Privacy Policy

1. SCOPE

The purpose of this document is to ensure compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data (GDPR), as well as Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD); in relation to the activity carried out by the entity NUTROFAR, S.L. (hereinafter, NUTROFAR) on its website, whose URL is https://www.nutrofar.es/, for the processing of CLIENTS’ data.

The NUTROFAR website, while including content accessible to the general public, is specifically designed for the commercialization of products and services in the field of animal health. Therefore, it is intended for veterinary professionals as well as establishments authorized to trade in animal health products and pet stores.
To access the products offered by NUTROFAR, users must first register as Clients by completing the form provided on the website. In addition to filling in the required information, users must submit the necessary documentation to gain access to all or part of the products marketed by NUTROFAR. Client registration, and therefore access to NUTROFAR’s products, will depend on the segmentation of said products according to the following criteria and the specific sectoral regulations applicable to NUTROFAR’s business activity and corporate purpose.

Prescription products: In order to access the purchase of veterinary prescription products, the appropriate accreditation for the commercialization of such products is required. Specifically:
- Veterinarians: a photo or copy of a valid professional association membership card.
- Veterinary Suppliers: a copy of the authorization issued by the corresponding Autonomous Community allowing the dispensing of veterinary products.
Non-prescription products: In addition to veterinarians and veterinary suppliers, pet stores, seed stores, agricultural centers, pet supply wholesalers, etc., may also access these products, provided they can demonstrate that they have notified the competent authority of their activity involving the sale of non-prescription animal health products.
BIOCIDAL products: In order to access and commercialize BIOCIDAL products, the Client must provide proof of authorization and registration in the Official Registry of Biocidal Establishments (ROESBA).

In all cases, it is the data subject themselves who directly provides their personal data to NUTROFAR through the various means available; therefore, the provisions of Article 13 of the GDPR and Article 11 of the LOPDGDD shall apply.

In terms of data protection, the GDPR introduces many changes compared to the repealed 1999 Spanish Data Protection Act (LOPD), one of the most significant being the establishment of the principle of “Accountability” or “Proactive Responsibility.” Under this principle, the data controller is required to demonstrate that their data processing activities comply with the principles relating to data processing set out in Article 5.1 of the GDPR.
To this end, appropriate technical and organizational measures must be implemented to demonstrate that the processing activities are in compliance with the GDPR. These measures must be regularly updated and reviewed through internal or external audit procedures.

This “proactive and systematic” obligation to comply with data protection regulations must include data protection by design and by default in the areas of the organization where it is necessary. The ultimate goal of implementing such data protection policies or measures is to ensure that the processing activities carried out by the data controller comply with the provisions of the GDPR and the LOPDGDD.

One of the main changes introduced by the GDPR is the obligation to inform and the responsibility of the data controller to demonstrate compliance with their obligations. All data processing must be justified by one of the legal bases established in Article 6 of the GDPR. When processing is based on consent, it must be granted through a clear affirmative action that reflects the data subject’s free, specific, informed, and unambiguous expression of will (Recital 32 and Article 7 of the GDPR, and Article 6 of the LOPDGDD).

With regard to the duty to inform, in accordance with Articles 13 and 14 of the GDPR and Article 11 of the LOPDGDD, it is necessary to inform the data subject of certain circumstances when personal data is obtained directly from them. Consequently, it is essential to adapt the compliance processes related to informing data subjects to the form and manner established by these regulations, ensuring they align with the criteria recommended by the Supervisory Authority through the publication of its implementation guidelines.

The GDPR adds additional requirements to those previously regulated by the LOPD (such as purpose, recipients or disclosures, rights, etc.) regarding the obligation to inform data subjects, while broadening the concept of “processing.” In general terms, it introduces the following details:

The contact details of the Data Protection Officer, where applicable.
The legal basis or justification for the processing.
The retention period or the criteria used to determine it.
The existence of automated decision-making, including profiling.
The prospect of transfers to Third Countries.
The right to lodge a complaint with the Supervisory Authorities.

Additionally, in cases where the data is not obtained directly from the data subject, the data controller must inform the data subjects within a reasonable period (no later than one month from the time the personal data was obtained or during the first communication with the data subject) of the following additional information:

The source of the data.
The categories of the data.

To reconcile the increased information requirements introduced by the GDPR with the need for conciseness and clarity in how that information is presented, Data Protection Authorities recommend adopting a layered or tiered information model.

The multi-layered information approach consists of the following:

Providing basic information at a first level, in a summarized form, at the same time and through the same means by which the data is collected.
Referring to additional information at a second level, where the remaining details are presented more thoroughly, using a medium better suited for its presentation, understanding, and, if desired, storage—e.g., a website.

