In accordance with the provisions of Article 11 of Organic Law 3/2018, of 5 December, on the protection of personal data and guarantee of digital rights (hereinafter, LOPDGDD) and Article 13 of the General Data Protection Regulation 2016/679 (GDPR), below we describe how personal data is processed at the Pere Tarrés Foundation.
1.1.1- Definitions
1) Personal data: means any information concerning an identified or identifiable natural person (the data subject). An identifiable natural person is any individual whose identity can be determined, directly or indirectly, using an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2) Processing: means an operation or set of operations performed on personal data or a set of personal data, whether by automated means or not, such as collection, recording, organisation, structuring, storage, adaptation, modification, retrieval, consultation, use, disclosure by transmission or dissemination, as well as any other form of access, comparison or interconnection, restriction, erasure, or destruction.
3) Profiling: means any form of automated processing of personal data consisting of using such data to evaluate personal aspects relating to a natural person; in particular, to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, preferences, interests, reliability, behaviour, location, or movements.
4) Pseudonymisation: means the processing of personal data in such a manner that the personal data cannot be attributed to a data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
5) File: means a structured set of personal data accessible according to specific criteria, whether centralised, decentralised, or distributed functionally or geographically.
6) Data controller or controller: means a natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes of the processing.
7) Data processor or processor: means a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.
8) Recipient: means a person to whom personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular investigation will not be regarded as recipients.
9) Third party: means a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
10) Data subject’s consent: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
11) Supervisory authority: means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.
12) Cross-border processing:
1.1.2- Who decides on the use to be made of the data and the means for carrying out the processing?
The data controller is the Pere Tarrés Foundation
Tax ID: R5800395E
Registered address: Barcelona, C/ Numància, 149-151
Telephone: 934301606
E-mail: [email protected]
1.1.3- Who ensures that all the rules governing the processing of information at the Pere Tarrés Foundation are correctly applied?
The data protection officer is the Foundation’s Legal Department, with the e-mail address: [email protected].
1.1.4- What will we use your data for? What is the legal basis for processing it? How long will we keep it?
| Purpose | Legal basis | Conservation |
|---|---|---|
|
Providing the services you request from us |
Contractual relationship |
10 years |
|
Sending information on activities by e-mail or post |
Contractual relationship and consent |
Until consent is revoked |
| Information request |
Consent |
1 year |
|
Donation management |
Contractual relationship and legal obligation |
10 years |
|
Staff management |
Contractual relationship and legal obligation |
5 years |
|
Supplier management |
Contractual relationship and legal obligation |
5 years |
|
Attention to legal and contractual obligations |
Contractual relationship and legal obligation |
5 years |
|
Image management |
Consent and Art. 8 LO 1/1982 |
Until consent is revoked |
|
Video surveillance |
Legitimate interest. Maintaining security |
Maximum 30 days from capture |
|
Resumes |
Contractual relationship and consent |
1 year |
1.1.5- Do we process your images?
The data controller documents public events organised by the Foundation using photographs and videos to disseminate information on its website or other public information channels, such as social networks where the controller maintains an official profile, and its own publications or press releases. You can obtain more information by consulting the controller’s website or by contacting the DPO.
1.1.6- Who will be able to access and find out about the content of your data?
To fulfil the aforementioned purposes, the following persons and entities may access personal data. Access will be limited to the data strictly necessary to carry out the controller’s functions. Confidentiality agreements or specific conventions have been signed with all recipient organisations and individuals, regulating access to information, security measures, and the use of data. Recipients include:
You can obtain more information by consulting the data protection officer.
1.1.7- Is cross-border data processing carried out?
The controller uses the following programs, which may involve data transfer outside the Schengen area:
Microsoft. For more information, click: https://privacy.microsoft.com/es-es/privacystatement
Google Workspace. For more information, click:
II.- Social media announced on our website.
In such cases, the transfer of data is made to countries deemed adequate by the European Commission or under GDPR-compliant safeguards (e.g., Standard Contractual Clauses).
