This Privacy Policy has been developed taking into account the provisions of data protection regulations, specifically Regulation 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and the movement of such data, hereinafter the RGPD, as well as Organic Law 3/2018, of 5th December, on the Protection of Personal Data and Guarantee of Digital Rights, hereinafter the LOPDGDD (its initials in Spanish).

The purpose of this Privacy Policy is to inform the owners of the personal data, whose information is being collected, of the specific aspects relating to the processing of their data, including the purposes of the processing, the contact details for exercising their rights, the periods of conservation of the information and the security measures, among other things.

Data Controller

  • Malasa Grupo, S.L.
  • CIF: B70303482
  • Address: Lugar A Telva, Nº 1- A (Sigrás) -15181 Cambre, A Coruña
  • e-mail: Telephone: 981688014

This Privacy Policy applies to the following entities that are part of the Grupo Malasa (Malasa Group), namely:

  • Malasa Grupo, S.L.
  • Comercial Malasa, S.L.U.
  • Ebanistería Barreiro, S.L.
  • Montajes Cerceda, S.L.U.
  • Fresno Metal, S.L.U.
  • Fresno Cristal, S.L.U.
  • Malasa Rus, L.L.C.
  • Noa Design and Architecture, S.L.
  • Noa Madera Creativa, S.L.U.
  • Malasa Mex Contract, S.A.

This is because the technical, organisational and legal security measures implemented converge and are managed in the same way, respecting at all times the logical access control between entities so that each entity has access to the information for which it is responsible.

In this sense, in terms of data protection, the aforementioned entities should be considered Data Controllers, concerning the files they manage (handling of data).

Data processing

The personal data processed by the entity, not only through the website but in any of its activities, will consist of those data strictly necessary for the purposes for which they were collected in each case and which are identified below. This information will be processed in a fair, lawful and transparent manner in relation to the interested party. In addition, personal data will be collected for specific, explicit and legitimate purposes, and will not be further processed or used in a manner incompatible with those purposes.

The data collected from each person shall be adequate, relevant and not excessive concerning the relevant purposes for each case, and shall be updated whenever necessary.

The data subject shall be informed, before the collection of his/her data, of the general points regulated in this policy so that he/she may provide express, precise and unequivocal consent for the processing of his/her data, in accordance with the following aspects.

Purposes of processing

The explicit purposes for which each of the processing operations is carried out are set out in the informative clauses included in each of the data collection methods (web forms, paper forms, announcements or posters and information notes).

However, the personal data of the data subject will be processed for each of the purposes specified in the documents or data collection systems established by the entity and which, in general terms, are specified below:

  • Clients: economic, financial, administrative and information management, loyalty management and promotion of the entity.
  • Staff: labour and human resources management.
  • Suppliers: economic, financial and administrative management.
  • CVs: candidate management and development of recruitment processes.
  • Web-users: answering queries or requests for information, management of the commercial relationship and the potential contractual relationship.
  • Video surveillance: guaranteeing the security of people, goods and facilities and monitoring compliance with labour obligations.


  • Customers and suppliers: the processing is necessary for the performance of a contract if the data subject is a party or for the implementation of pre-contractual measures at his/her request (A.6.1 b. RGPD).
  • Staff: the processing is necessary for the performance of a contract if the data subject is a party or for the implementation of pre-contractual measures at his/her request (A.6.1 b. RGPD) and compliance with a legal obligation applicable to the data controller (A.6.1 c. RGPD).
  • CVs and Web users: the data subject consented to the processing of his or her personal data for one or more specific purposes (A.6.1 a. RGPD).
  • Video surveillance: the processing is necessary for the performance of a task carried out in the public interest (A.6.1 e. RGPD) and for compliance with a legal obligation applicable to the controller (A.6.1 c. RGPD in conjunction with A.20.3 of the Workers’ Statute – “Estatuto de los Trabajadores” in Spanish).


As a general rule, the entities identified do not transfer or communicate data to third parties, except as required by law. However, if necessary, the interested party is informed of such transfers or communications of data through the informed consent clauses contained in the different personal data collection channels.


