1. Introduction

We are firmly committed to privacy, that’s why personal data protection is important to us.

We process data in accordance with the provisions of Regulation (EU) 2016/679 General Data Protection, Organic Law 3/2018 on Protection of Personal Data and Guarantee of Digital Rights and other regulations on the matter.

This Privacy Policy was revised in October 2022 to comply with the duties to provide information and act with transparency for the website and data controller, to make the data controller’s general terms and conditions on the matter available to any data subject and not solely the users of the website. There may be variations prior to its next revision.

These terms and conditions are applicable both on the part of the aforementioned data controller or main data processor and other controllers / joint controllers who are part of the main processor’s business structure.

  1. Who is the data controller?

Main data controller:

Data Controller: GP LIMITE ANDAMUR S.L.

Tax Identification Number/Tax Code: B30424162


Email address:

Other controllers / joint controllers who apply these same terms and conditions in the same manner as the main processor:

Data Controller: ROAD SOLUTION S.L.U.

Tax Identification Number/Tax Code: B01910677


Email address:


Data Controller: ANDAMUR EUROPE S.A.

Tax Identification Number/Tax Code: A04181640


Email address:

  1. What is the source and type of data we process?

The source of the data we process may be any of the following categories:

  • Paper, electronic, or digital forms.
  • Computing and messaging systems: email and messaging applications, telephone, etc.
  • Other lawful sources and origins of information.

The different categories of data that we may process depending on the type of data subject (user, client, supplier, employee, etc.) and the nature of the controller’s activities and different data processing are:

  • Identifying data: for example, name and surname(s), image.
  • Identification codes or keys: for example, username, employee code.
  • Postal or email contact addresses: for example, telephone, email, social media profile.
  • Personal and professional data: for example, age, date of birth, qualifications, professional experience, curriculum.
  • Economic, financial, and insurance data: for example. bank details, credit card, etc.
  • Economic and non-economic payroll data and other employment information: for example, position, payslip, etc.
  • Transaction data: for example, goods and services supplied and received.
  • Special category data: for example, health, trade union membership, racial origin.
  • Other data necessary to or involved in the performance of our activities, services, and purposes.
  1. For what purpose do we process your personal data?

Generally, data are processed to successfully conduct the activities involved in the normal running and management of the controller’s business activity. Although, we may specify different processing purposes depending on the possible categories of data subjects:

  • Clients and potential clients: managing and maintaining commercial, precontractual, and contractual relationships; internal administration; economic management; advertising and marketing, customer service.
  • Partners, creditors, and suppliers: managing and maintaining commercial relationships; internal administration and economic management.
  • Workers: managing, developing, and maintaining the employment relationship; human resource management; training activities; workplace health and safety; timesheets; and other purposes arising from legal obligations and the development of employment relationships.
  • Candidates: managing curriculums, managing job postings, and recruitment.
  • Website and social media users: customer service and managing communications between the parties.
  • Visitors: visitor management and control of access to the facilities.
  • Existing information on any other category of data subject will be processed by the data controller within the framework of their business activity, in strict compliance with the applicable regulations and under the general criteria laid out in this Privacy Policy.

Other general purposes the controller may implement are:

  • Creating a commercial profile to improve your experience with personalised offers and messages. Individualised decisions shall not be taken based on said profile and legitimate interest shall be the guiding principle in all actions.
  • Video surveillance for the security of goods and people, as well as pertinent workplace monitoring based on legitimate interest.
  • Telephone switchboard to record communications for the purposes of security, warranty, and quality in customer service based on legitimate interest.
  • Financial risk analysis and monetary obligations monitoring. To analyse a specifically requested service. In the case of debtors with certain outstanding, overdue, and enforceable payments, the controller may inform credit rating agencies, debt registers, and debt management or recovery services, and others, of said circumstance based on legitimate interest.
  • Messages and marketing: handling and sending messages using available contact data and methods (email address, instant messaging, etc.) with categories of internal (workers) and external (clients, potential clients, suppliers, etc.) data subjects. The purposes of said messages may be informational, organisational, commercial, and advertising, in accordance with informed consent and the legitimate interest of the controller. Other marketing activities may be undertaken aimed at publicising the controller’s activities, as well as building customer loyalty in the data subjects, for example, through prize draws, promotions, etc.

