Mercado Privacy Policy
Most recent amendment: December 2022
Index
1. Scope
2. Summary of information
3. Your personal data rights
4. Data controller of your personal data
5. Useful information if you are a USER
• 5.1 What are the data processing purposes and the legitimate basis of the processing?
5.2 What kind of data do we hold about you and how is your personal data collected?
5.3 What are the recipients of your data and why are we communicating it?
5.4 How long will we keep your data?
Annex I- General retention periods and retention periods applicable for Users
6. Useful information if you are a COURIER:
• 6.1 What are the data processing purposes and the legitimate basis of the processing?
6.2 What kind of data do we hold about you and how is your personal data collected?
6.3 What are the recipients of your data and why are we communicating it?
6.4 How long will we keep your data?
Annex I- General retention periods and retention periods applicable for Couriers
7. Useful information if you are a PARTNER:
• 7.1 What are the data processing purposes and the legitimate basis of the processing?
7.2 What kind of data do we hold about you and how is your personal data collected?
7.3 How long will we keep your data?
Annex I- General retention periods and retention periods applicable to Partners
8. Useful information if you are an INVESTOR:
• 8.1 What are the data processing purposes and the legitimate basis of the processing?
8.2 What kind of data do we hold about you and how is your personal data collected?
8.3 How long will we keep your data?
Annex I- General retention periods
9. Useful information if you are an JOB APPLICANT:
• 9.1 What are the data processing purposes and the legitimate basis of the processing?
9.2 What kind of data do we hold about you and how is your personal data collected?
9.3 How long will we keep your data?
Annex I- General retention periods
10. Useful information if you are a PROSPECT:
• 10.1 What are the data processing purposes and the legitimate basis of the processing?
10.2 What kind of data do we hold about you and how is your personal data collected?
10.3 How long will we keep your data?
Annex I- General retention periods
11. Useful information if you are a WEBSITE VISITOR:
• 11.1 What are the data processing purposes and the legitimate basis of theprocessing?
11.2 What kind of data do we hold about you and how is your personal data collected?
11.3 How long will we keep your data?
Annex I- General retention periods
12. Do we proceed to international transfer of data?
13. Do we proceed to automated decision making?
14. Do we proceed to profile creations?
15. What security measures have been adopted?
16. Definitions
Annex II - Details of Mercado Groups companies
1. Scope
Our commitment
Mercado is committed to respecting Users’/ Couriers’/ Job Applicants’/ Partners’/ Investors’/ Prospects’/ Website Visitors’ (jointly named hereinafter as the “Data Subjects”) privacy and protecting their Personal data. In this sense, the aim of this Privacy Policy is to inform Data Subjects about Mercado’s processing activities as per GDPR and the Local Regulation requirements.
The purpose of the Privacy Policy
This Privacy Policy provides information on the processing of personal data of Data Subjects who contact us via the contact form available on our website, in accordance with the General Data Protection Regulation ("GDPR").
To find them, the different stakeholders involved in this processing as well as our Data Subjects can enter our main website Mercado.pk>>Contact us>>Policies, or App: Help>>Not related to an order>>Policies and there they can select the right which they wish to exercise.
This Privacy Policy notice describes: how Mercado collects and processes the personal data, the different stakeholders involved in this processing as well as our Data Subjects rights with regard to their data.
We recommend that both all stakeholders involved in the processing as well as Data Subjects read it carefully and on a frequent basis to fully understand this along with our privacy overview, which highlights key points about our current privacy practices.
Possible changes and updates on the Privacy Policy
Due to the constant evolution of Mercado’s activities, this Privacy Policy may be subject to change or updates in the future.
Use of our Platform after this Privacy Policy has been updated shall be deemed to constitute consent by Data Subjects, whether located in the EU or outside the EU, to the updated or modified Privacy Policy to the extent permitted by local law.
Mercado will notify the Data Subjects in advance in case of substantial changes and modifications to the Privacy Policy by e-mail or through any other means that ensures its receipt.
Mercado will in no event modify its policies or practices to make them less effective in the protection of its Data Subjects personal data.
Any doubts? Contact our DPO
If our Data Subjects have any doubt concerning this Privacy Policy or want to obtain more information on it, they can contact our DPO at any time to this email address: gdpr@mercado.pk.
2. Summary of information
Data Controller • Mercado Web and App, is owning by EP Mercado (SMC-Private) Limited
Your rights You can exercise your rights related to personal data at any time HERE or by sending us an email to: gdpr@Mercado.pk.
Your rights related to personal data: right of access, right to rectification, right to erasure, right to object to processing, right to object to profiling, right to unsubscribe to any marketing communication
Data Protection Officer gdpr@mercado.pk
For which purpose do we use your data? When you are a User or Courier we may use your data for:
• legal purposes (e.g. in case of frauds and crimes committed on our App; to comply with legal regulations; menage your requests, to fill and/or defend any claims and legal actions),
• contractual purposes (e.g. grant the possibility to create your own account, locate the nearest Partner and Courier, perform payment processing, assist in decisions and use of the service, provide you with a customer service, studying the use of the platform performed by you, provide you with the equipment and material needed to provide the services),
• security purposes (e.g. use device, location, profile, usage, and other data to prevent and detect malicious or unsafe activities, monitor all actions that could cause fraud, when requested by any authority, administration or court, collaborate with Public Authorities),
• statistics and research purposes (e.g. analyse trends, purchase behaviour and characteristics, understand how you use our Platform, send voluntary and anonymous questionnaires, and surveys, competitions and communications of your interest, carry out financial calculations),
• marketing and non marketing purposes (e.g. carry out marketing, communications, research and development activities, analyse how to improve our services, provide you with offers, promotions, discounts, suggestions, carry out promotional activities for the delivery of samples or free products, generate and provide you with receipts, inform you about any incident on the App).
When you are a Partner we may use your data for:
• grant you the possibility to create your own account and maintain the business relationship with Mercado,
• provide you with customer service to answer your questions or consultations.
When you are an Investor we may use your data for:
• fulfil the compliance requirements
• formalise the relationship with you as an Investor,
• notify you concerning the corporate matters and inform you about Mercado’s results.
When you are a Job Applicant we may use your data for:
• consider your present or future suitability for any of the positions available at Mercado, to conduct any interviews it may deem necessary for the position, test your knowledge, contact companies for which you have previously worked, check references, and assess your skills and abilities in general.
• provide you with information of your interest regarding our Job offers.
When you are a Prospect we may use your data for:
• process your requests to obtain the products and/or services offered by Mercado and manage the prospective relationship,
• carry out marketing, communications, research activities regarding Mercado’s products and/or services similar to those included in your request.
When you are a Web Visitors we may use your data for:
• follow up your comments left on Mercado Website or our Blog,
• provide you with the answer regarding your request.
Why can we do it?
Lawfulness of processing • Compliance with the business/ labour relationship.
• Legitimate interest and User/ Courier / Applicant/ Investor/ Website visitor consent.
With whom we share your data? If you are a User we may share your data with two different group of recipients:
The recipients of data while we carry on your orders:
the Courier who carries out the task of collecting and delivering the product; the establishment or venue in charge of selling the product; the Customer Care Services available to you; the payment Platform and payment service providers; Telecommunications service providers; Providers rendering satisfaction survey services Recipients of the data, during the actions undertaken to continue to provide the services offered through the App: service providers that send parcels, carry out orders and/or resolve incidents with delivery; pharmacists dispensing products; Payment Platforms contracted by Mercado; Service providers for fraud control purposes and for for the anonymisation of some data; Telecommunications services; Punctually another entity or affiliate of the Mercado Group; Social media, Third parties associated with Mercado for the purposes of commercial communications; insurance companies
If you are a Courier we may share your data with different group of recipients:
• advisers and consultants for the pursuit of accounting, labour, tax, insurance, legal and technical activities,
• government bodies (tax authority, social security system, etc.),
• state security forces, courts, mediation and arbitration bodies, governments for regulatory matters
• users who have placed an order which you have agreed to carry out,
• external service providers that provide commercial offers with benefits and/or discounts for you,
• to group companies or third parties in charge of the filing and management of computer data.
