This is the Data Protection Policy of the Les Gavarres Consortium. It complies with the General Data Protection Regulation (EU Regulation 2016/679 of the European Parliament and of the Council, of 27 April 2016) and with national regulations on the subject.
Who is responsible for the processing of personal data?
The data controller is the Les Gavarres Consortium, with tax identification code (CIF) P-6700016F and registered office at Finca Camps i Armet, s/n (postcode: 17121), email: consorci@gavarres.cat, website: www.gavarres.cat
On what basis do we process personal data?
We process data only when we have a lawful basis for doing so. Data are processed for specific, explicit and legitimate purposes, as explained at the time of collection. We process only data that are adequate, relevant and limited to what is necessary in each case. We make every effort to keep data up to date and retain them only for as long as necessary, in compliance with public information retention regulations. Appropriate technical and organisational measures are applied to prevent unauthorised or unlawful processing, and to avoid accidental loss, destruction or damage. As a general rule, data may only be submitted by persons aged 14 years or older. In the case of minors under 14, authorisation from parents or legal guardians is required.
Who is the Data Protection Officer?
The Data Protection Officer (DPO) supervises compliance with data protection regulations and ensures the protection of individuals’ rights. Among other functions, the DPO attends to any data subjects who wish to make a complaint or claim. To contact the Data Protection Officer, you may write to the Les Gavarres Consortium or email dpd@ddgi.cat.
For what purposes do we process data and to whom may they be disclosed?
The Les Gavarres Consortium processes data in order to carry out its competences and functions, and to provide the services described on its website and electronic headquarters.
Administrative procedures and formalities. Primarily at the request of individuals, we use their data to follow up on the relevant procedure. Depending on the procedure, data may be shared with other competent public administrations or published in compliance with the principle of transparency.
Services. To deliver services, we process data provided by users. As a general rule, data are not shared with third parties without the user’s consent.
Activities. When organising outreach and training activities, we collect data from registrants for the purpose of managing the event. These data are not shared with third parties.
Contact. Contact. We respond to enquiries submitted through our website contact forms. Data are used solely for this purpose and are not shared with third parties.
Information mailings. With prior authorisation, we use contact details to inform about our services or activities through the channels approved by each person. Recipient data are not disclosed to third parties.
Supplier data management. We register and process data from suppliers from whom we procure works, services or goods. Only essential data are obtained to maintain the commercial relationship, and they are used solely for this purpose. In compliance with legal obligations, data are disclosed to the tax authorities.
What are the legal grounds for data processing?
The legal grounds for our data processing activities vary depending on the nature of each case.
Compliance with legal obligations. Data processing within administrative procedures is carried out in accordance with the specific regulations governing each procedure.
Public interest tasks. Processing related to the provision of our services is justified by the pursuit of public interest. Likewise, images captured by CCTV cameras are processed to preserve public safety.
Performance of a contract or pre-contract. We process supplier data in accordance with public sector procurement regulations, to the extent necessary for managing the contractual relationship.
Consent. When sending information about our activities or services, we process contact data based on the recipient’s prior consent.
How long do we keep the data?
The data retention period is determined primarily by how long the data are needed to fulfil the purposes for which they were collected in each case. Secondly, they are kept in order to address any potential liabilities arising from data processing and to comply with requests from other public administrations or judicial bodies.
Accordingly, the data must be retained for as long as necessary, but not for a period longer than required. In certain cases, such as data included in accounting documentation and invoicing, tax regulations require them to be kept until liabilities in this area have expired. In the case of data processed solely on the basis of the data subject’s consent, they are retained until such consent is withdrawn.
What rights do people have in relation to the data we process?
Individuals whose data we process have the following rights:
To know whether their data are being processed. Any person has the right to know whether we are processing their data, regardless of whether a prior relationship exists.
To be informed at the time of collection. When data are obtained directly from the data subject, they must be clearly informed of the purposes for which the data will be used, who is responsible for the processing, and the main aspects related to such processing.
To access their data. This right allows individuals to know which personal data are being processed, for what purpose, to whom they may be communicated (if applicable), to obtain a copy, or to know the expected retention period.
To request rectification. This is the right to have inaccurate data that we hold corrected.
To request erasure. Individuals have the right to request the deletion of their data when, among other reasons, they are no longer necessary for the purposes for which they were collected.
To request restriction of processing. In certain circumstances, individuals have the right to request that processing of their data be restricted. In this case, the data will no longer be processed and will only be kept for the exercise or defence of legal claims.
To data portability. In the cases provided for by law, individuals have the right to obtain their personal data in a commonly used format.
To object to processing. A person may raise specific reasons that result in their data no longer being processed, to the extent that such processing may cause them harm.
How to exercise or defend these rights.
The above rights may be exercised by submitting a request to the Les Gavarres Consortium at the postal address or other contact details indicated in the header. It is also possible to file a complaint with the Catalan Data Protection Authority, using the forms or other channels available on its website (www.apd.cat). In any case, for submitting complaints, requesting clarification, or sending suggestions, you may contact the Data Protection Officer by email at dpd@ddgi.cat.
