Privacy Policy

1. Introduction to the Privacy Policy

Welcome to VELATIA’s privacy policy. Hereinafter, the name VELATIA refers to any of the companies that form part of VELATIA, a list of which can be found at here.

Contact details for any matter relating to data protection:

  • Business address: Plaza Euskadi 5, Planta 18-5  48009 Bilbao, Spain.
  • Email address for matters relating to the exercise of data protection rights: dataprivacy@velatia.com

For more information about contacting VELATIA or its companies, please read our legal note.

The aim of this website’s Privacy Policy is to comply with the duty to provide information and transparency as set out in Article 12 of Regulation (EU) 2016/679 on the protection of personal data. As well as in cases where the duty to provide information has been fulfilled through basic “first layer” information in accordance with Article 11 of Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights, this privacy policy corresponds to the additional information known as “second layer”, whose required elements are those described in Articles 13 and 14 of Regulation (EU) 2016/679 on personal data protection.

2. The Meaning of ‘personal data’

‘Personal data’ means any information relating to an identified or identifiable natural person. This means any person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. an IP address – if it can be used to identify the person) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

In short, this includes data that, either by itself or with other data in our possession or available to us, can be used to identify you.

3. Processing of Personal Data

’Processing’ means any operation or set of operations performed on your personal data. VELATIA sets out below the detailed information on each processing operation in accordance with the guidelines established by the Spanish Data Protection Agency.

  1. A. Job Application Processing whose purpose is to manage the CVs of job applicants as well as the operations involved in the recruitment process.
    1. a. Data category: identifiers including contact details, national identification number and personal image; employment history.
    2. b. Legal basis: The data subject’s consent (art. 6.1.a GDPR) in the case of spontaneous applications and in all other cases, pre-contractual relationship (art. 6.1.b GDPR).
    3. c. Data validity period: The data remain valid for three years.
  1. B. Entry Control Processing whose purpose is to register the persons who wish to enter our premises.
    1. a. Data category: identifiers.
    2. b. Legal basis: Legitimate interest based on the need to maintain the safety of persons on the premises (Art. 6.1.f GDPR).
    3. c. Data validity period: The data remain valid for 30 days. Once this period has expired, the data are deleted.
  1. C. Contact Management Processing whose purpose is to record the details of the contact persons who work for our customers and suppliers, as well as those of the persons with whom we have a business or institutional relationship.
    1. a. Data category: identifiers such as first name and last name(s); contact details such as telephone and fax number, email address, postal address; professional details such as job title or position.
    2. b. Legal basis: Legitimate interest based on the need to maintain business relations (Art. 6.1.f GDPR).
    3. c. Data validity period: The data remain valid for the duration of the relationship that gave rise to their collection. Once the relationship has ended, the data may be kept blocked pursuant to Article 32 of Organic Law 3/2018 in the event that legal liabilities may arise.
  1. D. External Personnel Processing whose purpose is to perform the set of operations established in the coordination of business activities defined in Spanish Law 31/1995 on Prevention of Occupational Risks developed in Royal Decree 171/2004.
    1. a. Data category: identifiers such as first name and last name(s); professional details such as job title or position and type of contract; salary details included in Social Security forms TC1, TC2 and ITA; data relating to assigned PPE; data recorded on entering premises.
    2. b. Legal basis: fulfilment of legal obligations established for the prevention of occupational risks (Art. 6.1.c GDPR).
    3. c. Data validity period: The data remain valid for the duration of the relationship that gave rise to their collection. Once the relationship has ended, the data may be kept blocked pursuant to Article 32 of Organic Law 3/2018 in the event that legal liabilities may arise.
  1. E. Video Surveillance Processing whose purpose is to ensure the perimeter security of the facilities, as well as of the goods and persons located therein.
    1. a. Data category: images recorded using cameras.
    2. b. Legal basis: Legitimate interest based on the need to maintain the safety of the premises (Art. 6.1.f GDPR).
    3. c. Data validity period: The data remain valid for 30 days. Once this period has expired, the data are deleted.
  1. F. Communication and Marketing Processing whose purpose is to maintain business relations with customers, future customers, current or potential suppliers and anyone interested in the activities and products of VELATIA’s companies. Among the activities of this processing may be requests to receive newsletters, collecting data from a form to manage requests for information on VELATIA’s products or activities, sending commercial communications via email and any other activity considered to be within the scope of marketing and communication. In accordance with Spanish Law on Information Society Services, you may unsubscribe from commercial communications at any time without this affecting the validity of your personal data in the systems.
    1. a. Data category: identifiers such as first name and last name(s); contact details such as email address, phone number, work address and job title or position.
    2. b. Legal basis: Legitimate interest based on the marketing activities in which the data subject has shown an interest (art. 6.1.f GDPR) by requesting information via the website contact form; or by giving consent to receive newsletters and emails (art. 6.1.a GDPR).
    3. c. Data validity period: The data remain valid for the duration of the business relationship and provided that the data subject does not withdraw their consent or request the erasure of their data. Outdated or obsolete data will be erased as soon as this circumstance is detected.
  1. G. Website Browsing Information. There may be cookies used for monitoring purposes or to produce statistical information about the use of our platforms, as well as to analyse and improve its functionality. To find out more about the information collected, type of data and data validity periods, you should read our Cookies Policy.