In case of every Data Subject (Users, Couriers, Job Applicants, Partners, Investors, Prospects, Website Visitors) we may share personal data with:
• another entity or affiliate of the Mercado Group,
• any public authority that requests the sharing.
3. What are your personal data rights?
You may exercise your rights free of charge at any time using the form available on our main website Mercado.pk>>Contact us>>Policies, or in the App, entering to: Help>>Not related to an order>>Policies.
To exercise your rights click HERE .If you have any questions, you can write to us at gdpr@mercado.pk.
You may exercise the following rights vis-à-vis Mercado:
• The right of access to your personal data to know which data is being processed and the processing operations carried out thereon;
• The right to correct any inaccuracies in relation to your personal data;
• The right to the erasure of your personal data, where possible; by sending us a data erasure request.
• The right to request the restriction of processing of your personal data when the accuracy, legality or need for processing of the data is in question, in which case we may retain the data for the purpose of filing or defending claims.
• The right to object to the processing of your data in order to resolve any query you may have raised with us through the contact form (website: Mercado.pk>>Contact us>>Policies or in the App: Help>>Not related to an order>>Policies) and the right to object to the processing of your data on social media and/or for the purpose of processing your CV.
• If you are the User, and you don’t want to receive any marketing communications, you have the right to unsubscribe to any marketing communication, by sending an e-mail or by using the link provided for this purpose in every commercial communication.
Please note that disabling Push notifications will also prevent you from receiving notifications about the status of any order.
You can anytime object to profiling by sending an email to: gdpr@mercado.pk
If you believe that Mercado is in breach of data protection law:
Please take into account that there may be some situations where the above rights could not be exercised or effectively executed by Mercado, for example when asking us to erase all your personal data where there is contractual relationship with us.
Notifications and Modifications
Due to the constant evolution of Mercado’s activities, this Privacy Policy, the Cookie Policy and the Terms of Use are also subject to change.
Mercado will send all Users/ Couriers / Job Applicants/ Partners/ Investors/ Prospects/ Website Visitors notifications about substantial changes and modifications to such documents by email or through any other method that ensures their receipt.
In any case, Mercado will in no event modify its policies or practices to make them less effective in the protection of our customers’ previously stored personal data.
In the event of discrepancies between the translations and the Spanish version of this document, the Spanish version will prevail.
4. Who is a Data Controller of your data?
The Data Controller of your Personal Data in relation with the use of the Mercado Platform and of the other Forms is Mercado Pakistan Platform.
In addition to the information provided above, details of each Mercado Group company can be found in Annex II to this Privacy Policy.
Furthermore, Mercado may share the data of those users ("users") or Couriers ("Couriers") who register on the website or the APP (the "Platform") and those persons who contact Mercado using the forms available on its platform with each of the subsidiaries and companies of the Mercado Group for the purpose of offering the services requested by Users through the Platform.
5. Useful information if you are a USER:
5.1 What are the data processing purposes and the legitimate basis of the processing?
Mercado will process you’re the personal data for the following purposes:
1. For legal purposes.
2. For contractual purposes.
3. For security purposes.
4. For statistics and research purposes.
5. For marketing and commercial purposes.
6. For non-marketing purposes.
Legal purposes
Mercado processes your personal data for:
i) detect and investigate fraud and possible crimes committed against our Platform and all the users,
ii) comply with the legislation in case any legal regulations oblige us to keep your data for a defined period of time (please check Annex I on data retention),
iii) manage and execute your request(s) to exercise the rights established in the GDPR and local regulations,
iv) file, submit and defend legal actions against any entity of our Group,
v) in any of the cases above-mentioned, Mercado shall be entitled to use any data obtained from you or arisen from your activity through our Platform (e.g. conversations between you and the Partner, you and the Courier, you and our Platform using the chat system) for the purpose of filing and/or defending any claims and/or legal actions that may be necessary, and to manage any incidents arising in connection with User’s orders.
Contractual purposes
Mercado processes your personal data for:
i) grant you the possibility to create your own account,ii) provide you with the services you have requested and any additional features on the Platform,
ii) locate the nearest Partners and Courier to the delivery point informed by you (which may involve using geolocation services, if you agreed to them when asked to by the Platform, as described above),
iii) perform payment processing and collection on behalf of you,v) communicate your Order to the Partner selected by you and update you on the status of your Order,
iv) assist you in your decisions and use of the service, including the possibility to quickly reorder from the stores, where you have ordered in the past or suggest you stores based on your past orders or “popularity” among new users. Additionally, we could assist you in your decisions through automatically determined filters by the historical order you have placed in the past, providing in each case specific contents in the Platform tailored for you,
v) send you the receipt corresponding to your Orders,
vi) provide you with a customer service to manage any incident related to your Orders and being able to answer your questions or consultations,
vii) allow your direct contact with the Courier in charge of your Order,
viii) be contacted by our Partners in case of any incident with your Orders,
ix) process reimbursements and refunds both via promo-codes or bank refunds,
x) notify you concerning changes or updates to our services, terms and conditions, privacy policy, cookies policy and any other corporate document that may affect you in a substantial way.
Security purposes
Mercado processes your personal data for:
i) use device, location (including geolocation data, if you agreed to), profile, usage, and other data to prevent and detect malicious or unsafe activities (e.g. payment fraud, identity fraud, account hacking, phishing, incentive abuses),
ii) monitor all actions that could cause fraud or in the commission of a criminal offence related to the payment method employed by you; if any irregularities are detected, Mercado reserves the right to retain the data provided and share it with the competent Authorities in order to carry out the relevant investigation,
iii) make sure that you follow the legal requirements related to specific products you may order through the Platform (e.g. legal age for alcoholic beverages).
For statistics and research purposes
Mercado processes your statistics based on your Personal data for:
i) analyse trends, purchase behaviour and characteristics,
ii) understand how you use our Platform,
iii) manage and improve the services offered, including the possibility of adding new or different features and services to improve the quality of the services.
Marketing and commercial purposes
Mercado processes your personal data for:
i) carry out marketing, communications, research and development activities,
ii) analyse and research how to improve our services both offline and on the Platform, by using the data provided by you (such as in focus groups, reviews, valuations of the services, satisfaction survey, feedback or any kind, etc.),
iii) provide you with personalised offers, promotions, discounts, suggestions, views and options in App, by email or by any other communication means, including the use of cookies or other technologies for advertising in third party websites or apps, according to our Cookie Policy and only if you have agreed to,
iv) carry out promotional activities for the delivery of samples or free products inside the order placed by you, which may be of your interest to promote Mercado’s and our Partner’s products or services,
v) carry out promotional activities such as contests, raffles, tenders, quizzes, competitions between users when they have subscribed and/or sent their data for such campaigns,
vi) create custom audiences with Facebook or other providers to reach out to you or other people with similar characteristics, who might be interested in using Mercado services; you can manage your privacy in your Facebook or other third party platform settings,
vii) use as commercial or marketing material published by you on your social networks profiles when Mercado has been expressly mentioned by you (i.e. via hashtag or @).
We may personalize the marketing communications by using the User activity in our App (including your past orders) and the interaction with the App, online advertising, previous emails, promotions, etc. However, this personalisation is not made only by automated means, nor have any legal effect or affect the User similarly.
Mercado may use Push services on the User’s mobile device to provide marketing communications. If the User does not want to receive these marketing communications, he / she shall unsubscribe in the notifications centre. Please note that disabling Push notifications will also prevent the User from receiving notifications about the status of any order.
Non-marketing purposes
Mercado processes your personal data for:
i) generate and provide you with receipts from each of your Orders placed through our App,
ii) inform you about any incident on the Platform or the operation of the services, including incidents related to your orders. This information can be sent by e-mail or SMS messages, and any other messaging application, that may be used by you and Mercado at any moment,
iii) inform you about any changes to our Terms and Conditions, privacy policy, cookies policy, services, and more generally to inform you about any relevant non-marketing communications.
iii) process incidents and claims with insurance companies in the event you report the occurrence of any damages or unforeseen events that may be covered by Mercado’s insurance policy.
