This data protection policy of the Iberamerik Concert Associació refers to the data of the individuals with whom the Consorci is associated in the exercise of its powers and performance of its tasks. The processing of personal data is carried out in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) as well as the national legislation on this subject.
Who is responsible for processing the personal data?
The data controller is the Iluminario Associació (the entity), with tax ID no. G65486581 and address at carrer Portal, 4, Torrebesses – Lleida (postal code 25176), email adress email@example.com.
What are the criteria for processing personal data?
We fully adopt the principles of the General Data Protection Regulation in the processing of data.
a) We process data in a lawful manner (only when we have a legal basis that enables this and with transparency regarding the person concerned).
b) We use the data for the specified, explicit and legitimate purposes that we explain at the time of obtaining these data. They will not be further processed in a way incompatible with those purposes.
c) We only process data that are appropriate, relevant and restricted to what is necessary in each case and for each purpose.
d) We strive to keep the data up to date.
e) We keep the data for no longer than is necessary, complying with the regulations governing the retention of public information.
f) We implement the appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing or the loss, destruction or accidental damage thereof.
Who is the Data Protection Officer?
The Data Protection Officer (DPO) is the person who oversees and monitors compliance with the Consorci’s data protection policy, ensuring that personal data are properly processed and people’s rights are protected. The DPO’s duties include dealing with any questions, suggestions, complaints or claims from data subjects. You can contact the DPO by writing to our postal address or telephoning, or by writing directly to the following email address firstname.lastname@example.org.
For what purpose do we process data and with whom are the data shared?
The entity processes personal data mainly to provide programme information and ticket sales services, to send communications related to our activities and services and to develop commercial relationships with our suppliers. The main purposes are listed below:
Contact. We handle enquiries from the persons who use the contact forms on our website. The data are used for this purpose only and are not shared with anyone else.
Information on activities and services. With the explicit permission each person, we use the contact information they have provided to inform them about our initiatives, services or activities. We do this through different channels depending on the permission the person has given. The contact information is not shared with anyone else without the consent of the person concerned.
What is the lawful basis for data processing?
The data processing that we carry out has different legal bases, depending on the nature of the processing.
Compliance with legal obligations. The processing of data in the context of administrative procedures is carried out following the rules governing each of the procedures and in compliance with legal obligations.
In compliance with a contractual relationship. This is the case with the relationships with our customers and suppliers and all the actions and uses of the data that these commercial relationships entail.
Based on consent. When we send information about our initiatives, services or activities, we process the contact details of the recipients with their permission or explicit consent. The browsing data that we obtain from the person who visits our website is also based on consent, which can be withdrawn at any time by disabling the cookies.
Based on legitimate interest. The footage we obtain from the video surveillance cameras is processed for the legitimate interest of our institution in protecting its assets and facilities.
How long do we retain the data?
The length of time the data are retained is determined by different factors, mainly by the fact the data are still necessary to fulfil the purposes for which they were collected in each case. They are also retained to enable the entity to deal with possible liabilities due to data processing by the Consortium, as well as to meet any requirements from other public administrations or judicial bodies.
Consequently, the data will be retained for the time necessary to preserve their legal or information value or to comply with legal obligations, but for no longer than is necessary in accordance with the purposes of the processing.
In certain cases, such as the data appearing in accounting documentation and billing, tax legislation requires them to be retained until the relevant statutory limitation period expires.
In the case of data that are processed exclusively based on the data subject’s consent, they are stored until he/she withdraws this consent.
What rights do people have in relation to the data we process?
Under the provisions of the General Data Protection Regulation, data subjects have the following rights:
To know whether the data are being processed. Anyone has, first of all, the right to know whether we are processing their data, regardless of whether there has been a prior relationship.
To be informed during collection. Where personal data are obtained from the person concerned, at the time of providing them, this person must have clear information about the purposes for which they will be used, who the data controller will be and the main aspects arising from this processing.
To access their data. A very broad right that includes knowing precisely which personal data are subject to processing, what the purpose of the processing is, whether the data will be shared with anyone else (if applicable) or the right to obtain a copy of the data or to know the expected period of data retention.
To request rectification. This is the right to rectify any inaccurate data that we may process.
To request erasure. Under certain circumstances, there is the right to request the erasure of the data where, among other reasons, they are no longer necessary for the purposes for which they were collected and that justify the processing.
To request the restriction of processing. Under certain circumstances, the right to request the restriction of data processing is also recognised. In this case, the data will no longer be processed and will only be retained for the exercise or defence of claims, in accordance with the General Data Protection Regulation.
To portability. In the cases provided for by law, the right to obtain personal data in a structured, commonly used and machine-readable format is recognised, as well as having the right to transmit those data to another controller should the person concerned so decide.
To object to the processing. The data subject has the right to object to the processing of their data on grounds relating to their particular situation. The controller shall no longer process the subject’s data to the extent or degree that may be detrimental, unless there are compelling legitimate grounds, or for the exercise or defence of claims.
To not receive information. We immediately respond to requests to stop receiving information about our activities and services, where these mailings were based solely on the recipient’s consent.
How can you exercise or defend your rights?
The rights listed above can be exercised by sending a request to the entity at the postal address or the other contact information indicated in the header.
If no satisfactory response is obtained regarding the exercise of your rights, you may lodge a complaint with the Catalan Data Protection Authority, through the forms or other channels accessible from their website (apdcat.gencat.cat).
In all cases, whether to lodge complaints, request clarifications or make suggestions, you may contact the Data Protection Officer at the email address email@example.com.