Privacy Policy

We have a high level of commitment to the privacy of individuals, which is why the protection of personal data is important to us.

We process data in accordance with the provisions of the EU General Data Protection Regulation (2016/679 – GDPR), Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD), and other current regulations on the matter.

This Privacy Policy was reviewed in December 2025 to comply with the information and transparency obligations of the website itself and the Data Controller generally, aiming to provide any data subject, and not just the website users, with the Data Controller’s general terms on this subject. Variations may exist until its next review.

Who is the Data Controller of your data?

Data Controller: ASOCIACION CENTRO TECNOLOGICO NAVAL Y DEL MAR

Tax ID (NIF/CIF): G30772438

Address: PARQUE TECNOLOGICO FUENTE ALAMO, CTRA. EL ESTRECHO – LOBOSILLO, KM. 2. 30320 FUENTE ALAMO DE MURCIA ((MURCIA))

Email: contact@ctnaval.com 

What is the origin and type of data we process?

The origin of the information we process may be any of the following categories:

    • Paper, electronic, or digital forms.
    • Communication and messaging systems: email and messaging applications, telephone, etc.
    • Other lawful sources and origins of information.

The different categories of data that we may process, depending on the type of data subject (user, client, supplier, employee, etc.) and the nature of the Data Controller’s activity and the different data processing operations, are:

    • Identification data, e.g.: name and surname, image.
    • Identification codes or keys, e.g.: username, employee code.
    • Postal or electronic contact addresses, e.g.: telephone, email, social media profile.
    • Personal and professional characteristics data, e.g.: age, date of birth, qualifications, professional experience, curriculum vitae (CV).
    • Economic, financial, and insurance data, e.g.: bank details, credit card, etc.
    • Economic and non-economic payroll data and other employment-related information, e.g.: job title, payroll document, etc.
    • Transaction data, e.g.: goods and services supplied and received.
    • Special categories of data, e.g.: health, trade union membership, racial origin.
    • Other data and information necessary or implicit in the development of our activities, services, and objective.

MANDATORY OR OPTIONAL NATURE OF THE INFORMATION PROVIDED BY DATA SUBJECT

The Data Subject, by marking the corresponding boxes and entering data in the fields marked as mandatory (e.g., with an asterisk) in the contact form or presented in download forms, expressly, freely, and unequivocally accepts that their data is necessary for the Data Controller to address their request, with the inclusion of data in the remaining fields being voluntary.

The Data Subject guarantees that the personal data provided to the Data Controller are truthful and undertakes to communicate any modification thereof. The data requested through the website, marked as mandatory, are necessary for the provision of an optimal service to the Data Subject. In the event that all data are not provided, it is not guaranteed that the information and services provided will be fully adjusted to their needs.

What is the purpose of processing your personal data?

In general, data is processed to successfully carry out the actions implicit in the normal development and management of the Data Controller’s activity. However, we can specify different processing purposes depending on the existing categories of data subjects:

    • Clients and Potential Clients: management and maintenance of commercial, pre-contractual, and contractual relationships; internal administration; economic management; advertising and marketing, customer service.

    • Collaborators, Creditors, and Suppliers: management and maintenance of commercial relationships, internal administration, and economic management.

    • Employees (Working Persons): management, development, and maintenance of the employment relationship, human resources management, communications, training activities, occupational risk prevention, work time registration, and other purposes derived from legal obligations and the development of employment relationships.

    • Candidates: management of received curricula vitae (CVs), management of job offers, and personnel selection.

    • Website and Social Media Users: user support and management of communications between the parties.

    • Visitors: visitor assistance and control of access to facilities.

    • Information concerning any other category of data subjects processed by the Data Controller will be done within the framework of its activity, strict compliance with applicable regulations, and under the general criteria of this Privacy Policy.

Other general purposes that the Data Controller may implement are:

    • Creation of a commercial profile, with the aim of improving your experience by customizing offers and communications. Individualized decisions will not be taken based on said profile, and action will be taken based on legitimate interest.

    • Video surveillance, for the security of assets and people, as well as the corresponding labor control based on legitimate interest.

