Registre des activités de traitement des données à caractère personnel de la Diputació de Lleida

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), and with Organic Law 3/2018, of 5 December, on data protection and the guarantee of digital rights (LOPDGDD), a proposal is made for the Diputació de Lleida Records of Personal Data Processing Activities.

Definitions and concepts

 

  1. WHAT IS PERSONAL DATA?

Personal data is any information relating to an identified or identifiable natural person.

An identifiable natural person is a person whose identity can be directly or indirectly established by means of an identifier such as a name, an identification number, location data, an online identifier and one or more elements of the person’s physical, physiological, genetic, mental, economic, cultural or social identity (Source: Guía Sectorial de la Asociación Española de Protección de Datos, “Protección de datos y Administración Local”).

 

  1. WHAT IS PERSONAL DATA PROCESSING?

Any activity involving personal data constitutes data processing. Such activity may be carried out manually or automatically, with all or only some of the data. Thus it covers the collection, recording, organisation, structuring, storage, adaptation or modification, retrieval, consultation, use, communication by transmission, dissemination or any other form of providing access, collation or interconnection, restriction, deletion or destruction of data.

In accordance with local government regulations, local authorities, and therefore Diputació de Lleida, provide a number of public services relating to its different areas of competence or functions.

In order to provide these public services, Diputació de Lleida may request, collect, process and store users’ personal data. This personal data can be processed by Diputació de Lleida, in whole or in part, manually or automatically (Source: Guía Sectorial de la Asociación Española de Protección de Datos, “Protección de datos y Administración Local”).

 

  1. PRINCIPLES OF PERSONAL DATA PROCESSING

Articles 5 to 11 of the GDPR regulate the principles that must be observed and respected when processing the personal data of data subjects. These principles are:

–        Lawfulness, fairness and transparency. Personal data must be processed in a lawful, fair and transparent manner in relation to the data subjects.

–        Purpose limitation. Personal data will be collected for specified, explicit and legitimate purposes and may not be processed in a way that is incompatible with these purposes. Further data processing for the purposes of archiving in the public interest, scientific and historical research or for statistical purposes is not considered incompatible with the initial purposes.

–        Data minimisation. Collected and/or processed personal data must be adequate and relevant, and limited to the requirements of the purpose for which it is collected and/or processed.

– Accuracy. Personal data must be accurate and, if necessary, updated. Reasonable technical measures must therefore be taken to delete or rectify data which is inaccurate in relation to the processing purposes.

– Limitation of the storage period. Personal data must be stored in such a way as to permit identification of data subjects only for as long as required for the processing purposes. The exceptions mentioned under “purpose limitation” are applicable to this point.

–        Integrity, security and confidentiality. Personal data must be processed in such a way as to ensure its integrity, security and confidentiality, including the protection of data from unauthorised or unlawful processing, destruction, manipulation or damage, by applying the necessary technical and organisational measures.

–        Proactive accountability. As a guiding principle for all the above, the data controller is responsible for ensuring compliance with these principles and must also be able to provide clear evidence of this compliance.

 

  1. THE DATA CONTROLLER

Diputació de Lleida is responsible for processing this data (Articles 24 to 27 of the GDPR) and, therefore, for ensuring compliance with the obligations arising from current personal data protection regulations and for adopting the appropriate technical and organisational measures for their implementation.

 

DATA CONTROLLER

Diputació de Lleida

Carrer Carme, 26

25007 Lleida

https://wwwdiputaciolleida.cat/contacte

 

THE DATA PROTECTION OFFICER

Articles 37, 38 and 39 of the GDPR introduce the data protection officer (DPO) as a mandatory role for government authorities; therefore, all local government bodies are also required to appoint one.

The European regulation states that the data protection officer must be a person with specialised legal and practical knowledge of data protection. This knowledge is required in relation to processing and the obligatory measures guaranteeing the adequacy of the personal data processing for which Diputació de Lleida is responsible.

Diputació de Lleida appointed the data protection officer, with the functions of GDPR Article 39, through Decree No. 586, of 13 March 2020.

