GDPR Rights Notice

This GDPR Rights Notice (the "Notice") is issued by BL PLATFORM S.L. (the "Controller") in its capacity as Data Controller of the personal data Processed through the B'local web platform (the "Platform"), pursuant to its obligation of transparency under Articles 12 to 14 of Regulation (EU) 2016/679 ("GDPR"). The Notice consolidates, in a single instrument, the catalogue of rights conferred upon Data Subjects and the procedure for the orderly exercise thereof.

The present Notice is supplementary to, and does not derogate from, the Privacy Policy, the Cookie Policy and the Legal Notice, with which it forms an integrated body of data-protection documentation.

The rights described in this Notice find their primary legal basis in Articles 15 to 22 of the GDPR, in Articles 13 to 18 of Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD"), and in the interpretative guidance issued by the European Data Protection Board and by the Agencia Española de Protección de Datos ("AEPD").

The rights described herein are conferred upon any identified or identifiable natural person whose personal data is Processed by the Controller (the "Data Subject"). Such rights are personal and non-transferable, save for the case of representation pursuant to Article XV below or of the post-mortem rights described in Article XIII.

The Data Subject is entitled to exercise, before the Controller, the following rights:

• Right of Access: Obtain confirmation and a copy of the personal data Processed.
• Right to Rectification: Obtain the correction of inaccurate or incomplete data.
• Right to Erasure: Obtain the deletion of data where one of the grounds of Article 17(1) GDPR applies.
• Right to Restriction: Obtain the restriction of Processing in the cases enumerated by Article 18 GDPR.
• Right to Portability: Receive personal data in a structured, commonly used and machine-readable format.
• Right to Object: Object on grounds relating to the Data Subject's particular situation.
• Automated Decision-Making: Not be subject to a decision based solely on automated processing producing legal effects or similarly significantly affecting the Data Subject.
• Withdrawal of Consent: Withdraw consent at any time without affecting the lawfulness of prior Processing.
• Complaint to a Supervisory Authority: Lodge a complaint with the AEPD or with the supervisory authority of the Data Subject's habitual residence.

The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her is being Processed and, where that is the case, access to the personal data and to the following information: the purposes of the Processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data has been or will be disclosed; the envisaged period for which the personal data will be stored; the existence of the rights enumerated in this Notice; the right to lodge a complaint with a supervisory authority; the source of the data where it has not been obtained directly from the Data Subject; the existence of automated decision-making, including profiling, and meaningful information about the logic involved, the significance and the envisaged consequences; and, where personal data is transferred to a third country, the appropriate safeguards relating to such transfer.

The Controller shall provide a copy of the personal data undergoing Processing. For any further copy requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs.

The Data Subject shall have the right to obtain from the Controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the Processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay, where one of the following grounds applies:

1. The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise Processed;
2. The Data Subject withdraws consent on which the Processing is based, and where there is no other legal ground for the Processing;
3. The Data Subject objects pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the Processing;
4. The personal data has been unlawfully Processed;
5. The personal data must be erased for compliance with a legal obligation in EU or Member-State law to which the Controller is subject.

The right to erasure is not absolute and does not apply where Processing is necessary for compliance with a legal obligation (in particular, the six-year retention of tax and billing records under Article 30 of the Spanish Commercial Code), for the establishment, exercise or defence of legal claims, or for the exercise of the right of freedom of expression and information.

The Data Subject shall have the right to obtain from the Controller restriction of Processing where one of the following applies: (i) the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify such accuracy; (ii) the Processing is unlawful and the Data Subject opposes erasure and requests restriction instead; (iii) the Controller no longer needs the data for the purposes of the Processing, but it is required by the Data Subject for the establishment, exercise or defence of legal claims; or (iv) the Data Subject has objected to the Processing pursuant to Article 21(1) GDPR, pending verification of whether the legitimate grounds of the Controller override those of the Data Subject.

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and shall have the right to transmit such data to another controller without hindrance from the Controller, where the Processing is based on consent or on the performance of a contract and is carried out by automated means.

Where technically feasible, the Data Subject shall have the right to have the personal data transmitted directly from one controller to another.

The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time, to Processing of personal data concerning him or her which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. The Controller shall no longer Process the personal data unless it demonstrates compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject, or for the establishment, exercise or defence of legal claims.

Where personal data is Processed for direct marketing purposes, the Data Subject shall have the right to object at any time to such Processing, and the Controller shall cease to Process the personal data for such purposes immediately and without justification.

The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The Controller does not carry out decisions of this nature on the public Platform; automated processing is limited to fraud-prevention, content-moderation triage and bot mitigation, which produce only automated friction (additional verification, queueing for human review).

Where, in any event, an automated process results in the suspension or termination of an account, the Data Subject shall have the right to obtain human intervention by the Controller, to express his or her point of view and to contest the decision by writing to support@blocalapp.com.

Where the lawful basis of a given Processing is the consent of the Data Subject under Article 6(1)(a) or Article 9(2)(a) GDPR, the Data Subject shall have the right to withdraw such consent at any time, by means as simple as those used to give it. The withdrawal of consent shall not affect the lawfulness of Processing based on consent prior to its withdrawal.

In accordance with Article 3 LOPDGDD, the persons linked to a deceased Data Subject by family or factual relations, as well as the heirs of the deceased, may address the Controller for the purpose of accessing the personal data of the deceased and, where appropriate, of obtaining its rectification or deletion, unless the deceased has expressly prohibited it or so provided by law.

The Data Subject may exercise any of the rights described in this Notice by means of a written request addressed to the Controller at the following address:

The request shall contain, at a minimum:

1. The identification of the Data Subject (full name and a copy of an official identity document, in accordance with Article XV);
2. A precise description of the right being invoked and of the request;
3. The address for the purposes of receiving the response;
4. The date and signature of the Data Subject;
5. Where the request is submitted through a representative, documentary evidence of the representation.

In order to prevent unauthorised disclosure of personal data, the Controller may, in accordance with Article 12(6) GDPR, request additional information necessary to confirm the identity of the Data Subject. Where the Controller has reasonable doubts concerning the identity of the requester, it may refuse to act upon the request until such doubts have been dissipated, without prejudice to the deadlines set out in Article XVI.

The Controller shall provide information on action taken on a request without undue delay and in any event within one (1) month from receipt of the request. That period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests, in which case the Controller shall inform the Data Subject of any such extension within one (1) month from receipt of the request, together with the reasons for the delay.

Information and any communication and any actions taken under Articles 15 to 22 GDPR shall be provided free of charge. Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either: (i) charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or (ii) refuse to act on the request. In any such case, the Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Where the Controller does not take action on the request of the Data Subject, the Controller shall inform the Data Subject, without delay and at the latest within one (1) month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Without prejudice to any other administrative or judicial remedy, every Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the Data Subject considers that the Processing of personal data relating to him or her infringes the GDPR.

Prior to lodging a complaint with the AEPD, the Data Subject may address the Controller at support@blocalapp.com. The Controller welcomes such prior contact and undertakes to examine the matter in good faith.

Without prejudice to any available administrative or non-judicial remedy, the Data Subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the Processing of his or her personal data in non-compliance with the Regulation, in accordance with Article 79 GDPR.

The Controller reserves the right to amend the present Notice at any time, in particular in order to reflect changes to the applicable regulatory framework or to the procedures implemented internally for the orderly handling of rights requests. The version in force is the one published at the address indicated in the canonical link of this page.