- Public Information Service
- Consultation Service
- Training in and publicity of the right to data protection
- Drafting of opinions, instructions and recommendations
- Prior consultation
- International transfers
- Approval of codes of conduct
- Designation of the Data Protection Officer (DPO)
- Notifications of personal data breaches (PDB)
Public Information Service
The Catalan Data Protection Authority offers an information service which is available to members of the public or organisations to request information, make a complaint or clear up any doubts they may have about the application of personal data protection legislation.
This service also provides details of courses, conferences, symposiums, seminars and other training and dissemination activities organised by the Authority or in which it participates. If you would like to receive this type of information directly you can ask to be included in a mailing list created for just this purpose, by filling in this form(Catalan version available).
You can access this service in the following ways:
By phone: 93 552 78 00 / 012 (from 8 a.m. to 10 p.m., Monday to Friday)
By email: email@example.com
By post: C/ Rosselló, 214, Esc. A, 1r 1a, 08008 Barcelona
In person: by making an appointment via 93 552 78 00 or by sending an email to firstname.lastname@example.org, indicating a contact telephone number.
How is your personal data processed?
Controller: Catalan Data Protection Authority (C/ Rosselló, 214, Esc. A, 1r 1a, 08008 Barcelona; Tel. 93 552 78 00; email@example.com; www.apdcat.cat).
Data Protection Officer: firstname.lastname@example.org C/ Rosselló, 214, Esc. A, 1r 1a, 08008 Barcelona. Tel. 93 552 78 00.
Purpose of treatment: Resolve your question.
Lawfulness: performance of a task carried out in the public interest.
Recipients: The data will not disclosed to third parties or transferred outside the European Union.
Data subjects rights: You can access your data, request its rectification or erasure, object to the processiong and request its restriction , by sending your request to the address of the APDCAT or through its electronic office.
Data retention period: The data will be erased once the question has been resolved.
Complaint: You can submit a complaint addressed to the APDCAT, through the Authority's electronic office or by non-electronic means.
The Catalan Data Protection Authority (APDCAT) offers a personalised consultation service to institutions within its scope of authority that wish to adapt their actions to data protection legislation.
This service may be requested by all bodies, organisations and entities that are part of the scope of the APDCAT. Since May 25, 2018, with the full application of the GDPR, the Data Protection Officer of the Data Controllers and processors will act as the contact point of the APDCAT.
The main aim of this service is to provide timely or continued support to all projects of adaptation to personal data protection legislation. Advice may be requested on initiation of a new project which may have impact in the area of data protection or at any other moment during the processing of personal data.
To request the consultation service, your application should be sent by email to:
Information on the data treatment: The contact data and those related to your query will be treated by the Catalan Data Protection Authority in order to process your request. You can access your data, request its rectification or erasure, oppose the treatment and request its limitation, sending your request to the APDCAT address.
Training in and publicity of the right to data protection
APDCAT training plan 2022-2024
Among its strategic lines, the Catalan Data Protection Authority has training and awareness-raising in the field of data protection, with the aim of achieving effective compliance with the obligations and guarantees established in the data protection regulations.
The Plan is structured in three different lines of action:
The first, made up of training actions in the field of data protection, aimed at people in management positions, the commanders and the people responsible and in charge of data protection of the Administration of the Generalitat, public institutions, local bodies, public and private universities that make up the Catalan university system and other public entities in Catalonia (in accordance with article 3 of Law 32/2010, of 1 October, of the Catalan Data Protection Authority).
This training is the result of the collaboration between the APDCAT and the School of Public Administration of Catalonia (EAPC) and is especially aimed at:
- Public sector data protection officers, with the aim of consolidating a deep and dynamic knowledge of data protection regulations.
- Managers and controllers of the processing of the Administration and public entities, to make them aware of the obligations that must be fulfilled in accordance with the General Data Protection Regulations.
- Persons responsible for data protection techniques of these bodies, who will receive specialized training in accordance with the functions assigned to them within their organizations. They are mainly the people responsible for the management of the information and the users who have access to personal data.
A second line of action is also being developed with training actions for the protection of sectoral data, in particularly sensitive environments that deal with information from vulnerable groups. This training is specifically aimed at the staff of the Generalitat de Catalunya in the health, education and social services sectors.
In the field of education, we will continue to promote the children’s project started in 2015, with the aim of raising awareness among this group and their environment about the responsible management of personal data, when they use technologies and the internet.
The third line of action of the Plan is the internal training of APDCAT staff, based on the detection of training needs in the following subjects:
- Data protection and information security
- Transparency and access to information
- Administrative procedure
- Electronic administration
- Economic management
- Human resources
The training activities included in the catalogs of the training plans are developed in the face-to-face, semi-face-to-face, virtual and self-learning modalities.
Drafting of opinions, instructions and recommendations
The Catalan Data Protection Authority (APDCAT) issues opinions in response to consultations made by the controllers or data protection officers of organisations that fall within its scope of competence. These enquiries may concern a specific problem or subject with regard to data protection and, in the case of local entities, may also optionally request a report on the general draft provisions that may have an impact on the protection of personal data. The following entities may formulate consultations to the APDCAT:
- Public institutions, Administration of the Government of Catalonia and Catalan local authorities.
