Privacy Policy

PRIVACY POLICY AND PERSONAL DATA PROCESSING AT BAM ACADEMY

1. Who is the data controller?

Controller: ASOCIACIÓN VASCA PARA EL DESARROLLO DE TECNOLOGÍAS DE FABRICACIÓN AVANZADA EN AUTOMOCIÓN. BAM – Basque Automotive Manufacturing Center

Tax ID (CIF): G56200728

Postal address: Avenida de los Huetos, 79–81, Oficina 27, 01010 Vitoria-Gasteiz (Álava)

Telephone: +34 914846000

Email for the exercise of rights relating to the processing of personal data: info@bamcenter.eus

2. For what purposes does BAM ACADEMY process your personal data?

3. What personal data does BAM process?

– Identification and contact: full name, email, telephone, company/entity, position, and corporate data. 

– Professional/company data: information necessary to manage requests made by companies, including tax data of the requesting entity. 

– Economic and billing data: billing data and, where applicable, the bank account of the requesting company. 

– Participation data: registration/participation data, attendance (without biometrics), and data necessary for the issuance of certificates/diplomas. 

– Data for speaker logistics: when necessary, essential data for travel/accommodation (e.g., ID card and address). 

– Image/voice: photographs and recordings (video and/or audio) made during events and outreach activities. – Preferences and traceability of consents: evidence of consents granted and unsubscribe/objection preferences.

4. What is the legal basis for the processing?

– Contract / pre-contractual measures (Art. 6.1.b GDPR): to manage the request, registration/participation, and the provision of the training service or participation in activities/events.

 – Legal obligation (Art. 6.1.c GDPR): to comply with tax and accounting obligations and, where applicable, obligations derived from subsidies or requirements of public bodies, as well as to address rights requests and security obligations. 

– Legitimate interest (Art. 6.1.f GDPR): exclusively for sending informative/commercial communications about similar activities when there is a prior relationship, with the right to object and unsubscribe in each communication. 

– Consent (Art. 6.1.a GDPR): when applicable, for (i) commercial communications without a prior relationship or when required; (ii) audiovisual capture/dissemination and (iii) communication of data to sponsors (specific and granular consent).

5. To whom does BAM communicate personal data? (recipients)

– Providers and collaborators (data processors): training providers, technologies, and platforms (for example, LMS, i.e., online learning management platforms, video calls, and email marketing tools), IT support, agency/consultancy, and logistics providers (agencies/hotels). 

– Administrations, authorities, and public or private bodies: for compliance with legal obligations (for example, tax/accounting obligations or requirements from competent authorities). 

– Event sponsors: no data will be communicated to event sponsors unless the person has expressly authorized it. In that case, only identity and corporate contact data will be communicated so that the sponsoring company can contact them, with the sponsor acting as an independent controller.

6. International transfers

The processing does not involve international transfers of personal data. In the event that, for service provision reasons, it is necessary to carry out international transfers of personal data outside the European Economic Area, such transfers must comply with the obligations established in Chapter V of the General Data Protection Regulation (GDPR).

7. How long does BAM keep the data?

BAM retains the data for the time necessary to fulfill the purpose for which they were collected and, subsequently, duly blocked, during the limitation periods for legal obligations or liabilities. In particular:

– Leads/requests: while the request is being managed and during a reasonable follow-up period; subsequently, they will be deleted or blocked according to internal criteria and/or until deletion or objection is requested.

– Training (courses) and certification: during the delivery and issuance/management of certificates; subsequently, during the applicable limitation periods and according to internal criteria for verification/re-issuance of certifications.

– Administrative and economic management: during the periods required by tax and accounting regulations.

– Subsidized training: during the period required by subsidy regulations and by the funding entity for justification and possible audits.

– Events and speakers: until the end of the event and the management of incidents/expenses; subsequently, during the limitation periods.

– Images and audiovisual material: for the time necessary for dissemination and promotion purposes, depending on the nature of the medium/publication, and, in any case, until objection/deletion is exercised where appropriate or consent is withdrawn if this was the basis of the processing.

– Commercial communications: as long as the person does not exercise the right to object or request to unsubscribe.

– Evidence of consent: BAM maintains the necessary traceability to prove compliance with its obligations.

– Data processed by BAM on behalf of educational centers (universities): they will be kept only for the time necessary to provide the service and, upon completion, will be returned or deleted according to the university’s instructions, unless there is a legal obligation.

8. What are your rights?

– The rights of access, rectification, erasure, objection, restriction, and portability may be exercised, as well as the withdrawal of consent when the processing is based on it. To exercise them, please address your request to info@bamcenter.eus. BAM may request additional information to verify identity or clarify the request. 

– Important: (i) if the person has consented to the communication of data to a sponsor, the sponsor will process those data as an independent controller for its own purposes; in that case, the rights must be exercised before the sponsor. (ii) In master’s degrees managed by a university, the university will be responsible for the academic and recruitment processing carried out on its website; for these treatments, rights must be exercised before the university.

 – If the person considers that the processing does not comply with current regulations, they may contact BAM via email at info@bamcenter.eus, indicating “Exercise of GDPR Rights” as a reference, so that BAM can identify the request and resolve it as soon as possible. Likewise, if you consider that your rights have not been duly addressed, you may file a complaint with the Spanish Data Protection Agency (AEPD) (www.aepd.es).

9. Origin of the data

– Data is generally obtained from the interested party (web forms, communications, and participation in activities). Occasionally, the request may be made by a company (e.g., staff registration); in that case, the company is responsible for initially informing its staff about the processing associated with the registration or request. Without prejudice to the foregoing, this Privacy Policy informs and complements said information regarding the processing that BAM may carry out, both as a data controller (for example, when BAM attracts and manages interested parties through its own channels, organizes its own courses/events, or sends communications in the terms provided), and on behalf of third parties when applicable (for example, in the framework of collaborations with universities, as described below). 

– The information published on the BAM website may include links (for example, in the case of certain master’s degrees) that redirect to third-party websites (e.g., a university) where the corresponding form is hosted and where the data is initially collected, managing the recruitment/enrollment and, where applicable, the academic management under the responsibility of that third party. Subsequently, said third parties may communicate to BAM the data necessary for specific tasks (e.g., teaching or coordination), in which case BAM will act on behalf of the university under the terms of the applicable agreement/assignment. The above does not prevent BAM from carrying out, for its own purposes, processing as a controller regarding its own courses, events, and communications. 

– Furthermore, if the communication to a sponsor is expressly authorized, BAM will communicate the data to the identified sponsor.

10. Mandatory or optional nature of the information

The data requested as mandatory are necessary to address your request and/or manage your participation in the training or event. If they are not provided by the interested party, it may not be possible to process the request or provide the service.

11. Automated decisions

The adoption of automated decisions, including profiling, that produce legal effects on the interested party or significantly affect them in a similar way, is not foreseen. Where appropriate, basic segmentation may be carried out (e.g., by training interest) to send relevant communications, always respecting the person’s right to object or unsubscribe.

12. Security

The data will be treated confidentially and subject to appropriate technical and organizational security measures to prevent its alteration, loss, or unauthorized processing or access.