If you have registered on the Website using your email address, the data you provide includes:

• Personal identification and personal characteristics data: first name, surname(s), telephone number, email address, date of birth, postal code, third-party account identifiers (Google ID or Apple ID), and supplementary information for applications to join the employment pool or other corporate requests addressed to the Club.

The data provided through forms marked as mandatory must be supplied in order to enable the Website’s core functionalities. Failure to provide such data will prevent the application from delivering its basic functionalities to the user.

Additionally, for certain interactive functionalities of the Website or other tools within RCDE’s digital ecosystem, we may process data derived from such interactions, including messages, enquiries, comments, content entered by the user in chats or virtual assistants, username or alias, avatar, date and time of publication or interaction, associated audiovisual content, and technical information necessary to ensure the provision of the service.

Likewise, we may collect data through the use of cookies on the Website (and/or similar technologies), meaning that, depending on your settings, RCDE may collect and process personal data.

The information collected includes:

• Limited personal information and anonymous aggregate statistics concerning all users who visit our websites, including the Internet Protocol (IP) address of the device being used, browser type, operating system, date and time of access, the referring website address from which you accessed our websites, and information regarding how you use our websites, device battery status, available storage space, device language, and similar information.

For more information regarding the use and configuration of cookies and/or similar technologies, please consult our Cookie Policy.

Your personal data will be processed for the following purposes:

1. Provision of Services and Sale of Products
   Your data will be processed to provide the service consisting of the purchase and sale of products and the contracting of services offered through the Website. This processing includes, by way of example and without limitation, managing contracted services, processing orders, delivering them to the specified address, handling returns, and informing you about the status of or any issues relating to your order or shipment.
   Legal basis: performance of a contract to which you are a party or implementation of pre-contractual measures at your request (Article 6(1)(b) GDPR).

2. Management of Membership as a Club Member (“Socio”)
   If you wish to create a Club member account (“socio”), we will process your data to manage your application, provide access to members’ content, and enable the rights and benefits available to Club members. This includes managing your member account as part of the Club’s digital services (single sign-on).
   Legal basis: performance of a contract or pre-contractual measures (Article 6(1)(b) GDPR).

3. Management of Registered User Accounts
   If you wish to create a registered user account, we will process your data to manage your registration request and provide access to content and functionalities available to registered users. This includes managing your account as part of the Club’s digital services (single sign-on).
   Legal basis: performance of a contract or pre-contractual measures (Article 6(1)(b) GDPR).

4. Complaints and Incident Management
   To manage and respond to complaints, requests, suggestions, and potential incidents, including sending non-commercial information related to contractual services when appropriate.
   Legal basis: performance of a contract or pre-contractual measures (Article 6(1)(b) GDPR).

5. Marketing Communications Based on Consent
   Where you have provided consent, RCDE may send commercial communications by electronic means (email, SMS, or push notifications) concerning RCDE products and services, including discounts, news, upcoming launches, invitations to events or competitions, surveys, and products or services offered by RCDE partners in connection with exclusive promotions for users. This processing does not involve profiling or disclosure of your personal data to third parties.
   Legal basis: consent (Article 6(1)(a) GDPR).

6. Video Surveillance
   To protect the safety of individuals, property, and Club facilities through video surveillance systems.
   Legal basis: performance of a task carried out in the public interest (Article 6(1)(e) GDPR), in accordance with Spanish Private Security Law 5/2014 of 4 April.

7. Compliance with Legal Obligations
   In certain circumstances, your personal data may be disclosed to third parties in order to comply with legal obligations or judicial decisions, including competent authorities, courts, tribunals, and other entities legally authorised under applicable regulations.
   Legal basis: compliance with legal obligations (Article 6(1)(c) GDPR).

8. Marketing Communications Based on Legitimate Interest
   To the extent permitted by applicable law and provided that you have not objected, we may use your data to send commercial and promotional communications by email or SMS regarding products and services similar to those purchased or contracted from the Club within the previous year. This processing does not involve disclosure of personal data to third parties or profiling activities.
   Legal basis: RCDE’s legitimate interest (Article 6(1)(f) GDPR), provided such interest does not override your rights and fundamental freedoms. Where communications are sent by email, SMS, or equivalent electronic means, RCDE relies on the exemption set out in Article 21.2 of Spanish Law 34/2002 on Information Society Services (LSSI).

9. Personalised Commercial Offers
   Where you have provided your consent, your personal data will be processed to assess which products or services may be best suited to your profile and commercial circumstances, enabling us to present commercial offers tailored to your needs and preferences. This processing does not involve sending marketing communications or disclosing personal data to third parties. In particular, transactional data obtained through the Club’s various digital channels will be analysed in order to identify historical and temporal behavioural patterns, allowing a better understanding of your interests and consumption habits.
   Legal basis: consent (Article 6(1)(a) GDPR).