    • Telephone exchange, for the purpose of recording communications for security, guarantee, and quality of service, based on legitimate interest.

    • Financial management and control of monetary obligations. In the case of debtors with certain, overdue, and enforceable outstanding payments, the Data Controller may communicate this circumstance to credit solvency files, debtor files, and debt management or recovery services, among others, based on legitimate interest.

    • Communications: development and execution of communications through the available contact data and means (email, instant messaging, etc.) with internal (employees) and external (clients, potential clients, collaborators, suppliers, etc.) categories of data subjects. The purposes of such communications may be informative, organizational, commercial, and advertising, as appropriate, based on the Data Controller’s informed consent and legitimate interest.

    • Other purposes derived from the nature of the Data Controller, motivated by the normal development and exercise of its activity, based on a valid lawful basis.

How long will we retain your data?

In general, personal data will be retained at least as long as a relationship exists with the data subject, as long as deletion is not requested, as long as liabilities may arise, or as long as there ir a legal requirement for retention.

Regarding the data of candidates and job applicants, they will be deleted immediately when they are no longer of interest to the Data Controller.

The Data Controller has a data protection plan that includes an inventory of retention periods which it observes to manage the different applicable retention periods.

Data deletion wiil, in all cases, be carried out ensuring the confidentiality of the data.

What is the lawful basis for processing your data?

The Data Controller observes and applies the various existing lawful bases that apply to each processing purpose. These are:

a) Informed consent of the data subject.

b) Pre-contractual or contractual commitments.

c) Legitimate interest of the Data Controller.

d) Applicable legal obligations.

e) Other legally prescribed lawful bases.

To which recipients will your data be disclosed?

The data of data subjects will not be disclosed to any third party by default, except for: 

a) Auxiliary services, authorized data processors, or other implicit third parties necessary for the correct provision of goods and services; b) Competent public authorities and administrations in the exercise of their functions; c) Other legitimate data subjects and legally mandated third parties.

What are your rights when you provide and/or we process your data?

As a Data Subject, you may request the exercise of any of the following data protection rights at any time:

    • Right of access to the Data Subject’s personal data to confirm whether or not data concerning them is being processed and to obtain more information abour this processing.
    • Right to rectification or erasuse of the personal data concerning the Data Subjetc when, among other reasons, the data is inaccurate or is no londer necessary for the purposes for which it was collected.
    • Right to restriction of processing of the Data Subject’s personal data in certain circumstances, in which case the data will only be retained for the purpose of the exercise or defense of claims, for the protection of the rights of another natural or legal person, or for reasons of public interest.
    • Right to data portability: to receive the personal data concerning you, which you have previously provided to us, and in a structured format, where possible.
    • Right to Object to the processing of your data in certain circumstances and for reasons related to your particular situation. The company will stop processing your data, except for compelling legitimate reasons, or the exercise or defense of possible claims.
    • Right to withdraw consent, which may lead to the annulment or cancellation of the existing business or contractual relationship, if any. This is without prejudice to processing carried out prior to the withdrawal of consent.

To exercise these rights, you only need to contact us via the email or postal address indicated at the beggining of this document.

Optionally, you can also contact our designated Data Protection Officer (DPO) or the Data Protection Agency to learn about your rights or to request the protection of these rights by the supervisory authority.

Data security

We adopt the necessary technical and organizational measures in our information system to guarantee an adequate level of confidentiality, integrity, availability, and resilience of the data, with the aim of protecting the rights and freedoms of the Data Subjects.

The Data Controller complies with the provisions and principles described in the GDPR to process data lawfully, fairly, and transparently in relation to the Data Subject, and to ensure the data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

Notwithstanding the foregoing, to the extent permitted by legal system, we do not assume any responsibility for damages or alterations that third parties may cause to our information system. Any security breach will be promptly and immediately communicated to the competent authority and/or State security forces.

Sending of communications and information

Our policy regarding the sending of information through electronic means (emails, instant messaging, ect.) is limited only communications that we consider to be of interest to our users and Data Subjects, in relation to the company’s functions and activity, or that you hace consented to receive.