5.2 What kind of data do we hold about you and how is your personal data collected?
Mercado holds the following data about you:
1. Information supplied directly by you:
1.1. Registration Data: the information provided by you when you create an account on the Mercado Platform: username and e-mail.
1.2. User Profile Information: the information added by you on the Platform in order to be able to use Mercado's service, e.g.. your mobile phone number and delivery address. You can view and edit the personal data on your profile whenever you wish.
1.3. Payment information: payment information when processing your orders; card data will be processed by our electronic payment service providers, who will receive the data directly from you. Mercado will have access to this information only for complying with the request of any competent authority,
Mercado offers its users to store the payment information or card details. In this case, the card details are tokenized (converted in a unique code). This token is usable in the Mercado platform, allowing Mercado to facilitate the use of the platform by preventing the introduction of the card details each time you want to perform a payment and provide additional security, as the details of the card are never stored in our systems. You can erase this token at any moment in your profile area.
1.4. Additional information: any information that you could supply to Mercado for other purposes, e.g. your photograph or the billing address in the case if you have asked to receive invoices from Mercado.
1.5. Information about previous communications with Mercado: information supplied by you for the resolution of any queries or complaints about the use of the platform, whether through the contact form (website: Mercado.pk>>Contact us>>Policies, App: Help>>Not related to an order>>Policies), by e-mail or by phone through the customer service.
1.6. Information regarding any accidents: information of any of the parties involved in the provision of services through the Platform for the purpose of making insurance claims or carrying out any other actions with the insurance companies contracted by Mercado.
1.7. Information of conversations held with Mercado: Transcription and recording of conversations for the processing of incidents, queries or other consultations that may be made to guarantee and improve the quality of our services and for security reasons.
1.8. Information on Communications: communications exchanged between you and the Couriers on the chat system provided on the Platform whenever it is necessary to address any incident or discussion between Users and Couriers, or to comply with any request made by authorities. Mercado will never access the communications if it is not strictly necessary and will always ensure the privacy of its users and the confidentiality of all information exchanged on its platform.
1.9. Any additional information that you provide in your requests, comments or questions.
• Information indirectly supplied by Users:
2.1. Data arising from the Use of the Platform: Mercado collects the data arising from your Use of the Platform every time you interact with the Platform.
2.2. Data on the application and the device: Mercado stores data on the device and the Application used by you to access the services:
i) the IP address used by you to connect to the Internet using your computer or mobile phone,ç
ii) information about your computer or mobile phone, such as your Internet connection, browser type, version and operating system, and type of device,
iii) the full uniform resource locator (URL) Clickstream (the information related with your navigation through our website or the Application, links followed, etc.), including date and time,
iv) data from your account: information on the orders made by you, as well as feedback and/or comments made by you,
v) your browsing history and preferences.
2.3. Data arising from the User’s origin: if you arrive at the Mercado Platform through an external source (such as a link from another website or a social network, as long as you have authorised it on those websites), Mercado collects data on the source from which you arrived.
2.4. Data resulting from the management of incidents: if you contact the Mercado Platform through the Contact Form( website: Mercado.pk>>Contact us>>Policies or App: Help>>Not related to an order>>Policies), Mercado Chat or on Mercado’s phone number, Mercado will collect the messages received in the format used by you and may use and store them to manage current or future incidents.
2.5. Data arising from “cookies”: Mercado uses its own and third-party cookies to facilitate browsing by its users and for statistical purposes, among others (please refer to the Cookie Policy for more details).
2.6. Geolocation Data: provided that you have authorised this, Mercado will collect data relating to your location, including the real-time geographic location of your computer or mobile device.
2.7. Data resulting from external third parties:
i) Mercado collects personal data or information from external third parties only if you authorise such third parties to share that information with Mercado. For example, if you create an account through your Facebook or Google account, these platforms could disclose to us your personal data that can be found on your Facebook/Google profile (such as name, gender or age).
ii) If you choose to send messages to us from social media networks (including Twitter, Facebook and Whatsapp), we will collect that information you provide to us for the purposes set out in this privacy policy, including responding to your inquiry, providing you with customer support and resolving issues.
5.3. What are the recipients of your data and why are we communicating it?
Mercado warrants that all commercial partners, technicians, suppliers or independent third parties are bound by contractually binding promises to process the information shared with them in accordance with Mercado’s indications, this Privacy Policy and the applicable data protection legislation.
We will not disclose your personal data to any third party who does not act under our instructions and no communication will involve selling, renting, sharing or in any other way revealing customers’ personal information for commercial purposes in breach of the commitments made in this Privacy Policy.
When carrying out an order, data may be shared with:
• The Courier who carries out the task of collecting and delivering the product.
• The establishment or venue in charge of selling the product, if you have requested the purchase of a product. If you contact the above-mentioned providers directly and give them your data directly, Mercado will not be responsible for the providers’ use of such data.
• The Customer Care Services contracted by Mercado for the purpose of warning you of any possible incidents or asking why negative feedback has been given; data will be used to manage any incidents that may occur during the provision of the services.
• The payment Platform and payment service providers so that the amount can be charged to your account.
• Telecommunications service providers, when they are used to send communications regarding orders or incidents relating to orders.
• Providers rendering satisfaction survey services on Mercado’s behalf.
Sharing your data with third parties:
To continue providing the services offered through the Platform, Mercado may share your certain personal data with:
• Service providers: service providers that send parcels, carry out orders and/or resolve incidents with deliveries have access to your personal information as may be necessary only to carry out their functions. They must process the said personal information as provided in this Privacy Policy and in the applicable data protection legislation.
• Pharmacies: Mercado may provide your name and phone number to pharmacists dispensing products to those Users, to ensure the provision of pharmaceutical advice according to the current applicable legislation.
• Payment Service Providers: When you enter your card number on the App, this is stored directly by the Payment Platforms contracted by Mercado, which allows payment to be charged to your account. Payment service providers have been chosen based on their security measures and in any event complying with the security measures stipulated in the payment service legislation, and they are PCI Compliant under the Payment Card Industry Data Security Standard or PCI DSS. Mercado does not store such data in any event.
• Service providers for fraud control purposes: Mercado will share your data with fraud control service providers to assess the risk of the transactions carried out.
• Service providers for the anonymisation of some data: In order to prevent the misuse of your data by third-party service providers, your data may be being anonymised so that it can be used solely for the provision of the service. For example, Mercado may assign your telephone numbers to third parties in order to anonymise them and provide them in this format to the providers used to carry out the services contracted by you.
• Security companies and Law Enforcement Forces and Agencies: Mercado may disclose personal data on its customers’ accounts if such disclosure is necessary to comply with the law, to enforce or apply the “Terms of Use'' or to protect Mercado’s, its users’ or third parties’ rights, property or safety. It includes the exchange of information with other companies and organisations and with Law Enforcement Forces and Agencies to protect against fraud and reduce credit risk.
• Call centre and incident management services: In order to provide a Customer Service and call centres, actions to measure your degree of satisfaction and the provision of administrative support services, your data may be disclosed to companies located outside the European Economic Area.
• Telecommunications services: In order to be able to provide you with telephone contact services, Mercado may contact telecommunications companies that provide secure lines and systems for the purpose of contacting you.
• Companies in the Mercado group: To be able to provide its services, Mercado may transfer your certain personal data to subsidiaries, based on the geographical area from which users request our services. When you register on the Platform from any country in which Mercado operates, your data is stored on Mercado’s database, which is located in Ireland and belongs to the Spanish company Mercado23, S.A. In the case of subsidiaries located outside the European Economic Area, the data will be transferred, using the systems established by the European Commission and the GDPR, to countries with an appropriate personal data protection level or through contracts approved by the European Commission establishing and guaranteeing the rights of data subjects.
• Social media connected by Users: If you connect your Mercado account to other social media or to a third-party platform, Mercado may use the information provided to such social media or third party in compliance with the privacy policy of the social media or third-party platform in question.
