PRIVACY POLICY

The present Privacy and Personal Data Protection Policy forms an integral part of the Terms of Use of the website located at www.tablaolacarmela.com.

Usuario is aware of the importance of personal data and therefore assures all Users and Customers that we safeguard the proper handling and privacy of such data, strictly complying with the provisions of the Legal System, under the terms explained below:

Exercise of Rights: Any Customer or Candidate may exercise the rights of access, rectification, deletion, objection, and request the erasure of data by postal mail to Usuario at Calle Victoria 4, 28012 Madrid, or by sending an email to administracion@tablaolacarmela.com with the subject line reference: “Data Protection,” including with the request a copy of their DNI (ID) or an official document proving identity.

The processing activities are recorded in the Company’s Data Protection Policy and have the legally established security measures (technical and organizational measures that prevent the alteration, loss, processing, or unauthorized access to data, as applicable).

In compliance with the General Data Protection Regulation of May 25, 2016, on the Protection of Personal Data, we inform you that there is an automated processing of personal activities solely for the purpose of facilitating the management of this Website’s activity, the management of the services offered through it and, where applicable, the management, development, and performance of the contractual relationship that the Customer establishes with Usuario. Likewise, Usuario will process data to manage inquiries made through the Website. For the purposes of the Law, Usuario is the Data Controller.

Providing the personal data requested by Usuario is mandatory so that you can be registered as a Customer for certain services offered on the Website. If the Customer does not provide the requested personal data or does not accept this Privacy and Data Protection Policy, they will not be able to acquire the products offered. Likewise, providing the data requested by Usuario is mandatory so that your candidacies can be assessed. If the candidate does not provide the personal data or does not accept this Privacy and Data Protection Policy, it will not be possible to assess it.

All personal data you provide to us will be incorporated into our record of processing activities.

Usuario’s Administrators are responsible for formulating the Company’s strategy and approving corporate policies, as well as organizing internal control systems. In exercising these responsibilities, and in order to establish the general principles that must govern the processing of personal data:

1. Purpose
   The Personal Data Protection Policy establishes the common principles and guidelines that must govern Usuario in the field of personal data protection, guaranteeing, in any case, compliance with applicable legislation. In particular, the Personal Data Protection Policy aims to guarantee the right to the protection of the data of all natural persons who interact with the company, ensuring respect for the right to honor and privacy in the processing of different types of personal data, originating from different sources and for various purposes depending on its business activity.

2. Evaluation
   The Security Officer will evaluate, at least once a year, the compliance and effectiveness of this Personal Data Protection Policy and will report the result to the management that assumes these functions at any given time.

3. Approval
   The Personal Data Protection Policy was initially approved by Senior Management on May 25, 2018.

4. Accuracy and confidentiality commitments
   By accepting this Privacy and Data Protection Policy, the Customer guarantees the accuracy, validity, and authenticity of the personal data provided, and undertakes to keep them duly updated.
   The Customer releases Usuario from liability for any damage or harm that may be suffered as a consequence of errors, defects, or omissions in the information the Customer has provided to Usuario.
   Usuario undertakes to comply with its professional secrecy obligation regarding personal data received through the Website and to handle them confidentially.
   The Customer expressly agrees that Usuario may transfer personal data since, on occasion, we use other companies to provide certain services. To do so, they require access to personal data of our customers and/or Users. Usuario may provide the information supplied through the Website to third parties related to or dependent on it or to service providers for the provision of such services, for the purposes and with the security measures provided for in the GDPR. In order to facilitate browsing of the Website, Usuario will use cookies or other similar functionality files. For more information about Cookies, Users and Customers are advised to read the Cookies policy.

5. Principles for processing personal data
   The principles governing the Personal Data Protection Policy are as follows:

a) General principles: Usuario will scrupulously comply with the data protection legislation of its jurisdiction, that which applies depending on the personal data processing carried out, and that which is determined by binding rules or agreements adopted within the company. Usuario will promote the consideration of the principles set forth in this Personal Data Protection Policy
(i) in the design and implementation of all procedures involving the processing of personal data,
(ii) in the products and services it offers,
(iii) in all contracts and obligations it formalizes with natural persons, and
(iv) in the implementation of any systems and platforms that allow employees or third parties to access personal data and/or the collection or processing of such data.

b) Principles related to personal data processing:

(i) Principles of legitimacy, lawfulness, and fairness in the processing of personal data. The processing of personal data will be fair, legitimate, and lawful in accordance with applicable legislation. In this regard, personal data must be collected for one or more specific and legitimate purposes in accordance with applicable legislation. In cases where it is mandatory under applicable legislation, consent must be obtained from the data subjects before collecting their data. Likewise, where required by law, the purposes of processing personal data will be explicit and determined at the time of their collection. In particular, Usuario will not collect or process personal data relating to ethnic or racial origin, political ideology, beliefs, religious or philosophical convictions, sexual life or orientation, trade union membership, health, nor genetic or biometric data intended to uniquely identify a person, unless the collection of such data is necessary, legitimate, and required or permitted by applicable legislation, in which case they will be collected and processed in accordance with that legislation.

