Information on Data Protection
Data Protection
In accordance with Regulation (EU) 2016/679 General Data Protection Regulation (RGPD) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), the Concello de Vilanova de Arousa, as data controller, sets forth the following points:
- Information on Data Protection
- Data protection rights
- Record of Processing Activities
- Data Protection Officer
1. Information on Data Protection.
- RESPONSIBLE: CONCELLO DE VILANOVA DE AROUSA, NIF: P3606100J
- CONTACT: 986 554 021. Praza do Concello, 1, 36620, Vilanova de Arousa.
- PURPOSE: Provision of services, sending of information.
- LEGITIMATION: Provision of the requested services, legal compliance and consent of the interested party.
- RECIPIENTS: No data will be transferred to third parties, except for those necessary for employees, collaborators and suppliers for the provision of services and/or for legal obligations.
- RIGHTS: Interested persons may request access, rectification or deletion of their data, as well as exercise other rights or withdraw, where appropriate, the consent granted through the electronic office, at the address Praza do Concello, 1, 36620, Vilanova de Arousa or by sending an email to dpd@vilanovadearousa.gal.
- ADDITIONAL INFORMATION: Please read the detailed information on data protection below.
2. Detailed Information on Data Protection.
The processing of personal data linked to the electronic office under the responsibility of the Concello de Vilanova de Arousa complies with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data (R.G.P.D.) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (L.O.P.D.G.D.D.).
2.1 Who is the Data Controller?
Data of the person responsible:
- RESPONSIBLE: Concello de Vilanova de Arousa
- NIF: P3606100J
- Address: Praza do Concello, 1, 36620, Vilanova de Arousa
- Phone: 986 554 021
Data Protection Officer details:
The City Council of Vilanova de Arousa is responsible for maintaining a record of processing activities, under its responsibility, in compliance with the obligations established in article 30 of the R.G.P.D.
2.2 For what purpose do we process your personal data?
The Vilanova de Arousa Council will process the personal data of the interested parties, in general, for:
- Manage the different administrative procedures and report on their processing.
- Verify or check the accuracy of the personal data that interested parties declare, which are already in the possession of public administrations or which have already been previously provided.
- Make notifications and process appeals.
- Manage requests for information, suggestions, communications in general and send newsletters.
2.3 What is the legitimacy for the processing of your data?
The City Council of Vilanova de Arousa is authorized to process personal data, in accordance with the principle of lawfulness of processing indicated in article 6 of the GDPR and, specifically:
- As a general rule, in the case of administrative procedure activity, the legal basis for the processing will be the fulfilment of a task in the public interest or the exercise of public powers, taking into account Law 39/2015, of 1 October, on the common administrative procedure; Law 9/2017, of 8 November, on public sector contracts, etc.
- In certain cases, the processing will be legitimised by the consent of the interested parties.
- In any case, the basis for legitimacy will be included in the basic information clauses available in the personal data collection forms.
2.4 To which recipients will your data be communicated?
Your data may be communicated, in accordance with current legislation and whenever necessary for the management of the procedure or request, to other public administrations in the exercise of their powers, to financial entities, to official newspapers, websites or notice boards of the Vilanova de Arousa Council in order to provide the legally required publicity in the procedures where it is necessary.
The basic information clauses will include, in all cases, the specific recipients of the data.
2.5 How long will we retain your personal data?
The personal data provided will be kept as long as you do not request its deletion or cancellation and as long as it is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
2.6 Will data transfers be made to third countries?
No international data transfers will occur.
2.7 What are your rights when you provide us with your personal data?
- Access: right to obtain confirmation as to whether or not we are processing your personal data, namely, what they are, what they are used for, how long they will be kept, their origin and whether they have been or will be communicated to a third party.
- Rectification: right to request the rectification of inaccurate data and to have incomplete personal data completed.
- Deletion: right to request the deletion of personal data when it is inadequate, excessive or no longer necessary for the purposes for which it was collected, including the right to be forgotten.
- Objection: the right to object, in certain circumstances, to the processing of your personal data or to request that the processing be stopped.
- Limitation of Processing: right to request, in the circumstances established by law, that your data not be processed beyond the mere conservation thereof.
- Portability: right to receive personal data in a structured, commonly used and machine-readable format, and to be able to transmit it to another controller, whenever technically possible.
2.8 Will you have the possibility to withdraw consent?
You will have the possibility and right to withdraw your consent for any specific purpose granted at any time, without affecting the legality of the processing based on the consent prior to its withdrawal.
2.9 Where can you exercise your rights?
The interested party may exercise their rights at no cost, receiving a response within the time limits established in the R.G.P.D. and the L.O.P.D.G.D.D., by the following means:
- In writing, at the registry of the Vilanova de Arousa Council. This application must be signed and accompanied by a copy of the N.I.F. or passport of the interested party. If the application is made through a legal representative, the N.I.F. and the document proving the representation must also be submitted.
- If the Council of Vilanova de Arousa has reasonable doubts regarding the identity of the natural person submitting the request, it may request the additional information necessary to confirm the identity of the interested party.
- The Council of Vilanova de Arousa must respond to the request within one (1) month of receipt. This period may be extended up to two (2) months, taking into account the complexity and number of requests received. The interested party, in any case, will be informed within one (1) month of receipt of the request.