• Third parties associated with Mercado for the purposes of commercial communications: Mercado may transfer your personal data to third parties associated with Mercado, provided that you have given your express informed and unequivocal consent to such transfer of data and that you are aware of the purpose and recipient of such transfer.
• Changes of ownership: If Mercado’s ownership changes or the majority of its assets are acquired by a third party, you are informed that Mercado will transfer your data to the acquiring organisations to continue to provide the services subject to the processing of data.
As Mercado keeps growing continuously, we may buy or sell business units, assets, shares or legal entities, so data subjects’ information may also be transferred. That information, when acquired by Mercado, shall be processed as any other information as described in our privacy policy. You acknowledge that such transfer may occur and that we will be allowed to use your personal information for any of the purposes described in this Privacy Policy. The new file controller will inform Users of its identification data. Mercado states that it will comply with its duty of information and it shall inform Users of the change of file controller if and when this happens. This processing shall be carried out under the contract entered into with Mercado.
• Insurance companies: Mercado may provide your data to those insurers and insurance brokers it collaborates with, for the management and processing of claims and losses arising from the activity carried out by Mercado and the parties that collaborate with it.
Your data will not be disclosed to any third parties unless:
i) this is necessary to provide the services requested if Mercado is collaborating with third parties ;
ii) if Mercado has your express and unambiguous authorisation;
iii) where this has been requested by a competent authority pursuant to its functions (in order to investigate, prevent or take action in relation to illegal actions);
iv) finally, where required by law.
Sharing your data with Mercado Partners
Mercado may share your data also with some of Mercado’s top Partners and only under some certain conditions:
i) having obtained your expressed consent via consent checkbox which may appear (a) at the first order made by you or (b) in each order made by you previously to proceed with the check-out when placing an order through the Partner store.
Once giving your consent, you will be able to withdraw it at any time, using Contact Form ( website: Mercado.pk>>Contact us>>Policies or App: Help>>Not related to an order>>Policies).
ii) having signed a Data Sharing Agreement with the Partner and ensuring that all legal, safety and technical measures are met.
5.4 How long will we keep your data?
Mercado shall retain your data for the duration of the contractual relationship and, after this has come to an end, for the period established by law for filing or defending the appropriate legal actions. This is established at a maximum of fifteen (15) years in order to comply with Mercado’s legal obligations – which include the duty to assist the security forces as necessary in the investigation and prosecution of crimes pursuant to the higher interest of public safety – and defend itself or take any action in relation to criminal, tax and social security matters.
The said period may be shorter depending on the legal provision applicable to each purpose of data processing, as established in the table of retention periods set forth in Annex I.
ANNEX I - GENERAL RETENTION PERIODS
GENERAL
TERM DESCRIPTION LEGAL REF.
DATA PROTECTION 3 years The limitation periods for infringements are:
- Very serious infringements: after 3 years,
- Serious infringements: after 2 years,
- Minor infringements: after 1 year Spanish Organic Data Protection Law (LOPD)
PERSONAL CIVIL ACTIONS 5 years Personal actions of any kind without a specific limitation period established from the moment when the obligation becomes enforceable, taking into account that, in the case of ongoing positive or negative obligations, the period will start running again every time they are infringed. Article 1962 of the Spanish Civil Code (Código Civil)
ACCOUNTING
AND TAX DOCUMENTATION 6 years
For commercial purposes: books, correspondence, documentation and supporting documents relating to their business, duly ordered, from the last entry in the books, save as may be established by general or special provisions. This commercial obligation applies to both compulsory books (income, expenses, investment goods and provisions), and the documentation and documentary evidence of the entries contained in the books (invoices issued and received, vouchers, amendment invoices, bank documents, etc.). Art. 30 of the Royal Decree of 22 August 1885 publishing the Civil Code
4 years For tax purposes: accounting books and other compulsory record books pursuant to the applicable tax legislation (personal income tax, VAT, corporation tax, etc.), as well as documentary evidence justifying the entries in the books (including software and computer files and any other documentary evidence that is relevant for tax purposes) must be retained at least for the period during which the tax authorities are entitled to verify and investigate and, therefore, assess and inform of, the tax owed. Section 3 (Limitation Periods), Arts. 66 to 70 of Law 58/2003 of 17 December 2003, the General Taxation Law (Ley General Tributaria)
INFORMATION RELEVANT FOR CRIMINAL ACTIONS 10 to 15 years Any information and documentation that may be relevant for the prosecution or defence of criminal proceedings relating to the criminal liability of legal persons.
This may include invoices, payment receipts, claims or complaints, delivery routes with geolocation, tax documentation and, in general, any other information from any data subject that may be useful to defend Mercado’s legal interests. Article 131 of the Organic Law 10/1995, of 23 November 1995, publishing the Spanish Criminal Code (Código Penal).
USERS
TERM DESCRIPTION LEGAL REF.
USERS AND CONSUMERS 3 years Claims to enforce performance of the service as a result of non-conformity with the contract are subject to a limitation period of three years after the delivery of the product Article 123.4 of Royal Legislative Decree 1/2007 of 16 November 2007 approving the consolidated text of the General User and Consumer Defence Law (Ley General para la Defensa de los Consumidores y Usuarios) and other additional laws
E-COMMERCE AND INFORMATION SOCIETY SERVICES 3 years The limitation periods for infringements are:
- Very serious infringements: after 3 years,
- Serious infringements: after 2 years,
- Minor infringements: after 6 months. Article 45 of Law 34/2002 of 11 July 2002 on E-Commerce and Information Society Services (Ley de Servicios de la Sociedad de la Información y el Comercio Electrónico)
MONEY LAUNDERING 10 years Documents formalising compliance with the obligations provided by law. The filing systems of regulated parties must ensure the proper management and availability of documentation both for internal control purposes and for the purpose of responding to requests from the authorities in a proper and timely manner.
Article 25 of Law 10/2010 of 28 April 2010 on the prevention of money laundering and the financing of terrorism (Ley de prevención del blanqueo de capitales y de la financiación del terrorismo).
6. Useful information if you are a COURIER:
Mercado will process the personal data of Couriers for the following purposes:
1. For legal purposes.
2. For contractual purposes.
3. For security purposes.
4. For statistics and research purposes.
Legal purposes
Mercado processes your personal data for:
i) detect and investigate fraud and possible crimes committed against our Platform and all the users,
ii) comply with the legislation in case any legal regulations oblige us to keep your data for a defined period of time (please check Annex I on data retention),
iii) manage and execute your request(s) to exercise the rights established in the GDPR and local regulations,
iv) file, submit and defend legal actions against any entity of our Group,
v) manage and execute your claims related to an Order, problems with the delivery and different sorts of general incidents generated by the use of the Platform.
Contractual purposes
Mercado processes your personal data for:
i) manage Mercado’s activity, enabling you to access and communicate with the Mercado platform so as to provide their services through it,
ii) provide informative sessions to you before the starting of services (focus groups) and to comply with the services offered by the providers through the technological platform, and with obligations arising from the contractual relationship,
iii) studying the use of the platform performed by you and performance of focus groups with you to understand their opinion and feedback about the services provided,
iv) provide you with the equipment and material needed to provide the services, if requested,
v) activate the insurance in case of an incident of you during the delivery of an Order,
vi) assign Orders to you and show to the cCustomers your position while delivering their Orders,
vii) assist you during the performance of services by contacting customer centres,
viii) notify you concerning changes or updates to our services, terms and conditions, privacy policy, cookies policy and any other corporate document that may affect them in a substantial way
Security purposes
Mercado processes your personal data for:
i) control visitors’ access to Courier centre’s facilities and ensure your goods’ and facilities’ safety,
ii) use device, location, profile, usage, and other data to prevent and detect improper payments, money laundering, especially when you pay by cash,
iii) when requested by any authority, administration or court, collaborate with Public Authorities whenever they request Mercado information useful to the aim of their investigation (e.g. anti-drug projects, anti-fraud projects, anti-terrorism projects),
iv) defend Mercado interests in case of a conflict between the parties related to the interpretation or execution of the contract,
v) comply with the compensation, accounting, tax and economic obligations.
