Notice from the Catalan Data Protection Authority (APDCAT) regarding protection of personal data

The APDCAT is issuing this data protection notice to help users gain quick, easy access to the most important information relating to the data processing it carries out and to the rights of data subjects, so that they can effectively take control over their personal data.

 

Data controller

The data controller is the Direcció de l’Autoritat Catalana de Protecció de Dades, with headquarters at C/ Rosselló 214, esc. A, 1r 1a, 08008 Barcelona.

Tel. 93 552 78 00. Fax 93 552 78 30. Email: apdcat@gencat.cat. Website: www.apdcat.cat

 

Data protection officer

The data protection officer (DPO) is the person responsible for ensuring that the APDCAT fully complies with data protection legislation. The DPO can be contacted by email at dpd.apdcat@gencat.cat, by post at C/ Rosselló 214, esc. A, 1r 1a, 08008 Barcelona, or by telephone on 93 552 78 05.

 

List of processing activities carried out by the APDCAT

The Authority carries out the following processing activities. You can find a full description of each one in the Catalan Data Protection Authority record of processing activities:

  • Communications and institutional relations
  • Training activities
  • Human resources management
  • Financial and economic management
  • Protection of rights, inspection, and penalty files
  • Management of enquiries about data protection
  • Requests to exercise the right of access to public information
  • Requests to exercise the rights of habeas data (access, rectification, erasure, objection, restriction of processing and data portability)
  • Public sector consultancy
  • Catalan Data Protection Register
  • Audits
  • Register of entry and exit of documents
  • Register of data protection officers
  • International transfer authorisations
  • Codes of conduct
  • IDT communication based on compelling legitimate interests
  • Prior consultation
  • Opinions
  • Binding Corporate Rules
  • Awards
  • Notification of personal data breaches

 

Habeas data rights

Right of access

The data subject has the right to know whether the data controller is processing any of his or her personal data, and where that is the case, to have access to the data and to the following information:

  • The purposes of the processing, categories of personal data being processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed.
  • Where possible, the envisaged period for which the personal data will be stored, or the criteria used to determine that period.
  • The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing.
  • The right to lodge a complaint with a supervisory authority.
  • The origin of the data, when not collected from the data subject.
  • The existence of automated decision-making, including profiling, meaningful information about the logic involved and the envisaged consequences of such processing for the data subject.
  • Where personal data are transferred to an international organisation, the appropriate safeguards relating to the transfer.

The data subject has the right to receive a free copy of the personal data undergoing processing. For any further copies, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information should be provided in the same format.

Restriction of the right to obtain a copy: when it adversely affects the rights and freedoms of others.

[CAT] Standard form for exercising the right of access

 

Right to rectification

This right refers to personal data which is inaccurate or incomplete.

The data subject has the right to the rectification of inaccurate personal data concerning him or her and to have incomplete personal data completed, including by means of providing a supplementary statement.

The controller should communicate the rectification to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller should inform the data subject about those recipients if the data subject so requests.

[CAT] Standard form for exercising the right to rectification

 

Right to erasure (right to be forgotten)

The GDPR includes the “right to be forgotten”, as a right linked to the right to erasure of personal data.

The data subject has the right to obtain the erasure of personal data concerning him or her (“right to be forgotten”) when:

  • The personal data are no longer necessary in relation to the purposes for which they were collected.
  • The data subject withdraws consent on which the processing was based.
  • The data subject objects to the processing.
  • The personal data have been unlawfully processed.
  • The personal data have to be erased for compliance with a legal obligation.
  • The personal data have been collected in relation to the offer of information society services addressed to children under 16 years of age.

Where the controller has made the personal data public and is obliged to erase them, the controller should take reasonable steps to inform other controllers which are processing the personal data that the data subject has requested their erasure.

The controller should communicate the erasure to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller should inform the data subject about those recipients if the data subject so requests.

The right to erasure does not apply to the extent that processing is necessary:

  • For exercising the right of freedom of expression and information.
  • For compliance with a legal obligation.
  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
  • For the establishment, exercise or defence of legal claims.

[CAT] Standard form for exercising the right to erasure (right to be forgotten)

 

Right to object

The data subject has the right to object to the processing of personal data concerning him or her. The following criteria apply:

  • Where the processing is based on public interest or on the exercise of official authority vested in the controller, or for the purposes of the legitimate interests pursued by the controller or by a third party, the objection should be based on reasons related to the personal situation of the data subject.
  • The controller should no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  • The data subject has the right to object to processing where personal data are processed for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.
  • Where personal data are processed for scientific or historical research purposes or statistical purposes the data subject has the right to object to processing of personal data concerning him or her on grounds relating to his or her particular situation.

[CAT] Standard form for exercising the right to object

 

Right to restriction of processing

The data subject has the right to have his or her stored personal data marked, with the aim of restricting their processing in the future. Restriction of processing implies that, on the request of the data subject, his or her personal data should no longer be processed.

Restriction of processing should not be confused with the blocking of data that currently exists in Spanish data protection legislation (LOPD 15/1999).

Restriction may be requested when:

  • The data subject has exercised the rights of rectification or objection and while the controller determines whether the request should be granted.
  • The processing is unlawful, which would mean the personal data would be erased, but the data subject opposes such erasure.
  • The personal data are no longer necessary for the purposes of the processing, which would result in their erasure, but erasure is opposed and restriction requested by the data subject because they are required for the establishment, exercise or defence of legal claims.

Where the processing has been restricted, the controller may only process the affected data, with the exception of storage, in the following cases:

 

  • With the data subject's consent.
  • For the establishment, exercise or defence of legal claims.
  • For the protection of the rights of another natural or legal person.
  • For reasons of important public interest of the Union or of the corresponding Member State.

The controller should communicate the restriction to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller should inform the data subject about those recipients if the data subject so requests.

[CAT] Standard form for exercising the right to restriction of processing

 

Right to data portability

The data subject has the right to receive the personal data he or she has provided to a controller concerning him or her in a structured, commonly used and machine-readable format and to transmit those data to another controller, if the following requirements are met:

  • The processing is based on consent or on a contract.
  • The processing is carried out by automated means.

This right does not apply when the processing of the personal data is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.

[CAT] Standard form for exercising the right to data portability

 

Right to contest automated individual decision-making

The APDCAT does not perform automated individual decision-making and thus this right is not applicable.

You can see further information about this right here

 

How can I exercise these rights?

You can request access to, rectification of or erasure of your personal data, object to or request restriction of its processing, or request portability of the data, in writing by post to the APDCAT (C/ Rosselló 214, esc. A, 1r 1a, 08008 Barcelona) or by email to the Authority’s email address.

The APDCAT will inform you of the actions resulting from your request within one month. For particularly complex applications, this period may be extended by two months (resulting in a maximum of three months). In that case, you will be notified of the extension during the first month.

If you consider we have not given an adequate response to your request, you may complain to the Authority to take appropriate legal action.

Update:  23.05.2018