The following Privacy Policy has been written in accordance with the applicable Spanish Organic Law on Personal Data Protection and the EU General Data Protection Regulation 2016/679 of the European Parliament and the Council, regarding the protection of natural persons with regard to the processing of personal data and on the free movement of such data, hereinafter GDPR.

The aim of this Privacy Policy is to inform the data subjects of all aspects related to why and how the data is processed, how they can contact us to exercise their rights, how long the personal data is kept for and the security measures we take, among other things.

Data controller

The data controller responsible for the files/processing of the data collected through this website or any other means, such as telephone, email, in person, paper forms, legal documents, etc. is Innolact S.L.

Data controller: Innolact S.L.

Address: Polígono Industrial de Castro Riberas de Lea, parcelas 55 y 56, 27260, Castro de Rei, Lugo (Spain).


Processing of personal data

Only the essential personal data to identify and respond to the request made by the data subject will be collected. Said information will be processed in a fair, lawful and transparent manner. Personal data will be collected for explicit and legitimate purposes, and will not be processed in a manner incompatible with said purposes.

The data collected will be adequate, relevant and limited to what is necessary in each case, and will be updated whenever necessary.

The data subjects will be informed, prior to the collection of the data, of the main points of this policy so that they can give their express consent for the processing of the data, in accordance with the following:

Why we process personal data

The intended purpose of the personal data processing is identified in the information clause of each of the data collection channels (web forms, paper forms, posters and informative notes).

The personal data will be processed with the sole purpose of providing an effective response and addressing the requests made.


As a general rule, prior to the processing of personal data, Innolact S.L. obtains express and consent from the data subject by adding consent clauses in the different data collection systems.

However, if the consent of the data subject is not required, the legitimacy of the data processing is the existence of a specific law or norm that authorizes or requires the processing of the data.

Transfer of data

As a general rule, Innolact S.L. does not transfer data to third parties, except those legally required; however, the data subject will be informed of said transfers through the consent clauses in the different data collection systems.

Source of data

As a general rule, personal data is always collected directly from the data subject, however, in certain exceptions, the data may be collected through third parties, entities or services. In this sense, the data subject will be informed through the consent clauses in the different data collection systems and in a timely manner, no later than once month after the data has been collected.

Storage period

The data collected from the data subject will be stored for as long as it is necessary to fulfil the purpose for which the data was collected. When this purpose has been fulfilled, the data will be deleted, unless the data is needed to comply with any administrative or judicial requirements.

For information purposes, some of the legal storage periods for the data storage are as follows:

Employment or social security documentation 4 years Article 21 of the Spanish Legislative Royal Decree 5/2000 of 4 August, approving the consolidated text of the Law on Labour Law Infringements and Penalties
Accounting and tax records for business purposes 6 years Article 30 Commercial Code
Accounting and tax records for tax purposes 4 years


Articles 66 to 70 of the Spanish General Tax Law


Building access control 1 month Directive 1/1996 of the Spanish Data Protection Agency


Video surveillance 1 month Directive 1/2006 of the Spanish Data Protection Agency

Constitutional Law 4/1997


Navigation data

Regarding the navigation data that can be processed through the website, we recommended reading our Cookies Policy.

Rights of the data subject

The data protection regulations grant a series of rights to the data subjects, website users or users of Innolact S.L. social media profiles.

These rights are as follows:

Right of access: right to obtain confirmation as to whether personal data is being processed, the purposes of the processing, the categories of personal data concerned, the categories of personal data, the recipients or categories of recipient, the period for which the date will be stored and the source of said data.

Right to rectification: right to obtain the rectification of inaccurate personal data.

Right to erasure: right to obtain the erasure of personal data when the following applies:

  • When the data is no longer necessary in relation to the purposes for which it was collected.
  • When the data subject withdraws consent.
  • When the data subject objects to the processing.
  • When the data has to be erased for compliance with a legal obligation.
  • When the data has been collected in relation to the offer of information society services referred to in Article 8(1) of the European Regulation on Data Protection.

Right to object: right to object to a particular processing based on the data subject’s consent.

Right to restriction: right to obtain restriction of processing where one of the following applies:

  • When the accuracy of the data is contested by the data subject, for a period enabling the controller to verify the accuracy of said data.
  • When the processing is unlawful and the data subject opposes the erasure of the data.
  • When the controller no longer needs the data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims.
  • When the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The aforementioned rights can be exercised by sending a written communication to Innolact S.L. at, stating on the subject line the right to be exercised.

Innolact S.L. will respond to the requests as soon as possible and taking into account the deadlines established in the data protection regulations.

The data subject can at all times submit a claim to the relevant control authority.


Innolact S.L. has adopted the legally required security measures in accordance with the provisions of article 32 of the GDPR. In this sense, Innolact S.L., taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, it has implemented the appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

In any case, Innolact S.L. has implemented enough mechanisms to:

  1. Ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services.
  2. Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  3. Test, assess and evaluate on a regular basis the effectiveness of technical and organisational measures to guarantee the security of the data processing.
  4. Pseudonymise and encrypt personal data.