Privacy Policy

‘by Data’ (‘the Company’ hereinafter) informs you about its Privacy Policy regarding the processing and protection of personal data of users, customers, clients and suppliers that may be collected by browsing or contracting services through this website or in person on any of our establishments.

In this regard, the Company guarantees compliance with current regulation on the protection of personal data by General Data Protection Regulation (EU) 2016/679 (GDPR), applying from 25th of May 2018 with the guideline of the Office of the Australian Information Commissioner (OAIC).

The use of this website implies the acceptance of this Privacy Policy.


‘by Data’ (as Controller) is responsible for your personal data and determines the purposes and means of the processing of your personal data.

Controller – by Data Pty Ltd
ABN – 33 420 814 429
Postal Address – PO Box 42034 Branch Office 2, Valencia 46017 (Spain)
Email –
Website –


The Data Protection Officer (DPO) informs and advises the Controller of its obligations pursuant to the GDPR and cooperates with the Supervisory Authority.

Data Protection Officer (DPO) – Jose Bravo (‘by Data’)
Registered Certificate – CP-X3-0261/2019
Postal Address – PO Box 785 Upper Coomera QLD 4209 (Australia)
Email –
Website –


The European Representative is a natural or legal person established in the European Union who represents the Controller with regard to its respective obligations under the GDPR.

Representative – Ana Gonzalez (‘by Data’)
ABN – 33 420 814 429
Postal Address – PO Box 42034 Branch Office 2, Valencia 46017 (Spain)
Email –
Website –


‘Personal data’ means any information relating to an identified or identifiable natural person (‘Data Subject’), who can be identified, directly or indirectly. Within the framework of the different data processing on activities carried out by the Company, the following types of personal data may be processed:

Identification Data includes Name, Middle Name and Surnames, Photo ID number or equivalent, Address and Postal Address, Telephone Numbers, Signature, Electronic Signature, Email Address, Social Data, Registration, Image / Voice and other contact information.

Personal and Social Data includes Marital Status, Date and Place of Birth, Title, Age, Gender, Nationality, Mother Tongue, Physical Characteristics, Properties and Housing, Properties, Hobbies and Lifestyle, Clubs and Associations, Licenses and Permits.

Academic and Professional Data includes Training, Degrees, Certificates and other Studies carried out, Professional Experience, Belonging to Professional Colleges.

Commercial and Marketing Data includes your preferences in receiving Marketing from us and Third Parties (external partners) and your preferences when receiving Communications, Activities and Businesses, Subscriptions to Publications or Media, and Commercial Licenses.

Geolocation, location and movement tracking data.

Technical Data includes Internet Protocol (IP) Address, your Login Data, data about your Browser Type and Version, Time Zone setting, Browser Plug-in Types and Versions, Operating System and Platform and other Technology on the devices you use to access this website.

Economic, Financial and Insurance Data includes Income, Investments, Heritage, Credits, Loans, Guarantees, Compensation, Banking, Payroll, Superannuation or Retirement Plans, Tax, Tax Deductions, Insurance, Subsidies, Benefits, Credit or Debit Cards.

Minors Data is any personal data when the person is under 16 years old (Kids Data).

Security Data includes Closed Circuit Television (CCTV) recordings within our stores for Safety and Security purposes.

Profile Data includes purchases made by you, your Interests, Service preferences, Feedback and Survey responses.

Aggregated Data is when you visit this website, we may also collect, use, store and share Aggregated, Anonymised Statistical or Demographic data (as cookies).

Special Category of Personal Data includes Gender Violence, Health, Exclusion Risk, Ethnic or Racial Origin, Political and Ideological Opinions, Philosophical Opinions, Beliefs, Trade Union Affiliations, Genetic or Biometric Data, and Sexual Identity.

Data relating to criminal convictions and offences.


Your personal data processing is lawful for any of the following applies:

You have given your consent to the processing of your personal data for one or more specific purposes;
It is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
It is necessary for compliance with a legal obligation to which the Controller is subject;
It is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the Data Subject is a child (under 16 years of age).

What are the purposes of the legitimate interests of the Company?

To carry out advice and control on privacy policies and protection of personal data of our clients, as well as carry out Data Protection Impact Assessment (DPIA), audits, and creation and development of Technical and Organisational Measures to apply the General Data Protection Regulation (GDPR) on our clients.


Your personal data is processed for the following purposes:


To provide and facilitate your engagement with our goods and services;
To respond to your inquiries, comments, feedback or questions related to our goods and services;
To carry out the management of the service, billing, offers, customer service and business relations;
To send communications to you regarding our goods and services, information related to our services, direct marketing, updates and changes to our terms, conditions, and policies;
To administer a promotion, contest, sweepstakes, survey or other service feature;
To maintain and improve the content and functionality of our business;
To develop new products and services;
To prevent fraud, criminal activity, or misuses of our services, and to ensure the security of our IT systems, architecture and networks;
To comply with legal obligations and legal process and to protect your Rights and Freedoms.

Potential Clients

To offer goods and services to receive specialised advice by our staff;
To respond to your inquiries, comments, feedback or questions related to our goods and services;
With your consent, receive communications about news, offers, goods and services related to the Company or our sector that may be of interest.

