S21sec Privacy Policy

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of such data; Grupo S21Sec Gestión, S.A, responsible for the data provided, informs you:



Responsible: Grupo S21Sec Gestión, S.A
Purpose: Management of the contractual relationship for the provision of cybersecurity services
Legitimacy: Execution of a contract accepted and signed by the interested party or his legal representative and consent
Data transfers: Communication of data to companies of the Sonae Group and legal obligations.
Rights: Access, rectification, deletion, limitation, opposition and portability, as well as other rights explained in the Additional Information



Responsible: Grupo S21Sec Gestión, S.A
Purpose: Management of CVs of candidates in recruitment processes
Legitimacy: Consent of the interested party
Data transfers: No data transfers to third parties, except legal obligations, will be made. In the event that such a possibility is contemplated, your consent will be requested.
Rights: Access, rectification, deletion, limitation, opposition and portability, as well as other rights explained in the Additional Information.
Additional Information: You can consult the additional information on Data Protection in our Privacy Policy on this page. (https://www.s21sec.com/en/privacy-policy/)

Additional information. Privacy Policy

Through the site www.s21sec.com (hereinafter, the Web), the entity Grupo S21Sec Gestión, S.A. (hereinafter, S21SEC) provides services and presents its catalog of services and products under the conditions included therein.

The Web is accessible from different devices and there are contact forms that require you to fill in information fields established for this purpose.

S21SEC has updated its Privacy Policy, which affects individuals and business interlocutors, and which replaces the one that previously regulated the processing of your data.

For S21SEC, your privacy is important, so your data will be treated in accordance with the principles of transparency, purpose limitation, data minimization, accuracy, integrity and confidentiality.

S21SEC will notify you in advance of any changes made to this Privacy Policy and will not make retroactive changes that reduce your rights unless legally required and, in such case, your consent will always be necessary. You can revoke your consent at any time if you are not satisfied with the changes made.

In accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (RGPD), S21SEC informs you that by accepting this information protection clause, you give your informed consent, expressly, freely and unequivocally so that the personal data you provide to S21SEC are included in the data records S21SEC is responsible for, duly registered in the Data Protection Agency and on which security, technical and organizational measures established in the current regulations are applied.

In this sense and, according to the provisions of the RGPD, below we detail information on the treatment that S21SEC performs on your data.

Who is responsible for the processing of your data?

Grupo S21Sec Gestión, S.A. (from now on, S21SEC)
Parque Empresarial Zuatzu,
Edificio Urgull, 2ª planta local 10,
20018 – San Sebastián (Guipúzcoa)
Phone: +34 902 020 222
Email: info@s21sec.com

Who is the Data Protection Officer?

The Data Protection Officer is in charge of protecting the fundamental right to data protection and compliance with current regulations applicable to this matter in S21SEC. You can contact the Data Protection Officer of S21SEC at the following email address: data.privacy@s21sec.com.

What are the purposes of the personal data processing made by S21sec?

  1. If you are a S21SEC customer, this company treats the data you provide us with in order to manage and execute the provision of the services or supply of cybersecurity products, including training, detailed in the Contract or Offer of Provision of Services or Supply of Products subscribed with S21SEC (hereinafter, the Contract), that is, to carry out all the actions that are necessary to adequately provide the services or products detailed in the Contract in the terms and with the scope foreseen therein, including, where appropriate, the provision of services through own or third-party electronic systems or tools that S21SEC provides (hereinafter, S21SEC electronic tools), including the S21SEC e-learning tool. As part of the cybersecurity services, S21SEC may send you “Informational Alerts” that S21SEC considers of interest.

In addition to providing our Services or supplying you with Products, we will also process your data to evaluate your financial solvency and perform the accounting, tax and administrative management tasks.

Likewise, due to the legitimate interests of S21SEC, we create statistics on the use of services in order to improve them, detect deficiencies and incidents, and develop new services and / or tools. For these purposes, we can develop a commercial profile of customers, although not making any automated decisions based on that profile.

  2. If you have not yet contracted our services or products, but you have provided us with your data for such future purposes, S21SEC treats such data in order to manage and develop a commercial relationship aimed at providing the services or supply of cybersecurity products that S21SEC offers.
  3. In both cases, S21SEC will also process your data to send out informative notes related to cybersecurity market trends, threat alerts, industry events including ones managed by S21sec and description of services that S21SEC provides or can provide. For these purposes, you expressly consent and accept to receive such notes by postal mail, electronic mail and even by mobile services. You can revoke this consent at any time by sending an email to data.privacy@s21sec.com.
  4. In the event that you use the website www.s21sec.com to send us your CV, filling out the forms established for this purpose or send it to us by any other means; S21SEC treats the data you provide us with in order to manage your candidacy for the selection processes of the vacant positions offered by S21SEC.
  5. The processing of your data for purposes other than those detailed above will require your prior and explicit consent in each case.
  6. Finally, as described in our Cookies Policy, we remind you that on the S21sec website www.s21sec.com we use cookies to analyze and measure user navigation in order to improve our services.

What is the legitimacy for processing personal data?

The legal basis for the processing of your data, if you have contracted with S21SEC the provision of services or supply of products, is the execution of the Contract. In this case, the processing of your data based on legitimate interests of S21SEC will be carried out, in all cases, with the utmost rigor and respect for your privacy, rights and freedoms; in no case will they be used for purposes that undermine the subject’s rights in this regard.

