Registre des activités de traitement des données à caractère personnel de la Diputació de Lleida
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), and with Organic Law 3/2018, of 5 December, on data protection and the guarantee of digital rights (LOPDGDD), a proposal is made for the Diputació de Lleida Records of Personal Data Processing Activities.
Definitions and concepts
- WHAT IS PERSONAL DATA?
Personal data is any information relating to an identified or identifiable natural person.
An identifiable natural person is a person whose identity can be directly or indirectly established by means of an identifier such as a name, an identification number, location data, an online identifier and one or more elements of the person’s physical, physiological, genetic, mental, economic, cultural or social identity (Source: Guía Sectorial de la Asociación Española de Protección de Datos, “Protección de datos y Administración Local”).
- WHAT IS PERSONAL DATA PROCESSING?
Any activity involving personal data constitutes data processing. Such activity may be carried out manually or automatically, with all or only some of the data. Thus it covers the collection, recording, organisation, structuring, storage, adaptation or modification, retrieval, consultation, use, communication by transmission, dissemination or any other form of providing access, collation or interconnection, restriction, deletion or destruction of data.
In accordance with local government regulations, local authorities, and therefore Diputació de Lleida, provide a number of public services relating to its different areas of competence or functions.
In order to provide these public services, Diputació de Lleida may request, collect, process and store users’ personal data. This personal data can be processed by Diputació de Lleida, in whole or in part, manually or automatically (Source: Guía Sectorial de la Asociación Española de Protección de Datos, “Protección de datos y Administración Local”).
- PRINCIPLES OF PERSONAL DATA PROCESSING
Articles 5 to 11 of the GDPR regulate the principles that must be observed and respected when processing the personal data of data subjects. These principles are:
– Lawfulness, fairness and transparency. Personal data must be processed in a lawful, fair and transparent manner in relation to the data subjects.
– Purpose limitation. Personal data will be collected for specified, explicit and legitimate purposes and may not be processed in a way that is incompatible with these purposes. Further data processing for the purposes of archiving in the public interest, scientific and historical research or for statistical purposes is not considered incompatible with the initial purposes.
– Data minimisation. Collected and/or processed personal data must be adequate and relevant, and limited to the requirements of the purpose for which it is collected and/or processed.
– Accuracy. Personal data must be accurate and, if necessary, updated. Reasonable technical measures must therefore be taken to delete or rectify data which is inaccurate in relation to the processing purposes.
– Limitation of the storage period. Personal data must be stored in such a way as to permit identification of data subjects only for as long as required for the processing purposes. The exceptions mentioned under “purpose limitation” are applicable to this point.
– Integrity, security and confidentiality. Personal data must be processed in such a way as to ensure its integrity, security and confidentiality, including the protection of data from unauthorised or unlawful processing, destruction, manipulation or damage, by applying the necessary technical and organisational measures.
– Proactive accountability. As a guiding principle for all the above, the data controller is responsible for ensuring compliance with these principles and must also be able to provide clear evidence of this compliance.
- THE DATA CONTROLLER
Diputació de Lleida is responsible for processing this data (Articles 24 to 27 of the GDPR) and, therefore, for ensuring compliance with the obligations arising from current personal data protection regulations and for adopting the appropriate technical and organisational measures for their implementation.
DATA CONTROLLER
Diputació de Lleida
Carrer Carme, 26
25007 Lleida
https://wwwdiputaciolleida.cat/contacte
THE DATA PROTECTION OFFICER
Articles 37, 38 and 39 of the GDPR introduce the data protection officer (DPO) as a mandatory role for government authorities; therefore, all local government bodies are also required to appoint one.
The European regulation states that the data protection officer must be a person with specialised legal and practical knowledge of data protection. This knowledge is required in relation to processing and the obligatory measures guaranteeing the adequacy of the personal data processing for which Diputació de Lleida is responsible.
Diputació de Lleida appointed the data protection officer, with the functions of GDPR Article 39, through Decree No. 586, of 13 March 2020.
DATA PROTECTION OFFICER
Diputació de Lleida
Carrer Carme, 26
25007 Lleida
- THE RECORDS OF PROCESSING ACTIVITIES (RPAs)
Article 30.1 of the GDPR states that local authority data controllers and processors must create and maintain the written record of processing activities, including in electronic form. These records must be available to the supervisory authority and must include: Contact details of the data controller. Contact details of the data protection officer. The purpose of processing. Categories of personal data. Categories of data subjects. Technical and organisational security measures. Categories of recipients. International transfers and, where possible, the time limits established for deleting the different data categories.
