Privacy Policy

In accordance with the provisions of the applicable personal data protection regulations, we inform the User:

1. Personal Data Controller (*)

CEPSA COMERCIAL PETRÓLEO, S.A.U., (hereinafter CCP or Cepsa, indistinctly), with tax ID No.: A80298896, with registered office: Paseo de la Castellana 259 A, 28046 Madrid, Spain.

(*) If you have contracted products and/or services with COMPAÑÍA ESPAÑOLA DE PETRÓLEOS, S.A. (CEPSA) (Tax ID No.: A28003119), COMPAÑÍA ESPAÑOLA DISTRIBUIDORA DE PETRÓLEOS, S.A. (CEDIPSA) (Tax ID No.: A28354520), RED ESPAÑOLA DE SERVICIOS, S.A.U. (RESSA) (Tax ID No.: A25009192), CEPSA GAS Y ELECTRICIDAD, S.A.U. (CGE) (Tax ID No.: A-28142552), CEPSA GAS COMERCIALIZADORA, S.A. (CGC) (Tax ID No.: A-82485335, or GASIB SOCIEDAD IBÉRICA DE GAS LICUADO S.L. (Tax ID No.: B01668110), (any of them referred to hereinafter as “Cepsa”, indistinctly), which registered offices located at Paseo de la Castellana, 259 A, CP 28046 Madrid (Spain), each of the above-mentioned companies will be considered as the Data Controller.

2. Purpose of personal data processing

The personal data provided at contracting time, as well as those provided in the future as a result of their development, will be incorporated in a CEPSA personal data protection registry for the following purposes:
a) To provide, manage, control and maintain the contractual or commercial relationship requested;
b) Manage the creation of a Customer ID that is unique within the Cepsa Group.
c) Maintain a direct relationship with the client for advertising, promotional and/or statistical purposes (including the creation of profile segmentation to adapt the offers and marketing activities to each client), regarding the activities that CEPSA performs by conventional and/or electronic means (e-mails, SMS, receipt…). These communications may also refer to benefits or advantages relating to Cepsa or third-party companies, will always be communicated through Cepsa and will be based on partnership agreements in the following sectors: Leisure, travel, culture, credit cards and means of payment, automotive, transportation, insurance, distribution and financing, gifts, fashion, home, technology.
d) Perform market segmentation and customer profiling through analysis of the use of the services offered, with the aim to adapt the offers and marketing activities to each customer, offering customized products and services.
e) Provide the requested services and information, whether by means of the Internet, regular mail or telephone. Record telephone conversations made to customer Service, in order to ensure a better service quality. Additionally, emails may have delivery and read receipts.
f) Address any potential incidents that may occur, as well as develop satisfaction surveys on the contracted product or service. The customer may be contacted if any fraud or identity theft is detected or suspected.
g) Analyze the risk and compare or cross-check your data in order to verify the accuracy and truthfulness of the data in relation to the companies providing capital solvency, credit and fraud prevention services.
h) Where appropriate, manage the cash obligations compliance regarding non-payments that may occur from the customer. To this end, this economic information may be included in a Grupo Cepsa companies shared file for the same purposes. In this respect, the consultation of files relating to the non-compliance of cash obligations may lead Cepsa as a marketing company to take decisions with legal effect which may affect the client, and may result in the non-entry into force of the contract or condition the same to a payment guarantee. Nevertheless, CEPSA will always give the customer the possibility to allege everything he deems relevant in order to defend his right or interest.
i) Manage customer data as a website User.
j) Manage and maintain Customer data, if applicable, through the promotional benefits and advantages scheme, “Porque TU Vuelves,” as well as control, manage and maintain the relevant services. (For more information, read the “Cepsa GOW Club” terms and conditions at www.cepsagow.es).
k) In cases where the customer has registered on the website through social networks, validated his personal data, contact the customer if any fraud or identity theft is detected or suspected in the social networks, contact him and forward any personal communications and/or offers through customer profiling and/or conduct market segmentation, conduct behavioral advertising studies or to obtain statistical samples that can help the company improve the customization of the products and services offered to the same.

3. Third party personal data

In the event that the provided personal data was of a third party, the customer guarantees that he has informed the third party of this privacy policy and obtained his permission to provide Cepsa his data for the stated purposes. The Participant also confirms that the data provided is accurate and up-to-date, and assumes liability for any loss or damages, whether direct or indirect, that may be incurred as a result of non-compliance with this obligation.

4. Personal data storage period

The personal data provided shall be kept until the contractual relationship is maintained, its deletion is not request by the interested party and should not be deleted for the fulfillment of a legal obligation or for the formulation, exercise and defense of claims.

