Data protection policy

Who is the controller of your personal data?

The personal data that is provided when interacting with Azkoyen, S.A. (NIF A-31065618), whether through the corporate websites or within the scope of a contractual or pre-contractual relationship with said company, will be processed by them in their capacity as Data Controller.
What is the basic legislation applicable in spain regarding the protection of personal data?
In the private sector, the basic regulations that apply are:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the General Protection of Personal Data (GDPR).
  • Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPD-GDD).


For what purpose and on what legitimate basis do we process your personal data?

Within the scope of commercial relations, Azkoyen, S.A. will process personal data for the following purposes and legitimate reasons:

  • Management of requests for general corporate information, as well as information about our products and services. Basis of legitimacy: express consent of the data subject linked to the sending of a query (art. 6.1 a) GDPR).
  • Formalisation and execution of commercial contracts (purchase and sale, distribution, maintenance services, software licensing, etc.): the processing of the professional contact data of the people involved in the formalisation and execution of contracts (whether they refer to individual entrepreneurs or to people acting as representatives or managers of the legal entities to which they provide their services) shall be processed by Azkoyen on the basis of legitimate interest (art. 6.1 f) GDPR and 19.1 LOPD-GDD).
  • The fulfilment of legal obligations in tax, accounting and administrative matters arising from the contractual relationship established with the data subject. Legal basis for legitimacy: fulfilment of legal obligation (Art. 6.1 c) GDPR).
  • Analysis of IoT records from devices manufactured by Azkoyen and linked to retail outlets the owners of which are natural persons (individual entrepreneurs). It should be emphasised that this is essentially aggregated information and that in no case does Azkoyen process personal data relating to end users/consumers. Basis for legitimacy: execution of contract (Art. 6.1 b) GDPR).
  • Management of the complaints channel as part of the implementation of the Azkoyen, S.A. criminal compliance programme with Legal basis for legitimisation: existence of legitimate interest (art. 6.1 f) GDPR) in relation to article 31 bis 1b) of the Criminal Code.
  • Sending of Azkoyen, SA marketing information to its own customers, by any means (including electronic communications) about products and/or services similar to those previously purchased. Legal basis: Legitimate interest (Art. 6.1.f) GDPR.
  • In the event of obtaining an express consent, the sending of marketing information, by any means, including electronic, by other Azkoyen Group companies and, where appropriate, by third parties that have signed a commercial collaboration agreement with Azkoyen, S.A. Legal basis for legitimisation: Consent of the data subject (Art. 6.1 a) RGPD).
  • In the event of express consent, interaction with social networks in which Azkoyen, S.A. has a user profile (Linkedin, Facebook and Twitter). Legal basis for legitimacy: Consent of the data subject given through the use of the "social buttons or plugins" (Art. 6.1 a) GDPR).
  • In the event of consent to the use of analytical and/or advertising cookies, information will be collected about the browsing habits on our website in order to measure activity on the site and, where appropriate, to send personalised advertising. + cookie policy info Basis of legitimacy: Consent of the data subject (Art. 6.1 a) GDPR).

Within the context of relations with job candidates, Azkoyen, S.A. may process personal data included in the CVs it receives directly or through the e-Preselec platform or other similar platforms. The purpose of this processing is to manage the personnel selection processes and the candidate pool. Basis of legitimacy: application of pre-contractual measures at the request of the data subject (Art. 6.1 b) GDPR), express consent of the data subject linked to the fact that the CV has been submitted (art. 6.1 a) GDPR).
Furthermore, based on the existence of legitimate interest (art. 6.1 f) RPD), Azkoyen may carry out due diligence checks to verify the veracity of the qualifications, certifications and other relevant employment information included in the CVs provided.

To whom will we communicate your personal data?

Your personal data may be provided to external ancillary service providers, with access to personal data, engaged by Azkoyen, S.A., such as IT service providers with access to personal data (technical/computer maintenance service providers, cybersecurity, hosting), environmental management companies, accountancy firms, administrative agencies, personnel recruitment companies, advertising and marketing companies and other auxiliary service providers who will act as data processors under the instructions of Azkoyen, S.A.
The purchase of our products and services will normally be carried out through our distribution network. Your personal data will therefore be passed on to the official distributor nearest to your headquarters/work centre and, where applicable, to the transport or courier companies hired to deliver the products.
If you give your express consent, your data may be transferred for marketing purposes to the other companies of the Azkoyen Group and to organisations that have signed a marketing partnership agreement with Azkoyen, S.A.

