Privacy Policy

Data protection information

Nalanda makes available the web pages located at the URLs and or accessible through an application for mobile devices (hereinafter, “Web Platform ”).This Privacy Policy is generated, in order to provide information on how we treat your personal data and protect your privacy.

We kindly ask you to carefully read this Privacy Policy. It may be modified when necessary but in case of modifications, we will notify you through the web platform, or by other means, so that you can update with the new privacy conditions. Continuing to make use of the functionalities made available by the data controller after having notified the aforementioned modifications will mean that you agree with them, except for those cases in which your express consent is necessary.

The data implemented into the Web Platform for the provision of document management services are owned by the contracting entities and / or subcontractors. Between Nalanda and a client (regardless of their position as a contractor or subcontractor in the provision of services) governs a relationship of treatment order in terms of data protection. Nalanda and the client are holding the position of data controllers. The responsibilities of Nalanda and the client are defined in the sections “Responsibilities of Nalanda as data controller” and “Responsibilities of the client as data controller”.

In case that the client subcontracts other companies or freelancers, both the client and Nalanda will have access to the documents of their subcontractors at different levels and in turn to the documentation of the workers involved in each project. In the event that it accesses the documentation of its lower levels according to the subcontracting chain, the client will be responsible for obtaining the relevant authorization for its lower subcontractors and / or its self-employed / workers and will guarantee that it has sufficient legitimacy, regulating its relationship in accordance with the regulations regarding the protection of personal data.


Why do we process your personal data?

The personal data that are provided by the users of this Web Platform will be processed for the following purposes:

  • In case you are a client and / user of Nalanda, or are in the process of contracting a service provided by Nalanda:
    • Processing of the registration process.
    • Management and maintenance of the users of the Nalanda portal.
    • Management and maintenance of Nalanda clients.
  • In the event that your professional data is included in any of the complementary services provided by Nalanda, your data will be processed for the following purposes:
    • Administration of the web directory “Orange Pages”. The processing of data for this purpose could include the publication of the professional contact data (may include name and surname) of certain interlocutors or administrators of the entities that are clients of Nalanda in order to list and classify the companies that participate in the Nalanda platform and promote relationships between them.
    • Administration of the purchase tool. The data processing for this purpose could include the publication of professional contact data necessary to enable the management of the sale and purchase operations carried out through the tool.
    • Administration of the electronic invoice tool. For correct sending and receiving of invoices, we will collect the data of the person in charge of sending / receiving each company and its different delegations / centers.
    • Administration of the homologation service. Nalanda will request the data of the Compliance person and those responsible for Homologation / Compliance of the company to carry out the communications that, for business, are necessary.
    • Document management tool. The processing of data for this purpose could include the publication of professional contact details necessary to enable the management of the validation and authorization operations carried out through the tool.
  • Purposes related to commercial communications:
      • Commercial communications about Nalanda products and services.
      • Commercial communications from third parties with whom Nalanda has collaboration agreements.


What data is processed and from what sources do they come?

The data that Nalanda treats as a result of the interactions made by the user through our Web Platform come from the following sources:

  • Data provided by the client / user, or by a third party on their behalf, by filling in the forms made available in the registration process or through the registration process by other means such as, for example, the service of Customer Support.
  • Data generated as a result of the development, processing and maintenance of the relationship established between the user and Nalanda.

Nalanda may process personal data of the following types, depending on the relationship established with the client / user:

  • Identification and contact data (eg: name and surname, professional telephone number, professional email, IP address, etc.).
  • Economic and financial data (eg: means of payment of which you were the owner as a natural person, etc.).
  • Academic and professional data (eg: your position within an organization, etc.).

To guarantee the proper management of the processing of your data, Nalanda has designated a Data Protection Delegate, who you can contact for any questions you may need and who you can contact at the email address: .

What is the legal legitimacy for the processing of your data?