To identify the Diputació de Lleida processing activities, we have taken into account its areas of competence and previous personal data files, as well as corporate and online office procedures.
Diputació de Lleida Records of Processing Activities (RPAs)
Compliance with Article 30 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and Article 31 of Organic Law 3/2018, of 5 December, on data protection and the guarantee of digital rights.
Version in force as from: 04 December 2020 approval: Decree No. 2020/3448 dated 03 December 2020
Data controller | Diputació de Lleida |
Contact details | Calle Carme, 26 Lleida (CP 25007) Tel. no. +34 973249200 https://www.diputaciolleida.cat/contacte |
DPO contact details | Carrer Carme, 26 Lleida (CP 25007) Tel. no. +34 973249200, email dpd@diputaciolleida.cat |
Processing | Included in the records |
Register of incoming and outgoing data | |
Data subject management in procedures | |
Personnel management | |
Payroll and Social Security management | |
Occupational health | |
Attendance records | |
Personnel selection processes | |
Diputació members, mayors and councillors | |
Management of elected officials | |
Third parties | |
Tax management and collection | |
Suggestions, complaints and queries mailbox | |
Management of the Official Gazette of the Province of Lleida (BOP Lleida) |
Processing | Included in the records |
Management of subsidies | |
Management of publications | |
User training | |
Cultural activities | |
Subscribers to newsletters of Diputació de Lleida and dependent bodies | |
Media directory | |
Video surveillance | |
Access control | |
Archive users | |
IT services | |
E-government service users | |
Legal services | |
Mailing lists |
Register of incoming and outgoing data | |
Purpose of processing | – Official records of incoming and outgoing documents– Identification of senders or addressees
– Calculation of time limits for complying with the obligations for each procedure – Monitoring actions |
Data subject categories | – Persons who send or receive documents entered in the records, or representatives of such persons |
Categories of personal data | – Identification data |
Special category data | — |
Categories of data transfer recipients | – Other public authorities in order to ensure intercommunication and coordination of records |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – Data storage is determined by the procedure covering the document added to the records |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Fulfilment of legal obligation (Art. 6.1.c GDPR) according to Law 39/2015, of 1 October, on the common administrative procedure of government authorities and Law 40/2015, of 1 October, on the legal system for the public sector. |
Data subject management in procedures | |
Purpose of processing | – Identifying data subjects in administrative procedures– Monitoring actions
– Communicating of proceedings and notification of decisions |
Data subject categories | – Persons with the status of data subjects in the proceedings |
Categories of personal data | – Identification data– Data on personal characteristics
– Data on social circumstances – Academic and professional data – Employment data – Commercial data – Economic, financial and insurance data – Administrative infractions and sanctions |
Special category data | — |
Categories of data transfer recipients | – Other public authorities where required with regard to following the procedure |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data storage period is determined by the type of procedure and the legal obligations arising from it |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Fulfilment of legal obligation (Art. 6.1.c GDPR) according to Law 39/2015, of 1 October, on the common administrative procedure of government authorities and Law 40/2015, of 1 October, on the legal system for the public sector. |
|
|
Personnel management | |
Purpose of processing | – Personnel management– Monitoring work activity
– Training – Incident management and resolution – Granting licences, permits or advance payments |
Data subject categories | – Employees |
Categories of personal data | – Identification data– Data on personal characteristics
– Academic and professional data – Employment data – Economic, financial and insurance data – Administrative infractions and sanctions |
Special category data | – Health data (degree of disability)– Biometric data |
Categories of data transfer recipients | – Insurance companies– Tax administration
– National Social Security Institute (INSS) – Banking institutions for payroll payment purposes – Persons accessing information in application of the principle of active publicity |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data is stored on a permanent basis. Supporting and supplementary documents are regularly erased |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Fulfilment of legal obligation (Art. 6.1.c GDPR) and those arising from a contractual relationship (Art. 6.1.b GDPR) are regularly deleted. |
Payroll and Social Security management | |
Purpose of processing | – Drawing up the payroll of the corporation’s employees for the purpose of remuneration payment |
Data subject categories | – Corporation employees |
Categories of personal data | – Identification data– Data on personal characteristics
– Data on social circumstances – Academic and professional data – Employment data – Economic, financial and insurance data |
Special category data | – Health data (degree of disability)– Biometric data |
Categories of data transfer recipients | – Tax administration– National Social Security Institute (INSS)
– Banking institutions for payroll payment purposes |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – Those provided for in labour law in relation to the provision of responsibilities in this area |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Compliance with legal obligations (Art.6.1.c GDPR) and those arising from a contractual relationship (Art.6.1.b GDPR) in accordance with Royal Legislative Decree 5/2015, of 30 October, approving the revised text of the Basic Statute of Public Employees and its implementing regulations, and Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers’ Statute. |
Occupational health | |
Purpose of processing | – Documenting health and safety promotion processes for Diputació de Lleida personnel in accordance with the regulatory regulations– Planning improvement actions.
