SPIRIT & BRANDS, S.L. (hereinafter the Entity) is committed to due diligence and compliance with the Data Protection regulations implemented through Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data General Data Protection Regulation (RGPD) and Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD).

1. Data Controller and contact details of the Data Protection Officer/Data Protection Officer (DPO/DPO):

Identity: Spirit & Brands SL
Address / C. P.: Passeig de Gràcia, 103 4º 08008 Barcelona
DPO / DPO contact details:
Data Protection Channel:

2. Purposes of processing

The Entity will process the information provided by the interested parties for the following purposes:

  • Manage your attention, visit and meeting at our facilities, as well as the management and implementation of the services / products contracted.
  • To manage any type of request, suggestion or petition about our professional services made by interested parties.
  • Informative and commercial communications: processing of your data in order to inform you about activities, articles of interest and general information
    related to our activity and the services/products contracted.
  • Manage data provided by job candidates through the Curriculum Vitae (CV) for the purpose of the selection and recruitment process.
  • Promotional actions and campaigns (promotions, raffles,…).
  • Manage the communications received through the SPIRIT & BRANDS ethical channel and carry out the appropriate investigations (in the event that
    the informant identifies him/herself).

For the good purpose and development of your  attention and management of the above purposes, the holder consents to the processing of your  data for the above purposes, all under the strictest compliance with the Data Protection regulations and the policy that we are  detailing. You may  exercise your  rights at any time (see  specific section).

3. Data retention criteria

Management of services / products contracted with the Entity: the personal data provided in the contracts, offers and/or service proposals, as well as those of other persons whose intervention is necessary, will be kept for as long as the contracted services are  in force. At the end of the provision of the contracted service/s, the personal data shall be kept in the event that liabilities may  arise with the Entity and/or in compliance with other regulatory frameworks that are applicable to the Entity or a regulation with the rank  of law that requires the conservation of the same. Personal data shall be kept in such a way as to allow the identification and exercise of the rights of those affected and under the legal and organisational technical measures necessary to guarantee the confidentiality and integrity of the same.

Curriculum Vitae Management: the Entity, as a rule,  keeps your  Curriculum Vitae for a maximum period of one year;  at the end of this period, it will be automatically destroyed, in compliance with the principle of data quality.

Others: the rest of the data and information provided by the user by any means will be kept for the time necessary to fulfil the purpose for which  they were collected.

4. Legitimation 

  • The legal basis that enables the Entity to process the personal data of users, customers, potential customers by virtue of the following  titles:
  • The consent of the persons concerned for the processing and management of any request for information or enquiry about our  services and products.  Consent given by Job Applicants for recruitment and selection purposes.
  • The framework for the provision and/or contracting of services/products with the Entity.
  • Legitimate interest in sending you information, commercial and/or promotional offers related to the Entity’s activity and the services/products contracted via e- mail or any other means. 

5. Addressees

 No personal data will be passed on to third parties, except as provided for by law.

 6. Source 

Personal data is collected directly from the persons concerned and from our  partners. The categories of personal data provided to us by our  employees are  as follows:

  •      Identification data. 
  •      Postal or e-mail  addresses.
  •      Data provided and/or consented to by the interested parties themselves related to and necessary for the management and performance of the service / product requested. 

  7. Rights

Right of Access, Rectification and Deletion: interested parties have the right to obtain confirmation as to whether or not the Entity is processing personal data concerning them. Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or request its deletion when, among other reasons, the data is no longer necessary for the purposes for which  it was  collected.

Right to Restriction and Opposition: In certain circumstances, data subjects may request that we restrict the processing of their data, in which  case we will only retain the data for the purpose of exercising or defending claims. In certain circumstances and for reasons related to their particular situation, data subjects may  object to the processing of their data. The Entity will stop processing the data in this case, except for compelling legitimate reasons, or for the exercise or defence of possible claims. These rights may be exercised in our  Data Protection Channel, see specific  section.

  8. Ethical Channel

The Entity has  implemented a Communications and Whistleblowing Channel to comply with Law 2/2023 of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption. The channel is intended for reporting any suspicions or violations of wrongdoing, including suggestions or queries. 

Accessed via the following  link:

 9. Attention and support

 Interested parties may inform the Entity of any doubts regarding the processing of their personal data or the interpretation of our  policy by contacting the Data Protection Officer/Data Protection Delegate (DPO/DPD) at the address indicated at the beginning of this policy.