DATA PROTECTION OFFICER

Diputació de Lleida 

Carrer Carme, 26

25007 Lleida

dpd@diputaciolleida.cat

 

  1. THE RECORDS OF PROCESSING ACTIVITIES (RPAs)

Article 30.1 of the GDPR states that local authority data controllers and processors must create and maintain the written record of processing activities, including in electronic form. These records must be available to the supervisory authority and must include: Contact details of the data controller. Contact details of the data protection officer. The purpose of processing. Categories of personal data. Categories of data subjects. Technical and organisational security measures. Categories of recipients. International transfers and, where possible, the time limits established for deleting the different data categories.

To identify the Diputació de Lleida processing activities, we have taken into account its areas of competence and previous personal data files, as well as corporate and online office procedures.

 

Diputació de Lleida Records of Processing Activities (RPAs)

Compliance with Article 30 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and Article 31 of Organic Law 3/2018, of 5 December, on data protection and the guarantee of digital rights.

Version in force as from:      04 December 2020           approval: Decree No. 2020/3448          dated 03 December 2020

Data controller Diputació de Lleida
Contact details Calle Carme, 26 Lleida (CP 25007) Tel. no. +34 973249200 https://www.diputaciolleida.cat/contacte
DPO contact details Carrer Carme, 26 Lleida (CP 25007) Tel. no. +34 973249200, email dpd@diputaciolleida.cat

 

Processing Included in the records
Register of incoming and outgoing data  
Data subject management in procedures  
Personnel management  
Payroll and Social Security management  
Occupational health  
Attendance records  
Personnel selection processes  
Diputació members, mayors and councillors  
Management of elected officials  
Third parties  
Tax management and collection  
Suggestions, complaints and queries mailbox  
Management of the Official Gazette of the Province of Lleida (BOP Lleida)  

 

Processing Included in the records
Management of subsidies  
Management of publications  
User training  
Cultural activities  
Subscribers to newsletters of Diputació de Lleida and dependent bodies  
Media directory  
Video surveillance  
Access control  
Archive users  
IT services  
E-government service users  
Legal services  
Mailing lists  

 

Register of incoming and outgoing data
Purpose of processing –        Official records of incoming and outgoing documents–        Identification of senders or addressees

–        Calculation of time limits for complying with the obligations for each procedure

–        Monitoring actions
Data subject categories –        Persons who send or receive documents entered in the records, or representatives of such persons
Categories of personal data –        Identification data
Special category data
Categories of data transfer recipients –        Other public authorities in order to ensure intercommunication and coordination of records
Third country destination categories
Time limits for the deletion of the different data categories –        Data storage is determined by the procedure covering the document added to the records
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Fulfilment of legal obligation (Art. 6.1.c GDPR) according to Law 39/2015, of 1 October, on the common administrative procedure of government authorities and Law 40/2015, of 1 October, on the legal system for the public sector.

 

 

Data subject management in procedures
Purpose of processing –        Identifying data subjects in administrative procedures–        Monitoring actions

–        Communicating of proceedings and notification of decisions
Data subject categories –        Persons with the status of data subjects in the proceedings
Categories of personal data –        Identification data–        Data on personal characteristics

–        Data on social circumstances

–        Academic and professional data

–        Employment data

–        Commercial data

–        Economic, financial and insurance data

–        Administrative infractions and sanctions
Special category data
Categories of data transfer recipients –        Other public authorities where required with regard to following the procedure
Third country destination categories
Time limits for the deletion of the different data categories –        The data storage period is determined by the type of procedure and the legal obligations arising from it
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Fulfilment of legal obligation (Art. 6.1.c GDPR) according to Law 39/2015, of 1 October, on the common administrative procedure of government authorities and Law 40/2015, of 1 October, on the legal system for the public sector.
  

