Privacy policy


DUTY OF INFORMATION. In compliance with the provisions of current data protection legislation [EU REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)], the personal data contained in this document will be processed on a CO-RESPONSIBILITY BASIS. When the booking service is provided as a proprietary label (look & feel of the PARTNER) and jointly by TIXALIA and the PARTNER, the user's data will be processed jointly by TIXALIA and the PARTNER, with both parties responsible for the resulting database. Both parties undertake to comply with the personal data protection regulations as data controllers, complying with all the obligations and duties contemplated in the GDPR and its implementing regulations. The actions carried out by both parties under a coresponsibility basis shall be carried out in compliance with the provisions of Article 26 of the GDPR.

Specifically, customer data will be processed by TIXALIA and the PARTNER, on a coresponsibility basis, through the redirection of the sale by the PARTNER to the 'Proprietary label ticket shop' owned by TIXALIA, where the sale will be processed.

Your personal data will not be disclosed to third parties, except for legal obligations of communication or handling processing for the proper management of the relationship between the two parties.

The basis for the legitimisation of the processing is the contractual relationship between the parties subject to the contractual relationship. Your data will not be processed for purposes other than those set out in this clause.

You may also exercise your rights of access, rectification, deletion, opposition, limitation, and portability under the legal terms by either sending an email to or by writing a letter to TIXALIA WORLDWIDE, S.L. at the following address: Calle Botiguers, número 3, oficina 4E, Paterna, or by sending a letter to or by writing to Groupon Netherlands BV at the following address: Prins Bernhardplein 200, Amsterdam , Amsterdam , nl, 1097 JB indicating in the same communication the right you wish to exercise, your name and surname(s), and attaching a photocopy of your national ID card or equivalent identification document. In addition, you have the possibility of lodging a complaint with the Spanish Data Protection Agency.;

For this purpose, TIXALIA undertakes to implement appropriate and relevant security measures based on the risk analysis carried out and in compliance with the current legislation on data protection.

In this service contracting modality, the PARTNER agrees to comply with all the obligations foreseen in the data protection regulations as the DATA CONTROLLER, implementing in its privacy policies the principles of consent and duty of information, without prejudice to the rest of the duties and obligations contemplated in the aforementioned regulations, exonerating TIXALIA from any responsibility otherwise.

In compliance with the provisions of Article 28 of the General Data Protection Regulation, TIXALIA, as the data processor in this specific case, and all its staff are obliged to:

a. Use the personal data undergoing processing, or collected for inclusion, only for the purpose specified herein. Under no circumstances use the data for its own purposes.

b. Process the data in accordance with the instructions of the data controller. Immediately inform the controller if it considers that any instructions are in breach of the GDPR or any other Union or Member State data protection provisions.

c. Keep, in writing, a record of all categories of processing activities carried out on behalf of the controller, either where there are more than 250 employees, or the processing is likely to result in a risk to the rights and freedoms of data subjects and is not occasional, or involves special categories of data or personal data relating to criminal convictions or offences. Each record shall include the following minimum content:

I. The name and contact details of the processor(s) and of each controller on whose behalf the processor is acting and, where applicable, of the representative of the controller or processor and of the data protection officer.

II. The categories of processing operations carried out on behalf of each controller.

III. Where applicable, transfers of personal data to a third country or international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, documentation of appropriate safeguards.

IV. A general description of the technical and organisational security measures relating to:

1. Anonymisation and encryption of personal data.

2. The ability to ensure the continued confidentiality, integrity, availability, and resilience of processing systems and services.

3. The ability to quickly restore availability and access to personal data in the event of a physical or technical incident.

4. The process of regular verification, evaluation, and assessment of the effectiveness of the technical and organisational measures to ensure the security of processing.

d. Not communicating the data to third parties, except with the express authorisation of the data controller, in the legally admissible cases.

The processor may communicate the data to other processors of the same controller, in accordance with the instructions of the controller. In this case, the data controller shall identify, in advance and in writing, the entity to which the data are to be communicated, the data to be communicated, and the security measures to be applied in order to proceed with the communication.

