This document sets out how SA DAMM shall process the personal data of our customers and website users in compliance with the applicable data protection regulations.
Here we provide all the legal information regarding how we shall use your personal data: the purposes for which we intend to process it, the legal bases that allow us to do so, the periods of time for which we shall retain it, the third parties outside SA DAMM with whom we may, where applicable, have to share it, and the rights that our customers and users may exercise, among other matters.
1. Who is the Data Controller of your personal data?
The entity legally responsible for processing your personal data is the company SA DAMM (hereinafter, the “Data Controller”), with registered office at Barcelona, calle Rosselló, 515, 08025, Tax ID No. A08000820 and email address privacidad@damm.com.
2. What personal data is processed?
The Data Controller shall process the personal data of natural persons (customers, potential customers or users of our websites, hereinafter all referred to as “the data subject”) who provide such data to us for the purposes described in section 4 of this Privacy Policy.
For this purpose, the Data Controller shall process the following personal data:
| Category | Personal data |
| --- | --- |
| Identification data | Name and surname, ID number (DNI), contact telephone number |
| Contact details | Email address, contact telephone number and postal address |
3. How have we obtained your personal data?
The personal data that the Data Controller shall collect and process from the data subject are:
- those that the data subject provides directly when registering on our website,
- those collected during any purchase process, and
- those that the data subject may provide during their commercial and contractual relationship with us, or when submitting any query, request, complaint or claim.
Broadly speaking, the Data Controller does not collect personal information from external sources, but only directly from the data subjects themselves. In this regard, the data subject guarantees that all information and/or documentation provided to the Data Controller is truthful and that they are the rightful owner of it. In exceptional cases where a third party provides us with personal information about a data subject (such as when arranging a visit for a group of several people), it shall be expressly stated (i) that the third party must be duly authorised to provide such personal information to the Data Controller and (ii) the manner in which the data subjects shall receive this legal information.
4. For what purpose and on what legal basis do we process your personal data?
The Data Controller shall process the data of data subjects for the purposes and on the legal bases detailed below:
4.1. Processing necessary for compliance with legal obligations
The Data Controller shall need to process personal data of the data subjects in order to comply with the various legal obligations that may be applicable at any given time. These obligations shall exist and shall be fulfilled even after the termination of your contractual relationship with the Data Controller, as the case may be.
As a consequence of such legal obligations, the following processing activities shall be carried out, by way of example:
- Compliance with legal, tax, accounting and judicial requirements. The Data Controller shall process the personal data of data subjects in order to comply with accounting, legal, tax and administrative obligations, as well as to respond to requests from Courts and Tribunals, Law Enforcement Authorities or any other competent Public Authority to which the Data Controller is legally obliged to respond.
- Customer service. The Data Controller shall process the personal data of its customers (name, telephone number and contact email address) to manage requests, enquiries, questions or complaints submitted through its Customer Service department. Similarly, the Data Controller shall also process the personal data of social media users who interact with its official accounts (username, name and surname, email address and profile picture) in order to handle any query, request, complaint or claim.
4.2. Processing based on the data subject’s consent
Where the data subject has given their consent, the Data Controller may carry out the following processing activities:
- Sending commercial communications about promotions, products and services, which may be sent by post, email, SMS, instant messaging systems or any other equivalent electronic communication method. For this purpose, your personal data may be processed to create profiles based on internal sources, the results of which allow the design and analysis of personalised products, through segmentation into different groups according to common consumption patterns.
The data subject may at any time refuse to give consent (or give it initially and later withdraw it), without this affecting their relationship with the Data Controller or causing any detriment. However, the data subject should be aware that if consent is withdrawn, this shall not affect the lawfulness of the processing carried out by the Data Controller up to that point, as it does not have retroactive effect.
4.3. Processing necessary for the performance of the contractual relationship between the Data Controller and the Data Subject
The Data Controller may carry out the processing necessary for the formalisation, management and fulfilment of the contractual relationship between the Data Controller and the data subject:
- If the data subject makes an online purchase, we shall manage the purchase and delivery of the acquired products, processing the personal data provided when placing the order (name, surname, telephone number, email address, legal age and postal address).
