This is the data protection policy of the Baix Empordà Regional Council. It refers to the data of natural persons the Regional Council interacts with when carrying out its responsibilities and functions. Given the functions of the Baix Empordà Regional Council, some processing results from providing services to other public administrations that have delegated functions to it. The processing complies with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) and Spanish regulations covering this matter.
Who is the controller of the personal data?
The controller of the personal data is the Baix Empordà Regional Council (the Regional Council), which has tax identification number (CIF) P6700009A, its address at carrer Tarongers, 12, la Bisbal d’Empordà (CP17100), email address firstname.lastname@example.org and the website https://baixemporda.cat/.
With are the criteria for processing the personal data?
In data processing, we fully accept the principles of the General Data Protection Regulation.
a) We process the data lawfully (solely when we have a legal basis that enables us to do so and with transparency towards the data subject).
b) We use the data for the particular, explicit and legitimate purposes that we set out at the moment we obtain it. We do not subsequently process data in any way that is incompatible with these purposes.
c) We only process the data that is appropriate, relevant and limited to what is necessary in each case and for each purpose.
d) We make an effort to ensure your data is up-to-date.
e) We store the data for the necessary time, complying with the regulations governing the retention of public information.
f) We put in place the appropriate technical and organisational measures to avoid unauthorised or illegal processing, or the loss, destruction or accidental damage of data.
Who is the Data Protection Officer?
The Data Protection Officer (DPO) is the person who oversees compliance with the Regional Council’s data protection policy, making sure that personal data is processed appropriately and that individuals’ rights are protected. The DPO’s functions include responding to any doubts, suggestions, complaints or claims by persons whose data is processed. The Data Protection Officer can be contacted in writing at carrer Tarongers, 12, la Bisbal d’Empordà (17100), tel. 972642310 or at the email address email@example.com.
What purpose do you process the data for and who do you share it with?
The Regional Council processes data to fulfil its responsibilities and functions. The Regional Council’s services are described on its website and its online portal.
Administrative processes and procedures.
On the basis of requests by data subjects, we use their data to follow the processing pertaining to each procedure. The list of procedures and the processing undertaken can be consulted at the Regional Council’s online portal. Depending on the procedure, the data can be shared with other authorities that are competent in the matter. In some cases, the data must be published to comply with the principle of transparency.
In order to provide our services, we process data provided by users or data we acquire from other administrations. Offering these services often involves following them up and obtaining new data from people who use them. You can consult the list of services on our website. As a general criterion, the data is not shared with other persons without the explicit consent of the user of the service.
When organising cultural, leisure, educational or sporting activities, we receive data from the people who register for them with the purpose of organising the activity. As a general criterion the data is not shared with other persons without the explicit consent of the person who participates in the activity.
We respond to consultations from people who use the contact forms on our website. The data is only used for this purpose and is not shared with other persons.
We receive CVs and organise staff recruitment processes. The data applicants provide enables us to evaluate their merits and analyse whether their profiles are suitable for vacant posts or newly created positions. It is not shared with other persons.
With each person’s express authorisation, we use the contact details provided to inform them of our initiatives, services or activities. We do this through different channels depending on how each person has authorised it. It is not shared with other persons without their consent.
Managing our suppliers’ data
We store and process the data of suppliers from which we obtain services or goods. This can be the data of self-employed persons and also the data of representatives of legal persons. We obtain the necessary data to maintain the commercial relationship and we use it solely for this purpose. In accordance with legal requirements (tax regulations), we share data with the tax administration.
Notice is given at the entrance to our installations, when appropriate, of the presence of video-surveillance cameras using the approved signs. The cameras only record images of the points where it is justified to guarantee the safety of property and people. The images are only used for this purpose. When justified, we share the data with the law enforcement agencies or with the competent judicial authorities.
What is the legal basis for processing data?
The data processing we perform has different legal foundations according to the nature of each type of processing.