Data may be processed via methods and applications provided to users for the purpose of improving service quality, maintaining commercial relationships, and marketing activities. Such processing may include some of the purposes detailed herein.

  • Prize draws, competitions, and promotions: running and managing promotional activities, prize draws, and competitions that collect data subject data, where collecting contact data is a compulsory condition of participation in said activities. User data subjects accept that their participation compulsorily means providing their contact details which the activity promoter will subsequently use to send commercial information. In any case, said messages can be withdrawn and point 10 of these terms and conditions shall be applied.
  • Geolocation using systems leased for this purpose for reasons of security, monitoring, and human and material resource optimisation.
  • Other purposes related to the nature of the data controller’s activities occurring in the normal performance and exercise of their activities based on a valid legitimate basis.
  1. For how long will we store your data?

Generally, personal data will be kept for at least the duration of the relationship with the data subject, until a request is made to delete it, whilst responsibilities may arise from it, or whilst there is some legal obligation to keep it.

With regard to candidate and job applicant data, data will be deleted immediately when they are no longer of interest to the controller. On the contrary, if they are of interest to the business, they will be kept with all due protection and restrictions and will only be processed when recruitment processes are in effect.

If clients have stopped a commercial relationship, data may be kept to offer them conditions or services provided that it is legitimate to do so.

Data captured by video surveillance systems shall be kept for a period of up to thirty (30) days after they were captured, excluding exceptions set forth in Law that allow for the restricted preservation of files until a corresponding ruling is issued.

Data from the visitor register, access control, and other processing for the purposes of private security will be kept for up to thirty (30) days or for another longer period in the event of some responsibility arising due to which they must be kept for a longer period. During this period, the information shall remain restricted at the disposal of the competent authorities.

The data controller has a data protection plan with a record of preservation periods that they follow in the management of the various applicable preservation periods.

In any case, data shall be deleted to ensure confidentiality.

  1. What is the legal basis for the processing of your data?

The data controller follows and applies the various existing legitimate bases that are applicable to each processing purpose. These are:

  1. The informed consent of the data subject.
  2. Precontractual or contractual agreements.
  3. The legitimate interest of the data controller or third party.
  4. Applicable legal obligations.
  5. Other legitimate bases stipulated by law.
  1. With which recipients will your data be shared?

The personal data of data subjects shall not be disclosed to any third-party by default. However, there are various exceptions: a) categories of subsidiary companies, which the partners have a stake in or belong to the same business group as the data controller, who may act as data controllers, joint controllers, or processors, as applicable; b) banks where payments are deposited; c) businesses which the data controller engages for credit rating services, risk reports, and commercial reports, including the services that manage files relating to the fulfilment or non-fulfilment of monetary obligations; d) authorised data processers and auxiliary services involved in the provision of the business’ goods and services; e) other legitimate interested parties and/or third parties provided for by law; f) public authorities and bodies exercising their competences.

For data processors (suppliers, auxiliary services, etc,) involved in the handling of our services who are registered in a third country, transfers are conducted within the European Economic Area with the proper appropriate guarantees and agreements between the parties to follow and comply with the provisions of European privacy regulations.

  1. What are your rights when you provide us with and/or we process your data?

As a data subject, at any time you may ask to exercise any of your following data protection rights:

  • Access to the personal data of data sujects to confirm whether or not data on them is being processed and obtain more information about said processing.
  • Rectification or Erasure of personal data concerning the data subject when, amongst other reasons, they are incorrect or are no longer necessary for the purposes for which they were collected.
  • Restrict processing of the data subject’s personal data in specific circumstances, in which case they will only be kept for the purpose of presenting or responding to claims, to protect the rights of other people, or for reasons of public interest.
  • Receive the personal data concerning you, which you have previously provided to us, in a structured format, where possible. (Data portability).
  • Object to the processing of your data in certain circumstances and for reasons linked to your personal situation. The company will stop processing your data, except for legitimate compelling reasons, or in the presentation of or response to possible complaints.
  • Withdraw your consent, which may lead to the annulment or cancellation of the existing business or contractual relationship, if applicable, without prejudice to the processing conducted prior to the withdrawal of consent.

