Privacy Policy

1. Data controller

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD), we inform you that the controller of your personal data is:

  • Company name: Blue Mountain Asesores, SLU
  • Tax ID (NIF/CIF): B42985432
  • Registered address: C/ Castello 36, Planta 1, 28001 Madrid, Spain
  • Telephone: +34 910 917 811 (Madrid) · +34 868 300 587 (Murcia) · +34 928 402 802 (Las Palmas)
  • Data protection email: dpo@bm.consulting
  • Website: bm.consulting

2. Data Protection Officer (DPO)

In compliance with Articles 37 to 39 of the GDPR and Articles 34 to 37 of the LOPDGDD, Blue Mountain Asesores, SLU has designated a Data Protection Officer (DPO). The DPO is the point of contact for all matters relating to the processing of personal data and the exercise of rights recognised under applicable data protection law.

You may contact our Data Protection Officer at:

  • Email: dpo@bm.consulting
  • Postal address: Data Protection Officer — Blue Mountain Asesores, SLU, C/ Castello 36, Planta 1, 28001 Madrid, Spain

The DPO acts independently and has access to the resources necessary to perform their duties in accordance with Article 38(2) of the GDPR.

3. Data we collect

Depending on the nature of your relationship with BMC, we may process the following categories of personal data:

  • Identification data: first name and surname(s), national identity document (DNI/NIE/NIF), passport number or other identity document, date of birth, signature.
  • Contact data: email address, telephone number, postal address.
  • Economic and financial data: tax information (tax identification number, tax returns), accounting data, banking and payment information. These data are processed exclusively when BMC provides tax, accounting, employment or financial legal advisory services.
  • Professional data: company name, company tax ID (NIF/CIF), position or role, economic activity (NACE code), representation data.
  • Anti-money laundering (AML) data: due diligence documentation required under Law 10/2010 of 28 April on the prevention of money laundering and financing of terrorism.
  • Browsing data: IP address, browser type and device, operating system, pages visited, session duration, cookie data (in accordance with our Cookie Policy).

As a general rule, we do not process special categories of data (health data, racial or ethnic origin, religious beliefs, etc.). However, in the course of providing payroll management and employment advisory services as data processors (Article 28 GDPR), we may access employees' health data (sick leave, medical certificates), trade union membership, or disability status on behalf of our clients. Such processing is carried out exclusively on the controller's (client's) behalf and is based on compliance with legal obligations in the field of employment and social security law (Article 9(2)(b) GDPR and Article 9 LOPDGDD).

4. Purposes of processing

Your personal data will be processed for the following purposes, subject to the legal bases and retention periods indicated:

Purpose | Legal basis | Retention period
Managing enquiries and contact requests submitted through the website and other channels | Consent (Art. 6.1.a GDPR) | 12 months from the last communication
Providing professional advisory services (tax, employment, legal, corporate, commercial) | Contract performance (Art. 6.1.b GDPR) | Duration of the contract + applicable statutory periods
Accounting management, invoicing and fulfilment of our own tax obligations | Legal obligation (Art. 6.1.c GDPR) — Spanish General Tax Law (Ley 58/2003); Companies Act (RDL 1/2010) | 4 years (tax prescription, Art. 66 LGT); 6 years (commercial obligations, Art. 30 Commercial Code)
Employment management, payroll and social security for clients | Contract performance (Art. 6.1.b GDPR); Legal obligation (Art. 6.1.c GDPR) — LGSS, ET | Duration of the contract + 4 years (prescription of labour law infractions)
Prevention of money laundering and financing of terrorism (AML/CFT) | Legal obligation (Art. 6.1.c GDPR) — Law 10/2010 of 28 April | 10 years from the end of the business relationship (Art. 25 Law 10/2010)
Sending commercial communications and newsletters on services, legislative updates and events | Consent (Art. 6.1.a GDPR); Legitimate interest for existing clients (Art. 6.1.f GDPR — Art. 21.2 LSSI) | Until consent is withdrawn or objection raised
Statistical analysis of website usage and improvement of user experience | Legitimate interest (Art. 6.1.f GDPR) | 26 months (anonymised thereafter)
Compliance with requests, inspections and obligations from administrative and judicial authorities | Legal obligation (Art. 6.1.c GDPR) | Statutory periods applicable in each case

5. Legal basis for processing

The processing of your personal data is based on the following legal grounds under Article 6 of the GDPR:

