The Catalan Data Protection Authority
The Catalan Data Protection Authority (APDCAT) is an independent body whose mission is to safeguard, within the scope of competences held by the Generalitat, the rights of protection of personal data and access to the information linked to such data. The institution provides advice about what rights exist in this area, how to exercise them and what to do if they are not respected. It also reports and advises on obligations established in the corresponding legislation and oversees entities to ensure they meet these obligations.
The scope of action of the Catalan Data Protection Authority includes the files and processing carried out by:
- Public institutions.
- The Catalan government administration (Generalitat).
- Local entities.
- Autonomous entities, consortia and other affiliated or dependent public law organisations linked to the Administration of the Generalitat or Catalan local authorities.
- Those private law entities that meet at least one of the following three requirements in relation to the Generalitat, the Catalan local authorities or their dependent entities:
  - The majority shareholding in their capital belongs to said public entities.
  - Most of their budget revenue proceeds from said public entities.
  - Members designated by said public entities form the majority in their governing bodies.
- Other private law entities that provide public services by means of any form of direct or indirect management, in the case of files and processing related to the provision of those services.
- The public and private universities that make up the Catalan university system and their dependent entities.
- The natural persons or legal entities that carry out public functions related to matters which are the competence of the Government of Catalonia or of the Catalan local authorities, provided the files or processing are to be employed in the exercise of these functions and the processing is performed in Catalonia.
- The Public Law Corporations that carry out their activities exclusively in Catalonia for the purposes of that established by the law.
Within this competency framework, the Catalan Data Protection Authority shall:
a) monitor and ensure the application of the General Data Protection Regulation (GDPR);
b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children must receive specific attention;
c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
d) promote the awareness of controllers and processors of their obligations under the GDPR;
e) upon request, provide information to any data subject concerning the exercise of their rights under the GDPR and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;
f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80 of the GDPR, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
g) cooperate with, including sharing information, and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of the GDPR;
h) conduct investigations on the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority;
i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
j) adopt the standard contractual clauses referred to in Article 28, section 8, and in Article 46, section 2, point d), of the GDPR;
k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35, section 4, of the GDPR;
l) give advice on the processing operations referred to in Article 36, section 2, of the GDPR;
m) encourage the drawing up of codes of conduct pursuant to Article 40, section 1, of the GDPR and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40, section 5;
n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42, section 1, of the GDPR, and approve the criteria of certification pursuant to Article 42, section 5;
o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42, section 7, of the GDPR;
p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 of the GDPR, and of a certification body pursuant to Article 43;
q) conduct the accreditation of bodies for monitoring codes of conduct pursuant to Article 41 of the GDPR, and of certification bodies pursuant to Article 43;
r) authorise the contractual clauses and provisions referred to in Article 46, section 3, of the GDPR;
s) approve binding corporate rules pursuant to Article 47 of the GDPR;
t) contribute to the activities of the European Data Protection Board;
u) keep internal records of infringements of the GDPR and of measures taken in accordance with its Article 58, section 2;
v) fulfil any other tasks related to the protection of personal data.
In this respect, Law 32/2010, of 1 October, of the Catalan Data Protection Authority establishes the following functions, among others, for the Authority:
- Respond to enquiries from entities in its scope of action regarding the protection of data of a personal nature in the possession of the public administrations, and collaborate with these entities in publicising the obligations deriving from the legislation that regulates these matters.
- Issue the mandatory report on those provisions that affect the protection of personal data.
- Draw up audit plans.