4. Disclosure of Personal Data to Third Parties

We may disclose your personal data to third parties, including, among others, the following:

  1. Jointly responsible companies within our group, maintaining the purposes and legal bases of the processing.
  2. Third parties that provide us services and that help us and our group of companies to operate our business. For example, sometimes a third party may have access to your personal data in order to support our information technology or handle mail on our behalf. We have concluded appropriate data processor agreements with these third parties.
  3. Our legal advisers and other professional advisers and auditors.
  4. As and when necessary to meet a legal requirement, for the administration of justice, to protect vital interests, to protect the security or integrity of our databases or this website, to take precautions against legal liability.
  5. Regulatory authorities, courts and administrative bodies, in order to meet legal and administrative obligations, such as tax or labour obligations, for example.

International Transfers of Personal Data:
There are no plans to transfer personal data to countries outside Europe.

5. Security of personal data

We strive to use appropriate technical and physical security measures to protect the personal data transmitted, stored or otherwise processed from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access thereto, in relation to our website. These measures include IT safeguards and protected files and facilities. Our service providers are also carefully selected and must use suitable protective measures. Industry-standard SSL encryption is used on the website to protect data transmissions. The majority of current browsers accept the level of security necessary to use these areas.

6. Your rights under current data protection legislation.

You have various rights under the data protection laws. These may include (where applicable). Anyone has the right to:

  • Obtain information as to whether or not VELATIA is processing personal data that concern them.
  • Request access to personal data, which means knowing which of your personal data we have.
  • Rectification, including the right to request that we correct inaccurate personal data.
  • Request restriction of data processing that concerns you or to object to the processing of your personal data.
  • Request erasure of your personal data when they are no longer necessary in relation to the purposes for which they were collected.
  • Object to the processing of your personal data unless you have given your prior consent and unless we demonstrate compelling legal grounds for the processing or for the defence of possible legal claims.
  • Data portability, which includes receiving your personal data in a commonly used and machine-readable format in certain circumstances, provided that the processing is carried out by automated means.
  • Withdraw your consent to any processing to which you previously gave that consent.

Please note that your ability to exercise some of these rights may be restricted in the event of legal or other limitations that the organisation must justify in responding to your request. You may apply to exercise your rights by writing to the email address provided for this purpose or by making an enquiry about your rights using the contact channels identified in the introduction.

In order to process your application, it will be necessary to check your identity and verify that you are the data subject, so your email or enquiry should include your first name, last name(s), national identification number, the specific application request, and the address where you wish to be notified of the response. If necessary, we may ask you for a copy of the document certifying your identity.

If you wish, we can send you a suitable form that will help you complete your application in accordance with Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights.

If your application were disregarded, you may contact the corresponding supervisory authority, the Spanish Data Protection Agency, whose website is www.aepd.es and postal address is Calle Jorge Juan 6, 28001 Madrid, Spain.

7. Links

The VELATIA website may include hyperlinks to other websites that are not operated or controlled by VELATIA. Therefore, VELATIA neither guarantees nor assumes liability for the legality, reliability, usefulness, accuracy and timeliness of the content of such websites or their privacy practices. Before supplying your personal information to such websites, please be aware that their data protection compliance may differ from ours.

8. Updates and Changes to this Privacy Policy

The text of this privacy policy was updated in March 2024.

VELATIA may amend its Privacy Policy without prior notice in accordance with the applicable laws in force at any given time and in keeping with any changes that may occur in its privacy management system.