Web Users

To improve our goods and services offered by this website and analyse navigation, as the Company collects Aggregated Data obtained using cookies that are downloaded to your electronic device when you browse the website whose characteristics and purpose are detailed in the Cookies Policy and to analyse how you interact with our Website.

Service Suppliers

To carry out purchasing management, accounting, payments, delivery note and order management, contact and business relations with providers of goods and services.

Contact Form Users

To respond to your request or enquiry, as well as maintain a business contact initiated in the interest of our services.

Social Network Users

To inform you about our activities, products and services, if you become a follower of ‘by Data’ on social networks, as well as for any other purpose that the regulations of social networks allow. The categories of personal data, the conditions of use, the privacy policies and the rules of access to Social Media Networks, can be consulted at the following links:


In no case the Company will use the profiles of followers in social networks to send advertising individually.


In the processing of your personal data, the Company will apply the following Principles that conform to the requirements of the General Data Protection Regulation (GDPR):

Principle of Lawfulness, Fairness and Transparency: The Company will always require the consent for the processing of your personal data that may be for one or several specific purposes on which he will previously inform you with absolute transparency.

Principle of Data Minimization and Accuracy: The Company will request only the data strictly necessary for the purpose or the purposes that request them.

Principle of Limitation of the Storage Period: The data will be kept for the time strictly necessary for the purpose or purposes of the processing. The Company will inform you of the corresponding conservation period according to the purpose. In the case of subscriptions, the Company will periodically review the lists and delete those inactive records for a considerable time.

Principle of Integrity and Confidentiality: Your data will be processed in such a way that your security, confidentiality and integrity is guaranteed. You should know that the Company takes the necessary precautions to prevent unauthorised access or improper use of their users’ data by third parties.


We use different methods to collect data from and about you including through:

Personal interactions. You, an agent acting on your behalf or a holder of parental responsibility over the child, may give us your Personal Data when you:

Purchase or arrange any of our products or services from us;
Visit any of our establishments or make any enquiry in;
Contact us by post or phone call;
By a third party, contractors or subcontractors on our behalf;
Apply for a job with us.

Electronic interactions. You, an agent acting on your behalf or a holder of parental responsibility over the child, may give us your Personal Data when you:

Visit and browse our website (see our Cookie Policy for further information);
Fill our online Contact Form;
Purchase or arrange any of our products or services from us via our website;
Contact us via email, enter an online promotion, survey or feedback;
Subscribe to our Newsletter and direct marketing;
Follow us on our Social Media.

Third parties or publicly available sources. We may receive Personal Data about you from various third parties and public sources as set out below:

Analytics providers; Advertising Networks and Search information providers.
Contact, Financial and Transaction Data from providers of technical or payment services.
Identity and Contact Data from data brokers or aggregators.


When you connect to, send an email to or fill in our Online Contact Form, you are providing personal information of an identifying nature for which the Company is responsible.

By providing this information, you give your consent for your personal data to be collected, used, managed and stored by:

NIF/CIF: B65739856
6-7/11 Almagro Street, 28010 Madrid (Spain)
Webempresa is committed to the protection of personal data and applies the General Data Protection Regulation (GDPR).

To fulfill the purposes described above, when you interact with the Company, your personal data can be shared with:

Judicial Authorities, State Agencies or Public Bodies;
Professional advisers acting as Processors or joint Controllers including lawyers, bankers, consultants, security providers, auditors and insurers who provide consultancy, banking, legal, security, insurance and accounting services;
Service providers acting as processors who provide IT and system administration services on our behalf.

The following Clouding companies that we use to process your personal data:

GOOGLE (Technology, Cloud computing & Software)
1600 Amphitheatre Parkway Mountain View, CA 94043 (United States)
Google is included in the ‘EU-US Data Privacy The European Commission establishes the adequate level of protection of personal data for data processing.

We require all third parties to respect the security of your Personal Data and to process it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.


An International Transfer of personal data means any personal data transferred from a country member of the European Economic Area (EEA)* to a third country or international organisation outside the EEA.

(EEA)*: Composed of the 27 EU Member States plus Norway, Iceland and Liechtenstein).

In this case, your personal data is collected directly from outside the European Economic Area (EEA)* with your explicit consent, accepting this Privacy Policy.

Internal Transfers

We may share your Personal Data within the Company Group. As our head office is based in Australia, we ensure your Personal Data is protected by requiring all our Group companies, branches and staff to follow the same rules and security procedures when processing your Personal Data.

External Transfers

Many of our external third parties are based outside the EEA so their processing of your Personal Data will involve a transfer of data outside the EEA.

Whenever we transfer your Personal Data to third parties which are based outside the EEA, we ensure a similar degree of protection is afforded to the data by ensuring at least one of the following safeguards is implemented:

Certain non-EEA countries to which we may transfer your Personal Data have already been deemed by the European Commission to provide an adequate level of protection.