The sets of information required by the GDPR and LOPDGDD can be grouped into certain headings for the purposes of organizing and presenting them, especially with regard to the information to be presented in summarized form in the first layer or level.

This recommendation from the Data Protection Authorities regarding layered information has been reinforced in the LOPDGDD, acquiring regulatory status as it is established in Article 11 of said law.

This document includes the following drafted texts, prepared in compliance with the GDPR and the LOPDGDD, along with instructions for their use and inclusion. The drafted texts are divided into the following sections:

Section 2. Informative Clauses.

The drafted texts are intended to ensure compliance with the provisions of Articles 5, 6, 7, 13, and 14, where applicable, of the GDPR, and Articles 4, 6, and 11 of the LOPDGDD. In accordance with the guidelines and/or recommendations published by the Spanish Data Protection Agency (AEPD), the data subjects’ right to information will be implemented through a layered approach.

For this purpose, a first layer containing the “basic information” will be included, along with a second layer providing the “additional information” required to comply with the GDPR-LOPDGDD, on NUTROFAR’s website.

For the drafting of this document, the following premises have been taken into account:

Data Protection Officer. According to the meeting held with the Client, and based on the information provided by the company responsible for ensuring data protection compliance at NUTROFAR, the company has not designated a Data Protection Officer.
Purpose. The data will be used for the primary purpose for which it was collected, namely the contracting of NUTROFAR’s products and, specifically, for:
- Management of the contractual relationship and the delivery and/or provision of the contracted services.
- Management of deliveries and provision of contracted services.
- Management of the Customer Service Department in order to handle inquiries and resolve issues related to product orders or deliveries.
- Management of communications and information necessary during the course of service provision, which may be carried out through any means deemed appropriate by NUTROFAR (emails, phone calls, SMS, PUSH notifications, regular mail, etc.).
- Management of payments and execution of accounting, tax, and administrative tasks with our clients.

This involves the processing of data related both to the entity itself and to its employees.

In the event that NUTROFAR uses data subjects’ information for promotional or commercial purposes, the express consent of the data subjects will be required whenever electronic means are used for such purposes, in accordance with Articles 19 to 22 of Law 34/2002 of July 11, on Information Society Services and Electronic Commerce (LSSICE).
However, as an exception regulated in Article 21.2 of the LSSICE, it is permitted to send commercial communications by electronic means to contacts with whom there is already a prior contractual relationship (Client), provided the recipient has not objected to this purpose. Therefore, NUTROFAR may send advertising to those clients who have not opted out of receiving commercial communications.

In any case, NUTROFAR must offer recipients the option to object to the processing of their data for promotional purposes, both at the time of data collection and in each of the commercial communications sent to them. NUTROFAR must establish simple and free procedures for this purpose.
To this end, NUTROFAR may send commercial communications to clients based on legitimate interest, in accordance with Article 21.2 of the LSSICE. This legitimate interest is based on sending commercial communications concerning products or services similar to those already contracted by the client, and which may therefore be of interest to them.

For this purpose, the following clause may be included, for which the client must provide their explicit and unambiguous consent:

“In the legitimate interest, your data may be processed to send you commercial communications about other products or services marketed by NUTROFAR that are similar to those you have contracted. You may object to this processing at any time.”

If it were based on the data subject’s consent, the following should be included:

“Notwithstanding the above, provided that you have expressly consented by marking the boxes established for this purpose in the data collection forms, we will process your data to carry out promotional, advertising, or commercial actions and communications, through various means including electronic ones, regarding products and/or services that we consider of interest to you. We inform you that you can withdraw your consent at any time through the automatic link included for this purpose in the commercial communications you receive, if applicable, or by emailing to …… In the event that you express your desire for your data not to be processed for sending commercial communications, NUTROFAR informs you that you can register in the advertising exclusion systems.”

I consent to the sending of commercial and/or promotional communications through various means, including electronic means.

☐ Yes ☐ No

As indicated by the AEPD in Report 0195/2017 issued by the Legal Department of the AEPD in response to a query regarding the application of Article 6.1(f) of the GDPR on legitimate interest as a legal basis for data processing for commercial purposes, the AEPD concludes the following:

“Consequently, regarding the first of the scenarios mentioned, and always assuming that entities fully comply with their transparency obligations in accordance with Articles 13 and 14 of the General Data Protection Regulation, and also establish a simple procedure for exercising the right to object, it could be considered that the processing could be based on Article 6.1(f) of the mentioned Regulation when the actions are carried out by non-electronic means, the affected party continues to be a client of the entity, and the products or services offered can be considered ‘similar’ to those contracted by the client.”

And recently, the AEPD in Procedure No. E/01423/2020 states that:

“Thus, any sending of advertising or promotional communications by email or other equivalent electronic communication means is subject to the prior provision of explicit consent, unless there is a prior contractual relationship between the service provider and the recipient of the communications, and provided that the recipient has not expressed an objection.”

