This Privacy Policy was created in light of the current legislation on data protection, Regulation 2016/679 of the European Parliament and the Council, dated 27 April 2016, on the protection of physical persons in the matter of the processing of personal data and the circulation of said data (henceforth, GDPR) and Organic Law 3/2018, dated 5 December, on Personal Data Protection and the assurance of digital rights (henceforth, LOPDFDD).
The purpose of this Privacy Policy is to inform those to whom the personal data which has been collected pertains of the specific details regarding the processing of their data. Amongst other matters, this covers processing purpose, contact information so their rights can be exercised, the period for which data is retained and safety measures in place.

1. Data Controller

TIN: B50852763
Address: Carretera Cogullada Nº 65 (Mercazaragoza) – 50014 Zaragoza.
Tel. No. +34 976 47 96 58


2. Purpose of data gathering

The specific purpose for which each processing is undertaken is detailed in the informational clauses included in the data-gathering channels (web forms, paper-based forms, contracts, agreements, posters, etc.).
This notwithstanding, the purpose behind gathering and processing data is generally:
– To maintain the contractual relationship between the data owner and TMZ.
– To implement, maintain and manage any relationships between TMZ and the data owner: commercial, administrative, accounting, labour, marketing, training or any other service provision requested by the data owner from TMZ.
– To have details of candidates who participate in recruitment processes undertaken by TMZ.
– To mailing technical, operational and promotional material, where consent is given for this purpose (by clicking the corresponding field); or there is a prior commercial/contractual relationship with the user/customer and this concerns the mailing of advertising for similar services (article 21.2 of Law 34/2002, dated 11 July, on Information Society Services and Electronic Commerce).
The data shall at no time be used for any other purposes than those for which they have been collected. Likewise, to improve the browsing experience, cookies are used to ensure the website operates and can be viewed properly. See our cookie policy:


3. Duty of information and consent from the affected party: Legitimisation of processing

When personal data are requested through any medium, they will be added to the TMZ processing system. They are then processed for the purpose and on the legal basis established in the clause appended to the form for this reason and with a suitable level of protection, as per the General Data Protection Regulation (EU Regulation 2016/679).
In general, the legal basis for data processing is:

  • The undertaking of a contractual relationship between the two parties, to comply with the rights and accountability arising from said relationship (article 6.1 b) GDPR).
  • Our legitimate interest, for the mailing of advertising directly related to the contractual relationship (article 6.1 f) GDPR).
  • Our legitimate interest in processing the contact details from physical persons who provide services as a legal person, having just the information necessary to find their work address. The purpose is to maintain a relationship of some kind with said legal person, in which the owner provides their services (article 19 LOPDGDD, with regard to article 6.1 f) GDPR).
  • The processing is necessary to comply with a mission undertaken in the public interest (article 6.1 e) GDPR): to facilitate and enhance foreign maritime trade among the various regions of the Ebro Valley, by means of this inland port created for international trade; to help companies improve their logistical efficiency and competitiveness.
  • Consent given for one or more purposes (article 6.1 a) GDPR). In this case, please be aware your consent can be withdrawn at any time.


4. Data retention

The data will be retained for the time necessary to comply with the purpose for which they were collected, i.e. once the purpose for the data has been met, they will be cancelled. This cancellation will see the data blocked, leaving them available to only the relevant authorities, judges and tribunals, to attend to any liability arising from the processing, during the limitation period for this. Once this period has expired, the data will be destroyed.
For information purposes, the legally permitted periods for data retention in relation to various matters are given below:

Documents of a work type or related to social security 4 years Article 21 of Legislative Royal Decree 5/2000, dated 4 August, which passed the Codified Text of the Law on Labour Infringements and Penalties.
Accountancy and tax documents for business purposes 6 years Art. 30 Business Code
Accountancy and tax documents for taxation purposes 4 years Articles 66 to 80, General Taxation Act
CV details (candidates) 2 years Not applicable
Contact persons details While not requesting elimination Not applicable


5. Data recipients

TMZ will not provide your data to third parties unless the purpose of said communication is compliance with purposes specifically connected to the lawful duties of the assigning party and the assignee or Owner has granted their consent to such purposes or when the transfer is authorised by Law.
Data transfers to third countries are not anticipated.


6. Rights of the data owner

The regulation on data protection grants a series of rights to the interested parties or data owners. The rights for interested parties are as follows:

  • Right to access: the right to obtain information on whether your data are being processed, the purpose for said processing, the categories of data being processed, the recipients or category of recipients, the retention period and the origin of the data.
  • Right to rectification: the right to rectify any inexact or incomplete personal data.
  • Right to elimination: the right to eliminate data in the following cases:
    • When the data are no longer necessary for the purpose for which they were collected;
    • When their owner withdraws consent;
    • When the interested party opposes processing;
    • When they must be eliminated to comply with a legal obligation;
    • When the data were obtained pursuant to an Information Society Services and Electronic Commerce service, under Art. 8 Sect. 1 of the European Data Protection Regulation.
  • Right to opposition: the right to oppose specific processing based on consent from the interested party.
  • Right to limitation: the right to limit the processing of data in the following cases:
    • When the interested party challenges the accuracy of the personal data, within a period which allows the company to check their accuracy.
    • When processing is illegal, and the interested party opposes elimination of the data.
    • When the company no longer needs the personal data for the purposes for which they were collected, but the interested party needs them to file, exercise or defend against claims.
    • When the interested party opposes the processing while checking whether the legitimate interests of the company prevail over those of the interested party.
  • Right to portability: the right to receive the data in a commonly used and mechanically-readable structured format, and transfer them to another data controller when:
    • Processing is based on consent;
    • Processing is done by automated means.
  • Right to present a complaint before the relevant Supervisory Body.

The interested parties may exercise these rights by writing to Terminal Marítima de Zaragoza at any of the addresses given in the “Data Controller” section. Make sure to include a photocopy of a valid ‘DNI’ or equivalent document that testifies to your identity.


7. Data security

The security measures adopted by TMZ are as required by Article 32 of the GDPR. Thus, considering the state-of-the-art, application costs and type, scope, context and purposes of the processing, in addition to the variable probability and severity risks for the rights and freedoms of physical persons, suitable technical and organisational measures are in place to ensure the right level of security for the existing risk.

In any case, TMZ has implemented sufficient mechanisms to:

  • Ensure permanent confidentiality, integrity, availability, and resilience of the processing systems and services;
  • Restore availability and access to personal data rapidly should a physical or technical incident occur;
  • Regularly verify, assess and evaluate the effectiveness of the technical and organisational measures implemented to ensure processing security;
  • Pseudonymize and encrypt personal data, where appropriate.