•         1. Personal data controller (*)

CEPSA COMERCIAL PETRÓLEO, S.A.U., (hereinafter CCP or Cepsa, indistinctly), with tax ID No.: A80298896, with registered office: Paseo de la Castellana, 259 A, 28046-Madrid (Spain) data protection delegate: dpo@cepsa.com.

(*) If you have contracted products and/or services with COMPAÑÍA ESPAÑOLA DE PETRÓLEOS, S.A. (CEPSA), NIF: A28003119 and registered office at  Paseo de la Castellana, 259 A, Postal Code 28046 Madrid (Spain), this company will be considered Data Controller.

•         2. Purpose of personal data processing

The personal data provided at contracting time, as well as those provided in the future as a result of their development, will be incorporated in a CEPSA personal data protection registry for the following purposes:

1.     a) To provide, manage, control and maintain the contractual or commercial relationship requested;
2.     b) Manage the creation of a unique User ID within the Cepsa Group;
3.     c) Maintain a direct relationship with the client for advertising, promotional and/or statistical purposes (including the creation of profile segmentation to adapt the offers and marketing activities to each client), regarding the activities that CEPSA performs by conventional and/or electronic means(e-mails, SMS, purchase ticket…). These communications will also refer to benefits or advantages of third party companies, always communicated through Cepsa, which will be based on partnership agreements regarding the following sectors: Leisure, travel, culture, credit cards and means of payment, automotive, transportation, insurance, distribution and financing, gifts, fashion, home, technology.
4.     d) Perform market segmentation and customer profiling through analysis of the use of the services offered, with the aim to adapt the offers and marketing activities to each customer, offering customized products and services.
5.     e) To provide the requested services and information, whether by the web, ordinary mail or by telephone. Record telephone conversations made to customer Service, in order to ensure a better service quality. Additionally, e-mails may receive a receipt and reading confirmation.
6.     f) Address any potential incidents that may occur, as well as develop satisfaction surveys on the contracted product or service. The customer may be contacted if any fraud or identity theft is detected or suspected.
7.     g) Analyze the risk and compare or cross-check your data in order to verify the accuracy and truthfulness of the data in relation to the companies providing capital solvency, credit and fraud prevention services.
8.     h) Where appropriate, manage the cash obligations compliance regarding non-payments that may occur from the customer. To this end, this economic information may be included in a Cespa Group companies shared file, available at www.cepsa.com, for the same purposes. In this respect, the consultation of files relating to the non-compliance of cash obligations may lead Cepsa as a marketing company to take decisions with legal effect which may affect the client, and may result in the non-entry into force of the contract or condition the same to a payment guarantee. Nevertheless, CEPSA will always give the customer the possibility to allege everything he deems relevant in order to defend his right or interest.
9.     i) Manage customer data as a website User.
10.     j) Manage and maintain, if applicable, customer data, through the promotional benefits and advantages system “Porque TU Vuelves” as well as control, manage and maintain its inherent services. (For more information of “Porque TU Vuelves” view the conditions at www.porquetuvuelves.com).
11.     k) In cases where the customer has registered on the website through social networks, validated his personal data, contact the customer if any fraud or identity theft is detected or suspected in the social networks, contact him and forward any personal communications and/or offers through customer profiling and/or conduct market segmentation, conduct behavioral advertising studies or to obtain statistical samples that can help the company improve the customization of the products and services offered to the same.

•         3. Third party personal data

In the event that the provided personal data was of a third party, the customer guarantees that he has informed the third party of this privacy policy and obtained his permission to provide Cepsa his data for the stated purposes. It also ensures that the data provided is accurate and up-to-date, it being responsible for any loss or damage, direct or indirect, that might arise as a result of the non-compliance of such obligation.

•         4. Personal data storage period

The personal data provided shall be kept until the contractual relationship is maintained, its deletion is not request by the interested party and should not be deleted for the fulfilment of a legal obligation or for the formulation, exercise and defense of claims.

If the customer revokes his consent or exercises his rights of cancellation or deletion, his data shall be kept blocked at the disposal of the administration of justice within the time limits legally established to meet the possible responsibilities derived from the processing of the same.

•         5. Legitimacy for personal data processing

Authentication for data processing is based on:

1.     a) The customer has provided his personal data for precontract or contractual relations, and therefore the processing is necessary for the maintenance of this relationship.
2.     b) The legal obligations applicable to Cepsa that require the processing of personal data according to the services provided.
3.     c) CEPSA legitimate interest in processing the same is the strictly necessary for the prevention of fraud during the duration of the contract, or to send commercial communications directly related to the contracted services.
4.     d) The User’s consent for all other scenarios, including sending commercial communications for third party products, services, benefits and/or advantages, always through Cepsa, for advertising or promotional purposes, for the installation of tracking systems that report on navigation habits according to the Cookies Policy, or for the use of information related to his geographical location. The withdrawal of this consent will never affect the performance of the main contract.