Where legally applicable, your data may also be disclosed to public administration bodies, auditors, notaries, legal experts, lawyers, solicitors, courts and tribunals and law enforcement agencies in the performance of their duties.

 How long will we keep your personal data?

Your personal data will be kept only for as long as is necessary to fulfil the purpose for which it was collected. In this regard, when your personal data is no longer necessary for the fulfilment of these purposes, it will be deleted. However, they may be blocked beforehand, remaining exclusively at the disposal of Judges, Courts, Public Prosecutors' Offices or the competent Public Administrations, in particular the personal data protection authorities, for the purpose of dealing with possible liabilities deriving from the processing and only for the applicable statutory period.

  • The personal data obtained through the contact form will be kept only for the time necessary to deal with the request for information.
  • The personal data obtained through the registration form during personnel selection processes will be kept while these processes are open and for a maximum period of three years after their inclusion in the recruitment pool.
    They will then be blocked/deleted, except in the case of candidates who are finally recruited and whose CVs will be included in the employment file (in which case the data protection policy applicable to the employment domain will apply).
  • Personal data obtained through the complaints channel will be kept in the system of that channel for a maximum period of three months, after which the data will be deleted or made anonymous, without prejudice to the fact that in the event of an investigation the data may be processed in the information system of those assigned the functions of control and compliance.
  • Personal data relating to business transactions with customers and suppliers operating as self-employed persons, as well as data relating to the legal and commercial representatives of customers and suppliers will in all cases be kept for the duration of the contractual relationship and for six years after its termination, and this period may be extended for as long as the limitation period for legal proceedings is applicable.
  • Personal data of a professional nature that has been included in databases for commercial purposes will be retained unless we are informed of your objection or if we are informed that the data has become out of date or if the database is purged.


What security measures will be applied to your personal data?

The processing of the personal data provided will be carried out applying the necessary physical, logical and organisational security measures to prevent the loss, improper use, alteration and unauthorised access to the data, taking into account the state of technology, the nature of the data and the risk analysis carried out.
Furthermore, Azkoyen carries out its business activities in accordance with a management model based on continuous improvement, in line with the ISO 27001 standard.


Will there be international transfers of personal data?

Azkoyen has two corporate Data Processing Centres (DPC) which are located in Navarra (Spain). International transfers of personal data, i.e. outbound transfers of personal data from the EU to territories or international organisations outside the European Economic Area (EEA), may occur only in certain cases.
In cases where this applies, Azkoyen will always ensure that one of the following conditions is met: (i) an Adequacy Decision exists which attests to an adequate level of protection (ii) standard clauses have been drawn up in accordance with the Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the international transfer of personal data to a third country (iii) neither of the above two conditions applies, but one of the exceptions set out in art. 49 GDPR is applicable. In this regard, it should be clarified that some Azkoyen services involve the hosting of personal data in the Microsoft Azure cloud, which entails transfers of personal data to the United States, which, following the cancellation of the Privacy Shield, cannot rely on the formalisation of standard clauses, so until the EU and the United States reach a new agreement, it is necessary to resort to the application of the exceptions of Art. 49 RGPD; and more specifically in the application of the conditions established in Art. 49.1 b) and c) GDPR:
b) the transfer is necessary for the performance of a contract between the data subject and the controller or for the performance of pre-contractual measures adopted at the request of the data subject;
c) the transfer is necessary for the conclusion or performance of a contract, in the interest of the data subject, between the controller and another natural or legal person.”

How can you exercise your rights in relation to your personal data and contact our data protection officer?

To revoke the consents granted, where applicable, as well as to exercise the rights of access, rectification, deletion, opposition, limitation, portability and non-submission to automated individual decisions, you may send a written request to:

Avda. San Silvestre s/n, 31350, Peralta (Navarra-Spain)

If the data subject considers it opportune, they may contact our Data Protection Officer (DPO) via the same e-mail account shown above, as well as submit the appropriate claim for the protection of rights to the Spanish Data Protection Agency.


Obligatory or optional nature of the data requested

The obligatory data in each form are identified as such by means of an asterisk (*). The refusal to provide such information will prevent communication with the user and, if applicable, the impossibility to provide the requested information and/or service.