Privacy Policy


This Privacy Policy has been drawn up taking into account the prevailing Organic Data Protection Act, and also Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the movement of such data, hereinafter GDPR.

The purpose of this Privacy Policy is to inform the owners of the personal data about which information is being collected, specific considerations concerning the processing of their data, including, inter alia, the purposes of the processing, the contact details for exercising the rights to which they are entitled, and the time limits for storing the information and the security measures.

Data Controller

In terms of data protection, Tuncalya, S.L. must be considered the Data Controller in relation to the files/processing identified in this policy, specifically in the Data Processing section.

The details of the owner of this website are as follows:

Data Controller: Tuncalya, S.L.
Postal address: Poligono Industrial Pagatza – P4 20690 Elgeta (Gipuzkoa)

Data processing

The personal data requested, if any, consist only of those strictly necessary to identify and address any requests made by the owner of such data, hereinafter the data subject. Such information shall be processed fairly, lawfully and transparently in relation to the data subject. Personal data will be collected for specific explicit and legitimate purposes and will not be further processed in a manner incompatible with those purposes.

The data collected from each data subject shall be adequate, relevant and not excessive in relation to the relevant purposes for each case, and shall be updated whenever necessary.

Before the data owner’s data are collected, they will be informed about the general points regulated in this policy so they can give their express, accurate and unequivocal consent for the processing of their data, in accordance with the following considerations.

Purposes of processing

The explicit purposes for which each data processing is carried out are set out in the informative clauses included in each of the data collection channels (web forms, paper forms, telephone statements or posters and information sheets).

However, the data subject’s personal data will be processed solely to provide them with an effective reply and to meet the user’s requests, specified together with the option, service, form or data collection system used by the owner.


As a general rule, before processing personal data, Tuncalya, S.L. obtains express and unequivocal consent from the owner of such data, by adding informed consent clauses in the different data collection systems.

However, if the data subject’s consent is not required, the legitimate basis for the processing by Tuncalya, S.L. is the fact that there is a specific law or regulation that authorises or requires the processing of the data subject’s data.


As a general rule, Tuncalya, S.L. does not transfer or communicate data to third parties, except those legally required. However, if necessary, the data subject will be informed of such data transfers or communications through the informed consent clauses contained in the various channels for collecting personal data.


As a general rule, personal data are always collected directly from the data subject, although, in certain exceptions, data may be collected through third parties, entities or services other than the data subject. The data subject will be informed of this way in which personal data is collected through the informed consent clauses which appear in the various data collection channels and within a reasonable period of time, once the data has been obtained, and at the latest within one month.

Storage periods

The information gathered from the data subject will be kept as long as it is necessary to fulfil the purpose for which the personal data were collected, and thus, once the purpose has been fulfilled, the data will be cancelled. Once cancelled, the data will also be blocked, and will only be kept at the disposal of the Public Administrations, Judges and Courts, to deal with any possible liabilities arising from the processing, during the statute of limitations period, and once this period has expired, then the data will be permanently erased.

As a guideline, the mandatory legal data storage periods for different types of data are set out below:

Documents of a labour-related nature or which concerns the fulfilment of Social Security registration obligations 4 years Article 21 of Royal Legislative Decree 5/2000, of 4 August, approving the consolidated text of the Social Infringements and Sanctions Act
Accounting and tax documentation for commercial purposes 6 years Art. 30 Code of Commerce
Accounting and tax documentation for fiscal purposes 4 years Articles 66 to 70 General Tax Act
Building access control 1 month Guide on the use of video cameras for security and other purposes of the Spanish Data Protection Agency (AEPD)
Registration of working day 4 years Labour legislation
Video surveillance 1 month Guide on the use of video cameras for security and other purposes of the Spanish Data Protection Agency (AEPD)
Organic Law 4/1997, of 4 August, regulating the use of video cameras by security forces in public places
Organic Law 4/2015, of 30 March, on the protection of citizen security

Browsing data

You are recommended to consult the Cookies Policy published on our website for information about browsing data that may be processed through the website, in the event that data affected by the regulation is collected.

Data subjects’ rights

Under data protection regulations, data subjects or data holders, website users or users of the social network profiles of Tuncalya, S.L. are granted certain rights. Specifically, data subjects have the following rights:

  • Right of access: the right to obtain information on whether your own data are being processed, the purpose of the processing being carried out, the categories of data concerned, the recipients or categories of recipients, the storage period and the origin of the data.
  • Right of rectification: the right to have inaccurate or incomplete personal data concerning you corrected.
  • Right of deletion: the right to have your data deleted in the following cases:
    • When the data are no longer necessary for the purpose for which they were collected.
    • When the owner of such data withdraws his/her consent.
    • When the data subject objects to the processing.
    • When the data must be deleted to fulfil a legal obligation.
    • When the data have been obtained by virtue of an information society services as provided for under art. 8 section.
  • Right to object: the right to object to a particular processing based on the consent of the data subject.
  • Right of limitation: the right for the data processing to be limited in any of the following cases:
    • When the data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data.
    • When the processing is unlawful and the data subject opposes the erasure of the personal data.
    • When the enterprise no longer needs the personal data for the purposes for which they were gathered, but the data subject needs them to establish, exercise or defend legal claims.
    • When the data subject has objected to processing pursuant pending the verification on whether the legitimate grounds of enterprises override those of the data subject.
  • Right to portability: the right to obtain data in a structured, commonly used and machine-readable format, and to convey them to another controller when:
    • The processing is based on consent.
    • The processing is carried out by automated means.
  • Right to lodge a complaint with a competent supervisory authority.

Data subjects may exercise the aforementioned rights by writing to Tuncalya, S.L., at the following address: indicating the right you wish to exercise in the subject line.

Tuncalya, S.L. will deal with your request as soon as possible, taking into account the terms established in the data protection regulation.


The security measures adopted by Tuncalya, S.L. are those required, in accordance with article 32 of the GDPR. Tuncalya, S.L.taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, has implemented the appropriate technical and organisational measures to ensure a level of security appropriate to the existing risk.

Tuncalya, S.L. has invariably implemented sufficient mechanisms to:

  1. Guarantee the permanent confidentiality, integrity, availability and resilience of the processing systems and services.
  2. Restore the availability of and access to personal data quickly in the event of a physical or technical incident.
  3. Regularly verify, evaluate and evaluate, the effectiveness of the technical and organisational measures implemented to guarantee the security of the processing.
  4. Pseudonymise and encrypt personal data, if applicable.