- If the data subject participates in promotional campaigns, we shall manage their participation. In addition, in the event of winning, the Data Controller shall process your personal data (name, surname, email address and post code) in order to manage the delivery of the prize. If, for transparency reasons, we were to disclose a photograph of a contest winner or prize draw winner, this would be expressly indicated prior to registration, in the registration form itself.
4.4. Processing based on the Data Controller’s legitimate interest
The Data Controller shall carry out additional processing operations on the basis of the legitimate interest provided for in the data protection regulations in force.
With regard to such processing operations, the data subject has the right (i) to obtain further information on what this “legitimate interest” consists of, (ii) to know how the Data Controller has concluded that such processing does not adversely affect the protection of their personal data, or (iii) to object to such processing.
In all such cases, the Data Controller has carried out what is known as a “balancing test”. This is an internal analysis to confirm that its legitimate interest does not harm the interests of its data subjects in the protection of their personal data. If the data subject would like further information about this test, they may request it via the email address privacidad@damm.com.
The processing activities referred to above are as follows:
- Damm Group entities may have access to the data subject's data for internal administrative and accounting purposes.
- Where the data subject is a legal entity, the Data Controller shall process the identifying and contact details of its contact persons in order to satisfy its legitimate interest in maintaining contact.
The Data Controller shall also process the personal information of our users by applying anonymisation or pseudonymisation techniques, in order to use it for statistical purposes and to draw conclusions regarding user behaviour, thereby improving our services and, consequently, customer satisfaction.
4.5. Processing carried out on the basis of public interest
CCTV cameras are installed in the Data Controller’s establishments and facilities, which shall collect and process the image of any data subject who enters them.
The purpose of this processing is to protect the facilities and the assets located within them, as well as the safety and security of the persons present in those facilities. In accordance with the applicable data protection regulations, this processing is based on the performance of a task carried out in the public interest.
The images shall not be disclosed to any third party and shall only be retained for a period of one month from the date they were obtained. However, if requested by a competent authority (Courts and Tribunals, Law Enforcement Authorities), the Data Controller shall provide such images to that authority. In other cases, the aforementioned authorities may order the Data Controller to retain the images beyond the legally permitted period. The images may also be used by the Data Controller as evidence or proof where it needs to assert liability against a data subject for any unlawful conduct.
5. How long shall the Data Controller retain your data?
The personal data of data subjects shall be kept until the purpose for which they were collected has been fulfilled. After this, and before proceeding to their destruction, they shall be kept duly blocked, in order to deal with possible claims and to keep them at the disposal of the competent authorities, during the legally established limitation periods. In such cases, the necessary technical and organisational measures shall be taken to ensure that they are only used for this purpose.
6. To whom shall we disclose your data?
The Data Controller shall only disclose the data subject's personal data to third parties, competent public bodies and institutions, regional and local administrations, including the jurisdictional bodies to which it is legally obliged to provide them.
In addition to the foregoing disclosures, the Data Controller shall rely on third-party service providers who may have access to personal data and who shall process such data on its behalf as a result of the services they provide.
The Data Controller follows appropriate criteria for the selection of service providers in order to comply with its data protection obligations and undertakes to sign the corresponding data processing contract with them, whereby it shall impose on them the obligations established in the applicable regulations.
On the other hand, personal data of data subjects shall not be transferred internationally. However, should personal data be transferred internationally as a result of the Data Controller’s relationship with its service providers, data subjects shall be informed of such transfers, which shall be carried out in accordance with the applicable data protection regulations and, in particular, subject to adequate safeguards ensuring that providers offer a level of protection equivalent to that required within the European Union.
7. What are your rights?
The data subject may exercise, if they wish, their rights of access, rectification and erasure, as well as request restriction of processing of their personal data, object to such processing, request data portability, not be subject to automated individual decision-making, and withdraw their consent, by sending a written communication to the Privacy Office of the Data Controller at the postal address Barcelona, calle Rosselló, 515, 08025, or to the email address privacidad@damm.com, providing an official document proving their identity where necessary.
You may also file a complaint with the Spanish Data Protection Agency in relation to the response received to your exercise of rights. In any case, the data subject may contact the Data Protection Officer, reachable via email at dpo@dammcorporate.com, in order to resolve any complaint so that we can assist you in this regard, as well as with any matter related to their functions.