As a general rule, personal data are always collected directly from the data subject; however, in certain exceptions, data may be collected through third parties, entities or services other than the data subject. In this regard, the data subject shall be informed of this fact through the informed consent clauses contained in the different information collection channels and within a reasonable time, once the data have been obtained, and at the latest within one month.

Periods of data retention

The information collected from the data subject will be kept for as long as it is necessary to fulfil the purpose for which the personal data were collected, so that, once the purpose has been fulfilled, the data will be cancelled. Said cancellation will give rise to the blocking of the data, which will only be kept at the disposal of the Public Administrations, Judges and Courts, to attend to any possible liabilities arising from the processing, during the period of limitation of such liabilities, and then the information will be deleted.

For information purposes, the following is a list of the legal deadlines for the conservation of information in relation to different matters:

  • Documentation of an employment or social security nature: 4 years (Article 21 of Royal Legislative Decree 5/2000, of 4th August, approving the revised text of the Law on Offences and Penalties in the Social Order).
  • Accounting and tax documentation for commercial purposes: 6 years (Art. 30 of the Commercial Code).
  • Accounting and tax documentation for tax purposes: 4 years (Articles 66 to 70 of the General Tax Law).
  • Building access control: 1 month (AEPD (Spanish Data Protection Agency) Instruction 1/1996).
  • Video-surveillance: 1 month (AEPD Instruction 1/2006 – Organic Law 4/1997).

Navigation data

In relation to the browsing data that may be processed through the website, if data subject to the regulations are collected, we recommend reading the Cookies Policy published on our website.

Rights of data subjects

Data protection legislation grants a series of rights to the data subjects or owners of the data that are processed by the identified entities.

The rights of the persons concerned are as follows:

  • Right of access: the right to obtain information on whether their data is being processed, the purpose of the processing being carried out, the categories of data being processed, the recipients or categories of recipients, the storage period and the origin of the data.
  • Right of rectification: the right to obtain the rectification of inaccurate or incomplete personal data.
  • Right of deletion: the right to delete the data in the following cases:
    • When the data are no longer necessary for the purpose for which they were collected.
    • When the consent is withdrawn by the data subject.
    • When the data subject objects to the processing.
    • When they must be deleted in compliance with a legal obligation.
    • When the data have been obtained under an information society service based on Art. 8 paragraph 1 of the European Data Protection Regulation.
  • Right of opposition: the right to object to a particular processing operation based on the data subject’s consent.
  • Right of restriction: the right to obtain the restriction of data processing in any of the following cases:
    • When the data subject contests the accuracy of the personal data, for a time that allows the company to verify the accuracy of the data.
    • When the processing is unlawful and the data subject objects to the erasure of the data.
    • When the company no longer needs the data for the purposes for which they were collected, but the data subject needs them for the formulation, exercise or defence of claims.
    • When the data subject has objected to the processing while it is being verified whether the legitimate business grounds override those of the data subject.

Interested parties may exercise the aforementioned rights by sending a letter and a copy of their ID card to the following address: indicating in the subject line the right they wish to exercise.

In this regard, the entities identified should respond to your request as soon as possible, taking into account the deadlines set out in the data protection regulations.

On the other hand, it should be borne in mind that the data subject or interested party may at any time lodge a complaint with the competent supervisory authority: Agencia Española de Protección de Datos C/Jorge Juan 6, 28001-Madrid (Spain).


The security measures adopted by the identified entities are those required in accordance with the provisions of Article 32 of the RGPD. In this regard, the identified entities, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, have in place the appropriate technical and organisational measures to ensure the level of security appropriate to the existing risk.

In any case, the entities identified have sufficient mechanisms to:

  1. Ensure the continued confidentiality, integrity, availability and resilience of processing systems and services.
  2. Restore availability and access to personal data quickly, in the event of a physical or technical incident.
  3. Regularly verify, evaluate and assess the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.
  4. Pseudonymise and encrypt personal data, where appropriate.