In accordance with Article 11 of the Spanish Personal Data Protection and Guarantee of Digital Rights Act 3/2018, of 5 December (hereafter LOPDGDD), and Article 13 of the General Data Protection Regulation 2016 /679 (GDPR), here we describe how personal data is processed at the Pere Tarrés Foundation.
1.1.1- Definitions
The terms below are understood as follows:
1) Personal data: any information about an identified or identifiable individual (the data subject). An identifiable individual is considered any person whose identity can be determined, directly or indirectly, using an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of their physical, physiological, genetic, psychological, economic, cultural or social identity.
2) Processing: any operation or set of operations carried out on personal data or a set of personal data using automated or non-automated procedures, such as collecting, storing, organising, structuring, conserving, adapting, modifying, extracting, consulting, using or communicating it through transmission, dissemination or any other form of allowing access to it, collation or interconnection, or limiting, erasing or destroying it.
3) Profiling: any form of automated personal data processing consisting of using this data to evaluate personal aspects of an individual, particularly to analyse or predict aspects related to their professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
4) Pseudonymisation: processing personal data in such a way that it cannot be attributed to a data subject without the use of additional information, provided that this information is separated and subject to technical and organisational measures aimed at ensuring that the personal information is not attributed to an identified or identifiable individual.
5) File: a structured set of personal data accessible following specific criteria. It may be centralised or decentralised or distributed functionally or geographically.
6) Data controller or controller: the individual or organisation, public authority, service or any other body which, alone or together with others, decides the purpose of the processing.
7) Data processor or processor: the individual or organisation, public authority, service or any other body that processes personal data on behalf of the data controller.
8) Recipient: a person or organisation to which personal data is communicated, which may or may not be a third party. However, public authorities that receive personal data in the context of a specific investigation should not be considered as recipients.
9) Third party: an individual or organisation, public authority, service or body other than the data subject, the controller, the processor and persons or organisations authorised to process personal data under the direct authority of the controller or processor.
10) Data subject’s consent: any free, specific, informed and unequivocal expression of will by which the data subject accepts the processing of personal data relating to them by means of clear affirmative action or a declaration.
11) Supervisory authority: an independent public authority established by an EU Member State under Article 51 of the GDPR.
12) Cross-border processing:
1.1.2- Who decides on the use to be made of the data and the means for carrying out the processing?
The data controller is the Pere Tarrés Foundation
Tax ID: R5800395E
Registered address: Barcelona, C/ Numància, 149-151
Telephone: 934301606
E-mail: LOPD@peretarres.org
1.1.3- Who ensures that all the rules governing the processing of information at the Pere Tarrés Foundation are correctly applied?
The data protection officer is the Foundation’s Legal Department, with the e-mail address: LOPD@peretarres.org.
1.1.4- What will we use your data for? What is the legal basis for processing it? How long will we keep it?
Purpose | Legal basis | Conservation |
---|---|---|
Providing the services you request from us |
Contractual relationship |
10 years |
Sending information on activities by e-mail or post |
Contractual relationship and consent |
Until consent is revoked |
Information request |
Consent |
1 year |
Donation management |
Contractual relationship and legal obligation |
10 years |
Staff management |
Contractual relationship and legal obligation |
5 years |
Supplier management |
Contractual relationship and legal obligation |
5 years |
Attention to legal and contractual obligations |
Contractual relationship and legal obligation |
5 years |
Image management |
Consent and Art. 8 LO 1/1982 |
Until consent is revoked |
Video surveillance |
Legitimate interest. Maintaining security |
Maximum 30 days from capture |
Resumes |
Contractual relationship and consent |
1 year |
1.1.5- Do we process your images?
The data controller documents the public events it organises with photographs and videos in order to publicise them on its website or other spaces for the public dissemination of information such as: the website itself, social media where the data controller has a profile, its own publications, and the press. You can obtain more information on this section by consulting the data controller’s website or by contacting its DPO.
1.1.6- Who will be able to access and find out about the content of your data?
In order to comply with the above purposes, the persons and organisations listed below may have access to personal data. Their access will be limited to the data necessary to carry out the data controller’s functions. Confidentiality agreements and/or specific agreements governing access to information, security measures and the use that can be made of the data have been signed with all recipient organisations and persons. The following people can access the data:
You can find out more information by consulting the data protection officer.
1.1.7- Is cross-border data processing carried out?
The controller uses the following programs, which may involve data transfer outside the Schengen area:
Microsoft. For more information, click: https://privacy.microsoft.com/es-es/privacystatement
Google Workspace. For more information, click:
II.- Social media announced on our website.
In these cases, the data transfer is carried out to countries considered appropriate because they have been deemed adequate by the European Commission or in accordance with the guarantees required by GDPR, such as having standard data protection clauses approved by the European Commission.
All information on the rights of users who have allowed digital processing is in the legal notices of the websites containing the software and applications. As access is unrestricted, we consider the entire content of these notices to be reproduced. Given the extent of the content of the published policies, you can request a copy by contacting the data controller or data protection officer at the addresses listed in part 1.3 of this section.
1.1.8- What rights do data subjects and data owners have?
Right of access. This is governed by Article 15 of the GDPR 2016/679 of 27 April 2016. This involves asking the data controller for access in order to obtain all the information they have about your own personal data, and communications made or planned with it, free of charge.
Right to rectification. This is governed by Article 16 of the GDPR. It involves asking the data controller to change the content of the information about you and your data following instructions from the owner of the information.
Right of erasure. This is governed by Article 17 of the GDPR 2016/679. It consists of asking the data controller to delete any information about the person of the data owner. Erasure implies blocking all data and keeping it available to public administrations until the right to take legal action has expired.
