RCD group’s general principles on personal data protection

Data protection and security is absolutely paramount at the RCD Group. Our goal goes beyond having all RCD Group companies provide excellent services. We also want to be privacy protection leaders. For that reason, meeting all legal requirements when collecting and processing personal data is part of our nature. In particular, these requirements include Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”); Organic Law 3/2018, of 5 December, on Personal Data Protection and Securing Digital Rights (hereinafter referred to as “LOPDGDD”) and any other implementing regulations in force at a given time.

This policy covers the general principles on data protection and the measures put in place by the RCD Group to protect the rights and freedoms of natural persons with respect to processing their data.


The RCD Group provides its services through the following companies:

  • Rousaud Costas Duran, S.L.P. - Escoles Pies, 102 (08017) de Barcelona.

  • Rousaud Costas Duran Abogados, S.L.P.U. - Serrano, 116 20 3º (28006) de Madrid.

  • Rousaud Costas Duran Valencia, S.L.P.U. - Calle Colón, 31 (46004) de Valencia.

  • DWF-RCD Andalucía, S.L.P. - San Fernando, (41004) de Sevilla.

  • RCD Tax and Legal Advisors, S.L.P.U. - Escoles Pies, 102 (08017) de Barcelona.

  • RCD Concursal, S.L.P. - Escoles Pies, 102 (08017) de Barcelona.

  • Gestart Assessors, S.L.U. - Escoles Pies, 102 (08017) de Barcelona.

  • Gestart Asesoramiento Empresarial, S.L.U. - Serrano, 116 20 3º (28006) de Madrid.


    The RCD Group observes and implements the following principles when processing personal data:

    Principle of lawfulness: Data processing always requires a legal basis.

    Principle of transparency: All data subjects should be able to understand how their data is being processed.

    Principle of purpose limitation: The purposes for processing personal data should be clearly identified beforehand and be defined when collecting. Personal data will therefore be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

    Principle of data minimization: Personal data undergoing processing will be adequate, relevant and restricted to what is necessary in relation to the purposes for which they are processed.

    Principle of accuracy: Personal data need to be fully and correctly stored and be kept up to date. Every reasonable step must be taken to erase, rectify, supplement, or update that data which are inaccurate or incomplete or outdated.

    Principle of retention period limitation: Personal data needs to be stored for no longer than is strictly necessary for the processing purposes or as allowed by other legal rules.

    Principle of integrity and confidentiality: Appropriate technical and organizational measures must be taken when processing personal data in order to properly protect data, especially against unauthorized or illegal processing, and accidental loss, destruction or damage.


    For information about how personal data collected through communication channels on our website is processed please visit the following privacy policies: https://www.rcd.legal/es/politica-privacidad (Rousaud Costas Duran, S.L.P.) and http://www.ges-start.com/politica-privacidad/ (Gestart Assessors, S.L.U.).

    This Policy includes the RCD Group’s General Principles on personal data protection which applies to all Group companies and it generally concerns the principles observed and implemented by all RCD Group companies.

    The main purpose why we process personal data is to deliver our services. However, RCD Group companies deliver a wide variety of services which involve processing personal data. The RCD Group may process personal data for, but not limited to, the following:

    • Preparing service proposals;

    • Verifying background materials and potential conflicts of interest;

    • Keeping clients and potential clients informed about legal news and/or RCD’s services, by sending alerts, newsletters, invitations to events or similar communications;

    • Complying with our legal obligations, such as those related to the prevention of money laundering and financing of terrorism;

    • Improving our services and implementing client satisfaction measures;

    • Managing our communication policy and relationship with the media;

    • Verifying adherence to our own compliance policies;

    • Managing data we receive from job candidates in present or future; recruitment processes in order to manage talent acquisition processes.

    In keeping with the principle of lawfulness, all RCD Group data processing will take place based on the appropriate legal basis.

    The RCD Group may rely on any of the following legal bases for processing your data: (A) when necessary for meeting the legitimate interests pursued by RCD Group companies; (B) when you have granted your consent; (C) when necessary for meeting RCD Group companies’ legal and regulatory requirements and (D) where necessary for complying with a contract to which you are a party or for implementing precontractual measures.


    Protecting the rights and freedoms of natural persons with respect to processing their data is a key priority for all RCD Group companies. Data subjects have the following rights, inter alia, to ensure that protection:

    • Information: Data subjects will be made aware about how their data will be processed quickly and transparently. This applies for personal data received directly from data subjects and for personal data collected by other organizations (collected by third parties).