  • Consent (Art. 6.1.a GDPR): Freely given, specific, informed and unambiguous consent for purposes such as sending commercial communications, subscribing to the newsletter or using contact forms. You may withdraw your consent at any time without retroactive effect.
  • Contract performance (Art. 6.1.b GDPR): Processing is necessary for the performance of services contracted with BMC or for the application of pre-contractual measures at your request.
  • Legal obligation (Art. 6.1.c GDPR): Processing is necessary to comply with obligations imposed by tax law (LGT), commercial law (Commercial Code), employment law (ET, LGSS), anti-money laundering law (Law 10/2010) and other applicable regulations.
  • Legitimate interest (Art. 6.1.f GDPR): For purposes such as aggregate statistical analysis of the website or sending commercial communications to existing clients regarding similar services (pursuant to Art. 21.2 LSSI), provided that such interests are not overridden by the interests or fundamental rights of the data subject.

6. Recipients and data processors

Your personal data may be disclosed to the following recipients, where a legal basis exists for doing so:

  • Brevo SAS (email sending and marketing service provider, based in the European Union) — acts as a data processor under a contract pursuant to Art. 28 GDPR.
  • Railway Inc. (cloud infrastructure and hosting provider) — acts as a data processor. Its servers may be located in the European Union and/or in the United States (see section 7 on international transfers).
  • Cloud software and platform service providers used in BMC's internal management platform, bound by data processing agreements.
  • Public authorities and regulatory bodies when legally required: the Spanish Tax Agency (AEAT), the Social Security Treasury (TGSS), the Companies Register, courts and tribunals, the Executive Service of the Commission for the Prevention of Money Laundering (SEPBLAC), and any other competent authorities.
  • Financial institutions for the management of collections, payments and direct debits.
  • External professional collaborators (lawyers, auditors, notaries, experts) when necessary for the provision of services, subject to strict duties of confidentiality and, where applicable, bound by data processing agreements.

BMC does not sell or transfer personal data to third parties for their own commercial purposes. Any disclosure of data to third parties is made exclusively under a legal basis or following execution of the appropriate data processing agreement in accordance with Article 28 of the GDPR.

7. International data transfers

As a general rule, BMC processes your data within the European Economic Area (EEA). However, some of our technology providers may process data in third countries:

  • Railway Inc. (United States): Railway may store or process data on servers located in the United States. This transfer is covered by the European Commission's Adequacy Decision on the EU-US Data Privacy Framework (DPF), adopted on 10 July 2023 (Implementing Decision 2023/1795). Additionally, BMC has executed the European Commission's Standard Contractual Clauses (SCCs) as a complementary safeguard mechanism.

Should any other international transfer become necessary, BMC will ensure that appropriate safeguards as provided for in Chapter V of the GDPR are in place (Standard Contractual Clauses adopted by the European Commission, Binding Corporate Rules, or other adequacy mechanisms). You may obtain information about the applicable safeguards by contacting our DPO at dpo@bm.consulting.

8. Data retention periods

Personal data will be retained for the time necessary for the purposes for which it was collected and, in any case, for the minimum periods required by law. Once those periods have elapsed, data will be erased or irreversibly anonymised.

Data category | Retention period | Legal basis
Website contact form data | 12 months from the last communication | Art. 6.1.a GDPR (consent)
Client contractual data | Duration of the relationship + 6 years | Art. 30 Spanish Commercial Code
Tax and fiscal data | 4 years (tax prescription period) | Art. 66 Law 58/2003, Spanish General Tax Law
Employment and social security data | 4 years (prescription of labour law infractions) | LGSS; ET; LISOS
AML/CFT due diligence documentation | 10 years from the end of the business relationship | Art. 25 Law 10/2010 of 28 April
Commercial communications (newsletter) | Until consent is withdrawn or objection raised | Art. 6.1.a GDPR; Art. 21 LSSI
Browsing and web analytics data | 26 months (anonymised thereafter) | Art. 6.1.f GDPR; GDPR Recital 26

During the retention period, data will be properly blocked with restricted access and used only for compliance with legal obligations or to address potential claims.

