In accordance with the provisions of the applicable personal data protection regulations, we inform the User:
1. Personal Data Controller(*)
CEPSA COMERCIAL PETRÓLEO, S.A.U., (hereinafter CCP or Cepsa, indistinctly), with tax ID No.: A80298896, with registered office: Paseo de la Castellana 259 A, 28046 Madrid, Spain.
(*) If you have contracted products and/or services with COMPAÑÍA ESPAÑOLA DE PETRÓLEOS, S.A. (CEPSA) (Tax ID No.: A28003119), COMPAÑÍA ESPAÑOLA DISTRIBUIDORA DE PETRÓLEOS, S.A. (CEDIPSA) (Tax ID No.: A28354520), RED ESPAÑOLA DE SERVICIOS, S.A.U. (RESSA) (Tax ID No.: A25009192), CEPSA GAS Y ELECTRICIDAD, S.A.U. (CGE) (Tax ID No.: A-28142552), or CEPSA GAS COMERCIALIZADORA, S.A. (CGC) (Tax ID No.: A-82485335, (any of them referred to hereinafter as “Cepsa”, indistinctly), which registered offices located at Paseo de la Castellana, 259 A, CP 28046 Madrid (Spain), each of the above-mentioned companies will be considered as the Data Controller.
- 2. Purpose of personal data processing
The personal data provided at contracting time, as well as those provided in the future as a result of their development, will be incorporated in a CEPSA personal data protection registry for the following purposes:
- To provide, manage, control and maintain the contractual or commercial relationship requested;
- Manage the creation of a Customer ID that is unique within the Cepsa Group.
- Maintain a direct relationship with the client for advertising, promotional and/or statistical purposes (including the creation of profile segmentation to adapt the offers and marketing activities to each client), regarding the activities that CEPSA performs by conventional and/or electronic means(e-mails, SMS, receipt…). These communications may also refer to benefits or advantages relating to Cepsa or third-party companies, will always be communicated through Cepsa and will be based on partnership agreements in the following sectors: Leisure, travel, culture, credit cards and means of payment, automotive, transportation, insurance, distribution and financing, gifts, fashion, home, technology.
- Perform market segmentation and customer profiling through analysis of the use of the services offered, with the aim to adapt the offers and marketing activities to each customer, offering customized products and services.
- Provide the requested services and information, whether by means of the Internet, regular mail or telephone. Record telephone conversations made to customer Service, in order to ensure a better service quality. Additionally, emails may have delivery and read receipts.
- Address any potential incidents that may occur, as well as develop satisfaction surveys on the contracted product or service. The customer may be contacted if any fraud or identity theft is detected or suspected.
- Analyze the risk and compare or cross-check your data in order to verify the accuracy and truthfulness of the data in relation to the companies providing capital solvency, credit and fraud prevention services.
- Where appropriate, manage the cash obligations compliance regarding non-payments that may occur from the customer. To this end, this economic information may be included in a Grupo Cepsa companies shared file, available at www.cepsa.com, for the same purposes. In this respect, the consultation of files relating to the non-compliance of cash obligations may lead Cepsa as a marketing company to take decisions with legal effect which may affect the client, and may result in the non-entry into force of the contract or condition the same to a payment guarantee. Nevertheless, CEPSA will always give the customer the possibility to allege everything he deems relevant in order to defend his right or interest.
- Manage customer data as a website User.
- Manage and maintain Customer data, if applicable, through the promotional benefits and advantages scheme, "Porque TU Vuelves," as well as control, manage and maintain the relevant services. (For more information, read the "Porque TU Vuelves" terms and conditions aT www.porquetuvuelves.com).
- In cases where the customer has registered on the website through social networks, validated his personal data, contact the customer if any fraud or identity theft is detected or suspected in the social networks, contact him and forward any personal communications and/or offers through customer profiling and/or conduct market segmentation, conduct behavioral advertising studies or to obtain statistical samples that can help the company improve the customization of the products and services offered to the same.
- 3. Third party personal data
4. Personal data storage period
The personal data provided shall be kept until the contractual relationship is maintained, its deletion is not request by the interested party and should not be deleted for the fulfillment of a legal obligation or for the formulation, exercise and defense of claims.
If the customer revokes his consent or exercises his rights of cancellation or deletion, his data shall be kept blocked at the disposal of the administration of justice within the time limits legally established to meet the possible responsibilities derived from the processing of the same.
- 5. Legitimacy for personal data processing
Legitimacy for data processing is based on:
- The customer has provided his personal data for precontract or contractual relations, and therefore the processing is necessary for the maintenance of this relationship.
