Privacy Policy and General Conditions



The companies of the SISTEPLANT group, which is composed of the following entities, are respectively responsible for the processing of your personal data:

Company name: SISTEPLANT SL
C.I.F./N.I.F.: B95299707
Registered Office: Parque Tecnológico, Edif. 607, 48160 Derio  ( Bizkaia)
Registered in the Mercantile Registry of Bizkaia Volume 4390, Folio 65, Page BI 38863, 1st Inscription

C.I.F./N.I.F.: B88002191 Registered
Office: Calle Golfo de Thessaloniki 27 piso 1º letras A y B, 28033 Madrid (Madrid)
Registered in the Mercantile Registry of Madrid Volume 37269, Folio 103, Section 8, Page M 664662, Inscription 1ª

For both entities

  • Phone: 946021200
  • Email:

From now on and to refer to both, the expression SISTEPLANT will be used.


In accordance with the provisions of EU Regulation 679/2016 and Organic Law 3/2018 of December 5 on the protection of personal data and  guarantee of digital rights, we inform you that the personal data you provide us and those generated during the development of the relationship with you, are treated for the following purposes:

  • Respond to the requests you make
  • Provide you with information about SISTEPLANT products,  consenting to it, in the sending of commercial communications by email or by any other equivalent means of electronic communication (such as SMS) that you have provided us.
  • If you send us a CV, that your candidacy is valued in the realization of personnel selection processes. In this case you must indicate the center or centers of SISTEPLANT SL in which you would be interested in working.
  • Allow the subscription of the person concerned to our newsletter
  • The sending of communications by any means that you have provided, related to the activities developed by the entity and that may be of interest to you.
  • The response to queries, complaints and suggestions, and the realization of all kinds of communication actions.
  • The accounting, fiscal and administrative management of the entity.



The personal data provided will be kept as long as its deletion is not requested by the interested person, or who legally acts as their legal representative and this proceeds, and as long as they are necessary -including the need to keep them during the applicable limitation periods- or relevant for the purpose for which they were collected or registered.

The conservation of the data will be conditioned to the legal obligation that SISTEPLANT has to  keep them. Once these deadlines have passed, the data will be destroyed or deleted, and the deletion, elimination or destruction will be carried out so that the information contained in the media is not recoverable.


The legal basis for the processing of your data is the consent given by the person concerned. This is obtained expressly and unequivocally by completing and, where appropriate, sending the documents and forms on paper or electronic in which your data is collected. In all the documents of the entity, which are used to collect data for the different uses, there are informative clauses in accordance with the provisions of the data protection regulations and the consent is expressly expressed by signing by the interested person, or sending the existing forms on the website.

The processing is also a cause of legitimacy when it is necessary for the execution of a contract, or the provision of a service provided to the interested persons, in which they are a party, or for the application at their request  of pre-contractual measures (art. 6.1.a and b GDPR).

SISTEPLANT is also entitled to process your data to comply with the legal obligations to which it is subject and for the satisfaction of legitimate interests, provided that the interests or fundamental rights of the interested parties do not prevail over these.

Whatever the cause of legitimation, the consent can be revoked at any time.


Your data will not be transferred to any entity without your consent except for the assignments provided by law, in this sense your express consent will be requested for the transfer of your data to any other entity.

As a result of the management of the authorized purposes, your data may be communicated to the companies that make up the SISTEPLANT group and entities or persons directly related to SISTEPLANT and the services provided by it. Likewise, your personal information will be available to the Public Administrations, Judges and Courts, for the attention of the possible responsibilities arising from the treatment and provided that these assignments are covered by law.

Your data may also be transferred to companies that provide us with some type of advisory services, computer maintenance, marketing, training or auditing. These entities only have access to the personal information that is necessary to carry out these services, requiring it through a “data processing order” contract that maintains confidentiality, that they cannot use the information for other purposes and that they adopt measures that guarantee the integrity and availability of it.

International data transfers outside the European Union or to entities that do not comply with the data protection standards established by EU Regulation 679/2016 are not foreseen.


The personal data processed by SISTEPLANT are provided by the person concerned, by the entity in which it provides services or obtained from sources accessible to the public.