If the processor must transfer personal data to a third country or to an international organisation under Union or Member State law applicable to it, it shall inform the controller of that legal requirement in advance, unless such law prohibits it for important reasons of public interest.

e. Subcontracting

It shall not subcontract any of the services forming part of the object of this contract that involve the processing of personal data, except for auxiliary services necessary for the normal operation of the services of the processor. If it is necessary to subcontract any processing, this fact must be communicated in writing in advance to the data controller, indicating the processing operations to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. Subcontracting may be carried out if the controller does not express his or her opposition within the established time limit. The subcontractor, who shall also have the status of 'processor', is also bound by the obligations set out in this document for the processor and the instructions issued by the controller. It is up to the initial processor to regulate the new relationship in such a way that the new processor is subject to the same conditions (instructions, obligations, security measures...) and with the same formal requirements as the initial processor regarding the proper processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the sub-processor, the initial processor shall remain fully liable to the controller for the fulfilment of the obligations.

f. Maintain the duty of secrecy with regard to personal data to which it has access by virtue of this assignment, even after the end of the assignment.

g. Ensure that persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.

h. Maintain the documentation accrediting compliance with the obligation established in the previous section available to the controller.

i. Ensure the necessary training in personal data protection for persons authorised to process personal data.

j. Assisting the controller in responding to the exercise of the rights:

I. Access, rectification, deletion, and opposition

II. Processing limitation

III. Data portability

IV. Not to be subject to automated individualised decisions

When the data subjects exercise their rights of access, rectification, deletion, and opposition, restriction of processing, or data portability with the data processor, the latter must inform the data controller. The communication must be made immediately and in no case later than the working day following the reception of the request, together, where appropriate, with any other information that may be relevant to the resolution of the request.

k. Right to information

If the processor is to collect personal data, it must inform the data subject on behalf of the controller at the time of collection by following the instructions and providing the information indicated by the controller.

l. Data security breach notification

The processor shall notify the controller, without undue delay, and in any event no later than 48 hours, and via the email address indicated by the controller, of any breaches of security of the personal data under its responsibility of which it becomes aware, together with all relevant information for the documentation and communication of the incident. Notification shall not be required where such a breach of security is unlikely to constitute a risk to the rights and freedoms of natural persons.

If available, at least the following information shall be provided:

I. Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected.

II. The name and contact details of the data protection officer or other point of contact where further information can be obtained.

III. Description of the possible consequences of the personal data security breach.

IV. Description of the measures taken or proposed to be taken to remedy the personal data breach, including, where appropriate, measures taken to mitigate possible negative effects. If it is not possible to provide the information simultaneously, and to the extent that it is not, the information shall be provided periodically without undue delay.

m. Support the controller in carrying out data protection impact assessments, where appropriate.

n. Support the controller in carrying out prior consultations with the supervisory authority, where appropriate.

o. Make available to the controller all information necessary to demonstrate compliance with his or her obligations, as well as for audits or inspections to be carried out by the controller or another auditor authorised by the controller.

p. Implement the security measures indicated by the controller following an impact assessment or, in any case, implement mechanisms in the case of automated processing to:

I. Ensure the continued confidentiality, integrity, availability, and resilience of processing systems and services.

II. Restore availability and access to personal data quickly, in the event of a physical or technical incident.

III. Pseudonymise and encrypt personal data, where appropriate.

In the processing of paper documents and when new technologies are used:

Regularly verify, evaluate, and assess the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.

q. Designate a data protection officer and communicate his or her identity and contact details to the data controller, if applicable. That is, if it is a public body, if personal data are routinely and systematically observed on a large scale, or if the main activity of the processing is to handle special-category data or data relating to criminal convictions and offences.

r. Destination of the data

Return to the data controller the personal data and, if applicable, the media on which they are stored, once the service has been rendered.

The return must entail the complete erasure of the data existing on the computer equipment used by the data processor.

However, the processor may keep a copy, with the data duly blocked, for as long as liability may arise related to the performance of the service.