Privacy Policy

We have a high level of commitment to individual privacy; therefore, the protection of personal data is important to us.

We process data in accordance with the provisions of EU Regulation 2016/679 (General Data Protection Regulation), Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights, and other current regulations in this regard.

This Privacy Policy was revised in December 2025 to comply with the information and transparency duties of both the website and the data controller in general, in order to provide any interested party—not just website users—with the controller’s general terms on the subject. Variations may exist until its next review.

Who is the controller of your data?

    • Data Controller: ASOCIACION CENTRO TECNOLOGICO NAVAL Y DEL MAR

    • Tax ID (NIF/CIF): G30772438

    • Address: PARQUE TECNOLOGICO FUENTE ALAMO, CTRA. EL ESTRECHO – LOBOSILLO, KM. 2. 30320 FUENTE ALAMO DE MURCIA (MURCIA), SPAIN.

    • Email: contact@ctnaval.com

What is the source and type of data we process?

The source of the information we process may fall into any of the following categories:

    • Paper-based, electronic, or digital forms.

    • Communication and messaging systems: email and messaging applications, telephone, etc.

    • Other lawful sources of information.

The different categories of data we may process, depending on the type of data subject (user, customer, supplier, employee, etc.), the nature of the controller’s activity, and the various data processing operations, are:

    • Identification data: e.g., first and last name, image.

    • Identification codes or keys: e.g., username, employee code.

    • Postal or electronic contact addresses: e.g., telephone number, email, social media profile.

    • Personal and professional characteristics: e.g., age, date of birth, qualifications, professional experience, CV.

    • Economic, financial, and insurance data: e.g., bank details, credit card, etc.

    • Economic and non-economic payroll data and other employment-related information: e.g., job position, payroll documents, etc.

    • Transaction data: e.g., goods and services provided and received.

    • Special categories of data: e.g., health, trade union membership, racial origin.

    • Other data and information necessary or implicit in the development of our activities, services, and objectives.

MANDATORY OR OPTIONAL NATURE OF THE INFORMATION PROVIDED BY THE DATA SUBJECT.

By checking the corresponding boxes and entering data into fields marked as mandatory (e.g., with an asterisk) in contact or download forms, data subjects expressly, freely, and unequivocally accept that their data is necessary for the controller to fulfill their request. Providing data in the remaining fields is voluntary.

The data subject guarantees that the personal data provided to the controller is true and undertakes to communicate any modifications. The data requested through the website, marked as mandatory, is necessary to provide an optimal service. If all data is not provided, we cannot guarantee that the information and services offered will be fully tailored to your needs.

For what purpose do we process your personal data?

In general, data is processed to successfully carry out the actions implicit in the normal development and management of the controller’s activity. We can specify different processing purposes based on the potential categories of data subjects:

    • Customers and prospects: management and maintenance of commercial, pre-contractual, and contractual relationships; internal administration; economic management; advertising and marketing; customer service.

    • Collaborators, creditors, and suppliers: management and maintenance of commercial relationships, internal administration, and economic management.

    • Employees: management, development, and maintenance of the employment relationship, human resources management, communications, training activities, occupational risk prevention, time tracking, and other purposes derived from legal obligations and employment relations.

    • Candidates: management of received CVs, job vacancy management, and personnel selection.

    • Web and social media users: user support and management of communications between parties.

    • Visitors: visitor support and access control to facilities.

    • Information regarding any other category of data subject processed by the controller will be handled within the framework of its activity, in strict compliance with applicable regulations and under the general criteria of this Privacy Policy.

Other general purposes that the controller may implement include:

    • Commercial profiling: aimed at improving your experience by personalizing offers and communications. No individualized decisions will be made based on said profile, and actions will be based on legitimate interest.

    • Video surveillance: for the security of property and persons, as well as corresponding labor control based on legitimate interest.

    • Telephone switchboard: recording communications for security, guarantee, and quality of service purposes, based on legitimate interest.

    • Financial management and control of monetary obligations: In the case of debtors with certain, matured, and enforceable outstanding payments, the controller may report this circumstance to credit solvency files, debtor files, and debt management or recovery services, among others, based on legitimate interest.

    • Communications: development and execution of communications via available data and contact methods (email, instant messaging, etc.) with internal (employees) and external (customers, prospects, collaborators, suppliers, etc.) categories of data subjects. These communications may serve informative, organizational, commercial, or advertising purposes, as appropriate, based on informed consent and the controller’s legitimate interest.

    • Other purposes derived from the nature of the controller, motivated by the normal development and exercise of its activity, based on a valid legal ground.

How long will we keep your data?

In general, personal data will be kept at least as long as a relationship with the data subject exists, as long as its deletion is not requested, as long as liabilities may arise, or as long as there is a legal requirement for retention.

Regarding the data of candidates and job seekers, it will be deleted immediately if it is of no interest to the controller.

The data controller has a retention period inventory within its data protection plan, which is followed to manage the various applicable retention periods. Data deletion will be carried out in all cases ensuring confidentiality.

What is the legal basis for processing your data?

The controller observes and applies the various existing legal bases applicable to each processing purpose. These are:

a) Informed consent of the data subject.

b) Pre-contractual or contractual commitments.

c) Legitimate interest of the controller.

d) Applicable legal obligations.

e) Other legally mandated legal bases.

To which recipients will your data be communicated?