SISTEPLANT will process the data you provide us, which may be of the following categories:

  • Identification and contact data
  • Academic and professional data
  • Employment detail data
  • Commercial information


Anyone has the right to obtain confirmation as to whether SISTEPLANT processes personal data concerning them, or not.

Interested persons have the right to access their personal data and to obtain a copy of the personal data being processed, to update them, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data are no longer necessary for the purposes for which they were collected.

In certain circumstances and for reasons related to their particular situation, interested parties may object to the processing of their data. SISTEPLANT will stop processing the data, except for compelling legitimate reasons, or the exercise or defense of possible claims.

Also in certain circumstances, provided for in Article 18 RGPD, the interested parties may request the limitation of the processing of their data, in which case SISTEPLANT will treat them, with the exception of their conservation, with the  consent of the interested party or for the formulation, exercise or defense of claims, or with a view to the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a given Member State.

In the event that it was applicable, as a result of the application of the right to erasure or opposition to the processing of personal data in the online environment, the interested parties have the right to be forgotten according to the jurisprudence of the Court of Justice of the EU.

By virtue of the right to portability, the interested parties have the right to obtain the personal data concerning them in a structured format of common use and mechanical reading and to transmit them to another person in charge.

Every data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on him or her or similarly significantly affects him, except for the exceptions provided for in Art.22.1 GDPR.

The interested party has the right to the deletion of their data, due to the disappearance of the purpose that motivated the treatment or collection, by revocation of consent when it is this one that legitimizes the treatment, or for the rest of the reasons contained in article 17RGPD. The deletion will be carried out by proceeding to the high-level erasure of the data contained in automated media and the physical destruction of non-automated media


By means of a letter always accompanied by a copy of the DNI or other document that proves the identity of the interested person addressed to the addresses indicated in the heading.


If you consider that your rights have not been duly addressed, you have the right to file a claim with the Spanish Agency for Data Protection, whose contact details are: Telephones: 901 100 099 Postal address: C / Jorge Juan, 6 Madrid.


These conditions apply to contracting with the companies that make up the SISTEPLANT group and which currently are:

Company name: SISTEPLANT SL C.I.F.
/N.I.F.: B95299707
Registered Office: Parque Tecnológico, Edif. 607, 48160 Derio  ( Bizkaia)
Registered in the Mercantile Registry of Bizkaia Volume 4390, Folio 65, Page BI 38863, 1st Inscription

/N.I.F.: B88002191 Registered
Office: Calle Golfo de Thessaloniki 27 piso 1º letras A y B, 28033 Madrid (Madrid)
Registered in the Mercantile Registry of Madrid Volume 37269, Folio 103, Section 8, Page M 664662, Inscription 1ª

These general conditions are added to the contracts of the company with its clients, thus being stated in the different documents or annexes that are signed with the particular conditions applicable to each contract or service.

From now on, the name SISTEPLANT   will be used  to refer to any of the aforementioned companies.

The following is established as domicile for the purposes of any type of communication:

Registered Office: Parque Tecnológico de Bizkaia Edif. 607, 48160 Derio ( Bizkaia)

For both entities

  • Phone: 946021200
  • Email:


These clauses establish the conditions that enable SISTEPLANT to process personal data arising from the execution of the contract or the provision of the service contracted with the client.

SISTEPLANT will process, to the extent that the execution of the contract or the provision of the service makes it essential, personal data for which the client is responsible. These general conditions, mentioned in the particular conditions and accepted by the client are established to comply with the provisions of article 33 of Organic Law 3/2018 of December 5  on the protection of personal data and guarantee of digital rights, and in 28 of EU Regulation 2016/679 delimiting the obligations of the person in charge and the person in charge of treatment.

The treatment that is carried out will consist of the service detailed in the contract or budget accepted by the client

The client as responsible for the treatments authorizes SISTEPLANT to treat on its own the personal data contained in its files and treatments to the extent that this is necessary to provide the indicated service.

Regarding the indicated data, SISTEPLANT may treat them by adopting those decisions that are necessary for the adequate provision of the service.


