Privacy Policy

General Information

Through this Privacy Policy, UNESID aims to demonstrate its commitment to compliance with regulations and legislation derived from the processing of information necessary for the provision of its services and the use of Information and Communication Technologies. In particular, UNESID expresses its commitment to compliance with regulations aimed at the protection of personal data. In this regard, the main reference frameworks are:

Reglamento (UE) 2016/679 del Parlamento Europeo y del Consejo, de 27 de abril de 2016, relativo a la protección de las personas físicas en lo que respecta al tratamiento de datos personales y a la libre circulación de estos datos (RGPD)

Ley Orgánica de Protección de Datos (LOPD)

Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico (LSSI)

This declaration applies to any website, application, product, software, or service belonging to UNESID that is linked to it (together, our “Services”). Occasionally, a service may be linked to a different privacy statement, which will list the specific privacy practices of that service.

This policy may be periodically updated, so we encourage you to access and review it. In case of making changes that we consider significant, we will inform you through a notice on the relevant services or contact you through other means such as email.

Information and Personal Data We Collect

Personal information refers to any information related to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, especially by reference to an identifier, such as a name, an identification number, location data, online identification, or one or more specific factors of the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

We collect, store, and process the information (particularly personal data) necessary for the provision of our services. In particular, the information we collect includes:

  • Customer information necessary for the development of our services, including identification and contact information, economic and banking data, necessary to provide our services and for our operational and business purposes. Although most of this information is business-related, personal data may be included, mainly concerning the contact personnel of our client companies.
  • For the proper development of these services, UNESID staff may have access to information and personal data contained in the files of our client companies. In these cases, UNESID will commit to maintaining the confidentiality and security of such data, adhering to the necessary confidentiality commitments and external processing contracts.
  • Upon request for consent from the data subjects, UNESID may send commercial or informative communications via email, such as newsletters, for which the identification and contact data provided directly by the interested party will be used. Specific mechanisms for disabling the receipt of these communications will be indicated in such dispatches.
  • Similarly, we will collect information, including personal data (mainly identification and contact data), through our website, whenever contact or information request mechanisms are used.
  • We also collect personal information from third parties such as our collaborators, service providers, and publicly available websites, to offer services that we believe may be of interest and to help us maintain accuracy in data and offer and improve services.
  • Internally, UNESID collects, stores, and processes personal data of its employees and collaborators, necessary to maintain the employment relationship with workers and comply with legal obligations in this regard.

How We Protect Information and Personal Data

UNESID is highly committed to the security of the information we handle and compliance with the legal requirements applicable to us. In this sense, to ensure the confidentiality, availability, and integrity of both the information we handle (and, in particular, personal data) and the systems, networks, applications, and databases used for their processing, UNESID:

  • Periodically conducts risk assessments associated with information security and the protection of personal data, analyzing our risk situation and defining action plans accordingly.
  • Has defined an Information Security and Data Protection Policy that must be complied with by the different parties involved in information processing.
  • Has developed Access Control, Systems and Communications Security, Incident and Security Violation Management, and Information Backup Procedures.
  • Has developed awareness and training actions necessary to ensure compliance with these policies and procedures.


In case you, as a user or affected party, detect any security incident or violation, or any vulnerability that may be affected, UNESID makes available to the affected parties the email address:  , through which appropriate or necessary communications can be made for the improvement of the security of our information and systems.

Rights of Data Subjects

UNESID has enabled the necessary means to comply with the right to information and obtain consent where necessary to ensure the legality of the processing of personal data. At the time of collection or gathering of information, UNESID undertakes to inform the data subjects about the identity of the controller, the purpose, possible communications or transfers, and the possibility of exercising the rights recognized by the regulations.

UNESID recognizes and guarantees the exercise of the rights of access, rectification, cancellation, opposition, limitation of processing, and portability, as provided by data protection regulations.

