CUSTOMER AND SERVICE USER DATA PROTECTION POLICY

 

EMUASA assumes a strong commitment to the protection of personal data. The purpose of this personal data privacy policy is to inform about the measures applied in the collection of personal data during its activities. This Policy may evolve over time to adapt where appropriate to the legal context in Spain and in the European Union or to accommodate the recommendations or decisions taken by the Spanish Data Protection Agency and the European Data Protection Committee.

 

1. What is the purpose of this Personal Data Protection Policy?

This Privacy Policy aims to inform about the way in which we obtain, process, and protect the personal data of our customers and those people who contact the company in relation to them, and in this regard, this Policy is applicable to:

• People who want to hire or who maintain a contract or policy in force with EMUASA for the provision of some service. Customer or subscriber of the service.
• People who contact to report service incidents, make inquiries, file complaints or claims of any kind without maintaining a contractual relationship with EMUASA. For example, for inquiries about general service conditions, to report leaks in public roads, to communicate breakdowns, to report frauds, etc.
• Finally, it also refers to those people, third parties different from the client, whose data appear in a contract file because they have been informed by the client himself or by the interested party, such as those authorized by the owner to carry out procedures in the contract, as contact for notifications, as tenants of the property, or those whose payment details are indicated in the contract for the payment of receipts.

 

2. Who is controller for the data provided?

The controller is the Empresa Municipal de Abastecimiento y Saneamiento de Murcia, S.A. (hereinafter, EMUASA), with CIF number A-30054209 and address at Plaza Circular, nº 9, Murcia.

EMUASA is a company that manages the supply of drinking water, which is governed in its operation, among other regulations, by the Regulation of the Municipal Service of Domestic Supply of Drinking Water, BORM No. 247 27/10/2013 and BORM No. 74 30/03/1987, by the Regulation of the sewerage and wastewater drainage service of Murcia, BORM No. 154 07/07/1986, by Law 9/2017, of November 8, of Public Sector Contracts, by Law 3/2000, of July 12, of Sanitation and Purification of Wastewater from the Region of Murcia and Implementation of the Sanitation Fee, etc. The applicable regulations can be consulted in http://portaltransparencia.emuasa.es/normativa-aplicable.

 

3. What kind of data does EMUASA handle?

EMUASA will process the following categories of personal data:

• Identification data: first and last name, and ID number. Contact information: phone number, email, and mailing address.
• Economic: bank account number, if you choose this payment method.
• Information about the property for which the contract is requested: address of the supply point, cadastral reference, as well as the data contained in the documents provided to accredit your relationship with the property (rent, ownership, etc.).

• Representation data: powers of attorney, notarial deeds, company and professional contact details (in case of acting on behalf of a company).

• Consumption data: consumption readings, incidents and consumption alerts.

• Technical data of the contracted service: meter number, type of consumption of the supply point.

• Economic and billing data: invoice amount, payments and defaults.

• Data associated with a debt claim file for non-payment or fraud: claims, criminal offenses. 

• Other different data from the previous ones voluntarily provided by the customer or user of the services when contacting us for any reason (in complaints, claims, inquiries). 

• Third-party data that you voluntarily provide and that will be integrated into the contract file: contact information of a third party for notifications, data of third parties who are authorized by the client to carry out various tasks on their behalf in relation to their contract. 

• Signature: Digital signature data; handwritten signature. 

• Image and voice: recorded during phone calls, in video conferences, in dialogues through virtual environments. 

• Other data and documents required to access the social rate and special rates approved by the Murcia City Council in the terms published in the "ORDINANCE REGULATING WATER, SEWERAGE AND METER CONSERVATION RATES" Approved in the Plenary of the Excmo. Murcia City Council, on July 31, 2019, published in the B.O.R.M. no. 185 dated 08/12/2019 and added corrections in the B.O.R.M. no. 212 dated 09/13/2019. Among them are special category data (disability data) and other particularly sensitive data (social circumstances, vulnerable group, victims of gender violence, etc.). This data is required by the Murcia City Council to access these rates.  

