1. Data Controller

DEBRA Spain
Tax ID (NIF): G-29617347
Address: C/ Jacinto Benavente 12, 29601 Marbella (Málaga), Spain
Phone: +34 952 816 434
Email: [email protected]

Data Protection Officer (DPO): Datainfo Consultores Y Asesores, S.L. [email protected]

2. Purposes and Legal Bases for Processing

We process personal data for the following purposes and legal bases:

• Management of members, donors, collaborators, and benefactors
  • Legal basis: performance of the associative relationship and compliance with legal obligations (tax and accounting).
• Communication and information about Epidermolysis Bullosa, our activities, and charitable campaigns
  • Legal basis: explicit consent of the data subject.
• Compliance with legal obligations (tax, labor, healthcare, volunteer insurance, etc.)
  • Legal basis: legal obligation applicable to the Association.
• Sending automated communications related to the Association (e.g., welcome emails upon becoming a member, thank-you messages for donations or participation, periodic newsletters with information about EB and our activities, reminders of campaigns and events), always based on your consent or on the relationship you maintain with the Association. Each communication will include a simple and free option to unsubscribe.
  • Legal basis: explicit consent of the data subject and, in certain cases, the legitimate interest of the Association in keeping you informed about your relationship with DEBRA Spain.

3. Categories of Data Processed

• Identification data: first name, last name, address, phone number, email, date of birth, nationality, Tax ID/passport.
• Economic and financial data: bank account number for donations, payments, or refunds.

4. Data Retention

Personal data will be retained:

• For the duration of the relationship with the Association and subsequently for the legally established limitation periods (e.g., 10 years for tax obligations).
• In the case of commercial or informational communications, until you withdraw your consent.
• Health data will be retained only for the time strictly necessary to provide the requested care and comply with legal or healthcare obligations.

5. Data Recipients

Your data will not be disclosed to third parties except where required by law (e.g., Tax Agency, Social Security, courts and tribunals).

When it is necessary to use service providers (e.g., web hosting, newsletter distribution, cloud-based management tools), they will act as data processors and always under a contract that guarantees the confidentiality and security of the information.

An international data transfer may occur if providers are located outside the European Economic Area. In such cases, DEBRA Spain will ensure that the European Commission’s Standard Contractual Clauses or other adequacy mechanisms required by the GDPR are applied.

6. Security Measures

DEBRA Spain implements technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or improper disclosure. These include:

• Encryption of devices and communications.
• Restricted access only to authorized personnel.
• Confidentiality protocols and specific training for employees and volunteers.
• Backups and contingency plans.

7. Data of Minors

If data of minors under 14 years of age are processed, the consent of their parents or legal guardians will be required. No data of minors will be collected without this explicit authorization.

8. Data Subjects’ Rights

You may exercise the following rights at any time:

• Access: to know what data we process.
• Rectification: to request the correction of inaccurate data.
• Erasure: to request the deletion of your data when it is no longer necessary.
• Restriction of processing: to request that data be retained only in certain circumstances.
• Objection: to object to processing based on legitimate interest or marketing.
• Data portability: to receive your data in a structured format and transmit it to another controller.
• Withdrawal of consent at any time, without retroactive effects.

To exercise these rights, you may write to [email protected] or to the postal address indicated, enclosing a copy of an identity document.

If you believe that your request has not been properly addressed, you may lodge a complaint with the Spanish Data Protection Agency (AEPD).

9. Contact

For any questions regarding this Privacy Policy, you may contact:

DEBRA Spain
C/ Jacinto Benavente 12, 29601 Marbella (Málaga), Spain
[email protected] | Tel. +34 952 816 434