An approved Code of Conduct binding and enforceable commitments of the Company (‘Data Protection Officer’s Code of Conduct’) in the third country to apply the appropriate safeguards, including as regards Data Subjects’ rights;

As all our establishments are located outside of the EEA we collect and process your personal data because:

You have explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for you due to the absence of an adequacy decision and appropriate safeguards.
The transfer is necessary for the performance of a contract between you and the Controller, or the implementation of pre-contractual measures taken at your request;
The transfer is necessary for the conclusion or performance of a contract concluded in your interest between the Controller and other natural or legal person;

Please contact us if you want further information on the specific mechanism used by us when transferring your Personal Data out of the EEA.


Your personal data is processed during the following deadlines:

The period established by law, or
Until you exercise the Right of Erasure, or
The period necessary for the purposes for which we collected your personal data, including for the purposes of satisfying any legal, accounting, or reporting requirements.

The data will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that could be derived from said purpose and the data processing, in accordance with the regulations set forth above, in addition to the periods established in the archives and documentation regulations that may apply.


The Rights that assist you are the following

Access. Right to request information from the Company. This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.

Rectification. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Erasure (‘right to be forgotten’), This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to Object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law.

Note that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Restriction. This enables you to ask us to suspend the processing of your Personal Data in the following situations:

If you want us to establish the data’s accuracy;
Where our use of the data is unlawful, but you do not want us to erase it;
Where you need us to hold the data even if we no longer require it because you need it to establish, exercise or defend legal claims; or
You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

Portability. The right to request that the Company will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to information which was originally collected electronically and which you either consented to us using or was used to perform a contract with you.

Object. Right of a person to object to the processing of their personal data or the cessation of these. You also have the right to object where we are processing your Personal Data for direct marketing purposes (and you will always be able to opt-out via the “unsubscribe” link on an email from us). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Not be Subject to Automated individual decision-making. Right not to be subject to a decision based solely on automated processing, including profiling, that has legal effects on it or significantly affects it in a similar way.

The maximum period for the resolution of the application is 30 days from receipt, it can be extended for a maximum of 2 months whenever necessary.

To exercise your rights, you must send an email to or by post to PO Box 785 Upper Coomera QLD 4209 (Australia).

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.

We may also contact you to ask you for further information in relation to your request to speed up our response.

You will not have to pay a fee to access your Personal Data or to exercise any of the other rights. However, we may charge a reasonable fee (considering the administrative costs of providing the information) if we consider your request to be unfounded, repetitive or excessive.  Alternatively, in these circumstances, we may refuse to comply with your request, but we will provide you with a full explanation of this at the time.


You have the right to withdraw consent at any time where we are relying on consent to process your Personal Data.

However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.


You have the right to lodge a complaint with a Supervisory Authority.

You may submit a complaint if you do not receive a response to your request for the execution of your rights or if you consider that the processing of your personal data breaks the law, and it could affect your rights and freedoms.

You may submit a complaint if you do not receive a response to your request for the execution of your rights or if you consider that the processing of your personal data breaks the law, and it could affect your rights and freedoms.

Australian residents may submit a complaint to the Office of the Australian Information Commissioner (OAIC)

EU residents may submit a complaint to the Spanish Agency for Data Protection (AEPD), as it is the EU Supervisory Authority chosen by the Company for data protection issues.

All affected parties may submit a complaint to any of the European Supervisory Authorities established by the European Commission.


Where we need to collect Personal Data by law, or under the terms of a contract that we have with you, and you fail to provide truthful and accurate information when requested, we may not be able to perform the contract that we have or are trying to enter with you. In these circumstances, we have the right to cancel or refuse our services, but we will notify you if this is the case at the time.


The Company will not process your personal data for a different purpose that was collected for.

However, in case that the Company has the intention to use your personal data for another purpose, we will contact you, prior to further processing, to provide the information on that other purpose and with any relevant further information.


To protect your personal data, the Company takes all reasonable precautions and follows the best Technical and Organisational measures to avoid loss, misuse, unauthorised access, disclosure, alteration or destruction of your personal data, according to the General Data Protection Regulation (EU) 2016/679 (GDPR).

To protect your personal data, the Company takes all reasonable precautions and follows the best technical and organizational practices to avoid loss, misuse, unauthorised access, disclosure, alteration or destruction of your personal data.

The Company takes into account all security policies and procedures to guarantee your rights and freedoms, and undertakes to maintain and ensure the Confidentiality, Integrity and Availability of your Personal Data.

These Technical and Organisational measures are available for consultation by the Judicial and Supervisory Authorities, and are under continuous review and audits in data protection and privacy.


This website may contain links to and from third parties’ websites.

The personal data that you provide through these websites is not subject to this Privacy notice and the processing of your personal data by those websites is not our responsibility.

Those websites have their own privacy policies which will set out how your personal information is collected and processed when visiting those websites.


As a User of this website, you declare to have been informed of the conditions on personal data protection, you accept and consent the data processing of your personal data by the Company in the manner and for the purposes indicated in this Privacy Policy.


‘by Data’ reserves the right to modify this Privacy Policy to adapt it to legislative or jurisprudential developments, as well as to industry practices.

This policy will be in effect until they are modified by others duly published.

Last update on 30th August 2023