Privacy Statement


A. Data processing that this Privacy Statement covers

This Privacy Statement provides information about the processing and the protection of your personal data when you accept to participate in the survey organized by ORIGINAL BUFF, SA regarding the sustainability strategy of ORIGINAL BUFF, SA and the prioritization of the different social and environmental issues that affect ORIGINAL BUFF, SA

B. Who we are

The controller of the personal data provided by you is:

Company name: ORIGINAL BUFF, S.A.
CIF: A58034000
Registered address: C/ França nº 16, Igualada (Barcelona) 08700, Spain
Phone: + 34 93 805 48 61
Email: [email protected]
Contact email for data proteccion: [email protected]

C. Information about you: which personal data do we collect and further process?

We collect, use, store and transfer different kinds of personal data about you as follows:

  • Email address

D. How we use your personal information?

We will only use your personal data for the specific purposes for which we collected it which include the following:

  1. Sending you and email to propose to participate and answer the survey.

Responses to the survey are answered anonymously through the online platform/form Typeform, in which we do not ask for any type of personal or identifying data.

E. What is the legal basis for the processing of your data?

The legal basis for the processing of your data is your consent.

We process your personal data on the basis of your consent given to the processing of your personal data for one or more specific purposes provided in the survey form.

You will give the aforementioned consent by accepting the present privacy statement and the consent box on the specific purposes provided on the survey form. Accepting this privacy statement and consent boxes on the specific purposes is required before sending your responses to the survey form.

You may exercise your right to withdraw your consent by contacting us to [email protected]

F. Information we Disclose to Third Parties:

Access to your personal data is provided to our staff responsible for carrying out the survey and the analysis of the responses according to the “need to know” principle.

We may share your personal data within the Company Group and with external third parties for the purposes set out in this Privacy Statement.

We carefully select third-party service providers. We have engaged these third-party service providers under contract and are required to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Consequently, we may share your information with the following entities:

  • any individual employed by Original Buff, SA that works in this project and any Company Group, that is, our subsidiaries: BUFF GmbH (Germany), BUFF Inc, (USA), BUFF Canada Ltd (Canada) and BUFF UK Ltd (UK).

R4SGroup: Consultancy in charge to give support us to obtain the B Corp certification and develop the sustainability strategy of ORIGINAL BUFF, SA

  • Technology services, as Typeform, SL the provider of the online platform for creating online forms, which will be used to carry out the survey and collect the responses.

Such entities, will process the data if they need to know for the purposes described above. If they are located outside the European Union and European Economic Area, the international data transfers will be carried out with the guarantees provided for in the applicable legislation.

We may share your personal data with other third parties, as to the extent and for the purpose we may be required to do so by law.

G. Your data & Cross Border Transfers

Your data may be stored and processed in the European Union, in Canada, United Kingdom and the EEA or in any country where we engage services providers, this includes any country outside Canada and the EEA.

We are committed to the sufficient protection of your personal information regardless of where the data resides and to providing adequate protection for your personal information where such data is transferred outside Canada, the United Kingdom or the EEA.

H. Retention of your Information.

We will retain your personal information for the period necessary to fulfil the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law and subsequently only in order to comply with its legal obligations.

As for the data processed for sending newsletters, we retain Users' personal data for as long as the User revokes his/her consent to the sending of promotional communications, and subsequently only in order to comply with its legal obligations.

Regardless of whether we process your data for the time strictly necessary to fulfil the relevant purpose, we will subsequently retain it, duly stored and protected for as long as liabilities may arise from the processing, in compliance with the legislation in force at any given time. Once the possible actions in each case have expired, we will delete the personal data.

I. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, subsidiaries and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

J. Your Rights

You have, in connection with your personal data, under certain circumstances, the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you wish to exercise any of the rights set out above, please contact us at:

ORIGINAL BUFF, S.A. at C/ França, 16, 08700, Igualada (Barcelona) Spain or by sending an e-mail to [email protected] , writing “Original Buff – Privacy Policy” on the envelope or in the subject of the message.

You have the right in any event to file a complaint with the competent Data Protection Agency which in Spain is Spanish Data Protection Agency (;

We would, however, appreciate the chance to deal with your concerns before you approach the Competent Data Authority, so please contact us in the first instance.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

K. What happens if you provide us with third-party data?

If you provide the personal details of a third party, you must prior to the inclusion of such data, have informed the third party and requested his/her consent for the purposes set out here, so that we can use it to attend to the requests made by you or the said third party.

L. Changes to the privacy policy

This privacy policy may be modified from time to time to adapt to new situations and the current legislation, and Users will be informed accordingly.


Version 26.08.2021