- All bodies, organisations and entities linked to or answerable to the public institutions of Catalonia, the Administration of the Government of Catalonia, the Catalan local authorities, the universities of Catalonia and the Public Law Corporations that carry out their activities exclusively in Catalonia.
- The natural persons or legal entities that, in accordance with any agreement, contract or legal provision, manage public services or carry out public functions providing, in the latter case, the processing is performed in Catalonia and is related to matters which are the competence of the Government of Catalonia or of the Catalan local authorities.
You can access the e-procedure through this link.
The Catalan Data Protection Authority offers advice when a prior consultation request is received in the following circumstances, pursuant to Article 36 of the GDPR:
a) Prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate it.
b) During the preparation of a proposal for a legislative measure to be adopted by the Parliament of Catalonia, or of a regulatory measure based on such a legislative measure, which relates to processing.
c) In other cases in which a Member State law may require the controller to consult with and obtain prior authorisation from the supervisory authority in relation to processing for the performance of a task carried out by the controller in the public interest.
You can access the e-procedure through this link.
The Catalan Data Protection Authority exercises the powers provided in the GDPR with regard to international transfers. This includes:
Approval of codes of conduct
The Catalan Data Protection Authority is the body that must, within its scope of action, approve codes of conduct prepared by associations and other bodies representing categories of controllers or processors or presented directly by controllers or processors for the purpose of specifying the application of the GDPR or other applicable legislation.
If the code of conduct relates to processing activities in several Member States, prior to granting approval the Catalan Data Protection Authority must submit it to the European Data Protection Board in the procedure referred to in Article 63 of the GDPR. The Board will provide an opinion on whether the code complies with the Regulation and, where applicable, provides appropriate guarantees for the transfer of data to third countries or international organisations. Where this opinion confirms that the code of conduct offers appropriate safeguards, the Board will submit it to the European Commission for approval.
You can request approval of a code of conduct through this link.
Through its Inspection Service, the Catalan Data Protection Authority (APDCAT) verifies that controllers and processors comply with current personal data protection law. It also pursues any infringement of this fundamental right and adopts the measures necessary to guarantee it.
The Inspection Service safeguards the exercise of data protection rights by individuals, specifically the rights of access, rectification, erasure, objection, restriction and portability (habeas data rights) and oversees the effectiveness of such action within the scope the Authority's powers. Thus, it supervises the activities of:
- All bodies, organisations and entities linked or answerable to the public institutions of Catalonia, the Administration of the Government of Catalonia, the Catalan local authorities, the universities of Catalonia and the Public Law Corporations that carry out their activities exclusively in Catalonia and which, in accordance with article 156 of the Statute of Autonomy of Catalonia (EAC), form part of the APDCAT's scope of action.
- The natural persons or legal entities that, in accordance with any agreement, contract or legal provision, manage public services or carry out public functions, providing, in the latter case, the processing is performed in Catalonia and is related to matters which are the competence of the Government of Catalonia or of the Catalan local authorities.
When a person (data subject) has exercised any of the habeas data rights before the controller or processor and has not obtained an answer within the established period, or the response has been completely or partially unsatisfactory, the data subject may complain to the Authority, which will verify whether the denial is well-founded or not.
A complaint may be made before the Authority for any action which is contrary to that provided in current data protection law.
For further information and access to the standard forms that we make available to the public, please go to the Claim and Complain section.
Claims and complaints addressed to the Spanish Data Protection Agency (AEPD) may also be presented to the APDCAT, which will take charge of transferring them to the Spanish institution.
Designation of the Data Protection Officer (DPO)
Since the General Data Protection Regulation establishes the need to appoint a data protection delegate, the entities included in the scope of action of the APDCAT that appoint him must communicate this designation to the Authority, through the procedure “Communication designation DPD” of the electronic headquarters.
Data controllers and data controllers must communicate the appointments, appointments and dismissals of data protection officers within ten days, both in cases where they are required to be appointed and in the event that it is voluntary.
Notifications of personal data breaches (PDB)
If a personal data breach occurs, data controllers included within the scope of action of the Catalan Data Protection Authority (APDCAT) must notify that Authority without undue delay. If possible, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, such notification should be made within no more than 72 hours of having become aware of it (Art. 33, GDPR).
The controller must document all data breaches, whether notification to the APDCAT is required or not. Specifically, a record must be made of all information relating to the event, its effects and the remedial action taken. This documentation must be available to the APDCAT (Article 33.5, GDPR).
Notification of the personal data breach must be submitted via the notification form. Once filled in and electronically signed, the form must be processed (together with any relevant documentation, where applicable) according to the following procedure:
- institutions registered with the EACAT platform must submit the form through the platform’s “Notifications of security violations” procedure;
- other institutions should submit it through this procedures page of the Authority’s online office;
- individuals and businesses not obliged to deal with public administrations electronically may also use any of the other means referred to in Article 16.4 of Law 30/2015, of 1 October, of the common administrative procedure for public administrations.
To complete the information on PDBs and notifying affected individuals (Art. 33 and 34, GDPR), please use this link.