- Principle of accuracy. Ensure the accuracy and updating, if necessary, of the personal data that is processed. Otherwise, delete or rectify it.
- Principle of storage limitation. Not keeping personal data beyond the period necessary to satisfy the purposes for which it was collected, except in those cases permitted by law.
- Principle of transparency and information. Process personal data in a transparent way in relation to the interested party by providing information about the processing of their data in an understandable and accessible way using simple and clear language.
- Principle of source legitimacy. Not obtaining personal data from illegitimate sources, from sources that do not guarantee the origin, or from sources whose data has been collected or transferred by infringing the law.
- Principle of integrity and confidentiality. Establish adequate technical and organizational methods that ensure the protection of the personal data and prevent its loss, destruction, or accidental damage.
- Principle of accountability. Establish adequate technical and organizational privacy measures by design and default to guarantee compliance with the legislation on personal data and ensure the traceability of decision-making processes related to its processing.
- Hiring processors. Prior to hiring, as well as for the duration of the term of the contractual relationship, certify the application of due diligence measures and ensure that the service provider who accesses personal data that is the responsibility of our companies has been adequately assessed, selecting exclusively those who offer the guarantees required by law.
- International transfers. Before an international data transfer3, carry out an evaluation of the impact on privacy and the local legislation of the country where the data is intended to be exported, in order to comply with the regulations of the European Union.
- Rights of the interested party. Allow the interested parties to exercise their rights of access, rectification, cancellation, limitation of treatment, portability, and opposition that are applicable in each jurisdiction by establishing the necessary internal procedures for this purpose.
1 Companies belonging to the Repsol Group: The companies over which Repsol S.A. has direct or indirect management control.
2 Business partners: partners, contractors, suppliers, agents, distributors, non-operated joint ventures, and other collaborating companies.
3 Processing of personal data subject to European Union regulations for data processed outside the European Union.