Who is the Data Controller for your personal data?
The Data Controller responsible for processing your personal data is the entity Zinnia Telecomunicaciones SLU with tax ID ref. B87836607 and registered address at María Tubau, planta 5, M, módulo C, 28050 Madrid (henceforth by its Trading Name “Lobster”).
We also advise that the Data Protection Officer is the person responsible for ensuring that your fundamental right to personal data protection is respected. You may contact the Lobster Data Protection Officer: email@example.com
What data is processed and from what sources is it obtained?
Lobster may process the following data:
- Identifying data (name and surnames, ID numbers, address, telephone, signature, image/voice, electronic signature).
- Electronic communication meta-data (call and SMS records, CDRs, MSISDN, MAC addresses, IP addresses, browser data, communications localisation data, location data different to those previously mentioned for calls to emergency services.)
- Financial or economic data (billing, bank details, credit card, credit information).
- Date of birth, place of birth, age, sex, nationality.
At the point of signing the contract, the Customer should provide the data marked as obligatory in the corresponding forms. It is not possible for a Customer to enter into a contract if the Customer does not agree to provide any of this data. The Customer guarantees that the information provided is true and accurate and authorises Lobster to request, if it deems it necessary and appropriate, additional or complementary details in order to verify and confirm the Customer’s identity.
If the Customer is not the data subject of the data provided (data on dependants, employees, relatives, etc.), the Customer guarantees that they have been authorised by and obtained the data subject’s consent to submit their data and they will be liable to Lobster for the same.
Lobster also collects the Customer’s personal data directly through its customer service channels and traffic data generated through their use of Lobster’s Service.
We also collect information about any breach of monetary or credit obligations provided by credit information systems and fraud prevention agencies such as payment failures.
What is the legal basis and purpose for processing your data?
Lobster processes Customer’s personal and traffic data for the following purposes:
- Finalise the contract and provide Services once the contract is executed. Lobster handles your identification data for contracting the service and billing for it. Additionally, your traffic data is processed by Lobster to be able to offer you the contracted mobile communications service. Customers are advised that the routing of the calls you make through Lobster’s electronic communications service necessarily involves the transmission of traffic data to deliver the call and for its termination at the desired number. However, the transmission of traffic metadata does not allow for personal identification and location data other than traffic data is not transmitted, except in the case of calls to emergency services as required by legal obligations.
- Legitimate interest of Lobster. Lobster may use your anonymised and aggregated traffic data for statistical purposes and to monitor the service status of the network in order to ensure efficient network management and to develop new features. Lobster will also be able to process your personal and traffic data for the internal credit and fraud control processes.
- Compliance with legal obligations. Lobster is obliged to comply with certain legal obligations, which legitimize the processing of your personal and traffic data, especially:
- obligation to conserve and transfer identification data and data on electronic communications to agencies authorised by virtue of the law 25/2007 of October 18
- compliance with the derivatives of General Telecommunications Law 9/2014 of May 9, such as: (a) the processing and communication of data to the National Competition Commission for subsequent transfer to entities authorized by virtue of Circular 1/2013 regarding the procedure for the provision of subscriber data for the provision of directory services, telephone consultation on subscriber numbers and emergencies, (b) the central database and other electronic communications operators in the portability management framework if you request a change of operator whilst retaining its numbering, (c) to other operators within the framework of the obligations of identification illegal or fraudulent traffic established in Royal Decree 381/2015 of May 14 as well as (d) other operators with whom Lobster collaborates to comply with the obligations of lawful interception of communications in If such an interception request is made by the authorised agencies;
- the processing of personal data related to fair use policies used to determine residence or stable links with Spain under the provisions of Regulation (EU) 531/2012 on roaming; and
- other legal obligations to communicate data to Public Bodies, including the Spanish Data Protection Agency, or Judicial Bodies.
- Consent. Lobster may send you marketing communications about its services or make marketing calls with prior consent on your part. Explicit consent must be given at the time of contracting the service, and you are able to modify your communication preferences and withdraw this consent (if it has been provided) at all times in your Customer Area or by calling 711. If you do not consent or if you opt out of receiving these messages, we will not send you marketing promotions or communications.