– Conducting training activities |
Data subject categories | – Diputació de Lleida staff |
Categories of personal data | – Identification data– Data on personal characteristics
– Employment data |
Special category data | – Health data |
Categories of data transfer recipients | – Public bodies with powers in the field of occupational health |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data will be erased in line with the deadlines established in the document assessment tables, approved by the Comissió Nacional d’Accés Avaluació i Tria Documental (National Document Access, Evaluation and Selection Committee, CNAATD) and according to specific applicable regulations. |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Compliance with obligations arising from a contractual relationship (Art.6.1.b GDPR) and compliance with legal obligations (Art.6.1.c GDPR) according to Law 31/1995, of 8 November, on occupational health and safety, Royal Decree 39/1997, of 17 January, approving the regulations for health and safety services. |
Attendance records | |
Purpose of processing | – Controlling access to the facilities– Monitoring staff compliance on working hours |
Data subject categories | – Staff |
Categories of personal data | – Identification data– Others: type of incident |
Special category data | – Biometric data |
Categories of data transfer recipients | – Public bodies with powers in the field of occupational health |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – Data is erased one year from the end of the calendar year in which it was collected. For disciplinary offences, it is erased once the sanction has expired |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performance of the contractual relationship (Art. 6.1.b GDPR) in accordance with Royal Legislative Decree 5/2015, of 30 October, approving the revised text of the Basic Statute of Public Employees and its implementing regulations, and Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers’ Statute. |
Personnel selection procedures | |
Purpose of processing | – Organising selection processes– Assessing candidates
– Information on the call for applications and results |
Data subject categories | – Persons taking part in the calls for job applications |
Categories of personal data | – Identification data– Data on personal characteristics
– Employment data |
Special category data | – Health data: degree of disability |
Categories of data transfer recipients | – The identification data of persons admitted and excluded, and the results of the tests are published on the website in application of the principle of transparency |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data contained in the final report of the selection board and in the announcements and decisions of the collegiate bodies is stored permanently. The rest is erased once the resolution of the call for applications and the appointment of staff is completed (Official Journal of the Generalitat de Catalunya (DOGC) No. 6966). |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Consent of the person concerned (Art. 6.1.a GDPR) and task performed in the public interest (Art. 6.1.e GDPR) according to Section IV, Chapter I of Royal Legislative Decree 5/2015, of 30 October, approving the revised text of the Law on the Basic Statute of the Public Employees. |
Diputació members, mayors and councillors | |
Purpose of processing | – Identification of persons who hold or have held elected office in local authorities in Lleida– Protocol
– Documentation – Sending information |
Data subject categories | – Persons who hold or have held any of the above-mentioned positions |
Categories of personal data | – Identification data– Data on personal characteristics
– Employment data |
Special category data | — |
Categories of data transfer recipients | — |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data is permanently stored in the historical archive |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.e GDPR) |
Management of elected officials | |
Purpose of processing | – Register of elected officials– Convening and organising meetings and minutes
– Payment of remuneration and attendance fees – Information to the public – Communications and notifications to elected officials – Compliance with the obligations of active transparency arising from transparency legislation – Compliance with local government legal obligations to register declarations of activities and assets |
Data subject categories | – Diputació members |
Categories of personal data | – Identification data– Data on personal characteristics
– Employment data – Academic and professional data – Commercial data – Economic, financial and insurance data |
Special category data | – Health data |
Categories of data transfer recipients | – The data is made public on the Diputació de Lleida website or online office– Insurance companies
– Tax Agency – National Social Security Institute (INSS) |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data is kept permanently because of its historical interest |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Fulfilment of legal obligation (Art. 6.1.c GDPR) |
Third parties | |
Purpose of processing | – Register of persons with whom there is a financial relationship for carrying out works or procuring goods or services– Accounts management
– Registration and payment of invoices – Budget implementation |
Data subject categories | – Persons with whom there is a contractual relationship as suppliers of products, services or works, contractors and professionals bidding for the award of contracts |
Categories of personal data | – Identification data– Transaction data
– Economic, financial and insurance data |
Special category data | – Health data |
Categories of data transfer recipients | – Tax administration– Banking institutions for payments