For statistics and research purposes
Mercado processes your statistics based on your personal data for:
i) carry out statistical and financial calculations based on aggregate and non-identifiable data,
ii) send voluntary and anonymous questionnaires, as well as surveys, competitions and communications of your interest, for the purpose of assessing the quality of the relationship and any opinions that you may have.
6.2 What kind of data do we hold about you and how is your personal data collected?
Mercado holds the following data about you:
• Name and surnames: pursuit of the contractual relationship.
• Identity Card (DNI) / Passport No.Foreign resident’s card: pursuit of the contractual relationship – billing and legal compliance.
• Social Security number: payment management and legal compliance.
• Bank and billing information: information for billing purposes, current account or credit card numbers, if necessary to fulfil contractual obligations or manage purchases, or services.
• Photo: road safety, account fraud prevention and public safety.
• Image: video surveillance and access control when entering one of the company’s sites.
• Voice (without biometrics) from Customer service calls: pursuit of the contractual relationship and legal compliance.
• Signature: pursuit of the contractual relationship.
• Date of birth: legal compliance.
• Residence details (resident/non-resident): legal compliance.
• Accident insurance processing details: accident insurance management.
• Driving licence: road safety.
• Own vehicle: pursuit of the contractual relationship.
• Vehicle insurance: pursuit of the contractual relationship.
• Geolocation: management of the service provider’s location during the provision of services for road safety reasons and in order to comply with tax and accounting obligations.
• Phone number and Email (Contact data): Pursuit of the contractual relationship and be able to communicate with the Courier by sending some communications through different channels such as: SMS, email, Whatsapp messages, etc.
• Internet connection: pursuit of the contractual relationship.
• Conversation information: Transcription and recording of conversations held between Couriers and Mercado to guarantee and improve the quality of our services, processing of incidents and for security reasons.
6.3 What are the recipients of your data and why are we communicating it?
Your data may be disclosed to third parties only where necessary for the establishment, performance and termination of the contractual relationship with Mercado. The third-party recipients of the Data, designated as Data Processors, include:
i) advisers and consultants for the pursuit of accounting, labour, tax, insurance, legal and technical activities,
ii) government bodies (tax authority, social security system, etc.),
iii) state security forces, courts, mediation and arbitration bodies,
iv) governments for regulatory matters.
During the performance of the relationship and to ensure that you can carry out your activity, the Data will be disclosed:
i) to those establishments with which Mercado has a commercial T&Cs,
ii) those users who have placed an order which you have agreed to carry out,
iii) external service providers that provide commercial offers with benefits and/or discounts for you.
Mercado hereby informs you that the Data may be disclosed to companies in the Mercado group in connection with the purposes described previously.
The Data may also be transferred inside and outside the European Union to group companies or third parties in charge of the filing and management of computer data solely for purposes related to the management of the contractual relationship between the Parties and fully in accordance with the applicable data protection legislation. Mercado hereby reports that it has taken the necessary measures to ensure that the disclosure of your data is carried out in accordance with the above-mentioned legislation.
6.4 How long will we keep your data?
Mercado shall retain your data for the duration of the contractual relationship and, after this has come to an end, for the period established by law for filing or defending the appropriate legal actions. This is established at a maximum of fifteen (15) years in order to comply with Mercado’s legal obligations – which include the duty to assist the security forces as necessary in the investigation and prosecution of crimes pursuant to the higher interest of public safety – and defend itself or take any action in relation to criminal, tax and social security matters.
The said period may be shorter depending on the legal provision applicable to each purpose of data processing, as established in the table of retention periods set forth in Annex I.
ANNEX I - GENERAL RETENTION PERIODS
GENERAL
TERM DESCRIPTION LEGAL REF.
DATA PROTECTION 3 years The limitation periods for infringements are:
- Very serious infringements: after 3 years,
- Serious infringements: after 2 years,
- Minor infringements: after 1 year Spanish Organic Data Protection Law (LOPD)
PERSONAL CIVIL ACTIONS 5 years Personal actions of any kind without a specific limitation period established from the moment when the obligation becomes enforceable, taking into account that, in the case of ongoing positive or negative obligations, the period will start running again every time they are infringed. Article 1962 of the Spanish Civil Code (Código Civil)
ACCOUNTING
AND TAX DOCUMENTATION 6 years For commercial purposes: books, correspondence, documentation and supporting documents relating to their business, duly ordered, from the last entry in the books, save as may be established by general or special provisions. This commercial obligation applies to both compulsory books (income, expenses, investment goods and provisions), and the documentation and documentary evidence of the entries contained in the books (invoices issued and received, vouchers, amendment invoices, bank documents, etc.). Art. 30 of the Royal Decree of 22 August 1885 publishing the Civil Code
4 years For tax purposes: accounting books and other compulsory record books pursuant to the applicable tax legislation (personal income tax, VAT, corporation tax, etc.), as well as documentary evidence justifying the entries in the books (including software and computer files and any other documentary evidence that is relevant for tax purposes) must be retained at least for the period during which the tax authorities are entitled to verify and investigate and, therefore, assess and inform of, the tax owed. Section 3 (Limitation Periods), Arts. 66 to 70 of Law 58/2003 of 17 December 2003, the General Taxation Law (Ley General Tributaria)
INFORMATION RELEVANT FOR CRIMINAL ACTIONS 10 to 15 years Any information and documentation that may be relevant for the prosecution or defence of criminal proceedings relating to the criminal liability of legal persons.
This may include invoices, payment receipts, claims or complaints, delivery routes with geolocation, tax documentation and, in general, any other information from any data subject that may be useful to defend Mercado’s legal interests. Article 131 of the Organic Law 10/1995, of 23 November 1995, publishing the Spanish Criminal Code (Código Penal).
COURIERS
TERM DESCRIPTION LEGAL REF.
COMMERCIAL AGREEMENTS OR. CONTRACTS 6 years The agreements signed between the Courier and Mercado in case of commercial relationships. Article 30 of the Royal Decree of 22 August 1885 publishing the Code of Commerce (Código de Comercio).
COMMERCIAL AGREEMENTS OR. CONTRACTS 6 years The agreements signed between the Courier and Mercado in case of commercial relationships. Article 30 of the Royal Decree of 22 August 1885 publishing the Code of Commerce (Código de Comercio).
USERS AND CONSUMERS 3 years Claims to enforce performance of the service as a result of non-conformity with the contract are subject to a limitation period of three years after the delivery of the product Article 123.4 of Royal Legislative Decree 1/2007 of 16 November 2007 approving the consolidated text of the General User and Consumer Defence Law (Ley General para la Defensa de los Consumidores y Usuarios) and other additional laws
E-COMMERCE AND INFORMATION SOCIETY SERVICES 3 years The limitation periods for infringements are:
- Very serious infringements: after 3 years,
- Serious infringements: after 2 years,
- Minor infringements: after 6 months. Article 45 of Law 34/2002 of 11 July 2002 on E-Commerce and Information Society Services (Ley de Servicios de la Sociedad de la Información y el Comercio Electrónico)
7. Useful information if you are a PARTNER:
7.1 What are the data processing purposes and the legitimate basis of the processing?
Mercado will process your personal data in order to:
i) grant you the possibility to create your own account and maintain the business relationship with Mercado in order to provide technology intermediation in the generation of leads and processing of payments and other services relating to in-store sales and the delivery of products, also to handle incidents arising in relation to orders,
ii) provide you with customer service to answer your questions or consultations.
7.2 What kind of data do we hold about you and how is your personal data collected?
Mercado holds the following data about you:
• Information supplied directly by you:
1.1. Registration Data: the information provided by you when you create an account on the Mercado Platform: username and e-mail.
1.2. User Profile Information phone number and email; phone number and email; pursuit of the business relationship and be able to communicate with the Partner or the Investor by sending some communications through different channels such as: SMS, email.
