Astrum

Menu

Privacy Policy

Last Updated: December 18, 2025

  1. General Principles The Astrum Group is committed to the protection of personal data. All processing activities are conducted in strict compliance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and the applicable local data protection regulations of the jurisdictions in which we operate. This policy specifically applies to data collected through the Astrum CRO website.
  1. Data Controller The primary entity responsible for the processing of personal data is: Astrum CRO S.L. (Spain).

Note: In instances where a user applies for a position or enters into a contract with a specific subsidiary (e.g., Astrum Germany), that respective entity shall act as a Joint Controller of the data.

  1. Nature and Purpose of Data Processing We collect and process personal data exclusively for specified, explicit, and legitimate purposes:

A. Technical Usage Data (Server Logs)

  • Purpose: To ensure the technical functionality, stability, and security of the website (e.g., defending against cyberattacks).
  • Categories of Data: IP address, browser type and version, operating system, referrer URL, and time of server request.
  • Legal Basis: Art. 6(1)(f) GDPR (Legitimate Interest in network security and error diagnosis).
  • Retention Period: Technical logs are deleted or anonymized after [e.g., 14 days], unless required for evidence in a security incident.

B. Commercial and Business Communications (Contact Forms)

  • Purpose: To manage Requests for Information (RFI), facilitate business development, and prepare commercial proposals via our website contact forms.
  • Categories of Data: Professional contact details (Name, Email, Phone), Corporate information (Company, Job Title, Country), and project-specific data provided in the message field.
  • Legal Basis: Art. 6(1)(f) GDPR (Legitimate Interest) and Art. 6(1)(b) GDPR (Performance of pre-contractual measures).
  • Retention Period: Data shall be retained for the duration of the commercial relationship or as mandated by applicable fiscal and commercial legislation.

C. Recruitment and Selection Processes

  • Purpose: To assess the suitability of candidates for current or future vacancies within the Astrum Group via the “Join Us” or application forms.
  • Categories of Data: Identification data, contact details, curriculum vitae (CV), cover letters, and professional qualifications.
  • Legal Basis: Art. 6(1)(b) GDPR (Pre-contractual measures taken at the request of the data subject).
  • Retention Period: Data retention is governed strictly by the local labor laws of the hiring entity (Spain, Germany, France, or Portugal).
    • Talent Pool: Absent immediate hiring, personal data will be securely erased upon expiration of the statutory period, unless the candidate provides explicit consent for extended retention.
  1. Data Security and Hosting
    • Secure Data Transmission (SSL/TLS): We use encryption technology to protect your personal data while it travels from your device to our servers. You can recognize this secure connection by the lock symbol in your browser address bar and the “https://” prefix. This ensures that third parties cannot read the data you send us.
  1. Disclosure and International Data Transfers Personal data may be shared within the Astrum Group and with select third parties under the following conditions:
    • Intra-Group Transfers: Data may be communicated to subsidiaries in Germany, France, and Portugal for administrative purposes or project allocation. Such transfers are regulated by internal data processing agreements ensuring a unified level of protection.
    • Third-Party Processors: We engage authorized service providers (e.g., hosting services, recruitment software) who act as Data Processors. All such providers are contractually bound to comply with European data protection standards.
    • International Transfers: Primary processing occurs within the European Economic Area (EEA). In the event data is transferred outside the EEA, appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (SCCs), are implemented.
  1. Automated Decision-Making We do not utilize fully automated decision-making or profiling (as defined in Art. 22 GDPR) to make decisions that have legal effects on you (e.g., we do not use AI to automatically reject job applications without human review).
  1. Voluntary Provision of Data The provision of personal data via our forms is voluntary. However, failure to provide mandatory fields (marked with an asterisk) may prevent us from processing your inquiry or application.
  1. Rights of the Data Subject In accordance with applicable law, users possess the following rights regarding their personal data:
    • Right of Access: To request confirmation of whether personal data is being processed.
    • Right to Rectification: To request the correction of inaccurate data.
    • Right to Erasure (Right to be Forgotten): To request the deletion of data when it is no longer necessary for the collected purposes.
    • Right to Restriction of Processing: To limit the processing of data under certain circumstances.
    • Right to Object: To oppose the processing of data based on legitimate interest.
    • Right to Data Portability: To receive personal data in a structured, commonly used format.

 

To exercise these rights, requests must be submitted in writing to privacy@astrumcro.com. Users also retain the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) or the competent local supervisory authority.

  1. Cookie Policy This website utilizes cookies to optimize functionality. For detailed information regarding cookie usage and configuration, please refer to our [Cookie Policy].