1. Data Controller

The controller responsible for the processing of personal data collected through this website is:

BUFET VALLÈS ARBÓS SCP

VIA LAIETANA STREET, 40 – FLOOR 1, OFFICE 1, Spain

Website: https://bufet-valles.com

‒ Email: valles@bufetvalles.com

‒ Telephone number: +34 932 682 554

For any matter related to the processing of your personal data, you may contact the controller through the email address indicated above.

2. Purpose of this Policy

The purpose of this Privacy Policy is to inform website users about how their personal data is processed, in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation), Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights, and other applicable regulations.

This policy applies to the processing of personal data resulting from browsing the website, sending communications or enquiries, requesting information, the possible engagement of professional services, and the submission of résumés or job applications.

3. Personal Data That May Be Processed

Depending on your relationship with the controller and the way you use the website, the following categories of data may be processed:

  • Identification data: first name, surname(s) and, where applicable, identification document details.
  • Contact data: email address, telephone number, postal address or other communication channels provided by the data subject.
  • Professional or employment data: company, position, professional activity or information contained in professional communications.
  • Data voluntarily included in enquiries, communications, emails or documentation submitted to the firm.
  • Recruitment-related data: curriculum vitae, professional experience, education, language skills, cover letter and any other information provided by the candidate.
  • Browsing and technical information: IP address, online identifiers, device information, browser details, date and time of access, pages visited and information derived from the use of cookies or similar technologies.
  • Data necessary for managing a potential professional or contractual relationship.

Within the context of legal services, enquiries or documentation submitted by the data subject may contain special categories of personal data or sensitive information. For this reason, users are advised not to send particularly sensitive data, confidential documentation or third-party information through unsecured channels unless necessary and prior instructions have been provided by the firm.

4. Purposes of Processing, Legal Bases and Retention Periods

Personal data will be processed for the following purposes:

Enquiries and Information Requests

Purpose: To respond to enquiries, requests for information, communications received and requests submitted through the website, email or telephone.

Legal basis: The controller’s legitimate interest in responding to communications received. Where the enquiry is related to a potential engagement of services, the implementation of pre-contractual measures.

Retention period: For the time necessary to manage the enquiry and, where no professional relationship arises, for the period required to demonstrate its management and address any potential liabilities.

Management of Potential Professional Engagements

Purpose: To assess the feasibility of providing legal services, manage requests for legal advice, prepare quotations or professional proposals, and maintain communications prior to engagement.

Legal basis: Implementation of pre-contractual measures requested by the data subject and the legitimate interest in the professional management of requests received.

Retention period: For the time necessary to manage the request and subsequently blocked for the legally applicable liability periods.

Provision of Legal Services

Purpose: To manage the professional relationship with clients, provide legal advice, defence, representation or legal consultancy services, manage files, communications, invoicing and professional obligations.

Legal basis: Performance of the contractual or professional relationship. Compliance with applicable legal obligations. Legitimate interest in the management and protection of professional interests. Where special categories of data are processed, such processing may be based on the establishment, exercise or defence of legal claims.

Retention period: For the duration of the professional relationship and subsequently for the legal, ethical and liability periods applicable.

Receipt and Management of CVs

Purpose: To manage unsolicited applications or current and future recruitment processes of the firm.

Legal basis: Implementation of pre-contractual measures where the application is submitted for a specific recruitment process. Consent of the candidate where the CV is retained for future recruitment opportunities.

Retention period: For the duration of the relevant recruitment process. For future opportunities, for a recommended maximum period of 1 year, unless the candidate authorises a different period or requests deletion beforehand.

6. Mandatory or Optional Nature of the Data

The data requested in each case will be those necessary to manage the corresponding purpose. Refusal to provide the essential data may prevent the handling of the enquiry, the management of the request, the assessment of an application or the provision of the requested professional services.

The data subject undertakes to provide truthful, accurate, complete and up-to-date information and shall be liable for any damages that may arise as a consequence of communicating inaccurate, incomplete or outdated data.

7. Recipients of the Data

Personal data will not be sold or disclosed to third parties for commercial purposes.