10. Statistical Analysis and Service Improvement
    Depending on your cookie settings, we will process your information to conduct collective and anonymous statistical analyses aimed at understanding how the Website operates and improving the development and personalisation of our services.
    Legal basis: consent (Article 6(1)(a) GDPR).

11. Website Security
    Your information will be processed to ensure the security of the Website and to prevent and detect potential security incidents and fraudulent activities.
    Legal basis: RCDE’s legitimate interest in ensuring and improving the security of its products and services (Article 6(1)(f) GDPR), provided such interest does not override your rights and fundamental freedoms.

12. Artificial Intelligence Virtual Assistants
    To manage automated responses to enquiries submitted through artificial intelligence-based virtual assistants, providing guidance regarding RCDE content, services, and official communication channels. This processing does not involve automated decision-making or profiling.
    Legal basis: performance of a contract or implementation of pre-contractual measures (Article 6(1)(b) GDPR).

13. Live Chat and Comment Functions
    To manage participation in live chat features and comments associated with audiovisual content, subject to moderation procedures intended to prevent unlawful, abusive, or otherwise prohibited uses. This processing does not involve automated decision-making or profiling.
    Legal basis: performance of a contract or implementation of pre-contractual measures (Article 6(1)(b) GDPR). Processing begins when the user accepts and uses the live chat functionality.

Where consent has been obtained, your personal data may be subject to profiling as described in Section 3 above. Your data will be analysed for the purpose of creating a profile of your interests and preferences in order to personalise the commercial and promotional communications that you have agreed to receive.

Such profiling may combine:

• Information provided during user registration.
• Information obtained through cookies for which consent has been granted.
• Transactional data collected through the Club’s digital channels.
• Historical and behavioural patterns derived from user activity.

The creation of these profiles will not produce legal effects concerning the user nor similarly significantly affect them. Their sole purpose is to influence the type of commercial and promotional communications that are sent. You may withdraw your consent for this processing at any time.

But nevertheless, notwithstanding the foregoing, certain functionalities of the Website or RCDE’s digital ecosystem, such as virtual assistants and chat or comment moderation systems, may incorporate automated mechanisms to generate responses, filter content, prevent abuse, or ensure service security. These mechanisms are not intended to create commercial profiles of users nor to make decisions based solely on automated processing that produce legal effects concerning users or similarly significantly affect them.

RCDE will process your personal data for the period necessary to fulfil the purposes set out in this Privacy Policy and to retain your information in compliance with applicable legal and regulatory requirements.

The criteria used to determine retention periods include:

• a) The purpose for which the data was collected and the time required to fulfil that purpose (for example, while the relationship with the user remains active).
• b) The reasons why the data was collected (for example, where processing is based on consent, consent may be withdrawn at any time).
• c) Mandatory retention periods established by contractual obligations or legal requirements.

As a general rule, the Club will process personal data while the commercial and/or contractual relationship remains in force.

However, for each specific processing purpose, the information provided at the time of collection will indicate the applicable retention period, including those established by law for activities such as video surveillance or internal whistleblowing procedures. With regard to chat functionalities, published messages and comments may remain visible while the audiovisual content with which they are associated remains available on the Platform, unless they are removed by RCDE, at the request of the user, or for any other reason provided for under applicable terms and conditions or current legislation.

Please note that, in certain circumstances, we may retain your data beyond the periods described above where necessary for the establishment, exercise, or defence of legal claims, liabilities, obligations, or legal requirements.

During such periods, the data will remain duly restricted and protected. Once the applicable statutory limitation periods have expired, personal data will be permanently deleted.

Your personal data will not be disclosed to third parties without your express consent.

However, depending on the purposes for which personal information is collected, the following recipients may have access to it:

• Public authorities and regulatory bodies.
• Courts and tribunals.
• Law enforcement agencies.

Such disclosures will occur where required by law or pursuant to a valid legal request.

Certain third-party providers may access personal data as data processors in order to provide services to RCDE related to the purposes described in this Privacy Policy. These providers may include, among others:

• Technology service providers.
• Legal advisers.
• Marketing agencies.
• Professional consultancy firms.
• IT service providers.
• Other operational support providers.

These providers will only process personal data on behalf of RCDE, subject to confidentiality obligations and strictly in accordance with RCDE’s instructions. They may not use the data for their own purposes or for any unauthorised purpose.