(ii) Principle of data minimization. Only those personal data that are strictly necessary for the purpose for which they are collected or processed and appropriate to such purpose will be processed.

(iii) Principle of accuracy. Personal data must be accurate and kept up to date. Otherwise, they must be deleted or rectified.

(iv) Principle of storage limitation. Personal data will not be retained beyond the period necessary to achieve the purpose for which they are processed, except in cases provided for by law.

(v) Principles of integrity and confidentiality. In processing personal data, adequate security must be guaranteed, through technical or organizational measures, to protect them from unauthorized or unlawful processing and to prevent their loss, destruction, and accidental damage. The personal data collected and processed by Usuario must be kept with the utmost confidentiality and secrecy and may not be used for purposes other than those that justified and permitted their collection, nor may they be communicated or transferred to third parties except in cases permitted by applicable legislation.

(vi) Principle of proactive accountability. Usuario will be responsible for complying with the principles set out in this Personal Data Protection Policy and those required by applicable legislation and must be able to demonstrate such compliance when required by law. Usuario must carry out a risk assessment of the processing it performs in order to determine the measures to be applied to ensure that personal data are processed in accordance with legal requirements. In cases where the law so requires, the risks that new products, services, or information systems may pose to the protection of personal data will be assessed in advance, and the necessary measures will be taken to eliminate or mitigate them. Usuario must keep a record of processing activities describing the processing of personal data carried out within the framework of its activities. If an incident occurs that causes the accidental or unlawful destruction, loss, or alteration of personal data, or the unauthorized communication of or access to such data, the internal protocols established for this purpose by the Security Officer and those established by applicable legislation must be followed. Such incidents must be documented, and measures will be taken to resolve and mitigate possible negative effects for data subjects. In the cases provided for by law, data protection officers will be appointed to ensure compliance with data protection regulations within the company.

(vii) Principles of transparency and information. The processing of personal data will be transparent in relation to the data subject, providing them with information about the processing of their data in an understandable and accessible manner when required by applicable law. To ensure fair and transparent processing, the controller must inform the affected parties or data subjects whose data are to be collected of the circumstances relating to the processing in accordance with applicable legislation.

(viii) Acquisition or obtaining of personal data. The acquisition or obtaining of personal data from illegitimate sources, from sources that do not sufficiently guarantee their legitimate origin, or from sources whose data have been collected or transferred in contravention of the law is prohibited.

(ix) Engagement of processors. Prior to engaging any service provider that accesses personal data for which Usuario is responsible, and throughout the term of the contractual relationship, measures must be taken to ensure—and, where legally required, demonstrate—that the data processing by the processor is carried out in accordance with applicable regulations.

(x) International data transfers. Any processing of personal data subject to European Union regulations that involves a transfer of data outside the European Economic Area must be carried out in strict compliance with the requirements established by the applicable law in the originating jurisdiction. Likewise, business partners or subsidiaries located outside the European Union must comply with the requirements established for international transfers of personal data that are, where applicable, applicable in their jurisdiction.

(xi) Rights of data subjects. Usuario must allow data subjects to exercise the rights of access, rectification, erasure, restriction of processing, data portability, and objection that are applicable in each jurisdiction, establishing, for this purpose, the internal procedures necessary to satisfy at least the applicable legal requirements in each case.

4. Implementation
   In accordance with this Personal Data Protection Policy, the Corporate Security Department, together with the Company’s Legal Services, will develop and keep up to date the internal global data protection management regulations, which will be implemented by the Security Officer and will be mandatory for all the Company’s managers and employees. Likewise, the Officer will establish internal procedures that develop the principles set out herein.

5. Control and evaluation
   a) Control. It is the responsibility of the Security Officer to supervise compliance with the provisions of this Personal Data Protection Policy by the Company. To verify compliance with this Personal Data Protection Policy, periodic audits will be carried out by internal or external auditors.

© TABLAO FLAMENCO LA CARMELA 2025