The Catalan Data Protection Authority offers an information service which is available to members of the public or organisations to request information, make a complaint or clear up any doubts they may have about the application of personal data protection legislation.
This service also provides details of courses, conferences, symposiums, seminars and other training and dissemination activities organised by the Authority or in which it participates. If you would like to receive this type of information directly you can ask to be included in a mailing list created for just this purpose, by filling in this form(Catalan version available).
You can contact this service:
By telephone: 012 (from 8 a.m. to 10 p.m., Monday to Friday)
By email: email@example.com
By normal mail: C/ Rosselló, 214, esc. A, 1r 1a, 08008 Barcelona.
In person, with a prior appointment (Request an appointment using this form (Catalan version available) and giving a contact telephone number).
The Register timetable is from 9 a.m. to 2 p.m., Monday to Friday.
The Catalan Data Protection Authority (APDCAT) offers a personalised consultation service to institutions within its scope of authority that wish to adapt their actions to data protection legislation.
This service may be requested by all bodies, organisations and entities that are part of the scope of the APDCAT. Since May 25, 2018, with the full application of the GDPR, the Data Protection Officer of the Data Controllers and processors will act as the contact point of the APDCAT.
The main aim of this service is to provide timely or continued support to all projects of adaptation to personal data protection legislation. Advice may be requested on initiation of a new project which may have impact in the area of data protection or at any other moment during the processing of personal data.
To request the consultation service, your application should be sent by email to:
Information on the data treatment: The contact data and those related to your query will be treated by the Catalan Data Protection Authority in order to process your request. You can access your data, request its rectification or erasure, oppose the treatment and request its limitation, sending your request to the APDCAT address.
2018-2020 Strategic Training Plan
In 2018 we set in motion the APDCAT Strategic Training Plan for the period 2018-2020. The aim of the Plan is to provide a response to the training needs resulting from our competence framework, especially since the General Data Protection Regulation (GDPR) became fully applicable as from 25 May 2018.
The Plan is structured into three distinct lines of action:
The first, made up of training actions in the field of data protection, is addressed to managers, heads of department, controllers and processors working in data protection in the Administration of the Government of Catalonia, public institutions, local authorities, the public and private universities that make up the Catalan university system, and all other public entities in Catalonia (in accordance with Article 3 of Law 32/2010, of 1 October, of the Catalan Data Protection Authority - APDCAT).
This training is the fruit of collaboration between the APDCAT and the Catalan School of Public Administration (EAPC).
These actions are mainly addressed to:
- Managers and controllers of processing undertaken by the Administration and public entities, the actions being aimed at raising their awareness of the obligations they must meet to comply with the new GDPR.
- Technical officials responsible for data protection at these bodies, who will receive specialised training in line with the tasks assigned to them in their organisations. This mainly applies to heads of information management, data protection officers and users with access to personal data.
The second line of action in the Strategic Plan consists in developing data protection training actions on a sectoral basis.
This training is specifically addressed to Government of Catalonia staff in the health, education and social services sectors.
In the area of education, we will continue driving forward our project for the young initiated in 2015 and aimed at raising the awareness of children and those around them about taking responsible control over their personal data when using technologies and the Internet. This project sets out to generate debate and involve children and schools in establishing common rules for growing up and living together in today’s digital world.
The Plan’s third line of action addresses in-house training of APDCAT staff, with two clearly differentiated areas of action:
- An area of basic training in data protection for all staff, and of updating and a more in-depth approach adapted to the functions of each department.
- Another area of specific training for staff engaged in different fields, included in the offering of the EAPC and the Catalan Ministry of Governance, in the following subjects:
The catalogue of training activities for all lines of action will include face-to-face, blended learning, virtual and self-learning courses.
The Catalan Data Protection Authority (APDCAT) issues opinions in response to consultations made by the controllers or data protection officers of organisations that fall within its scope of competence. These enquiries may concern a specific problem or subject with regard to data protection and, in the case of local entities, may also optionally request a report on the general draft provisions that may have an impact on the protection of personal data. The following entities may formulate consultations to the APDCAT:
- Public institutions, Administration of the Government of Catalonia and Catalan local authorities.
- All bodies, organisations and entities linked to or answerable to the public institutions of Catalonia, the Administration of the Government of Catalonia, the Catalan local authorities, the universities of Catalonia and the Public Law Corporations that carry out their activities exclusively in Catalonia.
- The natural persons or legal entities that, in accordance with any agreement, contract or legal provision, manage public services or carry out public functions providing, in the latter case, the processing is performed in Catalonia and is related to matters which are the competence of the Government of Catalonia or of the Catalan local authorities.
You can access the e-procedure through this link.
