Scope of action of the Catalan Data Protection Authority

What is the scope of action of the Catalan Data Protection Authority?

The Catalan Data Protection Authority is the competent supervisory authority with respect to data processing which is the responsibility of or is managed by:

a. public institutions;

b. the Catalan government administration (Generalitat);

c. local entities;

d. autonomous entities, consortia and other affiliated or dependent public law organisations linked to the Administration of the Generalitat or Catalan local authorities;

e. those private law entities that meet at least one of the following three requirements in relation to the Generalitat, the Catalan local authorities or their dependent entities: 

i) the majority shareholding in their capital belongs to said public entities

ii) most of their budget revenue proceeds from said public entities

iii) members designated by said public entities form the majority in their governing bodies

f. other private law entities that provide public services by means of any form of direct or indirect management, in the case of files and processing related to the provision of those services;

g. the public and private universities that make up the Catalan university system and their dependent entities;

h. the natural persons or legal entities that carry out public functions related to matters which are the competence of the Generalitat or of the Catalan local authorities, provided the files or processing are to be employed in the exercise of these functions and the processing is performed in Catalonia;

i. the Public Law Corporations that carry out their activities exclusively in Catalonia.


This also includes processing carried out by third parties with personal data made available to them as the result of a processing agreement entered into by one of these organisations.

Within this scope of action, the Catalan Data Protection Authority is responsible for exercising all the functions attributed to supervisory authorities by data protection legislation, including international data transfers.