In accordance with the provisions of applicable legislation on the protection of personal data we inform the Data Subject:

1. The personal data controller

RED ESPAÑOLA DE SERVICIOS, S.A.U., RESSA, with Tax ID no.: A25009192 Registered Office: Paseo de la Castellana 259 A, 28046 Madrid, Spain. Data Protection Officer: dpo@cepsa.com.

2. Purpose of personal data processing

The personal data provided at the time the contract is arranged, as well as those provided in the future through the contract, will be added to a processing record owned by RESSA for the following purposes:

1. To provide the requested services and information, whether by the web, ordinary mail or by telephone. Telephone calls may be recorded in order to guarantee the quality of service.
2. To manage and maintain the contractual or commercial relationship requested, attend to any incidents that may arise, as well as carry out satisfaction surveys on the product or service contracted. The Data Subject may be contacted if there are signs of possible fraud or identity theft or they are suspected to exist.
3. Analyze the risk and compare or cross-check your data in order to verify the accuracy and truthfulness of the data in relation to the companies providing capital solvency, credit and fraud prevention services.
4. To manage the fulfillment of the monetary obligations with respect to the non-payments by the Data Subject. To this end, this economic information may be included in a file for shared use by the companies of the Cepsa Group, which can be consulted at www.cepsa.comfor the same purposes.
5. Manage the creation of a unique Customer ID within the Cepsa Group
6. Manage the Data Subject's data as a user of the Website.
7. Carry out segmentation and profiling through analyzing the use of the services offered, with the aim of adapting the offers and marketing activities to each Data Subject, offering tailor-made products and services. 
8. To maintain a direct relationship with the Data Subject for advertising, promotional and/or statistical purposes (including segmenting profiles to adapt offers and marketing activities to each Data Subject), related to the service contracted, and to the activities that RESSA carries out by conventional and/or electronic means (e-mails, SMS, purchase tickets, etc.). Also, such communications may refer to benefits or advantages of entities of the Cepsa Group or of third companies, always communicated through Cepsa Comercial Petróleo, S.A.U., which will be based on collaboration agreements related to the following sectors: Leisure, travel, culture, cards and means of payment, automobiles, transport, insurance, distribution and financing, gifts, fashion, home, technology, etc. You should be aware in order to send these commercial communications, your data will have to be transferred to Cepsa Comercial Petróleo S.A.U., which is responsible for customer management.

3. Third party personal data

If the data provided belonged to a third party, the Data Subject guarantees that he or she has informed the third party of this Privacy Policy and obtained his or her consent to furnish his/her data to Cepsa for the stated purposes. It also ensures that the data provided is accurate and up-to-date, it being responsible for any loss or damage, direct or indirect, that might arise as a result of the non-compliance of such obligation.

4. Personal data storage period

Personal data provided will be kept for as long as the contractual relationship is maintained and no request for its deletion is made by the data subject. They may also be retained where they are necessary for the performance of a legal obligation or to prepare, exercise and defend claims.

If the Data Subject revokes his/her consent or exercises the rights of cancellation or deletion, his/her data will be kept at the disposal of the Administration of Justice for the legally established periods in order to meet the possible responsibilities arising from the processing of personal data.

5. Legitimacy for personal data processing

Authentication for data processing is based on:

1. The fact that the Data Subject has provided his/her personal data for pre-contractual or contractual relations and therefore they have to be processed to maintain that relationship. 

2. The legal obligations applicable to RESSA that require the processing of personal data in accordance with the services provided.

3. The legitimate interest of RESSA for the processing strictly necessary for the prevention of fraud during the contracting process, or to send commercial communications directly related to the services contracted.

4. The consent of the Data Subject, for all other cases including the sending of commercial communications of products, services, benefits and/or advantages of entities of the Cepsa Group or of third parties, always through Cepsa Comercial Petróleo, S.A.U., for advertising or promotional purposes or to install tracking systems that report on browsing habits according to the Cookies Policy. The withdrawal of this consent will never affect the performance of the main contract. The withdrawal of this consent will never affect the performance of the main contract.

6. Origin of the personal data

The personal data that RESSA will process for the provision of services or the delivery of products, such as the name, surname, address, contact details and payment methods, have been provided in most cases directly by the Data Subject. The Data Subject is responsible for their accuracy and for updating them.

RESSA may also obtain information obtained through the use of services contracted by the Data Subject, the consumption of products or the analysis of the Data Subject's interests and habits.

7. Transfers and recipients of personal data

All transfers of personal data that RESSA will carry out are necessary for the fulfillment of the indicated purposes, or are carried out in order to comply with a legal obligation, with respect to the following Companies and Public Bodies:

1. Cepsa Group companies, available at www.cepsa.comand specifically to Cepsa Comercial Petróleo, S.A.U. as the current owner of the Customer System.

2. Government agencies and the judicial administration system.

3. Companies providing credit and capital solvency, credit and fraud prevention services, for risk analysis and for the comparison or contrast of their data in order to verify the accuracy and truthfulness of the same and to payment service providers..

4. Companies and entities collaborating with Cepsa, for the organization, management and/or promotion of competitions, events, special offers, and prize draws, in the event that the Participant has decided to register and/or take part in them. 

5. Insurance companies, reinsurance companies, guarantee funds, or any other third party acting as guarantor of the risk or transactions that the Data Subject carries out with Cepsa means of payment, in the event that the issuer of the means of payment has agreements with the aforementioned companies and with the sole purpose of identifying its registration as the Data Subject of a Cepsa card or means of payment.

6. Cepsa suppliers: Cepsa has arranged a contract with Amazon Web Services, Inc. and Salesforce.com Inc. for its IT infrastructure and customer management using the “cloud computing" model under the EU-US Privacy Shield agreement. Information available at: https://www.privacyshield.gov/Participant?id=a2zt0000000TOWQAA4

   The European Union has authorized the Salesforce.com Inc. Binding Corporate Rules (BCR) which allows international data transfers to be made within the business group. Notwithstanding the foregoing, the Data Subject gives his/her express and unequivocal consent for the international transfer of his/her personal data to companies domiciled in countries that do not have adequate data protection regulations.

• Cepsa has hired Google, Weborama Ibérica, S.L. and Salesforce.com Inc. as Suppliers for the purpose of measuring web traffic and customer behavior. Information available to the Data Subject in Cepsa's Cookies Policy on the Website and that of its Suppliers on their websites:

  Weborama Ibérica, S.L.
  http://www.weborama.com/e-privacy/our-commitment/
  

  Google Analytics
  https://support.google.com/analytics/answer/181881?hl=es>
  

  Salesforce.com, Inc
  https://www.salesforce.com/company/privacy/full_privacy.jsp#nav_info
  

  8. Customers’ Rights

  The Data Subject may exercise, if applicable, the rights of access, rectification or deletion, restriction of its processing, opposition, portability and to oppose individual automated decisions, before RED ESPAÑOLA DE SERVICIOS, S.A.U. The Data Subject may revoke his/her consent if having granted it for any specific purpose, such as sending commercial communications, and may modify his/her preferences at any time.

  The Data Subject may exercise his/her rights at the following e-mail address: derechos.arco@cepsa.com or at the registered office of Red Española de Servicios, S.A.U. (Ref.: Data Protection-Legal Advice), at Paseo de la Castellana, 259 A, 28046-Madrid (Spain). The Data Subject is informed that he may send any type of claim regarding the personal data protection to the Spanish Data Protection Agency www.agpd.es, Spanish Control Authority.