– Audit Office – People who access the information through dissemination by the institution in compliance active publicity obligations |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data must be retained for as long as the business relationship lasts and thereafter until the statute of limitations for tax liability according to Art. 66 of Law 58/2003 of 17 December 2003 on general taxation. The document assessment tables approved by the CNAATD are applied |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Fulfilment of legal obligations (Art. 6.1.c GDPR) and those arising from a contractual relationship (Art. 6.1.b GDPR) |
Tax management and collection | |
Purpose of processing | – Identification of taxpayers or other persons liable to pay taxes– Management of taxes and other public law revenues
– Collection – Proof of income and accounting |
Data subject categories | – Taxpayers and parties liable to payment of other revenues– Taxpayers’ representatives
– Persons who pay amounts of money |
Categories of personal data | – Identification data– Commercial data
– Transaction data – Economic, financial and insurance data |
Special category data | – Health data |
Categories of data transfer recipients | – Tax administration– Public bodies referred to in Art. 95 of the General Tax Law |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data will be erased in line with the deadlines established in the document assessment tables, approved by the Comissió Nacional d’Accés Avaluació i Tria Documental (National Document Access, Evaluation and Selection Committee, CNAATD) and according to specific applicable regulations. |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Exercise of public powers (Art. 6.1.e GDPR) |
Suggestions, complaints and queries mailbox | |
Purpose of processing | – To record and address citizens’ complaints, suggestions and comments– Compilation of statistics |
Data subject categories | – Persons submitting complaints, suggestions or comments or who are named in them |
Categories of personal data | – Identification data |
Special category data | — |
Categories of data transfer recipients | — |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data of persons representing public and private entities is kept on a permanent basis. The data of natural persons acting in their own name may be erased within two years (Official Journal of the Generalitat de Catalunya (DOGC) No. 6627). |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.e GDPR) and compliance with legal obligations (Art. 6.1.c GDPR) |
Management of the Official Gazette of the Province of Lleida (BOP Lleida | |
Purpose of processing | – Keeping an entry register of announcements published in the Official Journal of the Province of Lleida (BOP Lleida) |
Data subject categories | – Persons and entities submitting announcements published in the BOP Lleida |
Categories of personal data | – Identification data– Economic, financial and insurance data |
Special category data | — |
Categories of data transfer recipients | — |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data is erased within one year of publication of the announcements or official notices in the BOP Lleida, in accordance with the document access and assessment table, approved by Order CLT/66/ 2004, of 4 March 2004, approving the assessment tables. |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Fulfilment of legal obligations (Art. 6.1.c GDPR) |
Management of subsidies | |
Purpose of processing | – Management of calls for grants |
Data subject categories | – Applicants for subsidies from Diputació de Lleida acting in their own name or as representatives of legal entities |
Categories of personal data | – Identification data– Data on personal characteristics
– Data on social circumstances – Commercial data – Economic, financial and insurance data |
Special category data | — |
Categories of data transfer recipients | – Other public authorities, where necessary, for the purposes of the administrative procedure |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data will be erased within the time limits foreseen in the document assessment tables, approved by the CNAATD and in accordance with applicable regulations |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Fulfilment of legal obligations (Art. 6.1.c GDPR) and performing a task in the public interest (Art. 6.1.e GDPR) |
Management of publications | |
Purpose of processing | – Communicating and sending information on the Diputació de Lleida’s publications |
Data subject categories | – Subscribers to publications– Members of editorial boards |
Categories of personal data | – Identification data |
Special category data | — |
Categories of data transfer recipients | — |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data is erased upon request of the person concerned, immediately after their request |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Consent of the person concerned (Art. 6.1.c GDPR) |
Museum legacies and collections | |
Purpose of processing | – Description of funds– Control and dissemination of contents |
Data subject categories | – Authors– Rights holders
– Persons listed therein |
Categories of personal data | – Identification data |
Special category data | — |
Categories of data transfer recipients | – Users and researchers |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – Permanent storage in the interest of the historical archive |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.e GDPR) |
User training | |
Purpose of processing | – Keeping a register of persons interested or participating in training activities organised by Diputació de Lleida– Organising training activities
– Sending information |
Data subject categories | – Persons participating or interested in the training activities |
Categories of personal data | – Identification data– Employment data
