Privacy policy

According to regulation on personal data protection, we inform you of our Company Privacy Policy:

•         1. Personal data controller

CEPSA TRADING, S.A., (hereinafter Cepsa), with tax ID No.: A86597325, with registered office at Paseo de la Castellana, 259 A, 28046-Madrid (Spain), Data Protection Officer dpo@cepsa.com .

•         2. Purpose of personal data processing

The personal data provided at contracting time, as well as those provided in the future as a result of their development, will be incorporated in a CEPSA personal data protection registry for the following purposes:

1.               1. To provide, manage, control and maintain the contractual or commercial relationship requested;
2.               2. To provide the requested services and information, whether by the web, ordinary mail or by telephone. Record telephone conversations made to customer Service, in order to ensure a better service quality. Additionally, e-mails may receive a receipt and reading confirmation.
3.               3. Address any potential incidents that may occur, as well help Clients to perform Contracts at any time. The customer may be contacted if any fraud or identity theft is detected or suspected.
4.               4. Analyze the risk and compare or cross-check your data in order to verify the accuracy and truthfulness of the data in relation to the companies providing capital solvency, credit and fraud prevention services.
5.               5. Where appropriate, manage the cash obligations compliance regarding non-payments that may occur from the customer. To this end, this economic information may be included in a Cespa Group companies shared file, available at www.cepsa.com, for the same purposes. Manage customer data as a website User.

•         3. Third party personal data

In the event that the provided personal data was of a third party, the customer guarantees that he has informed the third party of this privacy policy and obtained his permission to provide Cepsa his data for the stated purposes. It also ensures that the data provided is accurate and up-to-date, it being responsible for any loss or damage, direct or indirect,  that might arise as a result of the non-compliance of such obligation.

•         4. Personal data storage period

Personal data provided shall be kept until the contractual relationship is maintained, its deletion is not request by the interested party and should not be deleted for the fulfilment of a legal obligation or for the formulation, exercise and defense of claims.

If the customer revokes his consent or exercises his rights of cancellation or deletion, his data shall be kept blocked at the disposal to Court of Justice within the time limits legally established to meet the possible responsibilities derived from the processing of the same.

•         5. Legitimacy for personal data processing

Authentication for data processing is based on:

1.               1. Customer has provided his personal data for precontract or contractual relations, and therefore the processing is necessary for the maintenance of this relationship.
2.               2. The legal obligations applicable to Cepsa that require the processing of personal data according to the services provided.
3.               3. CEPSA legitimate interest in processing the same is the strictly necessary for the prevention of fraud during the duration of the contract, or to send commercial communications directly related to the contracted services.
4.               4. The User’s consent for all other scenarios, for the installation of tracking systems that report on navigation habits according to the Cookies Policy, or for the use of information related to his geographical location. The withdrawal of this consent will never affect the performance of the main contract.

•         6. Origin of the personal data

Personal data that Cepsa will process is for the provision of the contracted services which have been provided mainly by the customer during the contracting process, such as name, surname, address, contact data, means of payment data. The customer is responsible for its accuracy and updating.

•         7. Transfers and recipients of personal data

All data assignments which Cepsa will perform are necessary for the fulfilment of the stated purposes, or are performed in order to fulfil a legal obligation regarding the following companies and Public Administrations and Courts of Justice:

1.               1. Cepsa Group Companies, available at www.cepsa.com.
2.               2. Government Agencies and Court of Justice.
3.               3. Companies providing financial solvency services, credit and fraud prevention, for risk analysis and to collate or analyze data in order to verify the accuracy and veracity of the same and companies providing payment services.
4.               4. Insurance, reinsurance, guarantee funds companies or any other third party acting as a guarantor of the risk or transactions when the customer uses Cepsa means of payment, in case the issuer of the payment means has agreements with the companies indicated and for the sole purpose of identifying his registration as a Cepsa cardholder.
5. Cepsa suppliers: Cepsa has arranged a contract with Amazon Web Services, Inc. and Salesforce.com Inc. for its IT infrastructure and customer management using the “cloud computing" model under the EU-US Privacy Shield agreement. Information available at: https://www.privacyshield.gov/Participant?id=a2zt0000000TOWQAA4

European Union has authorized the Salesforce.com Inc. Binding Corporate Rules (BCR) that allows international data transfers to be made within the business group. However, the User gives his express and unequivocal consent to the international transmission of his personal data to companies domiciled in countries which do not have adequate data protection regulations.

1. Cepsa has hired Google, Weborama Ibérica, S.L. and Salesforce.com Inc. as Suppliers for the purpose of measuring web traffic and customer behavior. Information on Cookies Policy from Cepsa and its suppliers available to the customer in their websites:

• Weborama Ibérica, S.L. - http://www.weborama.com/e-privacy/our-commitment/
• Google Analytics - https://support.google.com/analytics/answer/181881?hl=es
• Salesforce.com, Inc.- https://www.salesforce.com/company/privacy/full_privacy.jsp#nav_info
•         8. Customers’ Rights

The User may exercise before CEPSA TRADING, S.A., if applicable, his access rights, rectification or suppression, data processing limiting, opposition, portability and opposition to automated individual decisions. He may also revoke his consent if he has granted it for any specific purpose, and may modify his preferences at all times.

The Customer may exercise his rights in the e-mail address: derechos.arco@cepsa.com, or at the registered office of CEPSA TRADING, S.A. (Ref.: Data Protection-Legal Department), at Paseo de la Castellana, 259 A, 28046-Madrid (Spain). The Customer is informed that he can direct any claim regarding personal data protection to the Spanish Data Protection Agency www.agpd.es, Spain Control Authority.