The director of the Catalan Data Protection Authority manages and represents the Authority. He or she acts with full independence and objectivity and is not subject to any imperative mandate or directive.
The director of the Authority is responsible for issuing decisions or instructions and approving recommendations or opinions in accordance with the functions described in Article 57 of the General Data Protection Regulation (GDPR).
To perform these duties, the Authority is vested with the following powers:
- Investigative powers:
a) to order the controller and the processor and, where applicable, the controller's or the processor's representative, to provide any information it requires for the performance of its tasks;
b) to carry out investigations in the form of data protection audits;
c) to carry out a review of certifications issued pursuant to Article 42 section 7 of the GDPR;
d) to notify the controller or the processor of an alleged infringement of the GDPR;
e) to obtain from the controller and the processor access to all personal data and to all information necessary for the performance of its tasks;
f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
- Corrective powers:
a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of the GDPR;
b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR;
c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to the GDPR;
d) to order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period;
e) to order the controller to communicate a personal data breach to the data subject;
f) to impose a temporary or definitive limitation, including a ban on processing;
g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 of the GDPR and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17 section 2 and Article 19 of the GDPR;
h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43 of the GDPR, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
i) to impose an administrative fine pursuant to Article 83 of the GDPR, in addition to or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
j) to order the suspension of data flows to a recipient in a third country or to an international organisation.
- Authorisation and advisory powers:
a) to advise the controller, in accordance with the prior consultation procedure referred to in Article 36 of the GDPR;
b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
c) to authorise processing referred to in Article 36 section 5 of the GDPR, if the law of the Member State requires such prior authorisation;
d) to issue an opinion and approve draft codes of conduct pursuant to Article 40 section 5 of the GDPR;
e) to accredit certification bodies pursuant to Article 43 of the GDPR;
f) to issue certifications and approve criteria of certification in accordance with Article 42 section 5 of the GDPR;
g) to adopt standard data protection clauses referred to in Article 28 section 8 and in point (d) of Article 46 section 2 of the GDPR;
h) to authorise contractual clauses referred to in point (a) of Article 46 section 3 of the GDPR;
i) to authorise administrative arrangements referred to in point (b) of Article 46 section 3 of the GDPR;
j) to approve binding corporate rules pursuant to Article 47 of the GDPR.
The director of the Catalan Data Protection Authority is appointed by the plenary session of the Catalan Parliament on the proposal of the Data Protection Advisory Board, requiring a majority of three fifths of its members, and is elected for a five-year term, renewable once.
Meritxell Borràs i Solé is the director of the Catalan Data Protection Authority (Resolution 231/XIV, of 10 February 2022, of the Parliament of Catalonia, published in the Official Gazette of the Generalitat of Catalonia (DOGC) Nº 8606, February 15, 2022), taking office on February 22, 2022.
Maria Àngels Barbarà Fondevila adheres to the content of the code of conduct of the Senior Executives and Management Personnel of the Administration of the Generalitat and of the entities of its public sector.