Privacy and Personal Data Protection Policy
Our aim is to guarantee the fundamental right to the protection of personal data of all natural persons who are related to the Repsol Group companies[1], ensuring respect for the right to honor and privacy in processing different types of personal data.
Our commitments
Repsol is committed to protecting the privacy of its customers, employees, and business partners[2], and the processing of their personal data. It will carry out all its activities in accordance with the legislation of the countries in which it operates, taking into account the spirit and purpose of the law, and in compliance with the following general principles for the processing of personal data:
Collect and process personal data for specific, explicit, and legitimate purposes, with any processing subsequent to its collection that is incompatible with such purposes being prohibited.
In cases where it is mandatory to obtain explicit consent, the interested parties must give unequivocal, free, and specific consent before their data is collected.
Only process the personal data that is strictly necessary and suitable for the specific purpose or purposes for which it has been collected.
Ensure the accuracy and updating, if necessary, of the personal data that is processed. Otherwise, delete or rectify it.
Do not keep personal data beyond the period necessary to satisfy the purposes for which it was collected, except in those cases permitted by law.
Process personal data in a transparent way in relation to the interested party by providing information about the processing of their data in an understandable and accessible way using simple and clear language.
Do not obtain personal data from illegitimate sources, from sources that do not guarantee the origin, or from sources whose data has been collected or transferred by infringing the law.
Establish adequate technical and organizational methods that ensure the protection of the personal data and prevent its loss, destruction, or accidental damage.
Establish adequate technical and organizational privacy measures by design and default to guarantee compliance with the legislation on personal data and ensure the traceability of decision-making processes related to their processing.
Prior to hiring, as well as for the duration of the term of the contractual relationship, certify the application of due diligence measures and ensure that the service provider who accesses personal data that is the responsibility of the Repsol Group companies has been adequately assessed, selecting exclusively those who offer the guarantees required by law.
Before an international data transfer[3], carry out an evaluation of the impact on privacy and the local legislation of the country where the data is intended to be exported, in order to comply with the regulations of the European Union.
Allow the interested parties to exercise their rights of access, rectification, cancellation, limitation of treatment, portability, and opposition that are applicable in each jurisdiction by establishing the necessary internal procedures for this purpose.
The Repsol Group companies will encourage that the principles included in this Policy be taken into account (i) in the design and implementation of all procedures that involve the processing of personal data, (ii) in the products and services offered by them, (iii) in all contracts and obligations that they formalize with individuals, and (iv) in the implementation of any systems and platforms that allow access by Repsol Group or third party professionals to personal data and their collection or processing.
This Policy will be applicable to Repsol, S.A.; to the Group's other companies; to its administrators, managers, employees; as well as to everyone who is related to the entities belonging to it.
This policy was approved by Repsol's Executive Committee on November 22, 2022.
[1] Companies belonging to the Repsol Group: The companies over which Repsol S.A. has direct or indirect management control.
[2] Business partners: partners, contractors, suppliers, agents, distributors, non-operated joint ventures, and other companies with which it collaborates.
[3] Processing of personal data subject to European Union regulations for data processed outside the European Union.