In accordance with the discussions held with NUTROFAR, this entity will send commercial communications based on the legal basis of the consent of the data subjects. Additionally, commercial profiles will be created, but no automated decisions will be made based on them. According to the definition of profiling in Article 4.4) of the GDPR, it is understood that NUTROFAR does not create profiles for the purpose of analyzing or predicting aspects related to the personal preferences and interests of the data subjects/clients.

Article 22 of the GDPR and Article 18 of the LOPDGDD establish that every data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on them or similarly significantly affects them.

According to the Opinion of the European Commission’s Working Party (WP29) on automated individual decision-making and profiling, this article should be interpreted as a prohibition of fully automated individualized decisions, including profiling, that have legal effects on the data subject or similarly significantly affect them. The GDPR does not include a definition of “legal effects” or what should be understood by the expression “similarly significant.” WP29 has stated that a “legal effect” can be the result of processing that impacts rights—such as preventing someone from entering a country, voting in elections, or taking legal action—or legal or contractual obligations.
However, even if legal rights or obligations are not specifically affected, data subjects could still be impacted enough to require the protection that Article 22 provides. As WP29 points out, in many cases, targeted advertising does not have a significant effect on individuals but could have a concrete effect or impact on a particular individual depending on their specific characteristics. For example, when automated decision-making results in different or exclusionary pricing. In this case, the processing will be prohibited, meaning that explicit consent from the data subject will be required for the data to be processed legally.

If NUTROFAR were to carry out these actions, it would be required to inform about the existence of automated decisions, including profiling, and provide meaningful information about the logic applied, as well as the significance and expected consequences of such processing for the data subject.

In any case, the prohibition of automated decision-making set out in Article 22 of the GDPR is exempted in its second paragraph when: (i) it is necessary for the performance or conclusion of a contract; (ii) it is authorized by EU law or the law of a Member State; and (iii) it is based on the explicit consent of the data subjects.

It is important to consider Recitals 71 and 91 of the GDPR, as this type of processing is one of the criteria or factors to consider when determining whether the processing of personal data involves a high risk for data subjects and would require a Data Protection Impact Assessment (DPIA) to assess this.

The customer’s data may also be processed for the purpose of fraud prevention. According to Article 47 of the GDPR, this processing is carried out on the basis of legitimate interest, and NUTROFAR must have a risk analysis document and a balancing of interests for this purpose.

Another purpose for processing could be participation in surveys or statistics conducted by NUTROFAR in order to make improvements, marketing actions, and service developments, with the aim of offering products and services in accordance with the interests revealed in the surveys and thus improving the customer experience. This purpose would have a legal basis in legitimate interest. Although Recital 47 of the GDPR does not specifically include these purposes for this legal basis, it does regulate that it can apply in cases where there is a relationship between the data subject and the controller (such as a service contract, for example, or a customer or employment relationship). However, processing based on legitimate interest will require a thorough assessment that takes into account the reasonable expectations of the data subjects in relation to the context that binds them. As stated in Recital 47, this applies even if the data subject can reasonably anticipate that such processing may occur for this purpose. It should be noted that in practice, this legal basis is commonly used, as indicated in the “Guideline on Legitimate Interest” published by the ISM Forum and DPI (Data Privacy Institute).
While statistical data is typically anonymized, surveys conducted by NUTROFAR should be quality surveys for customers, aimed at ensuring that the services provided are effectively delivered and improving products and services based on feedback from customers.

In any case, regardless of whether there is a legal provision that enables processing based on legitimate interest, a balancing test must be conducted to determine whether legitimate interest outweighs the rights and freedoms of the data subjects, and this purpose for processing must be included in the informational clause for the customer. For this purpose, NUTROFAR must have a risk analysis document and a balancing of interests.

Legitimacy. The Clients will enter into a contract and/or General Terms and Conditions with NUTROFAR, which will be done in electronic format, as discussed in the meeting with NUTROFAR. According to Article 6.1 of the GDPR, the processing carried out by NUTROFAR is legitimized:
- 6.1.a) The consent of the data subject for the purposes of sending commercial or promotional communications via electronic means, if applicable, and in the event that the data is communicated to third parties for reasons other than the contractual relationship or legal obligation.
- 6.1.b) The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures at the request of the data subject.
- 6.1.f) Legitimate Interest. According to Article 19 of the LOPDGDD, the contact details of individuals who provide services to a legal entity, individual entrepreneurs, and self-employed professionals, as long as they refer only to their professional location and the purpose is to maintain the necessary relationships to execute the contract. Additionally, data will also be processed under this legal basis in the event of sending commercial communications as provided for in Article 21.2 of the LSSI.
Data Communications. No data will be communicated to third parties, except when required by law and specifically to public health inspection bodies upon their request, in accordance with the provisions of Royal Decree 867/2020 of September 29, which regulates veterinary diagnostic reagent animal health products, systems for monitoring physiological parameters in animals, and products intended for the maintenance of animal reproductive material.

