Data Privacy Policy for Business Partners and Visitors of PAP

Pap Tecnos Innovación SAU (jointly referred to as “PAP Tecnos”) take the protection of your personal data seriously. We attach great importance to protecting your privacy while processing personal data, and take it into account in our business processes. We process personal data in accordance with the applicable data protection and data security laws.

Since changes in the law or changes in our internal processes may require this privacy policy to be adjusted, we ask you to kindly read this privacy policy regularly.


The controller in the sense of the General Data Protection Regulation (“GDPR”) and other national privacy laws of Member States as well as other privacy law provisions is

For orders to/from or visits to PAP Tecnos
PAP Tecnos Innovación SAU
Av. de las Estaciones, 8
28850 Torrejón de Ardoz, Madrid
This data privacy policy is accessible on (hereinafter referred to as “our website”).
The controller’s data privacy officer can be contacted at: [email protected]

Personal data are individual details about personal or factual situations of a specific or identifiable natural person (data subject). This includes information such as your name, address, phone number, date of birth, or e-mail address. Information with which we cannot (or can only with a disproportionate effort) establish a reference to your person, e.g. by making the information anonymous, is not personal data.


 a) Scope

We generally only collect and use our business partners’ personal data where this is required for the preparation, execution and processing of a contractual relationships between our company and the business partner.

Your personal data will not be used for any other purpose, especially not for advertising purposes. We will not transmit your personal data to third parties without your consent, except in the cases outlined below, unless we are legally obliged to disclose the data.

If necessary, we will transmit personal data for the purposes listed under § 5 to to affiliated companies in the sense of §§ 15 et seq. AktG (Stock Corporation Act).

If necessary we will also, where legally permitted, transmit personal data to courts, supervisory authorities (esp. aviation safety authorities) or legal advisers in order to comply with applicable law or to assert, exercise or defend against legal claims.

Where we transmit data to service providers (e.g. providers of IT services) acting on behalf of our company, we will contractually oblige them in advance to comply with the applicable requirements of data protection law and they will be subject to our instructions.

b) Legal basis

When processing personal data which is required to pursue a contractual relationship with your company, Art. 6 para. 1 b GDPR will serve as the legal basis. Where processing personal data is required for compliance with a legal obligation to which our company is subject, Art. 6 para. 1 c GDPR will serve as the legal basis.

If processing is required to protect a legitimate interest on the part of our company or a third party and the data subject’s interests, basic rights and basic freedoms do not outweigh the above interest, Art. 6 para. 1 f GDPR will serve as the legal basis for the processing. Our legitimate interest in the processing lies in ensuring the efficiency and effectiveness of our company’s activity and the effective execution of our contractual rela-tionship. Physical protection and security of our sites are the legitimate interest for video surveillance. Infor-mation signs indicate surveilled areas.

c) Data erasure and storage time

Your personal data shall be erased or blocked as soon as the purpose of storage ceases to apply. However, the data may be stored if provided for by European or national laws or other statutory provisions to which the controller is subject. The data shall be blocked or erased at the end of a storage period prescribed by the aforementioned standards, unless the data needs to be stored further in order to conclude or implement a contract.


In the course of cooperation we process our business partners’ personal data especially for the following pur-poses:
Preparation, execution and processing of a contractual relationship, incl. associated communication.
Preparation and execution of conferences, campaigns, negotiations, customer/supplier surveys, invitations to trade fairs or events;

Risk management, especially in connection with the use of PAP Tecnos IT systems, to prevent and identify illegal or contractually non-compliant conduct;

Compliance with legal requirements (esp. those of aviation, tax, commercial or export control laws);

Assertion of legal claims and their (judicial or extrajudicial) enforcement;

Video surveillance for ensuring physical protection and security of our sites.


The processing of the following categories of personal data is required for the above purposes:

Personal master data such as surname, first name, business address, phone/fax number and business email address;

Payment details, i.e. details required for the processing of payment procedures;

Data on the use of PAP Tecnos IT systems (e.g. log files);

Information collected from publicly available sources, databases or credit agencies (e.g. credit reform);

Images recorded by means of video surveiallance (indicated by information signs).


We undertake to protect the personal data we store and to treat it as confidential. In order to avoid loss or misuse of the data we store, we take comprehensive technical and organisational measures, which are regularly checked and adapted to technological progress. We would like to point out, however, that due to the structure of the internet, it is possible that the data protection rules and the above-mentioned safety measures may not be observed by other persons or institutions outside our field of responsibility. In particular, data disclosed in unencrypted form – e.g. by email – may be read by third parties. We have no technical influence on this. It is the business partner’s responsibility to protect the data it provides from misuse by encryption or otherwise.


If business partners’ personal data are processed, you have the following rights vis-à-vis the controller:

1. Right to information

You can ask the controller to confirm whether your personal data are processed by us.