 
Personnel management
Purpose of processing –        Personnel management–        Monitoring work activity

–        Training

–        Incident management and resolution

–        Granting licences, permits or advance payments
Data subject categories –        Employees
Categories of personal data –        Identification data–        Data on personal characteristics

–        Academic and professional data

–        Employment data

–        Economic, financial and insurance data

–        Administrative infractions and sanctions
Special category data –        Health data (degree of disability)–        Biometric data
Categories of data transfer recipients –        Insurance companies–        Tax administration

–        National Social Security Institute (INSS)

–        Banking institutions for payroll payment purposes

–        Persons accessing information in application of the principle of active publicity
Third country destination categories
Time limits for the deletion of the different data categories –        The data is stored on a permanent basis. Supporting and supplementary documents are regularly erased
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Fulfilment of legal obligation (Art. 6.1.c GDPR) and those arising from a contractual relationship (Art. 6.1.b GDPR) are regularly deleted.

 

Payroll and Social Security management
Purpose of processing –        Drawing up the payroll of the corporation’s employees for the purpose of remuneration payment
Data subject categories –        Corporation employees
Categories of personal data –        Identification data–        Data on personal characteristics

–        Data on social circumstances

–        Academic and professional data

–        Employment data

–        Economic, financial and insurance data
Special category data –        Health data (degree of disability)–        Biometric data
Categories of data transfer recipients –        Tax administration–        National Social Security Institute (INSS)

–        Banking institutions for payroll payment purposes
Third country destination categories
Time limits for the deletion of the different data categories –        Those provided for in labour law in relation to the provision of responsibilities in this area
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Compliance with legal obligations (Art.6.1.c GDPR) and those arising from a contractual relationship (Art.6.1.b GDPR) in accordance with Royal Legislative Decree 5/2015, of 30 October, approving the revised text of the Basic Statute of Public Employees and its implementing regulations, and Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers’ Statute.

 

Occupational health
Purpose of processing –        Documenting health and safety promotion processes for Diputació de Lleida personnel in accordance with the regulatory regulations–        Planning improvement actions.

–        Conducting training activities
Data subject categories –        Diputació de Lleida staff
Categories of personal data –        Identification data–        Data on personal characteristics

–        Employment data
Special category data –        Health data
Categories of data transfer recipients –        Public bodies with powers in the field of occupational health
Third country destination categories
Time limits for the deletion of the different data categories –        The data will be erased in line with the deadlines established in the document assessment tables, approved by the Comissió Nacional d’Accés Avaluació i Tria Documental (National Document Access, Evaluation and Selection Committee, CNAATD) and according to specific applicable regulations.
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Compliance with obligations arising from a contractual relationship (Art.6.1.b GDPR) and compliance with legal obligations (Art.6.1.c GDPR) according to Law 31/1995, of 8 November, on occupational health and safety, Royal Decree 39/1997, of 17 January, approving the regulations for health and safety services.

 

Attendance records
Purpose of processing –        Controlling access to the facilities–        Monitoring staff compliance on working hours
Data subject categories –        Staff
Categories of personal data –        Identification data–        Others: type of incident
Special category data –        Biometric data
Categories of data transfer recipients –        Public bodies with powers in the field of occupational health
Third country destination categories
Time limits for the deletion of the different data categories –        Data is erased one year from the end of the calendar year in which it was collected. For disciplinary offences, it is erased once the sanction has expired
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performance of the contractual relationship (Art. 6.1.b GDPR) in accordance with Royal Legislative Decree 5/2015, of 30 October, approving the revised text of the Basic Statute of Public Employees and its implementing regulations, and Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers’ Statute.

 

Personnel selection procedures
Purpose of processing –        Organising selection processes–        Assessing candidates

–        Information on the call for applications and results
Data subject categories –        Persons taking part in the calls for job applications
Categories of personal data –        Identification data–        Data on personal characteristics

–        Employment data
Special category data –        Health data: degree of disability
Categories of data transfer recipients –        The identification data of persons admitted and excluded, and the results of the tests are published on the website in application of the principle of transparency
Third country destination categories
Time limits for the deletion of the different data categories –        The data contained in the final report of the selection board and in the announcements and decisions of the collegiate bodies is stored permanently. The rest is erased once the resolution of the call for applications and the appointment of staff is completed (Official Journal of the Generalitat de Catalunya (DOGC) No. 6966).
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Consent of the person concerned (Art. 6.1.a GDPR) and task performed in the public interest (Art. 6.1.e GDPR) according to Section IV, Chapter I of Royal Legislative Decree 5/2015, of 30 October, approving the revised text of the Law on the Basic Statute of the Public Employees.

