Privacy Policy
in accordance with the GDPR and Spanish Data Protection Law (LOPDGDD)
Last modified: 15 October 2025
Table of Contents
1. Introduction
2. Legal Framework
3. Data Controller
4. Definitions
5. What Personal Data We Collect
6. Legal Basis for Processing
7. Use and Sharing of Data
8. Role of the Client Company
9. Photography and Media
10. International Data Transfers
11. Your Rights
12. Data Retention
13. Data Security and Breach Notification
14. Protection of Minors
15. Cookies and Third-Party Services
16. Email Communications
17. Updates to this Policy
18. Contact and Supervisory Authority
1. Introduction
Meridional Events S.L. (“we”, “our”, “us”) is committed to protecting the privacy and personal data of its clients, event participants, and website users.
This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you:
- visit our website www.meridionalevents.com (the “Site”), or
- participate in any event organised or coordinated by us, either directly or on behalf of your company or employer.
2. Legal Framework
This Privacy Policy complies with:
- the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679,
- the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and
- other applicable provisions under Spanish civil, commercial, and constitutional law.
In case of discrepancy, the Spanish text shall prevail as the legally binding version.
3. Data Controller
- Meridional Events S.L.
- Tax ID: B75679035
- Address: Calle Pelayo, Málaga, Spain
- Email:
- Website: www.meridionalevents.com
4. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data for identification, health data, or data concerning a person’s sex life or sexual orientation.
- Processing: Any operation performed on personal data (collection, storage, use, transfer, deletion, etc.).
- Data Subject: The individual whose data are processed.
- Data Controller: The entity that determines the purposes and means of processing.
- Data Processor: The entity that processes personal data on behalf of a Controller.
5. What Personal Data We Collect
We may collect and process:
- Identification: Name, surname, ID/passport, nationality, date of birth.
- Contact details: Email, phone number, address.
- Professional details: Company, job title, business contact information.
- Event logistics: Travel details, accommodation preferences, activity schedules.
- Billing and payment: Invoicing details, VAT number, bank/payment information.
- Health and medical data (optional): Allergies, intolerances, chronic conditions, mobility needs, or insurance data — provided directly by you or by your employer for logistics and safety.
- Emergency contact: Name and phone number of a designated contact.
- Media: Photographs and videos taken during events.
- Communications: Emails and messages exchanged with us.
- Technical data: IP address, browser details, device information, and browsing behaviour (see section 15).
Sources of data: We obtain data (i) directly from you via our forms or communications, and/or (ii) from your employer or client company for the purpose of organising and delivering the event.
6. Legal Basis for Processing
| Purpose of Processing | Data Category | Legal Basis |
|---|---|---|
| Event coordination and logistics | Identification, contact, professional, travel/accommodation data | Contract performance (Art. 6(1)(b)) |
| Health and safety management | Health/medical data | Explicit consent (Art. 9(2)(a)); and vital interests in emergencies (Art. 9(2)(c)) |
| Billing and payment | Financial and tax data | Legal obligation (Art. 6(1)(c)) |
| Communication with participants | Contact data | Legitimate interest (Art. 6(1)(f)) or contract performance (Art. 6(1)(b)) where strictly necessary |
| Marketing communications | Contact data | Consent (Art. 6(1)(a)) |
| Photography and video | Images and media | Legitimate interest (Art. 6(1)(f)) |
| Quality control and reporting | General event data | Legitimate interest (Art. 6(1)(f)) |
Where health data are provided by a client company, the client (as Controller) is responsible for having a valid lawful basis (typically explicit consent or, in emergencies, vital interests). Meridional Events S.L. processes such data solely to ensure event safety and does not use them for any other purpose.
Where processing relies on legitimate interest, Meridional Events S.L. has performed a balancing test to ensure such interest does not override the rights and freedoms of data subjects (Art. 6(1)(f) GDPR). Special Category Data are never used for profiling or marketing under any circumstances.
7. Use and Sharing of Data
Your data may be processed for:
- event coordination and logistics,
- health and safety purposes,
- communication and administration,
- legal compliance (tax, insurance, and security),
- internal quality reporting and analysis,
- marketing (only with prior consent).
Data may be shared, strictly on a need-to-know basis, with:
- Hotels, restaurants, venues, transport providers, museums, monuments, and other necessary third parties involved in the event,
- Insurance providers or emergency services when required,
- Tax and other public authorities when legally mandated.
All sharing is limited to the minimum data necessary for the intended purpose and subject to confidentiality and security obligations. We do not sell personal data.
7.1 Processing of health data and emergency situations
Participants may voluntarily provide health-related information during the registration process (such as allergies, intolerances, accessibility needs or other relevant medical data) to ensure their safety and wellbeing during the event.
This information will be handled confidentially by Meridional Events S.L. and will not be shared with any third parties, including the participant’s employer, unless one of the following applies:
- There is a medical emergency or situation involving a serious risk to the participant’s health or physical integrity.