Some providers may process or store personal information on servers located outside the user’s country of residence. Detailed information regarding such providers and international transfers may be requested by contacting: dpd@rcdespanyol.com

Depending on the user’s location, personal data may be transferred outside the European Economic Area (EEA), provided RCDE is authorised to do so and appropriate safeguards under Articles 44–50 GDPR are implemented. Such safeguards may include:

• i. Adequacy Decisions: European Commission decisions recognising that a third country provides an adequate level of data protection.
• ii. Binding Corporate Rules (BCRs): Internal data protection policies approved for multinational corporate groups.
• iii. Standard Contractual Clauses (SCCs): Contractual mechanisms approved by the European Commission governing international transfers.
• iv. Codes of Conduct and Certification Mechanisms: Approved compliance frameworks supported by binding commitments from the data recipient.

Where none of the above safeguards apply, transfers may occur only in exceptional circumstances permitted under applicable data protection legislation. RCDE applies the following order of preference:

• Adequacy Decisions.
• Binding Corporate Rules.
• Standard Contractual Clauses.
• Other GDPR-recognised safeguards.

You have the following rights:

Right of Access: To obtain confirmation as to whether your personal data is being processed and to access such data.

Right to Rectification: To request correction of inaccurate data or completion of incomplete data.

Right to Erasure: To request deletion of all or part of your personal data. However, where a contractual or commercial relationship remains active, certain data must continue to be processed in order to fulfil contractual obligations.

Right to Restriction of Processing: To request that data be retained solely for the establishment, exercise, or defence of legal claims.

Right to Object: To object to processing based on:

• Consent.
• Legitimate interests.

In such cases, RCDE will cease processing unless compelling legitimate grounds exist or processing remains necessary for legal claims. Where processing is based on legitimate interests, users may request a copy of the balancing assessment carried out by RCDE. Users may also register with advertising opt-out mechanisms where available.

Right to Data Portability: To receive personal data in a structured, commonly used, machine-readable format and request its transmission to another controller where technically feasible.

Right Not to Be Subject to Solely Automated Decisions: Not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant consequences. RCDE confirms that any automated systems used:

• Do not produce significant legal effects; or
• Do not operate exclusively through automated decision-making.

Withdrawal of Consent: Any consent granted may be withdrawn at any time without retroactive effect.

Complaints to the Supervisory Authority: Users may lodge a complaint with the Spanish Data Protection Agency (AEPD).

Exercising Your Rights: Requests may be sent to: dpd@rcdespanyol.com or by post to the address indicated in Section 1 of this Privacy Policy.

We will only use your personal data in accordance with the Privacy Policy in force at the time your data is collected. RCDE reserves the right to amend this Privacy Policy at any time by publishing the relevant changes on the Website. Should any provision of this Privacy Policy be declared invalid or unenforceable, the remaining provisions shall remain fully valid and effective in accordance with applicable law.

Our services are intended exclusively for individuals over the age of 14. Accordingly, we do not knowingly collect information from children under the age of 14, except where such information is provided by their parents or legal guardians. If we become aware that a user is under 14 years of age, we may block and/or delete any personal data provided by that user.

However, in certain limited circumstances, particularly in connection with promotional activities, personal data relating to minors may be processed. In such cases, parental or guardian consent will be required where the child has not reached the age of 14.

If you are a minor and are unsure about anything explained in this Privacy Policy, please seek assistance from your parents or legal guardians.

RCDE does not request or seek to process personal data revealing:

• Racial or ethnic origin.
• Political opinions.
• Religious or philosophical beliefs.
• Trade union membership.
• Genetic data.
• Biometric data used for unique identification.
• Health-related data.
• Data concerning sex life or sexual orientation.

Users should not provide such information through forms, chats, comments, virtual assistants, or other interactive channels.

Should a user voluntarily provide such information, RCDE will only process it to the extent strictly necessary for:

• Removing such data.
• Moderating content.
• Responding to requests.
• Complying with legal obligations.
• Defending legal rights or legitimate interests.

In certain circumstances, users may create an RCDE member account through federated authentication services (“Social Login”) without completing all registration form fields. This may be done by selecting the logo of an identity provider such as Google or Apple. In such cases, the social network or identity provider may share the following profile information with RCDE:

• First name.
• Surname(s).
• Email address.

This information will be used solely for the creation of the member account. During registration, users will be redirected to the relevant authentication service, which will verify credentials and return the required information to RCDE.

The personal data obtained through these systems will be processed together with information generated through the use of the member account in accordance with the purposes disclosed during registration. These systems also allow users to configure privacy preferences and restrict certain data-sharing activities. For further information, users should consult the privacy policies of the relevant providers.

The Website may contain links to third-party websites that we consider potentially useful or informative. However, RCDE does not necessarily endorse or recommend the content, services, or privacy practices of such websites and accepts no responsibility for them. Users are encouraged to review the privacy policies of all websites they visit.

This Privacy Policy applies exclusively to personal data collected and processed directly by RCDE through the Website.