This data protection policy of the Consorci de l’Auditori i l’Orquestra (Auditorium and Orchestra Consortium) refers to the data of the individuals with whom the Consorci is associated in the exercise of its powers and performance of its tasks. The processing of personal data is carried out in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) as well as the national legislation on this subject.
Who is responsible for processing the personal data?
The data controller is the Consorci de l’Auditori i l’Orquestra (‘the Consorci’), with tax ID no. Q-5856358-F and address at Carrer de Lepant, 150, 08013 Barcelona, email address email@example.com and website www.auditori.cat.
What are the criteria for processing personal data?
We fully adopt the principles of the General Data Protection Regulation in the processing of data.
a) We process data in a lawful manner (only when we have a legal basis that enables this and with transparency regarding the person concerned).
b) We use the data for the specified, explicit and legitimate purposes that we explain at the time of obtaining these data. They will not be further processed in a way incompatible with those purposes.
c) We only process data that are appropriate, relevant and restricted to what is necessary in each case and for each purpose.
d) We strive to keep the data up to date.
e) We keep the data for no longer than is necessary, complying with the regulations governing the retention of public information.
f) We implement the appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing or the loss, destruction or accidental damage thereof.
Who is the Data Protection Officer?
The Data Protection Officer (DPO) is the person who oversees and monitors compliance with the Consorci’s data protection policy, ensuring that personal data are properly processed and people’s rights are protected. The DPO’s duties include dealing with any questions, suggestions, complaints or claims from data subjects. You can contact the DPO by writing to our postal address or telephoning, or by writing directly to the following email address: firstname.lastname@example.org.
For what purpose do we process data and with whom are the data shared?
The Consorci processes personal data mainly to provide programme information and ticket sales services, to send communications related to our activities and services and to develop commercial relationships with our suppliers. The main purposes are listed below:
- Ticket sales and season ticket services. To manage ticket sales, season tickets and other services and products from the Consorci, we record the data of the persons who purchase them. We obtain the data required to complete the purchase and use them for this purpose only.
- Contact. We handle enquiries from the persons who use the contact forms on our website. The data are used for this purpose only and are not shared with anyone else.
- Personnel selection. We receive CVs and carry out personnel selection processes. The data provided by the persons concerned allows us to assess their merits and analyse the adequacy of the candidates’ profiles according to the vacancy or newly created position. The data are not shared with anyone else.
- Information on activities and services. With the explicit permission each person, we use the contact information they have provided to inform them about our initiatives, services or activities. We do this through different channels depending on the permission the person has given. The contact information is not shared with anyone else without the consent of the person concerned.
- Supplier data management. We record and process the data of suppliers from whom we obtain goods or services. This applies to the data of persons who act as freelancers as well as data from the representatives of legal entities. We obtain the data necessary to maintain the business relationship and we only use it for this purpose. In compliance with legal obligations (tax regulations), we share data with the tax authorities.
- Document registration. We record the data of the senders or recipients of documents completed in the Register, we use their data to record incoming and outgoing documents and keep track of any actions taken. According to the procedure, the data can be shared with other public administrations to guarantee the intercommunication and coordination of records.
- Video surveillance. In the access to our facilities, we provide information, where appropriate, on the existence of video surveillance cameras by means of approved signage. The cameras only record images of the points where justified to ensure the security of goods and persons. The footage is only used for this purpose. If justified, in certain cases, we share the data with law enforcement authorities or the competent judicial bodies.
What is the lawful basis for data processing?
The data processing that we carry out has different legal bases, depending on the nature of the processing.
- Compliance with legal obligations. The processing of data in the context of administrative procedures is carried out following the rules governing each of the procedures and in compliance with legal obligations.
- In compliance with a contractual relationship. This is the case with the relationships with our customers and suppliers and all the actions and uses of the data that these commercial relationships entail.
- Based on consent. When we send information about our initiatives, services or activities, we process the contact details of the recipients with their permission or explicit consent. The browsing data that we obtain from the person who visits our website is also based on consent, which can be withdrawn at any time by disabling the cookies.
- Based on legitimate interest. The footage we obtain from the video surveillance cameras is processed for the legitimate interest of our institution in protecting its assets and facilities.
The length of time the data are retained is determined by different factors, mainly by the fact the data are still necessary to fulfil the purposes for which they were collected in each case. They are also retained to enable the Consorci to deal with possible liabilities due to data processing by the Consortium, as well as to meet any requirements from other public administrations or judicial bodies.
Consequently, the data will be retained for the time necessary to preserve their legal or information value or to comply with legal obligations, but for no longer than is necessary in accordance with the purposes of the processing.
In certain cases, such as the data appearing in accounting documentation and billing, tax legislation requires them to be retained until the relevant statutory limitation period expires.
In the case of data that are processed exclusively based on the data subject’s consent, they are stored until he/she withdraws this consent.
Finally, in the case of footage obtained from the video surveillance cameras, the data will be stored for a maximum of one month, although in the case of incidents that so justify, the data will be retained for the amount of time necessary to facilitate the actions of law enforcement authorities or judicial bodies.
The regulations governing the retention of public documentation, and the reports of the la Comissió Nacional d'Accés, Avaluació i Tria Documental (National Commission on Documentary Access, Evaluation and Selection), are a benchmark that determine the criteria we follow in the retention or erasure of data.
What rights do people have in relation to the data we process?
Under the provisions of the General Data Protection Regulation, data subjects have the following rights:
- To know whether the data are being processed. Anyone has, first of all, the right to know whether we are processing their data, regardless of whether there has been a prior relationship.
- To be informed during collection. Where personal data are obtained from the person concerned, at the time of providing them, this person must have clear information about the purposes for which they will be used, who the data controller will be and the main aspects arising from this processing.
- To access their data. A very broad right that includes knowing precisely which personal data are subject to processing, what the purpose of the processing is, whether the data will be shared with anyone else (if applicable) or the right to obtain a copy of the data or to know the expected period of data retention.
- To request rectification. This is the right to rectify any inaccurate data that we may process.
- To request erasure. Under certain circumstances, there is the right to request the erasure of the data where, among other reasons, they are no longer necessary for the purposes for which they were collected and that justify the processing.
- To request the restriction of processing. Under certain circumstances, the right to request the restriction of data processing is also recognised. In this case, the data will no longer be processed and will only be retained for the exercise or defence of claims, in accordance with the General Data Protection Regulation.
- To portability. In the cases provided for by law, the right to obtain personal data in a structured, commonly used and machine-readable format is recognised, as well as having the right to transmit those data to another controller should the person concerned so decide.
- To object to the processing. The data subject has the right to object to the processing of their data on grounds relating to their particular situation. The controller shall no longer process the subject’s data to the extent or degree that may be detrimental, unless there are compelling legitimate grounds, or for the exercise or defence of claims.
- To not receive information. We immediately respond to requests to stop receiving information about our activities and services, where these mailings were based solely on the recipient’s consent.
How can you exercise or defend your rights?
The rights listed above can be exercised by sending a request to the Consorci at the postal address or the other contact information indicated in the header.
If no satisfactory response is obtained regarding the exercise of your rights, you may lodge a complaint with the Catalan Data Protection Authority, through the forms or other channels accessible from their website (www.apd.cat).
In all cases, whether to lodge complaints, request clarifications or make suggestions, you may contact the Data Protection Officer at the email address email@example.com.