Back to top

PRIVACY POLICY ON DAMM’S OFFICIAL SOCIAL MEDIA

In accordance with the provisions of the European General Regulation (EU) 2016/679 ("GDPR") and the Organic Law 3/2018 on Data Protection ("LOPDGDD"), this document sets out the way in which S.A. Damm shall treat the personal data of social media users who interact with S.A. Damm's profile.

This policy provides all the legal information regarding how we shall use the personal data of social media users who interact with us: the purposes for which we intend to process it, the legal bases that allow us to do so, the periods of time for which we shall retain it, the third parties outside the Company with whom we may, where applicable, have to share it, and the rights that users may exercise, among other matters.

1. Who is the Data Controller of your personal data?

The entity legally responsible for processing your personal data is the company S.A. Damm (hereinafter, the “Company” or the “Data Controller”), with registered office in Barcelona, calle Rosselló, 515, CP 08025.

If you have any questions regarding your personal data, please contact us at privacidad@damm.com or at the above postal address.

2. What personal data is processed?

In accordance with the GDPR and the LOPDGDD, the Company shall process the personal data of those social media users who interact with the official accounts under which the Company has registered its profile (the “data subject” or the “user”, interchangeably).

For this purpose, the Company shall process your username, name and surname, email address and profile picture.

3. How have we obtained your personal data?

The personal data that the Company shall collect and process from the data subject are:

  • those that the data subject provides directly when contacting our social media profile,
  • those collected during any prize draw and/or promotion,
  • those that the data subject may provide when submitting any query, request, complaint or claim.

4. For what purpose and on what legal basis do we process your personal data?

The GDPR and the LOPDGDD set forth that information about a person (their “personal data”) may only be processed if one of the legal bases expressly provided for in those regulations applies. More specifically, Article 6 of the GDPR sets out an exhaustive list of the legal bases that may justify and legitimise the processing of personal data. The application of one legal basis or another depends mainly, in essence, on the purpose for which the personal data is to be processed.

Having said that, at the Company we shall process the data of our data subjects for the purposes and on the legal bases detailed below:

4.1. Processing based on the data subject’s consent

  • If the data subject gives their consent, we shall send them commercial communications about promotions, products and services of the Company and/or third parties that may be of interest to them.
  • If the data subject consents to the capture and use of his or her image, the Company shall use the image for dissemination via social media for promotional purposes.

4.2. Processing based on the Data Controller’s legitimate interest

The Data Controller shall carry out additional processing activities on the basis of the legitimate interest provided for in Article 6.1(f) of the aforementioned GDPR, as it considers that such processing does not override the data subjects’ right to the protection of their personal data. It authorises processing operations which are "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child".

With regard to such processing, the data subject has the right to (i) obtain further information about what this “legitimate interest” consists of, (ii) know how the Company has concluded that such processing does not adversely affect the protection of their personal data, or (iii) object to such processing directly. You may do so through the channels set out in section 8, indicating the specific processing to which you object and the grounds on which you base your request.

For this purpose, the Company has carried out what is known as a "balancing test". This is an internal analysis to confirm that the legitimate interest of the Company does not harm the interests of its data subjects in the protection of their personal data. If the data subject would like further information about this test, they may request it via the email address privacidad@damm.com.

  • Manage and resolve any queries, requests, complaints, incidents or suggestions that the data subject may submit through social media. Depending on the nature of the request, the Company shall process the personal data that the data subject provides in order to manage and resolve their request, as well as to address any complaint, incident, suggestion or query submitted through their social media profile.
  • The Company may conduct surveys in order to learn the user’s opinion and thus improve our procedures and products.
  • Analysis and creation of commercial profiles based on the information provided, in order to identify content that may be of interest to the user, using profiling techniques to carry out targeted advertising and direct marketing. The creation of these profiles shall be based on information from both internal Company sources and external sources, such as social media, public sources, other companies within the group or partner companies. The above shall only take place where the data subject has given prior and express consent.

With regard to the personal information that the user may share with the Company through this social network, they shall do so freely, voluntarily and knowingly. If they do so, such information shall be subject both to this policy and to the Rules and Conditions of Access and Use of the relevant social network.

5. Responsibility and data quality

The Company warns that no user may use another person’s identity or communicate personal data of third parties without having obtained their prior authorisation. Therefore, users must at all times ensure that they only provide personal data corresponding to their own identity and that such data is adequate, relevant, up to date, accurate and truthful. In any case, the user must respect the privacy of third parties, whether or not they are users of the Company’s social network.

6. How long shall the Data Controller retain your data?

The personal data of the data subjects shall be kept by the Company until the purpose for which they were collected is fulfilled. After this, and before proceeding to their destruction, the Company shall keep them duly blocked, in order to deal with possible claims and to have them at the disposal of the competent authorities, during the legally established limitation periods. In such cases, the Company shall take the necessary technical and organisational measures to ensure that they are only used for this purpose.

7. To whom shall we disclose your data?

The Data Controller shall only disclose the data subject's personal data to third parties, competent public bodies and institutions, regional and local administrations, including the jurisdictional bodies to which it is legally obliged to provide them.

In addition to the foregoing disclosures, the Company shall rely on third-party service providers who may have access to personal data and who shall process such data on behalf of and for the Company as a result of the services they provide.

The Company follows appropriate criteria for selecting service providers in order to comply with its data protection obligations and undertakes to sign the corresponding data processing contract therewith, whereby it shall require them, among others, to comply with the following obligations: to implement appropriate technical and organisational measures; to process personal data for the agreed purposes and only in accordance with the Company's documented instructions; and to delete or return the data to the entity once the provision of the services has been completed.

In particular, the Company may engage third-party service providers operating, by way of example, in the following sectors: logistics services, legal advisory services, IT service providers, physical security companies, courier services – including instant messaging services – and infrastructure management and maintenance companies.

On the other hand, personal data of data subjects shall not be transferred internationally. However, should personal data be transferred internationally as a result of the Company’s relationship with its service providers, the Company shall inform data subjects of such transfers. These transfers shall be carried out in accordance with the applicable data protection regulations and, in particular, subject to adequate safeguards ensuring that providers offer a level of protection equivalent to that required within the European Union.

8. What are your rights?

The data subject may exercise, if they wish, their rights of access, rectification and erasure, as well as request restriction of processing of their personal data, object to such processing, request data portability, and not be subject to automated individual decision-making, by sending a written communication to the Company’s Privacy Office at Calle Rosselló, 515, 08025 Barcelona, or to the email address privacidad@damm.com, providing an official document proving their identity where necessary.

You may also file a complaint with the Spanish Data Protection Agency (https://www.aepd.es/) in relation to the response received to your exercise of rights. In any case, the data subject may first contact the Company’s Privacy Office, reachable via email at privacidad@damm.com, in order to resolve any complaint so that we can assist you in this regard.

9. Who is the Data Protection Officer of the Data Controller?

The Company has appointed a person within its organisation as Data Protection Officer to ensure that the personal data of data subjects are duly protected and to guarantee that the Company complies with all legal requirements regarding the protection of personal data.

This person shall be responsible for providing all requested information on data protection. You may contact them at the following address: Calle Rosselló, 515 08025 Barcelona or at the e-mail address dpo@dammcorporate.com.