For the execution of the services derived from the fulfillment of the object of this order, the client responsible for the treatment has made available to the entity SISTEPLANT, in charge of the treatment, the information described in the particular conditions, or in the accepted budget, without this description being exhaustive or excluding other related documents.


The client, as responsible for treatment, in addition to those established in the data protection regulations, corresponds to at least the following obligations:

  1. Provide the person in charge with access to the data that are part of their files and / or treatments or deliver them in the way that is appropriate for the correct provision of the service. It will be the client’s obligation to identify the assets that may contain personal data and/or special categories of personal data, so that additional security measures or precautions are applied if required.
  2. Inform in accordance with the regulations the interested persons whose data are subject to treatment and have lawfully obtained their express consent from them or have legitimate and creditable reasons for it.
  3. Have established the legal basis that legitimizes the treatment.
  4. Have simple mechanisms so that interested persons can exercise their rights.
  5. Have risk assessments, with a record of treatments and impact assessments if necessary due to the nature of the data processed.
  6. Have enabled the appropriate security measures to safeguard the data in the transmission of the data to the person in charge.
  7. Appoint a data protection officer in cases where it is mandatory and communicate your identity to the person in charge.


SISTEPLANT undertakes to  comply with the provisions of European and Spanish data protection regulations and undertakes to: INSTRUCTIONS FOR USE AND COMMUNICATION OF DATA

  • SISTEPLANT will use the personal data subject to processing, or those collected for inclusion, only for the purpose of this order. In no case may you use the data for your own purposes.
  • It will process the data in accordance with the instructions of the controller. If SISTEPLANT considers that any of the instructions infringes EU Regulation 2016/679D, the LOPD or any other data protection provision of the Union or the Member States, it will immediately inform the person responsible.
  • SISTEPLANT undertakes not to copy or reproduce the information provided by the data controller except when its treatment is necessary for the purposes provided in the contract.
  • SISTEPLANT will not communicate the data to third parties, unless it has the express authorization of the person responsible for the treatment, or in the cases provided for by law. The assignment to subcontracted third parties is regulated in another section of this same document.
  • SISTEPLANT will keep the personal data processed secret indefinitely. This obligation continues after the end of the contract. SECURITY MEASURES.

SISTEPLANT has adopted the appropriate security measures to safeguard the integrity of the personal data to which it has access for the provision of the service, and to prevent its alteration, loss, unauthorized access. In the same way, the measures adopted guarantee the confidentiality, integrity and availability of the information, as well as the permanent resilience of the treatment systems in case of physical or technical incident.

SISTEPLANT is in the process of implementing in your organization an information security management system, based on the UNE-EN-ISO 27001 standard.

The mode of provision of SISTEPLANT services will determine the  security measures that are applicable as well as the person responsible for their establishment and maintenance. The services can be provided in different modalities:

  • IN SITU AT THE CLIENT’S FACILITIES: In this modality it is the client as Responsible for the  treatments who must have the appropriate security measures to guarantee the integrity, availability and confidentiality of the information. The technical staff of SISTEPLANT displaced will be a  user, more of the system that will have attributed a certain profile, and to which must be provided, prior to any intervention, the information on the existing security measures, in order to respect and apply them
  • TELEMATIC MODE ON THE CLIENT’S ASSETS: In this modality, the services are provided remotely by accessing the technical staff through the network to the assets and computer systems located in the client’s facilities or to systems in the cloud, under their responsibility. It will be the client who is obliged to establish and maintain the appropriate security measures to safeguard the information, and SISTEPLANT staff must  make such access through secure procedures, being recorded of them.
  • IN THE ASSETS OF SISTEPLANT : When the service is provided in the facilities themselves or with the assets of SISTEPLANT, it will be SISTEPLANT who must establish the security measures. PERSONNEL

The number of people who depend on SISTEPLANT, which processes the personal data of the person in charge is limited and known. There is an updated list of profiles with access, which are always essential to comply with the purpose of the contract.