 

Diputació members, mayors and councillors
Purpose of processing –        Identification of persons who hold or have held elected office in local authorities in Lleida–        Protocol

–        Documentation

–        Sending information
Data subject categories –        Persons who hold or have held any of the above-mentioned positions
Categories of personal data –        Identification data–        Data on personal characteristics

–        Employment data
Special category data
Categories of data transfer recipients
Third country destination categories
Time limits for the deletion of the different data categories –        The data is permanently stored in the historical archive
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.e GDPR)

 

Management of elected officials
Purpose of processing –        Register of elected officials–        Convening and organising meetings and minutes

–        Payment of remuneration and attendance fees

–        Information to the public

–        Communications and notifications to elected officials

–        Compliance with the obligations of active transparency arising from transparency legislation

–        Compliance with local government legal obligations to register declarations of activities and assets
Data subject categories –        Diputació members
Categories of personal data –        Identification data–        Data on personal characteristics

–        Employment data

–        Academic and professional data

–        Commercial data

–        Economic, financial and insurance data
Special category data –        Health data
Categories of data transfer recipients –        The data is made public on the Diputació de Lleida website or online office–        Insurance companies

–        Tax Agency

–        National Social Security Institute (INSS)
Third country destination categories
Time limits for the deletion of the different data categories –        The data is kept permanently because of its historical interest
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Fulfilment of legal obligation (Art. 6.1.c GDPR)

 

 

Third parties
Purpose of processing –        Register of persons with whom there is a financial relationship for carrying out works or procuring goods or services–        Accounts management

–        Registration and payment of invoices

–        Budget implementation
Data subject categories –        Persons with whom there is a contractual relationship as suppliers of products, services or works, contractors and professionals bidding for the award of contracts
Categories of personal data –        Identification data–        Transaction data

–        Economic, financial and insurance data
Special category data –        Health data
Categories of data transfer recipients –        Tax administration–        Banking institutions for payments

–        Audit Office

–        People who access the information through dissemination by the institution in compliance active publicity obligations
Third country destination categories
Time limits for the deletion of the different data categories –        The data must be retained for as long as the business relationship lasts and thereafter until the statute of limitations for tax liability according to Art. 66 of Law 58/2003 of 17 December 2003 on general taxation. The document assessment tables approved by the CNAATD are applied
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Fulfilment of legal obligations (Art. 6.1.c GDPR) and those arising from a contractual relationship (Art. 6.1.b GDPR)

 

Tax management and collection
Purpose of processing –        Identification of taxpayers or other persons liable to pay taxes–        Management of taxes and other public law revenues

–        Collection

–        Proof of income and accounting
Data subject categories –        Taxpayers and parties liable to payment of other revenues–        Taxpayers’ representatives

–        Persons who pay amounts of money
Categories of personal data –        Identification data–        Commercial data

–        Transaction data

–        Economic, financial and insurance data
Special category data –        Health data
Categories of data transfer recipients –        Tax administration–        Public bodies referred to in Art. 95 of the General Tax Law
Third country destination categories
Time limits for the deletion of the different data categories –        The data will be erased in line with the deadlines established in the document assessment tables, approved by the Comissió Nacional d’Accés Avaluació i Tria Documental (National Document Access, Evaluation and Selection Committee, CNAATD) and according to specific applicable regulations.
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Exercise of public powers (Art. 6.1.e GDPR)

 