- The legal obligations applicable to Cepsa that require the processing of personal data according to the services provided.
- CEPSA legitimate interest in processing the same is the strictly necessary for the prevention of fraud during the duration of the contract, or to send commercial communications directly related to the contracted services.
- 6. Origin of the personal data
The personal data that Cepsa will process is for the provision of the contracted services which have been provided mainly by the customer during the contracting process, such as name, surname, address, contact data, means of payment data. The customer is responsible for its accuracy and updating.
Furthermore, Cepsa may also obtain information collected through the web, as well as the use of the contracted services, such as statistics or navigation data, or in its case, of interests and consumption through the Cepsa program “Porque TU Vuelves”.
Also, if the customer has registered in the website through social networks, CEPSA will be able to obtain public information available on the internet such as his username, sex, date of birth, “likes”, clicks, "tweets", number of followers, number of users followed, profile and location information (if it was declared by the User). In the case of Facebook, the customer may select from the requested permissions those that do not wish to provide.
CEPSA will use an authentication token system (an encoded security key that facilitates access to the network) for User identification or registration and can make the access to the private customer area easier
In no case data from third parties will be collected from the User. The customer data will be entered by the same on the social networks and behavioral analysis and market segmentation will be obtained from comments or “tweets” automatically without human intervention. The customer is informed of the possibility of editing the information he wants to share with CEPSA, allowing a wider access or restricting the information he wants to share, as well as the possibility to revoke the consent given at any given time.
Furthermore, data from the client’s device or terminal may be collected, provided that he has granted its consent for this, in order to facilitate the provision of services, to perform advertising activities and to provide him with personalized and appropriate information according to his location. The customer may at any time disable the access to geolocation data, as well as revoke the consent provided for his geolocation, by configuring the settings on his device or terminal.
- 7. Transfers and recipients of personal data
All data assignments which Cepsa will perform are necessary for the fulfilment of the stated purposes, or are performed in order to fulfil a legal obligation regarding the following companies and public organizations:
- The Cepsa group of companies, available a www.cepsa.com.
- Government agencies and the judiciary.
- Companies providing financial solvency services, credit and fraud prevention, for risk analysis and to collate or analyze data in order to verify the accuracy and veracity of the same and companies providing payment services.
- Insurance, reinsurance, guarantee funds companies or any other third party acting as a guarantor of the risk or transactions when the customer uses Cepsa means of payment, in case the issuer of the payment means has agreements with the companies indicated and for the sole purpose of identifying his registration as a Cepsa cardholder.
- Where appropriate, distribution companies, in order to manage access to the network, customer's identity, address, consumption and non-payment situations, said data being incorporated in the supply points information system file, under the responsibility of the distribution company.
- Companies and entities collaborating with Cepsa, for the organization, management and/or promotion of requests, competitions, events, special offers, and prize draws, in the event that the Participant has decided to register and/or take part in them.
- Cepsa suppliers: Cepsa has contracted its “cloud computing” model IT infrastructure and customer management with Amazon Web Services, Inc. so Binding Corporate Rules (BCRs), Standard Contractual Clauses or any of the exceptions provided by law shall apply for international transfers.
- Cepsa has hired Google, Weborama Ibérica, S.L. and Salesforce.com Inc. as Suppliers for the purpose of analyzing website traffic and customer behavior. Information on cookies policy from Cepsa and its suppliers available to the customer in their websites:
Initiative Media, LLC - https://initiative.com/es/privacidad/
Hotjar, Ltd. - https://www.hotjar.com/legal
Google Analytics - https://support.google.com/analytics/answer/181881?hl=es
Salesforce.com, Inc. - https://www.salesforce.com/company/privacy/full_privacy.jsp#nav_info
Customers may exercise before Cepsa, where applicable, their rights to access, rectification, erasure, restrict processing, object, portability and objection to automated decision making and profiling. He may also revoke his consent if he has granted it for any specific purpose, and may modify his preferences at all times.
Customers may exercise their rights through the following email address: firstname.lastname@example.org, or at the registered offices of Cepsa. (Ref.: Data Protection-Legal Advice), at Paseo de la Castellana, 259 A, 28046-Madrid (Spain). Customers are likewise informed that Cepsa has appointed a Data Protection Officer (DPO) who can be contacted by email email@example.com and who can address any type of complaint regarding personal data protection before the Spanish Data Protection Agency www.aepd.es, the Spanish Control Authority.