1.3. Information of conversations held with Mercado Transcription and recording of conversations for the processing of incidents, queries or other consultations that may be made to guarantee and improve the quality of our services and for security reasons.
1.4. Any additional information that you provide in your requests, comments or questions
7.3 How long will we keep your data?
Mercado shall retain your data for the duration of the contractual relationship and, after this has come to an end, for the period established by law for filing or defending the appropriate legal actions. This is established at a maximum of fifteen (15) years in order to comply with Mercado’s legal obligations – which include the duty to assist the security forces as necessary in the investigation and prosecution of crimes pursuant to the higher interest of public safety – and defend itself or take any action in relation to criminal, tax and social security matters.
The said period may be shorter depending on the legal provision applicable to each purpose of data processing, as established in the table of retention periods set forth in Annex I.
ANNEX I - GENERAL RETENTION PERIODS
GENERAL
TERM DESCRIPTION LEGAL REF.
DATA PROTECTION 3 years The limitation periods for infringements are:
- Very serious infringements: after 3 years,
- Serious infringements: after 2 years,
- Minor infringements: after 1 year Spanish Organic Data Protection Law (LOPD)
PERSONAL CIVIL ACTIONS 5 years Personal actions of any kind without a specific limitation period established from the moment when the obligation becomes enforceable, taking into account that, in the case of ongoing positive or negative obligations, the period will start running again every time they are infringed. Article 1962 of the Spanish Civil Code (Código Civil)
ACCOUNTING
AND TAX DOCUMENTATION 6 years For commercial purposes: books, correspondence, documentation and supporting documents relating to their business, duly ordered, from the last entry in the books, save as may be established by general or special provisions. This commercial obligation applies to both compulsory books (income, expenses, investment goods and provisions), and the documentation and documentary evidence of the entries contained in the books (invoices issued and received, vouchers, amendment invoices, bank documents, etc.). Art. 30 of the Royal Decree of 22 August 1885 publishing the Civil Code
4 years For tax purposes: accounting books and other compulsory record books pursuant to the applicable tax legislation (personal income tax, VAT, corporation tax, etc.), as well as documentary evidence justifying the entries in the books (including software and computer files and any other documentary evidence that is relevant for tax purposes) must be retained at least for the period during which the tax authorities are entitled to verify and investigate and, therefore, assess and inform of, the tax owed. Section 3 (Limitation Periods), Arts. 66 to 70 of Law 58/2003 of 17 December 2003, the General Taxation Law (Ley General Tributaria)
INFORMATION RELEVANT FOR CRIMINAL ACTIONS 10 to 15 years Any information and documentation that may be relevant for the prosecution or defence of criminal proceedings relating to the criminal liability of legal persons.
This may include invoices, payment receipts, claims or complaints, delivery routes with geolocation, tax documentation and, in general, any other information from any data subject that may be useful to defend Mercado’s legal interests. Article 131 of the Organic Law 10/1995, of 23 November 1995, publishing the Spanish Criminal Code (Código Penal).
PARTNERS
TERM DESCRIPTION LEGAL REF.
COMMERCIAL AGREEMENTS OR. CONTRACTS 6 years The agreements signed between the Courier and Mercado in case of commercial relationships. Article 30 of the Royal Decree of 22 August 1885 publishing the Code of Commerce (Código de Comercio).
USERS AND CONSUMERS 3 years Claims to enforce performance of the service as a result of non-conformity with the contract are subject to a limitation period of three years after the delivery of the product Article 123.4 of Royal Legislative Decree 1/2007 of 16 November 2007 approving the consolidated text of the General User and Consumer Defence Law (Ley General para la Defensa de los Consumidores y Usuarios) and other additional laws
E-COMMERCE AND INFORMATION SOCIETY SERVICES 3 years The limitation periods for infringements are:
- Very serious infringements: after 3 years,
- Serious infringements: after 2 years,
- Minor infringements: after 6 months. Article 45 of Law 34/2002 of 11 July 2002 on E-Commerce and Information Society Services (Ley de Servicios de la Sociedad de la Información y el Comercio Electrónico)
MONEY LAUNDERING 10 years Documents formalising compliance with the obligations provided by law. The filing systems of regulated parties must ensure the proper management and availability of documentation both for internal control purposes and for the purpose of responding to requests from the authorities in a proper and timely manner.
Article 25 of Law 10/2010 of 28 April 2010 on the prevention of money laundering and the financing of terrorism (Ley de prevención del blanqueo de capitales y de la financiación del terrorismo).
8. Useful information if you are an INVESTOR:
8.1 What are the data processing purposes and the legitimate basis of the processing?
Mercado will process your personal data for the following purposes:
i) fulfil the requirements of Mercado’s Compliance Model of carrying out an Investors Due Diligence procedure,
ii) formalise the relationship with you as an Investor,
iii) notify you concerning the corporate matters and inform you about Mercado’s results.
8.2 What kind of data do we hold about you and how is your personal data collected?
1. Information supplied directly by you:
1.1. Registration Data: the information provided by you when you create an account on the Mercado Platform: username and e-mail.
1.2. User Profile Information: phone number and email; pursuit of the business relationship and be able to communicate with the Partner or the Investor by sending some communications through different channels such as: SMS, email.
1.3. Information of conversations held with Mercado: transcription and recording of conversations for the processing of incidents, queries or other consultations that may be made to guarantee and improve the quality of our services and for security reasons.
1.4. Any additional information that you provide in your requests, comments or questions.
8.3 How long will we keep your data?
Mercado shall retain your data for the duration of the contractual or investment relationship and, after this has come to an end, for the period established by law for filing or defending the appropriate legal actions. This is established at a maximum of fifteen (15) years in order to comply with Mercado’s legal obligations – which include the duty to assist the security forces as necessary in the investigation and prosecution of crimes pursuant to the higher interest of public safety – and defend itself or take any action in relation to criminal, tax and social security matters.
The said period may be shorter depending on the legal provision applicable to each purpose of data processing, as established in the table of retention periods set forth in Annex I.
ANNEX I - GENERAL RETENTION PERIODS
GENERAL
TERM DESCRIPTION LEGAL REF.
DATA PROTECTION 3 years The limitation periods for infringements are:
- Very serious infringements: after 3 years,
- Serious infringements: after 2 years,
- Minor infringements: after 1 year Spanish Organic Data Protection Law (LOPD)
PERSONAL CIVIL ACTIONS 5 years Personal actions of any kind without a specific limitation period established from the moment when the obligation becomes enforceable, taking into account that, in the case of ongoing positive or negative obligations, the period will start running again every time they are infringed. Article 1962 of the Spanish Civil Code (Código Civil)
ACCOUNTING
AND TAX DOCUMENTATION 6 years For commercial purposes: books, correspondence, documentation and supporting documents relating to their business, duly ordered, from the last entry in the books, save as may be established by general or special provisions. This commercial obligation applies to both compulsory books (income, expenses, investment goods and provisions), and the documentation and documentary evidence of the entries contained in the books (invoices issued and received, vouchers, amendment invoices, bank documents, etc.). Art. 30 of the Royal Decree of 22 August 1885 publishing the Civil Code
4 years For tax purposes: accounting books and other compulsory record books pursuant to the applicable tax legislation (personal income tax, VAT, corporation tax, etc.), as well as documentary evidence justifying the entries in the books (including software and computer files and any other documentary evidence that is relevant for tax purposes) must be retained at least for the period during which the tax authorities are entitled to verify and investigate and, therefore, assess and inform of, the tax owed. Section 3 (Limitation Periods), Arts. 66 to 70 of Law 58/2003 of 17 December 2003, the General Taxation Law (Ley General Tributaria)
INFORMATION RELEVANT FOR CRIMINAL ACTIONS 10 to 15 years Any information and documentation that may be relevant for the prosecution or defence of criminal proceedings relating to the criminal liability of legal persons.
This may include invoices, payment receipts, claims or complaints, delivery routes with geolocation, tax documentation and, in general, any other information from any data subject that may be useful to defend Mercado’s legal interests. Article 131 of the Organic Law 10/1995, of 23 November 1995, publishing the Spanish Criminal Code (Código Penal).