9. Data subject rights

In accordance with Articles 15 to 22 of the GDPR and Articles 12 to 18 of the LOPDGDD, you have the right to:

  • Access (Art. 15 GDPR): Know whether we process your personal data and obtain a copy thereof, as well as information about the purposes, categories of data, recipients and retention periods.
  • Rectification (Art. 16 GDPR): Request the correction of inaccurate data or the completion of incomplete data.
  • Erasure ("right to be forgotten", Art. 17 GDPR): Request the deletion of your data when, among other circumstances, it is no longer necessary for the purposes for which it was collected or you have withdrawn your consent.
  • Restriction of processing (Art. 18 GDPR): Request the suspension of processing in certain circumstances (e.g., while the accuracy of contested data is being verified).
  • Data portability (Art. 20 GDPR): Receive your data in a structured, commonly used and machine-readable format, and request its direct transmission to another controller, where processing is based on consent or on the performance of a contract.
  • Objection (Art. 21 GDPR): Object to the processing of your data at any time on grounds relating to your particular situation, where processing is based on the legitimate interests of the controller.
  • Not to be subject to automated decisions (Art. 22 GDPR): Not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you.
  • Withdrawal of consent: Withdraw at any time any consent previously given, without affecting the lawfulness of processing carried out prior to such withdrawal.

How to exercise your rights: You may exercise any of these rights by sending an email to dpo@bm.consulting or by written request to BMC's registered address, enclosing in either case a copy of your national identity document, NIE, passport or other valid identity document proving your identity.

Response period: We will respond within a maximum of one month from receipt of your request. This period may be extended by a further two months where necessary, having regard to the complexity and number of requests, in which case we will inform you within the first month of the extension and the reasons for it (Art. 12.3 GDPR).

10. Security measures

In accordance with Article 32 of the GDPR, BMC has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of communications: All communications between users and the website are encrypted using TLS/SSL protocols (HTTPS).
  • Role-based access control: Access to personal data is restricted to staff who need it for the performance of their duties, through authentication systems and permission management.
  • Encryption of data at rest: Data stored on our platform is encrypted to prevent unauthorised access.
  • Regular backups: Regular backups of data are performed to ensure availability and integrity in the event of incidents.
  • Staff training: BMC staff receive regular training on data protection and information security.
  • Periodic security assessments: Security reviews and audits are conducted regularly to identify and remediate vulnerabilities.
  • Incident response plan: We maintain documented procedures for the detection, management, notification and resolution of security incidents affecting personal data.

11. Security breach notification

In the event of a personal data breach, BMC will act as follows, in accordance with Articles 33 and 34 of the GDPR:

  • Notification to the AEPD (Art. 33 GDPR): Within 72 hours of becoming aware of a breach, we will notify the Spanish Data Protection Agency (AEPD), unless it is unlikely that the breach will result in a risk to the rights and freedoms of natural persons.
  • Communication to data subjects (Art. 34 GDPR): Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, we will communicate this to you without undue delay, with clear information about the nature of the breach, its likely consequences and the measures taken or proposed to address it.

If you become aware of or suspect any security incident involving your data, please notify us immediately at dpo@bm.consulting.

12. Processing of minors' data

In accordance with Article 7 of the LOPDGDD, the processing of personal data of minors under 14 years of age requires the consent of their parents or legal guardians.

BMC's services are directed exclusively to adults and to companies and professionals. We do not knowingly collect personal data from children under 14 years of age. If we become aware that we have collected data from a minor without the required parental consent, we will delete it immediately. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at dpo@bm.consulting.

13. Automated decisions and profiling

In accordance with Article 22 of the GDPR, BMC does not make automated individual decisions nor engage in profiling that produces legal effects on data subjects or similarly significantly affects them. The processing of your data always involves human intervention in decisions that concern you.

14. Right to lodge a complaint with the AEPD

Without prejudice to any other administrative or judicial remedy, if you consider that the processing of your personal data infringes the GDPR or the LOPDGDD, you have the right to lodge a complaint with the competent supervisory authority. In Spain, that authority is the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD):

  • Address: C/ Jorge Juan 6, 28001 Madrid, Spain
  • Telephone: +34 91 266 35 17
  • Website: www.aepd.es
  • Electronic office: sedeagpd.gob.es

Before lodging a complaint with the AEPD, we invite you to contact our DPO at dpo@bm.consulting, where we will endeavour to resolve your query or complaint as promptly as possible.

15. Amendments to this privacy policy

BMC reserves the right to amend this privacy policy to reflect changes in legislation, case law or professional practice. Amendments will be notified to users by publication on this website, with the date of the update indicated. We recommend that you review this page periodically.

Last updated: 12 March 2026.
