- Notice of personal data protection
- Protection and processing of personal data
- Protection of personal data included on Idescat's forms
- Transfer of the personal data from Idescat's forms
- Security of the personal data
- List of processing activities
- Rights of the data subject (Habeas data rights)
- How to exercise the rights
1. Notice of personal data protection
With this notice of data protection, the Statistical Institute of Catalonia (Idescat) wants to offer agile and rapid access to the main sources of information about data processing that is being carried out and the rights that data subject have and can use to have effective control over their personal data.
The controller for the processing carried out is the Statistical Institute of Catalonia, whose address is Via Laietana 58, 08003 Barcelona.
- Switchboard tel: +34 93 557 30 00
- NIF: Q5850015H
- sasg at idescat dot cat
3. Protection and processing of personal data
Idescat, as the owner of the domain of this website, is committed to respecting current law on protection and confidentiality when processing personal data, in accordance with EU Regulation number 2016/679 of the European Parliament and of the Council, dated 27 April 2016, related with the protection of the personal data of natural persons and the free flow of these data, which repeals Directive 95/46/CE (General Data Protection Regulation, GDPR) and the Organic Law 3/2018, of 5 December on the Protection of Personal Data and Guarantee of Digital Rights, LOPDGDD.
4. Protection of personal data included on Idescat's forms
The personal data you provide on Idescat's forms (queries, suggestions, statistical training and promotion, venue rental and visits) will be subject to processing and included on the forms controlled by the Statistical Institute of Catalonia for the respective processing of queries, suggestions, statistical training and promotion, venue rental and visits.
The personal data provided via the query form will be used for the sole purposes of maintaining the administrative relationship resulting from the management of the request for information, sending information by post or email on Idescat's services and activities in relation to its competencies and sending satisfaction surveys on its service, by traditional and electronic means, so as to expand or improve it, as appropriate.
The personal data provided via the forms for suggestions, statistical training and promotion, venue rental and visits will be used for the sole purpose of maintaining the administrative relationship resulting from the respective management of the suggestion, course registration application, venue rental request or visit request.
5. Transfer of the personal data from Idescat's forms
Idescat undertakes to not disclosing personal data supplied by the data subject through any media and to not selling, leasing or transferring the personal data of users of the forms for orders, suggestions, statistical training and promotion, venue rental and visits to any public or private company or institution without the consent of the holder of the data. Personal data may only be transferred to judicial or administrative authorities should the law make this mandatory.
6. Security of the personal data
Personal data shall be processed with the degree of protection legally required in accordance with the GDPR, and all security measures will be taken to prevent misuse, modification, loss, unauthorised access or processing or appropriation by third parties who may use them for fraudulent purposes of one that are different from those for which they were requested.
7. List of processing activities
Idescat will carry out the following processing actions:
- Population Register of Catalonia
- Extra-parliamentary legislative initiatives
- Economic management and public procurement
- Human resource management
- Prevention of occupational hazards
- Contacts, institutional relations and subscribers
- Access control
- Video surveillance
- Statistical training and promotion
- Venue rental
You can find information on each kind of processing in the Recording processing activities.
The browsing data collected by the Idescat website do not contain information that may be associated with specific users and are only used to obtain statistical information on the use of this website.
9. Rights of the data subject (Habeas data rights)
Right of access
The data subject has the right to know whether the controller is processing their data and, if so, the right to access this data and obtain the following information:
- The purpose of the processing, the categories of personal data being processed or the addressees and categories of the addressees to whom the data has been or will be disclosed.
- The period for maintaining the personal data or the criteria used to determine this.
- The right to request rectification or elimination of the data by the controller for processing, restricting the processing or the right of opposition.
- The right to present a complaint before the monitoring authority.
- The source of the data, not obtained from the data subject.
- The existence of automated decision, including the creation of profiles, applied logic and the consequences of this process.
- If the data is transferred internationally, the suitable guarantees that have been offered.
The data subject has the right to obtain a free copy of the data that is the object of processing. A canon can be arranged for later copies in accordance with the administrative costs. If requested by electronic means, the data subject has the right to receive information in the same format.
