent or subsequent revocation of consent may have consequences, of which we will inform you before presenting you with the option to declare your consent.

You may revoke your consent at any time with effect for the future, e.g. by notifying us by post, fax or e-mail, using the contact details given on the first page of this data protection notice.

III. Is there an obligation to provide personal data?

Submission of the basic and performance data specified in Section I hereof is necessary to initiate and maintain a business relationship with us, unless otherwise specified prior to the collection of such data. Without the provision of such data, we will not be able to initiate and maintain a business relationship.

If we request new information, we will inform you whether the request for information is based on legal or contractual obligations, or is necessary for the performance of a contract. We usually indicate which information is not required by law or contract, nor is it necessary for the performance of a contract, and can be provided voluntarily.

1. Who has access to personal data?

Generally, the processing of personal data is carried out within our company. Depending on the categories of personal data involved, only certain specialized departments/divisions may have access to your personal data. Such divisions include, in particular, the Sales Department and – in case the processing is carried out via our IT infrastructure – also our IT department. Based on a role/rights management model, access to personal data is limited to the functions and to the extent necessary to fulfill the specific purpose of the processing.

To the extent permitted by law, we may transfer your information to recipients outside of our company. Such outside recipients may include:

• Subsidiaries of ZENITH ESTEPONA
• Service providers who (pursuant to individual contracts with us) provide services that may include the processing of personal data, as well as subcontractors of such service providers.
• Public and private bodies, insofar as we are obliged to transfer your personal data because of a legal obligation to which we are subject.

1. Do we use automated decisions?

We do not normally use automated decisions (including profiling).[1] during the term of the business relationship, within the meaning of Article 22 of the GDPR. Should we apply such procedures in the future, we will inform the data subjects individually, in accordance with the applicable legal provisions.

1. Is the data sent to countries outside the EU/EEA?

The processing of personal data is carried out within the European Union or within the European Economic Area.

Transfer of data to non-EEA countries

Where personal data is transferred to locations outside the European Union/EEA, we will ensure, as required by law, that your data protection rights are adequately protected, either because the European Commission has decided that the country to which the personal data is transferred ensures an adequate level of protection (Art. 45 of the GDPR) or because the transfer is subject to adequate safeguards (e.g. standard contractual clauses) of the European Union agreed with the recipient (art. 46 of the GDPR), unless the GDPR provides for an exception (art. 49 of the GDPR). In addition, where necessary, we intend to agree additional measures with recipients to ensure an adequate level of data protection. Copies of appropriate safeguards (where we rely on them) and a list of recipients outside the EEA are available upon request.

VII. How long is the data retained?

Normally, we retain personal data for as long as there is a legitimate interest in its retention and the data subject’s interest in refraining from processing does not prevail.

Even if there is no legitimate interest, we may retain data if there is a legal obligation (e.g., to comply with legal retention obligations). Even if no action is taken by the data subject, we delete personal data as soon as their retention is no longer necessary for the purposes for which the data were collected or otherwise processed or if, for some other reason, their retention is not permitted by law.

In general, basic data and all other data collected during your business relationship will be retained at least until the end of the relevant business relationship. The data will be deleted, in any case, if the purposes for which they were collected or processed have been fulfilled. This time will come after the end of your business relationship with us. In the event that personal data must be retained in order to comply with a legal obligation, such data will be retained until the end of the relevant retention period. Pursuant to the provisions of Law 10/2010, the retention period of documents relating to PBCyFT, will be retained for a period of 10 years.

In the event that personal data is processed solely to comply with a legal obligation, access to such data is usually restricted in such a way that the data is only available if it is required for the purposes of such obligation.

VIII. What are the rights of data subjects in the processing?

Those interested in the treatment may:

• Request access to your personal data, Article 15 of the GDPR.
• Request the rectification of erroneous personal data, Article 16 of the GDPR.
• Request the deletion of your personal data, Article 17 of the GDPR.
• Request the restriction of the processing of your personal data, Article 18 of the GDPR.
• Exercise your right to data portability, Article 20 of the GDPR.
• Oppose the processing of your personal data, Article 21 of the GDPR.

The aforementioned rights may be asserted against us, for example, by notifying us using the contact details listed on the first page of this data protection information document.

You are informed that ZENITH ESTEPONA has appointed a Data Protection Delegate (“DPD”) to whom you may report any issue regarding the processing of your personal data. You may contact the “DPD” through the following e-mail address: proteccion.datos@zenithestepona.com Or you can contact us by postal mail indicating: Data Protection Delegate. Algeciras (C.P.: 11201), Radio Algeciras street no. 9, 4th floor.

Moreover, the data subject may lodge a complaint regarding the management of his or her personal data with the competent supervisory authority, in accordance with Article 77 of the GDPR.