Privacy policy
In compliance with the provisions of personal data protection regulations (EU Regulation 2016/679 and Organic Law 3/2018), we inform you that CLUB ATLÉTICO OSASUNA has adopted the necessary technical and organisational measures to guarantee compliance with the rights of data subjects, and hereby informs you of the data processing that will be carried out through this website.
Likewise, through the following privacy policy, CLUB ATLÉTICO OSASUNA will comply with the obligations established in Law 34/2002 on Information Society Services and Electronic Commerce.
1. Identity of the data controller
The data controller for the personal data collected on this website is:
Company name: CLUB ATLÉTICO OSASUNA
Tax ID number: G31080179
Address: Calle El Sadar SN – 31006 Pamplona, Navarra
Email: lopd@osasuna.es
Data Protection Officer details: Consulting & Strategy GFM S.L.
DPO contact details: dpo@gfmservicios.com
2. Purposes of personal data processing
The data controller will process the data collected and managed through this website in order to facilitate and fulfil the commitments and services established through the website of the data controller and the user; as well as to maintain the relationship established through the forms filled in by the latter or to respond to a request or query.
At the time the personal data is obtained, the user will be informed of the specific purpose or purposes for which the personal data will be processed; that is, the use or uses that will be made of the information collected.
Likewise, in accordance with the provisions of the GDPR and the LOPD, unless the exception provided for in Article 30.5 of the GDPR applies, a record of processing activities is kept which specifies, according to their purposes, the processing activities carried out by the data controller and the other circumstances established in the GDPR.
The processing of the user's personal data will be subject to the following principles set out in the GDPR and the LOPD:
- Principle of lawfulness, fairness and transparency: the user's consent will be required at all times, following fully transparent information on the purposes for which the personal data is collected.
- Principle of purpose limitation: personal data will be collected for specific, explicit and legitimate purposes.
- Principle of data minimisation: the personal data collected will be only those strictly necessary in relation to the purposes for which they are processed.
- Principle of accuracy: personal data must be accurate and always up to date.
- Principle of storage limitation: personal data shall only be kept in a form that allows the identification of the User for as long as is necessary for the purposes for which it is processed.
- Principle of integrity and confidentiality: personal data shall be processed in such a way as to ensure its security and confidentiality.
- Principle of proactive responsibility: the Data Controller shall be responsible for ensuring that the above principles are complied with.
3. Legitimacy for the processing of personal data
The processing of personal data shall be legitimate, in accordance with the provisions of Article 6 of the GDPR (EU) 2016/679, on the following legal bases:
- Consent of the data subject (Article 6.1, letter a): for the acceptance of processing whose purpose is not necessary for the functioning of the website or for the provision of the requested services; such as marketing purposes, sending electronic communications and newsletters.
- Performance of a contract (Article 6.1, letter b): for processing related to the provision of a service or the contracting of a present or future product or service (“Member Area” or “Soy Rojill@”, ticket purchases).
- Legitimate interest of the controller (Article 6.1, letter f): for processing related to the functioning of the website, as well as for processing derived from the development of the controller's own activity.
In cases where the processing of personal data is legitimised by the consent of the data subject, the data controller undertakes to obtain the free, express, voluntary and unequivocal consent of the data subject. Likewise, the user shall have the right to withdraw their consent at any time and as easily as they gave it. As a general rule, the withdrawal of consent shall not condition the use of the website.
On occasions when the user must or may provide their data through forms to make enquiries, request information or for reasons related to the content of the website, they will be informed if the completion of any of these forms is mandatory because they are essential for the proper performance of the operation carried out.
4. Categories of personal data, origin and retention period
The categories of data processed on this website are solely identification and contact details. In certain cases, other personal data may be processed, such as date of birth or gender.
Under no circumstances will specially protected categories of personal data be processed, in accordance with the provisions of Article 9 of the GDPR (EU) 2016/679. If a specific data processing operation involves the processing of these categories of data, the consent of the data subject will be obtained in accordance with the terms described in the previous section.
The personal data processed through this website will come from the data subject themselves or their legal representative.
In accordance with the provisions of Article 8 of the GDPR and Article 7 of the LOPD, only persons over the age of 14 may give their consent to the lawful processing of their personal data. In the case of minors under the age of 14, the consent of their legal representatives will be required for the processing, and this will only be considered lawful to the extent that they have authorised it.
