Privacy policy

DATA PROTECTION POLICY OF SAMOVING, S.L.

1. General information

At Samoving, S.L. we are committed to complying with the applicable data protection regulations and with the best market practices in this respect, both nationally and internationally. That is why we have created this Data Protection Policy which, in compliance with (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data; and (ii) Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights, informs you about how we process your Personal Data, our purposes and the rights that you can exercise at any time.

Samoving is the owner of the ScrapAd platform, a global marketplace for the sale and purchase of recyclable material. ScrapAd is a leading platform in the global recycling sector, adapted to current demands, with two main objectives: firstly, to help recyclers to find – to the extent of their possibilities and the confluence of the willingness of third party buyers to acquire such materials – the best purchase or sale counterpart for their materials, in a transparent transaction and a click away; secondly, to reduce as much as possible the waste that ends up in landfills, supporting the circular economy and taking care of the environment.

Any user wishing to open an account on the ScrapAd platform who is interested in marketing raw materials and recovery material via the ScrapAd platform (the “User”) accepts this data protection policy.

2. Data controller.

Your Personal Data will be processed by SAMOVING, S.L., with NIF number B-75.237.651, with registered office in Éibar (Gipuzkoa), calle Iñaki Goenaga, 5-Edificio Tekniker and registered in the Companies Register of Gipuzkoa, Volume 2.944, Folio 57, Page SS-42.586, 1st Entry (hereinafter, “Samoving”), which will act as Data Controller.

Samoving has not appointed a Data Protection Officer, since according to the applicable regulations, such appointment is not necessary taking into account the structure of its company. In any case, Samoving declares that it has a management team that supervises and ensures Samoving’s compliance with all legal provisions on data protection, as well as all data security requirements.

3. Category of Personal Data.

According to the different purposes for which we process your data, and which we identify in this document, we will process your identification and contact data (name and surname, address, country, telephone number and e-mail address), data on the material purchased, as well as bank data, commercial data when the User is a legal entity and financial data (hereinafter, the “Personal Data”).

Personal Data may be provided by sending the file or document containing them or at the time of registration by filling in the forms provided for this purpose on the ScrapAd platform.

The User guarantees that the data provided to Samoving for the provision of the services requested are accurate and that he/she will communicate any changes that affect them, as well as having the consent or any other legitimate basis that allows Samoving to use the User’s data. Consequently, the User shall be liable to Samoving and third parties for any damages caused as a result of the breach of the obligations assumed in this clause.

4. Purpose and Legitimation.

We process your Personal Data for specific purposes and always legitimised in accordance with the provisions of the RGPD. Specifically, depending on the capacity in which you interact with us, we process your data for the following purposes and under the following legitimacy:

A. Creation of a profile on the ScrapAd website and/or platform and application of pre-contractual measures

We process your Personal Data when you create a profile on ScrapAd. We will also process your phone number and/or email address when you call us, send us a message on WhatsApp or Telegram or when we contact you by email. Finally, we process your Personal Data to send you more information about our services, when you request it directly on our website.

B. Our legitimate interest for the provision of services

The buyer’s and seller’s data will be processed to provide the services that allow them to carry out transactions of raw materials and recovery material through the ScrapAd Platform, which, among other activities, involves: (i) your registration as a customer; (ii) processing and responding to your doubts, queries or complaints; (iii) contracting a merchandise verification service; (iv) contracting the transport service; and (v) processing the payment flow with Lemonway.

C. Compliance with legal obligations

Within the scope of our relationship with you, we may need to process your Personal Data in order to comply with legal obligations, from time to time.

In complying with these obligations, Samoving may disclose your data to public authorities and courts, where such information is required in accordance with established legal processes.

5. Communication of Personal Data to Third Parties.

The User expressly authorises the Personal Data to be communicated to Lemonway SAS. Likewise, the User expressly authorises that the identification and contact data (name and surname, address, country, telephone number and email), commercial data when the User is a legal entity and data on the material purchased be communicated to the verification entities and to the logistics operator or operators that will be responsible for loading, transporting, unloading and delivering the goods. In this regard, it is not foreseen that your data will be communicated to persons other than the aforementioned.

Likewise, in the case of international shipments, and in order to comply with the request made by the User, it is essential that Samoving communicates the details of the buyer, the seller and the description of the goods to the customs authorities and the logistics operators who will be responsible for making the delivery.

In this regard, the User is informed that both the customs authorities and the logistics operator may be located in a country whose data protection regulations have not been declared adequate by the European Commission and/or may not provide adequate guarantees for data processing. You can consult the List of Countries whose data protection regulations provide an adequate level of security on the website of the AEPD and the European Commission. We also inform you that such international transfer of data is legitimised as being necessary to provide the service by the sender, in accordance with article 49.1.b) of the RGPD.

6. Obligations

Samoving and all its staff are obliged to:

1. To use the Personal Data undergoing processing only for the purpose of this order. Under no circumstances may it use the Personal Data for its own purposes.

2. Process the Personal Data in accordance with the User’s instructions.
If Samoving considers that any of the instructions infringes the regulations in force regarding the protection of Personal Data, it will immediately inform the User of this fact.


3. To keep, in writing, a record of all categories of processing activities carried out on behalf of the User, containing:

a. Where applicable, transfers of Personal Data to a third country or international organisation, including the identification of such third country or international organisation and, in the case of transfers referred to in Article 49(1), second subparagraph of the GDPR, documentation of appropriate safeguards.

b. A general description of the technical and organisational security measures relating to:

i. Pseudonymisation and encryption of Personal Data where necessary.

ii. The ability to ensure the continuing confidentiality, integrity, availability and resilience of processing systems and services.

iii. The ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.

iv .The process of regular verification, evaluation and assessment of the effectiveness of the technical and organisational measures to ensure the security of the processing.

