Privacy Policy

Purpose and scope of application

Noatum is committed to complying with the rules of protection of personal data that affect all processing activities for which it is controller or processor. This Privacy Policy establishes the general guidelines that are observed in such compliance.

This Noatum Privacy Policy is mandatory for all its employees and internal or external collaborators who have access to personal data.

The Privacy Policy is approved by the Security Committee and the management of Noatum, who establishes in this way the basic guidelines to be followed within the organization, while giving their consent and support to the whole in an explicit way.



Noatum processes personal data under its responsibility in accordance with the following principles:

  • Lawfulness, fairness and transparency: personal data will be treated in a lawful, fair and transparent manner in relation to the data subject.
  • Legitimation in the processing of personal data: personal data will only be processed when such processing is covered by data protection regulations.
  • Purpose limitation: personal data will be processed for the fulfillment of specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with said purposes.
  • Data minimization: personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy: personal data shall be accurate and, if necessary, up-to-date; all reasonable steps shall be taken to ensure that personal data which are inaccurate with regard to the purposes for which they are processed are erased or rectified without delay.
  • Limitation of the retention period: personal data will be kept in such a way as to allow the identification of the interested parties for no longer than necessary for the purposes that justified their treatment.
  • Accountability: Noatum will be responsible for compliance with the principles relating to the processing of data required by GDPR and will adopt the technical and organizational measures that allow it to be in a position to prove it.
  • Attention to the rights of the data subjects: measures will be adopted in Noatum that guarantee the adequate exercise by data subjects, when appropriate, of the rights of access, rectification, erasure, objection, restriction of processing and portability with respect to their personal data.
  • Data protection by design and by default: Noatum will promote the implementation of the principle of data protection by design and by default so that data protection is present in the early stages of conception of a project. This principle will also be applied from the initial design of information systems.
  • Confidentiality and integrity: Noatum will guarantee an adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, shall be ensured through the application of appropriate technical or organizational measures.
  • Risk management: the management of personal data carried out by Noatum will be carried out through active risk management, understanding as risk the effect of uncertainty on the achievement of the main objective, which is the protection of the rights and freedoms of the holders of the personal data that are processed.
  • Continuous improvement: the degree of effectiveness of the security controls implemented will be reviewed on a recurring basis to increase the capacity to adapt to the constant evolution of the environment.
  • Awareness and training: training and awareness-raising programs will be articulated for users on data protection.


Technical and organizational security measures

Noatum will process personal data under its responsibility considering the state of the art, the costs of application, and the nature, scope, context and purposes of the processing it carries out, as well as the possible risks of variable likelihood and severity for the rights and freedoms of natural persons.

In assessing the adequacy of the level of security, it shall be considered of the risks presented by the processing of data, in particular because of accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication of or access to such data.


Record of processing activities

Noatum will keep an up-to-date record of the processing activities with personal data for which it is controller or processor, which will include at least the following information:

  • Name and contact details of the controller
  • Purposes of processing
  • Description of the categories of data subjects
  • Description of the categories of personal data
  • Categories of recipients to whom personal data are communicated
  • Transfers of personal data to a third country
  • Time limits for deletion of the different categories of data
  • General description of technical and organizational security measures


Risk analysis and impact assessment.

A risk analysis shall be carried out before any processing of personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as risks of varying likelihood and severity for the rights and freedoms of natural persons.

Appropriate technical and organizational measures shall be implemented to ensure a level of security appropriate to the risk.

Noatum will carry out an impact assessment of the processing activities on the protection of personal data when the analysis carried out is likely that the processing would pose a significant risk to the rights and freedoms of individuals. If necessary, it will consult and request authorization to carry out the processing of personal data from the corresponding supervisory authority.


Personal data security breaches

In the event of a personal data breach, Noatum shall notify the competent supervisory authority without undue delay and, if possible, no later than 72 hours after it became aware of it, unless such a security breach is unlikely to constitute a risk to the rights and freedoms of natural persons.

Noatum will take the appropriate measures for the communication without undue delay to the data subjects who may have been affected by the breach of security of personal data, when it is likely that it entails a high risk to their rights and freedoms.

Noatum will document any personal data breach, including the facts related to it, its effects and the corrective measures taken.


Attention to rights exercise

Noatum has established the necessary procedures to meet possible requests for the exercise of rights from the owners of personal data that are under its responsibility.


Relationships with third parties

Noatum has established the necessary controls to ensure that, in its relations with third parties, whether customers or suppliers, the regulations on the protection of personal data are observed.



Noatum carries out periodic audits aimed at verifying, evaluating and assessing the effectiveness of technical and organizational measures to ensure compliance with the processing of personal data carried out under its responsibility.



You can contact the Information Security Department – Privacy Office of Noatum:

Torre Auditori – Planta 13

Passeig de la Zona Franca nº111

08038 Barcelona

Phone – (+34) 932987777

Email –