Data protection policy

At Azkoyen VPS and its subsidiaries, we are committed to protecting the privacy and personal data of users of our websites, services and digital platforms, in accordance with current data protection regulations, in particular Regulation (EU) 2016/679 (GDPR) and the applicable legislation in each country. 

This privacy policy describes how we process personal data. 

WHO IS THE DATA CONTROLLER FOR YOUR PERSONAL DATA? 

Data controller: Azkoyen Vending & Payment Solutions, S.L.U. 

Tax ID: B71541411 

Registered office: Avda. San Silvestre s/n, 31350, Peralta (Navarra, Spain) 

Email: responsableseguridad@azkoyen.com 

FOR WHAT PURPOSE AND ON WHAT LEGAL BASIS DO WE PROCESS YOUR PERSONAL DATA? 

  • Management of requests for general corporate information, as well as information regarding our products and services. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). 
  • Exercise of rights and privacy management. Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR). 
  • Drafting and execution of commercial contracts (sale and purchase, distribution, maintenance services, etc.): the processing of the professional contact details of persons involved in the formalisation and performance of contracts – whether they are sole traders or persons acting in a representative or management capacity for legal entities to which they provide services – will be processed on the legal basis of legitimate interest (Art. 6(1)(f) GDPR). 
  • Compliance with legal obligations in tax, accounting and administrative matters arising from the contractual relationship established with the data subject. Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR). 
  • Management of the corporate whistleblowing channel, joint responsibility for the processing carried out by the subsidiaries comprising the Azkoyen Group as indicated in the Whistleblowing Channel. Legal basis: compliance with a legal obligation (Art. 6.1(c) GDPR). 
  • Sending commercial information from Azkoyen VPS to its own customers, by any means – including electronic communications – regarding products and/or services similar to those previously contracted. Legal basis: legitimate interest (Art. 6.1(f) GDPR). 
  • Management of the technical support service (SAT). Should you need to access the SAT platform, you may register by providing your email address, first name and surname. Legal basis: existence of a legitimate interest (Art. 6.1(f) GDPR), linked to the performance of a contract (Art. 6.1(b) GDPR). 
  • Where your express consent is obtained, Azkoyen VPS may send you commercial information by any means, including electronic means. Legal basis: Consent of the data subject (Art. 6(1)(a) GDPR). 
  • Where consent is given for the use of “non-exempt” cookies, information regarding browsing on our website will be collected in order to measure activity on the site and, where appropriate, to improve the user experience and the functioning of the website. Legal basis: Consent of the data subject (Art. 6(1)(a) GDPR). 
  • Access to guest Wi-Fi: information regarding IP address, MAC address and browsing history will be collected during the connection in order to provide the service. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). 
  • In the context of relations with job applicants, Azkoyen VPS may process personal data contained in the CVs it handles. Legal basis: implementation of pre-contractual measures at the data subject’s request (Art. 6(1)(b) GDPR). 
  • Incident management/maintenance of Azkoyen VPS products and services. The data subject may contact Azkoyen VPS’s technical support service. Please be advised that the call will be recorded for quality control and incident management purposes. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). 

To demonstrate that processing based on the Organisation’s legitimate interest in accordance with Art. 6(1)(f) GDPR does not prejudice the data subject’s interests in the protection of their personal data, a “legitimate interest balancing test” has been carried out. The data subject has the right to obtain further information regarding these processing activities and the nature of this legitimate interest, as well as to object to the processing of their data for this purpose by contacting our DPO via responsableseguridad@azkoyen.com. 

TO WHOM WILL WE DISCLOSE YOUR PERSONAL DATA? 

Your personal data may be disclosed to external auxiliary service providers with access to personal data contracted by Azkoyen VPS, such as IT service providers with access to personal data (technical/IT maintenance service providers, cybersecurity, hosting), environmental management companies, consultancy firms, administrative agencies, recruitment agencies, advertising and marketing companies, and other auxiliary service providers who will act as data processors under the instructions of the contracting entity. 