All SISTEPLANT staff receive periodic training on confidentiality and data protection, know the applicable regulations, their obligations in the matter and the consequences of non-compliance with the law. REGISTRATION OF PROCESSING ACTIVITIES

SISTEPLANT, keeps in writing, a record of all categories of processing activities carried out on behalf of the controller, and this contains:

  • The name and contact details of the processor and of each controller on behalf of whom the processor acts and, where applicable, of the representative of the controller or processor and the data protection officer.
  • The categories of processing carried out on behalf of each controller.
  • Where applicable, transfers of personal data to a third country or international organisation, including the identification thereof and, in  the case of transfers referred to in the second subparagraph of Article 49 paragraph 1 of the GDPR, documentation of appropriate safeguards.


SISTEPLANT may communicate the data to other data processors of the same controller, in accordance with their instructions. In this case, the person in charge will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied to proceed with the communication.

If SISTEPLANT must transfer personal data to a third country or to an international organization, under the Union or Member State law applicable to it, it will inform the person responsible for that legal requirement in advance, unless such law prohibits it for important reasons of public interest.


The customer allows the subcontracting of the services that are part of the object of this contract – Some of which involve the processing of personal data, especially the hiring of trainers.

The subcontractor, who will also have the status of data processor, is also obliged to comply with the obligations established in this document for SISTEPLANT as data  processor and the instructions issued by the data controller. It corresponds  to SISTEPLANT as initial manager, to regulate the new  relationship so that the new person in charge is subject to the same conditions (instructions, obligations, security measures …) and with the same formal requirements as him, in relation to the proper processing of personal data and the guarantee of the rights of the affected persons. In the event of non-compliance by  the sub-processor, SISTEPLANT as the  initial processor will remain fully liable to the person in charge.


SISTEPLANT, undertakes to assist the data controller in responding to the exercise of the rights of:

  • Access, rectification, deletion and opposition
  • Restriction of processing
  • Data portability
  • Not be subject to automated individualized decisions (including profiling)

When the affected persons exercise the rights of access, rectification, deletion and opposition, limitation of treatment, portability of data and not to be subject to automated individualized decisions, before SISTEPLANT, it must communicate it by email to the usual address of the person in charge. The communication will be made immediately and in no case beyond the working day following the receipt of the request, together, where appropriate, with other information that may be relevant to resolve the request.


SISTEPLANT as the person in charge of the treatment will notify the  person responsible for the treatment, without undue delay, and in any case before the maximum period of 72 hours, and through EMAIL, the breaches of the security of the personal data in its charge of which it has knowledge, together with all the relevant information for the documentation and communication of the incident.

Notification shall not be required where such a breach of security is unlikely to constitute a risk to the rights and freedoms of natural persons.

If available, at least the following information shall be provided:

  1. Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
  2. The name and contact details of the data protection officer or other contact point where further information can be obtained.
  3. Description of the possible consequences of the breach of the security of personal data.
  4. Description of the measures taken or proposed to remedy the personal data breach, including, where appropriate, the measures taken to mitigate possible negative effects.

If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided gradually without undue delay.

The person responsible for the treatment will be the one who must make the communications to the Data Protection Agency or to the interested persons .


SISTEPLANT is committed to

  • Support the controller in carrying out data protection impact assessments, where appropriate.
  • Support the data controller in carrying out prior consultations with the supervisory authority, where appropriate.
  • Make available to the data controller all the information necessary to demonstrate compliance with its obligations, as well as to carry out audits or inspections carried out by the controller or another auditor authorized by it.
  • Designate a data protection officer and communicate their identity and contact details to the controller. This obligation will only exist in the cases established in the regulations.


Once the service has been completed, in accordance with the provisions of the contract, SISTEPLANT at the choice of the data controller will proceed to

  • Return to the person responsible for the treatment the personal data and, if applicable, the supports where they appear. The return will entail the total deletion of the existing data in the computer equipment used by the person in charge
  • Deliver to another person in charge who designates in writing the person responsible for the treatment, the personal data and, if applicable, the supports where they appear. The return must entail the total deletion of the existing data on the computer equipment used by the processor.
  • Destroy the data, once the service has been fulfilled. Once destroyed, the processor must certify their destruction in writing and must deliver the certificate to the controller. However, SISTEPLANT may keep a copy, with the data duly blocked, as long as responsibilities can be derived from the execution of the service.

Last updated: March 16,  2023