    • Access: Data subjects may at any time request information about their stored and/or processed personal data, as well as a copy of their stored and/or processed personal data.

    • Rectification: Data subjects may at any time request that incorrect or incomplete data be rectified or completed (i.e., a name or address is wrong).

    • Erasure: Data subjects may request that their personal data be erased. This right will always apply provided it does not conflict with existing requirements or rights (i.e., storage requirement under current legislation).

    • Restriction of processing: Data subjects may request their personal data be restricted (i.e., if they are inaccurate).

    • Objection: Data subjects may at any time object to having their personal data processed for advertising purposes, and may object to other purposes under certain conditions according to the specific personal circumstances of each data subject.

    • Automated individual case-by-case decisions: In the context of efficient commercial transactions, data subjects are only subject to an automated individual case-by-case decision if it is legal (i.e., in the context of complying with a contract). Data subjects will be made aware of the relevant automated processing procedures.

    • Data portability: Should a data subject wish to have their data processed by a different data controller, they may request, provided it is technically possible, that their personal data be transmitted to the new data controller.
    The RCD Group ensures that if the data subject granted their consent for a specific purpose then they may withdraw it at any time. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal.

    When exercising their rights, data subjects are to write to Rousaud Costas Duran, S.L.P. Carrer de les Escoles Pies, 102, Barcelona (08017), stating their name, last name, and address, or send us an email at: privacy@rcd.legal. When there are doubts regarding your identity, you may be asked to provide a photocopy of your DNI or of any other valid identity document. To do so, you may use the Spanish Data Protection Agency’s rights forms available on its official website: https://www.aepd.es/reglamento/derechos/index.html. Data subjects also have the right to lodge a complaint with the supervisory authority, in this case the Spanish Data Protection Agency (https://sedeagpd.gob.es/sede-electronica-web/vistas/formNuevaReclamacion/reclamacion.jsf), and with other public competent bodies for any complaints regarding your personal data.


    Depending on the purposes why personal data are being collected, any of the following people may access them individually: (a) RCD Group authorized staff or their representatives acting on behalf of the RCD Group, subject to any applicable data protection legislation; (b) regulatory authorities and other third parties in compliance with applicable legislation; (c) third parties/data processors (service providers processing information as data processors under the instructions of RCD). All of this will only take place after undertaking the actions necessary to ensure that we may share said information and after entering into the relevant external data processor contract in compliance with data protection regulations.

    Appropriate measures will be taken to ensure the protection of personal data being processed provided they are processed by service providers or external collaborators on behalf of any RCD Group company.

    The RCD Group will not provide data to third parties without your specific consent. However, as a result of the relationship with the data subject we may disclose their data to: (1) companies belonging to the RCD Group at any given time; (2) other law firms and/or professionals we may work with, as long as you have provided your consent for us to do so; (3) competent bodies and/or authorities for cases where a legal requirement and/or obligation exists.

    In cases where it is necessary to transfer personal data to recipients located in countries that do not belong to the EU, or that do not guarantee a level of protection comparable to that derived from Regulation (EU) 2016/679, we do so only in fulfilment with the legally established requirements and guarantees.


    We implement all appropriate technical and organizational measures to protect personal data processing. In particular, these include measures for ensuring personal data confidentiality, integrity, and availability, including the ability to recover systems and services.

    The risks to the rights and freedoms of data subjects are considered during all processing operations when selecting technical and organizational measures. Processing will be subject to additional risk and measure monitoring for high-risk scenarios.

    When processing personal data, the RCD Group applies the principle of “data protection through the design of appropriate technology and presettings for data protection” (privacy by design/by default).

    The technical and organizational measures will be reviewed regularly in terms of effectiveness and will be adjusted as needed based on the latest state of the art technology. This will also take place for technical and organizational measures implemented by service providers or external partners. Despite these measures being implemented efficiently, data subjects are cautioned that Internet security measures are not impenetrable. The RCD Group is not liable for the acts of third parties who gain access to personal data and information by violating these measures.


    The RCD Group’s Data Protection Officer (privacy@rcd.legal) reviews and updates this Policy annually.
    If you do not understand one or more of the aspects covered by this Policy, or if you have any questions about it, please send us an email at privacy@rcd.legal.

    Last update: december 2022.