– Economic, financial and insurance data |
Special category data | — |
Categories of data transfer recipients | – Authorities to which the attendees belong, if applicable– Public bodies co-organising or funding the activity |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data will be erased within the time limits foreseen in the document assessment tables, approved by the CNAATD and in accordance with applicable regulations |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.e GDPR) |
Users of document collections | |
Purpose of processing | – Keeping a register of IEI Library service and the Diputació de Lleida archive service users– Identifying users
– Service management |
Data subject categories | – Library and archive users and, in the case of children under 14 years of age, their parents or legal representatives |
Categories of personal data | – Identification data– Data on personal characteristics |
Special category data | — |
Categories of data transfer recipients | — |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data will be erased within the time limits foreseen in the document assessment tables, approved by the CNAATD and in accordance with applicable regulations |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.e GDPR) |
Participation in and organisation of cultural activities | |
Purpose of processing | – Organising cultural and leisure activities– Registration management
– Participant registration – Sending information |
Data subject categories | – People interested in participating in cultural and leisure activities organised by Diputació de Lleida and its dependent bodies |
Categories of personal data | – Identification data– Data on personal characteristics
– Academic and professional data |
Special category data | — |
Categories of data transfer recipients | — |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data will be erased within the time limits foreseen in the document assessment tables, approved by the CNAATD and in accordance with applicable regulations |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.e GDPR) |
Subscribers to newsletters of Diputació de Lleida and dependent bodies | |
Purpose of processing | – Keeping a register of newsletter users/subscribers |
Data subject categories | – Newsletter users/subscribers |
Categories of personal data | – Identification data |
Special category data | — |
Categories of data transfer recipients | – Names are made visible newsletter website with the consent of the persons concerned |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data is erased upon request of the person concerned, immediately after their request |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.a GDPR) |
Press and Communications Officer | |
Purpose of processing | – Producing a list of recipients of the Diputació de Lleida press services |
Data subject categories | – Media professionals and partners |
Categories of personal data | – Identification data– Employment data |
Special category data | — |
Categories of data transfer recipients | — |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data is stored for as long as the information recipients are employed in the professional press and media sector |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.e GDPR) |
Video surveillance | |
Purpose of processing | – Registering images of persons entering buildings or facilities– Access control
– Security of persons and property |
Data subject categories | – Persons entering buildings or facilities |
Categories of personal data | – Identification data (images) |
Special category data | — |
Categories of data transfer recipients | – Law enforcement agencies, in the event of incidents that may constitute an offence or crime |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – Data is stored for a maximum of one month, except when an incident arises and it has to be made available to law enforcement authorities |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.e GDPR) |
Access control | |
Purpose of processing | – Registering entries and exits to and from Diputació de Lleida facilities– Verifying the identity of the users of Diputació de Lleida services or facilities
– Security of facilities and people |
Data subject categories | – Persons entering buildings or facilities |
Categories of personal data | – Identification data |
Special category data | — |
Categories of data transfer recipients | — |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – Data is stored for a maximum of one month, except when an incident arises and it has to be made available to law enforcement authorities |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.e GDPR) |
Archive and documentation centre users | |
Purpose of processing | – Register of people who use the Diputació de Lleida archives and documentation centre consultation service– Register of documentation consulted and services obtained by users
– Communication to parties interested in receiving information on Archive activities – Statistics on services – Identifying people who make enquiries in the Diputació de Lleida archives and documentation centres by different means (telephone, email and in person) |
Data subject categories | – People who consult documentation in archives and documentation centres– Person interested in receiving information on Archive activities |
Categories of personal data | – Identification data– Academic and professional data
– Employment data |
Special category data | — |
Categories of data transfer recipients | — |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data will be erased in line with the deadlines established in the document assessment tables, approved by the Comissió Nacional d’Accés Avaluació i Tria Documental (National Document Access, Evaluation and Selection Committee, CNAATD) and according to specific applicable regulations. |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.e GDPR) and legal obligation (Art. 6.1.c GDPR) |