To do so, you have to contact us via the email or postal addresses stated at the beginning of this document.

You can also contact our designated data protection officer or the Data Protection Agency to find out more about your rights or request the supervisory authority safeguard said rights.

  1. Data security

In our IT system we implement the necessary technical and organisational measures to ensure an appropriate level of data confidentiality, integrity, availability, and resilience.

Nevertheless, as far as permitted by law, we do not bear any responsibility for the damages or harm caused by third-party interference in our IT system. Any breach of security will be suitably and immediately reported to the competent authority and/or State security forces or services.

  1. Sending communications or information

Our policy on the sending of information electronically (email, instant messaging, etc.) is limited to sending only messages which we deem may be of interest to our users and interested parties concerning the work and activities of the business or which you have given your consent to receive.

If you would prefer not to receive these messages, we offer you the option to exercise your right to cancel and withdraw from receiving these messages, in accordance with the provisions of Title III, article 22 of Law 34/2002 on Information Society Services and Electronic Commerce.

  1. Social media

The data controller may be active on social media through the relevant profiles. This section and any other legal terms and conditions and privacy terms and conditions on the website are applicable for the processing of data from users who follow or in some way connect with said profiles.

The data controller uses these profiles for the purposes of communication, business development, marketing, and advertising.

Users who follow and/or interact with out profiles shall abstain from:

  1. Publishing content or information that breach the Law, decency, and good faith. Any illegal, harassing, inappropriate use or behaviour that may create negative opinions of the profile or that threaten the rights of individuals are forbidden.
  2. Behaving in a manner that violates the principles of legality, integrity, responsibility, protection of human dignity, child protection, protection of public order, protection of private life, consumer protection, and intellectual and industrial property rights.

The data controller reserves the right to withdraw any content they deem inappropriate with no prior notice. Likewise, they exempt themselves from any responsibility linked to the relevant security measures on each platform. The user is responsible for making themselves aware of them and the platform’s legal terms and conditions of use.

  1. Controller’s Channel

The data provided by any data subject via the methods available on our Data Controller’s Channel shall be processed on the basis of informed consent, the controller’s legitimate interest, and compliance with legal obligations.

The purpose of processing will be the management and monitoring of possible messages and complaints pursuant to the conditions set forth for the operation of the Data Controller’s Channel.

The data of any data subject or affected party, who sends a message or files a complaint, of workers, and third parties will be kept solely for the time required to determine whether investigation is necessary. In any case, the information provided will be deleted to ensure confidentiality when the periods set out in law for the preservation or storage of evidence expire.

No automated decisions or profiles shall be made on the information and data collected.

The data may be disclosed to third parties when doing so is required to take disciplinary measures or to manage any legal proceedings, where appropriate.

Data subjects may exercise their data protection rights under the terms and conditions detailed in this privacy policy.

Users must be aware that the information and data they provide are confidential and reserved.

  1. Work with us

Any person wishing to access job postings may provide their details and professional information to the data controller via the various channels. The preferred option would be the “work with us” section.

These data shall be processed in accordance with the privacy terms and conditions in this document for the purpose of managing applications for any possible job postings by the controller’s organisation or subsidiaries or companies belonging to the same business organisation.

Processing shall be carried out based on the informed consent of the data subject and other valid legitimate bases.

Any data provided, if it is of no professional interest to the organisation or when it is no longer necessary for the purposes for which it was collected, shall be deleted to ensure the confidentiality thereof.

Data subjects may withdraw their consent and exercise their data privacy rights in accordance with the terms and conditions set out in this privacy policy.