With this privacy policy, we inform you about the processing of personal data that you provide or will provide during your browsing, in case you continue browsing. It also includes our data protection policy for cases where there is an explicit reference to it.
In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), as well as Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights, we inform you of the following:



The Data Controller is the business entity GRUPO HAFESA SUMINISTROS ENERGÉTICOS , S.L. with

Tax ID (CIF) B95840583 and registered in the Mercantile Registry of Madrid, Folio 159, Volume 34623, Sheet M- 622897 Registration NA, for the processing of personal data handled through the website:

Contact details for data protection purposes:

Address: Calle Orense 34, Edificio Norte, Planta 1a izda 28020 Madrid (Spain)

Phone: +34 917839410




The processing of your data pursues the following purposes, with their corresponding
legitimization as outlined below. (*) In cases where it is necessary to fill out a form and click the send button to make a request, completing the form will necessarily imply that you have been informed and have expressly given your consent and acceptance of the privacy policy.
All our forms have checkboxes that must be marked in order to access the services offered..

1. Website contact:

Purpose: Send you the requested information and answer any questions you may have asked through the contact sections provided on the website.

Legal basis: The legal basis is the consent given.

2. Curriculum:

Purpose: To participate in selection processes that we may carry out. If we receive your resume through the website’s form, we may include it in our staff selection processes. For this purpose, you authorize us to analyze the documents you submit with the goal of evaluating your candidacy and, if applicable, offering you a job position. If you are not selected, we may store your Resume to include it in future calls for up to one year, unless you indicate otherwise.

Legal basis: Express consent when you send us your curriculum.

3. Use of Cookies:

Purpose: While browsing our website, we may collect information through cookies embedded in it. The purpose is to gain insights into how users use our website, which allows us to improve it and/or perform performance analytics. The aforementioned data is stored using cookies and is subject to objections to the processing of this data, as detailed in the Cookie Policy. You can consult the Cookie Policy in the corresponding section of our website.

Your browsing information may be stored using Google Analytics, so we refer to Google’s Privacy Policy, as it collects and processes such information:

Similarly, our website may provide the utility of Google Maps, which could access your location, if you allow it, in order to provide you with more specific details about the distance and/or routes to our establishments. In this regard, we refer to the privacy policy used by Google Maps, in order to understand the use and processing of such data:

Legal basis:

  • The legal basis for the processing of data through cookies, in the case of technical cookies, that is, those that are essential for navigating this website and receiving the service offered through it, the legal basis for their use is the agreement through which you decide to use this website and utilize its services.
  • The legal basis for the use of the rest of the cookies is the user’s consent, which is requested at the time of accessing this website, and can be revoked at any time. The withdrawal of such consent will not affect the ability to navigate this website and use its services, but the data processing carried out previously will not lose its legality by the fact that the consent has been revoked.

4. Social media Contacts:

Purpose: The website may host other applications or social networking services with the purpose of facilitating content sharing. Any personal information provided by the user may be shared with other users of that service, over whom we have no control.

We process your personal data with the purpose of (i) answering your inquiries and requests, (ii) managing the requested service, interacting with you, and creating a community of followers.

The website may offer functionalities to share content through third-party applications such as LinkedIn, Twitter, Facebook, and YouTube. These applications may collect and process information related to the user’s navigation on different websites. Any personal information that is collected through these applications may be used by third-party users of them. Your interactions are subject to the privacy policies of the companies that provide these applications.

Legal basis:The legal basis for the processing of your data is the acceptance of the contractual relationship with the corresponding social network provider, manifested when you register in their application and in accordance with their privacy policies, which are external to us and beyond our control.

5. Exercise of data protection rights or claims:

Purpose:When your inquiry is related to the exercise of data protection rights, which we will inform you about later, or to claims related to our services, it is to address the user’s request or claim. In fulfilling these obligations, we may communicate your data to Public Administrations and courts, provided that such information is required in accordance with established legal processes.

Legal basis: The legal basis to process your data is compliance with legal obligations.

6. ETHICAL CHANNEL: If you use our ethical channel in an identified manner, the entity will process your personal data to handle your complaint within the framework of the Internal Information System management, in compliance with Law 2/2023 on Whistleblower Protection.

Legitimation: it is the consent of the interested party when voluntarily filing the complaint, and the fulfillment of a legal obligation.
In case of the existence of services or applications, these will contain their specific conditions with specific provisions regarding the protection of personal data. Reading and accepting them prior to requesting the service in question is essential.


For the purposes outlined in the previous section, a set of personal data is processed which we can divide into the following sources:


  • Data provided directly by the user: As sent through the different forms available on the website or any other means at their disposal.The user guarantees that the data provided for the delivery of the requested services truthfully reflects their actual situation and will communicate any modification affecting them. Consequently, the user will be liable to the Provider for any damages caused as a result of failing to fulfill the obligations assumed in this clause.
  • Data collected indirectly: All those data which, if consent has been given, are collected by the Provider from external sources.
  • Data derived from the provision of the service itself: All those data collected during the provision of the service.
  • Data derived from the Ethical Channel: It is informed that data may be collected either anonymously or identified, at the choice of the complainant, providing the required data. For more information, you can read our MANAGEMENT PROCEDURE OF THE INTERNAL INFORMATION SYSTEM.


The data you provide will generally be kept as long as there is a relationship that binds us or you do not exercise your right to erasure, opposition, and/or limitation of the processing, in which case, the information will be blocked without further use beyond its conservation, while it may be necessary for the exercise or defense of claims or some type of liability that needs to be addressed.

Once this period has passed, the data will be deleted in accordance with the data protection regulations, which implies their blocking, being available only at the request of judges and courts, the Public Prosecutor’s Office, or the competent Public Administrations, particularly the Data Protection Authority, during the limitation period of the actions that could arise, to be subsequently eliminated.