• Data from publicly accessible sources: cadastral data when necessary to verify the location of a supply point and its connection.

• Exploration data, activity on the Website, (cookies), if you access the Aguas de Murcia website. If you access the Virtual Office, your access and connection data will also be collected (credentials, IP address, device type and ID, browser type and language, domain through which you access). All this information is indicated and collected in detail in the Cookie Policy available on. https://www.emuasa.es/politica-de-cookies.

The website contains its own "Web Privacy Policy" which you can consult at the following link https://www.emuasa.es/aviso-legal.

On the other hand, anyone who is a client of the service will be able to register at the Virtual Office and carry out all the enabled procedures and management ("Virtual Office procedures"). To sign up for the Virtual Office, the client must accept its terms of use (please refer to the Terms of Use of the Virtual Office in https://www.emuasa.es/condiciones-uso).

 

4. Procedures carried out by a third party or on behalf of a company and by Property Administrators.

As a general rule, all procedures and actions that involve personal data processing will be carried out by a person on their own behalf and in this case will only provide personal data for which they are the owner. However, it will be allowed for the user to provide data from a third party provided that: (i) they have obtained the data lawfully and with their authorization; (ii) they have informed the affected party, when appropriate, of the procedure or inquiry they are going to make, and (iii) they have a legitimate interest in carrying out the management that they initiate. In this sense, actions can be carried out on behalf of third parties in the case of:

• Person with express authorization from the holder.
• Representatives or contact persons of legal entities acting on their behalf.
• Duly registered Property Administrators, acting on behalf of homeowners' associations and other clients.

The personal data of representatives, contact persons and Real Estate Administrators will be processed, based on legitimate interest (article 6.1.f) of Regulation (EU) 2016/679 and article 19 of Organic Law 3/2018), with the sole purpose of managing the request made on behalf of a third party.

In the event that you provide third party data to EMUASA, you become solely responsible to them and guarantee that you have obtained the authorization from these individuals to provide their data and have informed them about the purpose of the processing. You also guarantee that the data you have provided is accurate and up-to-date, being responsible for any damage or harm, direct or indirect, that could occur as a consequence of the non-compliance with such obligation.

 

5. What do we use your personal data for and what is the basis for legitimization?

The data will be processed for some of the purposes and with the legitimizing basis indicated below:

• To provide the contracted service as the main purpose and for this: to process registrations, cancellations or changes of ownership; to assign the rates, or discounts that correspond to the requested and applied ones; to carry out periodic readings; to issue invoices; to communicate through any of the contact methods that have been provided to us including electronic ones; to attend to or inform you about any incident related to the service (scheduled cuts, possible leak in your facilities, upcoming receipt or repeated non-payments, etc.); to carry out debt collection actions including the claim of non-payments; other administrative actions, including those necessary to maintain the accuracy of the data and to address issues that you raise with this service in relation to your contract or the contracted service. To leave a trace of the actions taken by phone or in virtual environments, if this service is activated, the recording of the calls will be saved.

These treatments are necessary for the execution of the contract (Article 6.1.b) of Regulation (EU) 2016/679).

In the case of special category data processing to assign a social rate, the legitimizing basis will be the consent granted when making the request. (Article 6.1.a) of Regulation (EU) 2016/679).