The processing of your data for the purposes detailed in the previous section and based on the consent that is requested may be withdrawn at any time. The withdrawal of this consent will, in any case, condition the execution of the Contract.

The legal basis for the processing of your data, if you are not a S21SEC client or submitted your CV to this company, is based on your consent, in any case.

To which third parties will your personal data be transferred?

In the case that you are a customer of S21SEC, S21sec will communicate your data to companies of the Sonae Group in order to centrally manage the data of our customers, with you expressly consenting to this assignment.

In other cases, no communication of data to third parties is foreseen, except for those that are required by legal obligations. Such communications will be made, in any case, complying with all the guarantees legally foreseen. However, if the possibility of transfer of your data for other reasons is contemplated, S21SEC will request your explicit consent.

Notwithstanding the foregoing, S21SEC informs you that the provision of some of its Services and / or products requires storage at the S21SEC facilities or third parties and access by this or third parties to your data, S21SEC committing to comply with the provisions in the applicable current legislation. For these purposes, S21SEC informs you that it will perform third-party treatment orders, such as storage services on physical servers or in the cloud, maintenance services for computer systems and, where appropriate, services with third-party companies to which S21SEC could entrust the selection processes carried out, etc. Such treatment orders may require international data transfers, always performed to countries of the European Union, US Privacy Shield or that have an adequate level of protection in accordance with current regulations.

What are your rights when sharing personal data with us?

Anyone has the right to obtain confirmation of whether S21SEC is processing personal data concerning him or her.

You can also exercise the rights conferred by current legislation: right of access, rectification, deletion and opposition, limitation of processing, portability of data and not to be subject to automated individualized decisions.

Also, you have the right to withdraw or revoke the consent at any time for those purposes and / or uses based on it, without the withdrawal of this consent conditioning, in any case, the execution of the Contract, when applicable.

You can exercise your rights by any means that allows confirmation of identity of your request. The request must be addressed to S21SEC through the data included in the “Responsible for Treatment” section, indicating the reference “Data Protection”. The application must include: Name, surnames and photocopy of your ID, text in which you detail your request and address to be used for notifications.

If you are not satisfied with the response of S21SEC to the exercise of your rights, you have the right to claim protection from the applicable Control Authority.

How have we obtained your data?

Personal data processed by S21SEC have been provided by you by signing the Contract. However, in the event that S21SEC had access to and processed data on natural persons (employees, collaborators, etc.) that are necessary as a result of the execution of the Contract, S21SEC will only deal with the minimum data for its professional location and only with the purpose of the need to execute what is established in such Contract.

S21SEC informs you of the treatment of the following categories of data:

Identifying data
Postal and electronic addresses
User data and password hashes in the event that you use the electronic tools of S21SEC.
Economic and / or billing information
Specially protected data is not processed

However, if you hire S21SEC training services, this company will handle the academic data necessary for this purpose.

Likewise, personal data processed by S21SEC includes data that has been provided by you by sending your CV to this company. For this purpose, S21SEC informs you of the treatment of the following categories of data:

Identifying data
Postal, electronic and telephone addresses
Academic education
Professional experience
Economic data on applicable salary bands
Specially protected data is not processed

Finally, personal data processed by S21SEC includes data that has been provided by you by registering previously to an industry event managed by S21sec. For this purpose, S21SEC informs you of the treatment of the following categories of data:

Identifying data
Postal, electronic and telephone addresses
Company where you work, when applicable

How are your personal data processed?

Your data will be treated on paper or digital media.

In accordance with the Contract, S21SEC and you can communicate and carry out transactions with S21SEC by: (i) E-mail, (ii) Telephone calls and (iii) Use of S21SEC electronic tools, including S21sec’s e-learning tool.

At S21SEC we are concerned about security and guaranteeing and protecting your privacy. For this reason, we guarantee that the processing of your data is carried out under high levels of security and in accordance with our Corporate Information Security Policy.

According to industry standards, we maintain technical and organizational measures against accidental or illegal destruction, accidental loss or alteration, disclosure or unauthorized access and other illegal forms or procedures.

For these purposes, transactions made through our electronic systems will be transmitted through an SSL (Secure Sockets Layer) secured server. When the letters “http” pass to “https”, the “s” means that all data transfers are encrypted and, therefore, secure. Your browser can also inform you of the site’s security through a pop-up message. The SSL security protocol encrypts personal information during data transport.

Notwithstanding the foregoing, the security of information transmitted over the internet cannot be guaranteed. Users of electronic tools are responsible for maintaining the security of any password, username or any other form of identification to gain access to password protected areas of any of our services. In order to protect both you and your information, we may suspend the use of any of the services of S21SEC, without prior notice, pending investigation, if it is suspected that there is a security breach.

For how long will your data be kept by us?

We will treat and keep your data as long as it is necessary for the provision of the services object of the Contract and it is in force. Once the Contract is finished, we will keep your personal data during the general legal limitation periods and for any other actions permitted by law.

S21SEC will treat and store the data you provide us, unless you revoke your consent or object to its treatment and, in the event that we treat your curricular data, only during the duration of the selection process for which you submitted your curriculum, destroying it at the moment S21SEC informs you that your candidacy has been rejected, unless that communication was requested to be retained for other selection processes deemed appropriate.

Once the statutory limitation periods have elapsed, we will remove them and / or block them according to our retention and deletion of data policy.

More information


If you have any questions about this privacy policy, you can contact us through the email account data.privacy@s21sec.com.