The limitation periods vary depending on the type of service; for illustrative purposes, generally, the limitation period for most personal civil actions is 5 years.
In addition to the general treatment mentioned in the previous point, the following specifics regarding data retention will be observed:
Customer Data: retention period of 4 years (Art. 66 and subsequent of the General Tax Law), and 6 years for accounting books and invoices (Art. 30 of the Commercial Code).

  • Data contained in curricula vitae: a maximum of one year for future selection processes unless stated otherwise.
    Data supplied for the purpose of receiving communications of interest: from the time the User gives their consent until it is withdrawn.

Ethical Channel:
The data must be retained only for the time necessary to investigate the facts, unless from this investigation certain measures against the accused are derived, in which case it would be possible to keep the data for a longer period. However, generally, the data will be deleted three months after the complaint is filed, except for an extension of the investigation period by another three months, the purpose being to preserve evidence of the operation of the ethical channel, or if judicial proceedings or investigations by competent authorities arise from it.


Data protection regulations grant you a number of rights related to the data processing our services involve, which can be summarized as follows:

  • Right of access: Know the type of data we are processing and the characteristics of the processing we are carrying out.
  • Right to rectification: Be able to request the modification of your data due to their being inaccurate or untrue.
  • Right to portability: Be able to obtain a copy in an interoperable format of the data that are being processed.
  • Right to restriction of processing, in those cases defined in the Law.
  • Right to erasure: Request the erasure of your data when the processing is no longer necessary.
  • Right to object: Request not to be sent commercial communications in the stated terms.
  • Right to withdraw the consent given.
  • In the case of cookies, these rights may be exercised subject to the limitations derived from the nature of these files.

To exercise these rights, you must send an express request, together with a copy of your ID card or similar ID document (in case we are not able to identify you) using the means stated below. If once the request has been made, you do not receive an answer in due time and form from us, or you find it unsatisfactory, you are informed that the appropriate control authority is the Spanish Data Protection Agency (

  • E-MAIL to the address with subject Data Protection and Right you wish to exercise. This request must be sent from the email address that you included in our forms. Otherwise, it will not be displayed, due to our considering that your identity has not been sufficiently established.

On the website of the Spanish Data Protection Agency (AEPD) you will find a number of templates that will help you exercise your rights.


Users are expressly informed that their personal data will not be transferred to third parties, except as required by law. Any exception to this rule will require your prior informed and unequivocal express consent.


In fulfilling these obligations, we may communicate your data to Public Administrations and courts, provided such information is required in accordance with established legal processes.


If you contact our team through any of the social media profiles that GRUPO HAFESA makes available to users, in addition to providing us with your data, you will also be providing it to the entities responsible for that particular social network. To understand the use and processing that these entities make of your data, we advise you to carefully read the privacy policies of the active social networks you use.

Ethical Channel: Access to personal data contained in the Ethical Channel will be limited, within the scope of their competencies and functions, exclusively to

  • a) The person responsible for the Whistleblowing Channel and those who manage it directly.
  • b) The head of human resources or the competent body duly designated, only when disciplinary measures against a worker may be taken.
  • c) The head of the entity’s legal services, if legal measures need to be taken in relation to the facts reported in the communication.
  • d) The data processors that may be appointed.
  • e) The data protection officer.
  • f) Courts and Tribunals, Public Prosecutor’s Office, when the facts may potentially constitute a crime.

Furthermore, you are informed that the entity has service providers for the provision of its services with whom the corresponding data processing agreements have been signed, which regulate the processing of personal data by them, with the legally established limitations.


In accordance with the provisions in the regulations in force on personal data protection (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and Organic Law 3/2018 of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights), we comply with all the provisions for the processing of the personal data we are responsible for as well as the principles described in Article 5 of the GDPR, under which personal data are processed in a lawful, fair and transparent manner with regard to the data subject, and  are adequate, relevant and limited to what is necessary in connection with the purposes for which they are processed.

The website uses HTTPS (secure connection). This is a security protocol that makes your data travel in a safe and secure manner, that is, the transfer of data between a server and the web user, as well as the feedback, is totally encrypted.

We guarantee that we have implemented appropriate technical and organizational policies to apply the security measures established in the GDPR and the LOPDGDD to protect your rights and freedoms, and provided all the necessary information for you to exercise your rights. We have installed all the means and technical measures available to us to prevent the loss, misuse, alteration, unauthorized access and theft of the personal data you provide to us. Nevertheless, you must be aware of the fact that security measures on the Internet are not impregnable.


Minors (children under 14) cannot use the services available through the website without the prior authorization from their parents, guardians or legal representatives, who will be solely responsible for all the actions carried out on the website by the minors in their care, including filling in forms with the personal data of said minors and checking, where appropriate, the boxes that go with them. We assume no responsibility for the truthfulness and accuracy of the data they may enter.

The processing of the personal data of a minor can only be based on their own consent when they are over fourteen years of age.

An exception is made in those cases in which the law requires the attendance of those who hold the parental authority or guardianship to carry out the legal action or transaction in whose context the consent for the processing is sought.

The processing of data of children under 14, based on consent, will only be lawful if it can be proved that it has been given by those who hold parental authority or guardianship, within the scope determined by those who hold parental authority or guardianship.


We reserve the right to modify this Privacy Policy, either totally or partially, by posting the changes on the Website. Likewise, we may change, delete or add, without prior notice, both the content and the services provided, as well as the way in which they are presented. Consequently, the general conditions/policies posted at the time you access the site will be understood as in force at that time; therefore, you should read them regularly.

Regardless of the above, we may terminate, suspend or interrupt at any time, with no prior notice, the access to the contents of the Website, without the User being entitled to any kind of compensation.