Where we have your express consent, your data may be transferred for commercial purposes to other subsidiaries of Azkoyen VPS. 

For the purpose of managing the procurement of our products and services, your data will be disclosed to subsidiaries of Azkoyen VPS; likewise, to official distributors of the responsible entity who have signed a commercial collaboration agreement. 

Where legally required, your data may also be disclosed to public authorities, auditors, notaries, court experts, lawyers, solicitors, courts and tribunals, and law enforcement agencies in the course of their duties. 

HOW LONG WILL WE RETAIN YOUR PERSONAL DATA? 

Your personal data will be retained only for as long as is necessary to fulfil the purpose for which it was collected. In this regard, once your personal data is no longer necessary for the fulfilment of such purposes, it will be deleted. However, it may be blocked beforehand, remaining available only to judges, courts, public prosecutors or the competent public authorities – in particular the data protection authorities – for the purpose of addressing any potential liabilities arising from the processing, and only for the duration of the applicable limitation period. 

  • Personal data obtained via the contact form will be retained only for the time necessary to respond to the request for information. 
  • Personal data obtained via the registration form for recruitment processes will be retained whilst such processes are ongoing. Thereafter, it will be retained for a period of two years, except in the case of candidates who are ultimately hired, whose CVs will be incorporated into their employment file (in which case the data protection policy applicable to the employment context will apply). 
  • Personal data obtained via the whistleblowing channel will be retained in that channel’s system for a maximum period of three months, after which the data will be deleted or anonymised, without prejudice to the fact that, should an investigation be initiated, the data may be processed in the information system of those assigned control and compliance functions. 
  • Personal data relating to commercial transactions with customers and suppliers operating as self-employed individuals, as well as the data of the legal and commercial representatives of customers and suppliers, will in all cases be retained for the duration of the contractual relationship and for six years following its termination, with this period being extendable whilst limitation periods for legal actions remain in force. 
  • Personal data of a professional nature that has been included in databases for commercial purposes will be retained until we are notified of your objection or withdrawal of consent. 
  • Personal data recorded (voice, identifying details or other) through call recording will be retained for a period of one month. The call recording will then be deleted. 

WHAT SECURITY MEASURES WILL BE APPLIED TO YOUR PERSONAL DATA? 

The processing of the personal data provided will be carried out by adopting the necessary physical, logical and organisational security measures to prevent loss, misuse, alteration and unauthorised access to such data, taking into account the state of technology, the nature of the data and the risk analysis carried out. 

WILL INTERNATIONAL TRANSFERS OF PERSONAL DATA TAKE PLACE? 

International transfers of personal data may only occur in certain cases; that is, transfers of personal data from the EU to territories or international organisations located outside the European Economic Area (EEA). 

Where this occurs, Azkoyen VPS will always ensure that one of the following conditions is met: (i) there is an Adequacy Decision certifying an adequate level of protection; (ii) standard contractual clauses have been formalised in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the international transfer of personal data to third countries; (iii) neither of the above conditions applies, but one of the exceptions set out in Article 49 of the GDPR is applicable. 

 HOW CAN YOU EXERCISE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA AND CONTACT OUR DATA PROTECTION OFFICER? 

To withdraw any consent you may have given, or to exercise your rights of access, rectification, erasure, objection, restriction, data portability and not to be subject to automated individual decision-making, you may submit a written request to: 

Avda. San Silvestre s/n, 31350, Peralta (Navarra, Spain), or 

responsableseguridad@azkoyen.com 

Should the data subject deem it appropriate, they may contact our Data Protection Officer (DPO) via the email address provided above, as well as lodge the relevant complaint regarding the protection of their rights with the competent data protection authority. 

MANDATORY OR OPTIONAL NATURE OF THE DATA REQUESTED 

The mandatory fields on each form are marked with an asterisk (*). Refusal to provide this information will prevent communication with the user and, where applicable, make it impossible to provide the requested information and/or service.