Confidentiality and Data Protection Policy

COMERCIAL IMPORTADORA GAFA, S.A. (hereinafter the Entity) is committed to due diligence and compliance with Data Protection regulations.

Below is detailed information on the Confidentiality and Personal Data Protection Policy in compliance with the provisions of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR) and Article 11 of Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPD GDD).

Details of the Data Controller and contact details of the Data Protection Officer / Data Protection Delegate (DPO / DPO):

  • Address / C. P.: Avda. Diagonal, 349 bis, 08035, Barcelona
  • Telephone: 934 584 504
  • E-mail:
  • DPO / DPO contact details:
  • Data Protection Channel:

Purposes of processing

The Entity will process the information provided by the interested parties for the following purposes:

  • Manage your attention, visit and meeting at our facilities.
  • To manage the provision and execution of the services and products contracted.
  • Manage any type of request, suggestion or request about our professional services made by the interested parties.
  • Informative and commercial communications: processing of your data in order to inform you about activities, articles of interest and general information related to our activity and the services / products contracted.
  • Manage data provided by candidates for a job through the Curriculum Vitae (CV) or other means for the purpose of the selection and recruitment process.
  • To guarantee the security of the offices, facilities and people through access controls, video surveillance systems and other access control/identification systems.
  • Comply with the legal provisions that apply to the Entity and its activities in terms of health, equality and occupational risk prevention.
  • Manage and control the functioning of the internal mechanisms, policies and protocols established by the Entity for the purposes of regulatory compliance and management of the complaints channels for this purpose.
  • All those treatments that are applicable to us for due compliance with the regulations and official / sectorial requirements to which our activity is subject.

For the proper purpose and development of your attention and management of the above purposes, the processing of your data for the purposes that correspond to those mentioned above will be carried out under the strictest compliance with the Data Protection regulations and the Policy that we are detailing. You may exercise your rights at any time (see specific section)

Data retention criteria

  • Management of services / products contracted with the Entity: the personal data provided in the contracts, offers and/or service proposals, as well as those of other persons whose intervention is necessary, will be kept for as long as the contracted services are in force. At the end of the provision of the contracted service/s, the personal data shall be kept in the event that liabilities may arise with the Entity and/or in compliance with other regulatory frameworks that are applicable to the Entity or a regulation with the status of law that requires the conservation of the same. The personal data will be kept in such a way as to allow the identification and exercise of the rights of those affected and under the legal and organisational technical measures necessary to guarantee the confidentiality and integrity of the same.
  • Curriculum Vitae Management: the Entity, as a rule, keeps its Curriculum Vitae for a maximum period of one year; at the end of this period, they will be automatically destroyed, in compliance with the principle of data quality.
  • Management of Employment Contracts: personal data will be kept, in any case, for as long as the employment relationship is in force and, at the end of the same, in those cases in which liabilities may arise between the parties and when required by a regulation with the status of law.
  • Others: the rest of the data and information provided by the user by any means will be kept for as long as is necessary to fulfil the purpose for which they were collected.


The legal basis that enables the Entity to process the personal data of users, customers, potential customers by virtue of the following titles:

  • The consent of the persons concerned for the processing and management of any request for information or enquiry about our services and products.
  • The consent given by job candidates for selection and recruitment purposes.
  • The framework for the provision and/or contracting of services/products with the Entity.
  • Legitimate interest in sending you information, commercial and/or promotional offers related to the Entity's activity and the services/products contracted via e-mail or any other means.
  • Compliance with legal obligations and internal regulatory compliance procedures.
  • Legitimate interest in guaranteeing the security of the offices, facilities and people.


No personal data will be passed on to third parties, except as provided for by law.


Personal data is collected directly from the persons concerned and from our partners. The categories of personal data provided to us are as follows:

  • Identification data.
  • Postal or e-mail addresses.
  • Data provided and/or consented to by the interested parties themselves related to and necessary for the management and performance of the service / product requested.


Right of Access, Rectification and Deletion: interested parties have the right to obtain confirmation as to whether or not the Entity is processing personal data concerning them. Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.

Right to Restriction and Opposition: in certain circumstances, data subjects may request that we restrict the processing of their data, in which case we will only retain the data for the purpose of exercising or defending claims. In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. The Entity will stop processing the data in this case, except for compelling legitimate reasons, or for the exercise or defence of possible claims.

Right to revoke consent: data subjects have the right to withdraw their consent at any time, except in the case of processing of personal data provided for in the Data Protection regulations or necessary for the provision of the contracted service, which does not require such consent. However, this withdrawal does not have retroactive effects, so it will not affect the lawfulness of the processing based on previously granted consent.

These rights may be exercised in our Data Protection Channel, whose access details are detailed at the beginning of this Policy.

Security and Control Measures


In compliance with data protection regulations, the Entity will process personal data by applying the appropriate technical, legal, organisational and security measures in order to guarantee the confidentiality and integrity of the information it manages in accordance with the provisions of the regulations in force.

Please inform the Data Protection Officer / Delegate by means of the contact details / Channel established in this Privacy Policy, of any security risk, of which you have indications or knowledge, which may compromise the integrity and confidentiality of personal data and/or confidential information, in order to be able to adopt the necessary measures to avoid its unauthorised processing, loss, destruction or accidental damage.


As a specific and complementary concept to the above, the Entity applies cybersecurity measures to prevent and manage possible attacks and fraud by cybercriminals that threaten the privacy and protection of the data that our Entity processes and accesses in the scope of its activities and operations.

In this regard, we would like to warn that in the event of possible situations of risk due to communications whose content and/or format generate doubts as to their authenticity, we recommend omitting them and contacting the Data Protection Officer / Delegate through the contact details indicated in this Privacy Policy.

Likewise, any request you receive from our Entity regarding changes in payment methods, requests for contact details or persons or confidential (non-public) information, bank and/or credit card details and/or other official details, should not be dealt with without direct confirmation from our Entity by an alternative means. We are grateful for and need your cooperation in communicating and reporting any notification of this type of request and other possible situations of risk of cyber-attacks in which our Entity may be used, as well as any possible security risk of which you may be aware.

Data Protection Channel

The Entity has implemented a Channel, contemplating the highest commitment, rigour and professionalism in terms of security, experience, independence and knowledge in the processing of the communications received.

The Channel, which includes the use in the field of Data Protection, has been implemented through a web platform, developed and managed by an independent external expert, to provide and guarantee our previous commitments.

Through the Channel, you may communicate and process the exercise of your Rights (see previous section) and communicate any indication or knowledge you may have of possible security breaches (breaches), cyber-attacks and/or possible breaches or irregularities regarding Data Protection regulations, this Entity's Policy and all the aforementioned aspects regarding confidentiality and company secrets.

The Channel access details are detailed at the beginning of this Policy.

Supervisory authority

In case of disagreement with the Entity in relation to the processing of your data, you have the right to lodge a complaint with the relevant Data Protection Supervisory Authority. In Spain, this Authority is the Spanish Data Protection Agency (

Attention and support

Interested parties may inform the Entity of any doubts regarding the processing of their personal data or the interpretation of our Policy by contacting the Data Protection Officer/Data Protection Delegate (DPO/DPD) at the address indicated at the beginning of this Policy.