This is the data protection policy of Capellades Paper Mill Museum (Museu Molí Paperer de Capellades or MMPC). It refers to the data of natural persons with whom the MMPC has relations whilst exercising its duties and functions. Given the functions of the Capellades Paper Mill Museum, some processing is the result of providing services to other public administrations that have delegated functions to the MMPC. Processing is carried out complying with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and Council, of 27 April 2016), and any state regulations related to this area.
Who is the data controller?
The data controller is the MMPC, domiciled in Capellades, Carrer Pau Casals 10, 08786, Barcelona, with Tax Code (NIF) P-P5804302-G and email address firstname.lastname@example.org.
What criteria are applied when processing personal data?
When processing data, we fully assume the principles of the General Data Protection Regulation.
a. We process data lawfully (only when we have a legal basis that allows us to do so and with transparency towards the data subject).
b. We use data for specific, explicit and legitimate purposes explained at the time the data are obtained. Subsequently we do not process data in a manner incompatible with these purposes.
c. We only process data that are adequate, relevant and limited to what is necessary in each case and for each purpose.
d. We strive to keep the data up-to-date.
e. We store data for the necessary time, complying with the regulations governing the conservation of public information.
f. We apply appropriate technical or organisational measures to prevent any unauthorised or unlawful processing, or accidental loss, destruction or damage.
For what purpose are the data processed and who are they passed on to?
The MMPC processes the data in order to exercise its duties and functions. The MMPC services are described on its website.
Administrative procedures and formalities
Based on the requests of data subjects, we use their data to monitor how each procedure is managed. Depending on the procedure in question, the data may be transmitted to other administrations with relevant authority. In some cases the data must be made public in compliance with the principle of transparency.
In order to provide services, we process the data obtained from the beneficiaries or data we have obtained from other administrations. Offering such services often entails tracking and obtaining new data from the people using the services. The catalogue of services can be consulted at the online administrative office. As a general criterion, data are not transmitted to other people without the explicit consent of the user of the service.
When organising cultural, leisure, training or sports activities, we receive data from the people registering, for the purpose of organising the activity. As a general criterion, the data are not transmitted to other people without the explicit consent of the person taking part in the activity.
We attend to queries of people using the contact forms on our website. The data are only used for this purpose and are not transmitted to other people.
With the explicit authorisation of each person, we use the contact details they have provided to inform them of our initiatives, services and activities. We do this via different channels depending on the authorisation given by each person. Data are not transmitted to other people without their consent.
Managing supplier data
We register and process the data of suppliers from whom we obtain services or goods. These may be data from people acting as freelancers and also data of representatives for legal persons. We obtain the data that are essential in order to maintain the commercial relationship and they are used solely for this purpose. In compliance with our legal obligations (tax regulations), we transmit data to the tax authorities.
If applicable, people are notified of the existence of video surveillance cameras at the entrance to our facilities via the approved signs. Cameras record images only at points at which this is justified to ensure the safety and security of goods and people. The images are used only for this purpose. When justified, we transmit these data to the security bodies and forces or to the relevant judicial bodies.
What is the legal justification for data processing?
Our processing of data has different legal bases depending on the nature of each case.
Compliance with legal obligations
Within the context of administrative procedures, the processing of data is carried out following the regulatory rules of each procedure in question. It is carried out in compliance with legal obligations.
To fulfil a mission in the public interest
Processing resulting from the provision of our services is justified in order to satisfy the public interest. The images we obtain from video surveillance cameras are also processed in order to preserve the public interest.
Fulfilment of contractual or pre-contractual relations
We process the data from our suppliers following the public sector's own contract regulations, to the degree and with the scope necessary in order to develop the contractual relationship. Regarding another area that is nevertheless related to contractual or pre-contractual relations, we process the data of people who take part in recruitment procedures or who join our institution.
Based on consent
When we send information about our initiatives, services or activities, we process the contact details of receivers with their explicit authorisation or consent.
How long do we store data?
The period of time that data are stored is determined by different factors, mainly whether the data are still required to serve the purposes for which they have been obtained in each case. Secondly, data are kept to deal with possible liabilities regarding the processing of data by the MMPC, and to attend to any request from other public administrations or judicial bodies.
Consequently, data must be kept for the time required to preserve their legal or informative value or to certify compliance with legal obligations, but not for a period longer than necessary in accordance with the purposes of the processing.
In certain cases, such as data contained in documents related to accounting and invoicing, tax regulations force us to store such data until our obligations in this area have expired.
In the case of data that are processed exclusively based on the consent of the data subject, these are kept until this person withdraws their consent.
Finally, in the case of images obtained by video surveillance cameras, the data are stored for a maximum of one month. However, should the incident justify it, data are stored for the necessary time to facilitate the actions of the security bodies and forces or of the judicial bodies.
The regulations governing the storage of public documentation and the rulings given by the National Commission of Access, Evaluation and Documentary Selection are used as a reference to determine the criteria to be followed when keeping or eliminating data.
What rights do people have in relation to the data we process?
As provided for in the General Data Protection Regulation, the people whose data we process have the following rights:
To know if their data are being processed. Anyone has, first of all, the right to know whether we are processing their data, regardless of whether a relationship has existed previously.
To be informed upon collection. When personal data are obtained from the data subject personally, at the time of providing these data they must be clearly informed regarding the purposes for which their data will be used, who will be responsible for the processing and the main aspects resulting from this processing.
To access their data. A very broad right that includes knowing, with precision, what personal data are being processed, what the purpose of such processing is, whether their data will be transmitted to other people (if applicable) and the right to obtain a copy or know the period planned for storing their data.
To request the rectification of their data. This is the right to demand that inaccurate data be rectified when they are being processed by us.
To request the erasure of their data. Under certain circumstances there is the right to request that data be erased when, among other reasons, the data are no longer necessary for the purposes for which they were collected and processing was justified.
To request that processing be restricted. Also under certain circumstances, the right to request that data processing be restricted is recognised. In this case data will cease to be processed and will only be kept for the exercise or defence of claims, in accordance with the General Data Protection Regulation.
The right to portability. In those cases established by the regulations, the right to obtain one's own personal data is recognised, in a structured, commonly used and machine-readable format, and to transmit these to another controller should the data subject so wish.
To object to the processing. A person can adduce reasons related to their particular situation, reasons that will lead to their data no longer being processed, insofar as this might result in injury or damages for them, except for legitimate grounds or for the exercise or defence of claims.
Not to receive information. We immediately attend to requests not to continue receiving information regarding our activities and services when the sending of such information is based solely on the consent of the person receiving it.
How rights can be exercised or defended
The rights we have just listed can be exercised by sending a request to the MMPC at its postal address or other contact details indicated in the heading.
If a satisfactory response has not been obtained regarding the exercise of rights, a complaint may be brought before the Catalan Data Protection Authority, using the forms or other channels accessible on its website (www.apdcat.cat).