The Port Authority of Barcelona (hereinafter APB), as data controller, guarantees an adequate and consistent level of protection of natural persons with respect to their personal data, which is the subject of processing for the development of its competences, in accordance with the requirements of the General Data Protection Regulation (2016/679) and the Organic Law 3/2018 of December 5, on data protection and guarantee of digital rights.
The APB processes personal data in a fully responsible and loyal manner, and in accordance with the legal bases that allow the lawfulness of the processing, in compliance with the General Data Protection Regulation and the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights.
In order to comply with data protection legislation, the APB has prepared and published a Register of Processing Activities and has adopted technical and organisational security measures, appropriate to the risks assessed and objectively identified for the rights and freedoms of the persons concerned, to which the data processed and the processing carried out by the APB.
The APB applies the principle of transparency in the processing of personal data, providing interested parties with the information required by the RGPD and the LOPDGDD in a concise, easily accessible, complete and easy to read language; at the same time, it facilitates the exercise of rights in the Electronic Register through the electronic office at https://seu. portdebarcelona.gob.es or in person at the offices of the SAU General Registry located at Moll de Barcelona, World Trade Center – Edifici Est, 08039 Barcelona.
On the other hand, the APB has a Data Protection Delegate, in accordance with the provisions of Article 37.1.a) of the General Data Protection Regulation (2016/679) and Articles 34 and 36 of Organic Law 3/2018, on the protection of personal data and guarantee of digital rights. APB also has a Data Protection Officer, whose email address is firstname.lastname@example.org.
The following is expanded information on each processing activity under the responsibility of the APB, listed in the Register of Processing Activities, and for which basic information has been provided in each data collection procedure:
1. Data Controller
PORT AUTHORITY OF BARCELONA
Postal address. Moll de Barcelona, World Trade Center – East Building
2. Legal basis for processing
The processing of the personal data of the persons concerned, derived from APB’s competences and functions are based, for all purposes, on the following legal bases, which are detailed for each processing activity in the Register of Processing Activities:
- General Data Protection Regulation 2016/679.
Article 6.1. b. The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the data subject’s request of pre-contractual measures.
Article 6.1.c. The processing is necessary for compliance with a legal obligation applicable to the controller.
Article 6.1.e. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Article 6.1. a. The processing has been carried out by obtaining the consent of the data subject.
- Organic Law 3/2018 on the protection of personal data and guarantee of digital rights.
Article 8. Processing of data due to legal obligation, public interest or exercise of public powers.
The processing of personal data may only be considered to be founded on the fulfilment of a legal obligation enforceable on the data controller, in the terms provided for in Article 6.1.c) of Regulation (EU) 2016/679, when so provided by a rule of European Union law or a rule having the force of law.
The processing of personal data may only be considered to be based on the performance of a task carried out in the public interest or in the exercise of public powers conferred on the controller, in the terms provided for in Article 6.1.e) of Regulation (EU) 2016/679, when it derives from a competence conferred by a rule having the force of law.
3. Purposes of the processing
The purposes of the processing of the personal data of the persons concerned, which the APB carries out in the exercise of its powers, in accordance with the legal bases that legitimise the processing of personal data by APB, are recorded in the Register of Processing Activities.
4. Data retention period
The personal data of the persons concerned will be kept for the time necessary to fulfil the purposes justifying the processing, in accordance with the exercise of the powers and functions of the APB, and to determine the possible responsibilities arising from these purposes. The deletion of the data will also comply with sectoral regulations that require minimum retention periods; and subsequently in application of the legislation on administration files.
5. Data protection rights and how to exercise them
The interested parties, holders of the data processed by the APB have the right to exercise their data protection rights: right of access to their data, rectification of erroneous, inaccurate or incomplete data, and deletion when, among other reasons, the data are no longer necessary for the purposes for which they were processed.
In certain circumstances, data subjects may request the limitation of the processing of their data, in which case the data will only be kept for the exercise or defence of claims.
Also for reasons related to their particular situation, data subjects may object to the processing of their data. In this case, the APB will cease the processing of this data except for legitimate reasons or for the exercise or defence of possible claims.
Definition of data protection rights
Right of Access: Consists of the right of data subjects to contact the data controller and find out whether or not their personal data is being processed.
Right of Rectification: Consists of the right of data subjects to rectify or complete inaccurate or incomplete data.
Right of Opposition: Consists of the right of the interested parties to oppose the processing of their data, for reasons related to their particular situation.
Right of Deletion: Consists of the right of data subjects to request the deletion of their personal data.
Right to Limitation of Processing: Consists of the right of data subjects to request the limitation of the processing of their personal data, in accordance with certain conditions related to the interests of the persons concerned.
Right of Portability: Consists of the right of data subjects to receive their personal data that they have provided to a controller, in a structured, commonly used and machine-readable format, and to transfer it to another controller without being prevented by the controller to whom they have provided it, where the processing is based on consent or a contract and the processing is carried out by automated means. This right of portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right not to be subject to automated individual decisions and profiling: This is the right of data subjects not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on him or her or significantly affects him or her in a similar way, including certain opt-out situations.
To exercise these rights, the interested party may do so through the Electronic Register through the Electronic Headquarters at https://seu.portdebarcelona.gob.es or in person at the offices of the General Registry-SAU located in the Moll of Barcelona, World Trade Centre – East Building, 08039 Barcelona.
Likewise, if you are not satisfied with the response to the request to exercise your rights, and in any case, whenever you consider it appropriate, you may file a complaint with the Spanish Data Protection Agency through its electronic headquarters at https://sedeagpd.gob.es/sede-electronica-web/.
6. Data recipients
The identification of the recipients of the data appears in the Register of Processing Activities that the APB has made public. In any case, other public administrations competent in the matter may also be recipients of personal data, where appropriate, the transfer having been based on a legitimate legal basis, in accordance with Article 6 of the RGPD and Article 8 of the LOPDGDD.
7. International data transfers
No international data transfers are foreseen.
8. Origin of personal data
The personal data processed by the APB in the performance of a task carried out in the public interest, in the exercise of public powers vested in the data controller, in compliance with a legal obligation or in the performance of a contract originate directly from the data subjects or their representatives.
In the event that the data do not come directly from the data subjects, for example if it comes from other public administrations, Article 14 of the GDPR concerning the additional information to be provided to the data subject when the personal data have not been obtained from the data subject, which specifically includes the obligation to inform about the origin of the data and about the categories of personal data undergoing processing, shall be complied with.
Likewise, with regard to the right of citizens not to provide documents that are already in the possession of the administration acting or have been prepared by any other administration, the provisions of the current wording of Article 28.2 of the Administrative Procedure Act shall apply, in accordance with the Twelfth Final Provision of Organic Law 3/2018, on the protection of personal data and guarantee of digital rights and the Eighth Additional Provision of the same law, on the verification power of the public administrations of the same law.