IT services | |
Purpose of processing | – Keeping a register of users of Diputació de Lleida IT resources |
Data subject categories | – Diputació de Lleida employees and other persons with ties to the Diputació |
Categories of personal data | – Identification data– Employment data |
Special category data | — |
Categories of data transfer recipients | — |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data is stored permanently |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.e GDPR) and legal obligation (Art. 6.1.c GDPR) |
E-government service users | |
Purpose of processing | – Management of users of e-government services offered by Diputació de Lleida to local authorities |
Data subject categories | – Persons who use services because they are associated with local authorities served by Diputació de Lleida |
Categories of personal data | – Identification data |
Special category data | — |
Categories of data transfer recipients | — |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data is stored for as long as the persons accessing the e-government services hold their post related to these services |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.e GDPR) and legal obligation (Art. 6.1.c GDPR) |
Legal services | |
Purpose of processing | – General monitoring of lawsuits and disputes in which Diputació de Lleida is a party, as well as wage garnishment and disciplinary cases– Drafting reports |
Data subject categories | – Persons involved in litigation, claims, disputes, proceedings or reports |
Categories of personal data | – Identification data– Data on personal characteristics
– Data on social circumstances – Commercial data – Administrative infractions or sanctions |
Special category data | — |
Categories of data transfer recipients | – Judicial bodies– Authorities involved in or affected by these procedures |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data will be erased in line with the deadlines established in the document assessment tables, approved by the Comissió Nacional d’Accés Avaluació i Tria Documental (National Document Access, Evaluation and Selection Committee, CNAATD) and according to specific applicable regulations. |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Compliance with legal obligation (Art.6.1.c GDPR), according to Articles 26.3, 31.2 and 36.b of Law 7/1985, of 2 April, regulating the basis of local government |
Mailing lists | |
Purpose of processing | – Sending information on the organisation of events or other Diputació de Lleida initiatives |
Data subject categories | – Representatives of institutions, entities or associations– Public office
– Subscribers to publications – Other persons interested in Diputació de Lleida activities |
Categories of personal data | – Identification data– Employment data |
Special category data | — |
Categories of data transfer recipients | — |
Third country destination categories | — |
Time limits for the deletion of the different data categories | – The data is erased at the request of the person concerned, immediately after their request or once they have ceased to perform the duties or functions for which it was provided |
Technical and organisational security measures | – Access for authorised users only– Login ID and passwords (unique per user)
– Regular change of password, without repeating the previous one, is compulsory – Blocking access – Data are stored only on Diputació de Lleida central servers – Inventory of media containing data – Control of physical access to DPCs – Daily/weekly backups Details of the security measures are contained in the SECURITY DOCUMENT. |
Lawful basis | – Performing a task in the public interest (Art. 6.1.e GDPR) or consent of the data subject (Art.6.1.a GDPR). |
ANNEX. Categories of personal data
Personal data is listed below, grouped by category (for the purposes of this document).
- Identification: first name and surname; national identity card or foreigner identification number; social security or mutual insurance number; postal address; email address; telephone number; profession; handwritten signature, electronic signature; image; voice; user name, personal identifier, personal registration number.
- Personal characteristics: sex; marital status; family details; date of birth; place of birth; age; nationality; mother tongue; physical characteristics.
- Social circumstances: accommodation or housing; property or possessions; hobbies and lifestyles; membership of clubs and associations; licences, permits and personal authorisations.
- Academic and professional: training and qualifications; academic background; professional experience; membership of professional bodies or associations.
- Employment: job title; non-financial payroll data; employment history; work activity monitoring data; training; permits and licences; infractions and sanctions.
- Commercial: activities and business; professional or industrial trade licences, permits and authorisations; subscriptions and publications/media; artistic, literary and scientific/technical creations.
- Economic, financial and insurance: financial payroll data; bank details; credit card number; income and revenue; investments, credits, loans, guarantees, mortgages; tax deductions/taxes; pension plans; insurance; subsidies.
- Transactions: goods or services supplied by the person concerned; goods or services received by the person concerned; financial transactions; compensations.
- Administrative infractions and sanctions: administrative infractions; administrative penalties.
- Special data categories: criminal convictions; criminal offences; health; ethnicity; sex life; sexual orientation; genetic data; biometric data; ideology; religion; trade union affiliation; beliefs; political opinions; philosophical convictions.