•         6. Origin of the personal data

The personal data that Cepsa will process is for the provision of the contracted services which have been provided mainly by the customer during the contracting process, such as name, surname, address, contact data, means of payment data. The customer is responsible for its accuracy and updating.

Furthermore, Cepsa may also obtain information collected through the web, as well as the use of the contracted services, such as statistics or navigation data, or in its case, of interests and consumption through the Cepsa program “Porque TU Vuelves”.

Also, if the User has registered in the website through social networks, CEPSA will be able to obtain public information available on the internet such as his username, sex, date of birth, “likes” clicks, "tweets," number of followers, number of users followed, profile and location information (if it was declared by the User). In the case of Facebook, the customer may select from the requested permissions those that do not wish to provide.

CEPSA will use an authentication token system (a encoded security key that facilitates access to the network) for User identification or registration and can make the access to the private customer area easier.

In no case data from third parties will be collected from the User. The customer data will be entered by the same on the social networks and behavioral analysis and market segmentation will be obtained from comments or “tweets” automatically without human intervention. The User is informed of the possibility of editing the information he wants to share with CEPSA, allowing a wider access or restricting the information he wants to share, as well as the possibility to revoke the consent given at any given time.

Furthermore, data from the client’s device or terminal may be collected, provided that he has granted its consent for this, in order to facilitate the provision of services, to perform advertising activities and to provide him with personalized and appropriate information according to his location. The customer may at any time disable the access to geolocation data, as well as revoke the consent provided for his geolocation, by configuring the settings on his device or terminal. 

•         7. Transfers and recipients of personal data

All data assignments which Cepsa will perform are necessary for the fulfilment of the stated purposes, or are performed in order to fulfil a legal obligation regarding the following companies and public organizations:

1.     a) Cepsa Group companies, available at www.cepsa.com.
2.     b) Government agencies and the judicial administration system.
3.     c) Companies providing financial solvency services, credit and fraud prevention, for risk analysis and to collate or analyze data in order to verify the accuracy and veracity of the same and companies providing payment services.
4.     d) Insurance, reinsurance, guarantee funds companies or any other third party acting as a guarantor of the risk or transactions when the customer uses Cepsa means of payment, in case the issuer of the payment means has agreements with the companies indicated and for the sole purpose of identifying his registration as a Cepsa cardholder.
5.     e) Where appropriate, distribution companies, in order to manage access to the network, User’s identity, address, consumption and non-payment situations, said data being incorporated in the supply points information system file, under the responsibility of the distribution company.
6.     f) Companies and entities collaborating with Cepsa, for the organization, management and/or promotion of competitions, events, special offers, and prize draws, in the event that the Participant has decided to register and/or take part in them.
7.     g) Cepsa suppliers: Cepsa has arranged a contract with Amazon Web Services, Inc. and Salesforce.com Inc. for its IT infrastructure and customer management using the “cloud computing" model under the EU-US Privacy Shield agreement. Information available at: https://www.privacyshield.gov/Participant?id=a2zt0000000TOWQAA4

The European Union has authorized the Salesforce.com Inc. Binding Corporate Rules (BCR) that allows international data transfers to be made within the business group. However, the User gives his express and unequivocal consent to the international transmission of his personal data to companies domiciled in countries which do not have adequate data protection regulations.

1.     h) Cepsa has hired Google, Weborama Ibérica, S.L. and Salesforce.com Inc. as Suppliers for the purpose of measuring web traffic and customer behavior. Information on Cookies Policy from Cepsa and its suppliers available to the customer in their websites:

• Weborama Ibérica, S.L. - http://www.weborama.com/e-privacy/our-commitment/
• Google Analytics - https://support.google.com/analytics/answer/181881?hl=es
• Salesforce.com, Inc.- https://www.salesforce.com/company/privacy/full_privacy.jsp#nav_info

•         8. Customers’ Rights

The User may exercise before Cepsa Comercial Petroleo, S.A.U., if applicable, his access rights, rectification or suppression, data processing limiting, opposition, portability and opposition to automated individual decisions. He may also revoke his consent if he has granted it for any specific purpose, and may modify his preferences at all times.

The Customer may exercise his rights in the e-mail address: derechos.arco@cepsa.comm, or at the registered office of Cepsa Comercial Petroleo, S.A.U. (Ref.: Data Protection-Legal Advice), at Paseo de la Castellana, 259 A, 28046-Madrid (Spain). The Customer is informed that he can direct any claim regarding personal data protection to the Spanish Data Protection Agency www.agpd.es, Spain Control Authority.