DATA PROTECTION POLICY

In terms of data protection, we must take into account the provisions of both the GDPR and the LOPDGDD. The GDPR establishes that the processing of personal data of data subjects must be lawful, and for this purpose, it must be based on any of the legal bases provided in Article 6, with consent being the most common one. This consent must be a freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of their personal data, either by a statement or a clear affirmative action. The consent of the data subject must be given separately for each purpose of the processing. The data subject has the right to withdraw their consent at any time, and withdrawing consent should be as easy as giving it. The GDPR also provides, in Article 13, the duty of information, which means that, at the time when data is collected, the following information must be provided to data subjects, among others:

• Identity and contact details of the controller.
• Contact details of the data protection officer, if designated.
• Purposes of the processing and legal basis for the processing.
• Recipients or categories of recipients of the personal data.
• Intention of the controller to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or reference to appropriate safeguards and the means to obtain a copy of such safeguards or where they have been made available.
• Retention period for the personal data or, if not possible, the criteria used to determine this period.
• Existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, and the right to data portability.
• Existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• Right to lodge a complaint with a supervisory authority.

The LOPDGDD, on the other hand, establishes in its Article 11 that the duty of information may be fulfilled by providing the data subject with basic information and indicating another means that allows easy and immediate access to the remaining information. The basic information must include, at least, the following:

• Identity of the data controller and their representative, if applicable.
• Purpose of the processing.
• Possibility to exercise the rights established in the GDPR.

Furthermore, it is required that the information be provided in a concise, transparent, easily accessible manner, and in clear and simple language. All of the above means that, prior to processing personal data, the consent of users must be obtained. This consent must be freely given, specific, informed, and unambiguous. In addition, users must be informed of the terms and in the manner mentioned above, and the consent of users should be as easy to withdraw as it is to give. To achieve this, it is common to use the formula provided by the LOPDGDD, which was also recommended by the AEPD in its September 2018 report on Privacy Policies on the Internet. This formula is based on the following principles:

• Provide the user with an initial information at the bottom of the form itself called FIRST LAYER in which the basic information mentioned above is provided and, subsequently, include one or more check boxes so that they can give their consent for each processing operation as shown in the following image.
• Include a direct link to the location where the user can access additional information, which will be the Privacy Policy or "SECOND LAYER," as shown in the following images.