Regarding the delivery of products, it will be necessary to determine the legal relationship with the third parties with whom NUTROFAR enters into agreements for this purpose. In this regard, such a third party may have a dual consideration: Data Processor or Data Controller. In this sense, Report 2008/0122 of the Legal Department of the AEPD is particularly illustrative, even though it was drafted and published under the previous LOPD. Below, we reproduce some of its most enlightening paragraphs:

– “Furthermore, the doctrine emanating from the National Court has helped clarify the scope of the concept of Data Processor. Thus, the ruling of September 28, 2005, reminds us that “The difference between a data processor and a data transfer in some cases is quite complex, but as this section pointed out in the recent ruling of April 12, 2005 (appeal 258/2003), the typical feature of data processing is when an external party, not related to the data controller, processes personal data belonging to the controller’s treatments in order to provide a service in a specific area… It is essential to maintain the nature of the role that the Data Processor limits itself to performing the material act of processing entrusted to it, and not cases where the purpose of the contract involves the exercise of an independent function or activity of the processor. In summary, there is a Data Processor relationship when the transmission or transfer of data is justified by the provision of a service that the data controller receives from an external company, which helps fulfill the purpose of the data processing consented to by the data subject.”
Consequently, to determine whether we are dealing with a Data Processor, it is necessary to analyze whether their activity is limited to providing a service to the data controller, without establishing any relationship between the data subject and the supposed processor. Additionally, it will obviously be essential that the data controller does not have the power to decide the purpose that justifies the processing. Therefore, if the processing arises from the will of the so-called processor, that entity will, in all cases, be considered the data controller. In the case presented, it is the driving schools, not the consulting party, that have the power to decide on the purpose, content, and use of the data processing for individuals who decide to take the traffic awareness and re-education course with them, and they are the ones processing the student data according to the signed contract between the two parties. Therefore, in our opinion, the driving schools should be considered as data controllers, with each one being responsible for a file that must comply with the requirements set forth in Organic Law 15/1999.”
This excerpt is highly relevant in distinguishing between a data processor and a data controller, which is critical for NUTROFAR when determining the legal framework for its agreements with third parties.

In this regard, it will be necessary to review the contracts signed by NUTROFAR with its logistics providers.

Notwithstanding the above, NUTROFAR will also communicate data to pharmaceutical entities, laboratories, and suppliers at their request. According to the discussions held with NUTROFAR, these entities require the submission of customer purchase information and identification of the clients of their products. This data communication does not create implications in terms of data protection for legal entities; however, it may have implications regarding confidentiality or business secrecy under Law 1/2019 of February 20, on Business Secrets, and may involve conduct covered by Law 3/1991 of January 10, on Unfair Competition. In the case of individuals/self-employed professionals, the consent of the data subjects will be required.

– Rights. On October 17, 2018, the Spanish Data Protection Agency (AEPD) published the Report on “Privacy Policies on Websites. Adaptation to the GDPR,” in which it addresses the conclusions of the study conducted on this matter, stating that it is necessary to specify what rights data subjects can exercise.

– How we obtained your data. The data is collected directly from the data subject, who can complete the forms provided for this purpose. In principle, only the following data will be collected: name, email, and “icons” if the customer comes from that network. Subsequently, the customer will be asked for contractual data for the purpose of processing payment for services. The data subject may be an individual working in an entity, individual entrepreneurs, and self-employed professionals, whose data will be processed in accordance with Article 19 of the LOPDGDD. Data of minors may also be processed, depending on the area of expertise for which the service is requested.

– Data Retention. NUTROFAR will process and store the data as long as it is necessary in accordance with the purpose and legal basis for processing for which it was collected, and provided that the data subject does not object or explicitly withdraw their consent in cases where consent is the legal basis for processing.

– International Transfers. In principle, the GDPR establishes the principle that data transfers from the EU to operators located outside the European Economic Area will only be lawful if they meet the conditions set out in Articles 44-49 of the GDPR. As of now, international data transfers are not foreseen.

– Section 3. Record of Processing Activities. . The GDPR removes the requirement to register files with the AEPD and establishes in Article 30 of the GDPR the obligation for companies to have a Record of Processing Activities (RAT) document.