- It is strictly necessary to communicate the information to emergency services or a company representative to ensure proper medical care or coordination.
In such cases, the legal basis for data processing is the vital interest of the data subject, in accordance with Articles 6(1)(d) and 9(2)(c) of the EU GDPR.
We do not share health data with third parties as a general or preventive measure without the participant’s explicit consent, unless strictly required in an emergency.
8. Role of the Client Company
Depending on circumstances, Meridional Events S.L. may act as:
- Data Controller, when collecting data directly from participants; or
- Data Processor, when receiving data from the client company for event execution only.
Where we act as Processor, the Data Processing Agreement (DPA) under Article 28 GDPR forms part of the client contract by reference, and the client company (Controller) is responsible for ensuring it has a lawful basis—particularly when sharing Special Category Data—with us.
9. Photography and Media
Photos and videos may be taken during events for documentation, internal reporting, and promotional use.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR). We use media proportionately and never in a context that may harm participants’ rights.
If you appear in an image or video and wish it to be removed, please email: 
. We will handle your request promptly in accordance with Article 17 GDPR.
10. International Data Transfers
If data are transferred or stored outside the EEA, we ensure appropriate safeguards under:
- an adequacy decision of the European Commission, or
- Standard Contractual Clauses (SCCs) or other recognised safeguards.
Where service providers are located outside the EEA, such as certain Google or Microsoft services hosted in the United States, Meridional Events S.L. ensures that transfers are governed by the European Commission’s SCCs.
11. Your Rights
You may exercise the following rights: access, rectification, erasure (“right to be forgotten”), restriction or objection to processing, portability, and withdrawal of consent (without affecting the lawfulness of prior processing).
Send your request to and include a copy of your ID to verify identity. We will respond within one month, extendable by up to two months where justified (Art. 12(3) GDPR).
If you believe your rights have been infringed, you may lodge a complaint with the Agencia Española de Protección de Datos (AEPD) – www.aepd.es
12. Data Retention
Retention periods are defined in line with the principles of necessity and proportionality (Art. 5(1)(e) GDPR).
- Event-related data: up to 24 months after the event for quality and reporting.
- Medical/insurance data: up to 90 days after the event, then securely deleted or anonymised (unless otherwise required by law).
- Billing/tax data: as required by law (usually 4–10 years).
- Communications (emails/messages): up to 48 months after final interaction, unless longer retention is needed for legal defence.
- Server logs/technical records: up to 12 months, unless needed to investigate security incidents.
- Media files: retained indefinitely unless removal is requested.
13. Data Security and Breach Notification
We implement technical and organisational measures, including encrypted storage, secure servers, role-based access, continuous monitoring, and staff training. In the event of a personal data breach, we will notify the AEPD within 72 hours and the affected individuals when required (Arts. 33–34 GDPR).
14. Protection of Minors
Our services are not intended for individuals under 14 years of age. We do not knowingly collect or process data from minors under this threshold in accordance with Article 7 of the LOPDGDD. If such data were inadvertently collected, it will be erased immediately.
16. Email Communications
Emails sent by Meridional Events S.L. may contain confidential information. If received in error, please notify us and delete the message. You may unsubscribe from marketing communications at any time.
17. Updates to this Policy
This policy may be updated from time to time. Significant changes will be announced on our website or by email. Meridional Events S.L. acts under the principles of lawfulness, fairness, transparency, data minimisation, integrity/confidentiality and accountability, ensuring compliance with Articles 5 and 24 GDPR.
Automated decision-making and profiling: We do not carry out automated decisions producing legal or similar significant effects, nor profiling for marketing based on Special Category Data.
18. Contact and Supervisory Authority
Contact:
Meridional Events S.L. – Calle Pelayo, Málaga, Spain
Supervisory authority: Agencia Española de Protección de Datos (AEPD) – C/ Jorge Juan, 6 – 28001 Madrid – www.aepd.es
Contents
- 1 Privacy Policy
- 1.1 in accordance with the GDPR and Spanish Data Protection Law (LOPDGDD)
- 1.2 Table of Contents
- 1.3 1. Introduction
- 1.4 2. Legal Framework
- 1.5 3. Data Controller
- 1.6 4. Definitions
- 1.7 5. What Personal Data We Collect
- 1.8 6. Legal Basis for Processing
- 1.9 7. Use and Sharing of Data
- 1.10 8. Role of the Client Company
- 1.11 9. Photography and Media
- 1.12 10. International Data Transfers
- 1.13 11. Your Rights
- 1.14 12. Data Retention
- 1.15 13. Data Security and Breach Notification
- 1.16 14. Protection of Minors
- 1.17 15. Cookies and Third-Party Services
- 1.18 16. Email Communications
- 1.19 17. Updates to this Policy
- 1.20 18. Contact and Supervisory Authority