If the customer revokes his consent or exercises his rights of cancellation or deletion, his data shall be kept blocked at the disposal of the administration of justice within the time limits legally established to meet the possible responsibilities derived from the processing of the same.
5. Legitimacy for personal data processing

Legitimacy for data processing is based on:

a) The customer has provided his personal data for precontract or contractual relations, and therefore the processing is necessary for the maintenance of this relationship.
b) The legal obligations applicable to Cepsa that require the processing of personal data according to the services provided.
c) CEPSA legitimate interest in processing the same is the strictly necessary for the prevention of fraud during the duration of the contract, or to send commercial communications directly related to the contracted services.
d) The Customer’s consent for all other scenarios, including sending commercial communications for third-party products, services, benefits and/or advantages, always through Cepsa, for advertising or promotional purposes, for the installation of tracking systems that report on browsing habits according to the Cookie Policy, or for the use of information related to the Customer’s geographical location. The withdrawal of this consent will never affect the performance of the main contract.

6. Origin of the personal data

The personal data that Cepsa will process is for the provision of the contracted services which have been provided mainly by the customer during the contracting process, such as name, surname, address, contact data, means of payment data. The customer is responsible for its accuracy and updating.

Furthermore, Cepsa may also obtain information collected through the web, as well as the use of the contracted services, such as statistics or navigation data, or in its case, of interests and consumption through the Cepsa program “Cepsa GOW Club”.

Also, if the customer has registered in the website through social networks, CEPSA will be able to obtain public information available on the internet such as his username, sex, date of birth, “likes”, clicks, “tweets”, number of followers, number of users followed, profile and location information (if it was declared by the User). In the case of Facebook, the customer may select from the requested permissions those that do not wish to provide.
CEPSA will use an authentication token system (an encoded security key that facilitates access to the network) for User identification or registration and can make the access to the private customer area easier

In no case data from third parties will be collected from the User. The customer data will be entered by the same on the social networks and behavioral analysis and market segmentation will be obtained from comments or “tweets” automatically without human intervention. The customer is informed of the possibility of editing the information he wants to share with CEPSA, allowing a wider access or restricting the information he wants to share, as well as the possibility to revoke the consent given at any given time.

Furthermore, data from the client’s device or terminal may be collected, provided that he has granted its consent for this, in order to facilitate the provision of services, to perform advertising activities and to provide him with personalized and appropriate information according to his location. The customer may at any time disable the access to geolocation data, as well as revoke the consent provided for his geolocation, by configuring the settings on his device or terminal.

7. Transfers and recipients of personal data

All data assignments which Cepsa will perform are necessary for the fulfilment of the stated purposes, or are performed in order to fulfil a legal obligation regarding the following companies and public organizations:
1. If necessary, to companies of the Cepsa Group, which can be consulted at www.cepsa.com for administrative purposes and management of the relationship with the client, based on CEPSA’s legitimate interest to that effect. The legitimate interest for the aforementioned purpose of assignment would consist of guaranteeing better organization and optimization, as well as unified management of the resources of the business group in cases in which, internally, it is necessary for the effective execution of the activity undertaken in the Website.
2. Government agencies and the judiciary.
3. Companies providing financial solvency services, credit and fraud prevention, for risk analysis and to collate or analyze data in order to verify the accuracy and veracity of the same and companies providing payment services.
4. Insurance, reinsurance, guarantee funds companies or any other third party acting as a guarantor of the risk or transactions when the customer uses Cepsa means of payment, in case the issuer of the payment means has agreements with the companies indicated and for the sole purpose of identifying his registration as a Cepsa cardholder.
5. Where appropriate, distribution companies, in order to manage access to the network, customer’s identity, address, consumption and non-payment situations, said data being incorporated in the supply points information system file, under the responsibility of the distribution company.
6. Companies and entities collaborating with Cepsa, for the organization, management and/or promotion of requests, competitions, events, special offers, and prize draws, in the event that the Participant has decided to register and/or take part in them.
7. CEPSA suppliers who, where appropriate, are contracted to measure web traffic and user behavior by means of cookies and similar systems, in accordance with the Cookies Policy, and who will act as data processors.

No international transfer of users’ personal data is foreseen. However, in the event of any international transfer, it will be carried out in compliance with the criteria and requirements of the regulations in force, through the adoption of appropriate legal guarantees, which may consist of the formalization with the recipient of the data of (i) Standard Contractual Clauses approved by the European Commission to legitimize the international transfer of data to third countries or (ii) in another valid legal instrument that allows guaranteeing an adequate level of protection equivalent to that of the European Economic Area.
Further information on international transfers can be obtained by contacting our DPO at dpo@cepsa.com

8. Customers’ Rights

Customers may exercise before Cepsa, where applicable, their rights to access, rectification, erasure, restrict processing, object, portability and objection to automated decision making and profiling. He may also revoke his consent if he has granted it for any specific purpose, and may modify his preferences at all times.

Customers may exercise their rights through the following email address: derechos.arco@cepsa.com , or at the registered offices of Cepsa. (Ref.: Data Protection-Legal Advice), at Paseo de la Castellana, 259 A, 28046-Madrid (Spain). Customers are likewise informed that Cepsa has appointed a Data Protection Officer (DPO) who can be contacted by email dpo@cepsa.com and who can address any type of complaint regarding personal data protection before the Spanish Data Protection Agency www.aepd.es , the Spanish Control Authority.

Last update: July 2021