The Catalan Data Protection Authority offers advice when a prior consultation request is received in the following circumstances, pursuant to Article 36 of the GDPR:
a) Prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate it.
b) During the preparation of a proposal for a legislative measure to be adopted by the Parliament of Catalonia, or of a regulatory measure based on such a legislative measure, which relates to processing.
c) In other cases in which a Member State law may require the controller to consult with and obtain prior authorisation from the supervisory authority in relation to processing for the performance of a task carried out by the controller in the public interest.
You can access the e-procedure through this link.
The Catalan Data Protection Authority exercises the powers provided in the GDPR with regard to international transfers. This includes:
The Catalan Data Protection Authority is the body that must, within its scope of action, approve codes of conduct prepared by associations and other bodies representing categories of controllers or processors or presented directly by controllers or processors for the purpose of specifying the application of the GDPR or other applicable legislation.
If the code of conduct relates to processing activities in several Member States, prior to granting approval the Catalan Data Protection Authority must submit it to the European Data Protection Board in the procedure referred to in Article 63 of the GDPR. The Board will provide an opinion on whether the code complies with the Regulation and, where applicable, provides appropriate guarantees for the transfer of data to third countries or international organisations. Where this opinion confirms that the code of conduct offers appropriate safeguards, the Board will submit it to the European Commission for approval.
You can request approval of a code of conduct through this link.
Through its Inspection Service, the Catalan Data Protection Authority (APDCAT) verifies that controllers and processors comply with current personal data protection law. It also pursues any infringement of this fundamental right and adopts the measures necessary to guarantee it.
The Inspection Service safeguards the exercise of data protection rights by individuals, specifically the rights of access, rectification, erasure, objection, restriction and portability (habeas data rights) and oversees the effectiveness of such action within the scope the Authority's powers. Thus, it supervises the activities of:
- All bodies, organisations and entities linked or answerable to the public institutions of Catalonia, the Administration of the Government of Catalonia, the Catalan local authorities, the universities of Catalonia and the Public Law Corporations that carry out their activities exclusively in Catalonia and which, in accordance with article 156 of the Statute of Autonomy of Catalonia (EAC), form part of the APDCAT's scope of action.
- The natural persons or legal entities that, in accordance with any agreement, contract or legal provision, manage public services or carry out public functions, providing, in the latter case, the processing is performed in Catalonia and is related to matters which are the competence of the Government of Catalonia or of the Catalan local authorities.
When a person (data subject) has exercised any of the habeas data rights before the controller or processor and has not obtained an answer within the established period, or the response has been completely or partially unsatisfactory, the data subject may complain to the Authority, which will verify whether the denial is well-founded or not.
A complaint may be made before the Authority for any action which is contrary to that provided in current data protection law.
For further information and access to the standard forms that we make available to the public, please go to the Claim and Complain section.
Claims and complaints addressed to the Spanish Data Protection Agency (AEPD) may also be presented to the APDCAT, which will take charge of transferring them to the Spanish institution.
File controllers included within the scope of activity of the Catalan Data Protection Authority (APDCAT) may request the Authority to provide a copy of the content of any files recorded by them in the Catalan Data Protection Register (RPDC).
Copies of content can be exported in Excel or XML format, according to preference, along with a full description of the files the controller has recorded in the RPDC.
Requests must be made using the online form.
You can obtain further information through this link.
The General Data Protection Regulation establishes the requirement to designate a Data Protection Officer (DPO). Consequently, when organisations included within the scope of activity of the Catalan Data Protection Authority (APDCAT) appoint a DPO they must inform the APDCAT of that person’s details prior to 25 May 2018, and maintain the data they communicate updated.
You can obtain further information on how to inform the APDCAT of such appointment through this link.
If a personal data breach occurs, data controllers included within the scope of action of the Catalan Data Protection Authority (APDCAT) must notify that Authority without undue delay. If possible, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, such notification should be made within no more than 72 hours of having become aware of it (Art. 33, GDPR).
The controller must document all data breaches, whether notification to the APDCAT is required or not. Specifically, a record must be made of all information relating to the event, its effects and the remedial action taken. This documentation must be available to the APDCAT (Article 33.5, GDPR).
Notification of the personal data breach must be submitted via the notification form. Once filled in and electronically signed, the form must be processed (together with any relevant documentation, where applicable) according to the following procedure:
- institutions registered with the EACAT platform must submit the form through the platform’s “Notifications of security violations” procedure;
- other institutions should submit it through this procedures page of the Authority’s online office;
- individuals and businesses not obliged to deal with public administrations electronically may also use any of the other means referred to in Article 16.4 of Law 30/2015, of 1 October, of the common administrative procedure for public administrations.
To complete the information on PDBs and notifying affected individuals (Art. 33 and 34, GDPR), please use this link.