9. Useful information if you are a JOB APPLICANT:
9.1 What are the data processing purposes and the legitimate basis of the processing?
Mercado will process your personal data for the following purposes:
i) consider your present or future suitability for any of the positions available at Mercado. In addition, Mercado shall process your data for the purpose of conducting any interviews it may deem necessary for the position, test your knowledge, contact companies for which you have previously worked, check references, and assess your skills and abilities in general.
ii) provide you with information of your interest regarding our Job offers.
9.2 What kind of data do we hold about you and how is your personal data collected?
Mercado holds the following data about you:
• Information supplied directly by you:
1.1. Registration Data: the information provided by you when you apply for the position available at Mercado or when you request information of your interest regarding our job offers, including the information of your CV and any additional information provided by you during interviews, results of any test or assessment on skills, abilities carried out, information on previous companies and references.
1.2. Academic and Professional Data: student history, professional experience, membership in professional associations, trainings, qualifications.
1.3. Any additional information that you provide in your requests, comments or questions.
9.3 How long will we keep your data?
Your data will be retained for the duration of the selection process and, if you are not selected, for two (2) years following the end of such process, for the purpose of being able to offer the candidate any other vacancy that may be similar and/or compatible to those for which he/she has applied.
If you register in our Mercado Careers portal, your personal data may be retained until you delete your user or any information that you may have included in your applicant profile.
In some cases, we may have to retain some information to comply with any legal provision applicable, such as in case of fraud on your application, according to the table of general retention periods set forth in Annex I.
ANNEX I - GENERAL RETENTION PERIODS
GENERAL
TERM DESCRIPTION LEGAL REF.
DATA PROTECTION 3 years The limitation periods for infringements are:
- Very serious infringements: after 3 years,
- Serious infringements: after 2 years,
- Minor infringements: after 1 year Spanish Organic Data Protection Law (LOPD)
PERSONAL CIVIL ACTIONS 5 years Personal actions of any kind without a specific limitation period established from the moment when the obligation becomes enforceable, taking into account that, in the case of ongoing positive or negative obligations, the period will start running again every time they are infringed. Article 1962 of the Spanish Civil Code (Código Civil)
ACCOUNTING
AND TAX DOCUMENTATION 6 years
For commercial purposes: books, correspondence, documentation and supporting documents relating to their business, duly ordered, from the last entry in the books, save as may be established by general or special provisions. This commercial obligation applies to both compulsory books (income, expenses, investment goods and provisions), and the documentation and documentary evidence of the entries contained in the books (invoices issued and received, vouchers, amendment invoices, bank documents, etc.). Art. 30 of the Royal Decree of 22 August 1885 publishing the Civil Code
4 years For tax purposes: accounting books and other compulsory record books pursuant to the applicable tax legislation (personal income tax, VAT, corporation tax, etc.), as well as documentary evidence justifying the entries in the books (including software and computer files and any other documentary evidence that is relevant for tax purposes) must be retained at least for the period during which the tax authorities are entitled to verify and investigate and, therefore, assess and inform of, the tax owed. Section 3 (Limitation Periods), Arts. 66 to 70 of Law 58/2003 of 17 December 2003, the General Taxation Law (Ley General Tributaria)
INFORMATION RELEVANT FOR CRIMINAL ACTIONS 10 to 15 years Any information and documentation that may be relevant for the prosecution or defence of criminal proceedings relating to the criminal liability of legal persons.
This may include invoices, payment receipts, claims or complaints, delivery routes with geolocation, tax documentation and, in general, any other information from any data subject that may be useful to defend Mercado’s legal interests. Article 131 of the Organic Law 10/1995, of 23 November 1995, publishing the Spanish Criminal Code (Código Penal).
10. Useful information if you are a PROSPECT:
10.1 What are the data processing purposes and the legitimate basis of the processing?
Mercado will process your personal data for the following purposes:
i) process your requests to obtain the products and/or services offered by Mercado and manage the prospective relationship between both parties,
ii) carry out marketing, communications, research activities regarding Mercado’s products and/or services that are similar to those included in your request.
10.2 What kind of data do we hold about you and how is your personal data collected?
Mercado holds the following data about you:
• Information supplied directly by you:
1.1. Registration Data: the information provided by you when you request for information relating to our products and/or services.
1.2. Any additional information that you provide in your requests, comments or questions.
10.3 How long will we keep your data?
Mercado shall retain your data while it is necessary to provide you with the relevant answer to any question you may ask and, after this has come to an end, for the period established by law for filing or defending the appropriate legal actions. The said period may vary depending on the legal provision applicable to each purpose of data processing, as established in the table of retention periods set forth in Annex I.
ANNEX I - GENERAL RETENTION PERIODS
GENERAL
TERM DESCRIPTION LEGAL REF.
DATA PROTECTION 3 years The limitation periods for infringements are:
- Very serious infringements: after 3 years,
- Serious infringements: after 2 years,
- Minor infringements: after 1 year Spanish Organic Data Protection Law (LOPD)
PERSONAL CIVIL ACTIONS 5 years Personal actions of any kind without a specific limitation period established from the moment when the obligation becomes enforceable, taking into account that, in the case of ongoing positive or negative obligations, the period will start running again every time they are infringed. Article 1962 of the Spanish Civil Code (Código Civil)
ACCOUNTING
AND TAX DOCUMENTATION 6 years For commercial purposes: books, correspondence, documentation and supporting documents relating to their business, duly ordered, from the last entry in the books, save as may be established by general or special provisions. This commercial obligation applies to both compulsory books (income, expenses, investment goods and provisions), and the documentation and documentary evidence of the entries contained in the books (invoices issued and received, vouchers, amendment invoices, bank documents, etc.). Art. 30 of the Royal Decree of 22 August 1885 publishing the Civil Code
4 years For tax purposes: accounting books and other compulsory record books pursuant to the applicable tax legislation (personal income tax, VAT, corporation tax, etc.), as well as documentary evidence justifying the entries in the books (including software and computer files and any other documentary evidence that is relevant for tax purposes) must be retained at least for the period during which the tax authorities are entitled to verify and investigate and, therefore, assess and inform of, the tax owed. Section 3 (Limitation Periods), Arts. 66 to 70 of Law 58/2003 of 17 December 2003, the General Taxation Law (Ley General Tributaria)
INFORMATION RELEVANT FOR CRIMINAL ACTIONS 10 to 15 years Any information and documentation that may be relevant for the prosecution or defence of criminal proceedings relating to the criminal liability of legal persons.
This may include invoices, payment receipts, claims or complaints, delivery routes with geolocation, tax documentation and, in general, any other information from any data subject that may be useful to defend Mercado’s legal interests. Article 131 of the Organic Law 10/1995, of 23 November 1995, publishing the Spanish Criminal Code (Código Penal).
11. Useful information if you are a WEB VISITOR:
11.1 What are the data processing purposes and the legitimate basis of the processing?
Mercado will process your personal data for the following purposes:
i) follow up your comments left on Mercado Website or our Blog. This may include, depending on your consent, the notification of new comments on the article commented by you, and the information on new entries on the blog or our website.
ii) provide you with the answer regarding your request.
11.2 What kind of data do we hold about you and how is your personal data collected?
Mercado holds the following data about you:
• Information supplied directly by you:
1.1. Registration Data: the information provided by you when you request for information relating to our products and/or services.
1.2. Any additional information that you provide in your requests, comments or questions.
1.3. Data derived from cookies: MERCADO uses its own and third party cookies to facilitate navigation for its users and for statistical purposes (see Cookies Policy).
11.3 How long will we keep your data?
Mercado shall retain your data while it is necessary to provide you with the relevant answer to any question you may ask and, after this has come to an end, for the period established by law for filing or defending the appropriate legal actions.
The said period may vary depending on the legal provision applicable to each purpose of data processing, as established in the table of retention periods set forth in Annex I.
Any comment you may post on our articles published on Mercado Website and/or Blog may be kept indefinitely while the post is still published.
