This is the data protection policy of the Greenways Consortium. It supplements the General Data Protection Regulation (Regulation [EU] 2016/679 of the European Parliament and the Council, of April 27, 2016) and Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
The data controller of the personal data is the Greenways Consortium, with CIF P1700047B and registered address at Emili Grahit, 13, 9è B, Girona (17002), email address firstname.lastname@example.org, www.viesverdes.cat.
How we use the personal data
The personal data is processed in accordance with the provisions of the General Data Protection Regulation.
The data is processed on a lawful basis (only when there is a legal reason to do so and in transparency with the data subject).
We use them for the specific, legitimate, explicit purposes that were explained when they were obtained. We do not process them for any other reasons incompatible with these purposes at a later date.
We only process data that is adequate, relevant and limited to what is necessary in each case and for each purpose.
We aim to keep the data updated.
We conserve the data for the necessary amount of time, in compliance with regulations on the conservation of public information.
We take the necessary technical and organizational steps to avoid unauthorized or illicit use, data loss, destruction or accidental damage.
In general, data may only be obtained from people over 14 years old. In the case of minors under 14 years old, the authorization from parents or legal representatives is required.
Who is the data protection officer
The data protection officer (DPO) supervises the compliance with the data protection regulations, ensuring that the persons’ rights are protected. Included in their responsibilities is that of tending to data subjects who wish to file a claim or complaint. The data protection officer may be contacted by writing to Greenways Consortium or by sending an email directly to the address email@example.com.
The Greenways Consortium processes the data for carrying out its competencies and functions. The Consortium’s services are described at its website. A complete description of data processing activities and the purposes for which the data is used is included in the Record of processing activities, in compliance with Article 30 of the GDPR.
Administrative processes and procedures
Based on the requests made by the interested parties, we utilize their data to carry out the filing procedures for each process. The catalog of processes and the filing procedures can be seen at the electronic headquarters. Depending on the process, data may be shared with other administrations competent on the subject. In some cases they may need to be published, in compliance with transparency principles.
In providing services, we process the data provided by the recipient of those services or data received from other administrations. Offering these services often requires tracking data and obtaining new data from the users. The catalog of services can be seen at this site. In general, the data is not shared with other parties without the users’ consent.
We handle the queries made by people who use the contact submission forms on our website. The data is used solely for this purpose and is not shared with third parties.
With the express permission of each person, we use the contact data they have provided to inform them about our initiatives, services and/or activities. This is done through various channels, depending on the authorizations given by each person. The data is not shared with other parties without their consent.
Data processing of our providers
We record and process the data of providers from whom we obtain works, services or goods. They may include personal data of those who are self-employed and data of the representatives of legal subjects. We obtain the essential data for maintaining the commercial relationship and the data is used solely for this purpose. In compliance with legal obligations (fiscal and contractual regulations for public services) we share data with other public administrations.
The data processing carried out has different legal requirements, depending on the nature of each type of processing.
Compliance with legal obligations
The processing of data in the context of administrative procedures is done in accordance with the regulations for each procedure. It will be done in compliance with all legal obligations.
Perform a task in the public interest
Data processing as a result of our provision of services is justified as satisfying the public interest. Similarly, the images we obtain from security video cameras is also processed for preserving the public interest.
Compliance with a contractual or pre-contractual relationship
We process the data from our providers following the contract guidelines that apply to the public sector, with the necessary scope for the development of the contractual relationship.
Based on consent given
When we send information about our initiatives, services or activities, we process the contact data of the recipients with their authorization or explicit consent.
The data retention time is determined by various factors, primarily the fact that the data remains necessary to satisfy the purposes for which it was collected in each case. Additionally, they are retained to be able to respond to any responsibility issues regarding the data processing by the Girona Greenways Consortium, and to meet any requirements set by other public administrations or judicial bodies.
Consequently, the data must be retained as long as necessary to preserve its legal or informative value, or to show compliance with legal obligations, but not exceeding a period longer than is necessary, in accordance with the purpose of the processing.
In certain cases, such as data contained in accounting and invoicing documents, the tax regulations require them to be kept until the legal responsibilities in those areas are no longer applicable.
In the case of data that is processed exclusively with the consent of the person interested, it will be retained until the consent is withdrawn.
The regulations governing the conservation of public documents, and the rulings of the National Commission for Documentation Access, Evaluation and Selection are the references that determine the criteria that we follow in the retention or elimination of the data.
What are the rights of the people whose data we process
The people whose data we process have the following rights:
To know if their data is processed
In the first place, any person has the right to know if we process their data, regardless of any prior relationships that may have existed.
To be informed about the collection
When the data is obtained directly from the person, they must have clear information regarding the purposes for collecting it, who will be responsible for processing it and the main details arising from this processing.
Right that lets people know what data is subject to processing, what the purpose is for processing it, how it may be shared with other parties for processing (if that is the case) and the right to obtain a copy of it and know how long it will be retained.
To request rectification
This is the right to rectify any incorrect data that is subject to processing on our part.
To request erasure
The right to request data be erased is recognized when, among other reasons, the data is not necessary for the purposes for which it was collected.
To restrict processing
Also recognized in certain circumstances is the right to request the restriction of data processing. In this case the data will not be processed and will only be stored for the establishment or defense of legal claims.
To data portability
In the cases foreseen under this regulation is the recognition of the right for an individual to obtain their own personal data in a common-use format.
To object to processing
A person can adduce particular reasons for objecting to having their data processed to the extent that doing so would be harmful.
How the rights may be exercised or defended
The rights that we just listed can be exercised by sending a request to the Greenways Consortium via mail or using the other contact information listed in the heading.
If you have not received a satisfactory response in exercising your rights, it is possible to file a complaint with the Catalan Data Protection Authority, by using their form or through other channels listed on their website: www.apd.cat.
In any case, in order to file a claim, request clarifications or offer suggestions, you can contact the Data Protection Officer via email at firstname.lastname@example.org.