Organic Law 3/2018 of December 5, on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD), in its Article 31, refers to the provisions of Article 30 of the GDPR regarding this matter. This article includes the requirement that all entities listed in Article 77.1 of the LOPDGDD must make public an inventory of their processing activities, which will include the information specified in Article 30 of the GDPR and its legal basis.
In this regard, Article 77 of the LOPDGDD, in its first paragraph, includes both public and private entities that do not correspond to the activity, legal form, etc., of NUTROFAR. Therefore, this entity is not obliged to make its Record of Processing Activities (RAT) public, although it may choose to do so voluntarily. The information is provided in the RAT format so that it can be included by NUTROFAR in its own RAT.

2. TEXT

2.1. BASIC INFORMATION ON THE PROCESSING OF PERSONAL DATA

Controller. NUTROFAR, S.L.

Purpose. Management of the contractual relationship for the acquisition of products.
Sending of commercial communications through any means, including electronic means.
Creation of statistics and surveys.
Fraud prevention.

Legitimacy. Execution of a contract in which the data subject is a party, legitimate interest, and consent of the data subject, where applicable.

Recipients. No data transfers to third parties are foreseen, except when required by law and to pharmaceutical companies, laboratories, and distributors that request it.

Rights. You may exercise your rights of access, rectification, erasure, restriction, objection, and portability, as well as other rights explained in the Additional Information available at www.nutrofar.es.

☐ I consent to the sending of commercial and/or promotional communications through various means, including electronic means.

☐ I consent to the communication of my data to pharmaceutical companies, laboratories, and distributors that require it from NUTROFAR.

2.2. SECOND LAYER OF INFORMATION: ADDITIONAL INFORMATION OR PRIVACY POLICY

The website of NUTROFAR, S.L. (hereinafter, NUTROFAR) includes information, markets, and distributes veterinary products and medicines.

While the use of the website does not require prior registration, in order to access some of our services as a customer, it will be necessary for you to provide the information we request (“Data”). At NUTROFAR, we are aware of the importance of privacy, and for this reason, we take responsibility for complying with the current data protection legislation and aim to process your data transparently.

To this end, in this Privacy Policy and in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data (GDPR), and in Organic Law 3/2018 of December 5, on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD); NUTROFAR and/or the data controller informs you about the processing of personal data you provide and the security, technical, and organizational measures applied in compliance with the current legislation.

NUTROFAR reserves the right to modify this Privacy Policy to adapt it to legislative, jurisprudential, or interpretative developments from the Spanish Data Protection Agency and/or the procedures or purposes for processing your data. NUTROFAR will notify you in advance or announce any changes made, clearly indicating the modifications and providing due notice of the changes, and requesting your acceptance if necessary. NUTROFAR will not make retroactive changes that reduce your rights unless legally required, regarding the processes we have in place to protect your data.