To whom is your data communicated?
The following entities process your data on behalf of Lobster:
- Group companies for the provision of customer service;
- Network providers (electronic communications operators) for the provision of the lectronic communications service contracted; and
- Banking and/or credit institutions responsible for managing the collection of payments for services contracted, on Lobster’s behalf.
The Customer is advised that some of these trusted providers are located in Gibraltar. European data protection legislation is fully in force in Gibraltar.
Lobster may also communicate your information to:
- Third party electronic communications operators for the management of the portability and/or fraud control processes in compliance with legal obligations.
How long will we store your data?
The Customer is advised that, in compliance with the principal of limiting the period of retention, the collected data will solely and exclusively be processed for the necessary time and for the purposes for which they were originally collected. They will be stored in a way that enables identification of data subjects for no longer than is necessary for the purpose of processing the personal data or responding to possible claims under the Civil Code or fiscal regulations.
As a general rule, customer data (identifiable, contact, or billing data) shall be stored for a period of 5 years from the end of the contractual relationship with Lobster. Once this period is over, Lobster may keep the data blocked for whatever period in which liabilities may arise derived from the Service provided by Lobster to the Client.
Regarding traffic data and communication meta-data, Lobster should comply with certain legal requirements, for example Law 25/2007 of 18 October, on the retention of data relating to electronic communications and public communications networks, which means storing traffic and localisation information for a period of 12 months in case of a legal requirement to submit it.
What measures do we use to protect your personal data?
Lobster is committed to guaranteeing the security, secrecy and confidentiality of your data, communications and personal information. Therefore, in compliance with current legislation and as part of our commitment, we have adopted the most rigorous, robust security, technical and organisational measures to guarantee the security of your data and prevent its destruction, loss, or illegal access or amendment to it. At the time of determining these measures, criteria were taken into account such as the scope, context and purposes of the processing; the status of the technology and the existing risks.
What are your rights regarding your personal data?
In accordance with the stipulations of the applicable regulation, Lobster informs the Customer that they have the following rights derived from the applicable regulation:
- Access: allows the data subject to obtain information about whether Lobster are processing their personal data or not and, if so, the right to obtain information about the personal data being processed.
- Rectification: allows errors to be corrected and amendments made to any data that are inaccurate or incomplete.
- Erasure: allows data to be erased and Lobster to cease processing it, unless there is a legal requirement to store the data and/or there are no other legitimate reasons for Lobster to process it. For example, when personal data is no longer necessary in relation to the purpose for which it was collected, the Customer may request that we erase them without undue delay.
- Limitation: under the legally established terms, this allows data processing to be halted in such a way that it prevents Lobster from processing the data in the future, and they will only be stored for potential use defending against any claims.
- Opposition: In certain circumstances, and for reasons relating to their specific situation, data subjects can oppose the processing of their data. Lobster shall cease to process the data, unless there are legitimate overriding reasons to do so, or they are needed for defending potential claims. In particular, you can object at any time to: the sending of marketing communications by Lobster, managing your consent through your Customer Area or by calling 711; to the inclusion of all or some of your personal data in the telephone directories; and to the processing of your personal and traffic data only when they are no longer necessary for the transmission of communications, billing for the service or for processing, response and, where appropriate, defence of possible complaints or issues.
- Portability: allows the data subject to receive their personal data and be able to transmit it directly to another data controller in a structured, commonly used, machine-readable format. In order to exercise this right, the Customer should provide a valid email address.
The Customer may exercise the above rights by contacting Lobster in writing, (Calle María Tubau, planta 5, Módulo C, 28050 Madrid), by email: firstname.lastname@example.org, attaching a copy of their ID document for identification purposes, or through their Customer Area.
Likewise, and in particular when the Customer believes they have not received a satisfactory response when exercising their rights, they may write to the Lobster Data Protection Officer.
They may also submit a claim before the relevant Controlling Authority responsible for Data Protection, which in Spain is the Spanish Data Protection Agency (www.aepd.es).