This Privacy Policy has been developed according to the provisions of the Organic Law on Protection of Personal Data, as well as Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, hereinafter the GDPR.

This Privacy Policy seeks to inform the data subjects about specific aspects related to the data collected and data processing, including the purposes for processing the data, the contact information to exercise their rights, the data retention period and security measures, among other things.

Data Controller

Concerning data protection, Tornillería y Servicios SLU shall be considered the Data Controller of the files and data processing described herein, specifically in the Data Processing section.

The website owner’s identification data is provided below:

Data processing

Any personal data requested, where appropriate, will be limited to what is strictly necessary to identify and respond to the request submitted by the owner of the data, hereinafter data subject. The data subject’s personal data will be processed fairly, lawfully and transparently. Personal data will be collected for specified and legitimate purposes and not further processed in a way incompatible with those purposes.

The data collected from each data subject must be adequate, relevant and not excessive in relation to the purposes for which they were collected, and, where necessary, kept up to date.

The data subject must be informed prior to any data collection about the general provisions regulated under this policy to have the option of giving his/her express, precise and unambiguous consent to the processing of his/her data in accordance with the following criteria.

Purpose of the processing

The specified purposes for which the data is processed are listed in the clauses included in each data collection method (web forms, paper forms, recordings or posters and briefing notes).

Nonetheless, the personal data of the data subject will be processed solely for providing an effective response and meeting the requests submitted by the user, specified next to the option, service, form or data collection system used by the website owner.


As a rule, Tornillería y Servicios SLU shall obtain the express and unambiguous consent of the data subject prior to the processing of personal data, through the informed consent clauses included in the different data collection methods.

No obstante, en caso de que no se requiera el consentimiento del interesado, la base legitimadora del tratamiento en la cual se ampara Tornillería y Servicios SLU es la existencia de una ley o norma específica que autorice o exija el tratamientode los datos del interesado.


As a rule, Tornillería y Servicios SLU does not transfer or communicate data to third parties, except where required by law. However, if necessary, the data subject is informed of such transfer or communication through the informed consent clauses contained in the different data collection methods.


As a rule, personal data is always collected directly from the data subject; however, in certain circumstances, the data may be collected through third parties, entities or services other than the data subject. In any case, the data subject shall be informed of such transfers through the informed consent clauses contained in the different data collection methods, within a reasonable time after the data has been collected, and at the latest within a month.

Retention period

The data collected from the data subject will be retained as necessary to meet the intended purpose. Once the purpose has been achieved, the data will be voided. This means that the data will be blocked and made available only to public authorities, judges and courts to cover liabilities that may result from the processing of data, and only for the duration of such liability. After this period, the data will be destroyed.

Labour or social security related documentation4 yearsArticle 21 of Royal Legislative Decree 5/2000, of August 4, approving the revised text of the Law on Infringements and Penalties in the Social Sphere
Accounting and fiscal documentation for commercial purposes6 yearsArt. 30 Commercial Code
Accounting and fiscal documentation for tax purposes4 yearsArticles 66 to 70 of the General Tax Law
Controlling access to buildings1 monthInstruction 1/1996 of the AEPD
Camera surveillance1 monthInstruction 1/2006 of the AEPD
Organic Law 4/1997

The legal deadlines for storage of different types of data is provided below for information purposes only.

Browsing data

Please refer to the Cookies Policy on our website for information on browsing data that may be processed through the website, provided such data are subject to applicable regulations.

Rights of the data subject

The legislation on data protection gives certain rights to the data subjects, website users or users of Tornillería y Servicios SLU’s social media sites.

These rights are:

  • Right of access: the right to obtain information as to whether their data is being processed, the purpose of the processing, the categories of data, the recipients or categories of recipients, the retention period and the origin of such data.
  • Right of rectification: the right to rectify inaccurate or incomplete personal data.
  • Right of erasure: the right to have the data erased in the following cases:
    • The personal data are no longer necessary in relation to the purposes for which they were collected.
    • The data subject withdraws consent.
    • The data subject objects to the processing.
    • The personal data have to be erased for compliance with a legal obligation.
    • The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the European Regulation on Data Protection.
  • Right to object: the right to object to a certain type of processing to which the data subject had consented.
  • Right to restriction of processing: the right to restrict processing of data where one of the following applies:
    • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
    • The processing is unlawful and the data subject opposes the erasure of the personal data.
    • The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
    • The data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
  • Right to data portability: The right to receive the personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, where:
    • The processing is based on consent.
    • The processing is carried out by automated means.
  • The right to lodge a complaint with the competent supervisory authority.

The data subject may exercise these rights by sending a written request to Tornillería y Servicios SLU, to the e-mail address , indicating in the subject line the right you wish to exercise.

Tornillería y Servicios SLU will respond as soon as possible to your request, bearing in mind the deadlines set out in the data protection legislation.


Tornillería y Servicios SLU has adopted the security measures laid down in Article 32 of the GDPR. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Tornillería y Servicios SLU has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

In any case, Tornillería y Servicios SLU has implemented sufficient mechanisms to:

  1. Safeguard the confidentiality, integrity, availability and permanent resilience of the processing systems and services.
  2. Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  3. Test, assess and evaluate, on a regular basis, the effectiveness of technical and organisational measures for ensuring the security of the processing.
  4. Pseudonymise and encrypt personal data, if applicable.