ANNEX I - GENERAL RETENTION PERIODS
GENERAL
TERM DESCRIPTION LEGAL REF.
DATA PROTECTION 3 years The limitation periods for infringements are:
- Very serious infringements: after 3 years,
- Serious infringements: after 2 years,
- Minor infringements: after 1 year Spanish Organic Data Protection Law (LOPD)
PERSONAL CIVIL ACTIONS 5 years Personal actions of any kind without a specific limitation period established from the moment when the obligation becomes enforceable, taking into account that, in the case of ongoing positive or negative obligations, the period will start running again every time they are infringed. Article 1962 of the Spanish Civil Code (Código Civil)
ACCOUNTING
AND TAX DOCUMENTATION 6 years For commercial purposes: books, correspondence, documentation and supporting documents relating to their business, duly ordered, from the last entry in the books, save as may be established by general or special provisions. This commercial obligation applies to both compulsory books (income, expenses, investment goods and provisions), and the documentation and documentary evidence of the entries contained in the books (invoices issued and received, vouchers, amendment invoices, bank documents, etc.). Art. 30 of the Royal Decree of 22 August 1885 publishing the Civil Code
4 years For tax purposes: accounting books and other compulsory record books pursuant to the applicable tax legislation (personal income tax, VAT, corporation tax, etc.), as well as documentary evidence justifying the entries in the books (including software and computer files and any other documentary evidence that is relevant for tax purposes) must be retained at least for the period during which the tax authorities are entitled to verify and investigate and, therefore, assess and inform of, the tax owed. Section 3 (Limitation Periods), Arts. 66 to 70 of Law 58/2003 of 17 December 2003, the General Taxation Law (Ley General Tributaria)
INFORMATION RELEVANT FOR CRIMINAL ACTIONS 10 to 15 years Any information and documentation that may be relevant for the prosecution or defence of criminal proceedings relating to the criminal liability of legal persons.
This may include invoices, payment receipts, claims or complaints, delivery routes with geolocation, tax documentation and, in general, any other information from any data subject that may be useful to defend Mercado’s legal interests. Article 131 of the Organic Law 10/1995, of 23 November 1995, publishing the Spanish Criminal Code (Código Penal).
12. Do we proceed to international transfer of data?
When choosing service providers, Mercado may transfer your data outside the borders of the European Economic Area, for example to the United States. In such cases, Mercado will ensure before sending the data, that such service providers are in compliance with the standard clauses and minimum security standards established by the European Commission and that they always process the data in accordance with Mercado’s instructions.
Basis and instructions regarding the international transfer
Mercado may have a contractual relationship with service providers under which they agree to comply with Mercado’s instructions and put in place the necessary security measures to protect your data.
Where Mercado is compelled to carry out further processing by EU law or the law of the EU Member States to which it is subject, it shall inform the service provider of such legal requirements prior to the processing.
Mercado may subsequently change, supplement or replace the instructions initially given to the service provider by means of individual instructions and is entitled to issue appropriate instructions at any time. This includes, among other things, instructions regarding the correction, deletion and prohibition of data. All instructions issued shall be documented by both Mercado and the service provider.
Requirements directed to service providers
Service providers may only collect, process or use data pursuant to a master contract and in accordance with Mercado’s instructions. This applies in particular to the transfer of personal data to a third country or an international organizations.
External service providers are required to inform Mercado if they consider that an instruction issued by Mercado, is in contravention of the data protection legislation. Furthermore, service providers are entitled to suspend the execution of the instruction concerned until its confirmation or modification by Mercado, and they have a duty to refuse to carry out any instructions that are clearly illegal.
13. Do we proceed to automated decision making?
Mercado does not adopt any decision that could affect our User/ Courier / Job Applicant significantly based solely on automated processing of their data (e.g. reordering from the stores where our Users have ordered in the past). The only decision-making processes of Mercado are conducted by applying human intervention (e.g. defining the conditions that the User shall meet to be considered for an offer, such as location).
Regarding the existence of automated decisions with legal effects for the Courier, it should be noted that:
• Decisions are not made solely on the basis of the automated processing of the personal data of Couriers, but, where appropriate, on the basis of an assessment of the performance of the service.
• Consumers or Stores have generated all parameters to be taken into account manually.
• All parameters and metrics used to make such decisions always and exclusively refer to the service and the execution of the Terms and Conditions, regardless of the Courier executing it.
• Profiles based on the personal data or personal characteristics of the Couriers are not created, as described below.
• In no case the attributes of the personality or of the non-professional sphere of the Couriers are taken into account.
• The results depend on previous and voluntary actions of the Couriers.
• The results may be corrected if there has been an error and/or discrepancy between the Couriers and Mercado.
• The Couriers are not prevented from exercising any right.
• The Couriers are not prevented from accessing a good or service.
• The Couriers are not prevented from entering into a contract.
14. Do we proceed to profile creations?
When using the application, Mercado classifies Users based on the information provided by them about their usage of the application to adapt it to their needs and to improve it.
The classification is conducted by solely using first party data. We use information that our Users provide us, such as their historical orders and popularity among new users to suggest similar stores that could be of their interest. This classification is only intended to ensure that our Users find relevant contents, Partners or offers, among others, that may be suitable according to their preferences, and will never have any legal effect on them or the provision of the services by Mercado, the Partners or the Couriers.
15. What security measures have been adopted?
Mercado has taken the necessary steps recommended by the European Commission and the competent authority to maintain the required security level, according to the nature of the personal data processed and the circumstances of the processing, in order to avoid, to the extent possible and always in accordance with the state of the art, its alteration, loss or unauthorised access or processing. As mentioned above, the personal data supplied will not be disclosed to third parties without the data subject’s prior authorisation.
16. Definitions
For the purpose of this document:
• “Data Controller” shall mean: the entity in charge of determining the purposes and means of the processing of personal data
• “Data Processor” shall mean: the entity in charge of processing personal data on behalf of the controller
• “GDPR” shall mean: General Data Protection Regulation ((EU) 2016/679)
• “Glover(s)” also referred to as “Courier(s)” shall mean: the independent professionals in charge of providing the user with delivery services and who may access User’s personal data in order to perform such services
• “Mercado” also referred to as “Us” / “we / our / ours” shall mean: the company of the Mercado Group corresponding to the country where User(s) or Courier(s) have registered for the first time in the website or App. The legal details of such a company are included hereafter in the section “Who is the data controller of your data?”
• “Investor(s)” shall mean: anyone who shows interest in committing capital with the expectation of receiving financial returns
• “Job Applicant” shall mean: anyone who applies for a Job on Mercado's website or App
• “Local regulation” shall mean: the data protection regulation applicable to your country
• “Order(s)” shall mean: both food and non-food product/ service requested by the User through the Mercado Platform
• “Partner(s)” shall mean: local stores, physical “retailer”, “supplier”, or “seller” that offer to Users include their products and/or services in the Mercado Platform
• “Personal data” shall mean: any information which directly relates to User(s), Courier(s), Job Applicant(s), Partner(s), Investor(s), Prospect(s), Website Visitor(s) or that may allow their identification
• “Platform” shall mean: both and indifferently the Mercado website and Application
• “App” shall mean: the word “App” is used interchangeably with the word “Platform” , both words means the same: both and indifferently the Mercado website and Application
• “Processing of personal data” also referred to as “Data activity(ies)” shall mean: any activity performed on or with your Personal data, such as collecting, organising, accessing, holding, storing, disclosing, adapting, destroying, erasing or using the Data in any way
• “Profiling” is the process of construction and application of user profiles generated by computerised data analysis also understandable as the use of algorithms or other mathematical techniques that allow the discovery of patterns or correlations in large quantities of data, aggregated in databases
• “Prospects” shall mean: anyone who leaves their data on Mercado’s forms to receive information about Mercado’s services
• “User(s)” shall mean: anyone who registers on Mercado's website or App
• “Website Visitor(s)” shall mean: anyone who browses Mercado website, leaves comments in relation to Mercado’s publications or asks any questions through the website