If you prefer not to receive these messages, we will offer you the possibility to exercise your right to cancellation and to waive the reception of theses messages through them, in accordance with the provisions of Title III, Article 22 of Law 34/2002 on  Information Society Services and Electronic Commerce (LSSICE).

Social media

The Data Controller may have a presence on social media through corresponding profiles. This section, along with any legal and privacy terms present on the website, shall apply to the processing of data of users or Data Subjects who become followers or are otherwise linked to these profiles.

The purposes of the Data Controller’s use of these profiles are communication, commercial development, marketing and advertising, handling queries addressed to the Data Controller and user support, informing about actions, activities, and events organized by the Data Controller or in which ir participates, and interacting through the official profiles.

The lawful bases set out in section «What is the Lawful Basis for Processing Your Data?» are supplemented in this case because the user or Data Subject may have a profile on the same social network as the Data Controller and has decided to join or connect with the Data Controller’s profile, thereby giving their consent to the processing of the data available on their profile, Therefore, by following the Data Controller’s profiles, you provide your consent to the processing of data available on your profile.

The user can access the policies and privacy terms of the corresponding social network at any time, as well as configure the privacy features that can be implemented on their profile. Publications made by the user will be known by other users, meaning the user themselves is primarily responsible for their privacy.

Users who are followed and/or participants in our profiles shall refrain from:

a) Publising content or information contrary to the Laws, morality, and good faith. Any unlawful, annoying, inappropriate use or behavior that may generate negative opinions on the profile or violate the rights of individuals is not permitted.

b) Behaving in a manner contrary to the principles of legalitu, honesty, responsibility, protection of human dignity, protection of minors, protection of public order, the protection of private life, consumer protection, and intellectual and industrial property rights.

The Data Controler reserves the right to remove any content considered inappropriate without prior notice. Likewise, the Data Controller is exempt from any liability in relation to the security measures corresponding to each platform, the user being responsible for knowing them, along with the legal terms and conditions of use of the platform itself.

The Data Controller shall be expressly exempt from any liability that may arise from the use of social media by minors or persons with special needs. The Data Controller’s social media profiles do not knowingly collect any personal information from minors. Therefore, if the user is a minor, they should not register, use the Data Controller’s social media, or provide any personal information. Specifically in Spain, the processing of personal data of a minor can only be based on consent starting from the age of 14. Furthermore, if any rule or regulation requires it, or the user has special needs, the intervention of the holder of their parental authoriry or guardianship, or their legal representative, through a valid document proving the representation, will be necessary.

Employment and candidate management

Data Subjects interested in accessing job offers from the Data Controller may provide their data and professional information to the Data Controller through different channels, preferably via existing forms, email addresses, and specific means available for this purpose, where applicable.

This data will be processed in line with these privacy terms for the purpose of managing candidacies for potential job offers, internships, and training within the responsible entity and any affiliated companies or those belonging to the same business organization, where such affiliation exists and is relevant.

The processing will be carried out based on the informed consent of the Data Subject or another valid lawful basis.

The data provided, if not of professional interest to the entity or once they cease to be necessary for the purposes for which they were collected, will be deleted, ensuring their confidentiality and anonymization.

Any Data Subject may revoke their consent and exercise their privacy rights in accordance with the terms set out in this privacy policy.

Ethics channel

The data provided by any Data Subject through the procedures available on our Ethics Channel will be processed based on informed consent, the legitimate interest of the Data Controller, and compliance with legal obligations.

The purpose of processing will be the management and control of possible communications and complaints in accordance with the conditions established in our Ethics Channel.

The data of any Data Subject or affected person, the person making the communication or complaint, employees, and third parties will be retained only for the time strictly necessary to decide whether any investigation action proceeds. In all cases, the information provided will be deleted, ensuring its confidentiality, when the legal periods for retention or custody of evidence have elapsed.

No automated decisions will be made, nor will profiling be carried out in relation to the information and data collected.

Data may be disclosed to third parties when necessary for the adoption of disciplinary measures or for the processing of any ensuing legal proceedings.

Any Data Subject may exercise their data protection rights under the terms provided in this privacy policy.

Users should be aware that the information and data provided are confidential and reserved.