• The personal data of representatives, contact persons and Property Administrators will be processed on the basis of legitimate interest (article 6.1.f) of Regulation (EU) 2016/679 and art.19 of Organic Law 3/2018), with the sole purpose of managing the request made on behalf of a third party.
• To address incidents and inquiries about the service not related to a supply contract, made by any interested party. The data of the person who contacts will be processed based on the consent granted when making contact with the company. (Article 6.1.a) of Regulation (EU) 2016/679).
• To manage the signing of documents through the OTP SMS (One Time Password) signing process, the signing operation is linked to the signer through the mobile phone number provided by the customer and with the content through the OTP calculation algorithm. The processing of this data is necessary to maintain the contractual relationship with our customers and provide this service if they request it (Article 6.1.b) of Regulation (EU) 2016/679).
• To calculate the performance of the network to detect water leaks and fraud with the aim of ensuring an adequate flow to the supply network. Aggregate data from the consumption of the entire population will be used and, if appropriate, fraud in water consumption will be reported and the defrauded amount will be claimed. The processing of these data is based on the legitimate interest of the company in ensuring supply to the population's needs. There is the possibility to object to this processing. However, you will not be able to object to the processing that the company must carry out to report and/or claim the detected fraud.
• Manage access and use of the virtual office. The processing of this data is based on the existence of a contractual relationship.
• Creating a profile through continuous monitoring of water consumption, as well as using other data that have been provided to us, to offer promotions and personalized services related to the water sector, as long as we have your consent. For this, among other things, the data obtained through remote reading will be used, allowing among other things to know in real time the water consumption that is being made. The processing of data for this purpose is based on consent.
• To carry out statistical studies and customer satisfaction surveys in relation to the contracted service, which help us improve the service or design new features. This treatment is based on the legitimate interest in knowing your level of satisfaction and detecting areas for improvement in relation to the services provided. Opposition to this treatment is possible.
• To send perception surveys about EMUASA or the business group to which it belongs. These surveys are not directly related to the provision of the contracted service, so they will only be conducted if explicit consent is given, which can be revoked at any time.
• To send promotional communications about the products, services, and events organized by EMUASA and the business group it belongs to. These communications can be made even by electronic means. This activity requires explicit consent that can be revoked at any time.
• To offer promotions and personalized services related to the water sector based on a customer profile developed from consumption data, billing data, and technical data of the contracted service. This activity requires express consent that can be revoked at any time.
• To define debt collection and recovery actions based on a customer profile created from the number of unpaid invoices, amount owed, and age of debt from a contract. This treatment is based on the company's legitimate interest in streamlining the debt claim by adjusting to the individual payment and non-payment characteristics of each customer. It is possible to object to this treatment.

For the previous treatments based on legitimate interest, EMUASA has carried out the corresponding balance report of the interests pursued by the controller and the fundamental rights and freedoms of the interested parties. In case of doubt about them, you can send your query to the company's DPO.

 

6. Who can access your personal data?

EMUASA has service providers for the performance of some tasks inherent to the contract (customer service support, legal advice, invoice printing and mailing, technological services, storage and destruction of physical files, among others). These providers may need to access your personal data to carry out these tasks. EMUASA guarantees that these providers have signed a contract for the processing and will only handle your personal data under express instructions and will not use them for their own purposes or different from those detailed in this Policy.

Some of our suppliers are located in countries outside the European Economic Area (EEA) or, being located in the EEA, they share information with other entities located outside of that territory. In any case, EMUASA guarantees that:

• Transfers are made to countries that the European Commission has declared provide a level of protection comparable to the European one.
• In the absence of such a declaration of adequacy, the Standard Contractual Clauses approved by the Commission have been signed. You can consult this information on the AEPD page: https://www.aepd.es/es/derechos-y-deberes/cumple-tus-deberes/medidas-de-cumplimiento/transferencias-internacionales

For more information on this subject, please contact the Data Protection Officer.

 

7. Who do we communicate your data to?

EMUASA does not share your personal data with third parties, unless we have consent or are required by law.

When your consent is necessary to communicate your personal data to third parties, in the data collection forms we will inform you of the purpose of processing the data subject to communication, as well as the identity or sectors of activity of the possible recipients of your personal data.

