Privacy and Personal Data Protection Policy

Our aim is to guarantee the fundamental right to the protection of personal data of all natural persons who are related to the Repsol Group companies¹, ensuring respect for the right to honor and privacy in processing different types of personal data.

Our commitments

We are committed to protecting the privacy of our customers, employees, and business partners², and the processing of their personal data. We will carry out all our activities in accordance with the legislation of the countries in which we operate, taking into account the spirit and purpose of the law, and in complying with the following general principles for the processing of personal data:

Principle of lawfulness, legality, and fairness of personal data processing. Collect and process personal data for specific, explicit, and legitimate purposes, with any processing subsequent to its collection that is incompatible with such purposes being prohibited. In cases where it is mandatory to obtain explicit consent, the interested parties must give unequivocal, free, and specific consent before their data is collected.
Principle of minimization. Only process the personal data that is strictly necessary and suitable for the specific purpose or purposes for which it has been collected.

Principle of accuracy. Ensure the accuracy and updating, if necessary, of the personal data that is processed. Otherwise, delete or rectify it.
Principle of storage limitation. Not keeping personal data beyond the period necessary to satisfy the purposes for which it was collected, except in those cases permitted by law.
Principle of transparency and information. Process personal data in a transparent way in relation to the interested party by providing information about the processing of their data in an understandable and accessible way using simple and clear language.
Principle of source legitimacy. Not obtaining personal data from illegitimate sources, from sources that do not guarantee the origin, or from sources whose data has been collected or transferred by infringing the law.
Principle of integrity and confidentiality. Establish adequate technical and organizational methods that ensure the protection of the personal data and prevent its loss, destruction, or accidental damage.
Principle of accountability. Establish adequate technical and organizational privacy measures by design and default to guarantee compliance with the legislation on personal data and ensure the traceability of decision-making processes related to its processing.
Hiring processors. Prior to hiring, as well as for the duration of the term of the contractual relationship, certify the application of due diligence measures and ensure that the service provider who accesses personal data that is the responsibility of our companies has been adequately assessed, selecting exclusively those who offer the guarantees required by law.
International transfers. Before an international data transfer³, carry out an evaluation of the impact on privacy and the local legislation of the country where the data is intended to be exported, in order to comply with the regulations of the European Union.
Rights of the interested party. Allow the interested parties to exercise their rights of access, rectification, cancellation, limitation of treatment, portability, and opposition that are applicable in each jurisdiction by establishing the necessary internal procedures for this purpose.

^{1 Companies belonging to the Repsol Group: The companies over which Repsol S.A. has direct or indirect management control.}

^{2 Business partners: partners, contractors, suppliers, agents, distributors, non-operated joint ventures, and other collaborating companies.}

^{3 Processing of personal data subject to European Union regulations for data processed outside the European Union.}

Our companies will encourage that the principles included in this Policy be taken into account (i) in the design and implementation of all procedures that involve the processing of personal data, (ii) in the products and services offered by them, ( iii) in all contracts and obligations that they formalize with individuals, and (iv) in the implementation of any systems and platforms that allow access by Repsol Group or third party professionals to personal data and its collection or processing.

This Policy will be applicable to Repsol, S.A.; to the Group's other companies; to its administrators, managers, employees; as well as to everyone who is related to the entities belonging to it.