Data Controller. NUTROFAR, S.L. with CIF B41395716 and postal address at Parque Empresarial Los Llanos, Calle Galicia Nº 270, CP 41909, Salteras (Sevilla). Email: m.castillo@nutrofar.es and Phone: 955 997788.
Source and Category of the Data. We obtain the personal data that you provide to us through the provided form (whether physical or online), and the data processed includes:
- Registered veterinarians:
  - Identification data: name, surname, copy of the valid professional association membership card.
  - Contact data: email address and phone number.
  - Payment data (bank account – SEPA form or card).
- Veterinary suppliers:
  - Identification data: name and surname of the person acting on behalf of the representative.
  - Contact data: email address and phone number.
  - Payment data (bank account – SEPA form or card).
  - Copy of the authorization for the specific activity with which the commercial relationship will be established: Sale and distribution of animal health products, sale of biocides, animal shelter registration certificate, etc.
- Pet stores:
  - Identification data: name and surname of the person acting on behalf of the representative.
  - Contact data: email address and phone number.
  - Payment data (bank account – SEPA form or card).
  - Copy of the notification of the activity to the competent local authority.
Accuracy of the data and age of majority. By completing the form, you guarantee that you are of legal age or over fourteen years old to provide your consent in accordance with the current data protection regulations, that you are authorized to market animal health and nutritional products, and that the data provided is true, accurate, complete, and up-to-date. You are responsible for any direct or indirect damage or harm that may result from the failure to comply with this obligation.
Purpose of the processing. We will process your data for the purpose of managing the relationship established through this contract and, specifically, for:
1. Formalization of the contract. Management of deliveries, customer service, and after-sales service in order to address inquiries and issues related to products and/or services. Management of communications and information necessary during the process of finalizing the purchase and delivery, which may be conducted through means deemed appropriate (emails, phone calls, SMS, push notifications, regular mail, etc.). Management of payments and carrying out accounting, tax, and administrative procedures with our clients. Handling claims procedures before consumer organizations, consumer associations, or judicial or administrative bodies.
2. Manage a secure relationship with our clients. Your data may be processed to carry out fraud prevention actions in the contracting process if evidence of fraud arises during the current contracting process.
3. Sending of commercial communications. Provided you have expressly consented by marking the boxes provided for this purpose in the data collection forms, we will process your data to carry out promotional, advertising, or commercial actions and communications through various means, including electronic means, regarding products and/or services that we consider of interest to you. We inform you that you may withdraw your consent at any time through the automatic link included for this purpose in the commercial communications you receive, if applicable, or by emailing m.castillo@nutrofar.es or by postal mail to the address provided in the “Data Controller” section. If you express your wish for your data not to be processed for sending commercial communications, NUTROFAR informs you that you can register in advertising exclusion systems. For this purpose, you can consult the information published by the Spanish Data Protection Agency, which serves as the competent supervisory authority.
4. Creation of statistics. Additionally, we may process your data to create statistics and conduct quality surveys of our products in order to make improvements, marketing actions, and developments. For this purpose, we may create a commercial profile of the customer, but no automated decisions will be made based on this profile.
5. The processing of data for purposes other than those detailed above will require a legal basis or prior explicit consent in each case.
Legitimacy. The legal basis for processing your data for the purposes detailed in the previous section are as follows:
- (i) Article 6.1 b) GDPR: performance of a contract or for the implementation of pre-contractual measures; however, handling claims before certain bodies or judicial authorities will be carried out in compliance with a legal obligation.
- (ii) and (iv) Article 6.1 f) GDPR: legitimate interest. We will also process data of natural persons and/or individual entrepreneurs as necessary for the purpose of the contract, processing only the minimum data required for their professional location and solely for the purpose of maintaining the relationship concerning the contract with the legal entity in which the data subject works and/or provides services. The processing of your data based on legitimate interests will, in all cases, be carried out with the utmost rigor and respect for your privacy, rights, and freedoms; under no circumstances will the data be used for purposes that undermine your rights in this regard.
- (iii) Article 6.1 a) GDPR: consent of the data subject, which may be revoked at any time. The processing of your data for purposes established in the previous section and based on the consent requested from you may be revoked at any time, without in any case affecting the execution of the contract signed with NUTROFAR.
Recipients. Your personal data may be communicated to administrations, authorities, and public bodies, including courts and tribunals, when required by applicable regulations. Specifically, they will be communicated to the competent public administrations in the relevant matter in accordance with Royal Decree 867/2020, of September 29, which regulates veterinary diagnostic reagent animal health products, systems for monitoring physiological parameters in animals, and products intended for the maintenance of animal reproductive material. Additionally, provided you expressly consent, your data may be communicated to pharmaceutical companies, laboratories, and distributors when required by them and when necessary for the maintenance of commercial relations between NUTROFAR and these entities.

In cases where your data is processed by third-party companies contracted by NUTROFAR, a corresponding data processing agreement will be signed with them. An essential requirement for formalizing this agreement is that the service provider is aware of the existing regulations regarding personal data protection and that compliance with these regulations is guaranteed throughout the course of the contract.

International Transfers. International data transfers are not foreseen. If they are necessary for our activities, they will always be made to countries within the European Union or those that provide an adequate level of protection or guarantees in accordance with current regulations.

Rights. Any individual has the right to obtain confirmation as to whether NUTROFAR is processing personal data concerning them or not.

You can also exercise the rights granted by the applicable regulations: the right of access, rectification, erasure, and objection, restriction of processing, data portability, and the right not to be subject to automated individual decisions.

- Access: Allows the data subject to obtain information about whether NUTROFAR is processing personal data concerning them or not, and if so, the right to obtain information about the personal data being processed.
- Rectification: Allows the correction of errors and the modification of data that is found to be inaccurate or incomplete.
- Erasure: Allows the data to be deleted and no longer processed by NUTROFAR, unless there is a legal obligation to retain it and/or other legitimate grounds for processing by NUTROFAR in accordance with current regulations.
- Restriction: Under the conditions established by law, it allows the processing of data to be halted, so that NUTROFAR will not process the data in the future, retaining it only for the exercise or defense of claims.
- Objection: Allows the data subject, in certain circumstances and for reasons related to their particular situation, to object to the processing of their data. NUTROFAR will cease processing the data, unless there are legal reasons or for the exercise or defense of potential claims.
- Portability: Allows the data subject to receive their personal data and transmit it directly to another Data Controller in a structured, commonly used, and machine-readable format. To exercise this right, the data subject must provide a valid email address.

Additionally, you have the right to withdraw your consent at any time for those purposes and/or uses based on it. This withdrawal will result in the deletion or blocking of your data in accordance with our data retention policies.