Right to restrict processing. Governed by Article 18 of the GDPR 2016/679 of 27 April 2016, this involves asking the data controller to restrict the processing of your data if any of the following conditions apply:
i.- the personal data is inaccurate;
ii.- the processing is illicit;
iii.- the data controller no longer needs to process the data;
iv.- the reasons for ceasing to process the data claimed by the affected party take precedence over those of the data controller for continuing to do so.
The right to data portability. This is contained in Article 20 of the GDPR 2016/679 of 27 April 2016. It consists of asking the data controller to provide the information owner’s personal data in a structured, commonly used, machine-readable format so they can be passed on to another data controller, when the processing is carried out by computerised means, based on express consent.
Right to object. Governed by Article 21 of the GDPR 2016/679 of 27 April 2016, this involves asking the data controller to process the data following certain instructions given by the owner of the personal information.
Right to revoke consent. Governed by article 13.2.c) of the GDPR 2016/679 of 27 April 2016, this is an order given by the data owner to the data controller that they are withdrawing the consent they had previously given to their data being processed.
Right not to be subject to automated individual decisions. This is a request to the data controller that decisions with legal effects should not be taken exclusively by machines.
You can exercise your rights by obtaining the following forms and sending them by e-mail to LOPD@peretarres.org or to the data controller’s addresses:
You can also write to the data controller’s addresses or send an e-mail to LOPD@peretarres.org with the text “DATA PROTECTION” in the subject line, attaching a photocopy of your Spanish identity card, foreigner’s number or passport.
1.1.9- How to make a claim
You can contact the person responsible for internal compliance using the complaints channel you will find on the website www.peretarres.org.
If you believe your rights have been infringed, the competent body for finding out about the correct application of the rules on information processing is the Spanish Data Protection Authority at number 6, Calle Jorge Juan in Madrid.
1.1.10- What obligations do I have as a data subject?
The person concerned must provide truthful and up-to-date information in all data collection processes and is liable if this obligation is breached.
The compulsory data is already marked on the collection forms, depending on the request made by the person concerned. If compulsory data is not provided, the right to participate in the activity could be negatively affected or it may not be possible to provide the service or benefit requested.
1.1.11- Can the data controller create profiles?
It is sometimes necessary to develop profiles of service recipients in order to provide more personalised, careful and effective attention to the user. Profiles are not created without the direct involvement of an individual.
It is understood that the user accepts the proposed conditions if they press the 'ACCEPT' button on the data collection forms, or if they send an e-mail to the contact addresses listed on the website.
Personal data is stored in the data controller’s general administration database which, in all cases, guarantees technical and organisational measures to preserve the integrity and security of the information processed.
The general database is equipped with the mandatory security document and has all technical means available to prevent the loss, misuse, alteration, or theft of the data you provide us with or unauthorised access to it. Personal data processing is in accordance with the provisions of the Spanish Personal Data Protection and Guarantee of Digital Rights Act 3/2018 and Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016.
To make it easier for you to find resources we believe are of interest to you, on this website there are links to other sites.
This privacy policy applies only to this website. The data controller does not guarantee compliance with these rules on other websites, nor is it responsible for access via links from this site.
Whoever accesses and uses this website will be considered a user. The simple fact of making use of the website indicates that the user has accepted all the conditions of use.
It is forbidden to publish content that violates the following principles on this website, our blogs, and other participatory tools:
a) The safeguarding of public order, criminal investigation, public security and national defence.
b) The protection of public health or of natural persons having the status of consumers or users.
c) Respect for human dignity and the principle of non-discrimination on grounds of race, sex, opinion, nationality, disability or any other personal or social circumstance.
d) Child and youth protection.
e) Respect for the free will of those affected.
f) Respect for the intellectual property of published content.
g) In general, respect for current legality.
The user assumes responsibility for use of the portal. This responsibility extends to the registration required to access certain services or content. The user shall be responsible for providing truthful and lawful information in the registration process.
The user undertakes to make appropriate use of the contents and services that the owner of the domain offers through its websites and tools for participation, by way of example and without limitation, and also undertakes not to use them for:
The domain owner reserves the right to withdraw all comments and contributions that violate respect for human dignity, that are discriminatory, xenophobic, racist, pornographic, that threaten people, especially against the interests of youth or childhood, public order or security or that are not suitable for publication at the discretion of the management of the centre.
In any case, the domain owner is not responsible for the opinions expressed by users through forums, chats, or other participatory tools.
In order to access certain content, a user code and password must be entered. If you do not have a password, you can get one when you register.
We inform you that passwords are personal and non-transferable. The user is solely responsible for the consequences that may result from the use of their password.
For any password issues, you can follow the instructions in a link on the identification screen.
The domain holder is the owner of all the intellectual and industrial property rights of their web pages, as well as the entirety of their content, so that any reproduction, distribution and public communication of all or part of its content is expressly prohibited without the express authorization of the management of the centre.
The owner of the domain is not responsible for damages that may arise from telephone interference or breakdowns, disconnections in the electronic system, presence of computer viruses, malicious programs or any other factor beyond its control.
The domain owner reserves the right to take legal action against those who violate these conditions.
The Pere Tarrés Foundation may modify these conditions at any time, without prior notice, publishing its modifications as they appear.
The relationship between the domain owner and the user will be governed by current Spanish legislation and any dispute will be submitted to the Courts and Tribunals corresponding to Barcelona.
The Foundation
How we do
Transparency portal
Sustainability and environment
Quality
Ethical commitment
Quality
Promoting equality
SDG
Networking
Recognition and awards
Who endorses and supports us
Charity projects
Presentation
Projects
How to help
Cooperation
Transparency and accountability
Frequently asked questions