Suggestions, complaints and queries mailbox
Purpose of processing –        To record and address citizens’ complaints, suggestions and comments–        Compilation of statistics
Data subject categories –        Persons submitting complaints, suggestions or comments or who are named in them
Categories of personal data –        Identification data
Special category data
Categories of data transfer recipients
Third country destination categories
Time limits for the deletion of the different data categories –        The data of persons representing public and private entities is kept on a permanent basis. The data of natural persons acting in their own name may be erased within two years (Official Journal of the Generalitat de Catalunya (DOGC) No. 6627).
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.e GDPR) and compliance with legal obligations (Art. 6.1.c GDPR)

 

Management of the Official Gazette of the Province of Lleida (BOP Lleida
Purpose of processing –        Keeping an entry register of announcements published in the Official Journal of the Province of Lleida (BOP Lleida)
Data subject categories –        Persons and entities submitting announcements published in the BOP Lleida
Categories of personal data –        Identification data–        Economic, financial and insurance data
Special category data
Categories of data transfer recipients
Third country destination categories
Time limits for the deletion of the different data categories –        The data is erased within one year of publication of the announcements or official notices in the BOP Lleida, in accordance with the document access and assessment table, approved by Order CLT/66/ 2004, of 4 March 2004, approving the assessment tables.
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Fulfilment of legal obligations (Art. 6.1.c GDPR)

 

Management of subsidies
Purpose of processing –        Management of calls for grants
Data subject categories –        Applicants for subsidies from Diputació de Lleida acting in their own name or as representatives of legal entities
Categories of personal data –        Identification data–        Data on personal characteristics

–        Data on social circumstances

–        Commercial data

–        Economic, financial and insurance data
Special category data
Categories of data transfer recipients –        Other public authorities, where necessary, for the purposes of the administrative procedure
Third country destination categories
Time limits for the deletion of the different data categories –        The data will be erased within the time limits foreseen in the document assessment tables, approved by the CNAATD and in accordance with applicable regulations
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Fulfilment of legal obligations (Art. 6.1.c GDPR) and performing a task in the public interest (Art. 6.1.e GDPR)

 

Management of publications
Purpose of processing –        Communicating and sending information on the Diputació de Lleida’s publications
Data subject categories –        Subscribers to publications–        Members of editorial boards
Categories of personal data –        Identification data
Special category data
Categories of data transfer recipients
Third country destination categories
Time limits for the deletion of the different data categories –        The data is erased upon request of the person concerned, immediately after their request
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Consent of the person concerned (Art. 6.1.c GDPR)

 

Museum legacies and collections
Purpose of processing –        Description of funds–        Control and dissemination of contents
Data subject categories –        Authors–        Rights holders

–        Persons listed therein
Categories of personal data –        Identification data
Special category data
Categories of data transfer recipients –        Users and researchers
Third country destination categories
Time limits for the deletion of the different data categories –        Permanent storage in the interest of the historical archive
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.e GDPR)

 

User training
Purpose of processing –        Keeping a register of persons interested or participating in training activities organised by Diputació de Lleida–        Organising training activities

–        Sending information
Data subject categories –        Persons participating or interested in the training activities
Categories of personal data –        Identification data–        Employment data

–        Economic, financial and insurance data
Special category data
Categories of data transfer recipients –        Authorities to which the attendees belong, if applicable–        Public bodies co-organising or funding the activity
Third country destination categories
Time limits for the deletion of the different data categories –        The data will be erased within the time limits foreseen in the document assessment tables, approved by the CNAATD and in accordance with applicable regulations
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.e GDPR)

 

Users of document collections
Purpose of processing –        Keeping a register of IEI Library service and the Diputació de Lleida archive service users–        Identifying users

–        Service management
Data subject categories –        Library and archive users and, in the case of children under 14 years of age, their parents or legal representatives
Categories of personal data –        Identification data–        Data on personal characteristics
Special category data
Categories of data transfer recipients
Third country destination categories
Time limits for the deletion of the different data categories –        The data will be erased within the time limits foreseen in the document assessment tables, approved by the CNAATD and in accordance with applicable regulations
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.e GDPR)

 