Data subjects’ data will not be communicated to any third party by default, except for:

a) auxiliary services, authorized data processors, or other implicit third parties necessary for the correct provision of goods and services;

b) competent public authorities and administrations in the exercise of their functions;

c) other legitimate stakeholders and legally provided third parties.

What are your rights when you provide us with and/or we process your data?

As a data subject, you may at any time request to exercise any of the following data protection rights:

  • Access: to confirm whether or not data concerning you is being processed and to obtain more information about this processing.

  • Rectification or erasure: to correct or delete personal data concerning the data subject when, among other reasons, it is inaccurate or no longer necessary for the purposes for which it was collected.

  • Restriction of processing: in certain circumstances, in which case it will only be kept for the exercise or defense of claims, for the protection of the rights of another person, or for reasons of public interest.

  • Data portability: to receive the personal data concerning you, which you have previously provided to us, in a structured format whenever possible.

  • Object: to object to the processing of your data in certain circumstances and for reasons related to your particular situation. The company will stop processing your data, except for compelling legitimate reasons, or the exercise or defense of possible claims.

  • Withdrawal of consent: this may lead to the cancellation of the existing business or contractual relationship, if any, without prejudice to the processing carried out prior to the withdrawal of consent.

To do so, you only need to contact us via the email or postal address indicated at the beginning.

Optionally, you may also contact our designated Data Protection Officer (DPO) or the Data Protection Agency to learn more about your rights or to request their protection by the supervisory authority.

Data security

We implement the necessary technical and organizational measures within our information system to guarantee an adequate level of confidentiality, integrity, availability, and resilience of data, in order to protect the rights and freedoms of data subjects.

The controller complies with the provisions and principles described in the GDPR to process data lawfully, fairly, and transparently in relation to the data subject, and ensures that data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

However, to the extent permitted by the legal system, we assume no responsibility for damages or losses resulting from alterations that third parties may cause to our information system. Any security breach will be properly and immediately communicated to the competent authority and/or state security forces and bodies.

Sending communications or information

Our policy regarding the sending of information through electronic means (email, instant messaging, etc.) is limited to sending only communications that we consider of interest to our users and stakeholders, in relation to the company’s functions and activities, or that you have consented to receive.

If you prefer not to receive these messages, we will offer you the possibility to exercise your right to cancel and waive the receipt of these messages, in accordance with the provisions of Title III, Article 22 of Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE).

Social media

The controller may have a presence on social media through corresponding profiles. This section and any legal and privacy terms present on the website apply to the processing of data of users or stakeholders who become followers or otherwise link themselves to said profiles.

The purposes for which the controller uses these profiles are communication, commercial development, marketing and advertising, handling inquiries, user support, providing information about actions, activities, and events organized by or involving the controller, and interacting through official profiles.

The legal bases set out in section 6 above are supplemented in this case because the user or stakeholder may have a profile on the same social network as the controller and has decided to join or connect with the controller’s profile, thus showing interest in the information published. Therefore, by following the controller’s profiles, you provide your consent for the processing of the data available on your profile.

The user can access the privacy policies and terms of the corresponding social network at any time, as well as configure the privacy features of their profile. Posts made by the user will be known by other users; therefore, the user themselves is primarily responsible for their privacy.

Followers and/or participants on our profiles shall refrain from:

a) Publishing content or information contrary to the law, morals, or good faith. No illegal, annoying, inappropriate use or behavior that may generate negative opinions on the profile or violate people’s rights is permitted.

b) Behaving in a manner contrary to the principles of legality, honesty, responsibility, protection of human dignity, protection of minors, public order, privacy, consumer protection, and intellectual and industrial property rights.

The controller reserves the right to remove any content considered inappropriate without prior notice. Likewise, the controller is released from any responsibility regarding the security measures of each platform; the user must be aware of these along with the legal terms and conditions of use of the platform itself.

The controller is expressly exonerated from any liability that may arise from the use of social media by minors or persons with special needs. The controller’s social media accounts do not knowingly collect any personal information from minors; therefore, if the user is a minor, they should not register, use the controller’s social media, or provide any personal information. Specifically in Spain, the processing of personal data of a minor may only be based on consent starting from the age of 14. Furthermore, if any rule or regulation so requires, or if the user has special needs, the intervention of the holder of parental authority or guardianship, or their legal representative through a valid document proving representation, will be necessary.

Employment and candidate management

Those interested in accessing job offers from the controller may provide their data and professional information through various channels, preferably via existing forms, email addresses, and media provided for this purpose.

This data will be processed in line with these privacy terms for the purpose of managing applications for potential job offers, internships, and training within the responsible entity and any subsidiaries or companies belonging to the same business organization, where applicable.

Processing will be carried out based on the informed consent of the data subject or another valid legal basis. Provided data that is not of professional interest to the entity, or once it is no longer necessary for the purposes for which it was collected, will be deleted ensuring its confidentiality and anonymization.

Ethics channel

The data provided by any interested party through the procedures available in our Ethics Channel will be processed based on informed consent, the legitimate interest of the controller, and compliance with legal obligations.

The purpose of the processing is the management and control of potential communications and reports under the conditions established in our Ethics Channel.

The data of any interested or affected party, the person making the communication or report, employees, and third parties will be kept only for the time essential to decide whether any investigative action is appropriate. In any case, the information provided will be deleted, ensuring its confidentiality, once the legal periods for conservation or custody of evidence have elapsed.

No automated decisions will be taken, and no profiles will be created in relation to the information and data collected. Data may be communicated to third parties when necessary for the adoption of disciplinary measures or for the processing of potential legal proceedings.