Right of Access

You can obtain confirmation as to whether your data is being processed, and if so, you have the right to access the following information regarding the processing of your data:

  • The purposes of the processing.
  • The categories of personal data concerned.
  • The recipients or categories of recipients to whom the personal data may be disclosed.
  • The envisaged period for which the personal data will be stored.
  • The existence of the right to request rectification, erasure, or restriction of processing.
  • The right to lodge a complaint with a supervisory authority.
  • When personal data has not been obtained from the data subject, any available information about its source.
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  • When personal data is transferred to a third country or an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

Right to Erasure

  • You can obtain the erasure of your data when one of the following circumstances occurs (provided the data does not comply with any of the requirements set out in the regulations: that they are data of general interest, necessary for compliance with a legal obligation, or for the exercise of the right to freedom of expression, …):
  • The personal data is no longer necessary for the purposes for which it was collected.
  • The data subject withdraws consent given for the processing of the data.
  • The data subject objects to the processing, and there are no overriding legitimate grounds for the processing.
  • The personal data has been unlawfully processed.
  • Personal data must be deleted for compliance with a legal obligation that may be established.

Right of Rectification

  • You can modify inaccurate, incorrect, or incomplete data.

Right to Data Portability

You can receive your personal data from UNESID and transmit it to another controller when:

  • The lawfulness of the processing is based on the data subject’s consent or on the performance of a contract.
  • The processing is carried out by automated means.

Right of Objection

You can object to personal data concerning you being processed based on the performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller.

Right to Restriction of Processing

You can obtain from the controller the restriction of processing when one of the following conditions is met:

  • The data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the data.
  • The processing is unlawful, and the data subject opposes the erasure of the personal data and requests instead the restriction of its use.
  • The controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise, or defense of legal claims.


The data subject has objected to processing pursuant to the right to object.

Exercising These Rights

For the exercise of these rights, UNESID has provided the email address: , through which you can contact the organization to request the exercise of the rights recognized by the regulations. Similarly, these rights can be exercised through the postal address indicated in the first section.

For a proper exercise of these rights, we encourage you to use the templates and models for exercising rights that can be found on the website of the Data Protection Agency (

Additionally, we inform you of the possibility, if you believe that your rights have been violated or that appropriate action has not been taken regarding the requests for rights you may have made, to file the corresponding complaint with the Data Protection Agency, and you can contact it through its electronic headquarters accessible from its website (

What Information We Communicate or Transfer

As a general rule, from UNESID, we only communicate personal data to third parties or provide them with access to it in cases necessary to develop an adequate provision of the requested service, to comply with legal, tax, and corporate obligations, or for the development of certain processes or activities of the organization in a subcontracted manner (Data Access on Behalf of Third Parties).

In particular, we carry out communications and exchanges of information with banking entities, based on the services provided, to carry out the management of collections and billing of the services provided, the management of payments to service providers, or in compliance with legal, tax, and public duty requirements. Also, in compliance with these public duties, communications are made to other public administration bodies, such as Social Security or the Tax Administration.

On the other hand, at UNESID, we establish agreements, alliances, or collaborations with other entities that provide us with certain services or collaborate in the development of certain activities, being able to have access to the personal data we manage. This is the case, for example, with tax and labor advisory services to which access to personal data of our workers is granted for payroll management, compliance with public duties, or occupational risk prevention.

Additionally, we have certain subcontracted services on which we rely for the provision and development of our services. This is mainly the case with external hosting services (housing) or web hosting (hosting). For the provision of these services, the corresponding external processing contracts have been signed, ensuring compliance with the requirements of the regulations. It may be the case that these services are provided or require the intervention of entities or systems hosted in third countries. At UNESID, we ensure that, in cases where international data transfers are required, these are made to countries that demonstrate a level of security equivalent to European regulations. In this regard, the adequacy decisions of the European Data Protection Committee will be considered, or, failing that, certificates, corporate rules, contractual clauses, or any other recognized mechanism that demonstrates an adequate level of protection.

What Information We Retain

As a general rule, at UNESID, we only keep information and personal data for the time necessary to fulfill the purpose for which the data was obtained, as well as to address any claims or liabilities that may arise from the data processing. Generally, once the service provision is completed, the data is blocked, and no further processing is carried out on it beyond keeping it available to Public Administrations, Courts, and Tribunals, for the attention of possible responsibilities arising from the processing, during the prescription period of these, after which cancellation must be carried out. On the other hand, to determine data retention periods, UNESID considers local laws, contractual obligations, and the expectations and requirements of our clients. When we no longer need personal information, we delete or securely destroy it.