EMUASA is obliged to communicate your data to the following entities and for the purposes and reasons indicated below:

Entity	Purpose	This communication is legal according to:
Murcia City Council	Collection of the garbage fee by the City Council.	Fiscal Ordinance of October 16, 1989 Official Bulletin of the Region no. 286, of December 15, 1989.
Murcia City Council Social Services	Before applying the flat rate of the social fund, we need approval from the Social Services of the Murcia City Council.	Collaboration agreement between EMUASA and the Murcia City Council for the control and regulation of the Social Fund signed on March 27, 2024.
Tax Agency (AEAT)	Compliance with tax obligations: Submission of issued and received invoices.	Immediate Information Supply System (SII), regulated in the RD 596/2016, of December 2 and by the Order HFP/417/2017, of May 12.
Regional Entity for Sanitation and Purification of Wastewater (ESAMUR)	Collection of the sanitation fee.	Law 3/2000, of July 12, on Sanitation and Purification of Wastewater in the Region of Murcia and Implementation of the Sanitation Fee, the current rate and the Regulation that develops it.

 

8. How long do we keep the data?

Customer data will be retained as long as the contractual relationship is maintained in order to manage it properly. Once this relationship has ended (after the deadlines for the collection of outstanding receipts and resolved conflicts related to the service), we must retain your data properly blocked for an additional period in which there may be legal responsibilities arising from services provided or treatments performed.

The data of non-customers provided for other management processes (inquiries, fraud communications...) will be kept for the time necessary to manage your request, plus an additional period to address possible legal responsibilities arising from it.

In case you have authorized the sending of commercial communications, we will keep your data until the moment you indicate to us that you want to stop receiving our offers, even if the contractual relationship with us has ended.

The data will be kept for the strictly necessary time to fulfill the purposes described in the previous sections. After this period, the data will be blocked for an additional period in order to address possible legal responsibilities derived from the same. Subsequently, they will be permanently deleted.

 

9. What are the rights regarding data protection and how can they be exercised?

The Law recognizes the following rights in terms of data protection for you:

Right	Content
Access	Check your personal data included in the EMUASA databases.
Rectification	Modify your personal data when it is inaccurate or incomplete.
Eurases	Request that we delete your personal data.
Opposition	Oppose the treatment of your personal data for purposes based on public interest or legitimate interest.
Treatment limitation	Request the limitation of the processing of your data in the following cases:  While the challenge to the accuracy of your data is being verified. When the treatment is illegal, but you oppose the deletion of your data. When EMUASA does not need to process your data, but the customer or user needs them for the exercise or defense of claims. When you have objected to the processing of your data for the fulfillment of a mission in the public interest or for the satisfaction of a legitimate interest, while it is verified if the legitimate reasons for the processing prevail over yours.
Portability	Receive, in electronic format, the personal data that you have provided to us, as well as to transmit them to another Data Controller.

To exercise the aforementioned rights, or to revoke the consent given for any of the indicated purposes, it will be enough to send a request through any of the following means indicating in the subject "Data Protection":

• By postal mail to the address: Pza. Circular, 9 30008 Murcia.
• By email: dpd@emuasa.es
• Through the website contact: https://www.emuasa.es/contacta.

You can also register the request at the service offices. The applicant must be sufficiently identified in the request. When the person responsible for processing has reasonable doubts about the applicant's identity, they may ask for additional information necessary to confirm their identity. In the event that action is taken through legal representation, the representative's ID and proof of representation must also be provided.

The exercise of rights is free of charge, however, EMUASA reserves the right to charge a fee when requests are manifestly unfounded or excessive, especially due to their repetitive nature. In this case, EMUASA may choose not to respond to the received request.

 

10. Data Protection Officer of EMUASA.

EMUASA has appointed a Data Protection Officer who can be contacted if you have any questions or complaints about data protection. The complaint will be investigated confidentially. You can contact our Data Protection Officer by any of the following means:

• Email: dpd@emuasa.es
• Postal Mail: Pza. Circular 9 30008 Murcia. For the attention of the Data Protection Delegate.

In any case, as an affected or interested party, you can file a complaint with the competent data protection authority, in this case, the Spanish Data Protection Agency https://www.aepd.es/

Policy revised on April 8, 2024.