You can exercise your rights through any means that allows proof of sending and receiving your request. The request should be addressed to NUTROFAR using the contact details provided in the “Data Controller” section, with the reference “Data Protection.” The request must include: Name, surname, a photocopy of your ID, a description of your request, and an address for notification purposes.

If you are not satisfied with NUTROFAR’s response to the exercise of your rights, you have the right to file a complaint with the Supervisory Authority (Spanish Data Protection Agency) for the protection of your rights.

Data Retention. NUTROFAR informs you that it will process and store your data as long as necessary for the execution of the Contract and while it remains valid, in order to use it in accordance with the purpose and legal basis for processing for which it was collected, and provided you do not revoke your consent. We will also process your data to comply with the requirements of applicable law, prevent unlawful actions, resolve disputes, address issues, execute our contract, and take other actions permitted by law. Once the Contract has ended, we will retain your personal data for the legally prescribed periods, in accordance with the applicable Tax, Civil, and Commercial legislation and, where applicable, the specific sectoral legislation governing NUTROFAR’s activities.

Once the processing of your data is no longer necessary and the legal retention periods have passed, we will delete and/or block your data in accordance with our data retention and deletion policy.

NUTROFAR will adopt the appropriate security measures to prevent the alteration, loss, unauthorized processing, or access to data. Additionally, it will inform those who have access to your data about their security obligations, confidentiality, and their duty to maintain secrecy.

In the event that you formalize your contract electronically, NUTROFAR processes your data under secure levels. For this purpose, credit card transactions will be transmitted through a secure SSL (Secure Socket Layer) server. When the letters “http” change to “https,” the “s” means it is in an SSL area; your browser may also notify you of the site’s security through a pop-up message. The SSL security protocol encrypts personal information during data transmission.

3. INSTRUCTIONS FOR INCLUSION

The two-layer information system (recommended in the guide published by the AEPD) acquires regulatory status and is simplified with the entry into force of the LOPDGDD, as it is regulated in Article 11 of the same.

The first layer of information “Basic Information” included in section 2.1 of this document must be inserted into the corresponding electronic or physical form where data is collected, ensuring that the information is within the data subject’s field of vision. It must be included in information request forms and placed in the same field of vision as the place where the data subject is required to indicate their consent/acceptance (e.g., “submit/accept” button if it is an electronic form), and it should be part of the copy available to the data subject.

The “Basic Information” must be clearly identified and placed in the same field of vision where the customer is required to express their consent to what is requested (next to the “accept/submit” button, along with a click that the data subject must expressly mark) or a handwritten signature.

SEND/ACCEPT

According to the AEPD’s Duty to Inform Guide, if it is not possible due to design restrictions, a “note or reference” will be included in the form indicating where this information is located.

“Before submitting this form/signing this document, you must read NUTROFAR’s Basic Data Protection Information, which is available at (determine clause or click here “(a link to the Basic Information, pop-up, landing page, etc. should be included).”

Signature or

SEND/ACCEPT

Additionally, the following consents must be included in the same field of vision, in accordance with the purposes analyzed.

I consent to the sending of commercial and/or promotional communications through various means, including electronic means.

☐ Yes ☐ No

Or alternatively

☐ I consent to the sending of commercial and/or promotional communications through various means, including electronic means.

Additionally, consent must be obtained for the data communications that NUTROFAR intends to carry out at the request of pharmaceutical companies, laboratories, and service distributors.

☐ I consent to the communication of my data to pharmaceutical companies, laboratories, and distributors that require it from NUTROFAR.

It is important and necessary for NUTROFAR to retain the documents or logs of customer acceptances, as, according to Article 7.1 of the GDPR, it is the responsibility of the data controller to prove it.

Regarding the “Additional Information” or Privacy Policy included in section 2.2 of this document, it should be included at the bottom of the website (next to the General Terms and Conditions and the Cookie Policy) if it is an electronic contract or in a contractual clause if the contract is finalized in writing. It should be noted that the Basic Information must refer to this.