Complying with legal requirements
Data processing in the context of administrative procedures is done following the norms governing each type of processing. It is done to comply with legal requirements.
Performance of a task carried out in the public interest
Processing deriving from the provision of our services is justified by satisfying the public interest. Also the images we obtain with video-surveillance cameras are processed to safeguard the public interest.
Complying with a contractual or precontractual relationship
We process the data of our suppliers following the public procurement rules, to the degree and with the scope needed for the implementation of the contractual relationship. In another sense, but also within the framework of contractual or precontractual relationships, we process the data of people who participate in recruitment processes or who join our institution.
Based on consent
When we send information about our initiatives, services or activities, we process the contact data of the recipients with their authorisation or express consent.
How long do we store the data?
How long we store the data is determined by a variety of factors, principally that the data continues to be necessary to respond to the purposes for which it was collected in each case. Secondly, the data is stored to respond to potential liabilities arising from the processing of the data by the Regional Council and to respond to any request by other public authorities or judicial authorities.
Consequently, the data must be stored for as long as is necessary to preserve its legal or informative value or to demonstrate compliance with legal obligations, but not for a longer period than is necessary in accordance with the purposes of the processing.
In certain cases, such as those of data that appears in accounting and invoicing documentation, the tax regulations mandate storing it until liabilities in this area lapse.
In the case of data that is processed solely on the basis of the data subject’s consent, it is stored until the data subject withdraws this consent.
Finally, in the case of images obtained by video-surveillance cameras, these are stored for a maximum of one month, although in the case of incidents that justify doing so, it is stored for as long as necessary to facilitate the actions of law enforcement agencies or of judicial authorities.
The regulations governing the storage of public documentation and the rulings of the National Document Access, Evaluation and Selection Commission are a reference that determines the criteria we follow for storing and erasing data.
What rights do people have in relation to the data we process?
As stated in the General Data Protection Regulation, the subjects whose data we process have the following rights:
To know if their data is being processed. Any person primarily has the right to know if his or her data is being processed, regardless of whether there has been a previous relationship.
To be notified of collection. When the personal data is obtained from the data subject, the data subject must have clear information at the moment he or she provides the data about the purposes for which it will be used, who the controller will be and what the main aspects deriving from this processing are.
To access it. This is a very extensive right which includes the right to know precisely which personal data is processed, the purpose for which it is processed, any transmission of it to other persons (if applicable) and the right to obtain a copy of it or to know the planned period of storage.
To request its rectification. This is the right to obtain rectification of inaccurate personal data that we process.
To request its erasure. In certain circumstances, there is a right to request the erasure of data when, among other reasons, it is no longer necessary for the purposes for which it was collected and which justified its processing.
To request restriction of processing. The right to request restriction of processing of data is also recognised in certain circumstances. In this case, it will stop being processed and will only be stored for exercising or defending legal claims, in accordance with the General Data Protection Regulation.
To portability. In the cases specified in the regulations, the data subject has the right to obtain his or her personal data in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller if he or she decides to do so.
To object to processing. A person may cite reasons relating to his or her personal situation that will result in his or her personal data no longer being processed insofar as it may cause him or her harm except for legitimate grounds or for the exercise or defence of legal claims.
Not to receive information. We immediately respond to requests to stop receiving information about our activities and services, when this information is sent on the sole basis of the consent of the person receiving it.
How you can exercise and defend your rights.
The rights listed here can be exercised by sending a request to the Regional Council at its postal address or to the other contact details indicated in the header.
If you do not obtain a satisfactory response when exercising these rights, you can lodge a complaint with the Catalan Data Protection Authority through the forms or other channels that can be accessed on its website (www.apd.cat).
In all cases, whether for lodging complaints, requesting clarifications or making suggestions, you can contact the Data Protection Officer by email at the address firstname.lastname@example.org
Record of Processing Activities.
The document with the Record of Processing Activities can be consulted here.