- Any interested party may also direct their request to exercise their rights to the Data Protection Officer at the following email address: dpd@vilanovadearousa.gal.
- For more information: https://www.aepd.es/reglamento/derechos/index.html
2.10 How can you make a claim to the Control Authority?
If your rights are not respected, you can file a claim by writing to the Spanish Data Protection Agency (A.E.P.D.) located at Calle Jorge Juan, 6, C.P. 28001, Madrid, or use the electronic office:
https://sedeagpd.gob.es/sede-electronica-web/.
In both cases, you must submit the relevant documentation.
2.11 What are the security measures?
In compliance with article 32 of the R.G.P.D. and taking into account the provisions of the First Additional Provision of the L.O.P.D.G.D.D. 3/2018, the Council of Vilanova de Arousa has security measures established by its internal security regulations that follow the National Security Scheme (ENS), regulated by Royal Decree 3/2010, of January 8.
APPLICABLE REGULATIONS
3. Data Protection Rights
Data protection regulations allow any person to exercise their rights of access, rectification, deletion and portability of data, opposition and limitation to their processing, as well as not to be subject to decisions based solely on automated processing of their data.
Right of Access.
The affected person has the right to be informed:
- The purposes of the processing, as well as the categories of personal data that are processed and the possible communications of data and their recipients.
- The period of conservation of the data, if possible. If not, the criteria to determine this period.
- The right to request the rectification or deletion of data, the limitation of processing, or to oppose it.
- The right to file a claim with the control authority.
- To obtain, when the personal data were not obtained from the interested party, any available information about their origin.
- To receive information on the appropriate guarantees if an international transfer of data occurs.
- To obtain a copy of the data subject to processing.
- The existence of automated decisions (including profiles), the logic applied and the consequences of this processing.
It must be distinguished from the right of access of interested parties to administrative files regulated by Law 39/2015, of October 1, on the common administrative procedure of Public Administrations, as well as the right of access regulated by Law 19/2013, of December 9, on transparency, access to public information and good governance.
Right of Rectification.
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data and to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to Deletion (right to be forgotten).
The affected person may request the deletion of personal data when any of the situations contemplated in the legislation occur, highlighting those cases in which the purpose that motivated the processing disappears, or the personal data were processed unlawfully.
This right does not apply where the processing must prevail because it is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller.
Right to Limitation of Processing.
It allows the affected person to obtain from the data controller the limitation of the processing of data when:
- The accuracy of the data is contested, while the data controller is verifying its accuracy.
- The processing is unlawful, but the data subject requests, instead of deletion, the limitation of its use.
- The data controller no longer needs the data for the purpose of processing, but the data subject needs it for the exercise of one of his or her rights.
- The data subject has exercised his or her right to object to the processing, while the controller is verifying whether the legitimate reasons of the controller prevail over those of the data subject.
Right to Portability.
The interested party shall have the right to receive from the controller his or her personal data in a structured, commonly used and machine-readable format, or to request that they be transmitted to another controller, when technically feasible.
Right of Opposition.
The affected person may object to the processing:
- When, for reasons related to your personal situation, the processing of the data must cease, unless a legitimate interest is proven, which prevails over the interests, rights and freedoms of the interested party, or it is necessary for the exercise or defense of claims.
- When the processing is for direct marketing purposes.
Forms for exercising your rights:
4. Record of Processing Activities
Article 30 of Regulation EU 2016/679 General Data Protection Regulation (GDPR) establishes that each controller shall keep a record of the processing activities it carries out and with the information indicated below:
- The name and contact details of the controller and the data protection officer.
- The purposes of the processing.
- A description of the categories of data subjects and the categories of personal data.
- The categories of recipients of the data.
- The transfers of personal data, if any.
- The expected time frames for deleting the different categories of data, where possible.
- A general description of the technical and organisational security measures.
Likewise, as regulated by article 31.2 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (L.O.P.D.G.D.D.), all entities included in article 77.1 of this organic law must make public an inventory of their processing activities, which will include the information established in article 30 of the R.G.P.D. and the legal basis that legitimizes the processing of personal data.
In accordance with this regulation, a record of the processing activities carried out by the City Council of Vilanova de Arousa is published:
5. Data Protection Officer
Article 37.1 of Regulation EU 2016/679 General Data Protection Regulation (GDPR) establishes that public authorities and bodies have the obligation to appoint a Data Protection Officer (DPO).
The City Council of Vilanova de Arousa appointed its DPO correctly, as can be seen in:
Consultation DPD
Its functions are defined in article 39 of the GDPR and consist mainly of informing and advising the Council and its employees on the obligations incumbent upon them in the processing of personal data and the supervision of their compliance. Likewise, it must cooperate with the Spanish Data Protection Agency (AEPD) and act as a point of contact between it and the Council.
In turn, any citizen may contact the Data Protection Officer if they have questions about the processing of their data by the Council, or are not satisfied with it. To do so, they can contact the Data Protection Officer of the Council of Vilanova de Arousa by writing to the email address dpd@vilanovadearousa.gal.
More information:
Spanish Data Protection Agency