All information regarding the rights of users who have consented to digitised processing can be found in the legal notices of the websites hosting the software and applications. As access is free, we assume that all the content of the notices has been reproduced. Given the extent of the content of the published policies, you may request a copy by contacting the data controller or the DPO at the addresses set out in section 1.1.3.
1.1.8- What rights do data subjects and data owners have?
Right of access. (regulated by Article 15 of RGPD). It involves requesting access from the data controller to obtain free of charge all the information they hold about your personal data and any communications that have been or are planned.
Right to rectification. (regulated by Article 16 of RGPD). It involves asking the data controller to change the content of your personal information in accordance with your instructions as the data subject.
Right of erasure. (regulated by Article 17 of RGPD). It involves asking the data controller to erase any of your personal information. Suppression involves blocking all data and retaining it at the disposal of public authorities for the period provided for the limitation of the right to bring legal proceedings.
Right to restrict processing. (regulated by Article 18 of RGPD). You can ask the controller to restrict the processing of your data when one of the following conditions is met:
i.- personal data are not accurate;
ii. the processing is unlawful;
iii. the data controller no longer needs to process the data;
iv.- your reasons as data subjects for objecting to the processing of the data take precedence over those of the controller.
The right to data portability. (regulated by Article 20 of RGPD). It involves asking the data controller to provide your personal data as the data subject in a structured, commonly used and machine-readable format, in order to transmit it to another controller when the processing is carried out by automated means and is based on explicit consent.
Right to object. (regulated by Article 21 of RGPD). It involves asking the data controller to process your data in accordance with instructions you provide as the data subject.
Right to withdraw consent. (regulated by Article 13.2.c) RGPD). It is an instruction you can give to the controller to notify them that you are withdrawing the consent you gave them to process your data.
Right not to be subject to automated individual decision-making. It is a request to the data controller that all decisions with legal effects should not be made exclusively by machines.
You can exercise your rights by obtaining the following forms and sending them by e-mail to [email protected] or to the data controller’s addresses:
You can also write to the data controller’s addresses or send an e-mail to [email protected] with the text “DATA PROTECTION” in the subject line, attaching a photocopy of your Spanish identity card, foreigner’s number or passport.
1.1.9- 9 How can you lodge a complaint?
YYou may contact the internal compliance officer via the whistleblowing channel at www.peretarres.org.
If you believe your rights have been infringed, the competent authority is the Spanish Data Protection Agency, with legal address at Calle Jorge Juan, 6, Madrid.
1.1.10- What obligations do you have as data subjects?
You must provide truthful and up-to-date information in all data collection processes, and you are liable in the event of any breach of this obligation.
Depending on the request you make, the mandatory data are already marked in the collection forms. If you do not provide the mandatory data, your participation in the activity or the provision of the requested service may be prevented.
1.1.11- Can the controller create profiles?
To provide more personalized, accurate and effective attention, it is sometimes necessary to create profiles of the recipients of the services. No profiling is carried out without the direct intervention of a natural person.
It will be understood that the user accepts the conditions established by pressing the ‘ACCEPT’ button found in all data collection forms, or by sending an email to the contact addresses listed on the website.
Personal data are stored in the general administration database of the controller which, in any case, guarantees the technical and organisational measures to preserve the integrity and security of the information it processes.
The general database is equipped with the mandatory security document and all the technical means available to prevent the loss, misuse, alteration, unauthorized access or theft of the data you provide. The processing of personal data complies with the provisions of Organic Law 3/2018 on Data Protection and the guarantee of digital rights and Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27th April 2016.
To facilitate the search for resources that we believe may be of interest to you, this website may include links to other pages.
This privacy policy only applies to this website. The controller does not guarantee compliance with these rules on other websites, nor is it responsible for access through links from this site.
The Foundation
How we do
Transparency portal
Sustainability and environment
Quality
Ethical commitment
Quality
Promoting equality
SDG
Networking
Recognition and awards
Who endorses and supports us
Charity projects
Presentation
Projects
How to help
Cooperation
Transparency and accountability
Frequently asked questions