Participation in and organisation of cultural activities
Purpose of processing –        Organising cultural and leisure activities–        Registration management

–        Participant registration

–        Sending information
Data subject categories –        People interested in participating in cultural and leisure activities organised by Diputació de Lleida and its dependent bodies
Categories of personal data –        Identification data–        Data on personal characteristics

–        Academic and professional data
Special category data
Categories of data transfer recipients
Third country destination categories
Time limits for the deletion of the different data categories –        The data will be erased within the time limits foreseen in the document assessment tables, approved by the CNAATD and in accordance with applicable regulations
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.e GDPR)

 

Subscribers to newsletters of Diputació de Lleida and dependent bodies
Purpose of processing –        Keeping a register of newsletter users/subscribers
Data subject categories –        Newsletter users/subscribers
Categories of personal data –        Identification data
Special category data
Categories of data transfer recipients –        Names are made visible newsletter website with the consent of the persons concerned
Third country destination categories
Time limits for the deletion of the different data categories –        The data is erased upon request of the person concerned, immediately after their request
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.a GDPR)

 

Press and Communications Officer
Purpose of processing –        Producing a list of recipients of the Diputació de Lleida press services
Data subject categories –        Media professionals and partners
Categories of personal data –        Identification data–        Employment data
Special category data
Categories of data transfer recipients
Third country destination categories
Time limits for the deletion of the different data categories –        The data is stored for as long as the information recipients are employed in the professional press and media sector
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.e GDPR)

 

 

Video surveillance
Purpose of processing –        Registering images of persons entering buildings or facilities–        Access control

–        Security of persons and property
Data subject categories –        Persons entering buildings or facilities
Categories of personal data –        Identification data (images)
Special category data
Categories of data transfer recipients –        Law enforcement agencies, in the event of incidents that may constitute an offence or crime
Third country destination categories
Time limits for the deletion of the different data categories –        Data is stored for a maximum of one month, except when an incident arises and it has to be made available to law enforcement authorities
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.e GDPR)

 

 

Access control
Purpose of processing –        Registering entries and exits to and from Diputació de Lleida facilities–        Verifying the identity of the users of Diputació de Lleida services or facilities

–        Security of facilities and people
Data subject categories –        Persons entering buildings or facilities
Categories of personal data –        Identification data
Special category data
Categories of data transfer recipients
Third country destination categories
Time limits for the deletion of the different data categories –        Data is stored for a maximum of one month, except when an incident arises and it has to be made available to law enforcement authorities
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.e GDPR)

 

Archive and documentation centre users
Purpose of processing –        Register of people who use the Diputació de Lleida archives and documentation centre consultation service–        Register of documentation consulted and services obtained by users

–        Communication to parties interested in receiving information on Archive activities

–        Statistics on services

–        Identifying people who make enquiries in the Diputació de Lleida archives and documentation centres by different means (telephone, email and in person)
Data subject categories –        People who consult documentation in archives and documentation centres–        Person interested in receiving information on Archive activities
Categories of personal data –        Identification data–        Academic and professional data

–        Employment data
Special category data
Categories of data transfer recipients
Third country destination categories
Time limits for the deletion of the different data categories –        The data will be erased in line with the deadlines established in the document assessment tables, approved by the Comissió Nacional d’Accés Avaluació i Tria Documental (National Document Access, Evaluation and Selection Committee, CNAATD) and according to specific applicable regulations.
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.e GDPR) and legal obligation (Art. 6.1.c GDPR)

 

IT services
Purpose of processing –        Keeping a register of users of Diputació de Lleida IT resources
Data subject categories –        Diputació de Lleida employees and other persons with ties to the Diputació
Categories of personal data –        Identification data–        Employment data
Special category data
Categories of data transfer recipients
Third country destination categories
Time limits for the deletion of the different data categories –        The data is stored permanently
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.e GDPR) and legal obligation (Art. 6.1.c GDPR)

 

