GDPR Rights Notice
Effective and last updated: July 13, 2026
This notice explains how to exercise data-protection rights with BAM SEO and how we act when we process personal data as a controller or processor. It supplements the Privacy Policy.
1. Controller and processor roles
BAM SEO is the controller for personal data collected through this website, audit requests, commercial correspondence, and its own business administration. Contact: [email protected], Barcelona, Spain.
When BAM SEO handles personal data solely on a client's documented instructions while delivering services, the client is normally the controller and BAM SEO is a processor. The service agreement or data processing agreement governs that activity. BAM SEO may remain an independent controller for billing, security, legal compliance, and management of its own business contacts.
2. Principles and legal bases
We apply the GDPR principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.
The lawful basis depends on the activity: steps requested before a contract for audit and proposal requests; performance of a contract for client administration; legitimate interests for proportionate site security, fraud prevention, and B2B relationship management; consent for optional analytics or marketing; and legal obligation for tax, accounting, regulatory, and lawful disclosure duties.
3. Your rights
Subject to the conditions and exceptions in applicable law, you may exercise the following rights:
- Access: confirmation of whether we process your data and a copy of relevant personal data.
- Rectification: correction of inaccurate data and completion of incomplete data.
- Erasure: deletion where the data is no longer needed, consent is withdrawn, an objection succeeds, or processing is unlawful.
- Restriction: temporary limitation of processing in the circumstances set out in Article 18 GDPR.
- Portability: receipt of data you supplied in a structured, commonly used, machine-readable format where processing is automated and based on consent or contract.
- Objection: opposition to processing based on legitimate interests, including an unconditional right to object to direct marketing.
- Withdrawal of consent: withdrawal at any time, without affecting processing already carried out lawfully.
- Automated decisions: protection from decisions based solely on automated processing that produce legal or similarly significant effects, where Article 22 applies.
4. How to submit a request
Send a request to [email protected] with the subject 'Data Protection Request' or use the contact page and clearly identify the right you want to exercise. Provide enough information to locate the relevant records, such as the email address used to contact us and the approximate date of the interaction.
We may request proportionate additional information when reasonably necessary to verify identity. Do not send identity documents unless we specifically request them. An authorised representative may act for you if they provide evidence of authority.
5. Response time, verification, and limits
We will respond without undue delay and normally within one month of receiving a complete request. For complex or numerous requests, the GDPR permits an extension of up to two additional months; if that applies, we will explain the extension within the first month.
Requests are normally free. We may charge a reasonable fee or refuse to act only where a request is manifestly unfounded or excessive, particularly because it is repetitive, and we will explain the decision. Legal retention duties, the rights of others, privilege, freedom of expression, and the establishment or defence of legal claims may limit a request.
6. Consent and direct-marketing objections
You can reject optional analytics from the first-layer banner. You can later withdraw consent by opening Cookie preferences in the footer. Withdrawal applies prospectively and does not affect the lawfulness of earlier processing.
To stop B2B promotional email, use any unsubscribe method provided or email [email protected]. We may retain a minimal suppression record so that we can honour the objection.
7. International transfers
Some providers may process data outside the European Economic Area. Where no adequacy decision applies, BAM SEO relies on an available transfer mechanism such as the European Commission's Standard Contractual Clauses, together with supplementary safeguards where required. More detail is provided in the Privacy Policy or on request.
8. Complaints
If you believe your request has not been handled properly, contact us first so we can investigate. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es, or with the supervisory authority in the EU or EEA country of your habitual residence, workplace, or the place of the alleged infringement.