However, where necessary, the data may be disclosed or made accessible to the following categories of recipients:

  • Technology service providers, web hosting providers, IT maintenance providers, email services, security providers, document management providers or other services necessary for the operation of the website and the professional activity.
  • Professional collaborators, court representatives (procuradores), experts, notaries, registries, public administrations, courts, tribunals or other legal operators when necessary for the provision of legal services or compliance with legal obligations.
  • Banking institutions, tax advisers, accountants or administrative advisers when necessary for the financial, accounting or tax management of the professional relationship.
  • Public authorities, supervisory bodies or duly authorised third parties when there is a legal obligation or when necessary for the exercise or defence of rights or legal claims.

Where service providers access personal data on behalf of the controller, they shall do so as data processors and in accordance with the corresponding data processing agreement.

8. International Data Transfers

As a general rule, no international transfers of personal data outside the European Economic Area are foreseen as a direct result of the ordinary use of the website, except where the use of certain technology providers or third-party services may involve international access to or processing of data.

Should international data transfers occur, they shall be carried out in accordance with the safeguards provided for by applicable legislation, such as adequacy decisions, Standard Contractual Clauses approved by the European Commission or other legally valid mechanisms.

Specific information regarding cookies or third-party services is available in the Cookie Policy.

9. Automated Decision-Making and Profiling

No decisions will be made solely on the basis of automated processing that produce legal effects concerning data subjects or similarly significantly affect them.

If the website uses analytical, statistical, advertising or third-party cookies that may involve profiling activities, such processing shall only be carried out where the user has given consent, in accordance with the Cookie Policy and the relevant configuration panel.

10. Rights of Data Subjects

Data subjects may exercise the following rights:

  • Right of access: to obtain confirmation as to whether personal data concerning them is being processed and to access such information.
  • Right to rectification: to request the correction of inaccurate or incomplete data.
  • Right to erasure: to request the deletion of data where, among other reasons, it is no longer necessary for the purposes for which it was collected.
  • Right to object: to object to the processing of personal data in certain circumstances.
  • Right to restriction of processing: to request that the processing of personal data be restricted in cases provided for by law.
  • Right to data portability: to receive personal data in a structured, commonly used and machine-readable format where applicable.
  • Right to withdraw consent: to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise these rights, data subjects may send a written request to: valles@bufetvalles.com

The request must specify the right being exercised and allow the identity of the applicant to be verified where necessary.

Likewise, if you consider that the processing of your personal data does not comply with the applicable regulations, you may lodge a complaint with the Spanish Data Protection Agency through its website: www.aepd.es.

11. Confidentiality and Professional Secrecy

The controller shall process personal data with the utmost confidentiality and shall implement the appropriate technical and organisational measures to ensure its security.

Where personal data is processed within the framework of legal services, it shall be subject to the duties of confidentiality and professional secrecy applicable to the legal profession, without prejudice to any communications that may be necessary for the proper provision of the service, compliance with legal obligations, or the exercise and defence of legitimate rights and interests.

12. Information Security

The controller applies appropriate technical and organisational measures to protect personal data against destruction, loss, alteration, unauthorised access, or accidental or unlawful disclosure.

However, no information system or data transmission over the Internet can guarantee absolute security. For this reason, users are advised to avoid sending particularly sensitive or confidential documentation through unsecured channels unless it is strictly necessary or appropriate safeguards have been implemented.

13. Minors

This website is not specifically directed at minors. Should a minor wish to submit an enquiry or provide personal data, they must have the authorisation of their legal representatives whenever such authorisation is required by law.

14. Links to Third-Party Websites

This website may contain links to third-party websites. The controller accepts no responsibility for the privacy policies, content or practices of such third parties. Users are encouraged to review the privacy policies of any external websites they access.

15. Cookie Policy

This website uses cookies and similar technologies. Users may obtain detailed information regarding the cookies used, their purposes, the third parties involved, retention periods and the means of configuring or withdrawing consent through the Cookie Policy available on the website.

16. Amendments to the Privacy Policy

The controller reserves the right to amend this Privacy Policy in order to adapt it to legislative developments, guidance from supervisory authorities, case law developments, technical modifications to the website or changes in the data processing activities carried out.

Where the amendments are substantial, the relevant information shall be provided to data subjects through appropriate means to ensure they are properly informed.

Last updated: 28/05/2026