The personal data processed will be kept for the legally established periods and, in any case, for as long as the data controller may be liable. In cases where the user has given their consent, the data will be kept until they request its deletion or revoke their consent.
5. Recipients of the personal data processed
The personal data processed on this website will be shared with those individuals and/or entities related to the data controller that are necessary for the provision of the services offered through the website, such as: IT companies, banks and savings banks, marketing companies, and management software companies.
Likewise, it may be shared with law enforcement agencies and judicial authorities when required.
6. Exercise of rights by data subjects
Users may exercise the following rights recognised in the GDPR and LOPD against the Data Controller:
- Right of access: the right to obtain confirmation as to whether or not the data controller is processing their personal data and, if so, to obtain information about their specific personal data and the processing that has been or is being carried out, as well as, among other things, the information available about the origin of such data and the recipients of the communications made or planned.
- Right of rectification: the right to have your personal data modified if it is inaccurate or, taking into account the purposes of the processing, incomplete.
- Right of erasure (‘the right to be forgotten’): the right, unless otherwise provided by applicable law, to obtain the erasure of your personal data when it is no longer necessary for the purposes for which it was collected or processed; the User has withdrawn their consent to the processing and there is no other legal basis for it; the User objects to the processing and there is no other legitimate reason to continue with it; the personal data has been processed unlawfully; the personal data must be deleted in compliance with a legal obligation; or the personal data has been obtained as a result of a direct offer of information society services to a child under 14 years of age.
- In addition to deleting the data, the data controller, taking into account the available technology and the cost of its application, must take reasonable steps to inform the controllers who are processing the personal data of the data subject's request to delete any links to that personal data.
- Right to restriction of processing: the right to restrict the processing of your personal data. The user has the right to obtain the restriction of processing when they contest the accuracy of their personal data; the processing is unlawful; the data controller no longer needs the personal data, but the user needs it to make claims; and when the user has objected to the processing.
- Right to data portability: where the processing is carried out by automated means, you have the right to receive your personal data from the data controller in a structured, commonly used and machine-readable format and to transmit it to another data controller. Where technically feasible, the data controller shall transmit the data directly to that other controller.
- Right to object: the right to object to the processing of your personal data or to have the processing of your personal data ceased.
- Right not to be subject to a decision based solely on automated processing, including profiling: the right not to be subject to an individualised decision based solely on the automated processing of your personal data, including profiling, unless otherwise provided for by applicable law.
Therefore, users may exercise their rights through the controller's website, using the form provided for this purpose, duly proving their identity (Exercise of Rights Arsol).
If their rights are not respected or they feel that their rights have been violated, they may send a communication to the Data Protection Officer of the data controller, as well as file a complaint with the competent supervisory authority (Spanish Data Protection Agency, www.aepd.es).
7. Security measures
The data controller undertakes to adopt the necessary technical and organisational measures, in accordance with the level of security appropriate to the risk of the data collected, in order to guarantee the security of personal data and prevent the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorised communication or access to such data.
The website has an SSL (Secure Sockets Layer) certificate, which ensures that personal data is transmitted securely and confidentially, as the transmission of data between the server and the User, in both directions, is fully encrypted.
However, as the data controller cannot guarantee the impregnability of the internet or the total absence of hackers or others who fraudulently access personal data, the data controller undertakes to notify the user without undue delay when a breach of personal data security occurs that is likely to pose a high risk to the rights and freedoms of natural persons.
In accordance with Article 4 of the GDPR, a personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Personal data will be treated as confidential by the data controller, who undertakes to inform and ensure, by means of a legal or contractual obligation, that such confidentiality is respected by its employees, associates and any person to whom the information is made accessible.
The website may include hyperlinks or links that allow access to third-party websites other than the website owner and which are therefore not operated by the website owner. The owners of such websites will have their own data protection policies, and they themselves will be responsible in each case for their own files and their own privacy practices.
8. Acceptance and changes to this privacy policy
Users must have read the conditions regarding the protection of personal data contained in this Privacy Policy and accept the processing of their personal data so that the Data Controller can proceed with the processing in the manner, during the periods and for the purposes indicated.
The Data Controller reserves the right to modify its Privacy Policy, at its own discretion, or due to a change in legislation, case law or doctrine of the Spanish Data Protection Agency. Changes or updates to this Privacy Policy will not be explicitly notified to the user. Users are advised to check this page periodically to keep abreast of the latest changes or updates.
Last update: August 2025