4. RECORD OF PROCESSING ACTIVITIES

PROCESSING: NUTROFAR WEB CLIENTS
Controller	NUTROFAR S.L. (NUTROFAR) CIF: B41395716 Postal Address: Parque Empresarial Los Llanos. Calle Galicia, N 270. Salteras (Sevilla) E-mail: pedidos@nutrofar.es
Legal Basis	General Data Protection Regulation and Organic Law on Personal Data Protection and Guarantee of Digital Rights. GDPR: 6.1 a) Consent of the data subject GDPR: 6.1 b) Processing necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures at the request of the data subject. GDPR: 6.1 f) Processing based on Legitimate Interest (Article 19 of the LOPDGDD)
Purposes of the processing	Pre-contractual Information · Management of the pre-contractual relationship for the acquisition of products and/or provision of services. · Sending of commercial communications through any means, including electronic means. Contractual Information · Formalization of the contract. Management of deliveries, customer service, and after-sales service. Management of communications and information necessary during the process of finalizing the purchase and delivery. Management of payments and handling accounting, tax, and administrative procedures. Call recording. Handling claims procedures before consumer organizations, consumer associations, or judicial or administrative bodies. · Fraud prevention in the contracting process. · Sending commercial communications about other products or services from NUTROFAR similar to those you have contracted. · Carrying out promotional, advertising, or commercial actions and communications through various means, including electronic means. Creating statistics and conducting quality surveys of our products.
Group	Natural or legal persons who contract the services of NUTROFAR (Clients).
Categories of Data	Pre-contractual Information · Identification Data: Name and Surname, DNI/NIE/CIF, and place of residence. Contractual Information · Identification Data (Name, Surname, DNI/NIE/CIF, and Date of Birth) · Contact Data: Postal addresses, email addresses, and phone numbers. · Payment Data: Bank account (CCC) or credit card if paid in full. · Payment Method: Cash, financed, or direct debit. · No special categories of data are processed.
Recipient Category	Legal obligation (Tax Administration, Banks and financial institutions, etc.) and to those public organizations and/or entities required in compliance with the legislation applicable to NUTROFAR, as set out in Royal Decree 867/2020 of September 29, which regulates veterinary diagnostic reagent animal health products, systems for monitoring physiological parameters in animals, and products intended for the maintenance of animal reproductive material. By consent to pharmaceutical companies, laboratories, and distributors when required by them and when necessary for maintaining commercial relationships between NUTROFAR and these entities.
Data Processing on behalf of Third Parties	NUTROFAR will delegate data processing to third parties such as administrative and tax management services, audits, storage on physical servers as well as in the cloud, and provision of system services with third-party entities with which NUTROFAR has signed agreements, such as logistics and messaging services.
Transfer. Internacional	International data transfers to countries without an adequate level of protection are not foreseen. Data is stored on servers located in EU countries.
Retention Period	Resolution of the contractual relationship and retention for legal periods in accordance with tax, accounting regulations, and the application of the Civil Code, Commercial Code, and fiscal and specific sectoral legislation, where applicable. The data will be retained for as long as necessary to fulfill the purpose and legal basis for processing for which it was collected, and as long as the data subject does not revoke their consent. Additionally, they will be retained to determine any potential liabilities that may arise from that purpose and the processing of the data.
Security Measures	NUTROFAR assumes the responsibility of complying with the applicable data protection legislation and aims to process the data in accordance with the principles of transparency, purpose limitation, data minimization, accuracy, integrity, and confidentiality; adopting the necessary security measures for this purpose, specifically: Selection of Data Processors whose tools ensure compliance with data protection regulations. Employee and collaborator access subject to access management and control. Procedure in the event of security breaches Procedure and prompt response to the exercise of rights by data subjects. Updated maintenance of antivirus software, firewalls, and operating systems and software used. Training of staff and collaborators in data protection, informing those who have access to data about their security obligations, confidentiality, and their duty to maintain secrecy.

\[1] Personal data will be:
a) processed lawfully, fairly, and transparently in relation to the data subject (“lawfulness, fairness, and transparency”);
b) collected for specified, legitimate, and explicit purposes, and not further processed in a manner incompatible with those purposes; according to Article 89(1), further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the original purposes (“purpose limitation”);
c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
d) accurate and, where necessary, kept up to date; all reasonable measures will be taken to ensure that personal data that is inaccurate is erased or corrected without delay, in relation to the purposes for which they are processed (“accuracy”);
e) kept in a form that permits identification of the data subjects for no longer than is necessary for the purposes of processing the personal data; personal data may be kept for longer periods as long as they are processed exclusively for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, in accordance with Article 89(1), subject to the application of appropriate technical and organizational measures required by this Regulation to protect the rights and freedoms of the data subject (“storage limitation”);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, through the application of appropriate technical or organizational measures (“integrity and confidentiality”).
2\. The data controller shall be responsible for compliance with the provisions of paragraph 1 and able to demonstrate compliance (“accountability”).

[2] Article 19. Processing of contact data, individual entrepreneurs, and self-employed professionals.

1. Unless proven otherwise, the processing of contact data and, where applicable, data related to the function or position held by individuals who provide services to a legal entity will be presumed to be covered under Article 6.1(f) of Regulation (EU) 2016/679, provided that the following conditions are met:
a) The processing relates solely to the data necessary for their professional location.
b) The purpose of the processing is solely to maintain relationships of any kind with the legal entity where the data subject provides their services.

2. The same presumption will apply to the processing of data related to individual entrepreneurs and self-employed professionals when the data refers solely to them in that capacity and is not processed to establish a relationship with them as natural persons.