Restriction on the right to receive copies: if this infringes the rights of third parties.
Right to rectification
This is linked to the inaccurate or incomplete nature of the data.
The data subject has the right to correct any inaccurate personal data and to complete any that are incomplete, through an additional declaration if appropriate.
The controller must inform each of the addressees to whom the data has been sent of the rectification made, unless this is impossible or requires disproportionate effort. If the data subject requests it, the controller must identify the addressees.
Right of erasure (or right to be forgotten)
The GDPR includes the right to be forgotten as a right linked to the erasure of data.
The data subject has the right to demand the erasure of their personal data (right to be forgotten) when:
- The data is no longer necessary for the purpose for which it was collected.
- The consent on which processing was based has been revoked.
- The data subject is opposed to the processing.
- The data has been processed illicitly.
- The data must be erased to comply with a legal obligation.
When the controller has made the personal data public and they must be erased, reasonable measures must be taken to inform the other controllers for processing the data of this.
The controller must inform each of the addressees of the erasure, unless this is impossible or requires disproportionate effort. If the data subject requests it, the controller must identify the addressees.
Exceptions to the exercise of the right of erasure:
- The exercise of this right of freedom of expression and information
- Compliance with a legal obligation
- The existence of reasons of public interest, scientific or historical research or statistical purposes for keeping the files
- The drafting, exercise or defence of complaints
Right to object
The data subject has the right to object the processing of their personal data when:
- The processing is based on public interest or the exercise of public authority conferred on the controller, or a legitimate interest pursued by this controller or a third party. In this case, the object must be grounded on reasons related with their personal situation.
- The controller for processing must refrain from processing them, unless they can prove a legitimate interest that prevails over those of the data subject or it is necessary to exercise or defend claims.
- The purpose of processing is direct marketing, including the preparation of profiles related with this marketing.
- Processing has statistical motives or scientific or historical research and a reason related with their personal situation is invoked.
Right to restriction of processing
The data subject has the right for their personal data to be marked in order to restrict processing in the future. The restriction of processing implies that the personal data of the data subject can stop being processed on request.
This should not be confused with the blocking of data stipulated in Organic Law 15/1999 of 13 December on personal data protection (LOPD).
The restriction can be requested when:
- The data subject has exercised their right to rectification or object and until the controller decides whether to accept the request.
- Processing is illicit, which would result in erasure of the data, but the data subject does not want to erase them.
- The data is not needed for processing, which would result in erasure of the data, but the data subject does not want to erase them because they are needed to make, exercise or defend claims.
While the restriction lasts, the controller can only process the data affected, besides preserving them, in the following cases:
- With the consent of the data subject
- To make, exercise or defend claims
- To protect the rights of another natural or legal person
- For public interest, of the European Union or the corresponding member state
The controller must inform each of the addressees to whom the data has been sent of the restriction, unless this is impossible or requires disproportionate effort. If the data subject requests it, the controller must identify the addressees.
Right to data portability
The data subject has the right to receive their personal data provided by a controller for processing in a structured, commonly used, machine-readable format to transfer it to another controller, if the following requirements are met:
- Processing is based on consent or a contract.
- Processing is done through automated means.
On the other hand, this right cannot be exercised when processing is grounded on compliance with a purpose of interest public or inherent to the exercise of public authority.
10. How to exercise the rights
You can access your data, rectify or erase them, oppose processing and request the restriction of processing or portability by sending the corresponding form to the email address dpd at idescat dot cat or the postal address of Idescat (Via Laietana, 58, 08003 Barcelona).
You can also use the generic request available on Gencat procedures. In this case, submitting the request by digital means requires possession of an electronic certificate or the idCat Mòbil alternative system of identification. You must clearly state which right or rights you wish to exercise in your request.
Idescat will inform you of the actions arising from your request within one month that, in the case of particularly complex requests, can be extended for two more months (therefore to a maximum of three months). In the latter case, the extension of the period will be notified in the first month.
If you consider that we have not offered a suitable response to your request, you can make a complaint to the Catalan Data Protection Authority or take legal action.