Nalanda treats the personal data of the users of the Web Platform in accordance with the following legitimating bases, depending on the type of data and the interactions between the client / user and Nalanda:

  • Execution of the contractual relationship established between Nalanda and the client, in relation to the purposes of processing the registration and the management and maintenance of clients and users of the Nalanda portal.
  • Compliance with legal obligations applicable to Nalanda, such as tax and billing obligations, in relation to the management and maintenance purposes of clients and users of the Nalanda portal.
  • Nalanda’s legitimate interest, in relation to the purpose of sending advertising and promotional information related to Nalanda’s products and services, in the case of Nalanda’s clients.
  • Legitimate interest of third parties, in relation to the purposes of the purchase tool, “Orange Pages”, approval service, document management service and electronic invoice service. Said legitimate interests of the Nalanda platform clients must with -be considered in connection with article 19 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights, as long as said data is necessary for the professional location of the interested party and that the purpose is solely to maintain relations with the legal person in which the natural person provides services, or, if it is a freelance worker or professional.
  • Consent, in the event that it has been provided, for the purpose of sending advertising and promotional information regarding Nalanda’s products and services, as well as third-party products with whom Nalanda has collaboration agreements.
  • We will not transfer your data to non-client companies, unless there is an explicit document or contract with authorization for the proper functioning of our services.

Who is your data communicated to?

Nalanda informs interested parties that the processing of personal data described and reported in this Privacy Policy does not imply any communications or transfer of their data by Nalanda to third parties. However, to the extent that certain functionalities of the platform imply the dissemination of certain professional data (in a restricted manner), those entities that are clients / users of the platform made available by Nalanda could be recipients of the data.

How long do we keep your data?

Personal data will be kept for the duration of the relationship established with Nalanda and / or to achieve the intended purpose of treatment, as well as during the required legal periods.

Subsequently, the client may require that we completely delete their information, in which case it will no longer be accessible. To process this request, you must contact our data protection officer and write to In compliance with the principle of limitation of the conservation period, we reserve the right to keep the data and documentation for the duration of the contractual relationship and subsequently for the time necessary for the specific purposes for which they have been collected in order to comply with legal obligations and the responsibilities derived from said treatments based on the applicable regulations such as the prevention of possible inspections, for which custody is agreed during a subsequent period of prudence.

What information should you provide us?

Nalanda informs customers and users that it will be necessary to provide, at least, those data marked with an asterisk (*) in the registration form. These data are strictly necessary to acquire the status of registered customer and, eventually, user, the inclusion of data in the remaining fields being voluntary.

In case of not providing at least such data, considered necessary, Nalanda will not be able to manage the registration process or carry out the provision of the service.

What must you guarantee us when providing your personal data?

The user guarantees that the data provided are true, accurate, complete and updated, being responsible for any damage or loss, direct or indirect, that may be caused as a result of the breach of such obligation.

When the user provides data belonging to a third party, they guarantee that they have informed said third party of all the aspects contained in this Privacy Policy and obtained their authorization, or have sufficient legitimacy, to provide us with their data to the purpose of the treatment in question.

What do we do to protect your personal data?

In response to Nalanda’s concern to guarantee the security and confidentiality of your data, the security levels required for the protection of personal data have been adopted and the technical means at its disposal have been installed to avoid loss, misuse, alteration, unauthorized access and theft of personal data provided through the web platform.

What are your rights over your personal data?

Nalanda informs you that you have the right to obtain confirmation about whether we are treating personal data that concerns you or not.

In the same way, Nalanda informs you that you have the following rights over your personal data:

  • Access your data: You have the right to access your data to find out what personal data we are dealing with that concerns you.
  • Request the rectification or deletion of your data: in certain circumstances, you have the right to rectify those personal data that you consider inaccurate and that concern you, and that are subject to treatment by Nalanda, as well as the right to request the deletion of your data when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
  • Request the limitation of the processing of your data: in certain circumstances, you have the right to request the limitation of the processing of your data, in which case we inform you that we will only keep the data on which you have requested limitation in the treatment for the exercise or defense of claims.
  • To the portability of your data: in certain circumstances, you have the right to receive the personal data that concern you, and that you have provided us, in a structured format of common use and mechanical reading, as well as to have them transmitted by Nalanda to another controller.
  • Oppose the processing of your data: in certain circumstances and for reasons related to your particular situation, you will have the right to oppose the processing of your data in which case, we would stop processing them unless we must continue to do so for compelling legitimate reasons or  for the exercise or the defense of possible claims. Likewise, we remind you that you have the right to withdraw any of the consents that you have given for the processing of your data, without affecting the legality of the treatment based on the consent prior to its withdrawal.