E-government service users
Purpose of processing –        Management of users of e-government services offered by Diputació de Lleida to local authorities
Data subject categories –        Persons who use services because they are associated with local authorities served by Diputació de Lleida
Categories of personal data –        Identification data
Special category data
Categories of data transfer recipients
Third country destination categories
Time limits for the deletion of the different data categories –        The data is stored for as long as the persons accessing the e-government services hold their post related to these services
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.e GDPR) and legal obligation (Art. 6.1.c GDPR)

 

Legal services
Purpose of processing –        General monitoring of lawsuits and disputes in which Diputació de Lleida is a party, as well as wage garnishment and disciplinary cases–        Drafting reports
Data subject categories –        Persons involved in litigation, claims, disputes, proceedings or reports
Categories of personal data –        Identification data–        Data on personal characteristics

–        Data on social circumstances

–        Commercial data

–        Administrative infractions or sanctions
Special category data
Categories of data transfer recipients –        Judicial bodies–        Authorities involved in or affected by these procedures
Third country destination categories
Time limits for the deletion of the different data categories –        The data will be erased in line with the deadlines established in the document assessment tables, approved by the Comissió Nacional d’Accés Avaluació i Tria Documental (National Document Access, Evaluation and Selection Committee, CNAATD) and according to specific applicable regulations.
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Compliance with legal obligation (Art.6.1.c GDPR), according to Articles 26.3, 31.2 and 36.b of Law 7/1985, of 2 April, regulating the basis of local government

 

Mailing lists
Purpose of processing –        Sending information on the organisation of events or other Diputació de Lleida initiatives
Data subject categories –        Representatives of institutions, entities or associations–        Public office

–        Subscribers to publications

–        Other persons interested in Diputació de Lleida activities
Categories of personal data –        Identification data–        Employment data
Special category data
Categories of data transfer recipients
Third country destination categories
Time limits for the deletion of the different data categories –        The data is erased at the request of the person concerned, immediately after their request or once they have ceased to perform the duties or functions for which it was provided
Technical and organisational security measures –        Access for authorised users only–        Login ID and passwords (unique per user)

–        Regular change of password, without repeating the previous one, is compulsory

–        Blocking access

–        Data are stored only on Diputació de Lleida central servers

–        Inventory of media containing data

–        Control of physical access to DPCs

–        Daily/weekly backups

Details of the security measures are contained in the SECURITY DOCUMENT.
Lawful basis –        Performing a task in the public interest (Art. 6.1.e GDPR) or consent of the data subject (Art.6.1.a GDPR).

 

ANNEX. Categories of personal data

Personal data is listed below, grouped by category (for the purposes of this document).

 

  • Identification: first name and surname; national identity card or foreigner identification number; social security or mutual insurance number; postal address; email address; telephone number; profession; handwritten signature, electronic signature; image; voice; user name, personal identifier, personal registration number.
  • Personal characteristics: sex; marital status; family details; date of birth; place of birth; age; nationality; mother tongue; physical characteristics.
  • Social circumstances: accommodation or housing; property or possessions; hobbies and lifestyles; membership of clubs and associations; licences, permits and personal authorisations.
  • Academic and professional: training and qualifications; academic background; professional experience; membership of professional bodies or associations.
  • Employment: job title; non-financial payroll data; employment history; work activity monitoring data; training; permits and licences; infractions and sanctions.
  • Commercial: activities and business; professional or industrial trade licences, permits and authorisations; subscriptions and publications/media; artistic, literary and scientific/technical creations.
  • Economic, financial and insurance: financial payroll data; bank details; credit card number; income and revenue; investments, credits, loans, guarantees, mortgages; tax deductions/taxes; pension plans; insurance; subsidies.
  • Transactions: goods or services supplied by the person concerned; goods or services received by the person concerned; financial transactions; compensations.
  • Administrative infractions and sanctions: administrative infractions; administrative penalties.
  • Special data categories: criminal convictions; criminal offences; health; ethnicity; sex life; sexual orientation; genetic data; biometric data; ideology; religion; trade union affiliation; beliefs; political opinions; philosophical convictions.