4. Not to communicate the Personal Data to third parties, except with the express authorisation of the User of the processing, in the legally admissible cases and except as indicated in the following section.
Samoving may communicate the Personal Data to other data processors of the same User, in accordance with the User’s instructions. In this case, the User shall identify, in advance and in writing, the entity to which the Personal Data are to be disclosed, the Personal Data to be disclosed, and the security measures to be applied to proceed with the disclosure.
If Samoving must transfer Personal Data to a third country or to an international organisation, under the law of the Union or of the Member States applicable to it, it will inform the User of this legal requirement in advance, unless such law prohibits it for important reasons of public interest.

5. Not to subcontract any of the services that form part of the object of the services provided by Samoving that involve the processing of Personal Data, except with financial institutions, verifiers and the logistics operator or operators that will be responsible for carrying out the loading, transport, unloading and delivery of the goods, subcontracting which is expressly authorised at this time.
Should it be necessary to subcontract any additional processing in addition to the above, the User must be given prior written notice of this fact three working days in advance, indicating the processing to be subcontracted and identifying the subcontracting company and its contact details. The subcontracting may be carried out if the User does not express his/her opposition within the established period.
The subcontractor, who shall have the status of data processor, shall also be obliged to comply with the obligations established in this Data Protection Policy for Samoving and the instructions issued by the User. It is Samoving’s responsibility to regulate the new relationship in such a way that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and the same formal requirements as Samoving, with regard to the proper processing of the Personal Data and the guarantee of the rights of the data subjects. In the event of non-compliance by the sub-processor, Samoving shall remain fully liable to the User with regard to the fulfilment of the obligations.

6. Maintain the duty of secrecy with respect to the Personal Data to which it has had access by virtue of this assignment, even after the end of its purpose.

7.To ensure that the persons authorised to process Personal Data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.

8. Keep at the User’s disposal the documentation accrediting compliance with the obligation established in the previous section.

9. Guarantee the necessary training in personal data protection for the persons authorised to process personal data.

10. Assist the User in responding to the exercise of the rights of:

a. Access, rectification, deletion and opposition

b. Limitation of processing

c. Data portability

d. Not to be subject to automated individualised decisions (including profiling).
When the data subjects exercise their rights of access, rectification, erasure and objection, limitation of processing, data portability and the right not to be subject to automated individualised decisions, the Data Controller must communicate this by e-mail to the address indicated by the User. The communication must be made immediately and in no case later than the working day following receipt of the request, together, where appropriate, with other information that may be relevant to resolve the request.

11. Samoving will notify the User, without undue delay, and in any case within a maximum period of two working days, and via email, of the security breaches of the Personal Data under its care of which it becomes aware, along with all relevant information for the documentation and communication of the incident.
Notification shall not be required where such a breach of security is unlikely to constitute a risk to the rights and freedoms of data subjects.
If available, at least the following information shall be provided:

a. Description of the nature of the Personal Data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of Personal Data records affected.

b. Description of the possible consequences of the Personal Data breach.

c. Description of the measures taken or proposed to be taken to remedy the Personal Data breach, including, if applicable, measures taken to mitigate the possible negative effects.

If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided in a phased manner without undue delay.

12. Support the User in carrying out data protection impact assessments, where appropriate.

13. Support the User in carrying out prior consultations with the supervisory authority, where appropriate.

14. Make available to the User all information necessary to demonstrate compliance with its obligations, as well as for audits or inspections carried out by the User or another auditor authorised by the User.

15. Implement at least the following security measures to:

a. Ensure the continued confidentiality, integrity, availability and resilience of processing systems and services.

b. Restore availability and access to Personal Data promptly in the event of a physical or technical incident.

c. Regularly verify, evaluate and assess the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.

d. Pseudonymise and encrypt the Personal Data, where appropriate.

7. Retention.

The Personal Data of the sender and recipient will be kept for as long as they are necessary for the development of the contractual relationship. Once this period has elapsed, the data will be deleted in accordance with the provisions of the data protection regulations, which implies its blocking, being available only at the request of Judges and courts, the Public Prosecutor’s Office or the competent Public Administrations during the period of limitation of the actions that may derive from it in order to be subsequently deleted. The limitation periods vary depending on the type of service; for exemplary purposes, in general, the limitation period for most personal civil actions is 5 years, as established in article 1964, section two of the Civil Code.

8. Rights.

Our data protection regulations give you a series of rights in relation to the data processing involved in our services, which can be summarised as follows:

– Right of access: To know what type of data we are processing and the characteristics of the processing we are carrying out.

– Right of rectification: To be able to request the modification of your data if they are inaccurate or untrue.

– Right to portability: To be able to obtain a copy in an interoperable format of the data being processed.

– Right to limitation of processing in the cases set out in the Law.

– Right to erasure: To request the erasure of your data when the processing is no longer necessary.

– Right of opposition: To request the cessation of the sending of commercial communications in the terms indicated above.

– Right to revoke the consent given.

You may exercise your rights through any of the following channels, indicating the right to be exercised and enclosing a copy of your National Identity Card or equivalent document, as well as any other documentation you consider appropriate:

a) Postal address:

Éibar (Gipuzkoa), calle Iñaki Goenaga, 5-Edificio Tekniker.

b) E-mail address:

info@scrapad.com

On the website of the Spanish Data Protection Agency (AEPD) you can find a series of models that will help you to exercise your rights. We also inform you that you have the right to lodge a complaint with the supervisory authority (in Spain, the AEPD) in the event that you consider your rights have been infringed.