Nalanda informs you that they may exercise the rights over your personal data by writing to NALANDA GLOBAL, S.A. To which you must accompany a copy of your ID, NIE, Passport or equivalent document, on both sides, in order to prove your identity, and that you must send to the following address: Nalanda will provide you with the requested information within a maximum period of 1 month from the receipt of the request, although we inform you that this period could be extended for another 2 months taking into account the complexity and number of requests. Finally, we inform you that you can file a claim with the competent Control Authority in matters of data protection, in Spain being the Spanish Agency for Data Protection ( However, in the first instance, you may file a claim with the Data Protection Officer, who will resolve the claim within a maximum period of two months.

Nalanda as data controller

NALANDA GLOBAL, S.A, with CIF A82692617 and address at Proción Street, 7- Building América II Entrance 4, 2º I, 28023, Madrid is responsible for the personal data of our employees, direct customers, suppliers, etc. For any questions related to this treatment, you can contact

Responsibilities of Nalanda as data controller

Nalanda, as the data controller, will carry out the processing of personal data derived from the provision of the contracted service, in accordance with the following conditions:

  • It will be limited to carry out the actions that are necessary to provide the client with the contracted Service.
  • It will not carry out any other treatment on personal data, nor will it apply or use the data for a purpose other than the provision of the contracted Service.
  • Guarantees that the persons authorized to process the client’s personal data have expressly and in writing committed to respecting confidentiality and complying with security measures and that they have been adequately trained in data protection.
  • It will immediately inform the client if, in its opinion, it considers that any of the instructions transmitted by the client violates the GDPR or any other provision on data protection of the Union or of the Member States.
  • Keep a record, in writing, of the treatment activities carried out on behalf of the client.
  • Provide support to the client in conducting impact assessments on data protection and prior consultation, where appropriate.
  • Make available to the client the information necessary to demonstrate compliance with its obligations, as well as allow and actively collaborate in the performance of audits. In this sense, the client, prior notice of thirty (30) business days, if possible, may appear at the Nalanda facilities, in order to carry out the controls and on-site audits that they deem appropriate, as long as they do not exceed the limit of one face-to-face audit per calendar year.
  • It will implement the security measures described in the general conditions, to guarantee the confidentiality, integrity, availability and permanent resilience of the treatment systems and services.
  • Notify the client, without undue delay, and in any case before the maximum period of 72 hours, the violations of the security of personal data in his charge of which he has knowledge.
  • It will destroy the personal data that is the responsibility of the client, once the services have been rendered. Without prejudice to the possibility that the client expressly requests the return of the commissioned data, before the end of the service.
  • It will assist the client in responding to the exercise of the interested parties, as well as in notifying the client of the rights that will be exercised directly before Nalanda, which will be notified within a maximum period of five business days.

Responsibilities of the client as data controller

The client, as data controller:

  • Will comply with current legislation on labor, subcontracting and coordination of business activities in the instructions given to Nalanda as a result of the provision of services.
  • It will guarantee to have sufficient legitimacy to upload, download or carry out any processing activity on documentation containing personal data, through Nalanda tools.
  • It will ensure, previously and throughout the treatment, compliance with the RGPD and other regulations that may be applicable, as well as its obligations as data controller. Authorizes Nalanda to subcontract the services that are part of the Service to Nalanda Panama, Nalanda Colombia and Nalanda Chile, who hold the position of sub-processors. The international data transfers that may occur due to the services of these sub-processors are guaranteed by the Standard Contractual Clauses adopted in the Commission Decision of February 5, 2010. If it is necessary to subcontract a service in the future, the identifying data of the supplier will be incorporated into the list and previously communicated to the client, who may express his opposition within 10 days of notification. If no such opposition occurs, the incorporation of the subcontractor as sub-manager of treatment will be understood to be authorized. In any case, Nalanda guarantees that the sub-manager is subject to the same conditions established in this clause.
  • Authorizes and entrusts Nalanda the formalization, on behalf of the client, of the Standard Contractual Clauses with the treatment sub-manager (s) (data importer / s), by which the International Data Transfers necessary for the correct performance of the obligations established in this treatment order entered into between the client and Nalanda (as data exporter).