If this is the case, you can ask the controller for the following information:

(1)        the purposes for which the personal data are processed;

(2)        the categories of personal data processed;

(3)        the recipients or categories of recipients to whom your personal data have been or are still being disclosed;

(4)        the planned duration of the storage of your personal data or, if specific information on this is not possible, the criteria for determining the storage period;

(5)        the existence of a right to rectify or erase your personal data, a right to have the processed data restricted by the controller, or a right to object to such processing;

(6)        the existence of a right to appeal to a supervisory authority;

(7)        all available information about the origin of the data if the personal data are not collected from the data subject.

You have the right to request for information as to whether your personal data is transferred to a third country or to an international organisation. In this connection, you may request that the appropriate guarantees pursuant to Art. 46 of the GDPR in connection with the transmission of data shall be made available to you.

2. Right to correction

You may ask the controller to rectify and/or complete your personal data if your personal data are incorrect or incomplete. The controller shall make the correction without delay.

3. Right to restrict the processing

Under the following circumstances, you can request that the processing of your personal data shall be restricted:

(1)        if you contest the accuracy of your personal data;

(2)        if the processing is unlawful and you reject the deletion of the personal data and instead demand the restriction of the use thereof;

(3)        if the controller no longer needs the personal data for the purposes of processing, but you do need them to assert, exercise or defend legal claims, or

(4)        if you have filed an objection to the processing pursuant to Art. 21, Section 1, of the GDPR and it has not yet been determined whether the controller’s legitimate reasons outweigh your reasons.

If the processing of your personal data has been restricted, such data may only be processed – apart from being stored – with your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State.

If the processing restriction has been limited on the above conditions, we shall inform you before the restriction is lifted.

4. Right to deletion

a) Deletion obligation

You may ask to delete your personal data without delay and we are obliged to delete this data without delay if:

(1)        Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

(2)        You revoke your consent, on which the processing was based pursuant to Art. 6, Section 1a or Art. 9, Section 2a of the GDPR, and there is no other legal basis for the processing.

(3)        You file an objection against the processing pursuant to Art. 21, Section 1, of the GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing pursuant to Art. 21, Section 2, of the GDPR.

(4)        Your personal data have been processed unlawfully.

(5)        Deleting your personal data is necessary to fulfil a legal obligation under EU law or the law of the Member States to which we are subject.

(6)        Your personal data have been collected regarding the services offered by the information company pursuant to Art. 8, Section 1, of the GDPR.

b) Information to third parties

If the controller has disclosed your personal data to the public and is obliged to delete it pursuant to Art. 17, Section 1, of the GDPR, it shall take appropriate measures, including technical measures, considering the available technology and the implementation costs, to inform the processors of the personal data for which you as the data subject have asked for the deletion of all links thereto or of copies or replications thereof.

c) Exceptions

The right to deletion does excluded if and to the extent as the processing is required

(1)        to exercise the freedom of expression and information;

(2)        to fulfil a legal obligation required for processing under EU law or the law of Member States to which the controller is subject or for the performance of a task in the public interest or in the exercise of official authority conferred on the controller;

(3)        for reasons of public interest in the field of public health pursuant to Art. 9, Sections 2h and i, and Art. 9, Section 3, of the GDPR;

(4)        for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89, Section 1, of the GDPR, insofar as the law referred to under a) is likely to render impossible or seriously impair the attainment of the objectives of such processing, or

(5)        to assert, exercise or defend legal claims.

5. Right to information

If you have asked us to correct, delete or restrict the processing of your personal data, we must inform all recipients of your personal data about this correction or deletion of the data or restriction on processing, unless this proves impossible or entails a disproportionate effort.

You have the right to be informed of such recipients.

6. Right to data portability

You have the right to receive the personal data you have made available to the controller in a structured, accessible and machine-readable format. Moreover, you have the right transmit this data on to another controller, provided that

(1)        processing is based on consent pursuant to Art. 6, Section 1a, of the GDPR or Art. 9, Section 2a, of the GDPR or on a contract pursuant to Art. 6, Section 1b, of the GDPR, and

(2)        processing is carried out automatically.

While exercising this right, you also have the right to request that your personal data be transferred directly from us to another controller, so far as this is technically feasible. Other persons’ freedoms and rights must not be affected by this.

The right to portability  shall not apply to the processing of personal data needed to perform a task in the public interest or to exercise official authority conferred on the controller.

7. Right to object

You have the right to object at any time, on the grounds of your particular situation, to the processing of your personal data in accordance with Article 6(1)(e) or (f) of the GDPR.

We shall no longer process your personal data, unless we can prove protection-worthy compelling reasons for the processing, which outweigh your interests, rights and freedoms, or unless the processing is used to assert, exercise or defend legal claims.

8. Right to revoke the data protection consent

You have the right to revoke your data protection consent at any time.

The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.

9. Right to appeal to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State where you reside, work or where the alleged infringement has been made, if you believe that the processing of your personal data is contrary to the stipulations of the GDPR.

 The competent supervisory authority in Spain, is:

Agencia Española de Protección de Datos

C/ Jorge Juan, 6